About the Release Notes

This release notes document describes what is new or changed in this release, instructions to upgrade to this release, and provides information about the open and resolved caveats for this release. Unless otherwise noted, in this document, Cisco Wireless Controllers are referred to as controllers, and Cisco lightweight access points are referred to as access points or APs.


The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.

Revision History

Table 1. Revision History

Modification Date

Modification Details

August 23, 2018

Open Caveat—Added CSCvk44249

July 24, 2018

Added the CIMC Utility Upgrade for 5520 and 8540 Controllers section.

January 29, 2018

Key Features Not Supported in Cisco Virtual WLCs section—Modified information about FlexConnect central switching.

October 16, 2017

Key Features Not Supported in 1560, 1810 OEAP, 1810W, 18915, 1830, 1850, 2800, and 3800 Series APs section—Added SIP snooping with FlexConnect in local switching mode

October 10, 2017

Key Features Not Supported in Cisco Virtual WLCs section—Added Wired Guest and FlexConnect central switching

June 02, 2017

What's New in This Release section—Added - Important Upgrade Information for 2500 Series Controllers

Supported Cisco Wireless Controller Platforms

The following Cisco Wireless Controller platforms are supported in this release:

  • Cisco 2500 Series Wireless Controllers (Cisco 2504 Wireless Controller)

  • Cisco 5500 Series Wireless Controllers (Cisco 5508 and 5520 Wireless Controllers)

  • Cisco Flex 7500 Series Wireless Controllers (Cisco Flex 7510 Wireless Controller)

  • Cisco 8500 Series Wireless Controllers (Cisco 8510 and 8540 Wireless Controllers)

  • Cisco Virtual Wireless Controller (vWLC) on the following platforms:

    • VMware vSphere Hypervisor (ESXi) Version 5.x and 6.x

    • Hyper-V on Microsoft Servers 2012 and later versions


      Support introduced in Release 8.4.

    • Kernel-based virtual machine (KVM)


      Support introduced in Release 8.1. After KVM is deployed, we recommend that you do not downgrade to a Cisco Wireless release that is earlier than Release 8.1.
  • Cisco Wireless Controllers for High Availability for Cisco 2504 WLC, Cisco 5508 WLC, Cisco 5520 WLC, Cisco Wireless Services Module 2 (Cisco WiSM2), Cisco Flex 7510 WLC, Cisco 8510 WLC, and Cisco 8540 WLC.


    AP Stateful switchover (SSO) is not supported in Cisco 2504 WLCs.
  • Cisco WiSM2 for Cisco Catalyst 6500 Series Switches

  • Cisco Mobility Express Solution

Supported Cisco Access Point Platforms

The following Cisco AP platforms are supported in this release:

  • Cisco Aironet 1600 Series Access Points

  • Cisco Aironet 1700 Series Access Points

  • Cisco Aironet 1810 Series OfficeExtend Access Points

  • Cisco Aironet 1810W Series Access Points

  • Cisco Aironet 1815i and 1815w Access Points

  • Cisco Aironet 1830 Series Access Points

  • Cisco Aironet 1850 Series Access Points

  • Cisco Aironet 2600 Series Access Points

  • Cisco Aironet 2700 Series Access Points

  • Cisco Aironet 2800 Series Access Points

  • Cisco Aironet 3500 Series Access Points

  • Cisco Aironet 3600 Series Access Points

  • Cisco Aironet 3700 Series Access Points

  • Cisco Aironet 3800 Series Access Points

  • Cisco Aironet 700 Series Access Points

  • Cisco Aironet 700W Series Access Points

  • Cisco AP802 Integrated Access Point

  • Cisco AP803 Integrated Access Point

  • Cisco ASA 5506W-AP702

  • Cisco Aironet 1530 Series Access Points

  • Cisco Aironet 1550 Series Access Points with 128-MB memory


    Cisco 1550 APs with 64-MB memory are not supported starting with Release

  • Cisco Aironet 1560 Series Access Points

  • Cisco Aironet 1570 Series Access Points

  • Cisco Industrial Wireless 3700 Series Access Points


Cisco AP802 and AP803 are integrated access points on the Cisco 800 Series Integrated Services Routers (ISRs). For more information about the stock-keeping units (SKUs) for the AP802s and AP803s Cisco ISRs, see


Before you use a Cisco AP802 series lightweight access point with Cisco Wireless Release, you must upgrade the software in the Cisco 800 Series ISRs to Cisco IOS 15.1(4)M or later releases.

In Release 8.4, the following APs are not supported:

  • Cisco Aironet 600 Series OfficeExtend Access Points

  • Cisco Aironet 1550 Series Access Points with 64-MB memory

  • Cisco Aironet 1040 Series Access Points

  • Cisco Aironet 1140 Series Access Points

  • Cisco Aironet 1260 Series Access Points

For information about Cisco Wireless software releases that support specific Cisco access point modules, see the Software Release Support for Specific Access Point Modules section in the Cisco Wireless Solutions Software Compatibility Matrix document.

What's New in This Release

Cisco Umbrella WLAN

The integration of Cisco Umbrella WLAN and controller provides web classification and security for clients connecting to controller. Key differentiators involve granular web classification and reporting by WLAN, user role, and location. This feature is supported on these controllers: 2504, 5508, 5520, 8510, 8540, and WiSM2.

For more information, see the Cisco Umbrella WLAN section in the configuration guide.

Domain-Based Access Control Lists

Domain-based ACLs allow administrators to define domain access control list (ACL) to allow or disallow traffic. This additional level of security is added to the Cisco Wireless solution to allow you to put a specific set of domains in a blocked list or an allowed list.

Domain-based ACL extends the ACL from Layer 3 IP to domain-based ACL. This feature is supported on Cisco 5520 WLCs and Cisco 8540 WLCs, can have up to 64 ACLs, with each ACL supporting 100 rules.

For more information, see the Domain-based Filtering section in the configuration guide.

Simplifying Cisco ISE Configuration on Controllers

This is an option that is provided to apply the default Cisco ISE configuration for controller so that you do not have to explicitly configure some of the settings required to use Cisco ISE.

You can apply the default Cisco ISE configuration in the following scenarios:

  • When you configure a RADIUS authentication server, and in the process enable the default Cisco ISE settings, the following configurations are applied:

    • CoA is enabled by default.

    • The authentication server details (IP and shared-secret) are also applied to the accounting server.

  • When you configure the AAA server to override the use of default servers on a WLAN, and in the process enable the default Cisco ISE settings, the following configurations are applied:

    • When you add the authentication server for a WLAN, the authentication server details are also applied to the accounting server for the WLAN.


      Change on Authentication server back to None is not applied on the accounting server.

    • AAA override is enabled by default.

    • The NAC state is set to ISE NAC by default.

    • DHCP profiling and HTTP profiling are enabled by default, for RADIUS client profiling.

    • Captive bypass mode is enabled by default.

  • When you configure the Employee Network as part of the initial setup using the Cisco WLAN Express Setup method, and in the process enable the default Cisco ISE settings, the following configurations are applied:

    • CoA is enabled by default.

    • The authentication server details (IP and shared-secret) are also applied to the accounting server.

    • When you add the authentication server for a WLAN, the authentication server details are also applied to the accounting server for the WLAN.

    • AAA override is enabled by default.

    • The NAC state is set to ISE NAC by default.

    • DHCP profiling and HTTP profiling are enabled by default, for RADIUS client profiling.

    • Captive bypass mode is enabled by default.

Cisco TrustSec Enhancements

Cisco TrustSec enables organizations to secure their networks and services through identity-based access control to anyone, anywhere, anytime. The solution also offers data integrity and confidentiality services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services. You can combine Cisco TrustSec with personalized, professional service offerings to simplify the solution deployment and management, and is a foundational security component to Cisco Borderless Networks.

  • SXP—From Release 8.4, SXPv4 is supported in FlexConnect mode APs.

  • PAC Provisioning and Device Enrollment—Any device that participates in a Cisco TrustSec network must be authenticated as a trusted device. To facilitate the authentication process, new devices connected to a Cisco TrustSec network undergo an enrollment process, wherein a device receives the credentials that are specifically needed for the device's authentication along with general Cisco TrustSec environment information.

    Controller device enrollment is initiated by controller as part of Protected Access Credential (PAC) provisioning with the Cisco ISE server. Controller initiates EAP-FAST and gets a PAC. This is accomplished by using the infrastructure of LOCAL-EAP EAP-FAST PAC provisioning. The PAC that is obtained uniquely maps to the device ID. If the device ID changes, the PAC data associated with the previous device ID is removed from the PAC store. PAC provisioning is triggered when a RADIUS server instance is enabled to provision the PAC.

  • Environment Data—Cisco TrustSec environment data is a set of information or attributes that helps controller to perform Cisco TrustSec-related functions.

