Recommended Cisco IOS XE Releases for Catalyst 9800 Wireless LAN Controllers

Available Languages

Download Options

  • PDF     (138.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (146.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (183.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 20, 2023
Document ID:214749

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes guidance for you to find the most reliable Cisco IOS XE software for Catalyst 9800 Wireless LAN Controllers (C9800 WLCs). 

    Background

    The information in this document is applicable to different form factors of C9800 WLC which includes :

    • Appliances (9800-40,9800-80,9800-L)
    • Virtual Controllers (9800-CL in private and public clouds)
    • Embedded Wireless Controllers on Catalyst 9000 Series switches
    • Embedded Wireless Controllers on Catalyst Access Points (EWC-AP)

    Access Point models supported by the C9800 include

    • IOS based 11ac Wave 1 Access Points  (1700/2700/3700/1572) (not in all releases)
    • COS based 11ac Wave 2 Access points (1800/2800/3800/4800/1540/1560)
    • COS based Catalyst 11ax 91xx Series Access Points (9105/9115/9117/9120/9130/9136/9164/9166)

    Co-existence of AireOS WLCs with C9800 WLC is taken into account for these recommendations. The recommendations cover all the releases Cisco IOS XE software applicable to Catalyst 9800 WLCs. Typically, a newly released version (either maintenance release or new code train) is given a minimum of 2-3 weeks soak time in the field, and only if no catastrophic issues are reported, it becomes a candidate for Cisco general recommendation. These recommendations are updated frequently as we receive feedback through internal testing, TAC cases, and so on.

    TAC Recommended Builds

    Dublin 17.10.1

    Cisco IOS XE 17.10.1 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.10.1 Release Notes. For all features and hardware supported starting 17.10.1, you are recommended to use 17.10.1

    Cupertino 17.9

    Cisco IOS XE 17.9.x is a long-lived train with several MRs planned. This is the first release to support Cisco Catalyst 916x Series APs. The new features supported in this release are listed in 17.9.1 Release Notes. For all deployments needing support for any new hardware or features available starting 17.7 or 17.8 or 17.9 are recommended to run 17.9.2

    17.9.2

    Cisco IOS XE 17.9.2 is a bug fix release with the exception of a couple of new features (check the release notes for more information). Several critical bug fixes and support for newer versions of some Catalyst WiFi6 Access Points (refer Field Notice 72424) is available in 17.9.2. You are recommended to upgrade to 17.9.2

    17.9.2 APSP1

    17.9.2 APSP1 provides fix for CSCwd80290 that allows IW3700 APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.

    17.9.1

    Caution: Support for newer versions of some Catalyst WiFi6 Access Points (refer Field Notice 72424) is NOT available in 17.9.1 but is in 17.9.2

    Cupertino 17.8.1

    Cisco IOS XE 17.8.1 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.8.1 Release Notes . For all features and hardware supported starting 17.8.1, you are recommended to use 17.9.1

    Note: Deployments with C9130s and C9124s, if running 17.3.3 need to upgrade to 17.3.4c before upgrading to 17.8.1

    Cupertino 17.7.1

    Cisco IOS XE 17.7.1 is a short-lived release with no MRs planned. See 17.7.1 EoL Bulletin. The new features supported in this release are listed in 17.7.1 Release Notes. For all features and hardware supported starting 17.7.1, you are recommended to use 17.9.1

    Caution: 17.7.1 is impacted by CSCwb13784  which prevents wave 2 and 11ax APs from joining if the path MTU drops under 1000 bytes

    Bengaluru 17.6

    Cisco IOS XE 17.6.x is a long-lived train with several MRs planned. Cisco recommends 17.6.5 CCO image for all deployments without these specific IOS APs (1700/2700/3700/1572).

    17.6.5

    Cisco IOS XE 17.6.5 is a bug fix only release and adds the configuration, under Policy Profile, to disable Interim Accounting. 

    17.6.4

    Cisco IOS XE 17.6.4 is a bug fix only release and adds the configuration, under AP Join Profile, to enable AP serial console. Several critical bug fixes and support for newer versions of some Catalyst WiFi6 Access Points (refer Field Notice 72424) is available in 17.6.4. You are recommended to upgrade to 17.6.5.

