@Arne17 That makes complete sense and is a very thoughtful response. I'm going to turn on WPA3 on my trusted network and leave the IoT network at WPA2. My biggest concern was that I heard this issue had bleed-over between VLANs so I had to set both as WPA2. I'll test out just the IoT network on WPA2 and see if the problem occurs again.

  @Off-grid Where did you get that firmware? I can't seem to find it on the TP-Link Beta site. Thank you.

  @CoffeeAndTech

 @Arne17 I can confirm the issue bleeds over from separate VLANs/SSIDs. When I set 6g, WPA3, and PMF = Capable on my trusted network, my 2.4g IoT devices on my IoT network fail to connect (my IoT network has 6g turned off, WPA2, PMF = Off). That's pretty bad. I sure hope TP-Link posts a fix soon.

  @CoffeeAndTech iIn case it helps TP-Link support, I've found that my Kasa TP-Link Smart Plugs HS103 v5.6 have this problem. My other Kasa Smart Plugs HS103 v2.8 and v3.8 don't have this problem.

Ok, quick recap. I'm wondering if we are all actually facing the same issue here or if there are some fundamental differences.

My situation is like: IoT devices are connected on their IoT SSID via 2.4GHz WiFi, using WPA2. The issue that I'm facing is: Suddenly no traffic is forwarded by the EAP650 to/from the IoT devices, except for ARP packets. That means: The connection on the wireless side is still up (you can see them being connected either by their respective status LED or by looking up the connected stations list in Omada controller or by calling "cliclientd wltool sta" on the EAP terminal), but it is non-functional because no usable data is forwarded. New connection attempts (e.g. try to connect to the IoT net with your phone) to the IoT SSID are refused by the EAP650 on the IoT SSID. Please confirm on your side by creating packet capture when the issue occurs, either on the EAP itself using the controller or by creating a dump on your firewall box on the IoT interface. Alternatively, use Wireshark on a client that is able to ping or HTTP to a device. Analyse the traffic capture with Wireshark. If you can confirm that you only see ARP packets going through (= packets coming from IoT device AND responses to IoT device), than we have the same situation. For that you have to get the MAC address of one affected device upfront and filter the packet capture. If you're seeing IP traffic in both directions, then we are not facing the same issue here.

Regarding the WPA2/WPA3 question: I have WPA2/3 mixed mode on my "trusted" user network, WPA2 only on IoT net.