Skip to main content
Cisco Meraki Documentation

916X Management Mode Checklist and Troubleshooting

Pre-flight checklist

How to use this document

The Cisco series 916x access points come pre-loaded with both DNA and Meraki images. This allows for flexibility in choosing which management mode will best suit you, the user. This document contains a pre-flight checklist for migrating APs from Meraki managed mode to DNA mode. If you are interested in migrating from DNA mode to Meraki management mode, please review this document.

Meraki Dashboard to DNA management mode checklist 

The following items need to be verified before migrating your AP into DNA management mode:

Confirm that there are no dashboard alerts related to regulatory or config fetch

The migration can't be performed if the APs have alerts related to regulatory or config fetch.

Screenshot at Aug 02 16-16-21.png

If you find alerts related to regulatory please follow this doc to fix them.

Is Meshing disabled on the Network?

In order to ensure that APs without wired uplinks don't lose their connections during a migration, mesh networking must be disabled on an AP's network before it is allowed to migrate. If you try using the Dashboard UI to migrate an AP on a network where meshing is enabled, you'll get an error message saying "Node cannot be migrated unless meshing is disabled for the node's network." It will be necessary to either disable meshing via the Network-wide > General page or move the AP to a network where it's safe to disable meshing before migrating the node.

If there are non CW916X APs in the network that require meshing, move the APs to be migrated over to a new network where Meshing can be disabled.

Do you have an IOS-XE controller?

The controller can be a physical 9800-CL or virtual vWLC in the cloud. DNA management mode APs cannot run in autonomous mode and require a controller to operate. 

Is the controller running 17.9 or higher?

CW916X APs only support this code or higher. The current version can be seen from the Dashboard landing page of the WLC:


Additionally, you can use the following command to verify the code version:

#sh running-config
Building configuration...
Current configuration : 20397 bytes
! Last configuration change at 16:33:58 UTC Wed Jul 27 2022 by ****
! NVRAM config last updated at 02:44:18 UTC Wed Jun 22 2022 by ****
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console virtual

Here is a guide to upgrading 9800 controller firmware.

Has the controller been configured? 

APs will only be able to join a controller once its minimum configurations have been applied. The following documentation can assist you in making these configurations:

Are all Meraki regulatory domains included in the 9800 country code list? 

It is important that each AP being migrated has its regulatory domain configuration pre-configured. The regulatory domain can be checked in Dashboard by viewing the Organization > inventory page:


This information can be viewed in the WLC by navigating to Configuration > Wireless > Access Points > Country.


Additionally, the following command can be used to check the currently configured countries: 

9800-30#sh wireless country configured  

Configured Country................ Multiple Countries : DE,US  
Configured Country Codes 
     DE  - Germany               802.11a Indoor,Outdoor/ 802.11b Indoor,Outdoor/ 802.11g Indoor,Outdoor/ 802.11 6GHz Indoor  
     US  - United States         802.11a Indoor,Outdoor/ 802.11b Indoor,Outdoor/ 802.11g Indoor,Outdoor/ 802.11 6GHz Indoor  

Here is a guide for configuring country codes inside of a 9800 WLC. 

Is the wireless management interface set? 

This is part of the basic configuration but can be missed. It can be checked via the command "sh wireless interface summary" 

9800-40#sh wireless interface summary  

Wireless Interface Summary 

Interface Name Interface Type VLAN ID IP Address IP Netmask NAT-IP Address   MAC Address 
Vlan25     Management 25      706d.1535.6b0b

Here is a guide for configuring a wireless management interface on a 9800.

Has a trust point been set? 

