Guest

Cisco 4400 Series Wireless LAN Controllers

Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 3.2.202.0

  • Viewing Options

  • PDF (342.6 KB)
  • Feedback
Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 3.2.202.0

Table Of Contents

Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 3.2.202.0

Contents

Cisco Unified Wireless Network Solution Components

Controller Requirements

Software Release Information

Finding the Software Release

Upgrading to a New Software Release

Installation Notes

Warnings

Safety Information

FCC Safety Compliance Statement

Safety Precautions

Installation Instructions

Important Notes

802.1q Priority in ICMP Requests

Using Web Policy

Resetting the Configuration on 2006 Controllers

Multicast Group Address Not Supported on 2006 Controllers

Service Modules Supported in the Catalyst 6500 Series Switch

VLANs on the Cisco WiSM

DHCP Servers Must Have Duplicate IP Checking Enabled

RADIUS Server Failover Behavior

Access Points Fail to Join Controllers If MTU Setting Is Less Than 1500

Workarounds

Changing the Default Values of SNMP Community Strings

Using the GUI to Change the SNMP Community String Default Values

Using the CLI to Change the SNMP Community String Default Values

Changing the Default Values for SNMP v3 Users

Using the GUI to Change the SNMP v3 User Default Values

Using the CLI to Change the SNMP v3 User Default Values

FIPS 140-2

Controllers Must Run Release 3.2.116.21 or Later to Support -P Regulatory Domain

Voice WLAN Configuration

Inter-Subnet Roaming

Operating Mesh Networks Through Switches and Routers

Heavily Loaded Controller CPU

RADIUS Servers and the Management VLAN

RADIUS Configuration for Management Users

Cisco 7920 Wireless IP Phone Support

Client Channel Changes

Exclusion List (Blacklist) Client Feature

Maximum MAC Filter Entries

Cisco Aironet 1030 Remote Edge Lightweight Access Points and WPA2-PSK

RADIUS Servers

Management Usernames and Local Netuser Names

802.1x and Microsoft Wireless Configuration Manager

Cisco Aironet 1030 Remote Edge Lightweight Access Point Default Operation

Using the Backup Image

Home Page Retains Web Auth Login with IE 5.x

Ad-Hoc Rogue Containment

RLDP Enable/Disable

Apple iBook

Features Not Supported on 2000 Series Controllers

Some Clients See Only 64 Access Point MAC Addresses (BSSIDs) at a Time

Pinging from Any Network Device to a Dynamic Interface IP Address Is Not Supported

2006 Image Not Supported for 3504 Controllers

Running a 3504 Image on a 2000 Series Controller

Cisco Lightweight Access Points Fail to Join Cisco Controllers

Upgrading External Web Authentication

Caveats

Resolved Caveats

Open Caveats

Closed Caveats

If You Need More Information

Troubleshooting

Documentation Updates

Omissions

Related Documentation

Obtaining Documentation, Support, and Security Guidelines


Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 3.2.202.0


November 15, 2007

These release notes describe open and resolved caveats for operating system release 3.2.202.0 for Cisco 2000, 4100, and 4400 Series Wireless LAN Controllers; Cisco Wireless Services Modules (WiSM); Cisco Wireless LAN Controller Network Modules; and Cisco Aironet 1000, 1130, 1200, 1240, and 1500 Series Lightweight Access Points, which comprise part of the Cisco Unified Wireless Network (Cisco UWN) Solution.


Note Unless otherwise noted, all of the Cisco wireless LAN controllers are hereafter referred to as controllers, and all of the Cisco lightweight access points are hereafter referred to as access points.


Contents

These release notes contain the following sections:

Cisco Unified Wireless Network Solution Components

Controller Requirements

Software Release Information

Installation Notes

Important Notes

Caveats

Troubleshooting

Documentation Updates

Related Documentation

Obtaining Documentation, Support, and Security Guidelines

Cisco Unified Wireless Network Solution Components

The following components are part of the Cisco UWN Solution and are compatible in this release:

Operating system software release 3.2.202.0 for all Cisco controllers and lightweight access points

Cisco Wireless Control System (WCS) software release 4.0.97.0

Location appliance software release 2.1.34.0, 2.1.39.0, or 2.1.42.0

Cisco 2700 Series Location Appliances

Cisco 2000, 4100, and 4400 Series Wireless LAN Controllers

Cisco Wireless Service Module (WiSM) for Cisco Catalyst 6500 Series Switches

Cisco Wireless LAN Controller Network Module for Cisco Integrated Services Routers

Cisco Aironet 1000, 1130, 1200, 1240, and 1500 Lightweight Access Points


Note The 1130, 1200, and 1240 series access points are not supported on the 4100 and 3504 controllers.


