Cisco 5700 Series Wireless LAN Controllers

Release Notes for Cisco 5700 Series Wireless LAN Controller, Cisco IOS XE Release 3.3.xSE

  • Viewing Options

  • PDF (291.0 KB)
  • Feedback

Table of Contents

Release Notes for Cisco 5700 Series Wireless LAN Controller, Cisco IOS XE Release 3.3.xSE



What’s New in Cisco IOS XE Release 3.3.1SE

What’s New in Cisco IOS XE Release 3.3.0SE

Supported Hardware

Controller Models

Other Supported Products

Compatibility Matrix

Wireless Web UI Software Requirements

Software Version

Upgrading the Controller Software


Interoperability with Other Client Devices

Important Notes


Open Caveats

Resolved Caveats in Cisco IOS XE Release 3.3.2SE

Resolved Caveats in Cisco IOS XE Release 3.3.1SE

Resolved Caveats in Cisco IOS XE Release 3.3.0SE


Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco 5700 Series Wireless LAN Controller, Cisco IOS XE Release 3.3.xSE

First Published: October 7, 2013

Last Updated: February 28, 2014



This release note describes the features and caveats for the Cisco IOS XE 3.3.xSE software on the Cisco WLC 5700 Series.


The Cisco 5700 Series Wireless LAN Controller (Cisco WLC 5700 Series) is designed for 802.11ac performance with maximum services, scalability, and high resiliency for mission-critical wireless networks. With an enhanced software programmable ASIC, the controller delivers wire-speed performance with services such as Advanced QoS, Flexible NetFlow Version 9, and downloadable ACLs enabled in a wireless network. The controller works with other controllers and access points to provide network managers with a robust wireless LAN solution. The Cisco WLC 5700 provides:

  • Network traffic visibility through Flexible NetFlow Version 9
  • Radio frequency (RF) visibility and protection
  • Support for features such as CleanAir, ClientLink 2.0, and VideoStream

The Cisco IOS XE software represents the continuing evolution of the preeminent Cisco IOS operating system. The Cisco IOS XE architecture and well-defined set of APIs extend the Cisco IOS software to improve portability across platforms and extensibility outside the Cisco IOS environment. The Cisco IOS XE software retains the same look and feel of the Cisco IOS software, while providing enhanced future-proofing and improved functionality.

For more information about the Cisco IOS XE software, see

What’s New in Cisco IOS XE Release 3.3.1SE

  • Support added for Cisco Aironet 3700 Series Access Points—The Cisco Aironet 3700 Series Access Points with the 802.11ac module is supported in this release. For more information about the AP, see .
  • Wired Guest Access—Uses Ethernet in IP (RFC3378) within the centralized architecture to create a tunnel across a Layer 3 topology between two WLC endpoints. No additional protocols or segmentation techniques are needed to isolate guest traffic from the enterprise.

Note Detailed documentation for this feature will be made available at a later date. In the meantime, see information about configuring Wired Guest Access on Catalyst 3850 Series Switches at

What’s New in Cisco IOS XE Release 3.3.0SE

  • Wireshark—A packet analyzer program that supports multiple protocols and presents information in a text-based user interface. Wireshark analyzes wired traffic and wireless traffic.
  • Wired Guest Access—Uses Ethernet in IP (RFC3378) within the centralized architecture to create a tunnel across a Layer 3 topology between two WLC endpoints. No additional protocols or segmentation techniques are needed to isolate guest traffic from the enterprise.
  • Service Discovery Gateway feature—Enables multicast Domain Name System (mDNS) to operate across Layer 3 boundaries by filtering, caching, and redistributing services from one Layer 3 domain to another. This feature enhances Bring Your Own Device (BYOD).
  • Captive Portal Bypassing for Local Web Authentication—Support for Apple devices that need to resolve Wireless Internet Service Provider roaming (WISPr) and have support for captive portal bypass.
  • Multicast Fast Convergence with Flex Links Failover feature—Reduces the convergence time of multicast traffic after a Flex Links failure.
  • High Availability (HA)

Controller Stack—This release supports a stack of two controllers connected using the stack cable, working together using the Cisco StackWise-480 technology. The HA feature is enabled by default when the controllers are connected using the stack cable and the Cisco StackWise-480 technology is enabled.

Access Point Stateful Switchover—Controller supports 1000 access points and 12000 clients. When a switchover from the active controller to standby controller occurs, the access points continue to remain connected during the active-to-standby switchover. However, all the clients are deauthenticated and need to be reassociated with the new active controller.

