Introduction
This document describes guidance for you to find the most reliable Cisco IOS XE software for Catalyst 9800 Wireless LAN Controllers (C9800 WLCs).
Background
The information in this document is applicable to the different form factors of the C9800 WLC, which include:
- Appliances (9800-40, 9800-80, 9800-L)
- Virtual Controllers (9800-CL in private and public clouds)
- Embedded Wireless Controllers on Catalyst 9000 Series switches
- Embedded Wireless Controllers on Catalyst Access Points (EWC-AP)
Access Point models supported by the C9800 include:
- IOS based 11ac Wave 1 Access Points (1700/2700/3700/1572) (not in all releases)
- COS based 11ac Wave 2 Access points (1800/2800/3800/4800/1540/1560)
- COS based Catalyst 11ax 91xx Series Access Points (9105/9115/9117/9120/9130/9136/9164/9166)
Co-existence of AireOS WLCs with C9800 WLC is taken into account for these recommendations. The recommendations cover all the releases of Cisco IOS XE software applicable to Catalyst 9800 WLCs. Typically, a newly released version (either a maintenance release or a new code train) is given a minimum of 2-3 weeks soak time in the field, and it becomes a candidate for Cisco general recommendation only if no catastrophic issues are reported. These recommendations are updated frequently as we receive feedback through internal testing, TAC cases, and so on.
TAC Recommended Builds
Dublin 17.12.1
Cisco IOS XE 17.12.1 is the first release in the long-lived 17.12.x release train. The new features supported in this release are listed in the 17.12 Release Notes.
Dublin 17.11.1
Cisco IOS XE 17.10.1 is a short-lived release with no MRs planned. See 17.11 EoL Bulletin. The new features supported in this release are listed in 17.11.1 Release Notes. For all features and hardware supported starting 17.10.1 or 17.11.1, it is recommended that you use 17.12.1.
Dublin 17.10.1
Cisco IOS XE 17.10.1 is a short-lived release with no MRs planned. See 17.10 EoL Bulletin. The new features supported in this release are listed in 17.10.1 Release Notes. For all features and hardware supported starting 17.10.1, it is recommended that you use 17.12.1.
Cupertino 17.9
Cisco IOS XE 17.9.x is a long-lived train with several MRs planned. Cisco recommends the 17.9.3 CCO image for all deployments.
17.9.3
Cisco IOS XE 17.9.3 is a bug fix release that also adds:
- Support for IW9167E
- Ability to specify site load for better load balancing of APs across Wireless Network Control daemon (WNCd) instances on the C9800
- Reintroduced support for Wave 1 Access Points (1700/2700/3700/1572), but this support does not extend beyond the normal product lifecycle support. Features for these APs are in parity with features on 17.3, and upgrade from 17.3.x to 17.9.3 is supported for x >= 4c. For more details, see the FAQ.
- Command to disable AAA Interim Accounting on the C9800
Caution:
1. Before upgrading to 17.9.3:
a. If the C9800 WLC is not running 17.3.6+APSP6, 17.3.7 or 17.6.5, then COS APs registered over WAN to the WLC are at risk of image corruption. Refer to the How to avoid boot loop due to image corruption document, both to avoid getting APs stuck in a boot loop and to recover APs stuck in a boot loop.
b. Upgrade the ROMMON version on C9800-40 to 17.7(3r). Refer to the FPGA section of this document for other platforms and the upgrade procedure.
2. CSCwe01579: C9800 crashes at a scale of 4k APs if an RF tag is misconfigured to point to a non-existent RF profile. Impacts 17.9.3, 17.6.5, 17.3.7, 17.10 and 17.11.
17.9.3 APSP1
17.9.3 APSP1 provides AP fixes for:
- CSCwd91054: When clients in a Flex central authentication deployment do Sticky Key Caching (SKC) roaming with an old PMKID, they get stuck in Authenticating state.
- CSCwe55390: 3802AP buffering UP6/voice traffic for ~500ms after Spectralink phone roam causes audio issues like robotic voice
- CSCwe04602: COS AP fails to forward traffic to wireless client for about 60 seconds in SDA Fabric WLANs
- CSCwe66515: 9136 AP in 17.9.2 version not registering the M2 response from client
- CSCwe88776: EWC capable MAP waiting 3 mins in capwap init
Note: These fixes are also available in the 17.9 Escalation Image, which can be requested from Cisco TAC.
17.9.2
Cisco IOS XE 17.9.2 is a bug fix release with the exception of a couple of new features (check the release notes for more information). Several critical bug fixes and support for newer versions of some Catalyst WiFi6 Access Points (refer to Field Notice 72424) are available in 17.9.2. It is recommended that you upgrade to 17.9.3.
17.9.2 APSP1
17.9.2 APSP1 provides a fix for CSCwd80290 that allows IW3700 APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.
17.9.1
Cisco IOS XE 17.9.1 is the first release in the long-lived 17.9.x release train. This is the first release to support Cisco Catalyst 916x Series APs. The new features supported in this release are listed in 17.9.1 Release Notes.
Caution: Support for newer versions of some Catalyst WiFi6 Access Points (refer to Field Notice 72424) is NOT available in 17.9.1 but is available in 17.9.2.
Cupertino 17.8.1
Cisco IOS XE 17.8.1 is a short-lived release with no MRs planned. See 17.8.1 EoL Bulletin. The new features supported in this release are listed in 17.8.1 Release Notes. For all features and hardware supported starting 17.8.1, it is recommended that you use 17.9.3.
Note: Deployments with C9130s and C9124s that are running 17.3.3 need to upgrade to 17.3.4c before upgrading to 17.8.1.
Cupertino 17.7.1
Cisco IOS XE 17.7.1 is a short-lived release with no MRs planned. See 17.7.1 EoL Bulletin. The new features supported in this release are listed in 17.7.1 Release Notes. For all features and hardware supported starting 17.7.1, it is recommended that you use 17.9.3.
Caution: 17.7.1 is impacted by CSCwb13784, which prevents wave 2 and 11ax APs from joining if the path MTU drops under 1000 bytes.
Bengaluru 17.6
Cisco IOS XE 17.6.x is a long-lived train with multiple MRs. There are only 2 more MRs targeted for the 17.6 train. Refer to the 17.6 End of Life Bulletin. Cisco recommends that customers start planning migration to the 17.9.3 CCO image for all deployments.
17.6.5
Cisco IOS XE 17.6.5 is a bug fix only release and adds the configuration, under Policy Profile, to disable Interim Accounting.
17.6.4
Cisco IOS XE 17.6.4 is a bug fix only release and adds the configuration, under AP Join Profile, to enable the AP serial console. Several critical bug fixes and support for newer versions of some Catalyst WiFi6 Access Points (refer to Field Notice 72424) are available in 17.6.4. Cisco recommends migrating to 17.9.3.
17.6.4 APSP1
17.6.4 APSP provides a fix for CSCwd80290 that allows IW3700 APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.
17.6.3
Cisco IOS XE 17.6.3 is a bug-fix only release. It includes all the fixes in 17.3.5a + the fix for CSCwb13784.
Customers using location with CMX or DNA Spaces should be aware of CSCwb65054. An SMU (hot patch) is posted on cisco.com.
Many bug fixes delivered via SMU patches in 17.6.3 and support for newer versions of some of the Catalyst WiFi6 Access Points (refer to Field Notice 72424) are available in 17.6.4. Cisco recommends migrating to 17.9.3.
17.6.2
Cisco IOS XE 17.6.2 adds support for a handful of features:
- Support of 802.1 with Web Authentication on MAC Authentication Failure
- Mesh and Mesh + Flex support on C9124AXI/E/D outdoor APs
- Per Client bi directional rate-limiting on 802.11ac wave 2 and 11ax Catalyst APs
Many critical bugs on 17.6.2, for example CSCwb13784, which prevents wave 2 and 11ax APs from joining if the path MTU drops below 1000 bytes, are resolved in 17.6.4. Cisco recommends migrating to 17.9.3.
17.6.1
The new features supported in this release are documented in 17.6 Release Notes. 17.6.1 is vulnerable to several critical defects and should be avoided.
Bengaluru 17.5.1
Cisco IOS XE 17.5.1 is a short-lived release with no MRs planned. Refer to the 17.5 End of Life Bulletin. The features supported in this release are listed in 17.5 Release Notes. For all new hardware and features supported starting 17.5, Cisco recommends you migrate to 17.9.3.
Bengaluru 17.4.1
Cisco IOS XE 17.4.1 is a short-lived release with no MRs planned. Refer to the 17.4 End of Life Bulletin. The features supported in 17.4 are listed in 17.4 Release Notes. For all new hardware and features supported starting 17.4, Cisco recommends you migrate to 17.9.3.
Amsterdam 17.3
Cisco IOS XE 17.3.x is a long-lived train with several maintenance releases (MRs). 17.3 has reached End of Software Maintenance as documented in the 17.3 End of Life Bulletin. The last MR for 17.3 will be a PSIRT-only release targeted for September 2023. Cisco recommends 17.3.7 as the minimum code; for customers looking to adopt WiFi-6E technology, new hardware or features beyond 17.3, Cisco recommends the 17.9.3 CCO image.
17.3.7
Cisco IOS XE 17.3.7 is the last bug-fix MR in the 17.3 release train. For customers looking to stay on the 17.3 train, Cisco recommends 17.3.7.
17.3.6
Cisco IOS XE 17.3.6 is primarily a bug-fix release. It adds support for:
- Mesh and mesh+flex feature for 9124 AXI/E/D access points
- Newer versions (VIDs) of some Catalyst WiFi6 Access Points (refer Field Notice 72424).
17.3.6 APSP7
APSP7 delivers the IOS fixes in APSP5 and the COS AP fixes in APSP6 as a unified patch.
17.3.6 APSP6 via
17.3.6 APSP6 supersedes 17.3.6 APSP2 and fixes multiple COS AP (11ac wave2 and Catalyst 11ax) defects:
- CSCvx32806: COS-APs stuck in bootloop due to image checksum verification failed
- CSCwc32182: AP 1852 Radio Firmware Crash (SF 06029787/06121536/06208256)
- CSCwc89719: AP1832 Crashed due to radio failure (radio recovery failed) (SF#06180501)
- CSCvz99036: Cisco Access Points VLAN Bypass from Native VLAN Vulnerability
- CSCwd37092: Slow TCP downloads, failing TLS authentications in 8.10.181.0/17.3.6 - 2800/3800/4800 series
- CSCwc78435: 9130 sending incorrect channel list on out of band DFS event causing client connectivity issues
- CSCwc88148: Additional enhancement for mac suspend issue (CSCwc72194) on driver side.
17.3.6 APSP5 via CSCwd83653
17.3.6 APSP5 provides a fix for Cisco bug ID CSCwd80290 that allows Cisco IOS APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.
17.3.6 APSP2 via CSCwd40096
17.3.6 APSP2 provides a fix for Cisco bug ID CSCwd37092.
Symptom: Slow downloads and EAP-TLS authentication failures for 2800/3800/4800/1560/6300 Access Points. To confirm the bug, run #show controllers nss stats on the AP and check whether the INNER_CAPWAP_REASM_FAILED counter is incrementing.
Workaround: None. The TCP download issue is only seen on C9800 when tcp-adjust-mss 1250 has been explicitly disabled under the AP Join Profile. Enabling the setting prevents slow TCP downloads, but UDP download slowness and EAP-TLS failures persist.
It also includes the fixes for Cisco bug ID CSCvz99036 and Cisco bug ID CSCwc78435.
17.3.5b
Cisco IOS XE 17.3.5b is an updated iteration of 17.3.5a that incorporates the bug fixes delivered via SMU patches and the escalation image on 17.3.5a. Refer to Resolved Defects in 17.3.5b for the complete list.
17.3.5a
Cisco IOS XE 17.3.5a contains several important fixes, including:
- Fixes for known triggers of high CPU in WNCd (probes, ARP storm among others)
- CAPWAP keepalive prioritization to prevent APs from dropping when WNCd CPU utilization spikes.
- Syslog to diagnose when an SSID stops broadcasting, and a CLI recovery mechanism. Refer to CSCwb01162.
Caution: The 17.3.5a CCO image is impacted by CSCwb13784, which prevents wave 2 and 11ax APs from joining if the path MTU drops below 1000 bytes and prevents Cisco IOS APs (1700/2700/3700) from joining if the path MTU drops below 1500 bytes.
Fix: The SMU (hot patch) posted to cisco.com fixes the issue and is mandatory to apply.
17.3.4c
Cisco IOS XE 17.3.4c fixes several critical and wide impact bugs in 17.3.4.
17.3.4
Cisco IOS XE 17.3.4 is a bug-fix only release.
Note: Deployments with C9130s and C9124s that are running 17.3.3 need to upgrade to 17.3.4c before upgrading to 17.8.1, 17.9.1.
17.3.3
Cisco IOS XE 17.3.3 is a bug-fix only release.
Caution: 17.3.3 is vulnerable to CSCvy11981.
Symptom: WNCD crash.
Trigger: If an AP name is 32 or more characters long, memory corruption occurs, which leads to this crash.
Workaround: Ensure that the AP name is 31 characters or fewer.
17.3.2a
Cisco IOS XE 17.3.2a, though a maintenance release, introduces features in addition to bug fixes. These features include:
- Smart Licensing using Policy [GUI Config only available in 17.4.1]
- OEAP Personal SSID
- AP Authorization using Serial Number [extended to all APs beyond those that present wlancc+FIPS +LSC certificate]
- Assurance and IoT Services Coexistence Without iCAP
- TLS tunnel to DNA-C on Cloud
17.3.1
Cisco IOS XE 17.3.1 introduced support for the following hardware and solutions:
- 9105I and 9105W Access Points
- Higher throughput template on 9800CL
- Embedded Wireless on Catalyst 9k switches (non-SDA)
- User Defined Network (UDN) and UDN Mobile Application
- BLE Management on Controller
- IOT Module Management
For the full list, refer to 17.3 Release Notes.
Amsterdam 17.2.1
Cisco IOS XE 17.2.1 is a short-lived train with no maintenance releases planned. See 17.2 End of Life Bulletin. All 17.2.x releases for C9800 are deferred due to Field Notice FN70577 and CSCvu24770. Cisco recommends migration to 17.9.3 for all deployments.
Amsterdam 17.1.1
Cisco IOS XE 17.1.1 is a short-lived release with no maintenance planned. See 17.1 End of Life Bulletin. All 17.2.x releases for C9800 are deferred due to Field Notice FN70577 and CSCvu24770. Cisco recommends migration to 17.9.3 for all deployments.
Gibraltar 16.12
Cisco IOS XE 16.12 is the first long-lived release train for the 9800. 16.12.1 introduced support for these hardware and solutions:
- 9800-L
- 9800-CL on Google Cloud
- 9120AXE, 9130AXI
- Embedded Wireless Controller on Catalyst Access Point (EWC-AP)
16.12.8
All 16.12.x releases from 16.12.2 through 16.12.7 are bug-fix only releases. 16.12.8 is the last planned MR in this train. Refer to the 16.12 End of Life Bulletin. Cisco recommends migration to 17.9.3 for all deployments.
Note: All 16.12.x releases prior to 16.12.4a (16.12.1, 16.12.1s, 16.12.1t, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3s) are deferred to address CSCvu24770.
Gibraltar 16.11.1
Cisco IOS XE 16.11.1 is a short-lived release with no more maintenance planned. Refer to the End of Life Bulletin. For all features in 16.x, Cisco recommends migration to 17.9.3 for all deployments.
Gibraltar 16.10.1
Cisco IOS XE 16.10.1 is the first release of Cisco IOS XE software that officially supports Catalyst 9800 SKUs (Appliances: 9800-40, 9800-80; 9800 on private/public cloud; 9800-CL, as well as 9800 software on Catalyst 9300 Switches). Cisco IOS XE 16.10.1e is the first release to support Cisco DNA Center integration with the Catalyst 9800. This is a short-lived release with no maintenance releases (MRs) planned. Refer to the End of Life Bulletin. For all features in 16.x, Cisco recommends migration to 17.9.3 for all deployments.
Field Programmable (FPGA) Firmware on Hardware 9800 WLC
On physical Catalyst 9800 WLCs (9800L, 9800-40, 9800-80), besides IOS-XE, there are two other pieces of code that can be upgraded.
- ROM Monitor (ROMMON) - It is the bootstrap program that initializes hardware and boots the IOS-XE software on the C9800 appliance. You can check the ROMMON version running on your appliance by executing this command.
#show rom-monitor chassis {active | standby} R0
- PHY - It refers to physical layer, specifically, the Shared Port Adapter (SPA) module that supports the front end distribution and uplink ports on C9800 appliances. You can view the PHY version running on your appliance by executing this command.
#show platform hardware chassis active qfp datapath pmd ifdev | include FW
New firmware is typically released to protect the health of the system (temperature sensors, fan, power supply and so on) and to address problems with data forwarding in and out of the physical ports. Cisco recommends upgrading to the latest FPGA firmware available. The upgrade procedure, along with the specific defects for which new firmware was released, is documented at Upgrade C9800 FPGA. Table 1 lists the version for each platform.
| Platform | ROMMON | Ethernet PHY | Fiber PHY |
|---|---|---|---|
| 9800-L-F | 16.12(3r) | N/A | 17.11.1 |
| 9800-L-C | 16.12(3r) | 17.11.1 | N/A |
| 9800-40 | 17.7(3r) | N/A | 16.0.0 |
| 9800-80 | 17.3(3r) | N/A | 16.0.0 |
High Availability Software Maintenance on 9800 WLC
C9800 provides multiple features that ensure availability during the software maintenance phase of the deployment lifecycle. These include In-Service Software Upgrade (ISSU), Rolling AP upgrade, Hot and Cold Patch to address WLC defects or PSIRTs, and AP patches to address AP-specific fixes as well as to support newer AP models on existing controller code.
ISSU
ISSU support was introduced in 17.3.1 and is limited to long-lived releases (17.3.x, 17.6.x, and 17.9.x). That is, ISSU works:
- Within long-lived major releases, for example, 17.3.x to 17.3.y, 17.6.x to 17.6.y, 17.9.x to 17.9.y
- Between long-lived major releases, for example, 17.3.x to 17.6.x, 17.3.x to 17.9.x
Note: This is limited to two long-lived releases after the current supported long-lived release.
ISSU is NOT supported:
- Within minor releases of short-lived release trains, for example 17.4.x to 17.4.y or 17.5.x to 17.5.y
- Between minor and major releases of short-lived release trains, for example 17.4.x to 17.5.x
- Between long-lived and short-lived releases, for example 17.3.x to 17.4.x or 17.5.x to 17.6.x
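The ISSU rules above can be encoded as a pre-upgrade check that runs before a maintenance window is scheduled. The following Python code is an added example, not Cisco code: the function names `parse_release` and `issu_supported` are hypothetical, and it assumes that only upgrades (not downgrades) are being evaluated.

```python
import re

# Long-lived trains the page lists as ISSU-capable, oldest first.
PAGE_ISSU_TRAINS = ((17, 3), (17, 6), (17, 9))
# Page note: at most two long-lived releases beyond the current one.
MAX_TRAIN_JUMP = 2

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_release(text):
    """Split '17.3.4c' into ((17, 3), 4, 'c'); raise ValueError if malformed."""
    match = RELEASE_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised IOS XE release: {text!r}")
    major, minor, maint, suffix = match.groups()
    return (int(major), int(minor)), int(maint), suffix


def issu_supported(current, target, trains=PAGE_ISSU_TRAINS):
    """Return (allowed, reason) for an ISSU upgrade from current to target.

    Assumption: only upgrades are evaluated; a target that is not newer
    than the current release is rejected.
    """
    cur_train, cur_maint, cur_sfx = parse_release(current)
    tgt_train, tgt_maint, tgt_sfx = parse_release(target)

    # Both ends must sit on a long-lived train; short-lived trains never qualify.
    for label, train in (("current", cur_train), ("target", tgt_train)):
        if train not in trains:
            name = f"{train[0]}.{train[1]}"
            return False, f"{label} train {name} is not a long-lived ISSU train"

    jump = trains.index(tgt_train) - trains.index(cur_train)
    if jump < 0:
        return False, "target train is older than the current train"
    if jump > MAX_TRAIN_JUMP:
        return False, "target is more than two long-lived releases ahead"
    if jump == 0:
        # Same train: compare maintenance number, then letter suffix (4 < 4c).
        if (tgt_maint, tgt_sfx) <= (cur_maint, cur_sfx):
            return False, "target is not newer than the current release"
        return True, "within one long-lived train"
    return True, "between long-lived trains"


if __name__ == "__main__":
    # Constructed upgrade pairs using release numbers that appear on the page.
    for pair in [("17.3.4c", "17.3.7"), ("17.3.7", "17.9.3"),
                 ("17.5.1", "17.6.5"), ("17.3.7", "17.4.1"),
                 ("16.12.8", "17.3.7")]:
        print(pair, issu_supported(*pair))
```

The `trains` argument defaults to the three trains this section names; passing a longer tuple to model later long-lived trains is an assumption, and the two-release limit from the note is then enforced by `MAX_TRAIN_JUMP`.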
Software Maintenance Upgrade (SMU) Patch
C9800 supports both Cold and Hot Patching, which enables bug fixes to be provided as a Software Maintenance Upgrade (SMU) file.
- Hot Patch - System reload is not required, meaning the WLC and APs continue to operate. In case of a 9800 Stateful Switchover (SSO) pair, the SMU install process applies the patch to both chassis.
- Cold Patch - System reload is needed for a Cold Patch. In case of a 9800 SSO pair, a cold patch can be applied without downtime.
Access Point Service Pack
Fixes for software defects on Access Points (APs) can be delivered via Access Point Service Packs. This requires a reload of the APs but not of the 9800 WLC.
Access Point Device Pack
Support for newer AP models is made available on existing WLC code, without needing a WLC code upgrade. The new AP only supports the features available in the existing WLC code.
Guidelines and Requirements
- SMU patches are only generated for long-lived releases like 16.12, 17.3, 17.6, 17.9 and so on, after their MD release.
- SMUs can only be applied on a 9800 WLC running the Network Advantage License at the minimum. Refer to the Wireless Features Matrix for the different licenses.
- SMUs that are applicable to most deployments are posted to cisco.com for customers to download on their own.
- An SMU or patch is not possible for every bug fix. The code changes involved in the bug fix typically determine the patchability.
- Applicability of an SMU is evaluated on a per-defect basis. If your C9800 qualifies for an SMU patch based on its licensing and you need an SMU for a specific defect, please engage Cisco Technical Assistance Center (TAC) to get the bug evaluated.
Refer to the C9800 WLC Patching Guide for more details on these capabilities.
Cisco.com Location of SMUs, APSP and APDP images for different 9800s
Step 1. Navigate to Downloads Home, search for 9800 in the Select a Product search bar, and choose the 9800 form factor applicable to you.

Step 2. From the Software Type menu, choose SMU or APSP or APDP as needed.

Note for Software Defined Access (SDA)
Always refer to the SDA Compatibility Matrix for code combination recommendations that work best for SDA. It lists specific combinations of code on Cisco DNA Center, the Identity Service Engine (ISE), switches, routers and Wireless LAN Controllers that have been tested by the SDA Solution Test team at Cisco.
Inter Release Controller Mobility (IRCM)
- IRCM is not supported with 2504/7510/vWLC Controllers and is only supported with 5508/8510/5520/8540/3504 platforms.
- For Inter-Release Controller Mobility (IRCM) compatibility with AireOS WLCs:
- TAC recommends AireOS 8.10.171.0 for all deployments.
- For deployments with older WLCs or Access Points in their environment, which cannot be upgraded past AireOS 8.5, TAC recommends 8.5.182.104 IRCM code.
Note: Not all 8.5 code versions support IRCM. 8.5 IRCM versions available on cisco.com include 8.5.164.0, 8.5.164.216, 8.5.176.0, 8.5.176.1, 8.5.176.2, 8.5.182.104.
For AireOS recommended code, please refer to:
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
Features supported On Catalyst 9800 Series Wireless LAN Controllers
Release Notes
Cisco IOS XE Wireless Feature List per Release
AireOS to Cisco IOS XE feature Comparison Matrix
Flexconnect Feature Matrix for wave2 and 11ax Access Points