Solved: Re: DHCPv4 Option 43 for Fast Offline Migration

thisisdisign · ‎04-14-2025

Hi everyone,

I have a question about DHCPv4 Option 43 for Fast Offline Migration.

When I use DHCP Option 43 for the purpose of Fast Offline Migration for Wi-Fi 7 APs, does fast offline migration(f3xxx) work for non Wi-Fi 7 APs?
Should I split the DHCP scope for non-Wi-Fi 7 APs?

Saikat Nandy · ‎04-14-2025

Fast offline migration is only for WIFI7 APs which means f3xx will work. For existing APs you will still have to use f1xx.

View solution in original post

Saikat Nandy · ‎04-23-2025

Thanks @Rich R for sharing your thoughts. I truly believe I was not clear enough with my response before and you are right. So let me try to put my previous answer in a different way.

# Fast Offline Migration uses new DHCP/DNS options and will bypass the 8-minute wait timer. Without FOM, CW917x APs will continue to look for cloud for 8 mins.
# This 8 mins wait timer has been introduced in 917x series AP and to run a 917x series AP you need 17.15.2 and above - that's also true.
# If you are not having any 917x series AP in the network, then you should not run f3xx (as you can get the job done using f1xx simply). f3xx is ‘only’ meant to reduce the 8 mins wait time for 917x series AP - nothing else.

So in a brownfield deployment, lets say 9136 and 9176 are in place and if you already have f1xx configured, better continue using that - if and only if you dont want to wait for 15mins for 917x to come up and in a day zero setup with 917x, I don’t think 15mins wait time is a show-stopper from any angle.

View solution in original post

Saikat Nandy · ‎04-14-2025

Fast offline migration is only for WIFI7 APs which means f3xx will work. For existing APs you will still have to use f1xx.

Rich R · ‎04-23-2025

Not entirely true @Saikat Nandy
@thisisdisign I've tested it (in this case on an 1832 because if it works on that old AP then it should work on all newer models too).
The older AP still works fine with the Fast Offline Migration option 43 configured.
It is still able to get the WLC IP address from DHCP correctly.
As I expected it is the software version that matters, not the AP model.
As long as the AP has the 17.15.3 software installed it will understand the new option 43 format.
However (not surprisingly) when the AP is running 8.10.196.0 software it is not able to discover the controller from the new format option 43.

So the caveat is that the new option 43 will work for all APs running 17.15.3 and later software (regardless of whether they're WiFi 7 or not) but if you expect to deploy APs which have not been staged with the latest software pre-installed then you might need to operate separate DHCP scopes for the older APs to allow them to discover the WLC initially. Once they have the new software installed you could move them all into the same VLAN/DHCP scope. Alternatively you could also use DNS or helper address (to forward the broadcast joins to the WLC) to get those older APs joined and downloaded and then remove the DNS or helper once they're online. That would avoid the need for a second DHCP scope.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Saikat Nandy · ‎04-23-2025

Thanks @Rich R for sharing your thoughts. I truly believe I was not clear enough with my response before and you are right. So let me try to put my previous answer in a different way.

# Fast Offline Migration uses new DHCP/DNS options and will bypass the 8-minute wait timer. Without FOM, CW917x APs will continue to look for cloud for 8 mins.
# This 8 mins wait timer has been introduced in 917x series AP and to run a 917x series AP you need 17.15.2 and above - that's also true.
# If you are not having any 917x series AP in the network, then you should not run f3xx (as you can get the job done using f1xx simply). f3xx is ‘only’ meant to reduce the 8 mins wait time for 917x series AP - nothing else.

So in a brownfield deployment, lets say 9136 and 9176 are in place and if you already have f1xx configured, better continue using that - if and only if you dont want to wait for 15mins for 917x to come up and in a day zero setup with 917x, I don’t think 15mins wait time is a show-stopper from any angle.

fabianwickman · ‎11-27-2025

Hi,

Do you know if the DNS AAAA record to use fast offline migration has to be resolved to the WLC which the AP is supposed to join? Or will it join the WLC provided in the option 43?
I mean this AAAA-record you can configure for fast offline migration:
cisco-automigrate.<domain>

Mark Elsen · ‎11-27-2025

- @fabianwickman The Fast offline migration flag is part of the the DHCP option 43 string , so it's connected
to the IP address of the controller provided in DHCP option 43 (the intended controller for the AP)

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

fabianwickman · ‎11-28-2025

@Mark Elsen Thanks for the reply. But I'm wondering about the option to use DNS as a fast offline migration method to bypass the 8-15 min of searching for meraki cloud.

"

DNSv4/v6

The fast offline migration string for DNS for both v4 and v6 :

Add the DNS entry (A record) cisco-automigrate.<domain> in the DNS server.
The AP checks for the presence of DNS entry (AAAA record): cisco-automigrate.<domain>

If the DNS entry resolves, THEN, ping IP returned from DNS.

If ping success, then immediately migrate AP to WLC mode

If ICMP is blocked, then the AP tries CAPWAP reachable to WLC. If CAPWAP response is successful, then migrate AP to WLC mode."

Does the record cisco-automigrate.<domain> need to be resolved to a WLC IP-adress? Or can it just be any pingable adress?

Regards,
Fabian

Mark Elsen · ‎11-28-2025

- @fabianwickman It can be any pingable address

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Leo Laohoo · ‎12-01-2025

@Saikat Nandy wrote:

# Fast Offline Migration uses new DHCP/DNS options and will bypass the 8-minute wait timer. Without FOM, CW917x APs will continue to look for cloud for 8 mins.
# This 8 mins wait timer has been introduced in 917x series AP and to run a 917x series AP you need 17.15.2 and above - that's also true.
# If you are not having any 917x series AP in the network, then you should not run f3xx (as you can get the job done using f1xx simply). f3xx is ‘only’ meant to reduce the 8 mins wait time for 917x series AP - nothing else.

I found a 4th method and this will benefit those networks where configuring/re-configuring DHCP Option 43 (to f1 or f3) is next to impossible. The 4th method is to exploit or trigger a bug by crashing the Meraki 0-day. Once the Meraki 0-day crashes, the AP will reboot into all-too-familiar "Cheetah OS". Here is how it works:

When the AP boots into Meraki 0-day (or at the <Meraki> prompt), hit Ctrl + Shift + 6 + x (hold down Ctrl, Shift and "6". Let go of the 3 keys and hit "x" immediately and then let go) and wait for approximately 15 to 20 seconds.

If the bug/exploit is triggered, the console will respond with:

meraki_watchdog: Signal TERM, exiting loop
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL to all processes
Requesting system reboot

After this, the AP will reboot into Cheetah OS.

Screenshot

thisisdisign · ‎04-23-2025

Thanks @Saikat Nandy @Rich R

So that means Fast offline migration (f3xxx) doesn't work except for 917x?
If I choose f1xx for 917x, the long waiting time is usually only applicable for Day-0, right?

Saikat Nandy · ‎04-23-2025

Correct. The FOM concept is not even applicable for any other APs except 917x.
If you use f1xx even with 917x, the wait time will be around 15 mins (first 8mins wait & next 7mins to move to catalyst+dhcp+discovery.......) and that is only for day 0.

thisisdisign · ‎04-23-2025

@Saikat Nandy,

Thanks, got it.