Symptom
APs will not be able to re-join the 9800 controller (if the AP disjoin for some reason) after a switchover if AES encryption is enabled and if one of the SSID broadcasted by the APs is configured with a PSK containing special characters. The AP configuration cannot be pushed from the controller (because it cannot decrypt the PSK) and this prevents the AP to stay joined the controller.
Conditions
This issue happens only if a switchover occurs the first time after enabling AES encryption on the 9800 controller and if the PSK contains "special" characters (within the range 32-126 (decimal) of the ASCII characters. The issue will appear if the APs disjoin after the first switchover, the APs won't be able to stay joined to the controller until applying the workaround.
Workaround
Re-apply a new PSK to the WLAN configuration (it can be the same one) as "unencrypted". The PSK will automatically get encrypted since AES encryption is already enabled on the 9800.
Further Problem Description
Logs seen on the controller :
(ERR): Failed to decrypt wpa psk data
(ERR): aaaa.bbbb.cccc Failed to bssid fill vap oper record. Error to set WPA PSK data in BSSID
(ERR): aaaa.bbbb.cccc Failed to process config for AP.
Logs seen on the AP :
AP has joined controller 9800-17-3-RMI-RP-HA
Re-Tx Count=1, Max Re-Tx Value=8, SendSeqNum=17, NumofPendingMsgs=13
Re-Tx Count=2, Max Re-Tx Value=8, SendSeqNum=18, NumofPendingMsgs=14
Re-Tx Count=3, Max Re-Tx Value=8, SendSeqNum=19, NumofPendingMsgs=15
...