  • Client Count per WLAN—You can configure client limits per WLAN, per AP per WLAN, and per AP per Radio. The number of clients that you can configure for each WLAN depends on the platform that you are using.
  • 802.11w support—Support for the 802.11w standard as defined by the Management Frame Protection (MFP) service. Disassociation, Deauthentication, and Robust Action frames increase Wi-Fi network security by protecting the management frames from being spoofed.
  • 802.11r support in local mode—Support for IEEE Standard for fast roaming allows the handshake with the new access point before the client roams to the target access point. Allows clients to move between access points without breaking a session.
  • Wi-Fi Direct Client Policy—Devices that are Wi-Fi Direct capable can connect directly to each other quickly and conveniently to do tasks such as printing, synchronization, and sharing of data. Wi-Fi Direct devices may associate with multiple peer-to-peer (P2P) devices and with infrastructure wireless LANs (WLANs) concurrently. You can use the controller to configure the Wi-Fi Direct Client Policy, on a per WLAN basis, where you can allow or disallow association of Wi-Fi devices with infrastructure WLANs, or disable Wi-Fi Direct Client Policy altogether for WLANs.
  • Assisted Roaming—The 802.11k standard allows clients to request neighbor reports containing information about known neighbor access points that are candidates for a service set transition. The use of the 802.11k neighbor list can limit the need for active and passive scanning. The assisted roaming feature is based on an intelligent and client-optimized neighbor list.
  • Support for IPv6 wireless clients—Client policies can have IPv4 and IPv6 filters.
  • Support for 802.11ac module—The 802.11ac radio module, which is based on the IEEE 802.11ac Wave 1 standard, is available on the Cisco lightweight access points.

The 802.11ac module provides enterprise-class reliability and wired-network-like performance. The 802.11ac module supports three spatial streams and 80 MHz-wide channels for a maximum data rate of 1.3 Gbps. The 802.11ac standard is a 5-GHz-only technology, which is faster and a more scalable version of the 802.11n standard.

  • Application Visibility and Control—Classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine and provides application-level visibility into Wi-Fi networks.

Note The capability of dropping or marking the data traffic (control part) is not supported in the Cisco IOS XE 3.3.0SE.

  • Security Enhancements

Manage Rogue devices—The controller continuously monitors all the nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network. For more information about managing rogue devices, see the “Managing Rogue Devices” section in the System Management Configuration Guide.

Classify rogue access points—The controller software enables you to create rules that can organize and display rogue access points as Friendly, Malicious, or Unclassified. For more information about classifying rogue access points, see the “Classifying Rogue Access Points” section in the System Management Configuration Guide.

wIPS—The Cisco Adaptive wireless intrusion prevention system (wIPS) continually monitors wireless traffic on both the wired and wireless networks and uses network intelligence to analyze attacks and more accurately pinpoint and proactively prevent attacks in the future. You can configure an access point to work in wIPS mode if the access point is in the Monitor or Local mode.

Radio Frequency Grouping—A radio frequency (RF) group is a logical collection of controllers that coordinate to perform radio resource management (RRM) in a globally optimized manner to perform network calculations on a per-radio basis. An RF group exists for each 802.11 network type. Clustering controllers into a single RF group enables the RRM algorithms to scale beyond the capabilities of a single controller.

  • Lightweight Directory Access Protocol Server mode—Operates as the backend database for web authentication to retrieve user credentials and authenticate the user.
  • Wireless Flexible NetFlow—Enables flow monitoring and control of wireless traffic.
  • Enhanced QoS support for wireless IPv6 clients—Support for IPv6 ACLs and DSCP-matching of IPv6 packets.

Supported Hardware

Controller Models


Table 1 Cisco WLC 5700 Models

Part Number


Cisco 5760 Wireless Controller for up to 25 Cisco access points


Cisco 5760 Wireless Controller for up to 50 Cisco access points


Cisco 5760 Wireless Controller for up to 100 Cisco access points


Cisco 5760 Wireless Controller for up to 250 Cisco access points


Cisco 5760 Wireless Controller for up to 500 Cisco access points


Cisco 5760 Wireless Controller for up to 1000 Cisco access points


Cisco 5760 Series Wireless Controller for High Availability

Other Supported Products

Table 2 lists the supported products of the Cisco 5700 Series WLC.


