Release Notes for Cisco 5760 Controller, Cisco IOS XE Release 3.2.xSE
First Published: January 29, 2013
Last Modified: September 3, 2014
This release note describes the features and caveats for the Cisco IOS XE 3.2.xSE software on the Cisco 5760 controller.
Contents
- Introduction
- What’s New in Cisco IOS XE Release 3.2.3SE
- What’s New in Cisco IOS XE Release 3.2.2SE
- Supported Hardware
- Web UI System Requirements
- Software Version
- Upgrading the Controller Software
- Features
- Interoperability with Other Client Devices
- Important Notes
- Limitations and Restrictions
- Caveats
- Documentation Updates
- Troubleshooting
- Related Documentation
- Obtaining Documentation and Submitting a Service Request
Introduction
The Cisco 5760 controller is designed for 802.11ac performance with maximum services, scalability, and high resiliency for mission-critical wireless networks. With an enhanced software programmable ASIC, the controller delivers wire-speed performance with services such as Advanced QoS, Flexible NetFlow Version 9, and downloadable ACLs enabled in the wireless network. The controller works with other controllers and access points to provide network managers with a robust wireless LAN solution. The Cisco 5760 controller provides:
- Network traffic visibility through Flexible NetFlow Version 9
- RF visibility and protection
- Support for features such as CleanAir, ClientLink 2.0, and VideoStream
The Cisco IOS XE software represents the continuing evolution of the preeminent Cisco IOS operating system. The Cisco IOS XE architecture and well-defined set of APIs extend the Cisco IOS software to improve portability across platforms and extensibility outside the Cisco IOS environment. The Cisco IOS XE software retains the same look and feel of the Cisco IOS software, while providing enhanced future-proofing and improved functionality.
For more information about the Cisco IOS XE software, see http://www.cisco.com/en/US/prod/collateral/iosswrel/ps9442/ps11192/ps11194/QA_C67-622903.html
What’s New in Cisco IOS XE Release 3.2.3SE
Cisco Prime Infrastructure (PI) 2.0
Cisco PI 2.0 manages both wired and wireless LAN devices such as Catalyst 3850 switches, Cisco 5760 controllers, Cisco 5500 series wireless controllers, and access points. PI 2.0 provides unified management for the features that are common to both switches and wireless controllers. After your devices are added to Prime Infrastructure, you can use the Initial Device Setup workflow to configure the wired and wireless features on switches and controllers.
For more details on PI 2.0, see the documents at this URL:
http://www.cisco.com/en/US/products/ps12239/tsd_products_support_series_home.html
Captive Portal Bypassing for Local Web Authentication
In Cisco IOS XE Release 3.2.2SE, Apple devices that need to resolve Wireless Internet Service Provider roaming (WISPr) and have support for captive portal bypass could not get local web authentication. This issue is resolved in Cisco IOS XE Release 3.2.3SE.
If you have configured virtual IP resulting in a successful web authentication, but when you log out, you receive a popup window prompting you to click a link to log out, you can disable this popup by following these steps:
For more information about captive portal bypassing, see http://www.cisco.com/en/US/docs/wireless/controller/7.5/config_guide/b_cg75_chapter_01010001.html
What’s New in Cisco IOS XE Release 3.2.2SE
New and Enhanced GUI Features
In earlier releases, the controller web user interface was accessed by entering http://ipaddress (where ipaddress is the controller IP address) in the browser. Now, you can also enter http://ipaddress/wireless in the browser to access the web user interface.
The controller web user interface is enhanced to support the following:
The Configuration Wizard—After initial configuration of the IP address and the local username/password or auth via the authentication server (privilege 15 needed), the wizard provides a method to complete the initial wireless configuration. Start the wizard through Configuration -> Wizard and follow the nine-step process to configure the following:
- Admin Users
- NMP System Summary
- Management Port
- Wireless Management
- RF Mobility and Country code
- Mobility configuration
- WLANs
- 802.11 Configuration
- Set Time
- Displays summary details of controller, clients, and access points.
- Displays all radio and AP join statistics.
- Displays air quality on access points.
- Displays list of all Cisco Discovery Protocol (CDP) neighbors on all interfaces and the CDP traffic information.
- Displays all rogue access points based on their classification—friendly, malicious, ad hoc, classified, and unclassified.
- Enables you to configure the controller for all initial operation using the web Configuration Wizard. The wizard allows you to configure user details, management interface, and so on.