It is important to verify on virtual WLCs. This establishes a certificate authority on the 9800. View this with the command "sh wireless management trustpoint" 

9800-cl#sh wireless management trustpoint  
Trustpoint Name  : 9800-cl_WLC_TP 
Certificate Info : Available 
Certificate Type : SSC 
Certificate Hash : ee0252c9da4a12c7fded2b2e72febd4f3cbdccc6 
Private key Info : Available 
FIPS suitability : Not Applicable

 Instructions on creating a self-signed trustpoint for 9800-CL (Virtual WLCs)

All other hardware-based controller models (such as 9800-40 and 9800-L) are pre-configured for trustpoint to be the manufacturer's cert and may not need to be configured explicitly. Example below: 

9800-L#sh wireless management trustpoint 
Katar4#sh wireless management trustpoint  
Trustpoint Name  : CISCO_IDEVID_SUDI 
Certificate Info : Available 
Certificate Type : MIC 
Private key Info : Available 
FIPS suitability : Not Applicable

Do you have a DHCP server for the APs?

The APs need to obtain an IP address and can leverage DHCP for CAPWAP discovery

Do you have a CAPWAP discovery mechanism?

  • Local broadcast discovery: APs and controller wireless management interface are on same vlan/subnet.
  • DNS resolution: cisco-capwap-controller name DNS entry for the local domain is pointing to the controller wireless management IP address 
  • DHCP Option 43 or DHCPv6 52: DHCP pool has option 43 configured in hex for IPv4 discovery, or if using IPv6, option 52 

The value always starts with f1:04: when you configure only one wireless mgmt IP address. Example of option43 configured on a MX DHCP server when the wireless MGMT IP address is (ac:10:01:19).

Screenshot at Jul 29 13-27-43.png

  •  PnP Public redirection service: Controller redirection using PnP functionality. The SN of the AP is set to be redirected to a controller profile. This uses DNS resolution

Each discovery mechanism is detailed here.

A DNA management mode AP can be accessed via console (see "Accessing a DNA AP after management mode change" section) to have its WLC set manually. The following command will achieve this: "capwap ap primary-base <controller hostname> <controller mgmt IP>"

Does the controller have a valid time source?

A valid time source / NTP server needs to be configured in order for the WLC to service clients. Use the command "sh ntp associations" to review the configuration.

9800-cl#sh ntp associations  
  address         ref clock       st   when   poll reach  delay  offset   disp 
*~    2    673   1024   377 21.951  -4.346 20.019 
 ~  .TIME.          16      -     64     0  0.000   0.000 16000. 
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured 

Can the APs send traffic to the controller via UDP ports 5246/5247? 

APs will use the CAPWAP protocol to join the controller. UDP port 5246 is used for control traffic and 5247 is for data. The APs need to communicate bi-directionally on both these UDP ports in order to operate. 

Have you transferred important configuration secrets?

Configurations between management modes will not be migrated. Things like SSID, PSK, Radius Secrets, and Splash Pages will not be migrated. 

 Everything is ready

Once you confirm everything is set up in place and you are ready for the migration.

Extra considerations when changing management mode

What happens if no Cisco controller is available for migrated APs? 

Once the migration is initiated,  Meraki management mode APs will lose Dashboard connectivity. They will then remain in a "looking for controller" state. A WLC is required in order to change DNA management mode to Meraki management mode. 

DNA management mode APs will broadcast Syslog messages locally should they run into errors in joining a WLC. A Syslog server can be used to view these messages and troubleshoot the error codes they contain. This option is ideal for deployments where physical access to each AP is not possible. 

Accessing a DNA AP after management mode change

Once the AP leaves Dashboard and boots into DNA management mode, It will be accessible by console connection. The default credentials are username: "Cisco" password: "Cisco", enable password: "Cisco" (no quotes).

Confirm the AP boot mode

If you are on-site and have visibility to the AP, reboot the AP and watch the LEDs. 

In Meraki mode the LED blinks in this sequence:

  1. Orange for ~40secs
  2. Off for ~8 secs
  3. Rainbow sequence 
  4. Solid green or blue when associated to a dashboard

For more details, you can check this doc.

In Cisco mode, the LED blinks in this sequence:

  1. Orange for ~3secs
  2. Green/off for ~25 secs
  3. Off for ~2 mins
  4. Green/off/orange/off ~2mins
  5. Solid green or blue when associated to a WLC

Alternative, run a packet capture on the port where the AP is connected and review the Platform field of the CDP packets.

Example of a CDP packet sent by a CW9164I AP in Meraki mode:


  • Was this article helpful?