Table 2 Cisco 5700 Series WLC Supported Products

Platform Supported

Access Point

Cisco Aironet 1040, 1140, 1260, 1600, 2600, 3500, 3600, 3700

Mobility Services Engine

3355, Virtual Appliance

Table 3 lists the specific supported Cisco access points.


Table 3 Supported Access Points

Access Points

Cisco Aironet 1040 Series





Cisco Aironet 1140 Series





Cisco Aironet 1260 Series





Cisco Aironet 1600 Series



Cisco Aironet 2600 Series



Cisco Aironet 3500 Series







Cisco Aironet 3600 Series



Cisco Aironet 3700 Series




Compatibility Matrix

Table 4 lists the software compatibility matrix.


Table 4 Software Compatibility Matrix

Cisco 5700 WLC
Catalyst 3850
Catalyst 3650
Cisco 5508 WLC or WiSM2
Cisco PI







5.2, 5.3








5.2, 5.3


1.Cisco WLC Release 7.6 is not compatible with Cisco Prime Infrastructure 2.0.

2.Prime Infrastructure 2.0 enables you to manage Cisco WLC with the features of Cisco WLC and earlier releases. Prime Infrastructure 2.0 does not support any features of Cisco WLC including the new AP platforms.

For more information on the compatibility of wireless software components across releases, see the Cisco Wireless Solutions Software Compatibility Matrix .

Wireless Web UI Software Requirements

  • Operating Systems

Windows XP

Windows 7

Mac OS X 10.7.5

  • Browsers

Google Chrome—Version 23.x

Microsoft Internet Explorer—Versions 10.x

Mozilla Firefox—Version 22.x

Software Version

Table 5 shows the mapping of the Cisco IOS XE version number and the Cisco IOS version number.

Table 5 Cisco IOS XE to Cisco IOS Version Number Mapping

Cisco IOS XE Version
Cisco IOSd Version
Cisco Wireless Control Module Version
Access Point Version










Upgrading the Controller Software

To upgrade the Cisco IOS XE software, use the software install privileged EXEC command to install the packages from a new software bundle file. You can install the software bundle from the local storage media or it can be installed over the network using TFTP or FTP.

The software instal l command expands the package files from the specified source bundle file and copies them to the local flash: storage device. When the source bundle is specified as a tftp: or ftp: URL, the bundle file is first downloaded into the switch's memory (RAM); the bundle file is not copied to local storage media.

After the package files are expanded and copied to flash: the running provisioning file (flash:packages.conf) is updated to reflect the newly installed packages, and the controller displays a reload prompt.

MC#software install file tftp://
Preparing install operation ...
[1]: Downloading file tftp:// to active switch 1
[1]: Finished downloading file tftp:// to active switch 1
[1]: Starting install operation
[1]: Expanding bundle ct5760-ipservicesk9.SPA.03.03.00.SE.150-1.EZ.bin
[1]: Copying package files
[1]: Package files copied
[1]: Finished expanding bundle ct5760-ipservicesk9.SPA.03.03.00.SE.150-1.EZ.bin
[1]: Verifying and copying expanded package files to flash:
[1]: Verified and copied expanded package files to flash:
[1]: Starting compatibility checks
[1]: Finished compatibility checks
[1]: Starting application pre-installation processing
[1]: Finished application pre-installation processing
[1]: Old files list:
Removed ct5760-base.SPA.03.02.03.SE.pkg
Removed ct5760-drivers.SPA.03.02.03.SE.pkg
Removed ct5760-infra.SPA.03.02.03.SE.pkg
Removed ct5760-iosd-ipservicesk9.SPA.150-1.EX3.pkg
Removed ct5760-platform.SPA.03.02.03.SE.pkg
Removed ct5760-wcm.SPA.
[1]: New files list:
Added ct5760-base.SPA.03.03.00SE.pkg
Added ct5760-drivers.SPA.03.03.00SE.pkg
Added ct5760-infra.SPA.03.03.00SE.pkg
Added ct5760-iosd-ipservicesk9.SPA.150-1.EZ.pkg
Added ct5760-platform.SPA.03.03.00SE.pkg
Added ct5760-wcm.SPA.
[1]: Creating pending provisioning file
[1]: Finished installing software. New software will load on reboot.
[1]: Committing provisioning file
[1]: Do you want to proceed with reload? [yes/no]:


The Cisco 5700 Series WLC is the first Cisco IOS-based controller built with smart ASIC for next generation unified wireless architectures. The Cisco 5700 Series WLC can be deployed both as a Mobility Controller (MC) in Converged Access solutions and as a Centralized Controller.