- Enables you to configure the system, internal DHCP server, management, and mobility management parameters.
- Enables you to configure the controller, WLAN, and radios.
- Enables you to configure and set security policies on your controller.
- Enables you to access the controller operating system software management commands.
The Administration tab enables you to configure system logs.
Enhanced Bring Your Own Device (BYOD) Support
When supporting personal devices on a corporate network, you must protect network services and enterprise data by authenticating and authorizing users and their devices. A Cisco Identity Services Engine (ISE) Advanced License provides the tools that you need to allow employees to securely use personal devices on a corporate network.
- Device Profiling—When a client device tries to associate with a WLAN, the controller collects information related to DHCP, RADIUS, HTTP, and so on and sends that information in the form of RADIUS packets to the Cisco Identity Services Engine (ISE). As a result, the client type can be determined.
- Single SSID and Dual SSID support—In the single SSID scenario, one SSID is used for certificate enrollment, provisioning, and network access. In the dual SSID scenario, one SSID provides certificate enrollment and provisioning and a second SSID provides secure network access. This certificate is used by the client to authenticate with the ISE EAPTLS protocols after it is provisioned in the first SSID (open). For more details, see the Cisco Identity Services Engine User Guide at this URL:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_user_guide.html
Fast SSID Changing
Fast SSID changing allows wireless clients to move from one SSID to another without delay. For more information, see Configuring Fast SSID Changing.
Supported Hardware
Catalyst 3850 Switch Models
Network Modules
Table 2 lists the three optional uplink network modules with 1-Gigabit and 10-Gigabit slots. You should only operate the switch with either a network module or a blank module installed.
Four 1-Gigabit SFP module slots. Any combination of standard SFP modules is supported. SFP+ modules are not supported.
Optics Modules
The Catalyst 3850 switches support a wide range of optics. Because the list of supported optics is updated on a regular basis, consult the tables at this URL for the latest SFP compatibility information:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Cisco Wireless LAN Controller Models
Table 4 lists the supported products of the 5760 controller.
Cisco Aironet 1040, 1140, 1260, 16001, 2600, 3500, 3600
Compatibility Matrix
Table 6 lists the software compatibility matrix.
7.3.112.02
For more information on the compatibility of wireless software components across releases, see the Cisco Wireless Solutions Software Compatibility Matrix.
Software Version
Table 7 shows the mapping of Cisco IOS XE version number and the Cisco IOS version number.
Upgrading the Controller Software
For information about how to upgrade the controller software, see the Cisco IOS File System, Configuration Files, and Bundle Files Appendix at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/system_management/appendix/swiosfs.html#wp1311040
Features
The Cisco 5760 controller is the first Cisco IOS-based controller built with smart ASIC for next generation unified wireless architectures. The 5760 controller can be deployed both as a Mobility Controller (MC) in Converged Access solutions and as a Centralized Controller.
The device has these features:
- Scalability
- High-Performance
- High Resiliency
- Cisco IOS-Based Controller
- ClientLink 2.0
- CleanAir
- RF Management
- Comprehensive End-to-End Security
- High Performance Video
- End-to-End Voice
- Advanced QoS
- Advanced ACL
- Flexible NetFlow v9
- Mobility and Security
- IPv6
- Wireless Features
ClientLink 2.0
Cisco ClientLink 2.0 technology improves downlink performance to all mobile devices including one, two, and three-spatial-stream devices on 802.11n while improving battery life on mobile devices such as smartphones and tablets.
CleanAir
Cisco CleanAir technology provides proactive, high-speed spectrum intelligence to combat performance problems due to wireless interference.
RF Management
Provides both real-time and historical information about RF interference impacting network performance across controllers, via system-wide Cisco CleanAir technology integration.
Comprehensive End-to-End Security
Offers Control and Provisioning of Wireless Access Points (CAPWAP)-compliant DTLS encryption to ensure encryption between access points and controllers or between controllers.
IPv6
- Supports IPv6 addressing on interfaces with appropriate show commands for monitoring and troubleshooting.
- IPv6 ACLs are processed in hardware to provide line-rate performance.
- Supports IPv6 clients. The configuration for IPv6 mobility is the same as IPv4 mobility and requires no separate software on the client side to achieve seamless roaming.
Wireless Features
Table 8 is a detailed list of wireless features supported on the device.
Interoperability with Other Client Devices
This section describes the interoperability of this version of the controller software release with other client devices.
Table 9 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.