  • Inline Tagging—Inline tagging is a transport mechanism using which a controller or a Cisco AP understands the source SGT.

  • SGACL—You can control the operations that users can perform based on the security group assignments of users and destination resources, using the Security Group Access Control Lists (SGACLs). Policy enforcement in a Cisco TrustSec domain is represented by a permission matrix, with the source security group on one axis and destination security group numbers on the other axis. Each cell in the matrix body contains an ordered list of SGACLs, which specifies the permissions that must be applied to packets originating from the source security group and destined for the destination security group. When a wireless client is authenticated, it downloads all the SGACLs in the matrix cells.

For more information, see the Cisco TrustSec section in the configuration guide.

Cisco Virtual Wireless Controller N+1 High Availability

Support is added for High Availability (HA) with N+1 in Cisco Virtual Wireless Controller (vWLC).

HyperV Support for Cisco Virtual Wireless Controller

Support is added for Cisco vWLC in Hyper-V hypervisor. Cisco vWLC is now supported in any x86 server with VMware Hypervisor ESXi4.x, 5.x, and 6.x as well as KVM and Hyper-V.

EoGRE Enhancements

  • Wave 1 APs (AP1600, AP1700, AP2600, AP2700, AP3600, and AP3700)—Added EoGREv6 tunnel support from FlexConnect+Local switching AP to gateway.

  • Wave 2 APs (AP1560, AP1810, AP1815, AP1830, AP1850, AP2800, and AP3800)—Added EoGREv4 and EoGREv6 tunnel support from FlexConnect+Local switching AP to gateway.

  • Path MTU discovery is supported in FlexConnect APs.

For more information, see the Ethernet over GRE Tunnels section in the configuration guide.

IPv6 Support on Wave 2 Access Points

Support is added for infrastructure and native IPv6 functionality in Cisco 802.11ac Wave 2 Access Points.

FlexConnect Support on Wave 2 APs

Support is added for FlexConnect functionality in Wave 2 APs for these features:

  • Proxy ARP—AP acts as an ARP proxy to respond to ARP requests on behalf of wireless clients.

  • NAT/PAT—AP supports NAT and PAT for central DHCP.

  • AAA QoS Override per Client—Clients can assign QoS profile based on AAA.

Support for VLAN on AUX ports of Cisco Aironet 2700 APs

Support is introduced for non-native VLAN in CAPWAP tunneled and non-tunneled mode in Cisco Aironet 2700 APs.

Support for Cisco Hyperlocation in High Availability Environment

Cisco Hyperlocation is supported in a High-Availability environment. The global and per AP group hyperlocation configuration is mirrored from the active controller to the standby controller. The standby controller updates only the internal state and does not forward any configuration information to the Cisco APs.

For Cisco MSE message encryption, the controller generates an encryption key and sends it to the Cisco APs and to the Cisco MSE, which uses it for encryption and decryption as end clients. The standby controller does not generate an encryption key and the Cisco APs and the Cisco MSE use the actual key shared by the active controller.

Guest User Management (Client Whitelisting)

This feature prevents unauthorized access of the network. Using this feature, users with read and write or lobby administrator privileges can control which clients can access the network. The administrators can filter the clients based on the client MAC address and group them to provide access to the network.

For more information, see the Client Whitelisting section in the configuration guide.

LAG in Transition

A controller that supports link aggregation (LAG) can go into a LAG-in-Transition (LAT) mode during transition between LAG to non-LAG mode or vice versa. The transition is complete only when controller is rebooted. In LAT mode, you can make configuration or interface changes and also revert to the previous LAG mode. After controller is rebooted, your configuration might get lost or you might encounter a system failure. However, from Release 8.4, it is possible to prevent such incidents by restricting interface-related configuration changes when controller is in LAT state.

Parallel Redundancy Protocol Enhancement on AP and WGB

Cisco Wireless Release 8.4 provides the Parallel Redundancy Protocol (PRP) enhancement to improve wireless network availability for wired clients behind Workgroup Bridge (WGB), and improve the roaming performance by allowing wired clients to have dual wireless connections.

For more information, see the Parallel Redundancy Protocol Enhancement on AP and WGB section in the configuration guide.

Important Upgrade Information for Cisco 2500 Series WLCs

If you are using a Cisco 2500 Series WLC and want to upgrade to Release, you must install Cisco Wireless LAN Controller Field Upgrade Software, Release or a later release. For more information, see http://www.cisco.com/c/en/us/support/wireless/2500-series-wireless-controllers/products-release-notes-list.html#anchor512.

Download the Cisco Wireless LAN Controller Field Upgrade Software for Cisco 2500 Series WLC from the Download Software page.

For other controller platforms, see the respective Cisco Wireless LAN Controller Field Upgrade Software release notes for recommended FUS images.

Discontinuation of Support for Some Access Points

The following access points are not supported from this release:

  • Cisco Aironet 600 Series OfficeExtend Access Points

  • Cisco Aironet 1550 Series Access Points with 64-MB memory

  • Cisco Aironet 1040 Series Access Points

  • Cisco Aironet 1140 Series Access Points

  • Cisco Aironet 1260 Series Access Points

GLC-TE Support in Cisco 5508 WLCs

The GLC-TE 1000BASE-T SFP module is supported in Cisco 5508 WLCs. The Cisco 5508 WLCs that have the GLC-TE SFP module must run Release 8.3 or a later release. The GLC-TE SFP module is a replacement of GLC-T, which has reached its end-of-sale date as of June 1, 2017. For more information about end-of-sale and end-of-life announcement for select Cisco 1000BASE-T SFP modules, see http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/eos-eol-notice-c51-737325.html.

Software Release Types and Recommendations

Table 2. Release Types

Release Type



Maintenance Deployment (MD)

Software releases that provide bug-fix support and ongoing software maintenance. These releases are categorized as Maintenance Deployment (MD).

These are long-living releases with ongoing software maintenance.

Provides you with a software release that offers stability and long support duration with periodic maintenance releases (MRs).

Early Deployment (ED)

Software releases that provide new features and new hardware platform support in addition to bug fixes. These releases are categorized as Early Deployment (ED).

These are short-lived releases.

Allows you to deploy the latest features and new hardware platforms or modules.

For detailed release recommendations, see the Guidelines for Cisco Wireless Software Release Migration Bulletin at:


Table 3. Upgrade Path to Cisco WLC Software Release

Current Software Release

Upgrade Path to Software


You can upgrade directly to Release


You can upgrade directly to Release

Upgrading the Cisco WLC Software Release

Guidelines and Limitations

  • The AAA database size is increased from 2048 entries to 12000 entries for some Cisco WLC platforms (Cisco Flex 7510, 8510, 5520, and 8540 WLCs). Therefore, if you downgrade from Release 8.4 to an earlier release that does not include this enhancement, you might lose most of the AAA database configuration, including management user information. To retain at least 2048 entries, including management user information, we recommend that you follow these downgrade instructions and back up the configuration file before proceeding with downgrade:

    1. From Release 8.4, downgrade to one of the following releases, which support 2048 database size and include the enhancement.

      • Release or a later 8.3 release

      • Release or a later 8.2 release

      • Release or a later 8.0 release

    2. Downgrade to a release of your choice.

  • If you are using Release 8.4 and want to upgrade to a later release, it is necessary that you upgrade to Release and then move to a later release.


    This restriction is applicable only to Release 8.4 and not any other release.
  • Release 8.4 supports additional configuration options for 802.11r FT enable and disable. The additional configuration option is not valid for releases earlier than Release 8.4. If you downgrade from this release to Release 8.2 or an earlier release, the additional configuration option is invalidated and defaulted to FT disable. When you reboot Cisco WLC with the downgraded image, invalid configurations are printed on the console. We recommend that you ignore this because there is no functional impact, and the configuration defaults to FT disable.

  • If you downgrade from Release 8.4 to a 7.x release, the trap configuration is lost and must be reconfigured.

  • If you downgrade from Release 8.4 to Release 8.1, the Cisco Aironet 1850 Series AP whose mode was Sensor prior to the downgrade is shown to be in unknown mode after the downgrade. This is because the Sensor mode is not supported in Release 8.1.

  • If you have an IPv6-only network and are upgrading to Release or a later release, ensure that you perform the following activities:

    • Enable IPv4 and DHCPv4 on the network—Load a new Cisco WLC software image on all Cisco WLCs along with the Supplementary AP Bundle images on Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2 or perform a predownload of AP images on the required Cisco WLCs.

    • Reboot Cisco WLC immediately or at the preset time.

    • Ensure that all Cisco APs are associated with Cisco WLC.

    • Disable IPv4 and DHCPv4 on the network.

  • After downloading new software to the Cisco APs, it is possible that a Cisco AP may get stuck in an upgrading image state. In such a scenario, it might be necessary to forcefully reboot Cisco WLC to download a new image or to reboot Cisco WLC after the download of the new image. You can forcefully reboot Cisco WLC by entering the reset system forced command.

