This may seem obvious but had you saved the config before rebooting?
And how exactly did you reboot? (reload reloads both chassis, clean switchover is done using redundancy force-switchover)

Use "show facility-alarm status" to check the alarm details.

Yes, I chose the Save Config and Reboot option at 3:25pm. Both the APs were joined and using IPs in VLAN 2.   I left the APs plugged in overnight.   The 9115AXi eventually joined at 7:19pm.   The 2802i still has not joined the 9800L.  

The only error WCAE reports is: 

WLC-9800LF#show facility-alarm status
System Totals Critical: 4 Major: 0 Minor: 0

Source Time Severity Description [Index]
------ ------ -------- -------------------

TwoGigabitEthernet0/0/0 Mar 13 2023 15:26:16 CRITICAL Physical Port Link Down [1]

TwoGigabitEthernet0/0/1 Mar 13 2023 15:26:16 CRITICAL Physical Port Link Down [1]

TwoGigabitEthernet0/0/2 Mar 13 2023 15:26:16 CRITICAL Physical Port Link Down [1]

TwoGigabitEthernet0/0/3 Mar 13 2023 15:26:16 CRITICAL Physical Port Link Down [1]

Really don't know where to turn next.  Going to open a new TAC case.  

                  >...The 2802i still has not joined the 9800L
 - As stated before use these tools too : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin

 M.

We took a radioactive trace a few days ago.  TAC has not responded back.  Will likely try them again as it should not take 4 hours for the 9115AXi to re-join.   

            >...as it should not take 4 hours for the 9115AXi to re-join.   
 Take a look at the interface counters  for this AP connection on the switch , check for unusual stats if any , 

 M.

I suspect the AP is still running 17.11 code but you've filtered the log so we can't even see that.
Please downgrade the APs to 17.9.3 code and then factory default reset the AP again please?
And include the full AP log from power on so we can see everything that might be relevant.

https://software.cisco.com/download/home/286304510/type/286288051/release/15.3.3-JPN2
https://software.cisco.com/download/home/286322352/type/286288051/release/15.3.3-JPN2

                         - Put a a laptop on the same subnet as an AP and run : 
                               % nmap -sU -p5246-5247  WLChostname
    in order to verify full capwap reachability  from the APs to the controller. Also run an iperf test from the laptop to a server in the same subnet as the WLC , look if the intranet networking performance is nominal ,

 M.

I ran nmap earlier and posted results showing the ports are open.  I am attaching picture of the 9800L / Switch / AP setup in my office.  The APs and the 9800L Mgmt are in the same VLAN and have Gig connection.  The switch is a 3560X which I know is "EoL" in Cisco's eyes, but we still have them deployed in our network.   This switch was in production up to February and had APs connected to it as well that were running off a 5508.  Plugging a laptop into the switch and have had no issues accessing apps or Internet -- but have not run iperf.   The entire IT Dept uses the same upstream switch and they'd certainly would let me know if there was any nertwork performance issue   

We took the plunge and reset to Factory defaults and did the bare minimum config up to where the APs should join. We rolled back to 17.9.3.  Had a Sr level engineer on a WebEx when the 9800L was reconfigured and he is just as baffled as I am.  

The only thing I have not changed is the uplink port from this switch to the upstream switch on the floor.   I am going to do that in a few minutes.  Other than that, only the 9800L have not been swapped.  Not really looking forward to setting up a 9800CL to test   There is a growing thought that there is some corruption in the SUDI Trustpoint -- just not sure how to verify / fix.  

                          >....I ran nmap earlier and posted results showing the ports are open...
  - When I talked earlier about rommon versions and hardare  programmable devices (updating) , you only gave feedback on the rommon version , not the second item , are you also on latest version according to : https://software.cisco.com/download/home/286321399/type/283425232/release/17.11.1 ?

                   >....I have not changed is the uplink port from this switch to the upstream switch on the floor....
   - Could you check all involved port counters on the path from the 9800 Wireless Management Interface  to the access point , meaning check for instance port counters on the port where the access point is connected to the switch , check if all is good concerning CRC count and overruns and all of those , also check if the port for the access point is 1G full duplex and that there are no discrepancies to what is to be expected. Then go up the path and check port counters on 'the next hop' - till the controller is ( reached (verify all involved hops) . Then if possible also check port counters on the 9800 LF too for the wireless management interface !

                       The commands below are useful for analyzing ap join issued :
       show wireless stats ap join summary
       show wireless dtls connections
       show platform hardware chassis active qfp feature wireless capwap datapath statistics drop all
       show platform hardware chassis active qfp feature wireless capwap datapath mac-address <APradio-mac> details
       show platform hardware chassis active qfp feature wireless capwap datapath mac-address <APradio-mac> statistics
       show platform hardware chassis active qfp feature wireless dtls datapath statistics all (view all DTLS drops)
      show platform hardware chassis active qfp statistics drop all | inc Global | Wls (Data Plane Statistics – Global Wireless Drops)

  Other useful commands are mention in : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin

 M,

But have you downgraded the software on the AP yet (with default after that)?  See my reply above.

Raised the TAC case to Sev 2.   Got a new engineer (5th one so far).   He found a case where the issue was similar.   The customer changed the 9800's Management VLAN and the APs joined.   

So I moved the 9800L's Management VLAN from VLAN 2 to our current Mgmt VLAN 11 of our 5508.  All the APs in my Lab setup joined rapidly.  Moved the 9800L's Management VLAN back to the VLAN 2 and the APs once again failed to join.

The only substantial difference between the 9800L VLAN 2 and the 5508 VLAN 11 is that the 5508's VLAN 11 is a /24 subnet mask.  The 9800L's Management VLAN 2 is a /22 subnet mask.

I changed the 9800L's VLAN 2 subnet mask to a /24.   All the APs joined rapidly.  

TAC engineer is going to bring this forward to see if it is a Bug or an "undocumented limitation" on the 9800L's Management VLAN.  This issue presented itself in 17.9.2, 17.9.3, 17.10.1 and 17.11.1.

Has anyone here used a /22 on the Management VLAN?  

We don't have any APs sitting directly on the same VLAN as a 9800 - ours are all routed - but we have APs sitting on /21 and /22 subnets without any problems at all.  The WLCs are on /26 subnets.

Are you sure the DHCP is correctly configured with the same /22 mask?  And same/correct throughout?

If this does turn out to be some weird bug then routing is also a workaround - don't put the APs and WLC on the same VLAN - route them and use option 43 for WLC discovery.