Recommended Cisco IOS XE Releases for Catalyst 9800 Wireless LAN Controllers

Available Languages

Download Options

  • PDF     (195.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (150.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (193.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 1, 2026
Document ID:214749

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes guidance for you to find the most reliable Cisco IOS® XE software for Catalyst 9800 Wireless LAN Controllers (C9800 WLCs). 

    Background

    The information in this document is applicable to different form factors of C9800 WLC which includes :

    • Appliances (9800-40,9800-80,9800-L, CW9800M, CW9800H1, CW9800H2)
    • Virtual Controllers (9800-CL in private and public cloud environments)
    • Embedded Wireless Controllers on Catalyst 9000 Series switches
    • Embedded Wireless Controllers on Catalyst Access Points (EWC-AP)

    Access Point models supported by the C9800 include

    • Cisco IOS based 11ac Wave 1 Access Points  (1700/2700/3700/1572) (not in all releases)
    • COS based 11ac Wave 2 Access points (1800/2800/3800/4800/1540/1560)
    • COS based Catalyst 11ax 91xx Series Access Points (9105/9115/9117/9120/9130/9136/9164/9166)
    • Cisco Wireless 917x Series Access Points (CW9171/CW9172/CW9174/CW9176/CW9178/CW9179)

    Co-existence of AireOS WLCs with C9800 WLC is taken into account for these recommendations. The recommendations cover all the releases Cisco IOS XE software applicable to Catalyst 9800 WLCs. Typically, a newly released version (either maintenance release or new code train) is given a minimum of 6-8 weeks soak time in the field, and only if no catastrophic issues are reported, it becomes a candidate for Cisco general recommendation. These recommendations are updated as we receive feedback through internal testing, TAC cases, and so on. 

    TAC Recommended Builds

    Note:
    1) SMUs and APSPs require a Network Advantage License. For deployments with Network Essentials license,  Escalation Image that can be requested from Cisco TAC. Upgrading to an Escalation Image requires downtime.
    2) APSPs are incremental, that is each APSP version includes fixes from all previous versions of APSPs.
    3) Latest APSP is always recommended. Evaluate the bugs under APSP and apply those APSPs that includes fixes for AP models in your deployment.
    4) Most of the short-lived releases like Cisco IOS XE releases 17.10.1, 17.11.1 and older maintenance releases like 17.9.1, 17.9.2 are not mentioned in this document as they have reached End of Vulnerability / Security Support. End of Life (EOL) notices of all the Cisco IOS XE releases for C9800 WLC can be reviewed at: EoL Bulletin
    5) The document only lists bug fixes for the releases that we see in a large set of deployments. For bugs affecting specific releases, use the Bug Search Tool.

    Cisco Wireless Platform Recommended Release
    Cisco Catalyst CW9800M  Cisco IOS XE 17.15.4d + APSP
    Cisco Catalyst CW9800H1 / Cisco Catalyst CW9800H2 Cisco IOS XE 17.15.4d + APSP
    Cisco Catalyst 9800-CL Cisco IOS XE 17.12.6a + APSP
    Cisco Catalyst 9800-80 Cisco IOS XE 17.12.6a + APSP
    Cisco Catalyst 9800-40 Cisco IOS XE 17.12.6a + APSP
    Cisco Catalyst 9800-L Cisco IOS XE 17.12.6a + APSP
    Embedded Wireless Controller (EWC) on APs Cisco IOS XE 17.12.6a + APSP
    Embedded Wireless Controller (EWC) on Catalyst switches Cisco IOS XE 17.12.6a + APSP
    Any WLC controller platform supporting Cisco Wireless APs CW9176 or CW9178 Cisco IOS XE 17.15.4d + APSP
    Any WLC controller platform supporting Cisco Wireless APs CW9172 Cisco IOS XE 17.15.4d + APSP

    Table 1. Summary View of Recommended Cisco IOS-XE Release for different WLC platforms

    warning-icon

    Warning: Due to a collateral introduced in 17.15 and later versions, ISSU process must be avoided when upgrading to 17.15 and 17.18 releases. Normal upgrade can be used safely. Cisco recommends only doing ISSU towards 17.15.5 and 17.18.3 releases and later when available. This is due to CSCws19380 CSCws35670 & CSCwr15775

    IOS XE 17.18

    Cisco IOS XE 17.18 is the newest long-lived release train. The new features supported in this release are listed in the release notes

    17.18.2

    If you plan to, or already deployed WiFi-7, or need a feature brought by 17.18, it is recommended that you use 17.18.2. This version is not a generally recommended yet.