  • It is not possible to download some of the older configurations from Cisco WLC because of the Multicast and IP address validations. See the Restrictions on Configuring Multicast Mode section in the configuration guide for detailed information about platform support for Global Multicast and Multicast Mode.

  • If you upgrade from Release to a later release, the config redundancy mobilitymac mac-addr command's setting is removed. You must manually reconfigure the mobility MAC address after the upgrade.

  • If you downgrade to Release or 8.0.15x.0, and later upgrade to a later release and and also have the multiple country code feature configured, then the configuration file could get corrupted. When you try to upgrade to a later release, special characters are added in the country list causing issues when loading the configuation. For more information, see CSCve41740.


    Upgrade and downgrade between other releases does not result in this issue.
  • If you have ACL configurations in a Cisco WLC, and downgrade from a 7.4 or later release to a 7.3 or earlier release, you might experience XML errors on rebooting Cisco WLC. However, these errors do not have any impact on any of the functionalities or configurations.

  • If you are upgrading from a 7.4.x or an earlier release to a release later than 7.4, the Called Station ID type information is mapped to the RADIUS Accounting Called Station ID type, which, by default, is set to apradio-mac-ssid. You can configure the RADIUS Authentication Called Station ID type information by using the config radius auth callStationIdType command.

  • When FlexConnect APs (known as H-REAP APs in the 7.0.x releases) that are associated with a Cisco WLC that has all the 7.0.x software releases prior to Release, upgrade to this release, the APs lose the enabled VLAN support configuration. The VLAN mappings revert to the default values of the VLAN of the associated interface. The workaround is to upgrade from Release and later 7.0.x releases to this release.


    In case of FlexConnect VLAN mapping deployment, we recommend that the deployment be carried out using FlexConnect groups. This allows you to recover VLAN mapping after an AP rejoins the Cisco WLC without having to manually reassign the VLAN mappings.
  • When a client sends an HTTP request, the Cisco WLC intercepts it for redirection to the login page. If the HTTP GET request that is intercepted by the Cisco WLC is longer than 2000 bytes, the Cisco WLC drops the packet. Track CSCuy81133 for a possible enhancement to address this restriction.

  • We recommend that you install Cisco Wireless Controller Field Upgrade Software (FUS), which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA or MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information about FUS and the applicable Cisco WLC platforms, see the Field Upgrade Software release notes listing.

  • If FIPS is enabled in Cisco Flex 7510 WLC, the reduced boot options are displayed only after a bootloader upgrade.


    Bootloader upgrade is not required if FIPS is disabled.

  • If you have to downgrade from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous Cisco WLC configuration files that are saved in the backup server, or to reconfigure Cisco WLC.

  • It is not possible to directly upgrade to this release from a release that is earlier than Release

  • When you upgrade Cisco WLC to any intermediate release, you must wait until all the APs that are associated with Cisco WLC are upgraded to the intermediate release before you install the latest Cisco WLC software. In large networks, it can take some time to download the software on each AP.

  • You can upgrade to a new release of the Cisco WLC software or downgrade to an earlier release even if FIPS is enabled.

  • When you upgrade to the latest software release, the software on the access points associated with the Cisco WLC is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.

  • We recommend that you access the Cisco WLC GUI using Microsoft Internet Explorer 11 or a later version, or Mozilla Firefox 32 or a later version.

  • Cisco WLCs support standard SNMP MIB files. MIBs can be downloaded from the Software Center on Cisco.com.

  • The Cisco WLC software is factory installed on your Cisco WLC and is automatically downloaded to the APs after a release upgrade and whenever an AP joins a Cisco WLC. We recommend that you install the latest software version available for maximum operational benefit.

  • Ensure that you have a TFTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

    • Ensure that your TFTP server supports files that are larger than the size of Cisco WLC software image. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within the Prime Infrastructure. If you attempt to download the Cisco WLC software image and your TFTP server does not support files of this size, the following error message appears: TFTP failure while storing in flash.

    • If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same subnet or a different subnet because the distribution system port is routable.

  • When you plug a Cisco WLC into an AC power source, the bootup script and power-on self test is run to initialize the system. During this time, press Esc to display the bootloader Boot Options menu. The menu options for the Cisco 5508 WLC differ from the menu options for the other Cisco WLC platforms.

    The following is the Bootloader menu for Cisco 5508 WLC:

    Boot Options
    Please choose an option from below:
    1. Run primary image
    2. Run backup image
    3. Change active boot image
    4. Clear Configuration
    5. Format FLASH Drive
    6. Manually update images
    Please enter your choice:

    The following is the Bootloader menu for other Cisco WLC platforms:

    Boot Options
    Please choose an option from below:
    1. Run primary image
    2. Run backup image
    3. Manually update images
    4. Change active boot image
    5. Clear Configuration
    Please enter your choice:
    Enter 1 to run the current software, enter 2 to run the previous software, enter 4 (on Cisco 5508 WLC), 
    or enter 5 (on Cisco WLC platforms other than 5508 WLC) to run the current software and set 
    the Cisco WLC configuration to factory defaults. Do not choose the other options unless directed to do so.


    See the Installation Guide or the Quick Start Guide of the respective Cisco WLC platform for more details on running the bootup script and the power-on self test.

  • The Cisco WLC bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the bootloader to boot with the backup image.

    With the backup image stored before rebooting, choose Option 2: Run Backup Image from the Boot Options menu to boot from the backup image. Then, upgrade with a known working image and reboot Cisco WLC.

  • You can control the addresses that are sent in the Control and Provisioning of Wireless Access Points (CAPWAP) discovery responses when NAT is enabled on the Management Interface using the following command:

    config network ap-discovery nat-ip-only {enable | disable}

    The following are the details of the command:

    enable —Enables use of NAT IP only in a discovery response. This is the default. Use this command if all the APs are outside the NAT gateway.

    disable —Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside the NAT gateway, for example, Local Mode and OfficeExtend APs are on the same Cisco WLC.


    To avoid stranding of APs, you must disable AP link latency (if enabled) before you use the disable option for the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

  • Do not power down Cisco WLC or any AP during the upgrade process. If you do this, the software image might get corrupted. Upgrading Cisco WLC with a large number of APs can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent AP upgrades supported, the upgrade time should be significantly reduced. The APs must remain powered, and Cisco WLC must not be reset during this time.

  • To downgrade from this release to Release 6.0 or an earlier release, perform either of these tasks:

    • Delete all the WLANs that are mapped to interface groups, and create new ones.

    • Ensure that all the WLANs are mapped to interfaces rather than interface groups.

  • After you perform the following functions on Cisco WLC, reboot it for the changes to take effect:

    • Enable or disable LAG

    • Enable a feature that is dependent on certificates (such as HTTPS and web authentication)

    • Add a new license or modify an existing license

    • Increase the priority of a license

    • Enable HA

    • Install the SSL certificate

    • Configure the database size

    • Install the vendor-device certificate

    • Download the CA certificate

    • Upload the configuration file

    • Install the Web Authentication certificate

    • Make changes to the management interface or the virtual interface

    • Make changes to TCP MSS settings

  • From Release 8.3 or a later release, ensure that the configuration file that you back up does not contain the < or > special characters. If either of the special characters is present, the download of the backed up configuration file fails.

Changes in Images and Installation Procedure for Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2

Due to an increase in the size of the Cisco WLC software image, the Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2 software images are split into the following two images:

  • Base Install image, which includes the Cisco WLC image and a subset of AP images (excluding some mesh AP images and AP80x images) that are packaged in the Supplementary AP Bundle image

  • Supplementary AP Bundle image, which includes AP images that are excluded from the Base Install image. The APs that feature in the Supplementary AP Bundle image are:

    • AP802

    • Cisco Aironet 1530 Series AP

    • Cisco Aironet 1550 Series AP (with 128-MB memory)

    • Cisco Aironet 1570 Series APs


There is no change with respect to the rest of the Cisco WLC platforms.

Image Details

The following table lists the Cisco WLC images that you have to download to upgrade to this release for the applicable Cisco WLC platforms:

Table 4. Image Details of Cisco 2504 WLC, 5508 WLC, and WiSM2

Cisco WLC

Base Install Image

Supplementary AP Bundle Image 1

Cisco 2504 WLC



Cisco 5508 WLC





Cisco WiSM2




AP_BUNDLE or FUS installation files from Release 8.4 for the incumbent platforms should not be renamed because the filenames are used as indicators to not delete the backup image before starting the download.

If renamed and if they do not contain “AP_BUNDLE” or “FUS” strings in their filenames, the backup image will be cleaned up before starting the file download, anticipating a bigger sized regular base image.

Upgrading the Cisco WLC Software (GUI)


Step 1

Upload your Cisco WLC configuration files to a server to back up the configuration files.