Controller Requirements

The controller graphical user interface (GUI) requires the following operating system and web browser:

Windows XP SP1 or higher or Windows 2000 SP4 or higher

Internet Explorer 6.0 SP1 or higher


Note Internet Explorer 6.0 SP1 or higher is the only browser supported for accessing the controller GUI and for using web authentication.


Software Release Information

Operating system software is factory installed on your controller and automatically downloaded to the access points after a release upgrade and whenever an access point associates to a controller. As new releases become available for the controllers and their associated access points, consider upgrading.


Note The Cisco WiSM requires software release SWISMK9-32 or later.


Finding the Software Release

To find the software release running on your controller, look on the Monitor > Summary page of the controller GUI or enter show sysinfo on the controller command line interface (CLI).

Upgrading to a New Software Release

When a controller is upgraded, the code on its associated access points is also automatically upgraded. When an access point is loading code, each of its lights blinks in succession.


Caution Do not power down the controller or any access point during this process; otherwise, you might corrupt the software image! Upgrading a controller with a large number of access points can take as long as 30 minutes. The access points must remain powered, and the controller must not be reset during this time.

Cisco recommends the following sequence when performing an upgrade:

1. Upload your controller configuration files to a server to back them up.

2. Turn off the controller 802.11a and 802.11b networks.

3. Upgrade your controller to the latest software release, following the instructions in the latest version of the Cisco Wireless LAN Controller Configuration Guide. Click this link to browse to that document:

http://www.cisco.com/en/US/products/ps6366/products_installation_and_configuration_guides_list.html

4. Re-enable your 802.11a and 802.11b networks.


Note Controllers can be upgraded from one release to another. However, should you require a downgrade from one release to another, you may be unable to use the higher release configuration. The workaround is to reload the previous controller configuration files saved on the backup server or to reconfigure the controller.


Installation Notes

This section contains important information to keep in mind when installing your controllers and access points.

Warnings


Warning This warning means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.



Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment.



Warning Do not locate any antenna near overhead power lines or other electric light or power circuits, or where it can come into contact with such circuits. When installing antennas, take extreme care not to come in contact with such circuits, as they may cause serious injury or death. For proper installation and grounding of the antenna, refer to national and local codes (e.g. U.S.: NFPA70, National Electrical Code, Article 810, in Canada: Canadian Electrical Code, Section 54).



Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 120 VAC, 15A U.S. (240vac, 10A International).



Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground connector. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available.



Warning Read the installation instructions before you connect the system to its power source.



Warning Do not work on the system or disconnect cables during periods of lightning activity.



Warning Do not operate your wireless network near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.



Warning In order to comply with radio frequency (RF) exposure limits, the antennas for this product should be positioned no less than 6.56 ft (2 m) from your body or nearby persons.



Warning This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security.


Safety Information

Follow the guidelines in this section to ensure proper operation and safe use of the controllers and access points.

FCC Safety Compliance Statement

FCC Compliance with its action in ET Docket 96-8, has adopted a safety standard for human exposure to RF electromagnetic energy emitted by FCC certified equipment. When used with approved Cisco Aironet antennas, Cisco Aironet products meet the uncontrolled environmental limits found in OET-65 and ANSI C95.1, 1991. Proper operation of this radio device according to the instructions in this publication results in user exposure substantially below the FCC recommended limits.

Safety Precautions

Each year hundreds of people are killed or injured when attempting to install an antenna. In many of these cases, the victim was aware of the danger of electrocution but did not take adequate steps to avoid the hazard.

For your safety, and to help you achieve a good installation, read and follow these safety precautions. They may save your life!

1. If you are installing an antenna for the first time, for your own safety as well as others, seek professional assistance. Your Cisco sales representative can explain which mounting method to use for the size and type of antenna you are about to install.

2. Select your installation site with safety as well as performance in mind. Electric power lines and phone lines look alike. For your safety, assume that any overhead line can kill you.

3. Call your electric power company. Tell them your plans and ask them to come look at your proposed installation. This is a small inconvenience considering your life is at stake.

4. Plan your installation carefully and completely before you begin. Successfully raising a mast or tower is largely a matter of coordination. Each person should be assigned to a specific task and should know what to do and when to do it. One person should be in charge of the operation to issue instructions and watch for signs of trouble.

