Introduction
This document describes guidance for you to find the most reliable Cisco IOS XE software for Catalyst 9800 Wireless LAN Controllers (C9800 WLCs).
Background
The information in this document is applicable to the different form factors of the C9800 WLC, which include:
- Appliances (9800-40, 9800-80, 9800-L)
- Virtual Controllers (9800-CL in private and public clouds)
- Embedded Wireless Controllers on Catalyst 9000 Series switches
- Embedded Wireless Controllers on Catalyst Access Points (EWC-AP)
Access Point models supported by the C9800 include:
- IOS based 11ac Wave 1 Access Points (1700/2700/3700/1572) (not in all releases)
- COS based 11ac Wave 2 Access points (1800/2800/3800/4800/1540/1560)
- COS based Catalyst 11ax 91xx Series Access Points (9105/9115/9117/9120/9130/9136/9164/9166)
Co-existence of AireOS WLCs with C9800 WLCs is taken into account for these recommendations. The recommendations cover all releases of Cisco IOS XE software applicable to Catalyst 9800 WLCs. Typically, a newly released version (either a maintenance release or a new code train) is given a minimum of 2-3 weeks of soak time in the field, and it becomes a candidate for Cisco general recommendation only if no catastrophic issues are reported. These recommendations are updated frequently as we receive feedback through internal testing, TAC cases, and so on.
TAC Recommended Builds
IOS XE 17.15
IOS XE 17.15 is a long-lived train with several maintenance releases (MR) planned.
17.15.1
IOS XE 17.15.1 is the first version of the 17.15 train. This is the recommended release if you are using the new CW9800H or CW9800M WLCs, which can only run versions later than 17.14.
17.15.1 contains the fix for the "regreSSHion" vulnerability on access points described in Cisco bug ID CSCwk62269.
IOS XE 17.14.1
Cisco IOS XE 17.14.1 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.14 release notes.
This is the first release to support CW9800M and CW9800H1/2 WLCs. Those WLCs can only run releases later than 17.14.
IOS XE 17.13.1
Cisco IOS XE 17.13.1 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.13 release notes.
Dublin 17.12
The new features supported in this release are listed in 17.12 release notes. Cisco recommends 17.12.3 for all deployments. Both 17.9.5 and 17.12.3 are recommended at this time.
Some of the major advantages of 17.12 over 17.9 include:
- Support for 6GHz in more countries
- Possibility to use a single WPA2+WPA3 SSID for 5 and 6GHz
- An RRM-based algorithm to load-balance APs across WNCd processes
17.12.4
Cisco IOS XE 17.12.4 is the third bug-fix release in the 17.12 train. It is not the recommended release for 17.12 yet but is being considered for it. 17.12.4 contains the fix for the "regreSSHion" vulnerability on access points described in Cisco bug ID CSCwk62269.
17.12.3
Cisco IOS XE 17.12.3 is the second bug-fix release in the 17.12 train. This is the version recommended for all deployments using features or hardware supported in 17.10.1 or later releases.
In case you have an SD-Access deployment, be aware of Cisco bug ID CSCwj04031: WLC forces SGT to 0 when the client releases IPv6 link-local address. Contact TAC to get a SMU patch if you are affected.
17.12.2
Cisco IOS XE 17.12.2 is the first bug-fix release in the 17.12 train and includes the fix for CVE-2023-20198 CVE-2023-20273 / CSCwh87343. This is the version recommended for all deployments using features or hardware supported in 17.10.1 or later releases.
Dublin 17.11.1
Cisco IOS XE 17.10.1 is a short-lived release with no MRs planned. See 17.11 EoL Bulletin. The new features supported in this release are listed in 17.11.1 Release Notes. For all features and hardware supported starting 17.10.1 or 17.11.1, you are recommended to use 17.12.2.
Dublin 17.10.1
Cisco IOS XE 17.10.1 is a short-lived release with no MRs planned. See 17.10 EoL Bulletin. The new features supported in this release are listed in 17.10.1 Release Notes. For all features and hardware supported starting 17.10.1, you are recommended to use 17.12.2.
Cupertino 17.9
Cisco IOS XE 17.9.x is a long-lived train with several MRs planned. Cisco recommends 17.9.5 for all deployments. Both 17.9.5 and 17.12.3 are recommended at this time.
Note:
1) SMUs and APSPs require a Network Advantage License. For deployments with Network Essentials license, the bug fixes are available in 17.9 Escalation Image that can be requested from Cisco TAC. Upgrading to an Escalation Image requires downtime.
2) APSPs are incremental, that is each APSP version includes fixes from all previous versions of APSPs.
3) Evaluate the bugs under each APSP and apply those APSPs that include fixes for AP models in your deployment.
17.9.5
Cisco IOS XE 17.9.5 is a bug fix release, fixing all the issues covered by 17.9.4a as well as the APSPs. If you have 9162 APs, be aware of CSCwj45141, which is an issue that started in 17.9.4APSP8.
In case you have an SD-Access deployment, be aware of Cisco bug ID CSCwj04031: WLC forces SGT to 0 when the client releases IPv6 link-local address. Contact TAC to get a SMU patch if you are affected.
17.9.4a
Cisco IOS XE 17.9.4a is published to address multiple vulnerabilities in the Cisco IOS XE Software Web UI Feature described in CVE-2023-20198 CVE-2023-20273 / CSCwh87343.
In case you have an SD-Access deployment, be aware of Cisco bug ID CSCwj04031: WLC forces SGT to 0 when the client releases IPv6 link-local address. Contact TAC to get a SMU patch if you are affected.
17.9.4a APSP6 (AP version: 17.9.4.201)
17.9.4a APSP6 includes the same fixes as 17.9.4 APSP6 even though the AP version label is different from that of 17.9.4 APSP6. These fixes include:
CSCwh61011 Cisco 9120 and 9115 APs unexpected disjoins from WLC and not able to establish DTLS again
CSCwh74663 3800 not sending QoS data frames downstream due to RadarDetected flag as TRUE
CSCwh81332 9130APs had kernel panic crashes after upgrade to 17.6.6 (regression fix for CSCwf87904)
CSCwh60483 9136I-ROW AP - Wrong temperature readings, off by 100s degrees
CSCwf53520 Cisco 1815 AP running version 17.9.2: Kernel panic crash observed
CSCwf93992 2800 flex APs are not processing EAP-TLS fragmented packets if delay is more than 50ms
CSCwf85025 C9166-ROW AP with country code GB, reduces txpower after channel change causing clients to fail to connect.
CSCwh02913 AP kernel crash due to assert:"TXPKTPENDTOT(wlc)== 0" failed: file "wlc_mutx.c:4247"
CSCwh08625 Kernel Panic on C9105, C9115, C9120 APs with PC is at _raw_spin_unlock
CSCwf68131 C9105AXW - bad block monitoring
CSCwf50177 C9105AXW - large number of bad blocks
17.9.4
Cisco IOS XE 17.9.4 is primarily a bug fix release that also adds
17.9.4 SMU_CSCwh87343 (cold SMU ; requires reload)
17.9.4 SMU provides a fix for
CSCwh87343 / CVE-2023-20198 CVE-2023-20273 Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature. The WLC needs to be reloaded to apply this SMU.
17.9.4 APSP6 (AP version: 17.9.4.206)
17.9.4 APSP5 includes fixes in APSP1, APSP2 and APSP5 and also adds fixes for:
CSCwh61011 Cisco 9120 and 9115 APs unexpected disjoins from WLC and not able to establish DTLS again
CSCwh74663 3800 not sending QoS data frames downstream due to RadarDetected flag as TRUE
CSCwh81332 9130APs had kernel panic crashes after upgrade to 17.6.6 (regression fix for CSCwf87904)
CSCwh60483 9136I-ROW AP - Wrong temperature readings, off by 100s degrees
17.9.4 APSP5 (AP version: 17.9.4.205)
17.9.4 APSP5 includes fixes in APSP1 and APSP2 and also adds fixes for:
CSCwf53520 Cisco 1815 AP running version 17.9.2: Kernel panic crash observed
CSCwf93992 2800 flex APs are not processing EAP-TLS fragmented packets if delay is more than 50ms
17.9.4 APSP2 (AP version: 17.9.4.202)
17.9.4 APSP2 includes all APSP1 fixes and also adds fixes for:
CSCwf85025 C9166-ROW AP with country code GB, reduces txpower after channel change causing clients to fail to connect.
CSCwh02913 AP kernel crash due to assert:"TXPKTPENDTOT(wlc)== 0" failed: file "wlc_mutx.c:4247"
CSCwh08625 Kernel Panic on C9105, C9115, C9120 APs with PC is at _raw_spin_unlock
17.9.4 APSP1 (AP version: 17.9.4.201)
17.9.4 APSP1 provides fixes for C9105AXW that address:
CSCwf68131 C9105AXW - bad block monitoring
CSCwf50177 C9105AXW - large number of bad blocks
17.9.3
Cisco IOS XE 17.9.3 is a bug fix release that also adds
- Support for IW9167E
- Ability to specify site load for better load balancing of APs across Wireless Network Control daemon (WNCd) instances on the C9800
- Reintroduces support for Wave 1 Access Points (1700/2700/3700/1572) but this support does not extend beyond the normal product lifecycle support. Features for these APs are in parity with features on 17.3 and upgrade from 17.3.x to 17.9.3 is supported for x >=4c. For more details, see the FAQ.
- Command to disable AAA Interim Accounting on the C9800
If you are running 17.9.3, Cisco recommends, at the minimum, that you apply SMUs and applicable APSPs and HTTP ACLs for CSCwh87343 until the WLC can be upgraded to 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP (as needed).
17.9.3 + SMUs + APSP4 CCO image for deployments with 11ac wave 2 AP Series (2800, 3800, 4800, 1560, 6300) to address Field Notice FN74035 / CSCwf67316
17.9.3 + SMUs + APSP5 CCO image for deployments with 11ax Catalyst AP series (C9105) to address CSCwf68131 and CSCwf50177
17.9.3 + SMUs + APSP3 CCO image for all other deployments.
Caution: Before upgrading to 17.9.3,
a. If the C9800 WLC is not running 17.3.6+APSP6, 17.3.7 or 17.6.5, then COS APs registered over WAN to the WLC are at risk of image corruption. Refer to the How to avoid boot loop due to image corruption document either to avoid getting APs stuck in a boot loop or to recover APs stuck in a boot loop.
b. Upgrade the ROMMON version on C9800-40 to 17.7(3r) to avoid CSCvp25150. Refer to the FPGA section of this document for the recommended version of ROMMON on other platforms and the ROMMON upgrade procedure.
17.9.3 SMUs
Three SMUs are posted for 17.9.3 that include fixes for:
CSCwf55303 Active WLC reboots when RP link comes up (hitless, does not require WLC reload)
CSCwe01579 WNCd crash observed at rrm_client_coverage_rssi_record_create during rrm scale (requires WLC reload)
CSCwf60151 Memory leak with pubd triggering crash on WLC (hitless, does not require WLC reload)
17.9.3 APSP5 (AP Version: 17.9.3.205)
17.9.3 APSP4 provides AP fixes for:
CSCwf68131 C9105AXW - bad block monitoring
CSCwf50177 C9105AXW - large number of bad blocks
17.9.3 APSP4 (AP Version: 17.9.3.204)
17.9.3 APSP3 provides AP fixes for:
CSCwf67316 - 2800/3800/4800/1560/IW6300 can not detect radar on the required levels
17.9.3 APSP3 (AP Version: 17.9.3.203)
17.9.3 APSP3 provides AP fixes for:
CSCwe73758 9115 AX AP Beacon stuck on 5GHz
CSCwf07605 C9105AXW and 1815W Mac device cannot get an IP address in the Ethernet port after AAA VLAN override
CSCwe91394 Aeroscout T15e Tags not reporting temp data due to extra bytes after upgrading WLC to 17.92 or 17.10.1
CSCwf29742 FW crashed While Running Multicast & Longevity with 80+ clients (After 12 Hrs)
17.9.3 APSP2 (AP Version: 17.9.3.202)
17.9.2 APSP2 provides AP fixes for:
CSCwe32853 AP C9124AXI does not forward RLAN traffic to the upstream network. [SF 06513662]
CSCwd41463 Cisco 3800, 4800 APs stop sending IGMP membership report
17.9.3 APSP1 (AP Version: 17.9.3.201)
17.9.3 APSP1 provides AP fixes for:
CSCwd91054 When clients in Flex central authentication deployment, do Sticky Key Caching (SKC) roaming with old PMKID, they get stuck in Authenticating state.
CSCwe55390 3802AP buffering UP6/voice traffic for ~500ms after Spectralinkphone roam causes audio issues like robotic voice
CSCwe04602 COS AP fails to forward traffic to wireless client for about 60 seconds in SDA Fabric WLANs
CSCwe66515 9136 AP in 17.9.2 version not registering the M2 response from client
CSCwe88776 EWC capable MAP waiting 3 mins in capwap init
17.9.2
Cisco IOS XE 17.9.2 is a bug fix release with the exception of a couple of new features (check the release notes for more information). Several critical bug fixes and support for newer versions of some Catalyst WiFi6 Access Points (refer to Field Notice 72424) are available in 17.9.2. You are recommended to upgrade to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
17.9.2 APSP1
17.9.2 APSP1 provides fix for CSCwd80290 that allows IW3700 APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.
17.9.1
Cisco IOS XE 17.9.1 is the first release in the long-lived 17.9.x release train. This is the first release to support Cisco Catalyst 916x Series APs. The new features supported in this release are listed in 17.9.1 Release Notes. You are recommended to upgrade to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
Caution: Support for newer versions of some Catalyst WiFi6 Access Points (refer to Field Notice 72424) is NOT available in 17.9.1 but is in 17.9.2.
Cupertino 17.8.1
Cisco IOS XE 17.8.1 is a short-lived release with no MRs planned. See 17.8.1 EoL Bulletin. The new features supported in this release are listed in 17.8.1 Release Notes. For all features and hardware supported starting 17.8.1, you are recommended to use 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
Note: Deployments with C9130s and C9124s, if running 17.3.3 need to upgrade to 17.3.4c before upgrading to 17.8.1
Cupertino 17.7.1
Cisco IOS XE 17.7.1 is a short-lived release with no MRs planned. See 17.7.1 EoL Bulletin. The new features supported in this release are listed in 17.7.1 Release Notes. For all features and hardware supported starting 17.7.1, you are recommended to use 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
Caution: 17.7.1 is impacted by CSCwb13784, which prevents wave 2 and 11ax APs from joining if the path MTU drops under 1000 bytes.
Bengaluru 17.6
Cisco IOS XE 17.6.x is a long-lived train with multiple MRs. There is only 1 more MR targeted for the 17.6 train, for security fixes only. Refer to the 17.6 End of Life bulletin. Cisco recommends that you migrate to 17.9.5 for all deployments.
17.6.7
Cisco IOS XE 17.6.7 is a bug fix only release. This is the recommended release if you have to stick with the 17.6 software train.
17.6.6a
Cisco IOS XE 17.6.6a fixes CSCwh87343: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability. It supersedes 17.6.6.
17.6.6
Cisco IOS XE 17.6.6 is a bug fix only release.
17.6.5
Cisco IOS XE 17.6.5 is a bug fix only release and adds the configuration, under Policy Profile, to disable Interim Accounting.
17.6.4
Cisco IOS XE 17.6.4 is a bug fix only release and adds the configuration, under AP Join Profile, to enable AP serial console. Several critical bug fixes and support for newer versions of some Catalyst WiFi6 Access Points (refer to Field Notice 72424) are available in 17.6.4. Cisco recommends that you migrate to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
17.6.4 APSP1
17.6.4 APSP provides fix for CSCwd80290 that allows IW3700 APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.
17.6.3
Cisco IOS XE 17.6.3 is a bug-fix only release. It includes all the fixes in 17.3.5a + the fix for CSCwb13784.
For customers using location with CMX or DNA Spaces, please be aware of CSCwb65054. SMU (hot patch) posted on cisco.com.
Many bug fixes delivered via SMU patches in 17.6.3 and support for newer versions of some of the Catalyst WiFi6 Access Points (refer to Field Notice 72424) are available in 17.6.4. Cisco recommends that you migrate to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
17.6.2
Cisco IOS XE 17.6.2 adds support for a handful of features:
- Support of 802.1 with Web Authentication on MAC Authentication Failure
- Mesh and Mesh + Flex support on C9124AXI/E/D outdoor APs
- Per-client bidirectional rate-limiting on 802.11ac wave 2 and 11ax Catalyst APs
Many critical bugs on 17.6.2, for example CSCwb13784 which prevents wave 2 and 11ax APs from joining if the path MTU drops under 1000 bytes, are resolved in 17.6.4. Cisco recommends that you migrate to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
17.6.1
The new features supported in this release are documented in 17.6 Release Notes. 17.6.1 is vulnerable to several critical defects and must be avoided.
Bengaluru 17.5.1
Cisco IOS XE 17.5.1 is a short-lived release with no MRs planned. Refer to the 17.5 End of Life Bulletin. The features supported in this release are listed in 17.5 Release Notes. For all new hardware and features supported starting 17.5, Cisco recommends you migrate to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
Bengaluru 17.4.1
Cisco IOS XE 17.4.1 is a short-lived release with no MRs planned. Refer to the 17.4 End of Life Bulletin. The features supported in 17.4 are listed in 17.4 Release Notes. For all new hardware and features supported starting 17.4, Cisco recommends you migrate to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed).
Amsterdam 17.3
Cisco IOS XE 17.3.x is a long-lived train with several maintenance releases (MRs). 17.3 has reached End of Software Maintenance as documented in 17.3 End of Life Bulletin. The last MR for 17.3 is a PSIRT-only release targeted for September 2023. Cisco recommends that you migrate to 17.9.5 for all deployments if you are on an earlier release.
17.3.7
Cisco IOS XE 17.3.7 is the last bug-fix MR in the 17.3 release train. For customers looking to stay on 17.3 train, Cisco recommends 17.3.7.
17.3.6
Cisco IOS XE 17.3.6 is primarily a bug-fix release. It adds support for
- Mesh and mesh+flex feature for 9124 AXI/E/D access points
- Newer versions (VIDs) of some Catalyst WiFi6 Access Points (refer Field Notice 72424).
17.3.6 APSP7
APSP7 delivers IOS fixes in APSP5 and COS AP fixes in APSP6 as a unified patch.
17.3.6 APSP6 via
17.3.6 APSP6 supersedes 17.3.6 APSP2 and fixes multiple COS AP (11ac wave2 and Catalyst 11ax) defects:
CSCvx32806 COS-APs stuck in bootloop due to image checksum verification failed
CSCwc32182 AP 1852 Radio Firmware Crash (SF 06029787/06121536/06208256)
CSCwc89719 AP1832 Crashed due to radio failure(radio recovery failed) (SF#06180501)
CSCvz99036 Cisco Access Points VLAN Bypass from Native VLAN Vulnerability
CSCwd37092 Slow TCP downloads, failing TLS authentications in 8.10.181.0/17.3.6 - 2800/3800/4800 series
CSCwc78435 9130 sending incorrect channel list on out of band DFS event causing client connectivity issues
CSCwc88148 Additional enhancement for mac suspend issue (CSCwc72194) on driver side.
17.3.6 APSP5 via CSCwd83653
17.3.6 APSP5 provides fix for Cisco bug ID CSCwd80290 that allows Cisco IOS APs to join C9800 WLC even after Dec 4, 2022. For more details, refer to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html and Field Notice FN72524.
17.3.6 APSP2 via CSCwd40096
17.3.6 APSP2 provides a fix for Cisco bug ID CSCwd37092.
Symptom: Slow downloads and EAP-TLS authentication failures for 2800/3800/4800/1560/6300 Access Points. To confirm the bug, run #show controllers nss stats on the AP and check whether the INNER_CAPWAP_REASM_FAILED counter is incrementing.
Workaround: None; the TCP download issue is only seen on C9800 when tcp-adjust-mss 1250 has been explicitly disabled under AP Join Profile. Enabling the setting prevents slow TCP downloads, but UDP download slowness and EAP-TLS failures persist.
It also includes fix for Cisco bug ID CSCvz99036 and Cisco bug ID CSCwc78435.
17.3.5b
Cisco IOS XE 17.3.5b is an updated iteration of 17.3.5a which incorporates bug fixes being delivered via SMU patches and escalation image on 17.3.5a. Refer to Resolved Defects in 17.3.5b for the complete list.
17.3.5a
Cisco IOS XE 17.3.5a includes several important fixes, including:
- Fixes for known triggers of high CPU in WNCd (probes, ARP storm among others)
- CAPWAP keepalive prioritization to prevent APs from dropping when WNCd CPU utilization spikes.
- Syslog to diagnose when SSID stops broadcasting and CLI recovery mechanism. Refer to CSCwb01162.
Caution: 17.3.5a CCO image is impacted by CSCwb13784 which prevents wave 2 and 11ax APs from joining if the path MTU drops under 1000 bytes and prevents Cisco IOS APs (1700/2700/3700) from joining if the path MTU drops under 1500 bytes.
Fix: SMU (hot patch) posted to cisco.com provides fix for the issue and is mandatory to apply.
17.3.4c
Cisco IOS XE 17.3.4c fixes several critical and wide impact bugs in 17.3.4.
17.3.4
Cisco IOS XE 17.3.4 is a bug-fix only release.
Note: Deployments with C9130s and C9124s, if running 17.3.3 need to upgrade to 17.3.4c before upgrading to 17.8.1, 17.9.1.
17.3.3
Cisco IOS XE 17.3.3 is a bug-fix only release.
Caution: 17.3.3 is vulnerable to CSCvy11981.
Symptom: WNCD crash.
Trigger: If an AP name is 32 or more characters, there is memory corruption which leads to this crash.
Workaround: Ensure the number of characters in the AP name is 31 or less.
17.3.2a
Cisco IOS XE 17.3.2a, though a maintenance release, introduces features in addition to bug fixes. These features include:
- Smart Licensing using Policy [GUI Config only available in 17.4.1]
- OEAP Personal SSID
- AP Authorization using Serial Number [extended to all APs beyond those that present wlancc+FIPS +LSC certificate]
- Assurance and IoT Services Coexistence Without iCAP
- TLS tunnel to DNA-C on Cloud
17.3.1
Cisco IOS XE 17.3.1 introduced support for these hardware and solutions
- 9105I and 9105W Access Points
- Higher throughput template on 9800CL
- Embedded Wireless on Catalyst 9k switches (non-SDA)
- User Defined Network (UDN) and UDN Mobile Application
- BLE Management on Controller
- IOT Module Management
For the full list, refer to 17.3 Release Notes.
Amsterdam 17.2.1
Cisco IOS XE 17.2.1 is a short-lived train with no maintenance releases planned. See 17.2 End of Life Bulletin. All 17.2.x releases for C9800 are deferred due to Field Notice FN70577 and CSCvu24770. Cisco recommends migration to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed) for all deployments.
Amsterdam 17.1.1
Cisco IOS XE 17.1.1 is a short-lived release with no maintenance planned. See 17.1 End of Life - Bulletin. All 17.2.x releases for C9800 are deferred due to Field Notice FN70577 and CSCvu24770. Cisco recommends migration to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed) for all deployments.
Gibraltar 16.12
Cisco IOS XE 16.12 is the first long-lived release train for the 9800. 16.12.1 introduced support for these hardware and solutions.
- 9800-L
- 9800-CL on Google Cloud
- 9120AXE, 9130AXI
- Embedded Wireless Controller on Catalyst Access Point (EWC-AP)
16.12.8
All 16.12.x releases from 16.12.2 through 16.12.7 are bug-fix only releases. 16.12.8 is the last planned MR in this train. Refer to the 16.12 End of Life Bulletin. Cisco recommends that you migrate to 17.9.5 for all deployments.
Note: All 16.12.x releases prior to 16.12.4a (16.12.1, 16.12.1s, 16.12.1t, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3s) are deferred to address CSCvu24770.
Gibraltar 16.11.1
Cisco IOS XE 16.11.1 is a short-lived release with no more maintenance planned. Refer to the End of Life - Bulletin. For all features in 16.x, Cisco recommends migration to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed) for all deployments.
Gibraltar 16.10.1
Cisco IOS XE 16.10.1 is the first release of Cisco IOS XE software that officially supports Catalyst 9800 SKUs (Appliances: 9800-40, 9800-80; 9800 on private/public cloud; 9800-CL, as well as 9800 software on Catalyst 9300 Switches). Cisco IOS XE 16.10.1e is the first release to support Cisco DNA Center integration with the Catalyst 9800. This is a short-lived release with no maintenance releases (MRs) planned. Refer to the End of Life - Bulletin. For all features in 16.x, Cisco recommends migration to 17.9.4 + SMU_CSCwh87343 + APSP(as needed) OR 17.9.4a + APSP(as needed) for all deployments.
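The fix, deferral and must-avoid statements in the release sections above can be applied to a controller inventory, as in this added example (not Cisco's code; the host names and inventory are constructed). It assumes that a later maintenance release in a train keeps a fix first delivered in that train, and it reports trains the page does not tie to CSCwh87343 as unknown rather than guessing.

```python
import re

# Statements taken from the release sections of this page.
# CSCwh87343 = CVE-2023-20198 / CVE-2023-20273 (Web UI feature).
FIRST_FIXED = {(17, 6): "17.6.6a", (17, 9): "17.9.4a", (17, 12): "17.12.2"}
FIXED_BY_SMU = {"17.9.4": "SMU_CSCwh87343"}  # cold SMU, WLC reload required
DEFERRED_TRAINS = {(17, 2)}                   # all 17.2.x releases
DEFERRED_BEFORE = {(16, 12): "16.12.4a"}      # deferred to address CSCvu24770
MUST_AVOID = {"17.6.1"}
RECOMMENDED = {"17.9.5", "17.12.3"}


def parse(version):
    """'17.9.4a' -> (17, 9, 4, 'a'); the tuples sort in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if m is None:
        raise ValueError(f"not an IOS XE version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def audit(version, smus=()):
    """Classify one controller release against the statements above."""
    v = parse(version)
    train = v[:2]
    flags = []
    if train in DEFERRED_TRAINS:
        flags.append("deferred")
    elif train in DEFERRED_BEFORE and v < parse(DEFERRED_BEFORE[train]):
        flags.append("deferred")
    if any(v == parse(rel) for rel in MUST_AVOID):
        flags.append("must-avoid")
    if any(v == parse(rel) for rel in RECOMMENDED):
        flags.append("recommended")

    if train not in FIRST_FIXED:
        webui = "unknown"        # the page does not tie this train to the fix
    elif v >= parse(FIRST_FIXED[train]):
        webui = "fixed"          # assumption: fixes carry forward in a train
    elif any(v == parse(rel) and smu in smus
             for rel, smu in FIXED_BY_SMU.items()):
        webui = "fixed-by-smu"
    else:
        webui = "missing"        # e.g. 17.9.3: SMUs/HTTP ACLs only as stopgap
    return {"version": version, "webui_fix": webui, "flags": flags}


def needs_action(inventory):
    """Hosts on a deferred/must-avoid release or without the Web UI fix."""
    hosts = []
    for name, version, smus in inventory:
        result = audit(version, smus)
        bad_flags = {"deferred", "must-avoid"} & set(result["flags"])
        if result["webui_fix"] == "missing" or bad_flags:
            hosts.append(name)
    return sorted(hosts)


# Constructed inventory: (host name, running release, installed SMUs).
INVENTORY = [
    ("wlc-a", "17.9.4", ["SMU_CSCwh87343"]),
    ("wlc-b", "17.9.3", []),
    ("wlc-c", "16.12.3s", []),
    ("wlc-d", "17.12.3", []),
    ("wlc-e", "17.3.7", []),
]

if __name__ == "__main__":
    for name, version, smus in INVENTORY:
        print(name, audit(version, smus))
    print("needs action:", needs_action(INVENTORY))
```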
Field Programmable (FPGA) Firmware on Hardware 9800 WLC
On physical Catalyst 9800 WLCs (9800L, 9800-40, 9800-80), besides IOS-XE, there are two other pieces of code that can be upgraded.
- ROM Monitor (ROMMON) - It is the bootstrap program that initializes hardware and boots the IOS-XE software on the C9800 appliance. You can check the ROMMON version running on your appliance by executing this command.
#show rom-monitor chassis {active | standby} R0
- PHY - It refers to physical layer, specifically, the Shared Port Adapter (SPA) module that supports the front end distribution and uplink ports on C9800 appliances. You can view the PHY version running on your appliance by executing this command.
#show platform hardware chassis active qfp datapath pmd ifdev | include FW
New firmware is typically released to protect the health of the system (temperature sensors, fan, power supply and so on) and to address problems with data forwarding in and out of the physical ports. Cisco recommends upgrading to the latest FPGA firmware available. The upgrade procedure, along with the specific defects for which new firmware was released, is documented at Upgrade C9800 FPGA. Table 1 lists the version for each platform.
| Platform | ROMMON | Ethernet PHY | Fiber PHY |
|---|---|---|---|
| 9800-L-F | 16.12(3r) | N/A | 17.11.1 |
| 9800-L-C | 16.12(3r) | 17.11.1 | N/A |
| 9800-40 | 17.7(3r) | N/A | 16.0.0 |
| 9800-80 | 17.3(3r) | N/A | 16.0.0 |
High Availability Software Maintenance on 9800 WLC
C9800 provides multiple features that ensure availability during the software maintenance phase of the deployment lifecycle. These include In-Service Software Upgrade (ISSU), Rolling AP upgrade, Hot and Cold Patch to address WLC defects or PSIRTs, and AP patches to address AP-specific fixes as well as to support newer AP models on existing controller code.
ISSU
ISSU support was introduced in 17.3.1 and is limited to long-lived releases (17.3.x, 17.6.x, and 17.9.x). That is, ISSU works:
- Within long-lived major releases, for example, 17.3.x to 17.3.y, 17.6.x to 17.6.y, 17.9.x to 17.9.y
- Between long-lived major releases, for example, 17.3.x to 17.6.x, 17.3.x to 17.9.x
Note: This is limited to two long-lived releases after the current supported long-lived release.
ISSU is NOT supported:
- Within minor releases of short-lived release trains, for example 17.4.x to 17.4.y or 17.5.x to 17.5.y
- Between minor and major releases of short-lived release trains, for example 17.4.x to 17.5.x
- Between long-lived and short-lived releases, for example 17.3.x to 17.4.x or 17.5.x to 17.6.x
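The ISSU rules above, written as a path check that can be run against a planned upgrade. This is an added example, not Cisco's code; the function names are hypothetical, the list of long-lived trains is the one this section names, and a target that is not newer than the running release is treated as outside the documented paths (an assumption, since the page only describes upgrades).

```python
import re

# Long-lived trains named in the ISSU section of this page.
LONG_LIVED_TRAINS = [(17, 3), (17, 6), (17, 9)]
# "Limited to two long-lived releases after the current" long-lived release.
MAX_TRAIN_JUMP = 2


def parse_version(text):
    """'17.3.4c' -> (17, 3, 4, 'c'); the tuples sort in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text.strip())
    if m is None:
        raise ValueError(f"not an IOS XE version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def issu_path(current, target, long_lived=LONG_LIVED_TRAINS):
    """Return (supported, reason) for an ISSU upgrade from current to target."""
    trains = sorted(long_lived)
    cur, tgt = parse_version(current), parse_version(target)
    cur_train, tgt_train = cur[:2], tgt[:2]

    # Assumption: the page describes upgrades only (x to y), so a target that
    # is not strictly newer is reported as unsupported.
    if tgt <= cur:
        return False, "target is not newer than the running release"
    for role, train in (("running", cur_train), ("target", tgt_train)):
        if train not in trains:
            name = f"{train[0]}.{train[1]}"
            return False, f"{role} train {name} is not a long-lived ISSU train"

    jump = trains.index(tgt_train) - trains.index(cur_train)
    if jump > MAX_TRAIN_JUMP:
        return False, f"target is {jump} long-lived trains ahead (max {MAX_TRAIN_JUMP})"
    if jump == 0:
        return True, "within one long-lived train"
    return True, f"between long-lived trains ({jump} ahead)"


if __name__ == "__main__":
    # Constructed upgrade plans, not taken from a real deployment.
    plans = [
        ("17.3.7", "17.9.5"),   # long-lived to long-lived
        ("17.9.3", "17.9.5"),   # within one long-lived train
        ("17.6.4", "17.8.1"),   # long-lived to short-lived
        ("17.5.1", "17.6.4"),   # short-lived to long-lived
        ("17.4.1", "17.5.1"),   # short-lived to short-lived
    ]
    for cur, tgt in plans:
        ok, why = issu_path(cur, tgt)
        print(f"{cur} -> {tgt}: {'ISSU' if ok else 'no ISSU'} ({why})")
```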
Software Maintenance Upgrade (SMU) Patch
C9800 supports both Cold and Hot Patching which enables bug fixes to be provided as a Software Maintenance Upgrade (SMU) file.
- Hot Patch - System reload is not required meaning WLC and APs continue to operate. In case of 9800 Stateful Switchover (SSO) pair, SMU install process applies the patch to both chassis.
- Cold Patch - System reload is needed for Cold Patch. In case of 9800 SSO pair, cold patch can be applied without downtime.
Access Point Service Pack
Fixes for software defects on Access Points (APs) can be delivered via Access Point Service Packs. This requires reload of the APs but not of the 9800 WLC.
Access Point Device Pack
Support for newer AP models is made available on existing WLC code, without needing WLC code upgrade. This AP only supports the features available in existing WLC code.
Guidelines and Requirements
- SMU patches are only generated for long-lived releases like 16.12, 17.3, 17.6, 17.9 and so on after their MD release.
- SMUs can only be applied on 9800 WLCs running a Network Advantage License at the minimum. Refer to the Wireless Features Matrix for the different licenses.
- SMUs that are applicable to most deployments, are posted to cisco.com for customers to download on their own.
- SMU or a patch is not possible for all bug fixes. Code changes involved in the bug fix typically determine the patchability.
- Applicability of SMU is evaluated on a per-defect basis. If your C9800 qualifies for an SMU patch, based on its licensing and you need an SMU for a specific defect, please engage Cisco Technical Assistance Center (TAC) to get the bug evaluated.
Refer C9800 WLC Patching Guide for more details on these capabilities.
Cisco.com Location of SMUs, APSP and APDP images for different 9800s
Step 1. Navigate to Downloads Home, and search for 9800 in the search bar for Select a Product, choose 9800 form factor applicable to you.
Step 2. From Software Type menu, choose SMU or APSP or APDP as needed.
Note for Software Defined Access (SDA)
Always refer to the SDA Compatibility Matrix for code combination recommendations that work best for SDA. It lists specific combinations of code on Cisco DNA Center, the Identity Service Engine (ISE), switches, routers and Wireless LAN Controller codes that have been tested by the SDA Solution Test team at Cisco.
Inter Release Controller Mobility (IRCM)
- IRCM is not supported with 2504/7510/vWLC Controllers and only supported with 5508/8510/5520/8540/3504 platforms.
- For Inter-Release Controller Mobility (IRCM) compatibility with AireOS WLCs:
  - TAC recommends AireOS 8.10.190.0 for all deployments.
  - For deployments with older WLCs or Access Points in their environment, which cannot be upgraded past AireOS 8.5, TAC recommends 8.5.182.108 (hidden post) IRCM code.
Note: Not all 8.5 code versions support IRCM. 8.5 IRCM versions available on cisco.com include 8.5.164.0, 8.5.164.216, 8.5.176.0, 8.5.176.1, 8.5.176.2, 8.5.182.104.
For AireOS recommended code, please refer to:
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
Features supported On Catalyst 9800 Series Wireless LAN Controllers
Release Notes
Cisco IOS XE Wireless Feature List per Release
AireOS to Cisco IOS XE feature Comparison Matrix
Flexconnect Feature Matrix for wave2 and 11ax Access Points