Caveats
If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:
http://tools.cisco.com/Support/BugToolKit/
(If you request a defect that cannot be displayed, the defect number might not exist, the defect might not yet have a customer-visible description, or the defect might be marked Cisco Confidential.)
The following sections list Open Caveats and Resolved Caveats for the Cisco 5760 controller, Cisco IOS XE Release 3.2.xSE.
Open Caveats
The following tracebacks are noticed on normal setup:
DATACORRUPTION-1-DATAINCONSISTENCY: strstr_s: dmax exceeds max, -PC= 0x240BE60Cz
-Traceback= 190BA74z 182D4C8z 5E68CD5z 5E68B63z 55817EBz 55815D7z 558154Dz 5580E60z 5580444z 55802CAz
There is no workaround. There is no functional impact.
When the Ethernet management port receives a frame whose destination MAC address is not FA1, it does not drop the traffic. Instead, the port uses the vrf mgmtVrf routing table to route the traffic back.
In very rare cases, all traffic to and from the controller ceases; all access points and LAG links disconnect as the controller fails to transmit the LACP PDUs; however, the management interfaces function.
Run the sh platform punt statistics port-asic 0 cpuq -1 direction tx command to verify whether the suspend/unsuspend count is stuck for any of the transmission queues. Run the command several times to make sure that the suspend/unsuspend counters are no longer incrementing, and the TX suspend count = TX unsuspend count + 1. If you see this problem on any of the transmission queues, open a case with the TAC, or contact your Cisco technical support representative.
There is no workaround. Reboot the controller.
When the same PV HQOS policies are applied to both directions of an interface, the output policy stops working when the input policy is removed.
The workaround is to detach the output policy and reapply it to the interface.
After an HQOS policy is attached to an interface and the interface speed or bandwidth is changed while the policy is attached, the HQOS policy gets detached from the interface.
The workaround is to detach the policy, change the bandwidth or speed of the interface, and reattach the policy.
No output is displayed on the USB console when the USB console cable is inserted after the image starts booting from the RJ-45 port.
The workaround is to insert the USB console cable before booting the image from the RJ-45 port.
Rogue Location Discovery Protocol (RLDP) does not work when the AP is in local mode. This problem occurs when there is no WLAN configured on the controller or on a monitor mode AP.
The workaround is to ensure that you configure one SSID on the controller when the AP is in local mode. RLDP does not work when the AP is in monitor mode, and there is no workaround.
The class video counters for the AP port policy appear as zero when you use the show policy-map interface wireless ap command.
When a class is removed from a queuing policy map that is attached to a wired port, the queue programming in the hardware is removed.
The workaround is to remove the policy from the port before making modifications.
When the incoming rate is far beyond the rate configured in a policy map through policing, the traffic is not properly shaped.
The workaround is to configure the policy map with priority level 1 percent and priority level 2 percent instead of configuring the policy with priority level x and policing.
When you modify the webauth virtual IP while there are active webauth sessions, the session stays in the pending-delete state and you cannot create a new session.
The workaround is to not make CLI changes when authorized webauth sessions are in use.
When a policy with priority and a policer is attached to a range of interfaces on an uplink, in some scenarios, any change made to the policer rate causes the policy to be unprogrammed on one or more ports.
The workaround is to remove the policy from the affected ports and reattach it.
When configuring policy maps using absolute values, the maximum rate is limited to 2G/second.
The workaround is to configure policy maps using the priority level 1 percent x command instead of configuring absolute values with the priority level 1 x command.
When policers are attached to uplink interfaces using the range command, the policers do not always work.
The workaround is to attach the policy to each port, one by one.
In a hierarchical queueing policy, a table map under the child policy continues to mark traffic after the policy is detached from an interface.
The workaround is to attach a default policy, for example:
After a queuing policy is deleted from one uplink port (10 G), the queueing policy on the other 1-G uplink stops working.
The workaround is to detach the policy and reattach it.
When using hierarchical policies, the child classification does not work properly when its matching value is a subset of the parent class's matching values for COS, DSCP, UP, and PREC classes.
The workaround is to configure hierarchical policies to achieve one of these results:
– The parent class has only class-default and the child class has user-defined classes.
– The parent class has user-defined classes and the child has only class-default.
The management port on the device may stop working when it is connected to a Fast Ethernet port.
The workaround is to use the shutdown and no shutdown commands to clear and restart the management port.
The snmp get command on cLMobilityExtMoMcLinkStatus for a given mobility controller (MC) and on cLMobilityExtMcAssocTime for a given mobility controller's client returns incorrect values.
