Buy or Renew
Buy or Renew
We are currently experiencing Knowledge Base board outages and are working to resolve. Thank you for your patience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
268
Views
1
Helpful
4
Replies

iOS 26 and mobile Safari issues with some websites on WLAN on 9800

panderson25
Level 1
Level 1

‎10-10-2025 01:48 PM

This is super-specific to iOS 26, mobile Safari, and 9800-L controllers (17.3.7).  2802i access points.  Some external sites and some of our internal sites, are very very slow to load.  WLAN with basic PSK 2 or even captive portal.  Fast Transition Disabled, Adaptive, Enabled, no difference.  Switch to Chrome mobile, no issues.  iOS 18?  No issues.  Anyone else?

Labels:
0 Helpful
4 Replies 4

Mark Elsen
Hall of Fame
Hall of Fame

‎10-10-2025 10:16 PM

 

  - @panderson25   The software version on the controller is very old. Consider upgrading to latest advisory (17.15.3)

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Rich R
VIP
VIP

‎10-12-2025 06:03 AM

As @Mark Elsen says you are using a very old version of code which has numerous known bugs!
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-3-x-eol.html
Cisco stopped testing and fixing that code more than 2 years ago and even security vulnerabilities are no longer fixed.

More generally - have you tried turning off iCloud Private Relay (either globally or on the SSID options) which Safari uses and Chrome does not?

As per the Best Practices guide (link below) have you checked your TCP MSS setting?

Note changing Fast Transition settings would only affect device association (it either works or doesn't) not device performance once connected.  And Adaptive is not recommended anymore (again that's in the Best Practices guide).

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

panderson25
Level 1
Level 1
In response to Rich R

‎10-12-2025 07:15 AM

Thank you!

We are a few weeks away from updating the code because of some older WAPs. We disabled all security protections in iOS but only disabling Limit IP Address Tracking made a difference. Case is open with TAC as well.
0 Helpful

Rich R
VIP
VIP
In response to panderson25

‎10-12-2025 05:58 PM

only disabling Limit IP Address Tracking
So that confirms that the problem is related to iCloud Private Relay.

Have you checked the TCP MSS setting? (recommended value 1250)
Is it small enough to avoid fragmentation on all intervening links? (taking into account CAPWAP encapsulation + anything else in the path like GRE or IPSEC or both).

Also is there anything else in the path (like a router or firewall) which might be overriding with a larger TCP MSS setting than what the AP sets?

Have you done packet captures to see what's actually happening when that slow performance happens?
eg: do you see fragmentation/retransmissions/lost packets etc?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card