Omada Hardware Controller fails to update any device firmware on remote sites

My OC200 used to only manage a local site; now it manages 3 sites with a total of 3 gateways and 25 APs. The controller is located in one of the sites (behind one of the gateways) alongside 18 of the APs.
The second site resulted from migrating it from a software controller that ran on that network managing one gateway and 5 APs.
The third site is a new site with only one gateway and 2 APs.
ISP router is in bridge mode in all 3 sites.
Recently there have been a great number of new firmware releases. I've never had a problem updating firmware before on any of the sites when they were standalone, but now I can't get the firmware upload to work on any of the devices on any of the remote sites, while it works flawlessly on all devices in the local site. Physically moving a device from a remote to the local site (plus forgetting and adopting) lets the device update succeed.
Googling the problem I found one has to forward certain ports. While this needed step should obviously be done by the Omada controller automatically (and only during the updating process), I went ahead and forwarded the ports. Which ports one needs to forward depends on what TP-Link page you land on, so I've forwarded the ports described on any and all related TP-Link pages, forums, reddits and those provided by TP-Link support in response to the ticket I opened. Still it doesn't work. I've forwarded ports:
8443
443
29810-29820 (currently only up to 29816 is needed, but since they've been adding more ports, I went ahead and left a few extra ports)
All TCP + UDP.
The devices use the controller's DNS name; however, the controller is on a fixed public IP. I can see all devices in all sites in OC200. I can otherwise manage all the devices, so why can't I just update them?
Also, NONE of the FW update methods work: single device update, rolling update, manually uploading the new firmware file. Manually updating gets stuck at 99%, then fails. This is the case both when using the web interface locally or through https://omada.tplinkcloud.com/, or the Android app.
References:
https://community.tp-link.com/en/business/forum/topic/559150
https://community.tp-link.com/en/business/forum/topic/656120
https://www.tp-link.com/en/support/faq/3281/
I'm at a loss. So is TP-Link support. After some back and forth emails they've requested access to my controller, but I'm not about to let that happen just yet for security reasons.
Does anyone have any further suggestions I might try?
Edit: Putting the controller in the DMZ also didn't work, so it doesn't seem to be a port forwarding issue.

I notice that OC200's firmware is not the latest one; can you please update the firmware to the latest one first?
Hank21 wrote
I notice that OC200's firmware is not the latest one; can you please update the firmware to the latest one first?
Hello @Hank21
The current firmware on the controller is 1.31.3 Build 20240620 Rel.80383, which is the latest, so either it auto-upgraded since my first post, or an update came along and I upgraded it. Using the "Check for Upgrade" button says it is running the latest version.
Thanks anyway.

Thank you so much for taking the time to post the issue on TP-Link community!
To better assist you, I've created a support ticket via your registered email address and escalated it to our support engineer to look into the issue. The ticket ID is TKID240907796; please check your email box and ensure the support email is well received. Thanks!
Once the issue is addressed or resolved, welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.
Many thanks for your great cooperation and patience!
@Tintronic did you find a solution to this? Even with my controller in a DMZ I cannot upgrade firmware on 4 devices at a remote site. Everything else works fine; I've a VPN set up between the two sites and can access both LANs no problem.
Ryan213 wrote
@Tintronic did you find a solution to this? Even with my controller in a DMZ I cannot upgrade firmware on 4 devices at a remote site. Everything else works fine; I've a VPN set up between the two sites and can access both LANs no problem.
Hello @Ryan213
No, it is still not working.
TP-Link Support has contacted me and asked me for logs, which I sent. They are looking into it.
What is your controller model?
I have an OC300 which currently controls only one site. I'm tempted to move my OC200 controlled remote site to the OC300 to see if that works.
Regards,
Michael K.
@Tintronic I have an OC200 behind an ER707 locally and an ER605 at the remote site.
Frustrating, as I also have a small UniFi deployment on the same sites and they can upgrade no problem.
Does anybody know if there is an easy way to change the set-inform address on the Omada equipment so I could try and upgrade through the VPN instead of the public IP? Or even do it through SSH?
I FIXED IT!
I was no longer able to upgrade firmware on non-Omada-router sites as well (or maybe I never could), so I started a port-to-port comparison of all the related TP-Link web pages I had ever visited, which I hadn't closed for these 7 months.
I fixed the issue just a few days ago. I'm running the latest firmware "1.34.2 Build 20250110 Rel.75707".
All I ended up changing was:
In Global -> System Settings, I changed the "HTTPS Port for Controller Management" from 443 to 8043 (and HTTP from 80 to 8088, although it's redirected).
On the controller site, I changed Settings -> Transmission -> NAT accordingly.
THAT'S IT!

I have been able to bring all my devices' firmware on all 4 remote sites up to date (I'm currently connected on a recently created 4th remote site in another country).
I don't remember ever having changed this setting. Then again, I bought this controller back in February 2020 and originally managed only the one local site, so who knows. Maybe they used to have port 443 by default and changed it later? Either that or I changed it to 443 so as not to have to suffix :8043 and remember that port to access my controller locally (as in 192.168.0.20 versus 192.168.0.20:8043), and forgot all about it.
Either way it shouldn't have been a problem. If the port can be edited, the NAT rules are consistent (I even tried DMZ without success) and devices on remote sites can be adopted, why does only FW update from remote sites not work?
Do you work for TP-Link? Your member information doesn't say it, but the TP-Link icon next to your avatar makes me think you do.
I suggest you update https://www.tp-link.com/en/support/faq/3281/ to reflect that a port different from 8043 will make it impossible to upgrade devices' FW on remote sites, while this issue is looked into and fixed.
Regards,
Michael K.
I just took a look at my OC300 which only manages its local site, no remote sites.
Its "HTTPS Port for Controller Management" is at port 443, same as yours.

So if port 443 works for @nicolati on OC300 but was the problem on my OC200, that would point to a bug in the OC200 firmware, as it is behaving differently from the OC300.
I might try to create a remote site on OC300 when I return from vacation and try this out.
One final notice as I'm closing all browser tabs related to this topic.
Snapshot from https://community.tp-link.com/en/business/forum/topic/559150 (Edit: Hank21, I just realized this thread was posted by you)

So default port IS 443, but in order for OC200 to be able to upgrade devices on remote sites the port needs to be changed to 8043.
Go figure.
Be aware that changing that port, while it warns that a controller reboot is needed for it to take effect, actually REBOOTS AUTOMATICALLY right after clicking on "Save".
EDIT 2:
https://www.tp-link.com/us/support/faq/3281/ ALSO says 443 is for the Omada HARDWARE controller, while 8043 is for the SOFTWARE controller.

It is not the configured ports that made it work... you can use whatever port you like there from the ones mentioned (443, 1024-65535), but you have to make the IP of that OC (SW/200/300) accessible on this configured port from any device from any site... it is mostly a firewall (or IP-bind) issue, and because you configured this once for this IP with another port (maybe Software Controller before...?) it now works when you configure this port again.
But any port configured in "HTTPS Port for Controller Management" is told to any adopted device to use when these devices do a firmware upgrade from this controller.
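The thread's diagnosis comes down to one question: from a remote site, can a device actually reach the controller on the ports it has been told to use (the "HTTPS Port for Controller Management" value, 443 or 8043 in the posts above, plus 8443 and the 29810-29820 range the original poster forwarded)? The script below is an added example, not code from the thread, from TP-Link or from the Omada product, that makes that check repeatable: it expands a port spec like the one the first post lists, attempts a TCP handshake to each port with a timeout, and reports which ones are unreachable. The controller hostname `controller.example.net` and the port spec defaults are placeholders; run it from a host on the remote site against your own controller's public address, and compare the result with the NAT rules and the management-port setting on the controller. It only checks TCP; UDP ports in the 29810-29820 range cannot be verified this way without a responder, so a "reachable" result there is not claimed.

```python
"""Added example: TCP reachability check for Omada controller ports.

Not from the thread or from TP-Link. Run from a device on the remote site:
    python check_controller_ports.py controller.example.net "8043,8443,29810-29820"
The hostname and default port spec below are placeholders (assumptions).
"""
import socket
import sys
from typing import Dict, Iterable, List

# Ports named in the thread: the management HTTPS port (443 default, 8043
# in the poster's fix), 8443, and the device-management range 29810-29820.
DEFAULT_PORT_SPEC = "8043,8443,443,29810-29820"


def parse_port_spec(spec: str) -> List[int]:
    """Expand a spec like "8443, 443, 29810-29820" into sorted unique ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:  # tolerate a reversed range such as "29820-29810"
                lo, hi = hi, lo
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port(s) out of range: {bad}")
    return sorted(ports)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout.

    A refused or filtered (timed-out) connection both count as unreachable,
    which is exactly what a device behind the remote gateway would see.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, bool]:
    """Check every port in the list and map port -> reachable."""
    return {p: tcp_reachable(host, p, timeout) for p in ports}


def summarize(results: Dict[int, bool]) -> List[str]:
    """Render results as one line per port, unreachable ones shouting."""
    return [f"{p}/tcp {'reachable' if ok else 'UNREACHABLE'}"
            for p, ok in sorted(results.items())]


def demo_local_check() -> Dict[str, bool]:
    """Offline demonstration on localhost: one listening port, one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Grab a free port number and release it so a connection there is refused.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = check_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return {"open_reachable": results[open_port],
            "closed_reachable": results[closed_port]}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "controller.example.net"  # placeholder
    spec = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_PORT_SPEC
    for line in summarize(check_ports(host, parse_port_spec(spec))):
        print(line)
```

If the management port reports UNREACHABLE from the remote site while adoption still works, that matches the last reply's point: adoption and heartbeat use the 29810-29820 ports, but the firmware download is fetched from whatever port is configured under "HTTPS Port for Controller Management", so that port must be forwarded (or permitted by the firewall) in its own right.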