For more information about the features, see the product data sheet at this URL:

Interoperability with Other Client Devices

This section describes the interoperability of this version of the controller software release with other client devices.

Table 6 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.


Table 6 Client Types

Client Type and Name

Intel 4965 or, v13.4

Intel 5100/6300


Intel 6205


Dell 1395/1397

XP/Vista: Win7:

Dell 1505/1510/Broadcom 4321MCAG/4322HM

Dell 1515 (Atheros)

Dell 1520/Broadcom 43224HMS

Dell 1530 (Broadcom BCM4359)


Cisco CB21


Atheros HB95

MacBook Pro (Broadcom)
Handheld Devices

Apple iPad

iOS 5.0.1

Apple iPad2

iOS 6.0.1

Apple iPad3

iOS 6.0.1

Samsung Galaxy Tab

Android 3.2

Intermec CK70

Windows Mobile 6.5 /

Intermec CN50

Windows Mobile 6.1 /

Symbol MC5590

Windows Mobile 6.5 /

Symbol MC75

Windows Mobile 6.5 /

Phones and Printers

Cisco 7921G


Cisco 7925G


Ascom i75


Spectralink 8030


Vocera B1000A

Vocera B2000

Apple iPhone 4

iOS 6.0.1

Apple iPhone 4S

iOS 6.0.1

Apple iPhone 5

iOS 6.0.1

Ascom i62


HTC Sensation

Android 2.3.3

Samsung Galaxy S II

Android 2.3.3

SpectraLink 8450

Samsung Galaxy Nexus

Android 4.0.2

Important Notes

  • A switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches is not supported.
  • Although visible in the CLI, the following commands are not supported:

switchport mode dot1qtunnel

collect flow username

  • Although visible in the CLI, the authorize-lsc-ap command is not supported. (CSCui93659)
  • The following features are not supported in Cisco IOS XE Release 3.3.0SE:

Outdoor Access Points

Wired Guest Access

Note Wired Guest Access is supported is the Cisco IOS XE Release 3.3.1SE.

Mesh, FlexConnect, and Office Extend Access Point deployment

  • Routing protocols are not supported on Cisco 5700 Series WLCs.


If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:

(If you request a defect that cannot be displayed, the defect number might not exist, the defect might not yet have a customer-visible description, or the defect might be marked Cisco Confidential.)

Open Caveats

  • CSCuf81658

During an SSO when multicast traffic is flowing on the 5760 controller, spurious unicast packets are transmitted to the multicast client for few seconds.

There is no workaround.

  • CSCug90767

In some circumstances, when the interface on the 5760 controller is in the “down” state, the corresponding port on the neighbor switch might be in the “up” state. This condition is observed when the controller is reloaded with the port being in “admin down” state, and when the switch comes up, the interface is shown as “down” but the port PHY is still “up.”

The workaround is to use the shutdown/no shutdown commands on the controller port.

  • CSCuh25601

ARP traffic is occasionally dropped. The ARP loss corresponds with buffer counter under “failures” incrementing in the output of show platform punt client.

If IP device tracking is not required and neither dot1x or DAI is used, then the workaround is to add the nmsp attachment suppress command at the interface level of all switch ports. This stops ARP snooping from being enabled on the ports.

  • CSCuh64902

When the 5760 controller with HA is heavily loaded, traceback messages are observed during an SSO.

There is no workaround. There is no functional impact.

  • CSCuh97237

The Wireless Guest Access feature does not support wireless clients configured with a static IP address that are trying to join the foreign controller.

The workaround is to ensure that all clients joining the wireless guest access WLAN on the foreign controller are configured to acquire their IP address from the DHCP server.

  • CSCui56229

When configuring the shaper policy, the uplink 1G port follows the uplink 10G port, which causes the uplink 1G port shaper accuracy issue.

The workaround is to use the downlink 1G port instead of the uplink 1G port when you need accurate shaper policy.

  • CSCui56842

When Flexible NetFlow is configured on wireless SSID, multicast traffic received or sent by wireless clients is not reported.

There is no workaround.

