Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
457
Views
1
Helpful
10
Replies

AP Switching Between Controllers – Unexpected Behavior

athan1234
Level 4
Level 4

‎06-19-2025 04:58 AM - edited ‎06-19-2025 05:02 AM

Hello, I’m wondering how it’s possible for an Access Point (AP) to initially register with one controller and then, after some time, switch to another controller.

 

//////////////////////////////////////////////////////////////////7

I'm also seeing this in the logs.

*Jun 18 00:39:06.006: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:39:15.237: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:39:25.511: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 3 AES-CCMP TSC replays
*Jun 18 00:39:56.301: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:40:09.647: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 6 AES-CCMP TSC replays
*Jun 18 00:41:48.188: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 5 AES-CCMP TSC replays
*Jun 18 00:41:54.360: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 9 AES-CCMP TSC replays
*Jun 18 00:42:00.828: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 8 AES-CCMP TSC replays
*Jun 18 00:42:07.005: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 4 AES-CCMP TSC replays
*Jun 18 00:42:13.172: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 5 AES-CCMP TSC replays
*Jun 18 00:42:20.363: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:42:31.658: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:42:51.901: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:42:59.096: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:43:05.251: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:43:31.943: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:43:46.325: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 4 AES-CCMP TSC replays
*Jun 18 00:43:58.595: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:45:02.000: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:46:02.835: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:3 Channel:6 Source MAC:001e.c01a.72f0
*Jun 18 00:46:10.022: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:46:24.385: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:46:40.832: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:46:51.110: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 3 AES-CCMP TSC replays
*Jun 18 00:47:28.060: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:47:50.649: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 3 AES-CCMP TSC replays
*Jun 18 00:48:05.295: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:48:11.450: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:48:28.901: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:48:46.342: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:49:13.028: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:49:23.293: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:49:34.590: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:50:06.151: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 2 AES-CCMP TSC replays
*Jun 18 00:50:27.700: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:50:45.155: %DOT11-4-CCMP_REPLAY: Client 1695.4143.5a30 had 1 AES-CCMP TSC replays
*Jun 18 00:51:02.600: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:3 Channel:6

 

 

0 Helpful
10 Replies 10

Leo Laohoo
Hall of Fame
Hall of Fame

‎06-19-2025 05:04 AM

@athan1234 wrote:
The controllers involved are a 4400 and a 5500

Da fuq?

The only firmware where 4400 and 5500 "intersects" is AireOS 4.X.X.X.  I do not believe 4400 can go 5.X.X.X.  

0 Helpful

athan1234
Level 4
Level 4
In response to Leo Laohoo

‎06-19-2025 05:06 AM

Hi @Leo Laohoo  i can not understand to you . could you explain to me please

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to athan1234

‎06-19-2025 05:20 AM

If this is a 4400 controller, it is most probably running AireOS 4.X.X.X (or earlier).  And if the 5500 is running a similar firmware, then I can almost guarantee the APs have expired CAPWAP certificate that has long expired before 2020 (FN63942 - Cisco Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP Connections Due to Certificate Expiration).

This means that the AP would not be able to join the secondary controller.  If the AP reboots, it will never be able to join a controller.  This is all because the CAPWAP certificate has long expired.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎06-19-2025 05:07 AM

@athan1234 wrote:
Hello, I’m wondering how it’s possible for an Access Point (AP) to initially register with one controller and then, after some time, switch to another controller.

Not going to happen. 

Why?  Because the certificates in the APs have long expired 15 years ago.  If the APs leave one controller it will not be able to join the other controller.