    17.18.1

    17.18.1 is the first release of the 17.18 train and is now not recommended to run anymore, consider upgrading to 17.18.2

    IOS XE 17.17.1

    Cisco IOS XE 17.17 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.17.1 Release Notes.

    IOS XE 17.16.1

    Cisco IOS XE 17.16 is a short-lived release with no MRs planned. It is important to note that Cisco IOS XE 17.16 does not support Wi-Fi 7 APs and does not allow Cisco IOS-based APs to join anymore. The new features supported in this release are listed in 17.16.1 Release Notes.

    IOS XE 17.15

    Cisco IOS XE 17.15 is a long-live train with several maintenance releases (MR) planned. The new features supported in this release are listed in 17.15.1 Release Notes.

    Cisco recommends 17.15.4d for all deployments.

    17.15.5

    17.15.5 was recently released and contains all the fixes from all the 17.15.4 releases, including the fix for ISSU upgrades. It is currently being evaluated for recommendation.

    17.15.4d

    17.15.4d has been posted with all the fixes previously in 17.15.4b+ the latest APSP.

    17.15.4b

    17.15.4b has been posted with all the fixes previously in 17.15.4 on top of the fix for the mDNS issue (Cisco bug ID CSCwr09565 ). It continues to be considered a stable release when all the APSPs are added, however 17.15.4d regroups all of them in a single software along with the ISSU upgrade issue fix.

    17.15.4

    17.15.4 has been removed for download from cisco.com due to an mDNS gateway regression (Cisco bug ID CSCwr09565 ).

    17.15.3

    Cisco IOS XE 17.15.3 is the second maintenance release in the 17.15 release train.

    Cisco suggests considering the application of the non-reload Software Maintenance Upgrade (SMU) CSCwo95396 , which addresses the issue where the Wireless LAN Controller (WLC) reloads during provisioning from Catalyst Center, along with the APSP3 CSCwp18505 for Catalyst 9800 Wireless LAN Controllers or to go to the recommended 17.15.4b release

    These bugs are resolved in this APSP.

    CSCwn18885 Wi-Fi6E/7 AP reboot with Access Violation without crash files, reload reason 'unknown' SF#07624324

    CSCwo94810 IOT client with TI WiFi module(PIT truck) cannot associate to 916x/9130/917x [SF 07835314]

    Note : This APSP has fixes from previous APSP

    CSCwo81133 Channel mismatch was seen on Multiple IW9167 APs after beacon stuck and it took long time to recover

    CSCwo70926 [CW9172I/CW9172H] 17.15.3 and 17.17.1 CCO images u-boot update

    17.15.2b

    Cisco IOS XE 17.15.2b is introduced only to support CW9172I access point deployments and you are expected to upgrade to IOS XE 17.15.4b.

    17.15.2

    Cisco IOS XE 17.15.2 is the first maintenance release in the 17.15 release train and introduces support for

    • WiFi7
      • Access Points (CW9176I, CW9176D1, CW9178I)
      • Multi-Link Operation (MLO) for WiFi7 APs
      • WPA3 Security Considerations
    • Global Use AP (Decoupling of AP PID/SKU from boot mode and regulatory domain)
    • Cisco Network Subscription
    • AP AnyLocate / UltraWide Band Ranging Technology

    Caution: For Flexconnect deployments with Local Switching, client roam on a webauth SSID could randomly cause client to lose reachability to its gateway, check CSCwn17412 for more details.

