Solved: Why, when AP joins EWC, the AP gets an EWC image

Shiden · ‎02-26-2024

Hi all,

This is my first time working with EWC, and I'm a bit confused about the joining process of the access point.

First, here are the hardware components I'm working with:

Access Point: C9120AXE-E

EWC: C9130AXE-EWC-E

Version: 17.9.4a

I don't understand why when the access points join the EWC, they get an EWC image. Is this image necessary for the access points to function with an EWC, or would CAPWAP be sufficient?

Here's what's happening after the access points join the EWC:

When I display the joined access points, I see:

These access points should only function as simple access points.

Is it recommended to change the image type to CAPWAP?

What is the difference between the EWC and CAPWAP image types?

I already say thanks to the people who will take time to answer this post.

Best regards

carstenp · ‎04-15-2024

Hello Shiden,

I can absolutely confirm your findings. Sorry that I saw this and confirmed it so lately...

For me it is the reason to never sell again cisco in small business and tell customers that there are cheaper, less time consuming and smarter products availible at market.

The point is in my case, that there were 2 out of 12 C9120 ordered as EWC, the other 10 APs C9120 as capwap. The sso construct of the two EWC were relatively easy to set up (Nothing really works like described in Documentation). As soon as i connected one of the capwap to the sso-network (static IP addresses) they first took the corresponending capwap image from EWC and after the automatic restart the AP was loading another image (no other tftp nor Internet connection), which leads into an EWC-Image and being part of the sso. So - there were 3 Controller in sso state. This applied to all capwap APs. Why is this? Is it clever having more than 3 Controllers in a sso state? By the Way: In the Web-Gui not even the name of the EWC is showed as the Active Controller, it is the name of the AP. Makes sense, since the sso should use same name, ip and mac. But how ti identify the active one? Yes simply take the Name of the AP - wich has nothing to do with the sso contruct. More strange: Factory default there was a Version 17.9.5.027. At u-boot there was a message "Image use only for development". After an upgrade to the official 17.9.5, it showed a Version 17.9.5.047. Of course i couldnt find any Information about this. And additional: this version is always installed bundle mode - no way to change this. After the whole process, which took about nearly 30min, i had to change the "accidently" EWC back to capwap at GUI. It never took me so long to setup 12 APs - not even 20 years ago, where i had to configure all by hand at every Access-Point.

This shows were Cisco is heading since years: sell expansive Products and get the QA by users.

Regards Carsten

View solution in original post

marce1000 · ‎02-26-2024

- You can convert an EWC-AP to function only as CAPWAP by
executing a single command in the access point CLI as in : AP# ap-type capwap
Note: The access point will reboot and the AP type will change to NOT EWC CAPABLE. Also,
after the AP is converted to CAPWAP, it will no longer participate in the master election process ; so having multiple EWC CAPABLE AP's provides redundancy ,

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Shiden · ‎02-26-2024

Hello @marce1000 ,

Thank you for your prompt response. Yes, I'm aware of this command. However, after executing this command, it still indicates that the access point remains EWC capable. I suspect this is due to the still presence EWC image on the access point, even the access point is using the CAPWAP image.

Best regards

Rich R · ‎02-26-2024

The AP files you load on your TFTP server for the APs to download are the EWC files so that is what the AP's will download by default. You can manually load the CAPWAP/lightweight software onto the AP. ***

Is it recommended to change the image type to CAPWAP? I'd say yes.

What is the difference between the EWC and CAPWAP image types? Any EWC-capable AP can take over the role of EWC controller while CAPWAP purely connect to a controller and will never become controller. You only need up to 2 EWC capable APs - one as active/primary controller and one as backup.

*** getting rid of the EWC software can be tricky and although it's not supposed to, it can sometimes reactivate unexpectedly (when the AP can't find a WLC). I generally recommend using https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9120axi-access-point/217537-repairing-c9120-c9115-access-points-from.html to completely re-flash the AP which also removes the IOS-XE software from all partitions. That installs 8.10.130.0 CAPWAP software. Then upgrade to 8.10.190.0 CAPWAP software - 15.3(3)JK10 - and then upgrade to your desired 17.9.4a CAPWAP software version - 15.3(3)JPN3.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html#Cisco_Concept.dita_59a2987f-2633-4630-8c7b-a8e8aecdeaf7

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Shiden · ‎02-26-2024

Hi @Rich R ,

Thank you a lot for your prompt and precise response. I am not using an TFTP Server. The access points are directly loading the EWC image from the EWC itself. Is it not possible to configure that the EWC only transmit the CAPWAP image to the access points?

Is it recommended to change the image type to CAPWAP? I'd say yes.

So what's the best practice in this case? Manually load the CAPWAP image to each access point, or change all access points to the CAPWAP image type after they downloaded the EWC image? I have approximately 50 access points that will join the EWC. So it would be really inefficient to load the CAPWAP image on every single access point. What would you suggest in my case?

