Skip to main content

Offline support

Should your space lose internet access, Kisi supports three fallback mechanisms for unlocking doors or elevators:

  1. Offline Cache on the Kisi Reader: with offline caching for credentials, Kisi allows users to unlock doors even without internet connectivity.
  2. Offline Cache on the Kisi Controller: similar to 1., but designed to work with legacy readers connected to Kisi controllers
  3. Offline Cache on the phone: with mobile data enabled on your phone, the Kisi reader will receive a certificate from your phone through Bluetooth or NFC to unlock the door.

Offline Cache on the Kisi Reader

With Offline Cache (also "Edge Cache") on the reader, access rights are cached on Kisi readers based on recent usage patterns. The Kisi Reader will use these cached access rights before attempting to call the Kisi cloud. If the user is in the cache, an internet connection is not required. Currently, a Kisi Reader's Offline Cache can cover internet outages for up to 36 hours, but this will be increased in future updates.

Prerequisites

  • A Kisi Reader on the same network with the Kisi Controller
  • Relevant access rights in the Kisi Reader's cache. Please note that the API synchronizes with the reader's cache once daily, specifically at midnight. Therefore, when testing the Offline Cache feature, it is recommended to wait at least one day after adding and utilizing the credential on the reader to ensure synchronization.
  • To unlock with mobile credentials: An up-to-date version of the Kisi mobile app on the user's phone
  • To unlock with physical credentials: Valid and authorized physical credentials
info

For integration partners: The Kisi app will request a user-identifying certificate from the API and automatically renew it at regular intervals. It remains valid for a minimum of 14 days upon renewal.

Key features

  • Fully encrypted and authenticated offline support for both cards and phones, simultaneously assuring the confidentiality and authenticity of access rights.
  • High memory and bandwidth efficiency, caching up to 1000 access rights and up to 250 groups in less than 0.2 megabytes
  • Near real-time updates of changed credentials by synchronizing with the reader cache within minutes.
  • Fully supported on Wiegand-enabled third-party readers

Networking protocols

Kisi controllers and readers will send messages over the local network using the User Datagram Protocol (UDP) port 62435 for accessing doors, updating the state and more.

Important
  • Offline Cache is always active, whether the reader is online or offline.
  • Offline Cache works with both Wi-Fi and Ethernet connections, as long as the controllers and readers are on the same network. To verify that controllers and readers that share the same doors are on the same network, note their IP addresses and subnet masks. Calculate the network prefix of the IP addresses. For the devices to be on the same network, the prefixes must be identical.

Supported unlock methods

Status indicators

When no interaction is ongoing:

  • Blue (Kisi Reader Pro 1.0) / White (Kisi Reader Pro 2.0): the reader is ready to process an unlock (whether connected to the internet or not)
  • Red: the reader is offline and cannot reach the controller

When an access attempt is ongoing:

  • Blinking red: the credential presented cannot be authorized, either because the user does not have access (when the device is online), or because the user is not in the Offline Cache (when the device is offline)
  • Green: access granted

Offline Cache for third-party readers

In the landlord scenario with mobile and physical credentials, access rights are cached on the Kisi Controller, allowing offline access. Following the approach of the Kisi Reader, a Kisi Controller's Offline Cache is built based on recent usage patterns. The Kisi Controller will use these cached access rights before sending an unlock request to the legacy controller.

In this scenario, Offline Cache only covers unlocks with physical credentials.

Offline Cache on the phone

Important
  • Offline Cache on the phone works in parallel with the Offline Cache on the Kisi Reader.
  • If at least one of the Offline Caches grants access, offline access is possible.
  • Offline Cache on the phone does not work with third-party readers, as these cannot communicate with Kisi's mobile apps.

When the Kisi Controller is unable to re-establish an internet connection for five minutes, it goes into offline mode. In offline mode, the Kisi Controller, via the Kisi Reader, receives authenticated unlock requests from the Kisi app on the user's phone to authenticate with Kisi and unlock a door. This requires the phone to be online, as it needs to request an offline certificate from the Kisi API. This certificate includes access permissions for the assigned door or elevator, and is valid for a short duration only, typically a few minutes. Renewal of this certificate occurs before each access attempt.

Prerequisites

  • A Kisi Controller and a Kisi Reader, on the same network
  • 4G/5G access
  • The Kisi mobile app on the latest version

Troubleshooting

Kisi provides the following general guidelines to help you diagnose offline support issues. Please note that Kisi is not responsible for your network settings. If you encounter advanced networking problems (firewall rules, DHCP configuration, VLAN settings, etc.), consult your IT department or network administrator.

Important considerations

  • Disconnecting the router: Once a router is disconnected, DHCP services often stop. Kisi devices that rely on DHCP will lose their IP addresses when leases expire, or sooner if they reboot or reconnect. Without valid IP addresses, these devices cannot communicate with each other, causing network segmentation.
  • How to avoid issues: Ensure DHCP services remain active. Either keep the router connected or have an alternative DHCP server in place.

Reader and controller not communicating locally (same subnet)

Unreachable DHCP server

Kisi devices may not have valid IP addresses if DHCP is down, leading to communication failure.

Firewall or network restrictions

UDP port 62435 or ICMP (ping) traffic may be blocked, preventing local network communication.

Troubleshooting steps

Step 1: Confirm DHCP and network settings

  • Ensure the DHCP server is active.
  • Allow traffic on UDP port 62435 and ICMP (ping).
  • Verify the devices appear in the DHCP client table.

Step 2: Ping test

  • Use diagnostic tools to ping the IP addresses of Kisi devices.
  • A timeout may indicate invalid or expired IP addresses.

Step 3: Power cycle the router

  • Restart the router to refresh DHCP leases.
  • Keep Kisi devices powered to preserve the Offline Cache.

Step 4: Full power cycle (if still unsuccessful)

  • Restart the router first.
  • Then restart the Kisi devices to renew DHCP assignments.

Quick checklist: Reader and Controller communication

  • DHCP server is active and reachable
  • UDP 62435 and ICMP traffic allowed
  • Devices have valid IPs and respond to ping

Reader Offline Cache not working on some users

Credential not yet cached

Credentials sync once daily at midnight. Recently added users may not yet be in the Offline Cache.

Credential not recently used

Only frequently used credentials are cached; inactive users may be excluded.

Troubleshooting steps

Step 1: Verify user access

  • Check that the user is assigned to a group with access to the specific door.

Step 2: Wait for cache sync

  • Allow 24 hours for new credentials to be included in the reader’s cache.

Quick checklist: Reader Offline Cache

  • User is assigned door access via correct group
  • New credentials have had 24 hours to sync

Need more help?

Contact Kisi support

Remember to provide detailed information

  • Device IDs
  • Sample user email addresses
  • Logs, screenshots, or videos of the issue
  • Your network setup details (if applicable)
  • Steps you have already taken

Including these details helps Kisi support diagnose the problem more quickly and accurately.

Last updated on by Carl