We highly recommend that you back up your Cisco WLC configuration files prior to upgrading the Cisco WLC software.

Step 2

Follow these steps to obtain Cisco Wireless software:

  1. Browse to the Cisco Software Central at https://software.cisco.com/download/navigator.html.

  2. Click Software Download.

  3. On the Download Software page, choose Wireless > Wireless LAN Controller.

    The following options are displayed. Depending on your Cisco WLC platform, select one of these options:

    • Integrated Controllers and Controller Modules

    • Mobility Express

    • Standalone Controllers

  4. Select the Cisco WLC model number or name.

  5. Click Wireless LAN Controller Software.

  6. The software releases are labeled as follows to help you determine which release to download. Click a Cisco WLC software release number:

    • Early Deployment (ED)—These software releases provide new features and new hardware platform support as well as bug fixes.

    • Maintenance Deployment (MD)—These software releases provide bug fixes and ongoing software maintenance.

    • Deferred (DF)—These software releases have been deferred. We recommend that you migrate to an upgraded release.

  7. Click the filename (filename.aes).


    For Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2, the Cisco WLC software image is split into two images, the Base Install image and the Supplementary AP Bundle image. Therefore, in order to upgrade, repeat Step 2 through Step 14 to complete the installation of both the Base Install image and the Supplementary AP Bundle image.

    Download the Supplementary AP Bundle image only if you are using any of these APs: AP802, Cisco Aironet 1530 Series AP, Cisco Aironet 1550 Series AP (with 128-MB memory), Cisco Aironet 1570 Series APs, or all.

  8. Click Download.

  9. Read the Cisco End User Software License Agreement and click Agree.

  10. Save the file to your hard drive.

  11. Repeat steps a through j to download the remaining file.

Step 3

Copy the Cisco WLC software file (filename.aes) to the default directory on your TFTP, FTP, or SFTP server.

Step 4

(Optional) Disable the Cisco WLC 802.11 networks.


For busy networks, Cisco WLCs on high utilization, and small Cisco WLC platforms, we recommend that you disable the 802.11 networks as a precautionary measure.

Step 5

Choose Commands > Download File to open the Download File to Controller page.

Step 6

From the File Type drop-down list, choose Code.

Step 7

From the Transfer Mode drop-down list, choose TFTP, FTP, or SFTP.

Step 8

In the IP Address field, enter the IP address of the TFTP, FTP, or SFTP server.

Step 9

If you are using a TFTP server, the default value of 10 retries for the Maximum Retries field, and 6 seconds for the Timeout field should work correctly without any adjustment. However, you can change these values, if desired. To do so, enter the maximum number of times that the TFTP server attempts to download the software in the Maximum Retries field and the amount of time (in seconds) for which the TFTP server attempts to download the software, in the Timeout field.

Step 10

In the File Path field, enter the directory path of the software.

Step 11

In the File Name field, enter the name of the software file (filename.aes).

Step 12

If you are using an FTP server, perform these steps:

  1. In the Server Login Username field, enter the username with which to log on to the FTP server.

  2. In the Server Login Password field, enter the password with which to log on to the FTP server.

  3. In the Server Port Number field, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 13

Click Download to download the software to the Cisco WLC.

A message appears indicating the status of the download.


For Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2, the Cisco WLC software image is split into two images: the Base Install image and the Supplementary AP Bundle image. Therefore, in order to upgrade, repeat Step 2 through Step 14 to complete the installation of both the Base Install image and the Supplementary AP Bundle image.

Download the Supplementary AP Bundle image only if you are using any of these APs: AP802, Cisco Aironet 1530 Series AP, Cisco Aironet 1550 Series AP (with 128-MB memory), and/or Cisco Aironet 1570 Series APs.


Ensure that you choose the File Type as Code for both the images.

Step 14

After the download is complete, click Reboot.

Step 15

If you are prompted to save your changes, click Save and Reboot.

Step 16

Click OK to confirm your decision to reboot the Cisco WLC.

Step 17

For Cisco WiSM2, check the port channel and re-enable the port channel, if necessary.

Step 18

If you have disabled the 802.11 networks, re-enable them.

Step 19

To verify that the Cisco WLC software is installed on your Cisco WLC, on the Cisco WLC GUI, click Monitor and view the Software Version field under Controller Summary.

CIMC Utility Upgrade for 5520 and 8540 Controllers

The AIR-CT5520-K9 and AIR-CT8540-K9 controller models are based on Cisco UCS server C series, C220 and C240 M4 respectively. These controller models have CIMC utility that can edit or monitor low-level physical parts such as power, memory, disks, fan, temperature, and provide remote console access to the controllers.

We recommend that you upgrade the CIMC utility to Version 3.0(4d) that has been certified to be used with these controllers. Controllers that have older versions of CIMC installed are susceptible to rebooting without being able to access FlexFlash, with the result that the manufacturing certificates are unavailable, and thus SSH and HTTPS connections will fail, and access points will be unable to join. See: CSCvo33873.

The CIMC 3.0(4d) images are available at the following locations

Table 5. CIMC Utility Software Image Information


Link to Download the CIMC Utility Software Image

Cisco 5520 Wireless Controller


Cisco 8540 Wireless Controller


For information about upgrading the CIMC utility, see the "Updating the Firmware on Cisco UCS C-Series Servers" chapter in the Cisco Host Upgrade Utility 3.0 User Guide:


Updating Firmware Using the Update All Option

This section mentions specific details when using CIMC utility with Cisco 5520 or 8540 controllers. For general information about the software and UCS chassis, see Release Notes for Cisco UCS C-Series Software, Release 3.0(4) at:


Table 6. Open Caveats for Release 3.0(4d)

Caveat ID



After upgrading CIMC to 3.04d, only after power reset, UCS-based controller is coming up.


Not able to logon to the CIMC GUI with the username and password that are configured from the controller.

Table 7. Resolved Caveats for Release 3.0(4d)

Caveat ID



Symptom: The system will stop working or reboot during OS operation with PROCHOT, MEMHOT, and DMI Timeout-related events reported in the System Event Log (SEL).

Conditions: C220-M4 or C240-M4

Workaround: No workaround is available.

This bug fix changes the default BIOS option for ASPM (Active State Power Management) from 'L1 only' to 'Disabled', and the ASPM setting can no longer be modified. This change was made to help increase system stability and eliminate some system crash scenarios.


Symptom: The system will stop working or reboot during OS operation with PROCHOT, MEMHOT, and DMI Timeout-related events reported in the System Event Log (SEL).

Conditions: C220-M4 or C240-M4

Workaround: No workaround is available.

This bug fix changes the BIOS option "Package C-State limit" default value from C6 Retention to C0/C1 to help increase system stability and eliminate some crash scenarios.

Once upgraded, reset the BIOS settings to default or manually change Package C-State limit to C0/C1.

Interoperability With Other Clients

This section describes the interoperability of Cisco WLC Software with other client devices.

The following table describes the configuration used for testing the client devices.

Table 8. Test Bed Configuration for Interoperability

Hardware/Software Parameter

Hardware/Software Configuration Type


Cisco WLC

Cisco 5508 Wireless Controller

Access points

AIR-CAP3802E-B-K9, AIR-AP1852E-B-K9


802.11ac, 802.11a, 802.11g, 802.11n (2.4 GHz / 5.0 GHz)




ACS 5.3, ISE 2.2

Types of tests

Connectivity, traffic (ICMP), and roaming between two access points

The following table lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.

Table 9. Client Types

Client Type and Name



Intel 6300
Intel 6205
Intel 7260
Intel 7265
Intel 3160
Intel 8260
Broadcom 4360
Dell 1520/Broadcom 43224HMS
Dell 1530 (Broadcom BCM4359)
Dell 1560
Dell 1540
Samsung Chromebook 55.0.2883.103
HP Chromebook 55.0.2883.103
MacBook Pro OSX 10.11.6
MacBook Air old OSX 10.11.5
MacBook Air new OSX 10.11.5
Macbook Pro with Retina Display OSX 10.12
Macbook New 2015 OSX 10.12.4


HP Color LaserJet Pro M452nw


Apple iPad2 iOS 10
Apple iPad3 iOS 10
Apple iPad mini with Retina display iOS 10
Apple iPad Air iOS 10
Apple iPad Air 2 iOS 10
Apple iPad Pro iOS 10
Samsung Galaxy Tab Pro SM-T320 Android 4.4.2
Samsung Galaxy Tab 10.1- 2014 SM-P600 Android 4.4.2
Samsung Galaxy Note 3 - SM-N900 Android 5.0
Microsoft Surface Pro 3 Windows 8.1
Driver: 15.68.3093.197
Microsoft Surface Pro 2 Windows 8.1
Driver: 14.69.24039.134
Microsoft Surface Pro 4 Windows 10
Driver: 15.68.9040.67
Google Nexus 9 Android 6.0.1
Google 10.2" Pixel C Andriod 7.1.1
Toshiba Thrive AT105 Android 4.0.4