  • CSCui67432

Clients fail to rejoin after multiple switchovers in a Cisco WLC 5700 Series with High Availability environment and with a load of 1000 access points and 12000 wireless clients. Multiple manual switchovers are performed. The issue is intermittent. The scaled system may take more than nine switchovers to see the issue.

There is no workaround.

  • CSCui67756

7925G phone on WPA2 CCKM WLAN displays a “Leaving Service Area” message during roaming between APs with 802.11ac modules because of forced full reauthentication. Key-cache roaming seems not to work as expected.

The workaround is not to use 802.11ac modules when CCKM is a requirement for the client.

  • CSCui69907

Policing does not work as expected when a class map contains multiple match VLAN statements.

The workaround is to create a class map with multiple VLANs in a single match; for example:

class-map VLAN
match vlan3, 4
  • CSCui88474

QoS policies created through Wireless Web UI are not listed on the Wireless Web UI page.

There is no workaround.

  • CSCuj10024

After an SSO on the 5760 controller with HA, some clients fail to rejoin.

The workaround is to decrease the number of clients connecting to the controller.

  • CSCuj13219

RF-CAC bandwidth is not released after a shutdown/no shutdown of a WLAN or a radio, resulting in limited CAC bandwidth for future calls.

The workaround is to reload the controller.

  • CSCuj66594

The 802.11k feature is enabled by default in the Cisco IOS XE 3.3.0 software. If you have a 79xx phone-based VoWLAN solution, the phones need the 1.4.5.x or higher version of firmware to interoperate with 802.11k. A workaround is to disable 802.11k on the controller.

  • CSCuj92028

Configuring a server group with a redirect ACL, which has a range option in the access control entries, can cause the controller to reload.

The workaround is using the eq keyword for each port number to prevent the controller from reloading.

  • CSCul47224

When 802.1x authentication starts, continuous tracebacks occur.

There is no workaround.

  • CSCum47451

The downloadable ACL is ineffective when applied to stack member 5 and higher.

There is no workaround.

  • CSCum55918

The controller, running IOS XE 3.3.1, always sends out the Web RADIUS Authentication request to the RADIUS server in clear text Password Authentication Protocol (PAP) even if the controller is configured for Challenge Handshake Authentication Protocol (CHAP).

There is no workaround.

  • CSCum70737

When a stack, running IOS XE 3.3.1SE, has an ACL applied to the management interface, the following problems can occur:

The policy is not correctly applied if ACLs are configured.

ACLs are not correctly programmed on the controller.

After applying the ACL to the management port no further ACLs can be correctly programmed.

The workaround is to remove the ACL from the management interface.

  • CSCum96372

A stack, which has a provisioned controller, returns a false or bad value error when pulling from the cswRingRedundant MIB object type.

The workaround is to unprovision the controller when pulling from the cswRingRedundant MIB object type.

  • CSCun10948

The controller, running the LAN Base image, crashes when an ACL contains an entry with the “log” or “log-input” statement.

The workaround is to remove the log” or “log-input” statement, or upgrade to the IP Base or IP Services image.

Resolved Caveats in Cisco IOS XE Release 3.3.2SE

  • CSCtq21722

SNMP freeing of invalid memory block causes the controller to reload.

There is no workaround.

  • CSCud17778

A memory leak due to SNMP traps causes the device to respond sluggishly to commands and can cause the device to crash. This condition happens when:

More than one snmp-server hosts are configured.

The snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart command is configured.

A host is sending broadcast SNMP traps

The workaround is to use the no snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart command, and then reload the device.

  • CSCui40588

After enabling aaa authentication login , the wireless webUI is not available on the controller.

The workaround is to configure local authentication on the controller. If AAA authentication is necessary, use ONLY the CLI to manage the controller.

  • CSCui75983

After rebooting the switch stack, ingress traffic matching a policy with multiple class maps of different ACLs might match the wrong class map.

The workaround is to remove the policy and reapply the policy on the affected interface.

  • CSCuj58616

Memory leaks can occur if you create a policy map on a WCM that already has policy maps configured.

There is no workaround.

  • CSCuj61051

The Wireless Control Module (WCM) on the controller crashes if the IOSd processing a AAA request and the AAA server is not available.

There is no workaround.

  • CSCuj81941

A sync error occurs on the active controller when a Prime Infrastructure (PI) template with a changed beacon is pushed.

There is no workaround.

  • CSCuj98181

The standby WLC 5760 crashes when an incorrect mobility tunnel is created.

There is no workaround.

