
Issue with moving AP from 5508 WLC to 9800-l


Hi all,


I have a WLC 5508 controller running and I am trying to move the access points off this controller to a 9800-L running IOS-XE 16.12.3.


When I move an AP from the 5508 to the 9800 it will not join.

I have checked the other posts with similar issues and I have enabled data encryption on the AP and on the 9800-L controller as per the documentation, but this didn't solve the issue.


In the packet capture on the 9800 I can see the following:

1. Discover request and response

2. Client Hello and response

3. Client Key Exchange followed by the Change Cipher from the controller, with everything set to use DTLS 1.0

4. AP sends a CAPWAP join request

5. The WLC responds with an encrypted alert message.

6. The AP tries to send data but the WLC does not respond.


Within the packet capture taken of the join request I can see the MAC address of the AP (WTP Board Data Base MAC Address). This address is on the 9800.


At this stage I am stuck, as there is nothing in the 9800-l logs to prevent it from joining.

I will be very grateful for some assistance on the issue.


Ian Vickery




Scott Fella
Hall of Fame
Are your APs supported on the IOS-XE code? You didn’t mention what AP(s) you have. Also, DTLS is not required, mobility is not required if you are moving APs to the 9800. It’s the same as AireOS. Make sure you have the time, country code defined and make sure the APs are supported.
*** Please rate helpful posts ***

The Access points are 2800.

I have used a brand new unit and it connected successfully to the 9800 controller

I failed this to the 5800, and the AP associated fine.

I then went to reassociate the same AP back to the 9800 but it will not join.


I have checked the date and time settings and they are correct and in sync.


Do you have any other suggestions?

Factory reset the AP. Hold the mode button and power up the AP. Hold the mode button for >20 seconds. The LED will flash red, then release. Try that.

Since it is in a remote location I have done a factory reset via the CLI.

I haven't tried it with the mode button.


In the packet captures taken it discovers the WLC, authenticates, sends the join message, and receives an encrypted alert back from the WLC.


I do notice the CAPWAP tunnel is using TLS1.0 but when connected to the 5508 it is using TLS1.2.



Ian Vickery 
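To check where in the exchange described in the posts above the alert appears, and which DTLS version is actually on the wire, the record headers can be read straight from the CAPWAP control payloads. This is an added example, not part of the original posts or of any Cisco tool; the function names and the sample flow are constructed, and it assumes UDP 5246 payloads framed per RFC 5415 with standard DTLS record headers.

```python
import struct

# DTLS record content types and wire versions (RFC 4347 / RFC 6347).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

def parse_capwap_dtls(payload):
    """Return the DTLS records in one CAPWAP control UDP payload (port 5246)."""
    if len(payload) < 4 or payload[0] & 0x0F > 1:
        raise ValueError("not a CAPWAP preamble")
    if payload[0] & 0x0F == 0:      # type 0: plain CAPWAP, e.g. discovery
        return []
    records, off = [], 4            # type 1: 4-byte CAPWAP DTLS header, then records
    while off < len(payload):
        if off + 13 > len(payload):
            raise ValueError("truncated DTLS record header")
        ctype, ver, epoch, seq_hi, seq_lo, length = struct.unpack_from("!BHHHIH", payload, off)
        if off + 13 + length > len(payload):
            raise ValueError("truncated DTLS record body")
        records.append({
            "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get(ver, hex(ver)),
            "epoch": epoch,
            "seq": (seq_hi << 32) | seq_lo,
            "encrypted": epoch > 0,  # epoch rises after ChangeCipherSpec
        })
        off += 13 + length
    return records

def find_encrypted_alerts(flow):
    """flow: list of (sender, udp_payload); return alerts sent after the key change."""
    return [(sender, rec["version"], rec["epoch"])
            for sender, payload in flow
            for rec in parse_capwap_dtls(payload)
            if rec["type"] == "alert" and rec["encrypted"]]

def _rec(ctype, ver, epoch, seq, body):  # builds constructed sample payloads
    hdr = struct.pack("!BHHHIH", ctype, ver, epoch, seq >> 32, seq & 0xFFFFFFFF, len(body))
    return b"\x01\x00\x00\x00" + hdr + body

# Constructed sample flow, not the poster's capture; record bodies are filler.
SAMPLE_FLOW = [
    ("AP",  b"\x00\x10\x02\x00" + b"\x00" * 8),     # plain CAPWAP discovery
    ("AP",  _rec(22, 0xFEFF, 0, 0, b"\x01" * 12)),  # handshake
    ("WLC", _rec(20, 0xFEFF, 0, 5, b"\x01")),       # change_cipher_spec
    ("AP",  _rec(23, 0xFEFF, 1, 0, b"\xaa" * 32)),  # protected join request
    ("WLC", _rec(21, 0xFEFF, 1, 0, b"\xbb" * 24)),  # encrypted alert
]
```

An alert with a non-zero epoch cannot be decoded from the capture alone, so the reason for it has to come from the controller side.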

It would have been better to test locally first to make sure things work. I have a 4802 not a 2800 and I had no issue. Again, could just be something with the 2800. Have you opened a TAC case? I know folks were having a lot of issues with the 2800/3800.

Yes I have now opened a TAC case. 

We will post the solution here when I get a response.

Can you post show certificate all from 5508 controller?

I can't find the details right now but I seem to recall that the AP needs to be running a very recent AireOS image before it can join to 9800 so upgrade the AP to then try to join to 9800. You obviously can't upgrade the 5508 to that so you may need to download the image directly to the AP or set up a virtual WLC for the purpose of the transition.


Is this the only solution? I am also having a similar scenario, wherein my customer has 2800/3800 series APs and a 5508 WLC. Now the 5508 is running on code which refers to 15.3(3)JF14 IOS version on AP and if I check the wireless compatibility matrix then I need to have 15.3.(3)JPJ10 IOS version on the AP to get the AP connected to C9800 WLC. So it's obvious that to get the AP to 15.3(3)JPJ10 I need to also upgrade 5508 WLC which is not possible since the last code support for 5508 WLC is which refers to 15.3(3)JF15, which will not help in the migration. So how can we upgrade only the IOS version of the AP, that too in bulk option? Because the AP count is very high, doing it one by one would take a lot of time.

Hi Rahul,

I would suggest your 9800 to be on 17.9.3 code and test moving one AP across to test & see how it goes. I would not expect major issues.


Rahul Pawar

Thanks Rasika. Your input helps. Also I did find one article wherein it is mentioned we can pre-download the image on the AP using the WLANPoller tool. Not sure of this tool. Have not heard of or used this before. Below is the link.
