We are deploying a few 9130AX with eWLC and we noticed an issue.

In a network with multiple 9130AX/eWLC, one AP would be elected as Primary WLC, another AP would be elected as Secondary WLC. What we noticed is that, if the CAPWAP is IPv6, the AP Primary WLC will behave strangely. It will broadcast WLANs as usual, however, only Open WLANs can be connected. Any other WLANs, regardless its Enterprise or Pre-shared Key, WPA2 or WPA3, would be unable to connect. Client would simply says connection failed. In Mac, it might prompt Password required, even the WLAN is WPA3 OWE.

If the Primary WLC AP power cycled, the Secondary WLC AP would become Primary, and the symptom moves with it. Thus, at any given moment, there is an AP would broadcast non-connectable WLANs and disrupting the operations.

During the investigation, we deployed one single 9130AX in an isolated IPv6-only network, the issue is 100% reproducible. We also find, if we plug the console cable to the AP and reload the eWLC in the console, once eWLC is off, the AP will run standalone and the WLAN are all working normally. However, once the eWLC back online and AP rejoins it, all encrypted WLANs are broken again.

This issue essentially renders IPv6-only deployment impossible. Are there any documents or workarounds?

Software: IOSXE 17.15.04

P.S., to make things a bit more annoying, even the eWLC is operated in dual-stack and CAPWAP is set to IPv4 preferred (since Central Authentication is mandatory in eWLC), it still blocks using IPv6 radius server. Once an IPv6 radius server is configured and used for 802.1X authentication, the client would fail to auth, and the eWLC console would have:

*Aug 24 20:53:31.642: %IOSXE_INFRA-4-BSO_MSG_RIB_WATCH_WARN: BSO message RIB watch start error
-Traceback= 1#51f831fc725b0a59ceabac5d8451fb7e :10000+3BB2E8 :10000+382C508 :10000+382AA58 bsock_ios:7D160000+CEA8 bsock_ios:7D160000+7A2A bsock_ios:7D160000+D21C :10000+382D7D0 :10000+D758DC :10000+18A546C

for each WLAN auth attempt