  • CSCul19814

After collecting “raw netflow” data, the active switch crashes. The show flow monitor v4 cache privileged EXEC command causes the switch to reboot with the following message: %SCHED-3-TRASHING: Process thrashing on watched message event.

There is no workaround.

  • CSCul21515

Client TCP traffic is restricted to below 300kbps when client policy is set to police at 1Mbps on output direction.

Make sure that client TCP traffic is <1Mbps and closer to it.

  • CSCul26646

Using the slow flow monitor command during a SSH session causes the switch to crash or reboot with the following message: %SCHED-3-TRASHING: Process thrashing on watched message event.

There is no workaround.

  • CSCul30304

Multicast traffic is not routed between vlans. The “rep ri” column will show “0” for the affected multicast groups. Also, the output of the show platform table-manager database resource_type 21 | count F0 command will show more than 3000.

Reloading the switch will temporarily fix the problem but it might come back.

  • CSCul30792

Heavy continuous polling can cause an SNMP leak of 1 MB in 24 hours.

There is no workaround.

  • CSCul31225

The SVI set cos command does not work.

There is no workaround.

  • CSCul32843

Due to the Cisco AVC feature, FED crashes can occur every other day on a WLC 5760 running Cisco IOS XE3.3.0SE or 3.3.1SE.

The workaround is to disable Cisco AVC on the WLC.

  • CSCul39085

Over long periods of wireless AP joining and leaving on short intervals, memory-related crashes might occur. AP join and leave timing may cause memory related crashes. Crashes are in the form of memory corruptions like magic pattern, red zone corruptions or segmentation faults.

These crashes can happen due to these conditions:

Large amount of wireless AP joining and leaving quickly.

Network connectivity between AP and wireless controller is flapping quickly.

Unstable supporting features such as Dot1X, WebAuth or other external server access.

Misconfiguration in wireless-related features causing AP to join and leave quickly.

The workarounds are:

Monitor AP join/leave frequency, isolate APs that might be flapping quickly.

Monitor network connectivity between wireless controller and the core switch, to prevent all APs to join/leave at the same time.

  • CSCul54414

When a password on the switch is changed, sometimes later configurations from the CLI do not work.

There is no workaround. To access the CLI, start a new vty session.

  • CSCul54484

A slow memory leak on the switch in the eicored process occurs when another stack member is reloaded.

There is no workaround.

  • CSCul66968

A crash occurs after configuring a channel-group and bringing a port-channel.

There is no workaround.

  • CSCul79858

A memory leak might occur when the switch, running Cisco IOS XE 3.3.0 or 3.3.1, is being periodically SNMP polled. The switch might then crash after running out of memory.

Avoid periodic SNMP polling of the switch.

  • CSCul84467

Connectivity and traffic loss occurs if the active switch is powered off, and if the active switch is port channeled to a Nexus 7K.

Connectivity and traffic resume only when the switch is powered on.

  • CSCul87219

If a client authentication fails several times and exclusion is configured, the client gets excluded and the exclusion remains even after reloading the WLC. There is no way to remove the client from exclusion and the client is not able to connect to any other WLAN/SSID.

The workaround is to disable exclusion on the WLC to avoid this from happening for other clients. However, clients already excluded are not able to connect to the network.

  • CSCum04129

A crash occurs when removing a VLAN from the VLAN pool.

There is no workaround.

  • CSCum21662

Polling of some QoS SNMP objects can result in a memory leak. The following QoS MIB OIDs contribute to the memory leak:

Object: cportQosEgressQueueStatsEntry


Object: cportQosStatsEntry


Type: CportQosStatsEntry

Avoid polling these objects, or disable QoS.

  • CSCum59496

The switch stops working if a flood of CDP packets causes a memory leak.

There is no workaround.

  • CSCum66933

A crash occurs during IOSd processing due to an igmpsnoop_mrd.c file.

There is no workaround.

  • CSCum78391

The Wireless Control Module (WCM) crashes every 10 to 15 minutes because the WCM fails to assign wireless clients to a VLAN.

There is no workaround.

Resolved Caveats in Cisco IOS XE Release 3.3.1SE

  • CSCsl45701

The TACACS+ per VRF feature is not working and authentication fails.

The workaround is to use the TACACS+ source interface from the global routing table, not VRF.

  • CSCuc63146

Port-channel interface flap when changing vlan allowed list.

  • CSCud08538

WCM unresponsive on 2M at pthread_mutex_lock.