5. When installing an antenna, remember:

a. Do not use a metal ladder.

b. Do not work on a wet or windy day.

c. Do dress properly—shoes with rubber soles and heels, rubber gloves, and a long-sleeved shirt or jacket.

6. If the assembly starts to drop, get away from it and let it fall. Remember that the antenna, mast, cable, and metal guy wires are all excellent conductors of electrical current. Even the slightest touch of any of these parts to a power line completes an electrical path through the antenna and the installer: you!

7. If any part of an antenna system should come in contact with a power line, do not touch it or try to remove it yourself. Call your local power company. They will remove it safely.

8. If an accident should occur with the power lines, call for qualified emergency help immediately.

Installation Instructions

Refer to the appropriate Quick Start Guide or Hardware Installation Guide for instructions on installing your controllers and access points.


Note To meet regulatory restrictions, all external antenna configurations must be professionally installed.


Personnel installing the controllers and access points must understand wireless techniques and grounding methods. Access points with internal antennas can be installed by an experienced IT professional.

The controller must be installed by a network administrator or qualified IT professional, and the proper country code must be selected. Following installation, access to the controller should be password protected by the installer to maintain compliance with regulatory requirements and ensure proper unit functionality.

Important Notes

This section describes important information about the controllers and access points.

802.1q Priority in ICMP Requests

In Layer 3 LWAPP mode, the 802.1q priority in ICMP requests from the controller is not designed to match the 802.1p value on the WLAN (CSCsj33921). Rather, ICMP request traffic from the controller is tagged based on the following conversion rules from the IEEE 802.11e UP to AVVID802.1p UP table.

Table 1 IEEE 802.11e UP to AVVID802.1p UP Conversion Chart

802.1p Value on WLAN (AVVID 802.1p UP)
802.1q Priority in ICMP Request (IEEE 802.11e UP)

1

1

2

2

3

0

4

3

5

4

6

5

7

6


Using Web Policy

The Web Policy parameter on the WLANs > Edit page cannot be used with the following Layer 3 security policies: L2TP, IPSec, and VPN Passthrough.

Resetting the Configuration on 2006 Controllers

If you wish to reset the configuration to factory defaults on a 2006 controller, perform one of the following:

From the controller GUI, choose Commands > Reset to Factory Default > Reset.

From the controller CLI (after system bootup and login), enter clear config. Then after the configuration has been cleared, enter reset system without saving the current configuration.

From the controller console (after system bootup), enter Recover-Config at the User Name prompt.


Caution Do not attempt to reset the controller's configuration by choosing Option 5, Clear Config, from the boot menu unless you have successfully upgraded to the _ER.aes image on Cisco.com.

Multicast Group Address Not Supported on 2006 Controllers

If you choose Multicast from the Ethernet Multicast Mode drop-down box on the Controller > General page, a Multicast Group Address edit box appears to the right of the drop-down box. However, this edit box should not appear for 2006 controllers because they do not support a Multicast Group Address.

Service Modules Supported in the Catalyst 6500 Series Switch

The Catalyst 6500 Series Switch chassis can support up to five Cisco WiSMs without any other service module installed. If one or more service modules are installed, the chassis can support up to a maximum of four service modules (WiSMs included).

VLANs on the Cisco WiSM

Do not configure the service VLAN as one of the VLANs on a data port on the Cisco WiSM.

DHCP Servers Must Have Duplicate IP Checking Enabled

For the Cisco WiSM, you need to enable duplicate IP detection on your DHCP servers. Otherwise, multiple clients may be assigned the same IP addresses.

RADIUS Server Failover Behavior

If you enter the config radius aggressive-failover enable command, the RADIUS server switches over to the backup server if it fails to answer one RADIUS request after five retransmissions. This is the default behavior. If you enter the config radius aggressive-failover disable command, the RADIUS server switches over to the backup server only if it fails to answer three consecutive RADIUS requests (where each RADIUS request is retransmitted five times).

Access Points Fail to Join Controllers If MTU Setting Is Less Than 1500

When the network path between access points and the controller is configured for an MTU size less than 1500, the controller does not receive join requests from access points in local mode. (MTU settings less than 1500 are common when you use tunneling protocols such as IPsec VPN, GRE, and MPLS.) The access point join request is larger than 1500 bytes, so the request is fragmented. The size of the first fragment is 1500 bytes (including IP and UDP header) and the second fragment is 54 bytes (including IP and UDP header).