    17.6.4 APSP1

    17.6.4 APSP provides fix for CSCwd80290 that allows IW3700 APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.

    17.6.3

    Cisco IOS XE 17.6.3 is a bug-fix only release. It includes all the fixes in 17.3.5a + the fix for CSCwb13784

    For customers using location with CMX or DNA Spaces, please be aware of CSCwb65054. SMU (hot patch) posted on cisco.com.

    Many bug fixes delivered via SMU patches in 17.6.3  and support for newer versions of some of the Catalyst WiFi6 Access Points (refer Field Notice 72424) is available in 17.6.4.  You are recommended to upgrade to 17.6.5.

    17.6.2

    Cisco IOS XE 17.6.2 adds support for handful of features.

    • Support of 802.1 with Web Authentication on MAC Authentication Failure
    • Mesh and Mesh + Flex support on C9124AXI/E/D outdoor APs
    • Per Client bi directional rate-limiting on 802.11ac wave 2 and 11ax Catalyst APs

    Many critical bugs on 17.6.2, for example CSCwb13784 which prevents wave 2 and 11ax APs from joining if the path MTU drops below 1000 bytes, are resolved in 17.6.4. You are recommended to upgrade to 17.6.5.

    17.6.1

    The new features supported in this release are documented in 17.6 Release Notes . 17.6.1 is vulnerable to several critical defects and you are recommended to upgrade to 17.6.5

    Bengaluru 17.5.1

    Cisco IOS XE 17.5.1 is a short-lived release with no MRs planned. Refer 17.5 End of Life Bulletin  The list of features supported in this release are listed in 17.5 Release Notes. For all new hardware and features supported starting 17.5, you are recommended to migrate to 17.6.5.

    Bengaluru 17.4.1

    Cisco IOS XE 17.4.1 is a short-lived release with no MRs planned. Refer 17.4 End of Life Bulletin. The list of features supported in 17.4 are listed in 17.4 Release Notes. For all new hardware and features supported starting 17.4, you are recommended to migrate to 17.6.5.

    Amsterdam 17.3

    Cisco IOS XE 17.3.x is a long-lived train with several MRs planned. 17.3 is the last Cisco IOS XE release for C9800 WLC to support Cisco IOS APs (with the exception of IW3700 which is supported even on later releases). Cisco recommends 17.3.6 + APSP5 + APSP6 CCO image for all deployments with IOS APs (1700/2700/3700/1572).

    17.3 End of Life Bulletin has been announced with last planned MR due by March 31, 2023. Use this timeline to plan your migration to 17.6 release

    17.3.6

    Cisco IOS XE 17.3.6 is primarily a bug-fix release. It adds support for

    • Mesh and mesh+flex feature for 9124 AXI/E/D access points
    • Newer versions (VIDs) of some Catalyst WiFi6 Access Points (refer Field Notice 72424). 

    17.3.6 APSP7

    APSP7 deliver IOS fixes in APSP5 and COS AP fixes in APSP6 as a unified patch.

    17.3.6 APSP6 via CSCwd89180

    17.3.6 APSP6 supersedes 17.3.6 APSP2 and fixes multiple COS AP (11ac wave2 and Catalyst 11ax) defects :

    CSCvx32806 COS-APs stuck in bootloop due to image checksum verification failed
    CSCwc32182  AP 1852 Radio Firmware Crash (SF 06029787/06121536/06208256)

    CSCwc89719 AP1832 Crashed due to radio failure(radio recovery failed) (SF#06180501)

    CSCvz99036 Cisco Access Points VLAN Bypass from Native VLAN Vulnerability
    CSCwd37092 Slow TCP downloads, failing TLS authentications in 8.10.181.0/17.3.6 - 2800/3800/4800 series
    CSCwc78435 9130 sending incorrect channel list on out of band DFS event causing client connectivity issues
    CSCwc88148  Additional enhancement for mac suspend issue (CSCwc72194 ) on driver side.

    17.3.6 APSP5 via CSCwd83653

    17.3.6 APSP5 provides fix for Cisco bug ID CSCwd80290 that allows Cisco IOS APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.

    17.3.6 APSP2 via CSCwd40096

    17.3.6 APSP2 provides fix for Cisco bug ID CSCwd37092

    Symptom: Slow downloads and EAP-TLS authentication failures for 2800/3800/4800/1560/6300 Access Points. To confirm the bug, run #show controllers nss stats on AP and check if INNER_CAPWAP_REASM_FAILED counter is incrementing

    Workaround: None; TCP download issue only seen on C9800 when tcp-adjust-mss 1250 has been explictly disabled under AP Join Profile. Enabling the setting prevents slow TCP downloads but UDP download slowness and EAP-TLS failures persists.