0 Helpful

athan1234
Level 4
Level 4

‎06-19-2025 05:14 AM

 disabled the certificates and set the date on the controller. I have a screenshot from when it happened: I saw the AP registered on the 4400 controller, and 30 minutes later, it was registered on the 5500 controller. Since then, the AP has remained registered on the 5500

0 Helpful

athan1234
Level 4
Level 4

‎06-19-2025 05:18 AM

it might be possible that when I disabled the WLAN ssid  on the 4400, roaming with the 5500 started working. We were having an issue because both controllers had the same SSID, and when an AP from the 5500 tried to roam, it had problems with the 4400. After I disabled the SSID on the 4400, I noticed the AP stayed connected to the 5500. So yes, it's possible. This machine are moving in the fabric 

0 Helpful

Rich R
VIP
VIP

‎06-19-2025 06:33 AM

@athan1234 for some reason you deleted half your question? Anyway:
> My customer is asking about this behavior. The controllers involved are a 4400 and a 5500, located near each other. Both are on the
> same network range, but with different IP addresses.
> When I check the AP history, I can see that it first connected to the 4400 controller, and later it started connecting to the 5500.
> The only explanation I can think of is that the AP has the 4400 IP set as the primary and the 5500 as the secondary. However, when
> I check the AP configuration using the appropriate command, I only see the 5500 IP listed.

APs learn (discover) and remember WLC IP addresses from multiple sources and always keep the complete list for attempting to connect until you reset to factory default.  Even though it doesn't have the other WLC configured the AP could learn it from option 43, DNS, WLC mobility and broadcast discovery if they're on the same subnet or you have a helper address configured.  And it might have previously been configured for that WLC then you changed the config - it will still "remember" the old WLC IP unless you do factory default reset.  If it loses connection to primary WLC (for any reason) then it will try other known WLCs.  Since you must be running very old software there are going to be thousands of bugs (on both AP and WLC) which could cause disconnection and that's before you consider things which might interrupt connectivity on the network between AP and WLC.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

athan1234
Level 4
Level 4
In response to Rich R

‎06-19-2025 07:26 AM

 hi @Rich R I’m trying to understand a behavior we’re seeing in our wireless network. The APs are not restarting, but we’re experiencing issues that might be related to client roaming. The clients are machines in motion, connecting to access points managed by both a 4400 and a 5500 controller. Both WLCs are on the same network range.

What we observed is that some machines were having connectivity problems. I noticed that both controllers were broadcasting the same SSID, which might be causing conflicts. To test this, I disabled the SSID on the 5500 controller. After doing that, I saw the APs that were previously connected to the 5500 start reconnecting to the 4400.

It seems like when a machine connects to an AP on the 4400, and then moves to an area covered by an AP on the 5500, the roaming doesn't work properly. But once I disabled the duplicate SSID on the 5500, things seemed to stabilize.

So my question is: Is it possible that having the same SSID configured on both WLCs, without proper mobility or synchronization, causes roaming or connection issues like this? Or is this behavior unexpected?Thanks in advance, and I hope I explained it clearly!

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to athan1234

‎06-19-2025 07:43 AM

Roaming between controllers requires a few things... mobility between the two controllers, the same code on the controllers (in case ap move from one to another), SSID's must be configured identical and mapped to the same network if possible.  You can search up "roaming between WLC's", "Cisco WLC intra controller roaming", etc. and do some reading on this.  You would be better off with a single controller so you don't have intra controller roaming.

I'm surprised your 4400 is still running, but what would you do when that dies?  Even the 5508... you really need to have a future plan just in case, because it will cost you money to replace the ap's for support.  

-Scott
*** Please rate helpful posts ***

Rich R
VIP
VIP
In response to athan1234

‎06-19-2025 02:52 PM

> So my question is: Is it possible that having the same SSID configured on both WLCs, without proper mobility or synchronization, causes roaming or connection issues like this? YES
Or is this behavior unexpected? NO

As Scott has explained to support roaming between WLCs they must be configured correctly with mobility between them.
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107188-mobility-groups-faq.html
https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/m_configuring_mobility_groups.html

Both your WLCs are end of support and running end of support software.  Moreover with different software versions there are likely to be incompatibilities.  Definitely time to look at upgrades ...

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card