    17.15.1

    Cisco IOS XE 17.15.1 is the first version of the 17.15 train. For all hardware and features supported starting 17.13.1, 17.14.1, and 17.15.1, Cisco recommends you to migrate your deployment to 17.15.4b

    17.15.1 contains the fix for the "regreSSHion" vulnerability on access points depicted in Cisco bug ID CVE-2024-6387 / CSCwk62269

    IOS XE 17.14.1

    Cisco IOS XE 17.14.1 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.14.1 Release Notes. This is the first release to support newer Catalyst 9800 Series WLCs

    • Cisco Catalyst CW9800M Wireless Controller
    • Cisco Catalyst CW9800H1 and CW9800H2 Wireless Controller

    For all new hardware and features supported starting 17.13.1 or 17.14.1, Cisco recommends you to upgrade to 17.15.2d.

    IOS XE 17.13.1

    Cisco IOS XE 17.13.1 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.13.1 Release Notes. For all new hardware and features supported starting 17.13.1, Cisco recommends you to upgrade to 17.15.2d.

    Dublin 17.12

    The new features supported in this release are listed in 17.12.1 Release Notes.Cisco recommends 17.12.6a for all deployments when Wi-Fi 7 or 17.15 specific features are not needed.

    Some of the major advantages of 17.12 over 17.9 include :

    • More countries support for 6GHz
    • Possibilty to use a single WPA2+WPA3 SSID for 5 and 6GHz.
    • An RRM-based algorithm to load-balance APs across WNCd processes

    17.12.7

    17.12.7 got released recently and is currently evaluated for recommendation over 17.12.6. It contains all the fixes from the 17.12.6 APSPs

    17.12.6a

    17.12.6a contains all the fixes from 17.12.6 on top of the mDNS issue fix (Cisco bug ID CSCwr09565 ).

    APSP1 contains the fix for CSCwf25731 where cnssdeamon log file on the AP grows too large and impacts future upgrade by filling the flash partition. Cisco recommends installing APSP4 which contains all the necessary fixes.

    17.12.6

    17.12.6 has been removed for download from cisco.com due to an mDNS gateway regression (Cisco bug ID CSCwr09565 ).

    17.12.5

    Cisco IOS XE 17.12.5 is the fourth bug-fix release in the 17.12 train. It incorporates the fixes in SMUs and APSPs for 17.12.4 and many more bug fixes.

    SMU CSCwo62157  :Reload SMU, Memory leak observed in tdl_mac_addr object

    17.12.5 APSP6 includes fixes listed in release notes

    17.12.4

    Cisco IOS XE 17.12.4 is the third bug-fix release in the 17.12 train. 

    17.12.4 APSP8 or 17.12.4.208 includes fixes listed in

    17.12.4 APSP8 Release Notes

    17.12.3

    Cisco IOS XE 17.12.3 is the second bug-fix release in the 17.12 train. 

    Caution:
    1) In case you have an SD-Access deployment, be aware of CSCwj04031 : WLC forces SGT to 0 when the client releases IPv6 link-local address. Contact TAC to get a SMU patch if you are affected.
    2) For HA deployments, Ha failover could lead to config loss on C9800 WLC leasding to wireless outage. This is tracked under CSCwj73634  where config can be lost upon HA failover.

    17.12.2

    Cisco IOS XE 17.12.2 is the first bug-fix release in the 17.12 train and includes the fix for CVE-2023-20198 CVE-2023-20273 / CSCwh87343. 

    Cupertino 17.9

    17.9.8

    Cisco IOS XE 17.9.8 is expected to be the last release of the 17.9 train (except potential future security vulnerability updates).  Cisco recommends you migrate to 17.15.4d

    Bengaluru 17.6

    Cisco IOS XE 17.6.x is a long-lived train with several maintenance releases. Refer17.6 End of Life bulletin . Cisco recommends you to migrate to 17.12.6a. This is a direct upgrade. Refer Upgrade Path to 17.12.x for more details. 

    17.6.8

    Cisco IOS XE 17.6.8 is the last maintenance release that provides fixes for recent vulnerability advisories. 