    It also includes fix for Cisco bug ID CSCvz99036  and Cisco bug ID CSCwc78435.

    17.3.5b

    Cisco IOS XE 17.3.5b is an updated iteration of 17.3.5a which incorporates bug fixes being delivered via SMU patches and escalation image on 17.3.5a.  Refer Resolved Defects in 17.3.5b for complete list.

    17.3.5a

    Cisco IOS XE 17.3.5a several important fixes  including

    • Fixes for known triggers of high CPU in WNCd (probes, ARP storm among others)
    • CAPWAP keepalive prioritization to prevent APs from dropping when WNCd CPU utilization spikes. 
    • Syslog to diagnose when SSID stops broadcasting and CLI recovery mechanism. Refer CSCwb01162.

    Caution: 17.3.5a CCO image is impacted by CSCwb13784 which prevents wave 2 and 11ax APs from joining if the path MTU drops below 1000 bytes and prevents Cisco IOS APs (1700/2700/3700) from joining if the path MTU drops below 1500 bytes.
    Fix: SMU (hot patch) posted to cisco.com provides fix for the issue and is mandatory to apply.

    17.3.4c

    Cisco IOS XE 17.3.4c fixes several critical and wide impact bugs in 17.3.4. 

    17.3.4

    Cisco IOS XE 17.3.4 is a bug-fix only release. 

    Note: Deployments with C9130s and C9124s, if running 17.3.3 need to upgrade to 17.3.4c before upgrading to 17.8.1, 17.9.1.

    17.3.3

    Cisco IOS XE 17.3.3 is a bug-fix only release.

    Caution: 17.3.3 is vulnerable to CSCvy11981
    Symptom: WNCD crash
    Trigger: If an AP name is 32 or more characters, there is memory corruption which leads to this crash
    Workaround: Ensure number of characters for AP name is 31 or less.

    17.3.2a

    Cisco IOS XE 17.3.2a , though a maintenance release, introduces features in addition to bug fixes. These features include

    • Smart Licensing using Policy [GUI Config only available in 17.4.1]
    • OEAP Personal SSID
    • AP Authorization using Serial Number [extended to all APs beyond those that present wlancc+FIPS +LSC certificate]
    • Assurance and IoT Services Coexistence Without iCAP
    • TLS tunnel to DNA-C on Cloud

    17.3.1

    Cisco IOS XE 17.3.1 introduced support for below hardware and solutions

    • 9105I and 9105W Access Points
    • Higher throughput template on 9800CL
    • Embedded Wireless on Catalyst 9k switches (non-SDA)
    • User Defined Network (UDN) and UDN Mobile Application
    • BLE Management on Controller
    • IOT Module Management

    For full list, refer to 17.3 Release Notes

    Amsterdam 17.2.1

    Cisco IOS XE 17.2.1 is a short lived train with no maintenance releases planned. See 17.2 End of Life Bulletin  All 17.2.x releases for C9800 are deferred.due to Field Notice FN70577  and CSCvu24770 . Cisco recommends migration to 17.3.5b for deployments using Cisco IOS APs (1700/2700/3700/1572) or 17.6.4 without  these Cisco IOS APs (1700/2700/3700/1572).

    Amsterdam 17.1.1

    Cisco IOS XE 17.1.1 is a short-lived release with no maintenance planned. See 17.1 End of Life - Bulletin. All 17.2.x releases for C9800 are deferred.due to Field Notice FN70577  and CSCvu24770 . Cisco recommends migration to 17.3.5b for deployments using Cisco IOS APs (1700/2700/3700/1572) or 17.6.4 without  these Cisco IOS APs (1700/2700/3700/1572).

    Gibraltar 16.12

    Cisco IOS XE 16.12 is the first long-lived release train for the 9800.  16.12.1 introduced support for these hardware and solutions.

    • 9800-L
    • 9800-CL on Google Cloud
    • 9120AXE, 9130AXI
    • Embedded Wireless Controller on Catalyst Access Point (EWC-AP)

    16.12.6a

    All 16.12.x release from 16.12.2 through 16.12.6a are bug-fix only releases. 16.12.6a is the last planned MR in this train. Refer  16.12 End of Life Bulletin.  Cisco recommends migration to 17.3.6 + APSP5 + APSP6 for all deployments using IOS APs (1700/2700/3700/1572) or 17.6.4 + APSP1 without these IOS APs (1700/2700/3700/1572).

