Here are the common reasons Access Points may not join the IoT Orchestrator after onboarding the Cisco Catalyst 9800 Wireless Controller:

1. Reachability: The access point's subnet cannot reach the IoT Orchestrator's subnet. Use the following steps to troubleshoot:

   • Verify ping connectivity between the Access Point and IoT Orchestrator.

   • Ensure no filtering rules exist in routing devices between Access Points and IoT Orchestrator. Open TCP ports 50221 and 43626 for discovery and communication in firewalls between Access Points and IoT Orchestrator.

2. AP Profiles: The IoT Orchestrator automatically enables GRPC only in the default-ap-profile. Access Points using a profile other than the default-ap-profile must manually configure GRPC on those profiles. Add the configuration line cisco-dna grpc to each ap-profile.

3. Spaces Connector interaction with Wireless IoT Orchestrator: Cisco Spaces Connector cannot be configured at the same time as IoT Orchestrator. You must disable IoT Services on the Cisco Spaces Connector before deploying IoT Orchestrator. Follow these steps if this was not done:

   1. Disable IoT Services within Cisco Spaces Connector.

   2. In IoT Orchestrator, go to the Administrator section, then select 9800 Wireless Controller configuration. Redeploy the username and password to ensure the correct JWT token is pushed to the Cisco Catalyst 9800 Wireless Controller, prompting APs to re-join the IoT Orchestrator.

Here are the common reasons why the wireless IoT Orchestrator UI cannot be accessed from a laptop or computer:

1. Initial Wait Time: After installing IoT Orchestrator, wait until it reaches the Running state in the Configuration > Services > IoT Services page on the Cisco Catalyst 9800 Wireless Controller UI. The system will take 1-2 minutes to detect the deployment type (standalone or SSO). If needed, it will sync databases with the standby controller. During this period, the access to the IoT Orchestrator UI will be unavailable.

2. Reachability: Use the ping command to verify that the IoT Orchestrator can be reached from your laptop or computer. If necessary, adjust the routing configuration in your network to ensure your PC or laptop can reach the IoT Orchestrator. If routing changes are not possible, consider configuring NAT. For information, see the NAT Configuration.

Follow these steps to troubleshoot connectivity issues related to NAT configuration on the Cisco Catalyst 9800 Wireless Controller.

1. Ensure that the ports on your outside interface are not currently in use by another application on the Cisco Catalyst 9800 Wireless Controller.

   1. Remove the NAT configuration from the outside interface on the Cisco Catalyst 9800 Wireless Controller.

   2. Run the following commands to verify that each TCP port used for NAT is not in conflict:

      
      Device# show tcp brief | include <tcp port>
      Device# show platform software tcpudpport | include <tcp port>

      Note	Ensure these commands return no conflicts for the ports configured for NAT.

2. Examine the NAT entries in the NAT table to ensure the inside IP address matches the IP address of the IoT Orchestrator. Also, confirm that the TCP ports listed are correct.

   
   Device# show platform software nat chassis active F0 translation 
   Pro  Inside global         Inside local          Outside local         Outside global 
   tcp  172.18.29.7:9433      192.168.1.1:443       ---                   --- 
   tcp  192.168.2:50221       192.168.1.1:50221     ---                   --- 
   tcp  192.168.2:43626       192.168.1.1:43626     ---                   --- 
   Total number of translations: 3
   

3. Verify that the IP addresses used for NAT are among those configured in the Cisco Catalyst 9800 Wireless Controller. These must be identical, as different IP addresses within the same subnet are not supported. For more information, refer to CSCwn12646.

If the admin user's password is lost, follow the Password Recovery process outlined below:

1. Log in to the Cisco Catalyst 9800 Wireless Controller using the ssh connection.

2. Log in to the IoT Orchestrator shell:

   
   Device# app-hosting connect appid IoT_Orchestrator session bash
   root@96e268c7acb8:/#
   

3. Touch the following file in shell:

   root@96e268c7acb8:/#touch /iox_data/recovery/passwordRecovery

4. Open a new browser window and open a connection to the IoT Orchestrator GUI.

   The Day 0 banner is displayed. Read the terms and conditions and click I Accept.

   The IoT Orchestrator login page is displayed.

5. Enter admin for username and password for password (default credentials).

6. Log in with the new username.

   Note	This process deletes all users created in IoT Orchestrator (Spaces Orchestrator Software) database and returns the login to the Day 0 credentials.

Here are the common issues encountered during the installation of IoT Orchestrator:

1. Application Configuration Failed: During Day 0 installation, there is some configuration that is done on the Cisco Catalyst 9800 Wireless Controller. This means the IP addresses chosen for IoT Orchestrator were incorrect, as they were already used by the Cisco Catalyst 9800 Wireless Controller. Ensure that you use a unique IP subnet for the IoT Orchestrator.

2. Installation of IoT Orchestrator failed: After the failure, syslog messages are displayed on the Cisco Catalyst 9800 Wireless Controller console, such as:

   %IOXCAF-6-INSTALL_MSG: Chassis 2 R0/0: wncloudm: app-hosting: Failed to install IoT_Orchestrator: app-hosting infrastructure is busy! Try again later

   If IoT Orchestrator fails to install for any reason, it will automatically revert any changes made to the configuration (for instance, VirtualPortGroup configuration) and return to the Day 0 page. The fields for entering the IP address, subnet mask, default gateway, and NAT IP address are prepopulated with previous values. Some of the most common causes include:

   1. The IP address selected for IoT Orchestrator and default gateway are not in the same subnet (according to the subnet mask provided).

   2. If the tar file is extracted, modified, and repacked, the IoT Orchestrator image signed by Cisco root CA is verified during installation by the Cisco Catalyst 9800 Wireless Controller. If you modify the tar file, the installation fails.

   3. Another IOx application is installed on the Cisco Catalyst 9800 Wireless Controller. IoT Orchestrator must run as the only IOx application on the C9800 Wireless Controller. If another application, such as GuestShell, is running, the installation will fail, reporting that not enough resources are available. For more information, see the CSCwo66172.

Using app-hosting control commands with IoT Orchestrator is not supported, and this could cause the IoT Services webpage to become unresponsive. If the IoT Orchestrator application has been altered using an app-hosting command, apply the appropriate app-hosting CLI to revert the changes.

If the IoT Services UI page remains unresponsive, you can perform the following actions:

• Restart HTTP server on Cisco Catalyst 9800 Wireless Controller, by executing the following commands from its console:

  
  Device(config)#no ip http server
  Device(config)#ip http server
  

• Reload the Cisco Catalyst 9800 Wireless Controller during a maintenance window.

• Open a case with Cisco TAC.