    Amsterdam 17.3

    Cisco IOS XE 17.3.x is a long-lived train with several maintenance releases (MRs). 17.3 has reached End of Software Maintenance as documented in 17.3 End of Life Bulletin. The last MR for 17.3 is a psirt-only release targeted for September 2023. Cisco recommends you to migrate to 17.12.6a. This migration could require staggered upgrade, depending on 17.3.x release you are currently running. Refer to Upgrade Path to 17.12.x  for more details. 

    17.3.8a

    Cisco IOS XE 17.3.8a is the last bug-fix MR in the 17.3 release train. If you cannot migrate to recommended release and need to stay on 17.3 train, Cisco recommends 17.3.8a.

    Gibraltar 16.x

    Cisco IOS XE 16.10.1 is the first release of Cisco IOS XE software that officially supports Catalyst 9800 SKUs (Appliances: 9800-40, 9800-80; 9800 on private/public cloud; 9800-CL, as well as 9800 software on Catalyst 9300 Switches) and is currently end-of-life ( EoL ). Since two releases were published for 16.x release train - 16.11.1 (EoL) and 16.12.1 (EoL). Cisco IOS XE 16.12.1 was the first long-lived traing for C9800 WLCs which added support for 9800-L, 9800-CL on Google Cloud and Embedded Wireless Controller on Catalyst Access Point (EWC-AP), among other features.

    16.12.8

    This is the last maintenance release (MR) in the 16.x train. Cisco recommends you to migrate your deployment to 17.12.6a. This migration requires staggered upgrade. Refer Upgrade Path to 17.12.x  for more details. 

    Field Programmable (FPGA) Firmware on Hardware 9800 WLC

    On physical Catalyst 9800 WLCs (9800L, 9800-40, 9800-80), besides Cisco IOS XE, there are two other pieces of code that can and can require an upgrade.

    • ROM Monitor (ROMMON) -  It is the bootstrap program that initializes hardware and boots the IOS XE software on the C9800 appliance.  You can check the ROMMON version running on your appliance by executing this command. 
    #show rom-monitor chassis {active | standby} R0
    • PHY - It refers to physical layer, specifically, the Shared Port Adapter (SPA) module that supports the front end distribution and uplink ports on C9800 appliances. It can also be called Ethernet/Hardware Programmables. You can view the PHY version running on your appliance by executing this command.
    #show platform hardware chassis active qfp datapath pmd ifdev | include FW

    New firmware is typically released to protect the health of the system (temperature sensors, fan, power supply and so on) and to address problems with data forwarding in and out of the physical ports. Cisco recommends upgrading to latest FPGA firmware available.

    Upgrade Procedure along with the specific defects that for which new firmware was released if documented at Upgrade C9800 FPGA. 

    Table 1 lists the version for each platform.

    ROMMON Ethernet PHY Fiber PHY

    9800-L-F

    16.12(3r)

    N/A

    17.11.1

    9800-L-C

    16.12(3r)

    17.11.1

    N/A

    9800-40

    17.12(1r)

    N/A

    16.0.0

    9800-80

    17.12(2r)

    N/A

    16.0.0

    CW9800M

    17.15(1r)

    N/A

    N/A

    CW9800H1

    17.15(1r)

    N/A

    N/A

    CW9800H2

    17.15(1r)

    N/A

    N/A

    High Availability Software Maintenance on 9800 WLC

    C9800 provides multiple features that ensure availability during software maintenance phase of the deployment lifecycle. These include In-Service Software Upgrade (ISSU), Rolling AP upgrade, Hot and Cold Patch to address WLC defects or psirts, AP patches to address AP specific fixes as well as to support newer AP models on existing controller code. 

    ISSU

    ISSU support was introduced in 17.3.1 and is limited to long-lived releases (17.3.x, 17.6.x, and 17.9.x). That is, ISSU works

    1. Within long-lived major releases , for example, 17.3.x to 17.3.y, 17.6.x to 17.6.y, 17.9.x to 17.9.y
    2. Between long-lived major releases , for example, 17.3.x to 17.6.x, 17.3.x to 17.9.x

    Note: This is limited to two long-lived releases after the current supported long-lived release.

