I recently deployed the Cisco Catalyst 9800-CL Cloud Wireless Controller in my home lab. My ESXi server is running release 6.7 so the OVA deployment threw the following error. The suggested workaround in the deployment guide suggests using the OVF Tool to deploy the OVA on ESXi 6.5 and later and I was struggling to get that process to work.
No big deal, I manually built the virtual machine according to the specifications in the deployment guide and boot from the ISO image. I followed the setup script in the deployment guide and was quickly able to login to the controller.
Don’t forget to make sure the port group attached to the 9800-CL vNICs is set to Accept for Promiscuous Mode, MAC address changes, and Forged transmits. This seems to be a common missed step. This may look different if you’re using the vSphere client but the concept is the same.
Now it’s time to get an AP joined. I have a spare 3702 in the home lab I figured I would move over from a 2504 but for some reason it would not join. A quick look at the AP Join Statistics showed the 9800-CL was receiving the Join Request and sending a Join Response.
Still, the AP would not join, and of course the error message was very helpful.
I confirmed my wireless management interface trustpoint was configured and at this point I was stumped.
A quick Google search to the rescue landed me on a blog post written by Stefan Leemann who is a CSE at Cisco which suggested disabling SSC Hash Validation on the AireOS WLC I was migrating the AP from. This can be found at Security > Certificate > SSC as shown below.
After applying the change and a few minutes the AP showed up on the 9800-CL and began downloading code.
Now it’s time to familiarize myself with the new configuration model. I hope you found this helpful and thanks for reading.