The workaround is to use the following commands:
– show wireless mobility oracle summary to display the link status between the mobility oracle and the mobility controller
– show wireless mobility controller client summary to display the client association time.
After a per-VLAN policy is removed from a port, the policer stays active. The VLAN has an SVI with a policy attached that is performing a set.
The workaround is to remove the policy from the SVI before removing it from the port.
The Cisco 5760 controller console may stop responding on AIR-CT5760-6 with 5000 clients and high CPU usage after entering WLAN shutdown and no shutdown commands.
The workaround is to SSH to the AIR-CT5760-6 instead of using direct Telnet to the console connection. You can also press Ctrl, Shift-6.
The DHCP snooping database agent fails to start while changing the DNS entry that the URL pointed to or when restarting the DHCP server. To avoid this issue, use another file transport mechanism like SCP or TFTP.
The workaround is to reload the controller.
When a 1-G port on a Catalyst 3850 switch is connected to a 10-G port on a 5760 controller with a 1-G SFP module, the 10-G controller port stays up even when the switch port is shut down.
In WebUI, it takes up to 10 to 15 seconds for the home page to load.
If you copy and paste several wireless configuration lines into the configuration, the system drops the first few characters from every other line. The number of characters dropped appears to be related to how long the command takes to execute. The issue does not occur on non-wireless configuration lines.
The workaround is to copy and paste line by line.
Multicast traffic travels on the WLAN-mapped VLAN rather than on the AP-group mapped VLAN when an AP is placed in an AP group where VLAN is overridden for the SSID and a client associates with the AP that is broadcasting this SSID.
The console displays %IPC-5-WATERMARK log messages repeatedly.
There is no workaround. There is no functional impact.
ARP traffic is occasionally dropped. The ARP loss corresponds with buffer counter under “failures” incrementing in the output of show platform punt client.
If IP device tracking is not required and neither dot1x nor DAI is used, then the workaround is to add the nmsp attachment suppress command at the interface level of all switchports. This stops ARP snooping from being enabled on the ports.
When a fiber interface is configured with the default configuration, the following error message is displayed:
and the interface is placed in the error-disabled state.
The workaround is to configure the interface with the no keepalive command.
When the Network Time Protocol (NTP) configuration is removed from the controller, the Cisco IOS software unexpectedly halts.
Resolved Caveats
Caveats Resolved in Cisco IOS XE Release 3.2.3SE
During many simultaneous dot1x authentication operations, sessions may time out and fail to correctly authenticate. The console will continuously report authorization and authentication messages.
The switch can crash when there are concurrent sessions and you try to remove an existing password from the console or VTY. Various inconsistencies can be seen in the running configuration that can result in a crash.
The workaround is to minimize configuration changes to the password, and to use a standalone switch when making such changes.
All wireless clients become stuck in idle state. Once idle, the clients cannot reconnect to the wireless network. New clients can connect, but will become idle on disconnect.
The workaround is to reload the affected device or stack and upgrade to release 3.3.0(SE) or greater.
A port channel is in the “not connect” status when BPDU packets are received.
Layer 3 traffic routed on one switch or stack member fails for newly added devices.
There is no direct workaround. Reload the impacted switch to recover.
When the internal process takes more than 3 seconds to process the mobility state change request, the client can be stuck in local state on the foreign switch. As a result, traffic is not forwarded through the anchor; instead, traffic is forwarded through the foreign switch.
When multiple activities such as the following are running in parallel, the controller may unexpectedly reboot.
– multiple show-tech CLI commands executed
There is a QoS ACL matching issue when multiple classes match in the ACL range.
The workaround is to remove auto qos voip cisco-softphone from all attaching interfaces and then reattach the policy.
Katana-3.11.22-3500TSIM Clients for WLAN in client excluded state when with ACL.
Workaround: Do not use an ACL.
Access Points cannot register to the 5760 controller when the wireless management VLAN is 1 and the SVI IP address is 172.16.140.230/231.
The workaround is to use a different IP address in this subnet.
BW of the show interfaces port-channel privileged EXEC command does not display correctly.
The external webauth page redirect stops working after some time.
The workaround is to reboot the system.
After a TACACS authentication, the wireless GUI is not available on the switch.
The workaround is to use the CLI (Telnet, console, or SSH) to configure the device.
The WLC5760 controller crashes during CWA client association when ISE is unreachable.