  • CSCue49527

Controller should use a new session ID for every fresh authentication.

There is no workaround.

  • CSCug18767

Apple devices are unable to login to WEB authentication.

The workaround is to connect to the WEB authentication SSID, open a WEB browser, close the browser, change the device's SSID settings to disable Auto-login, and then re-open the browser. The client should then WEB authenticate successfully.

  • CSCui69999

Switches with different images in the same stack are not supported.

The workaround is to ensure that all switches in the same stack are running the same image.

  • CSCuj21417

AID leak causing stale client entries on WLC

The workaround is to disconnect and reconnect AP to clear stale clients.

  • CSCuj34025

AUP PDF page does not display in PDF format.

  • CSCuj48089

The switch is stuck in a broadcast queue that prevents packets to enter the queue.

The workaround for ARP is to re-enable NMSP (no nmsp attachment suppress). This action will allow ARP traffic to be processed. A reload will also clear this state.

  • CSCuj48889

Crash due to eicore_ipc used up CPU.

  • CSCuj51372

In rare cases, Mac Learning does not occur for either ports 1-24 or ports 25-48 on one stack member in a switch stack. The other stack members are not affected.

The workaround is to reload the affected stack member.

  • CSCuj57007

DHCPACK with no DHCPOPT_LEASE_TIME option field should trigger IPDT.

The workaround is to release and then renew the IP address on the Lenovo W520.

  • CSCuj78610

High cpu issue at TUD on 03.12.19.EZP for process Auth-proxy HTTP dae.

There is no workaround.

  • CSCuj81949

WCM stopped responding on AAA authentication code. This issue occurs in a scale environment.

There is no workaround.

  • CSCuj91918

Number of MA RF members is restricted to eight (8) on MC, but allowed limit is 20 members.

There is no workaround.

  • CSCul03186

Hotspot error occurs intermittently on iPad.

  • CSCul06456

There is no SNMP MIB object available to add a local netuser or guest user.

The workaround is to use the CLI to add the user.

  • CSCul06619

Stale IPDT entries causing client to be stuck in DHCP reqd state.

  • CSCul13504

Web authentication logout pop-up window is not disabled.

There is no workaround.

  • CSCul27659

The controller always uses Layer 2 MGID when it sends multicast data to the access point. Every interface created is assigned one Layer 2 MGID.

L2 MGID is not sent to AP for Guest WLANs. So if DHCP NAK (which is broadcast as per current code) is received by AP it gets dropped and never reaches end client.

  • CSCul27717

Cisco APs are disassociated in a large scale setup (500 or more APs) when the debug capwap or debug dtls command is enabled (even with a MAC filter in place).

The workaround is to disable these debug commands.

  • CSCul30051

Clients fail authentication (psk/dot1x) due to uncreated dot1x interface for the AP.

The workaround is to reboot the AP on the client that cannot authenticate.

Resolved Caveats in Cisco IOS XE Release 3.3.0SE

  • CSCua75283

The following tracebacks are noticed on normal setup:

DATACORRUPTION-1-DATAINCONSISTENCY: strstr_s: dmax exceeds max, -PC= 0x240BE60Cz
-Traceback= 190BA74z 182D4C8z 5E68CD5z 5E68B63z 55817EBz 55815D7z 558154Dz 5580E60z 5580444z 55802CAz

There is no workaround. There is no functional impact.

  • CSCuc12774

When the Ethernet management port receives a frame whose destination MAC address is not FA1, it does not drop the traffic. Instead, the port uses the vrf mgmtVrf routing table to route the traffic back.

There is no workaround.

  • CSCuc95293

In very rare cases, all traffic to and from the controller ceases; all access points and LAG links disconnect as the controller fails to transmit the LACP PDUs; however, the management interfaces function.

  • CSCud11467

When the same PV HQOS policies are applied to both directions of an interface, the output policy stops working when the input policy is removed.

The workaround is to detach the output policy and reapply it to the interface.

  • CSCud11552

After a HQOS policy is attached to interface and the interface speed or bandwidth is changed while the policy is attached, the HQOS policy gets detached from the interface.

The workaround is to detach the policy, change the bandwidth or speed of the interface, and reattach the policy.

  • CSCud54501

The class video counters for the AP port policy appear as zero when you use the show policy-map interface wireless ap command.

There is no workaround.

  • CSCud54725

When a class is removed from a queuing policy map that is attached to a wired port, the queue programming in the hardware is removed.

