Cisco Support Community

WLC High Availability (AP SSO) Guidelines

WLC High Availability (AP SSO) Guidelines


This document is to provide education on issues we have seen with this feature for the various WLC code versions.


Overall Recommendations


  • If you are running any code version prior to you need to upgrade the controller to avoid any of these issues.
  • For HA deployments, it is recommended that even if you are running that you upgrade to the latest MR which is



Current 7.3 bugs

CSCuc34199 - Silent crash on WLC running

No workaround. The system does stay up, but switches back and forth between primary and secondary quite frequently.

CSCuc74677 - High Availability controller rebooting and losing its ap count license. You have to re-install the ap-count license on the active controller in order to recover from this bug.

CSCub95009 - Pmalloc memory corruption seen on the active HA WLC

Current 7.4 bugs

CSCue61613 : Privacy Bit not set in the Beacon after HA failover
This causes dot1x clients to fail association after about an hour after failover.
To be included in next MR. Workaround is to disable and re-enable the wlan after a failover.

CSCue02707 - HA redundancy does not fail-over to standby when powercycled
To be included in next MR.

CSCue02718 - HA redundancy does not fail-over to standby when removing ETH cable
This bug has other symptoms like: Reload request Category: Default Gateway is not reachable.
To be included in next MR.

CSCud78928- HA secondary controller goes in a rebooting loop
To be included in next MR.

CSCue33125 Unable to enable "bootp-broadcast" with HA SSO configured
To be included in next MR.

CSCue17421 - RRM AP Neighbor list is not synced to HA Standby after switchover

CSCue90110 - Clients not removed from AP after HA failover
Use different SSID for local mode APs if you have local & flex APs. 
Reboot APs after failover

CSCud98562 - HA redundancy configuration is not shown in run-config commands

CSCue38133 - Need to reset 90 day license timer on secondary controller

CSCue79462 - mobility to other WLCs (on 7.0/7.2) goes down after a failover to standby controller.
This is an incompatibility between 7.3/7.4 and 7.0/7.2. Please keep in mind that this issue happens if the WLCs are on the same VLAN.
A good workaround is to put the 7.3/7.4 HA pair on a different subnet to 7.0/7.2 controllers.

CSCuj17884 - Memory leak on HA AP SSO

This is resolved in the MR2 beta image that can be obtained via Tac or this support document 7.4MR2 Pre-release Image Download Available



Webauth Certificates

The webauth certificate has to be installed on BOTH controllers prior to setting up HA. If the controllers are already setup in HA and you install the certificate, it will only be installed on the primary wlc. It does not get copied to the secondary unit like the configuration. If the primary fails over to the secondary for some reason, webauth clients will get the certificate warning error until the primary becomes active again. This is noted in the configuration guide for 7.3 and 7.4, but worth mentioning here. If this is not done prior to enabling HA, then it will have to be disabled in order to install the certificate on the secondary controller.