Mobile Phones

Cisco 7926G CP7925G-
Cisco 7925G-EX CP7925G-
Cisco 8861 Sip88xx.10-2-1-16
Cisco-9971 sip9971.9-4-1-9
Cisco-8821 sip8821.11-0-3ES2-1
Apple iPhone 4S iOS 10.2.1
Apple iPhone 5 iOS 10.2.1
Apple iPhone 5s iOS 10.2.1
Apple iPhone 5c iOS 10
Apple iPhone 6 iOS 10.2.1
Apple iPhone 6 Plus iOS 10.2.1
Apple iPhone 6s iOS 10.2.1
Apple iPhone 7 iOS 10.2.1
HTC One Android 5.0
OnePlusOne Android 4.3
OnePlus3 Android 6.0.1
Samsung Galaxy S4 T-I9500 Android 5.0.1
Sony Xperia Z Ultra Android 4.4.2
Nokia Lumia 1520 Windows Phone 8.10.14219.341
Google Nexus 5 Android 6.0.1
Google Nexus 5X Android 6.0.1
Google Pixcel Android 7.1.1
Samsung Galaxy S5-SM-G900A Android 4.4.2
Samsung Galaxy S III Android 4.3
Samsung Galaxy S4 Android 5.0.1
Samsung Galaxy S5 Android 4.4.2
Samsung Galaxy S6 Android 6.0.1
Samsung Galaxy S7 Android 6.0.1
Samsung Galaxy Nexus GTI9200 Android 4.4.2
Samsung Galaxy Mega SM900 Android 4.4.2
LG G4 Android 5.1
Xiaomi Mi 4c Android 5.1
Xiaomi Mi 4i Android 6.0.1

Key Features Not Supported in Controller Platforms

This section lists the features that are not supported on the different controller platforms:


In a converged access environment that has controllers running AireOS code, High Availability Client SSO and native IPv6 are not supported.

Key Features Not Supported in Cisco 2504 WLCs

  • Domain-based ACLs

  • Autoinstall

  • Controller integration with Lync SDN API

  • Application Visibility and Control (AVC) for FlexConnect local switched APs

  • Application Visibility and Control (AVC) for FlexConnect centrally switched APs


    However, AVC for local mode APs is supported.


  • Bandwidth Contract

  • Service Port

  • AppleTalk Bridging

  • Right-to-Use Licensing

  • PMIPv6

  • EoGRE

  • AP Stateful Switchover (SSO) and client SSO

  • Multicast-to-Unicast

  • Cisco Smart Software Licensing


  • The features that are not supported on Cisco WiSM2 and Cisco 5508 WLC are not supported on Cisco 2504 WLCs too.

  • Directly connected APs are supported only in the local mode.

Key Features Not Supported in Cisco WiSM2 and Cisco 5508 WLCs

  • Domain-based ACLs

  • Spanning Tree Protocol (STP)

  • Port Mirroring

  • VPN Termination (such as IPSec and L2TP)

  • VPN Passthrough Option


    You can replicate this functionality on a Cisco 5508 WLC by creating an open WLAN using an ACL.

  • Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)

  • Fragmented pings on any interface

  • Right-to-Use Licensing

  • Cisco 5508 WLC cannot function as mobility controller (MC). However, Cisco 5508 WLC can function as guest anchor in a New Mobility environment.

  • Cisco Smart Software Licensing

Key Features Not Supported on Cisco Flex 7510 WLCs

  • Domain-based ACL

  • Cisco Umbrella—Not supported in FlexConnect local switched WLANs; however, it is supported in central switched WLANs.

  • Static AP-manager interface


    For Cisco Flex 7510 WLCs, it is not necessary to configure an AP-manager interface. The management interface acts as an AP-manager interface by default, and the APs can join on this interface.

  • IPv6 and dual-stack client visibility


    IPv6 client bridging and Router Advertisement Guard are supported.

  • Internal DHCP server

  • APs in local mode


    A Cisco AP associated with a controller in the local mode should be converted to the FlexConnect mode or Monitor mode, either manually or by enabling the autoconvert feature. From the Cisco Flex 7510 WLC CLI, enable the autoconvert feature by entering the config ap autoconvert enable command.

  • Mesh (use Flex + Bridge mode for mesh-enabled FlexConnect deployments)

  • Spanning Tree Protocol (STP)

  • Cisco Flex 7510 WLC cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.

  • Multicast


    FlexConnect local-switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect APs do not limit traffic based on Internet Group Management Protocol (IGMP) or MLD snooping.

  • PMIPv6

  • Cisco Smart Software Licensing

Key Features Not Supported in Cisco 5520, 8510, and 8540 WLCs

  • Internal DHCP Server

  • Mobility controller functionality in converged access mode

  • Spanning Tree Protocol (STP)

  • Port Mirroring

  • VPN Termination (such as IPsec and L2TP)

  • VPN Passthrough Option

  • Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)

  • Fragmented pings on any interface


Cisco Smart Software Licensing is not supported on Cisco 8510 WLC.

Key Features Not Supported in Cisco Virtual WLCs

  • Cisco Umbrella

  • Domain-based ACLs

  • Internal DHCP server

  • Cisco TrustSec

  • Access points in local mode

  • Mobility/Guest Anchor

  • Wired Guest

  • Multicast


    FlexConnect local-switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic based on IGMP or MLD snooping.

  • FlexConnect central switching in large-scale deployments


    • FlexConnect central switching is supported in only small-scale deployments, wherein the total traffic on controller ports is not more than 500 Mbps.

    • FlexConnect local switching is supported.

  • Central switching on Microsoft Hyper-V deployments

  • AP and Client SSO in High Availability

  • PMIPv6

  • Datagram Transport Layer Security (DTLS)

  • EoGRE (Supported in only local switching mode)

  • Workgroup Bridges

  • Client downstream rate limiting for central switching

  • SHA2 certificates

  • Controller integration with Lync SDN API

  • Cisco OfficeExtend Access Points

Key Features Not Supported in Access Point Platforms

Key Features Not Supported in Cisco Aironet 1560, 1810 OEAP, 1810W, 1815, 1830, 1850, 2800, and 3800 Series APs

Table 10. Key Features Not Supported in Cisco Aironet 1560, 1810 OEAP, 1810W, 1815, 1830, 1850, 2800 and 3800 Series APs

Operational Modes

  • Autonomous Bridge and Workgroup Bridge (WGB) mode

  • Spectrum Expert Connect

  • Mesh mode


    Supported on 1560 APs.

  • Flex + Mesh

  • 802.1x supplicant for AP authentication on the wired port

  • LAG behind NAT or PAT environment


  • 802.11u

  • Full Cisco Compatible Extensions (CCX) support

  • Rogue Location Discovery Protocol (RLDP)

  • Telnet

  • Internet Group Management Protocol (IGMP) v3


  • CKIP, CMIC, and LEAP with Dynamic WEP

  • Static WEP for CKIP

  • WPA2 + TKIP

    WPA +TKIP and TKIP + AES protocols are supported.

Quality of Service

Cisco Air Time Fairness (ATF)

Location Services

Data RSSI (Fast Locate)

FlexConnect Features

  • Bidirectional rate-limiting

  • Split Tunneling

  • PPPoE

  • Multicast to Unicast (MC2UC)

  • Traffic Specification (TSpec)

    • Cisco Compatible Extensions (CCX)

    • Call Admission Control (CAC)

  • DHCP Option 60

  • VSA/Realm Match Authentication

  • Link aggregation (LAG)

  • SIP snooping with FlexConnect in local switching mode


For Cisco Aironet 1850 Series AP technical specifications with details on currently supported features, see the Cisco Aironet 1850 Series Access Points Data Sheet.

Key Features Not Supported in Cisco Aironet 1810 OEAP and 1810W Series APs

Table 11. Key Features Not Supported in Cisco Aironet 1810 OEAP and 1810W Series APs

Operational Modes

  • Monitor Mode

  • Mobility Express

FlexConnect Features

Local AP Authentication

Key Features Not Supported in Cisco Aironet 1830 and 1850 Series and 1815 Series APs

Table 12. Key Features Not Supported in Cisco Aironet 1830 and 1850 Series and 1815 Series APs

Operational Modes

Monitor Mode

FlexConnect Features

Local AP Authentication

Features Not Supported in Mesh Networks

  • Load-based call admission control (CAC). Mesh networks support only bandwidth-based CAC or static CAC

  • High availability (fast heartbeat and primary discovery join timer)

  • AP acting as supplicant with EAP-FASTv1 and 802.1X authentication

  • AP join priority (mesh APs have a fixed priority)

  • Location-based services

Key Features Not Supported on Cisco Aironet Mesh 1560 APs

  • Noise Tolerant Fast Convergence


Open Caveats

Table 13. Open Caveats

Caveat ID Number



3602 AP losing MAC address


AP starts CAC timer after rolling back to lower bandwidth


Cisco 2504 WLC configuration restoration failure due to multicast mode command


Radio resets on 702w AP


1532i AP low throughput (FlexConnect Local switching + EoGRE)

CSCva87833 AIR-CT8510-K9 stopped working; SSO disabled


WiSM2 stopped working with Task Name 'IPv6_Msg_Task'


Standby WLC reboots continuously with reason that XML were not transferred from Active to Standby WLC


Cisco 5508 WLC runs out of memory


Cisco WLC multicast configuration not coherent for code upload or download


Cisco 8510 WLC stopped working due to TempStatus task

CSCvb97383 Cisco WLC deauthenticating roaming client with idle timeout


AP retransmits packet even though client sends ACK


Cisco WLC stops working during multiple login sessions either with local user or with TACACS+


Defect of msglog corresponding to 'AP Message Timeout: Max retransmissions reached on AP ...'