The workaround is to remove the policy from the port before making modifications.

  • CSCud55333

When the incoming rate is far beyond the rate configured in a policy map through policing, the traffic is not properly shaped.

The workaround is to configure the policy map with priority level 1 percent and priority level 2 percent instead of configuring the policy with priority level x and policing.

  • CSCud56426

When you modify the webauth virtual IP while there are active webauth sessions, the session stays in the pending-delete state and you cannot create a new session.

The workaround is to not make CLI changes when authorized webauth sessions are in use.

  • CSCud60008

When a policy with priority and a policer is attached to a range of interfaces on an uplink, in some scenarios, any change made to the policer rate causes the policy to be unprogrammed on one or more ports.

The workaround is to remove the policy from the affected ports and reattach it.

  • CSCud60070

When configuring policy maps using absolute values, the maximum rate is limited to 2G/second.

The workaround is to configure policy maps using the priority level 1 percent x command instead of configuring absolute values with the priority level 1 x command.

  • CSCud62982

When policers are attached to uplink interfaces using the range command, the policers do not always work.

The workaround is to attach the policy to each port, one by one.

  • CSCud63110

In a hierarchical queueing policy, a table map under the child policy continues to mark traffic after the policy is detached from an interface.

The workaround is to attach a default policy, for example:

policy-map trust-cos
class class-default
set cos cos table default

You then detach it.

  • CSCud63823

After a queuing policy is deleted from one uplink port (10 G), the queueing policy on the other 1-G uplink stops working.

The workaround is to detach the policy and reattach it.

  • CSCud65034

When using hierarchical policies, the child classification does not work properly when its matching value is a subset of the parent class's matching values for COS, DSCP, UP, and PREC classes.

The workaround is to configure hierarchical policies to achieve one of these results:

The parent class has only class-default and the child class has user-defined classes.

The parent class has user-defined classes and the child has only class-default.

  • CSCud71747

The snmp get command on cLMobilityExtMoMcLinkStatus for a given mobility controller (MC) and on cLMobilityExtMcAssocTime for a given mobility controller's client returns incorrect values.

The workaround is to use the following commands:

show wireless mobility oracle summary to display the link status between the mobility oracle and the mobility controller

show wireless mobility controller client summary to display the client association time.

  • CSCud72626

After a per-VLAN policy is removed from a port, the policer stays active. The VLAN has an SVI with a policy attached that is performing a set.

The workaround is to remove the policy from the SVI before removing it from the port.

  • CSCuf86171

The DHCP snooping database agent fails to start while changing the DNS entry that the URL pointed to or when restarting the DHCP server. To avoid this issue, use another file transport mechanism like SCP or TFTP.

The workaround is to reload the controller.

  • CSCuf93185

When a 1-G port on a Catalyst 3850 switch is connected to a 10-G port on a 5760 controller with a 1-G SFP module, the 10-G controller port stays up even when the switch port is shut down.

There is no workaround.

  • CSCug38523

In WebUI, it takes up to 10 to 15 seconds for the home page to load.

There is no workaround.

  • CSCug41165

If you copy and paste several wireless configuration lines into the configuration, the system drops the first few characters from every other line. The number of characters dropped appears to be related to how long the command takes to execute. The issue does not occur on non-wireless configuration lines.

The workaround is to copy and paste line by line.

  • CSCug58178

Multicast traffic travels on the WLAN-mapped VLAN rather than on the AP-group mapped VLAN when an AP is placed in an AP group where VLAN is overridden for the SSID and a client associates with the AP that is broadcasting this SSID.

There is no workaround.

  • CSCuh20848

The console displays %IPC-5-WATERMARK log messages repeatedly.

There is no workaround. There is no functional impact.

  • CSCui59004

When the Network Time Protocol (NTP) configuration is removed from the controller, the Cisco IOS software unexpectedly halts.

There is no workaround.


For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:

Choose Product Support > Wireless. Then choose your product and click Troubleshoot and Alerts to find information for the problem that you are experiencing.

Related Documentation

  • Cisco 5700 controller documentation at this URL:

  • Cisco Validated Designs documents at this URL:

  • Error Message Decoder at this URL:

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation , which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What’s New in Cisco Product Documentation , which lists all new and revised Cisco Technical documentation, as an RSS feed and deliver content directly to your desktop using a read application. The RSS feeds are a free service.