Segmentation fault crash in process cpf_msg_rcvq_process.
FED crash on a WLC5760 controller running 3.2.2 SE.
Egress SSID policy does not install in FED.
The workaround is to use default QoS.
In rare cases, Mac Learning does not occur for either ports 1-24 or ports 25-48 on one stack member in a switch stack. The other stack members are not affected.
Caveats Resolved in Cisco IOS XE Release 3.2.2SE
The results of the snmp get command on the following MIBs in the cLWlanConfigTable are inconsistent:
The snmp set command on the cLWlanNACSupport MIB does not work.
The workaround is to use the show wlan name profile name command.
The ranges for cLQd11aRadioMaxStreams/cLQd11bRadioMaxStreams and cLQd11aClientMaxStreams/cLQd11aClientMaxStreams do not start at 0. This situation occurs when you perform an snmp set on cLQd11aRadioMaxStreams or cLQd11bRadioMaxStreams under cLQd11aCACConfig. The same situation exists for a Radio type.
The snmp get command returns an incorrect value on bsnMobileStationWepState from bsnMobileStationTable.
The workaround is to use the show wlan name profile-name command.
After a roam operation, when you enter the show policy command, the police-conformed rate state under a child policy is displayed incorrectly.
When you perform a continuous SNMPWALK on the table's attributes, the output is inconsistent.
When you perform a set on the cLD11ClientCalibTable, SNMPWALK gives the correct data for the first few minutes and then it does not return any data.
When a nonhierarchical policy is installed on SSID output and when you try to overwrite it with a new policy which is in a hierarchical format, the policy change fails. This problem occurs only when a nonhierarchical policy is overwritten with a hierarchical policy.
The workaround is to unconfigure the existing policy and apply the new policy.
If a client is roaming from Mobility Agent (MA) to Mobility Controller (MC) and joins another MA in a different peer group before complete authentication to MC, and then tries to rejoin to MC, the client entry cannot be deleted from the database. The client will not be able to join on the AP connected to MC but can join anywhere else in the network.
The workaround is to use the test platform llm clear-database client_mac_address true command to remove the client entry on MC.
The controller displays the following message:
The show environment power all command randomly displays a power supply failure message, and the wattage is displayed incorrectly as 235 W.
When significant traffic (~ 4 billion packets) has traversed the CPU, the controller reloads unexpectedly. Depending on the control traffic pattern, it can take days or weeks for CPU-bound traffic to reach 4 billion. To check for this condition, use the show platform punt stat port-asic 0 cpuq -1 direction rx command.
A Macbook client bug causes connectivity problems with a recent OS X update. This problem is triggered by the client sending an out of sequence packet.
The workaround is to disable A-MPDU.
When the auto qos voip cisco-phone command is applied to a port, data traffic over 10 (or 20) Mb/s is dropped at ingress ports.
The workaround is to remove the policer from the following class-map policy:
Service-policy input: AutoQos-4.0-CiscoPhone-Input-Policy
Class AutoQos-4.0-Default-Class
police cir 10000000 bc 8000 be 8000
exceed-action set-dscp-transmit dscp table policed-dscp
When the switch is in VTP client mode, all broadcast traffic is blocked for a given VLAN when a vtp prune event is immediately followed by a re-join event. ARP does not complete and consequently MAC addresses on upstream devices are not learned.
Caveats Resolved in Cisco IOS XE Release 3.2.1SE
In certain boot sequences, the BOOT variable is removed from the switch. At the next reboot attempt, the reboot fails, and the switch remains in the bootloader prompt.
– Boot the switch with the boot flash:file_name command.
or
– Set the BOOT variable explicitly in the bootloader using BOOT=flash:file_name, and then boot the switch using the boot command.
Documentation Updates
Configuring Fast SSID Changing
When the client sends a new association for a different SSID and fast SSID changing is disabled, the client entry in the controller connection table is cleared before the client is added to the new SSID. This means that the controller enforces a delay before clients are allowed to move to a new SSID. When fast SSID changing is enabled, there is no delay, and clients move more quickly from one SSID to another.
Beginning in privileged EXEC mode, follow these steps to configure fast SSID changing:
Troubleshooting
For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:
http://www.cisco.com/en/US/support/index.html
Choose Product Support > Wireless. Then choose your product and click Troubleshoot and Alerts to find information for the problem that you are experiencing.
Related Documentation
For additional information about the Cisco controllers, see the documents at this URL:
http://www.cisco.com/en/US/products/ps12598/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.