detailed breakdown of Access Point (AP) join procedures in SSO and N+1

Ahmed Gamal · ‎05-11-2025

I need to know what the access points' joining procedures are in SSO deployments and N+1 deployments, and what the timers are in each section. For example, in SSO, if the primary controller fails, what will happen with the access point, and if it comes back, also, if the whole SSO comes down, what will happen with the access points? What is the required time to join the N+1?

Saikat Nandy · ‎05-12-2025

Your AP join procedure is same - be in HA-SSO or N+1. You can refer these two doc to understand the process -

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9120axe-access-point/221056-understand-the-ap-join-process-with-the.html
https://mrncciew.com/2013/03/17/ap-registration/

In HA-SSO, AP failover from Active to Standby is seamless - means no downtime required.

In HA-N+1, AP failover from Primary to Secondary takes 1-3mins - depending on multiple things. Ex -
You have 8*5 = 40 secs CAPWAP timer.
Both the Primary and Secondary are on same version.
Latency between AP & Primary/Secondary controllers are pretty much same.

marce1000 · ‎05-12-2025

- I will not cover all the details but for instance from https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-4/deployment-guide/c9800-n-plus-1-high-availability-wp.pdf
Read from Difference Between SSO (Stateful Switchover) and N+1 High
availability

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Ahmed Gamal · ‎05-12-2025

@Saikat Nandy

Thank you for the details shared above. I have one more point I’d like to clarify:

In the event that both SSO controllers go down and the access points join the N+1 controller, what will be the behavior of the access points once the SSO pair comes back online? Will they automatically rejoin the SSO, or is manual intervention required?

Looking forward to your clarification.

Rich R · ‎05-12-2025

If you have set primary/secondary/tertiary WLC in the AP HA config then the AP will constantly poll and try to switch back to the primary WLC.
The timing of that return to primary WLC is determined by the "capwap timers primary-discovery-timeout" configuration.
From an AP point of view an SSO pair looks like a single WLC - the AP is effectively unaware of the HA-SSO.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/cmd-ref/b_wl_17_12_cr/configuration-commands-a-to-f.html#wp3078683012

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Ahmed Gamal · ‎05-12-2025

I would appreciate your clarification on the following scenario:

If we have an SSO setup along with an N+1 backup controller, and the access points are not configured with explicit primary/secondary/tertiary controller settings, what will be the AP behavior when the SSO pair comes back online after a failure? Specifically:

Will the access points automatically leave the N+1 controller and rejoin the SSO primary controller?
Or will they remain associated with the N+1 controller until a manual reset or failure occurs?
Additionally, could you please share the relevant failover and fallback timers that apply in this scenario?

Your insights on this would be very helpful.

Rich R · ‎05-12-2025

No I don't think it will switch back automatically if there is no static WLC config.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9120axe-access-point/221056-understand-the-ap-join-process-with-the.html
If you want it to do that then configure it that way.
You can also have a look at a previous similar discussion:
https://community.cisco.com/t5/wireless/wireless-ap-wlc-discovery/td-p/5006301

For the timers refer to the config guide and the command reference (previous reply).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella · ‎05-12-2025

We have the same setup per say, SSO with N+1. It's just best practice to define the primary, secondary and or tertiary controller, because you want to dictate that. Keep in mind since this is new to you, that ap's once joined to a controller will know of the controller its joined to and any in the mobility group. However, if you have defined any discover, dhcp, dns or broadcast, the ap's can or might even join those which might not be what you want. I have seen configurations that were used to help setup environments to get ap's to join a specific controller and then was never removed or changed. You can't always rely on timers or ap's finding the right controller. You have variables that can cause issues, like connectivity, controller issues, controllers having the wrong image, configurations on the N+1 that is wrong, routing issues, etc.

The general questions you asked are all documented and even folks have discussed them in blogs. You have to understand the "what ifs" and what you need to do to remediate issues. Having a healthy environment helps, but there is always that one issue that will cause an incident.

-Scott
*** Please rate helpful posts ***

Rich R · ‎05-12-2025

Totally agree with Scott - keep it deterministic and set your preference.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Leo Laohoo · ‎05-12-2025

One important detail that will affect new AP join process to the controllers (whether it is N+1 or SSO) and that is LOAD of each individual controller.

Say, I have three controllers (N+1): Controller 1 has 3600 APs, Controller 2 has 5000 APs and Controller 3 has 0 APs.

Even if DHCP Option has Controller 1 as first, Controller 2, as second and Controller 3 as third option, there is a strong chance new APs will join Controller 3 over the other 2.