APs fail to join C9300 EWC while joining 9800-CL on same VLAN works

MIKI.H
Level 1

Hello,

I have a Cisco Catalyst 9300 configured as an Embedded Wireless Controller (EWC), running IOS-XE 17.15.3.
The APs (9115 and 1852) discover the controller, start the CAPWAP process, but fail to complete the join. In the logs I see CAPWAP/DTLS messages and the AP retries several times without success.

When I connect the same APs on the same VLAN to a Cisco 9800-CL virtual WLC, they join successfully without any issue.
So the network, VLAN, IP addressing and discovery process seem correct.

Questions:

  1. What could prevent APs from completing the join process on the C9300 EWC while they join normally on the 9800-CL?

  2. Are there additional steps needed to prepare the EWC (trustpoint, certificates, etc.) beyond the default configuration?

  3. Is there a way to verify which certificate or trustpoint the APs are actually using during the join process?

Any guidance would be appreciated.

Accepted Solution

Rich R
VIP

@MIKI.H 

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-744299.html

As part of mode consolidation Embedded Wireless on Catalyst 9000 Series Switch (non-SDA) using WebUI will be End of Support (Q3FY21) with no additional feature development or code changes and 17.3.x is the last supported release.

What you are trying to do is not supported. 9300 can only be used for WLC as part of SDA fabric - not standalone WLC.

5 Replies

1- Check the authz policy for the AP.

2-3 Check the commands below:

show wireless management trustpoint
show wireless dtls connections

MIKI.H
Level 1

Hi
I performed an upgrade (17.18.1) and the unit was able to successfully upgrade.
However, after the upgrade it still does not come up properly and falls back into a loop, repeatedly trying to join.

Here are a few sample log lines showing the behavior:

From the AP side:
/2025 13:44:44.0530]
[*09/09/2025 13:44:44.0530] CAPWAP State: Discovery
[*09/09/2025 13:44:44.0580] Discovery Request sent to 10.109.15.236, discovery type STATIC_CONFIG(1)
[*09/09/2025 13:44:44.0610] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*09/09/2025 13:44:44.0630] Discovery Response from 10.109.15.70
[*09/09/2025 13:44:54.0000] Started wait dtls timer (60 sec)
[*09/09/2025 13:44:54.0070]
[*09/09/2025 13:44:54.0070] CAPWAP State: DTLS Setup
[*09/09/2025 13:44:54.0330] dtls_verify_server_cert: Controller certificate verification successful
[*09/09/2025 13:44:54.8210]
[*09/09/2025 13:44:54.8210] CAPWAP State: Join
[*09/09/2025 13:44:55.8190] Encoding TLV_AP_UL_CAPABILITY_PAYLOAD is_ul_capable_ap: 0 compliance state: 0 nonCompReason: 0
[*09/09/2025 13:44:55.8190] Sending Join request to 10.109.15.70 through port 5261, packet size 1376
[*09/09/2025 13:44:55.8240] Join Response from 10.109.15.70, packet size 1397
[*09/09/2025 13:44:55.8240] AC accepted previous sent request with result code: 0
[*09/09/2025 13:44:55.8240] Received wlcType 0, timer 30
[*09/09/2025 13:44:55.8500]
[*09/09/2025 13:44:55.8500] CAPWAP State: Image Data
[*09/09/2025 13:44:55.8500] AP image version 17.18.1.8 backup 17.15.3.28, Controller 17.18.1.8
[*09/09/2025 13:44:55.8500] Version is the same, do not need update.
[*09/09/2025 13:44:55.8900] status 'upgrade.sh: Script called with args:[NO_UPGRADE]'
[*09/09/2025 13:44:55.9330] do NO_UPGRADE, part1 is active part
[*09/09/2025 13:44:55.9460]
[*09/09/2025 13:44:55.9460] CAPWAP State: Configure
[*09/09/2025 13:44:56.0510] DOT11_CFG[1]: Starting radio 1
[*09/09/2025 13:44:56.0520] DOT11_DRV[1]: Start Radio1
[*09/09/2025 13:44:56.0610] DOT11_DRV[1]: set_channel Channel set to 36/40
[*09/09/2025 13:44:56.5150] Started Radio 1
[*09/09/2025 13:44:56.5160] DOT11_CFG[0]: Starting radio 0
[*09/09/2025 13:44:56.5170] DOT11_DRV[0]: Start Radio0
[*09/09/2025 13:44:56.5250] DOT11_DRV[0]: set_channel Channel set to 1/20
[*09/09/2025 13:44:56.9750] Started Radio 0
[*09/09/2025 13:44:57.0240] dtls_log_replay: dtls_log_replay: DTLS Replay Attack detected for Source IP 10.109.15.70[5246] and Destination IP 10.109.15.75[5261]
[*09/09/2025 13:44:59.9970] Re-Tx Count=1, Max Re-Tx Value=5, SendSeqNum=2, NumofPendingMsgs=1
[*09/09/2025 13:44:59.9970]
[*09/09/2025 13:45:02.9980] Re-Tx Count=2, Max Re-Tx Value=5, SendSeqNum=2, NumofPendingMsgs=1
[*09/09/2025 13:45:02.9980]
[*09/09/2025 13:45:05.9990] Re-Tx Count=3, Max Re-Tx Value=5, SendSeqNum=2, NumofPendingMsgs=1
[*09/09/2025 13:45:05.9990]
[*09/09/2025 13:45:09.0000] Re-Tx Count=4, Max Re-Tx Value=5, SendSeqNum=2, NumofPendingMsgs=1
[*09/09/2025 13:45:09.0000]
[*09/09/2025 13:45:12.0000] Re-Tx Count=5, Max Re-Tx Value=5, SendSeqNum=2, NumofPendingMsgs=1
[*09/09/2025 13:45:12.0000]
[*09/09/2025 13:45:15.0010] Max retransmission count exceeded, going back to DISCOVER mode.
[*09/09/2025 13:45:15.0010]
[*09/09/2025 13:45:15.0010] Failed to reach capwap down with retransmission 3 times
[*09/09/2025 13:45:15.0010]

EWC-switch-test#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_CMCA2_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 734b499026ea2d5c6900c9fd2fb2a4ee92658346
Private key Info : Available
FIPS suitability : Not Applicable

EWC-switch-test#show wireless dtls connections
EWC-switch-test#
EWC-switch-test#sh inv
EWC-switch-test#sh inventory
NAME: "c93xx Stack", DESCR: "c93xx Stack"
PID: C9300-24P , VID: V05 , SN: 
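A small triage script, added here and not from the original post or from Cisco, that walks the AP-side log above, records how far the join got, pulls the controller address out of the replay message (the question the next reply asks), and names the phase to troubleshoot. The log excerpt is constructed from the lines quoted above, and the rule that the endpoint on port 5246 is the controller is an assumption of this example.

```python
import re
# Constructed excerpt of the AP-side log quoted above (same messages, radio/blank lines dropped).
SAMPLE_AP_LOG = """\
[*09/09/2025 13:44:44.0530] CAPWAP State: Discovery
[*09/09/2025 13:44:54.0070] CAPWAP State: DTLS Setup
[*09/09/2025 13:44:54.0330] dtls_verify_server_cert: Controller certificate verification successful
[*09/09/2025 13:44:54.8210] CAPWAP State: Join
[*09/09/2025 13:44:55.8240] AC accepted previous sent request with result code: 0
[*09/09/2025 13:44:55.9460] CAPWAP State: Configure
[*09/09/2025 13:44:57.0240] dtls_log_replay: dtls_log_replay: DTLS Replay Attack detected for Source IP 10.109.15.70[5246] and Destination IP 10.109.15.75[5261]
[*09/09/2025 13:45:12.0000] Re-Tx Count=5, Max Re-Tx Value=5, SendSeqNum=2, NumofPendingMsgs=1
[*09/09/2025 13:45:15.0010] Max retransmission count exceeded, going back to DISCOVER mode.
"""
LINE_RE = re.compile(r"^\[\*[^\]]+\]\s*(.*)$")  # strips the [*timestamp] prefix
REPLAY_RE = re.compile(r"Replay Attack detected for Source IP ([\d.]+)\[(\d+)\] and Destination IP ([\d.]+)\[(\d+)\]")
RETX_RE = re.compile(r"Re-Tx Count=(\d+), Max Re-Tx Value=(\d+)")
CAPWAP_CONTROL_PORT = "5246"  # assumption: the endpoint using this port is the controller, the other the AP

def analyze_ap_join(log_text):
    # Record how far one join attempt got and what knocked it back to discovery.
    r = {"states": [], "cert_verified": False, "join_accepted": False, "replay": None, "max_retx": 0, "retx_limit": None, "fell_back": False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        msg = m.group(1) if m else raw  # tolerate lines without the prefix
        if msg.startswith("CAPWAP State:"):
            r["states"].append(msg.split(":", 1)[1].strip())
        elif "Controller certificate verification successful" in msg:
            r["cert_verified"] = True
        elif "AC accepted previous sent request with result code: 0" in msg:
            r["join_accepted"] = True
        elif (p := REPLAY_RE.search(msg)):
            src, sport, dst, _ = p.groups()
            r["replay"] = {"controller": src if sport == CAPWAP_CONTROL_PORT else dst, "state": r["states"][-1] if r["states"] else None}
        elif (t := RETX_RE.search(msg)):
            r["max_retx"], r["retx_limit"] = max(r["max_retx"], int(t.group(1))), int(t.group(2))
        elif "going back to DISCOVER mode" in msg:
            r["fell_back"] = True
    return r

def failure_phase(r):
    # Checks ordered the way the replies above suggest: certificate, then AP authz, then the session itself.
    if not r["fell_back"]:
        return "no fallback seen"
    if not r["cert_verified"]:
        return "DTLS setup (trustpoint/certificate)"
    if not r["join_accepted"]:
        return "Join (AP authorization policy)"
    if r["replay"]:
        return "post-join DTLS in %s (replay, %d/%d retx)" % (r["replay"]["state"], r["max_retx"], r["retx_limit"])
    return "post-join, no DTLS replay"
```

For the log quoted above this reports that certificate verification and the Join itself succeeded and the session was lost in the Configure state after the replay message, which is what separates this case from a trustpoint or authz problem.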

dtls_log_replay: dtls_log_replay: DTLS Replay Attack detected for Source IP 10.109.15.70[5246] and Destination IP 10.109.15.75[5261]

Are these IPs for the WMI and the AP?

If yes, then run:

show ap uptime

Also check whether the AP interface is up or down.

MHM

Mark Elsen
Hall of Fame
@MIKI.H Concerning additional steps:
  1) Verify the EWC controller's configuration using the CLI command: show tech wireless
     and feed the output from that into: Wireless Config Analyzer
  2) Check EWC controller logs when these APs try to join
  3) Troubleshoot further using instructions from: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin

M.