    ISSU is NOT supported

    1. Within minor releases of short-lived release trains, for example 17.4.x to 17.4.y or 17.5.x to 17.5.y 
    2. Between minor and major releases of short-lived release trains, for example 17.4.x to 17.5.x 
    3. Between long-lived and short-lived releases 17.3.x to 17.4.x or 17.5.x to 17.6.x.

    Software Maintenance Upgrade (SMU) Patch

    C9800 supports both Cold and Hot Patching which enables bug fixes to be provided as a Software Maintenance Upgrade (SMU) file.  

    • Hot Patch -  System reload is not required meaning WLC and APs continue to operate. In case of 9800 Stateful Switchover (SSO) pair, SMU install process applies the patch to both chassis.
    • Cold Patch -  System reload is needed for Cold Patch. In case of 9800 SSO pair, cold patch can be applied without downtime. 

    Access Point Service Pack

    Fixes for software defects on Access Points (APs) can be delivered via Access Point Service Packs. This requires reload of the APs but not of the 9800 WLC. 

    Access Point Device Pack

    Support for newer AP models is made available on existing WLC code, without needing WLC code upgrade. This AP only supports  the features available in existing WLC code.

    Guidelines and Requirements 

    1. SMU patches are only generated for long-lived releases like 16.12, 17.3, 17.6, 17.9 and so on after their MD release.
    2. SMUs can only be applied on 9800 WLC running Network Advantage License at the minimum. Refer Wireless Features Matrix for different Licenses 
    3. SMUs that are applicable to most deployments, are posted to cisco.com
    4. SMU or a patch is not possible for all bug fixes. Code changes involved in the bug fix typically determine the patchability.
    5. Applicability of SMU is evaluated on a per-defect basis. If your C9800 qualifies for an SMU patch, based on its licensing and you need an SMU for a specific defect, please engage Cisco Technical Assistance Center (TAC) to get the bug evaluated. 

    Refer C9800 WLC Patching Guide for more details on these capabilities.

    Cisco.com Location of SMUs, APSP and APDP images for different 9800s

    Step 1. Navigate to Downloads Home, and search for 9800 in the search bar for Select a Product, choose 9800 form factor applicable to you.

    SDS-search for 9800

    Step 2. From Software Type menu, choose SMU or APSP or APDP as needed.

    9800-SMU-APSP-APDP

    Note for Software Defined Access (SDA)

    Always refer to the SDA Compatibility Matrix for code combination recommendations that work best for SDA. It lists specific combinations of code on Cisco DNA Center, the Identity Service Engine (ISE), switches, routers and Wireless LAN Controller codes that have been tested by the SDA Solution Test team at Cisco.

    Inter Release Controller Mobility (IRCM)

    • IRCM is not supported with 2504/7510/vWLC Controllers and only supported with 5508/8510/5520/8540/3504 platforms.
    • For Inter-Release Controller Mobility (IRCM) compatibility with AireOS WLCs, in general
      • Cisco recommends AireOS 8.10.196.0 for all deployments.
      • For deployments with older WLCs or Access Points in their environment, which cannot be upgraded past AireOS 8.5, TAC recommends 8.5.182.109 (8.5.182.111 for 3504s)   IRCM code.

    Note:Not all 8.5 code versions support IRCM. 8.5 IRCM versions available on cisco.com include 8.5.164.0, 8.5.164.216, 8.5.176.0, 8.5.176.1. 8.5.176.2, 8.5.182.104.

    Caution:
    Deployments with 1800 series APs (1815/1830/1850) running 8.10.185.0 through 8.10.196.0 can report spuriously high channel utilization in 5Ghz, resulting in performance problems, owing to a regression caused by the commit of CSCwb51757
    For 1815 series APs, the fix is in 8.10.190.9 / 8.10.196.7, available from TAC.
    For 1830/1850 series APs, as this fix is unavailable in the 8.10 code train, to avoid this problem, AireOS deployments encountering this issue need to downgrade to code prior to the CSCwb51757 commit, 8.10.183.0.

