Showing results for 
Search instead for 
Did you mean: 

High Availability AP-SSO configuration Examples Using CLI, GUI and pair-up in Wireless LAN Controller - 7.3 Release

Rising star



Mohit Paul is a Testing Engineer in Wireless Engineering Team. In this Video Series Mohit explains about "How to configure and pair-up two different controllers in High Availability mode using CLI", "AP-SSO configuration using initial CLI configuration wizard" and "AP-SSO configuration using GUI".

The new High Availability (HA) feature (that is, AP SSO) set within the Cisco Unified Wireless Network software release version 7.3 allows the access point (AP) to establish a CAPWAP tunnel with the Active WLC and share a mirror copy of the AP database with the Standby WLC. The APs do not go into the Discovery state when the Active WLC fails and the Standby WLC takes over the network as the Active WLC.

AP-SSO configuration using GUI.jpg

There is only one CAPWAP tunnel maintained at a time between the APs and the WLC that is in an Active state. The overall goal for the addition of AP SSO support to the Cisco Unified Wireless LAN was to reduce major downtime in wireless networks due to failure conditions that may occur due to box failover or network failover.


AP-SSO configuration using initial CLI configuration wizard.jpg








How to configure and pair-up two different controllers in High Availability mode using CLI.jpg


So in 7.3, it is  true High Availability i.e. Hot standby. That is when one box fails due to hardware issues or network connectivity almost instantaneously the  standby box takes over. This reduces the failover time. The downtime  between failver is reduced to 5 – 996 Milliseconds in case of WLC  hardware failure and upto 3 seconds in case of Network issues. One WLC  will be active state and second WLC will be Hot standby state which  monitors the health of the active WLC.


High Availability in Release 7.3 and 7.4

The new architecture for HA is for box-to-box redundancy. In other words, 1:1 where one WLC will be in an Active state and the second WLC will be in a Hot Standby state continuously monitoring the health of the Active WLC via a Redundant Port. Both the WLCs will share the same set of configurations including the IP address of the Management interface. The WLC in the Standby state does not need to be configured independently as the entire configuration (Bulk Configuration while boot up and Incremental Configuration in runtime) will be synched from the Active WLC to the Standby WLC via a Redundant Port. The AP's CAPWAP State (only APs which are in a run state) is also synched, and a mirror copy of the AP database is maintained on the Standby WLC. The APs do not go into the Discovery state when the Active WLC fails and the Standby WLC takes over the network's Active WLC.

There is no preempt functionality. When the previous Active WLC comes back, it will not take the role of the Active WLC, but will negotiate its state with the current Active WLC and transition to a Standby state. The Active and Standby decision is not an automated election process. The Active/Standby WLC is decided based on HA SKU (Manufacturing Ordered UDI) from release 7.3 onwards. A WLC with HA SKU UDI will always be the Standby WLC for the first time when it boots and pairs up with a WLC running a permanent count license. For existing WLCs having a permanent count license, the Active/Standby decision can be made based on manual configuration.

AP SSO is supported on 5500/7500/8500 and WiSM-2 WLCs. Release 7.3 only supports AP SSO that will ensure that the AP sessions are intact after switchover. MAPs, which are treated as mesh clients on RAP, are not de-authenticated with AP SSO.

Client SSO is supported on 5500/7500/8500 and WiSM2 WLCs from release 7.5 onwards.

High Availability in Release 7.5

To support High Availability without impacting service, there needs to be support for seamless transition of clients and APs from the active controller to the standby controller. Release 7.5 supports Client Stateful Switch Over (Client SSO) in Wireless LAN controllers. Client SSO will be supported for clients which have already completed the authentication and DHCP phase and have started passing traffic. With Client SSO, a client's information is synced to the Standby WLC when the client associates to the WLC or the client’s parameters change. Fully authenticated clients, i.e. the ones in Run state, are synced to the Standby and thus, client re-association is avoided on switchover making the failover seamless for the APs as well as for the clients, resulting in zero client service downtime and no SSID outage.

Video Series - New Features introduced in Wireless LAN Controller 7.3 Release

You can also check High Availability Architecture in Wireless LAN Controller – 7.3 Release.

More details on High Availability (AP SSO) Deployment Guide

Configure HA from the CLI
Configure HA from the GUI
Configure HA from the Configuration Wizard
Configure HA from Cisco Prime

Do Rate the Videos!

Cisco Employee

Hi Mohit:

Thanks a lot!!! HA configuration videos cover enough information to start for beginners.

You should come up with more detailed videos about HA configuration & functionality - AP SSO for level up knowledge to intermediate.


Hi to all,

i did not find which ip address is used for capwap tunnel (i suppose redundancy ip address) but i'm not usre.

Any of you can confirm it?



Content for Community-Ad