    Note:All 16.12.x releases prior to 16.12.4a (16.12.1, 16.12.1s, 16.12.1t, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3s) are currently deferred to address CSCvu24770.

    Gibraltar 16.11.1

    Cisco IOS XE 16.11.1 is a short-lived release with no more maintenance planned. Refer End of Life - Bulletin. For all features in 16.x, Cisco recommends migration to 17.3.5b for deployments using IOS APs (1700/2700/3700/1572) or 17.6.4 without  these IOS APs (1700/2700/3700/1572).

    Gilbraltar 16.10.1

    Cisco IOS XE 16.10.1 is the first release of Cisco IOS XE software that officially supports Catalyst 9800 SKUs (Appliances: 9800-40, 9800-80; 9800 on private/public cloud; 9800-CL, as well as 9800 software on Catalyst 9300 Switches).  Cisco IOS XE 16.10.1e is the first release to support Cisco DNA Center integration with the Catalyst 9800. This is short-lived release with no maintenance releases (MRs) planned. Refer  End of Life - Bulletin. For all features in 16.x, Cisco recommends migration to 17.3.5b for deployments using IOS APs (1700/2700/3700/1572) or 17.6.4 without  these IOS APs (1700/2700/3700/1572).

    Field Programmable (FPGA) Firmware on Hardware 9800 WLC

    On physical Catalyst 9800 WLCs (9800L, 9800-40, 9800-80), besides IOS-XE, there are two other pieces of code that can be upgraded. 

    • ROM Monitor (ROMMON) -  It is the bootstrap program that initializes hardware and boots the IOS-XE software on the C9800 appliance.  You can check the ROMMON version running on your appliance by executing this command. 
    #show rom-monitor chassis {active | standby} R0
    • PHY - It refers to physical layer, specifically, the Shared Port Adapter (SPA) module that supports the front end distribution and uplink ports on C9800 appliances. You can view the PHY version running on your appliance by executing this command.
    #show platform hardware chassis active qfp datapath pmd ifdev | include FW

    New firmware is typically released to protect the health of the system (temperature sensors, fan, power supply and so on) and to address problems with data forwarding ina nd out of the physical ports. Cisco recommends upgrading to latest FPGA firmware available.  Upgrade Procedure along with the specific defects that for which new firmware was released if documented at Upgrade C9800 FPGA. Table 1 lists the version for each platform.

    ROMMON Ethernet PHY Fiber PHY
    9800-L-F 16.12(3r) N/A 17.3.2
    9800-L-C 16.12(3r) 17.3.2 N/A
    9800-40 N/A N/A 16.0.0
    9800-80 17.3(3r) N/A 16.0.0

    High Availability Software Maintenance on 9800 WLC

    C9800 provides multiple features that ensure availability during software maintenance phase of the deployment lifecycle. These include In-Service Software Upgrade (ISSU), Rolling AP upgrade, Hot and Cold Patch to address WLC defects or psirts, AP patches to address AP specific fixes as well as to support newer AP models on existing controller code. 

    ISSU

    ISSU support was introduced in 17.3.1 and is limited to long-lived releases (17.3.x, 17.6.x, and 17.9.x). That is, ISSU works

    1. Within long-lived major releases , for example, 17.3.x to 17.3.y, 17.6.x to 17.6.y, 17.9.x to 17.9.y
    2. Between long-lived major releases , for example, 17.3.x to 17.6.x, 17.3.x to 17.9.x

    Note: This is limited to two long-lived releases after the current supported long-lived release.

    ISSU is NOT supported

    1. Within minor releases of short-lived release trains, for example 17.4.x to 17.4.y or 17.5.x to 17.5.y 
    2. Between minor and major releases of short-lived release trains, for example 17.4.x to 17.5.x 
    3. Between long-lived and short-lived releases 17.3.x to 17.4.x or 17.5.x to 17.6.x.

    Software Maintenance Upgrade (SMU) Patch

    C9800 supports both Cold and Hot Patching which enables bug fixes to be provided as a Software Maintenance Upgrade (SMU) file.  

