POOL_AUTH_FAIL Warning

ASIC Miner – Mining Pool Authentication Failed

Stratum mining.authorize rejected — the pool accepted the TCP connection but refused the worker credentials, TLS handshake, or sub-account. Miner hashrate drops to zero and stays there.

Warning — Should be addressed soon

Affected Models: All ASIC miners — Antminer S9, S17, S19, S19 Pro, S19j, S19j Pro, S19 XP, S19k Pro, S21; Whatsminer M30S, M50, M60; Avalon; Innosilicon; Bitaxe Supra/Ultra/Hex/Gamma/GT; NerdAxe; NerdQAxe; NerdMiner

Symptoms

  • Dashboard pool row shows Alive: No / Disconnected / Dead despite valid IP and internet reachability
  • Miner log shows repeated `Stratum authentication failed` or `authorize failed: 24 Unauthorized worker` lines
  • Pool closes the TCP session within <5s of every connect attempt: `socket disconnected from <pool>:<port>`
  • Pool-side dashboard shows zero shares submitted and zero worker-online time for the worker
  • Miner hashrate briefly climbs then collapses to 0 GH/s / 0 TH/s after the first handshake
  • Bitmain stock firmware cycles through pool1 -> pool2 -> pool3 and settles on 'No pool available'
  • DCENT_OS / Braiins OS+ / LuxOS / Vnish dashboard shows the pool status chip red with stale 'last authorized' timestamp
  • `curl -v telnet://<pool-host>:<port>` from the same LAN succeeds but the miner log says rejected
  • Miner was authenticated yesterday, fails today, with no config change and no pool-side announcement
  • You recently changed pools, rotated a payout address, or regenerated a sub-account API key without restarting the miner
  • Miner UI clock reads 1970-01-01 or is clearly >10 minutes off real time -- dead RTC / NTP blocked
  • Router / ISP rebooted recently and came up with a new public IP on a pool that IP-whitelists sub-accounts

Step-by-Step Fix

1

Hard power-cycle the miner -- 30 seconds off at the breaker, not a soft restart. Clears any wedged stratum socket state and forces a fresh mining.subscribe handshake. Half of 'permanent' auth failures clear here because the miner was stuck re-trying a cached bad credential in a loop after a pool-side hiccup. Do this before anything else -- it costs nothing and rules out the single most common transient state.

2

Copy-paste pool credentials from the pool's own 'Configure your miner' example block -- not from a password manager, not retyped from memory. Paste the full stratum URL, worker username, and worker password directly into the miner's pool-1 row. Save, reboot. Invisible smart-quotes, trailing spaces, and 0-vs-O mistypes from manual entry are the #1 cause of auth failure across every pool D-Central's customers use. This single habit eliminates the majority of auth-failure tickets.

3

Verify the miner's clock and timezone on the System / Status page. It should match real-world date within a minute. A wrong clock makes TLS certificate validation fail, so the connection drops during the handshake before credentials are ever checked. If the clock is wrong and doesn't self-correct on reboot, the CR2032 RTC battery on the control board is dead -- schedule it for Tier 2 replacement. If NTP is blocked at your firewall, open UDP/123 outbound for the miner's IP.

4

Disable router-level 'AI protection' / 'threat prevention' / 'web filter' features. ASUS AiProtection, Netgear Armor, Eero Secure, and many ISP-provided combo boxes silently block stratum destinations as 'suspicious'. Turn the feature off on the router, reboot the miner, watch the log for a fresh auth attempt. If auth now succeeds, either leave the feature off for the miner's VLAN or exempt the miner's MAC address from the heuristic scanner. This is the single most under-documented auth-fail cause on residential networks.

5

Point the miner at a known-good reference pool as a control test. Use public-pool.io:21496 or solo.ckpool.org:3333 with your own BTC address as username and x as password. If this auths cleanly, your original pool's config, sub-account, or IP-whitelist is the problem -- open a ticket with the pool. If the reference pool also fails, the miner or your LAN is the problem -- continue to Tier 2.

6

Replace the CR2032 RTC battery on the control board. Open the miner, locate the coin-cell holder on the control board (Antminer S9 / S17 / S19 / S19 Pro / S19j all have one near the CPU), slide the old cell out, install a fresh CR2032, reboot, verify the clock holds after a full power-off. This single $2 fix resolves TLS auth failures that survive every software diagnostic. If your control board has no visible coin cell (S21 and some late-rev S19 XP rely entirely on NTP), skip to step 7.

7

Force an explicit NTP sync over SSH. Connect as root (Bitmain stock: root/admin; Braiins OS+: root). Run `ntpd -q -p pool.ntp.org` or `rdate -s time.nist.gov`. Verify with `date`. If NTP fails, outbound UDP/123 is blocked -- open a firewall rule for the miner's IP to 0.0.0.0/0 UDP/123. DCENT_OS, Braiins OS+, LuxOS, and Vnish all honor system-level NTP correctly; stock Bitmain firmware on older builds does not, which is why a dead RTC wrecks them.

8

Capture the stratum traffic with tcpdump from a Linux / macOS box on the same LAN: `tcpdump -A -i <iface> host <pool-host>` (`-A` prints packet payloads as ASCII, so plaintext JSON-RPC is readable). Power-cycle the miner. You'll see SYN / SYN-ACK / ACK, then the TLS handshake (port 443) or the JSON-RPC mining.subscribe (plain TCP). If the connection dies during TLS -- cert/clock/cipher mismatch. If mining.authorize returns `error: [24, Unauthorized worker]` -- credentials. If `error: [22, banned]` -- pool-side ban. The literal pool response tells you the actual cause instead of stock firmware's generic 'auth failed'.

9

Delete the worker on the pool's dashboard and re-create it with a clean ASCII name (home01, miner1, s19-basement -- no spaces, no emojis, no punctuation beyond hyphen/underscore). Copy the fresh credentials into the miner. Some pools cache banned worker entries; deleting and recreating the worker forces a clean slate and clears any accidental pool-side rate-limit flag. This matters especially on Braiins Pool, Ocean, and F2Pool.

10

Test the miner on a completely different network. Tether it to a 4G/5G phone hotspot, or plug into a neighbour's LAN, or directly into the modem bypassing the router. Use the same pool config. If auth succeeds on a different network, your router, VPN, or ISP (including ISP-level DPI) is mangling stratum traffic -- diagnose at the network layer. If it still fails on a completely foreign network, the miner itself owns the bug -- continue to Tier 3.

11

Disable router QoS and traffic shaping for the miner's MAC address. Aggressive QoS can delay the stratum TCP handshake past the pool's timeout (most pools drop sessions that don't complete mining.authorize within 5 seconds). Flag the miner as 'highest priority' or disable QoS entirely during the diagnostic window. Reboot the miner after each router change to ensure a clean handshake.

12

Flash DCENT_OS on Antminer hardware -- D-Central's own open-source Antminer firmware, built by Mining Hackers for Mining Hackers. It ships modern stratum handling, honors system NTP, speaks Stratum V2 natively, and exposes the full mining.authorize JSON response in the log UI so you see the pool's actual error code instead of 'auth failed'. Alternatives if DCENT_OS doesn't support your specific hardware revision: Braiins OS+, LuxOS, Vnish. All four eliminate 80% of stock-firmware stratum bugs in one flash.

13

Recover the control board from SD card on S9 / S17 / early S19 models. Image fresh Bitmain stock firmware to a 16 GB Micro SD (FAT32, written with Etcher). Power off, insert the SD, power on. The miner boots from the card, reformats the internal image, and comes up clean. This fixes a corrupt overlayfs that holds a stale pool config the UI can't overwrite. Source images: service.bitmain.com/support/download. SD is the reversible entry point; eMMC is not.

14

eMMC reflash for late S19 / S19 XP / S21 models (no SD slot). Requires a USB-C / JTAG recovery fixture. If you don't have the fixture, this is the moment to ship to D-Central. A corrupt eMMC holding a malformed worker string will survive every factory reset because the reset only wipes the user-layer overlay, not the base image. D-Central's eMMC reflash service is CAD $95-$180.

15

Cross-flash a completely different firmware line as a diagnostic. If stock Antminer won't auth and DCENT_OS won't install, flash Braiins OS+ from Braiins' official downloader. Braiins-from-SD on Bitmain hardware is reversible -- pop the card out to revert to stock. If the miner auths cleanly under Braiins OS+, you've confirmed a stock-firmware regression; either stay on Braiins or retry DCENT_OS after Braiins' cold boot clears the control board state.

16

Inspect the control board for physical damage. Burnt traces near the Ethernet jack, swollen electrolytics near the RTC circuit, water damage, rodent chew marks, or corroded connectors all mean the control board is failing hardware even though it still boots. Document every finding with photos before shipping or replacing -- this saves diagnostic time at D-Central and therefore saves you money on the repair quote.

17

Stop DIY and book a D-Central repair slot. If you've eliminated credentials, protocol, TLS, a known-good pool, the network, router filters, firmware (stock vs custom), RTC, and eMMC / SD recovery, and your miner still won't auth on any pool over any protocol, that's control-board hardware territory: dead Ethernet MAC, failing SoC, corrupt eMMC that reflash doesn't clear, or silicon-level network-stack fault. Replacement control board: CAD $140-$320. Full diagnostic + fix: CAD $185-$420.

18

Ship safely for repair. Anti-static bag the control board (or the whole miner). Double-box with at least 5 cm of foam on every side. Include a written note covering: pool you tried, exact worker string (with a photo of the miner's config page), firmware version, symptom timeline, what you already ruled out. Diagnostic time is billable, so the note cuts your repair bill materially. D-Central ships Canada-wide with US / international welcomed; turnaround 5-10 business days; all units burn-in tested for 24 hours post-repair.
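
Added example (not from the original guide or any firmware): a triage script for the plaintext capture in step 8 that pairs each mining.authorize request with the pool's reply and checks the worker string for the problems described in steps 2 and 9. It assumes one JSON-RPC message per line; the function names and the sample capture are constructed for illustration.

```python
import json

# Cause per error code as listed in step 8 of this page; other pools may differ.
CAUSES = {24: "credentials (unauthorized worker)", 22: "pool-side ban"}

def lint_worker(name):
    """Flag the worker-string problems that steps 2 and 9 describe."""
    problems = []
    if name != name.strip():
        problems.append("leading/trailing whitespace")
    if any(c.isspace() for c in name.strip()):
        problems.append("embedded whitespace")
    if any(ord(c) > 127 for c in name):  # smart quotes, emoji, zero-width chars
        problems.append("non-ASCII character")
    return problems

def triage(lines):
    """Pair each mining.authorize request with the pool's reply by JSON-RPC id."""
    pending, findings = {}, []
    for raw in lines:
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # TLS records, partial packets, tcpdump header lines
        if not isinstance(msg, dict):
            continue
        params = msg.get("params")
        if msg.get("method") == "mining.authorize" and isinstance(params, list) and params:
            pending[msg.get("id")] = str(params[0])
        elif "method" not in msg and msg.get("id") in pending:
            worker, err = pending.pop(msg["id"]), msg.get("error")
            if isinstance(err, list) and err:
                verdict = CAUSES.get(err[0], "pool error %r" % (err,))
            elif msg.get("result") is True:
                verdict = "authorized"
            else:
                verdict = "rejected without an error code"
            findings.append((worker, verdict, lint_worker(worker)))
    for worker in pending.values():  # request seen, session ended before a reply
        findings.append((worker, "no reply before disconnect", lint_worker(worker)))
    return findings

# Constructed sample capture (not from a real pool).
SAMPLE = [
    '{"id": 1, "method": "mining.subscribe", "params": ["constructed-miner/1.0"]}',
    '{"id": 1, "result": [[], "00000001", 4], "error": null}',
    '{"id": 2, "method": "mining.authorize", "params": ["acct.home01 ", "x"]}',
    '{"id": 2, "result": null, "error": [24, "Unauthorized worker", null]}',
    '{"id": 3, "method": "mining.authorize", "params": ["acct.s19\\u2011basement", "x"]}',
]
```

Calling `triage(SAMPLE)` reports the trailing space behind the code-24 rejection and the look-alike hyphen in the request that never got a reply. A TLS session yields no parseable lines, so an empty result on a capture that shows traffic points back to the TLS branch of step 8.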

When to Seek Professional Repair

If the steps above do not resolve the issue, or if you are not comfortable performing these repairs yourself, professional service is recommended. Attempting advanced repairs without proper equipment can cause further damage.

Still Having Issues?

Our team of Bitcoin Mining Hackers has been repairing ASIC miners since 2016. We have seen it all and fixed it all. Get a professional diagnosis.