Except for taking up more space on the access point, are there any disadvantages to also having the EWC image on the access point when it's functioning with the CAPWAP image?

However, I still don't get why, per default, the EWC transmits an EWC image to the access points that are joining the WLC. Does the EWC only have the EWC image, which contains the CAPWAP image?

Best regards

Rich R · ‎02-26-2024

> The access points are directly loading the EWC image from the EWC itself. Is it not possible to configure that the EWC only transmit the CAPWAP image to the access points?
That's only possible for APs which run the same image as the EWC. All others need to fetch their image from the configured TFTP server.

> What would you suggest in my case?
Well you can change them to CAPWAP mode while still EWC capable and accept the risk that EWC could activate unexpectedly. This might be ok for you if you don't want the hassle of updating the software.

> Except for taking up more space on the access point, are there any disadvantages to also having the EWC image on the access point when it's functioning with the CAPWAP image?
Depends on your setup. More of a problem if you use an actual WLC where you especially do not want an AP to start being a controller.

> However, I still don't get why, per default, the EWC transmits an EWC image to the access points that are joining the WLC. Does the EWC only have the EWC image, which contains the CAPWAP image?
That's the way Cisco designed it <smile>

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Shiden · ‎02-26-2024

Hi @Rich R ,

Thank you again for you answer.

All others need to fetch their image from the configured TFTP server.

But I haven't configured a TFTP Server. So how do the access points get their image in this case? The only thing I did was update the WLC after day 0 provisioning.

What would you suggest in my case?.
Well you can change them to CAPWAP mode while still EWC capable and accept the risk that EWC could activate unexpectedly. This might be ok for you if you don't want the hassle of updating the software.

But do I have any other choices to do it like this?

So as I understood, it's basically more of a problem of bad design, right? In this case, it would have been better to buy an EWC from the same series as the access points. Am I correct?

Best regards

Rich R · ‎02-26-2024

Well your choice is run them as pure CAPWAP software or EWC capable in CAPWAP mode.
https://www.cisco.com/c/en/us/support/docs/wireless/embedded-wireless-controller-on-catalyst-access-points/215303-embedded-wireless-controller-conversion.html#toc-hId-1622399608
You can also use DHCP option 43 to set CAPWAP mode for you automatically. Obviously that requires using DHCP not static IPs which is the recommended approach anyway:
https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/white-paper-c11-743398.html#Conversion
But be aware of https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc75102 although that should not affect 17.9.4a

Yes ideally you would order only 2 EWC and the rest as lightweight.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Shiden · ‎02-26-2024

Hi @Rich R ,

The DHCP option 43 is a good point, thanks! It just tried it and it work well. I will probably use this solution.

Well your choice is run them as pure CAPWAP software or EWC capable in CAPWAP mode.

But as we discussed before it would not be possible to run them as pure CAPWAP access points because at the end they have to join the EWC and get again the EWC image or am I wrong?

Rich R · ‎02-27-2024

They don't become EWC unless you buy them with the factory installed EWC SKU or you manually convert them. If you manually install the CAPWAP only image I believe they should stay that way. They should be able to update the AP image without installing the IOS-XE image, but I haven't actually tried that myself.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Shiden · ‎02-27-2024

Hi @Rich R ,

Thanks you for your answers. But here we are at my initial question again. Before they join the EWC, the access points (C9120AXE) have the pure CAPWAP image installed , I verified it. It's only when they join the EWC (C9130AXE-EWC) they automatically get the EWC image and swap from CAPWAP to EWC.

So what I should do is updating each access point one by one with the same version than the EWC? That would be a lot of effort.

Rich R · ‎02-27-2024

That is surprising! Are you 100% sure they have never had EWC installed before?

But if that is the way they are behaving (automatically converting to EWC) then yes your only option will be manual software update.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Shiden · ‎02-27-2024

Hi @Rich R ,

Yes, I am. This is why I was surprised and why I wrote this post. I don't understand why the EWC behaves like that. For me, it makes no sense to transmit by default an EWC image to access points that initially only have an CAPWAP image and should only function as lightweight access points.

Rich R · ‎02-27-2024

I'm still a bit sceptical - what part number were these APs ordered with:

Cisco Catalyst 9120AXE Access Point: Indoor, challenging environments, with external antennas

● C9120AXE-x: Cisco Catalyst 9120AX Series
or

Cisco Catalyst 9120AXE Access Point: Indoor, challenging environments, with external antennas, with embedded wireless controller

● C9120AXE-EWC-x: Cisco Catalyst 9120AX Series

If they were ordered with the EWC part number (SKU) then the EWC software was factory installed.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Shiden · ‎02-27-2024

Hi @Rich R ,

As described in my first post, the C9130AXE-EWC-E has been bought as wireless controllers with the factory installed EWC software and the C9120AXE-E as access point with only the CAPWAP image installed (not C9120AXE-EWC).

Best regards