    • Hot Patch -  System reload is not required meaning WLC and APs continue to operate. In case of 9800 Stateful Switchover (SSO) pair, SMU install process applies the patch to both chassis.
    • Cold Patch -  System reload is needed for Cold Patch. In case of 9800 SSO pair, cold patch can be applied without downtime. 

    Access Point Service Pack

    Fixes for software defects on Access Points (APs) can be delivered via Access Point Service Packs. This requires reload of the APs but not of the 9800 WLC. 

    Access Point Device Pack

    Support for newer AP models is made available on existing WLC code, without needing WLC code upgrade. This AP will only support  the features available in existing WLC code.

    Guidelines and Requirements 

    1. SMU patches are only generated for long-lived releases like 16.12, 17.3, 17.6, 17.9 and so on after their MD release.
    2. SMUs can only be applied on 9800 WLC running Network Advantage License at the minimum. Refer Wireless Features Matrix for different Licenses 
    3. SMUs that are applicable to most deployments, are posted to cisco.com for customers to download on their own. 
    4. SMU or a patch is not possible for all bug fixes. Code changes involved in the bug fix typically determine the patchability.
    5. Applicability of SMU is evaluated on a per-defect basis. If your C9800 qualifies for an SMU patch, based on its licensing and you need an SMU for a specific defect, please engage Cisco Technical Assistance Center (TAC) to get the bug evaluated. 

    Refer C9800 WLC Patching Guide for more details on these capabilities.

    Cisco.com Location of SMUs, APSP and APDP images for different 9800s

    Step 1. Navigate to Downloads Home, and search for 9800 in the search bar for Select a Product, choose 9800 form factor applicable to you.

    SDS-search for 9800

    Step 2. From Software Type menu, choose SMU or APSP or APDP as needed.

    9800-SMU-APSP-APDP

    Note for Software Defined Access (SDA)

    Always refer to the SDA Compatibility Matrix for code combination recommendations that work best for SDA. It lists specific combinations of code on Cisco DNA Center, the Identity Service Engine (ISE), switches, routers and Wireless LAN Controller codes that have been tested by the SDA Solution Test team at Cisco.

    Inter Release Controller Mobility (IRCM)

    • IRCM is not supported with 2504/7510/vWLC Controllers and only supported with 5508/8510/5520/8540/3504 platforms.
    • For Inter-Release Controller Mobility (IRCM) compatibility with AireOS WLCs,
      • TAC recommends AireOS 8.10.171.0 for all deployments.
      • For deployments with older WLCs or Access Points in their environment, which cannot be upgraded past AireOS 8.5, TAC recommends 8.5.182.104 IRCM code.

    Note:Not all 8.5 code versions support IRCM. 8.5 IRCM versions available on cisco.com include 8.5.164.0, 8.5.164.216, 8.5.176.0, 8.5.176.1. 8.5.176.2, 8.5.182.104.

    For AireOS recommended code, please refer to:

    https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

    Features supported On Catalyst 9800 Series Wireless LAN Controllers

    Release Notes

    Cisco IOS XE Wireless Feature List per Release

    AireOS to Cisco IOS XE feature Comparison Matrix

    Flexconnect Feature Matrix for wave2 and 11ax Access Points

    Revision History

    Revision Publish Date Comments
    13.0
    20-Mar-2023
    Recommendation updated to 17.6.5
    12.0
    23-Jan-2023
    Added 17.10/17.9.2
    11.0
    23-Sep-2022
    Recommendation updated to 17.6.4 and added details on 17.9.1 and FN72424
    10.0
    31-Mar-2022
    Updated recommendation to 17.3.5a+SMU with caution for all releases impacted by CSCwb13784
    9.0
    14-Feb-2022
    Fixed typo.
    8.0
    05-Dec-2021
    updated recommendation to 17.3.4c and 17.6.2 Added EoL notices Added note on ISSU and firmware upgrade
    7.0
    04-Nov-2021
    updated bug fix ES
    6.0
    14-Oct-2021
    added note son APSP/SMU + detailed the recommendation some more
    5.0
    27-Sep-2021
    Add apsp link for 9105/9115/9120
    4.0
    19-Sep-2021
    added CSCvz56650 note
    3.0
    18-Sep-2021
    added links to APSP/SMU
    2.0
    01-Sep-2021
    Added 17.6.1 release Updated recommendation to 17.3.3ES10 Listed bugs impacting 17.3.4
    1.0
    16-Aug-2019
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Sudha Katgeri
      CX Technical Leadership

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products