CSCvc30828 AP does not allow world mode to be set via GUI on 15.3(3)JD


IR829/AP803: uWGB cannot pass traffic downstream


Cisco WLC tears down connected AP due to unequal load balance between SPAM queues high load


AP radio reset happens multiple times without trigger


AP generates flood of received and decoded a DMS client request payload successfully


WGB wired client randomly stuck in the DHCP_REQD state after layer 2 roaming between the controllers


Wave 1 AP transmits on disabled rate (24Mb)


Cisco WLC HA redundancy management interface not reachable for a short time after failover


WGB HSR 802.11v neighbor report validation fails when Infrastructure MFP is enabled


IP call setup fails after L3 handover occurs during call among 1832 AP


Cisco WLC reports tracebacks reported very frequently but no unresponsiveness


CPU ACL configured to block access to Virtual IP does not work as expected


Cisco WLC profiles 7925 incorrectly


Cisco 8510 WLC's AP-SSO stopped working on portalProcessLogout


Cisco WLC data plane stopped working due to fragmentation


Silent reboot on Cisco 5508 WLC or Cisco WiSM2


WLC sets Zero 11e QoS for downstream voice traffic when CAC is disabled


AVC profile is not applied on client behind WGB


Cisco WLC returns nothing for SNMP get WEB ACL - cldcClientAaaOverrideAclName


vWLC does not learn client IP address; client stuck in DHCP_REQD

CSCvc83465 3800 AP sometimes stops sniffing on DFS channel


Redundancy Mobility MAC address does not stay, Primary WLC's MAC address is always set instead


ISE endpoint purge not working on Foreign-Anchor setup


1810W AP sending invalid AC_NAME when WLC hostname is 31 bytes long


1832 or 1852 AP: Power injector/Normal mode in spite of power supply by AIR-PWR-C


1702I AP stopped working with DOT11-2-RADIO_RX_BUF: Corrupt buf: errors


Wave 2 APs: Allows direct routing to AP IP address from client WLANs with FlexConnect local switching


Tracebacks and MFP queue logs filling up the msglog on WLC

CSCvc94648 Evaluation of WLC for OpenSSL Jan 2017


GUI-ping output not throwing proper privilege error with read-only user


702W AP: Unable to view or configure dot11U manager in GUI

CSCvc96076 WiSM2 HA: Standby WLC stopped working with task name spamApTask2 in ideal state


1830 AP: 2.4-GHz radio stopped working at 0x009915D7


Wired WGB client is removed from parent AP's association table


2800 AP or 3800 AP: capwapd init unsuccessful creating 2 capwapd causing WCPD watchdog reset

CSCvd02303 Flex+Bridge AP stopped working while joining the WLC


Cisco WLC stopped working on SNMPTask


AP firmware corrupt after power cycle bad mzip file, unknown zip method reboot loop


Rogue Rule substring-ssid turns invalid on Cisco WLC when user-configured SSID is included in PI template


AP memory leak on QoS/AVC FlexConnect module


Rule creation with CLRuleConfigEntry stops the Cisco WLC from working


Cisco WLC stopped working on SNMP set performed on clrRrmDot11BandGrpMemberEntry


Cisco WLC memory corruption when TACACS+ responds with unknown attributes


3800 AP detecting DFS false triggers


Client associated to MAP does not get AAA override in Flex+Bridge mode. Bug ID CSCut91086 not fixed


Anchor1 WLC does not free client sessions after client roaming to Anchor2 WLC; client entries stale


ROKHid inconsistent for 802.11r roaming in FlexConnect and NAT setup


Cisco WLC stopped working when multicasting traffic and accessing WLC GUI


AAA AVC Override: AVC profile retained after roaming


WLAN-VLAN mapping is not removed after deleting WLAN


WGB wired clients not seen by Cisco WLC


Cisco WLC GUI trapflags for client association with statistics does not display correct configuration

CSCvd23902 1532 AP: Root bridge drops packets from non-root bridge in non-native VLAN


SNMP system stopped working when attempted to create tunnel with clGatewayTunnelEntry MiB


Unit of probe suppression hysteresis should be dB


EAP-FAST EAP-Chaining on wired 1810W AP port does not work


Incorrect number of clients reported on AP by WLC


AP802 incorrect base radio MAC assigned not ending with zero causing to only support one BSSID


AP sends RTS at 6 data rate when data rate 6 is disabled


Apple iPhone 7 dissociates after session timeout


Standby WLC stopped working @rmgrReboot


Mobility multicast IP address reverse in TACACS+ packets


3800 AP or 2800 AP: Not enforcing WLAN WFD policy

CSCvd36190 Cisco 5520 WLC stopped working due to haSSOServiceTask6 task


AP in local switching or local authentication disconnects EAP-SIM client idle for more than 0.5 second


show run-config commands: Incorrect index numbers for RADIUS Accounting Servers


1600 AP ping loss on Ethernet interface


Wave 1 AP on Release 8.2 falsely show 100% channel utilization

CSCvd42321 1832 AP drops CAC SIP 486 Packet


Standby WLC stopped working on performing SNMP Set on bsnDot11QosProfileEntry


Cisco 2500 WLC stopped working


ACL counter was not incremented after applying ACL rule


Client traffic dropped in anchor foreign AirOS setup with new mobility if foreign WLC is behind NAT

CSCvd45744 AP reboots after 4 hours while doing Site Survey


Cisco WLC stopped working due to emWeb task


Audit-Session-ID information is missing after reauthentication


System stopped working multiple times on ping rx task


1140 AP: 2.4GHz radio resets with reason code 71 on event.r0

CSCvd53765 After restarting WLC NMSP goes down on CMX
CSCvd54154 All 1850 APs connected to primary AP stop working in a loop due to watchdog reset


FlexConnect local switching, local auth not supported when PMF is enabled


Error cause 403 generated for 'RFC-3576 Disconnect-Request'

CSCvd56588 2800 AP or 3800 AP: Incorrect RSSI values displayed when client associates with XOR radio


WLC is allowing selective reanchor to be enabled on wrong WLAN


Getting 'max containments reached...:3' message on 1852 AP in monitor mode


System stopped working on PMIPV6_Thread_0 during creation of LMA entry


Anchor not deleting webauth req client beyond webauth timeout


FlexConnect AP reconnect, radio reset during DTLS setup


Cisco WLC stopped working at task nmspRxServerTask


cLApWlanStatsOnlineUserNum is not current number of online user


Cisco Flex 7510 WLC stopped working due to Taskmaster Reaper reset


Local EAP LDAP request with incorrect password lockout users


Antenna Gain on 2.4-Ghz radio resets to default after 3800 E AP reboot


AP with WSM module enabled sending RRM data every 5 seconds for each radio


Blackberry passport is not redirected to the webauth portal

CSCvd86566 Client with incorrect NAI realm gets Access-Accept message from RADIUS Server


Cisco WLC stopped working due to nmspTxServerTask


Cisco WLC applies incorrect ACL to clients when performing CWA


AP 3800 and/or AP 2800: Kernel panic, stopped working at insectivorous+0xc/0xa4 [ap8x]


1852 AP detects high noise level on 5-GHz radio


Unknown user name when switching from open to dot1x SSID


Incorrect SNMP OID issue for FT -


HA: configuration sync failed on standby WLC when FlexConnect AP configuration is modified


Silent reboot after memory usage goes to 85%


2802 AP rogue detection configuration changed back to Enabled state after AP reboot


WLC data plane is not responding to capwap-data keep-alive


Foreign WLC leaks IPv6 and IPv4 multicast client traffic out of EoIP tunnel


When client roams between AP, DP may not plumb tclas while having active call


2800 AP or 3800 AP sends multicast with AES when client is TKIP


FlexConnect ARP responds to wired clients

CSCve26935 2800 AP or 3800 AP IPv4 TCP low throughput with Windows 10 Creator


AP shows public IP address on Cisco WLC GUI, but private IP address in CLI


Configuration upload fails due to WLANs having special or invalid characters


Cisco 8540 WLC modifies IP Header 'Router Alert' to 'End of Option List' when IGMP snooping enabled