    For AireOS recommended code, please refer to:

    https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

    Features supported On Catalyst 9800 Series Wireless LAN Controllers

    Release Notes

    Cisco IOS XE Wireless Feature List per Release

    AireOS to Cisco IOS XE feature Comparison Matrix

    Access Point and WLC Selector

    Revision History

    Revision Publish Date Comments
    41.0
    01-Apr-2026
    Updated the document with 17.12.7 and latest APSPs
    40.0
    22-Jan-2026
    Moved recommendation to 17.15.4d
    39.0
    14-Jan-2026
    added 17.18.2. No recommendation change
    38.0
    10-Dec-2025
    Added a note against ISSU upgrades
    37.0
    20-Nov-2025
    Changed recommended releases
    36.0
    23-Sep-2025
    17.12.6a and 17.15.4b added
    35.0
    08-Sep-2025
    17.12.6 and 17.15.4 removed
    34.0
    28-Aug-2025
    Updated with 17.15.4 and 17.18.1. No change to the recommandation
    33.0
    07-Jul-2025
    Updated recommendation towards 17.15.3
    32.0
    09-May-2025
    Updated the recommendations
    31.0
    04-Apr-2025
    added a mention of newer release but no change of recommendation so far.
    30.0
    21-Jan-2025
    Added the recommended release for CW9800 series
    29.0
    20-Dec-2024
    Added a mention of 17.16.1
    28.0
    12-Dec-2024
    Updated recommendation to 17.9.6 and 17.12.4 + SMUs + APSP or 17.12.4 ES
    27.0
    11-Dec-2024
    Updated recommended releases
    26.0
    06-Aug-2024
    Updated for 17.15
    25.0
    09-Jul-2024
    Added 17.6.7 in the mentions.
    24.0
    22-Jun-2024
    Added 17.12.3 recommendation
    23.0
    08-Apr-2024
    Added 17.9.5 recommendation
    22.0
    27-Feb-2024
    Added 17.13
    21.0
    20-Feb-2024
    Added 17.9.5 and 17.6.6
    20.0
    28-Nov-2023
    Updated recommendation to 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP(as needed)
    19.0
    31-Oct-2023
    Updated recommendation to 17.9.4 + APSP2 + SMU_CSCwh87343
    18.0
    24-Oct-2023
    Updated 17.9.4a and 17.9.4 SMU for Cisco IOS XE Software Web UI Feature described in CVE-2023-20198 CVE-2023-20273
    17.0
    05-Oct-2023
    Updated recommendation to 17.9.4 + APSP2 (17.9.4 SMU applicable only for subset of deployments)
    16.0
    29-Sep-2023
    Updated recommendation to 17.9.4 + SMU + APSP2
    15.0
    01-Sep-2023
    Added 17.12
    14.0
    12-May-2023
    Recommendation updated to 17.9.3
    13.0
    20-Mar-2023
    Recommendation updated to 17.6.5
    12.0
    23-Jan-2023
    Added 17.10/17.9.2
    11.0
    23-Sep-2022
    Recommendation updated to 17.6.4 and added details on 17.9.1 and FN72424
    10.0
    31-Mar-2022
    Updated recommendation to 17.3.5a+SMU with caution for all releases impacted by CSCwb13784
    9.0
    14-Feb-2022
    Fixed typo.
    8.0
    05-Dec-2021
    updated recommendation to 17.3.4c and 17.6.2 Added EoL notices Added note on ISSU and firmware upgrade
    7.0
    04-Nov-2021
    updated bug fix ES
    6.0
    14-Oct-2021
    added note son APSP/SMU + detailed the recommendation some more
    5.0
    27-Sep-2021
    Add apsp link for 9105/9115/9120
    4.0
    19-Sep-2021
    added CSCvz56650 note
    3.0
    18-Sep-2021
    added links to APSP/SMU
    2.0
    01-Sep-2021
    Added 17.6.1 release Updated recommendation to 17.3.3ES10 Listed bugs impacting 17.3.4
    1.0
    16-Aug-2019
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Cisco Wireless TAC
    • Cisco Wireless BU

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products