2800 AP or 3800 AP: False 100% channel utilization seen


WLC 5508 - foreign mapping is missing on a WLAN when restoring a backup

Resolved Caveats

Table 14. Resolved Caveats

Caveat ID Number



IPv6 traffic-filter command not working on subinterface


AP with Hyperlocation module: AP dot1x credentials are lost after second reload


HTTP profiling support for 1850 AP


Cisco 602 AP private key extraction vulnerability


3800 AP sending unencrypted ARP requests over the air


3802 AP sends VHT SGI frames to STA that does not support SGI


3800 AP does not reassemble wireless fragmented frames


3800 FlexConnect AP: Does not honor Operating Mode Notification IE from STA


3800 AP incorrectly shows 0x01 (extension channel above) for ch 161


3800 AP indicates support for MCS32 Duplicate mode


3800 AP not updating HT Op Mode bits in presence of legacy AP


3800 AP sends out multicast packets with no clients associated


WLC GUI: client Current TxRateSet shows wrong value for 802.11ac rates


3800 AP: WLAN client fails on >= 1500 bytes with ICMP traffic in standalone mode


Wave 2 APs: FlexConnect AAA overridden ACL is not plumbed in the WLC


Cisco AP IOS software TCP Denial of Service Vulnerability


No bridge-group X spanning-disabled command is lost after reboot


Web passthrough URL redirection fails with HTTPS web addresses


AP might fail to get an IP address if hostname is short


AIR-CAP1552 not showing temperature on Cisco WLC


MAP not joining Cisco WLC when invalid static IP configured


Mode changed from wireless mesh to FlexConnect when auto-convert enabled


No data connectivity on wired client when RAP from SPF fiber to wireless


Improper message: Received unsupported MSG event 0 for Hotspot task


1810 AP stops forwarding multicast traffic to RLAN port randomly


602 OEAP Txpower set to static minimum after upgrade from 8.0 to 8.2.x release


1572 AP Inventory incorrect on WLC CLI and GUI for NAME&DESCR


A-MSDU cannot be enabled on VO


2800 AP: Client upstream data packets drop due to CCMP PN mismatch


1810 AP: show ip int brief and show interfaces commands to be updated correctly


1810 OEAP associated with Cisco 8540 WLC: Network diagnostics reports an error on the AP


1810 AP: Interface status in CLI output not matching with OEAP GUI


LED state on 1852 ME reenables even after manually disabling


AP load information not clear/reset after AP radios are disabled


1570 MAP Best-Effort tx queue stuck on 5-GHz interface


AP803 error in setting antenna type when channel changed


SC2 Radio randomly sending corrupted timestamp BCN on hidden SSID


Wi-Fi Interface Input Counter Not Reflecting Total Packets


Changes from CSCux82091 need backed out and fixed


SSID name is NULL when using Hotspot 2.0


AP returns incorrect value for


SGT-IP bindings through SXP are not propagated by WLC after WAN connectivity restored


702W AP LAN port clients do not get IP addresses on Cisco 8510 WLC


Configurations allowed on 802.11ac radio Sniffer mode AP


Dot2 radio up even after 11ac-support disabled in WLC


Same AP image shows up on primary and backup side


Able to delete RADIUS server without index number or value in 8540 WLC


Controller Interface override issues when user changes-INTERFACE group


In WLC GUI, user is unable to apply ACL in local policy


IP address of PC for failed authentication displayed in reverse format in WLC msglog


Local EAP fails after wrong username login


RADIUS interim accounting updates GUI/CLI config option should be removed for Guest WLAN


Cisco WLC stopped working after applying CPU ACL


AP SSH/telnet global configuration missing on the standby WLCs


config ap tftp-downgrade command does not recognize valid IPv6 TFTP address


SNMP trap for "AP Interface Up/down Traps" not getting generated.




WLC EoGRE profile name above 31 characters does not work


'ap-manager' should not be accepted as dynamic interface name


8510 WLC DP packet-capture size swapped due to endianness


Data plane stopped working on Cisco 5508 WLC


Cisco 8510 WLC stopped working with "fp_main_task" during boot


WLC DP stopped working; wqe stuck


WLC incorrectly sends disassociation frame using base radio MAC address


AP core dump config not synced to standby when config is done via GUI


WLC HA transfer download failure with legitimate network latency


ciscoLwappReapMIB table not returning all APs for FlexConnect and Flex+Bridge


default-flex-group shows wrong count in FlexConnect and Flex+Bridge combination


FlexConnect AVC config not pushed if WLAN is added to the AP group later


FlexConnect group RADIUS configurations are not pushed to AP


WLAN and L2ACL mapping config is not applied on the FlexConnect AP


Cisco 2500 WLC client display error: UnavailableUnavailable


Cisco WLC losing IPv6 connectivity


Observing Traceback after joining AP to WLC (ARP entry Related traceback)


vWLC: Silent reboots with Kernel error


Cisco WLC failed to handle ARP request from wired server within the same VLAN


Cisco WLC gateway not reachable after disabling LAG


Bad Payload Len 4 - dropping packet error on WLC


Check wireless LAN controller AP radios are installed properly


Cisco WLC drops NMSP packet from MSE


Cisco WLC stopped working accessing MAC Address Database


Able to configure mesh backhaul slot ID with character


Mesh: SNMP not returning value for VHT Data Rates


Cisco WLC stopped working on spamApTask5


'config mobility group anchor' config is removed after WLC upgrading


Cisco 5500 WLC as MC showing stale connections from MA clients


AP drop of from network due to large set of mobility groups in down/down


Client unable to get anchored at GA controller


Old Mobility Ping traffic drops in wired m/c when roaming from F to F


Tracebacks on sh run in Release 8.3, due to partially removed feature


Media stream is not showing the client details


WLC Netflow: Flow durations showing higher than 90 seconds


Maximum length for NTP key configuration fails on Cisco Flex 7510 WLC with HEX


Cisco 8510 WLC in HA stopped working; Task Name: nmspRxServerTask


Cisco WLC stops working when running 'show run-config' command with no APs


IPv6 MLD from PMIPv6 client show client MAC on Layer3/2 switch


CWA not working on Cisco 8500 WLC as Guest anchor with Accounting enabled


Token Bucket leak messages with QoS Roles and with WebAuth on


WLC cap the traffic as per QoS WLAN policy instead of applying exception


5-GHz radio using higher power than max TPC channel UNI III


5-Ghz radio down with Macedonia as the country code


802.11a RF Grouping CLI returns redundant info and incorrect characters


802.11a/b l2roam rf-param configs output not present in show running-config


Channel changed trap with Unknown Radio Type on dual band radio


clrRrmDot11BandGrpMemberTable row creation is success; still throwing error


clrRrmDot11BandGrpMemberTable row creation is success; still throwing error


config 802.11a or abgn command hit several issues for 3802 AP


Cisco WLC stopped working while editing RF profiles


Issue in CleanAir when client serving band is 5 GHz


MA is connected but Mobility Agents RF membership information shown 0


Optimized roaming trap log shows reason as: Unknown Reason Code 34


RF Profiles only has MCS indices 0-23 vs global 0-31


Rx-SOP threshold values are pushed to unsupported model AP


SNMP: Channel Number returned for NOS module inserted to an AP


New active (Secondary) WLC sending trap using redundancy Management IP


SGT-IP bindings CTS tag is missing from WLC after reauth WAN connection recovery


Cisco WLC not propagating SGT-IP bindings via SXP after role change


IN WLC CLI, url-acl not accepting special characters as profile name


WLC FlexConnect MediaStream client count is wrong


3802 XOR operational state inconsistent issues


5 indices with same 1601 after changing EAP to PSK on GUI without applying the changes


Downloaded AVP page keeps reloading automatically-readonly user


During editing of Guest User, it is accepting out of range value


Either local or RADIUS profiling must be supported; not both at the same time


Error in creating ACL name in UTF-8 character in WLC GUI.


GUI error configuration failed when deleting a key while PSK is disabled


GUI of WLC must display channel as NA for 2800 AP in monitor mode


In GUI observing error message while creating WLAN with 802.1X security


Mismatch in WLC CLI and GUI page for NTP polling time interval range


Monitor annoying warning and operational state of radio provisioning


Refresh button not working in interface groups page in WLC GUI


TACACS+ Accounting Message is not sent when CPU ACL changed


Unable to configure anything on "FlexConnect" tab of FlexConnect mode AP


Unable to create IPSec profile name with UTF-8 Char


Unable to set the radio in Rapid Update mode when right-clicked on CleanAir


WebUI displays wrong WLAN ID under AP for FlexConnect AVC mappings at FlexConnect group


WLAN name not shown properly on monitor and client page in WLC GUI


WLC GUI client filter fails with spaces used in the Client Name


WLC: GUI does not allow to change sniffer channel


Cisco TrustSec: DHCP Proxy IP empty unable to determine which DHCP server not work


Display showing unreasonable 110% or 120% in % interference Impact


WLC 8510/2504 flooding Tracebacks on syslog level debugs enable


8510 WLC stopped working on apfProcessClientAssocRespForRldp


Issues regarding CLI command of 'config rogue ap'


Old AP keeps doing containment even after enabling auto contain monitor

CSCuz89259 Cisco Catalyst 3850 switch elected as RF group leader instead of Cisco 5508 WLC running Release 8.2
CSCuz96996 CHD-WLC CLI command to set voice packet count does not work properly
CSCva50180 AIR-CAP1602I-E-K9 stopped working
CSCvb66073 RLAN clients being sent as RADIUS:NAS-Port-Type = Wireless - IEEE 802.11 for RLAN
CSCva42271 2800 AP entry removed from WLC with Exception stack message
CSCva03113 FlexConnect: WLAN Ordering-AP specific VLAN gets changed to Native VLAN
CSCva03427 FlexConnect: WLAN mappings change to WLAN specific during fault tolerance
CSCvb59172 Controller log messages do not report RTU licensing status or issues
CSCuz17445 Rx-SOP: WLC setting global threshold values after upgrading/reloading WLC
CSCva89704 Inconsistent LED behavior on AIR-AP1810W
CSCvb25382 1810 OEAP: Channel selection when set to Auto shows blank on the UI
CSCvb80938 OEAP 1810 Local UI can be accessed with IP address even when it is disabled globally
CSCvb97603 TrustSec: Wave1 FlexConnect AP to update client SGT info when switching from standalone to connected
CSCva04054 EoGRE client gateway IP is different as per the WLAN interface IP
CSCva59149 SNMP set fails when attempted to set a URL ACL rule with 32 characters
CSCva82117 SNMP get-response returns '0' value for the 'adminStatus' value =1
CSCvb17520 Fastlane: Fastlane enable on a WLAN overwrites existing profile


Radio interface input queue gets filled on Autonomous APs.


Error saving config file happens on multiple 2702 APs


DFS false detection on 2700 AP


3802E AP in sniffer mode does not see NullFrames


3802 AP: SensorD stuck in offchannel causing radio to stop working


Client with lower signal strength than Rx-SOP threshold can connect radio


1810W AP radio firmware stopped working (@0x009C30A0/0x0000), memory corruption


AP dropping EAP packets on radio which is seen on wired uplink


AP stopped working with %ENTROPY-0-ENTROPY_ERROR: Unable to collect sufficient entropy


2702 AP unable to upgrade and failing with error: Unable to create temp directory "flash:/update"


ME intermittently flaps with external AP


CCX proxy ARP flag not set in Wave 1 APs


1800/2800/3800 Series AP does not send the platform value via CDP when it is brand new


AIR-AP3802I stopped working due to kernel panic


Layer 2 packet drop of CDP packets for Wave 2 APs


AP1832/AP1852 sometimes does not send authentication response


1532 AP non-root bridge high retransmission and latency rate


AMSDU packets transmission cause 5-second gap of packet transmission to 8821 from Wave 1 AP


Full support for "distance" on 1572 AP


Retried EAP response dropped as a duplicate while first EAP response was not even received on the AP


RM3010L-B-K9 Hyperlocation module stopped working


False positive AP sourced AP impersonation on corrupted beacon


Fix incorrect commit of CSCuu59589 in 8.0 maintenance release


2802 AP drops client ARP packets after web authentication


3800 AP stopped working due to 'WCPD'


2800/3800/1800 AP WCPD stopped working due to double-free in RRM off-channel element


3800 AP: WCPD stopped working at off-channel


Client not getting IP address when moving between SSID


802.1x CCKM roams fail on WGB at GTK key rotation


WGB running 15.3(3)JD WGB takes ~500 ms longer to scan DFS channels vs JBB


WGB sticky to the current AP despite better candidate being available


Local authentication EAP-TLS not working on Microsoft Windows 10


WLC Local EAP with 7925 handshake failure


8821 fails 11r FT roam with "Invalid FTIE MIC"


Release 8.2: Clients unable to authenticate for extra 3 seconds post 1-second cleanup timeout


apAuth flag reset while changing SSID from local switching to central switching having Fast SSID enabled


WLC msglog showing a lot of traceback


DP stopped working on Cisco 5508 WLC running Release


2800/3800 AP: Limit 'best' DCA to 80 MHz also for RF profiles


APs randomly not showing any neighbors on both radios


DCA lists in RF profiles are broken after a backup or restore of Cisco WLC's configuration


When adding or removing country codes, 2.4-GHz channels change


SXP connection on WLC stays off


Smart License on Cisco 5520/8540 WLC: Unable to reset HTTP-Proxy on call home configuration from GUI


Webauth with proxy does not work after Release 8.2


Same channel has been assigned to both the 5-Ghz radios after CAPWAP restart


2800 or 3800 AP: Unable to send proper sequence number and burst rate upstream


1850 AP: Unable to send proper sequence number and burst rate upstream from AP to MSE


Wave 1 APs rebooted due to Kernel Panic-Not Syncing: Out of Memory


AP 3800 stopped working in Monitor mode with wIPS submode


2800/3800 AP WCPD memory leak observed


2800 AP or 3800 AP: Radio coredump generation may get stuck with ca_status leading to IPC call function failures


Wave 2 AP: CAPWAP disconnect stuck in discovery loop


2802 AP: Kernel panic, Dot11Classifier: Mgmt frame not supported 0


Kernel panic at ClientCapabilitiesTracker virtual address invalid band select


Wave 2 AP: FlexConnect Local Auth does not work on WLAN with CCKM security


An AP 3800's radio stopped working due to chatter: wl1: fwHangDetect(357): FTR!


AP stopped working due to kernel panic at WlLoadRateGrp


3800 AP: Surface Pro gives less throughput


1810W Hardware Watchdog reset unresponsiveness PC=0xc03b3ffc, LR=0xc008af24, QCA 02698633


2702 AP aux port goes to disabled after the AP is rebooted


DHCP Option 82 (remote-id) not present is some APs


Stale IP route left on FlexConnect AP config if booting up in standalone mode


AP bridge does not forward BPDUs/VTP frames


1532 AP uplink drops when sending heavy upstream traffic


2700 AP Series radio resets; reason code 71 RADIO_RC_NO_REPORT


AP drops retransmitted M3 from WLC


iPad Pro with iOS10 is getting deauthenticated at times due to M3 timer


Add Kuwait support for Universal AP


aIOS does not forward broadcast multicast frames with dynamic VLAN


AAA override VLAN lost on intercontroller roaming


Cisco WiSM2: Memory leak while handling Cisco AVP POLICY_ROLE_TYPE (cisco_avp_pair="role")


IPv4 CPU ACL - IP-Address with netmask other than does not work


Clients not getting excluded on max EAPid timeouts; reassociation rejected with reason 12


CoA for session timeout not working using free RADIUS server


Cisco WLC stopped working in SNMPTask due to missed software watchdog


SSH to Standby RMI or Service port fails


FlexConnect AP loses VLAN mapping if VLAN tagging is enabled


Cisco WLC sends incorrect VLAN for AAA overridden client reassociating to AP belonging to FlexConnect Group


Cisco WLC stopped working on sisfSwitcherTask


Active controller in HA pair shows different socket errors


Cisco 5520 WLC stopped working with taskname apfProbeThread


The NMSP info/probe notification queue is saturating


Cisco WLC sluggishness due to flooding probe, need probe throttling configurations


Unexpected reload: Task Name: mmListen on


Cisco WiSM2 reaperWatcher stuck on DP0 while retrieving crash and crashed


Cisco WLC set ZERO 802.11e QoS UP for part of the downstream voice packets and APs trust it


Cisco 5520 stops working on running RRM commands on task emWeb


RRM does not update as per configuration on Cisco WLC


Too many channel changes occur on dual radio if working as 5 GHz


Cisco WLC stopped working due to task dtlArpTask


Cisco WLC fails to send SNMP when using untagged interfaces on different ports


Cisco WLC: Constantly increasing memory consumption by SNMPTask


Cisco WLC stopped working due to emWeb when serving an EmWebForm exclusion-list


Cisco WLC stopped working due to emweb task

CSCvb72389 CWA: Redirect traffic from client goes through CAPWAP tunnel instead of VxLan
CSCvd39346 AP 2800 and/or AP 3800 WCPD slow memory leak
CSCvb94716 Cisco WLC stopped working at task:spamReceiveTask


702W AP wired client keeps disconnecting when it is connected to switch with dot1x configured