Access points in REAP mode are not affected by this limitation, and the problem is resolved in the 4.0 software release because the LWAPP tunnel can reassemble up to four fragments. The problem occurs when all four of these conditions exist on your network:

Your controller runs software release 3.2 or earlier

Your controller is configured for Layer 3 LWAPP

The network path MTU between the access point and the controller is less than 1500 bytes

The access point is in local access point (LAP) mode (not REAP mode)

Workarounds

Use one of these workarounds to resolve the problem on your network:

Upgrade to controller software release 4.0 if the controller platform supports it.

Use 1030 series access points in REAP mode for locations reachable through low-MTU paths.

Increase the network path MTU to 1500 bytes.


Note New out-of-the-box access points default to local mode and run a special image that helps them join the controller but does not contain this fix. If you use these access points in hybrid-REAP mode across a WAN, have them first join the controller to resolve this issue before deploying them across the WAN in the remote office.


Changing the Default Values of SNMP Community Strings

The controller has commonly known default values of "public" and "private" for the read-only and read-write SNMP community strings. Using these standard values presents a security risk. Therefore, Cisco strongly advises that you change these values.

Using the GUI to Change the SNMP Community String Default Values

Follow these steps to change the SNMP community string default values through the controller GUI.


Step 1 Click Management and then Communities under SNMP. The SNMP v1 / v2c Community page appears.

Step 2 If "public" or "private" appears in the Community Name column, click Remove to delete this community.

Step 3 Click New to create a new community.

Step 4 When the SNMP v1 / v2c Community > New page appears, enter a unique name containing up to 16 alphanumeric characters in the Community Name field. Do not enter "public" or "private."

Step 5 In the remaining fields, enter the IP address from which this device accepts SNMP packets with the associated community and the IP mask, choose Read Only or Read/Write to specify the access level for this community, and choose Enable or Disable to specify the status of this community.

Step 6 Click Apply to commit your changes.

Step 7 Click Save Configuration to save your settings.

Step 8 Repeat this procedure if a "public" or "private" community still appears on the SNMP v1 / v2c Community page.


Using the CLI to Change the SNMP Community String Default Values

Follow these steps to change the SNMP community string default values through the controller CLI.


Step 1 To see the current list of SNMP communities for this controller, enter this command:

show snmp community

Step 2 If "public" or "private" appears in the SNMP Community Name column, enter this command to delete this community:

config snmp community delete name

The name parameter is the community name (in this case, "public" or "private").

Step 3 To create a new community, enter this command:

config snmp community create name

Enter up to 16 alphanumeric characters for the name parameter. Do not enter "public" or "private."

Step 4 To enter the IP address from which this device accepts SNMP packets with the associated community, enter this command:

config snmp community ipaddr ip_address ip_mask name

Step 5 To specify the access level for this community, enter this command, where ro is read-only mode and rw is read/write mode:

config snmp community accessmode {ro | rw} name

Step 6 To enable or disable this SNMP community, enter this command:

config snmp community mode {enable | disable} name

Step 7 To save your changes, enter save config.

Step 8 Repeat this procedure if you still need to change the default values for a "public" or "private" community string.


Changing the Default Values for SNMP v3 Users

The controller uses a default value of "default" for the username, authentication password, and privacy password for SNMP v3 users. Using these standard values presents a security risk. Therefore, Cisco strongly advises that you change these values.

Using the GUI to Change the SNMP v3 User Default Values

Follow these steps to change the SNMP v3 user default values through the controller GUI.


Step 1 Click Management and then SNMP V3 Users under SNMP.

Step 2 If "default" appears in the User Name column, click Remove to delete this SNMP v3 user.

Step 3 Click New to add a new SNMP v3 user.

Step 4 When the SNMP V3 Users > New page appears, enter a unique name in the User Profile Name field. Do not enter "default."

Step 5 In the remaining fields, choose Read Only or Read Write to specify the access level for this user, choose the authentication and privacy protocols to be used, and enter a password for each.

Step 6 Click Apply to commit your changes.

Step 7 Click Save Configuration to save your settings.


Using the CLI to Change the SNMP v3 User Default Values

Follow these steps to change the SNMP v3 user default values through the controller CLI.


Step 1 To see the current list of SNMP v3 users for this controller, enter this command:

show snmpv3user

Step 2 If "default" appears in the SNMP v3 User Name column, enter this command to delete this user:

config snmp v3user delete username

The username parameter is the SNMP v3 username (in this case, "default").

Step 3 To create a new SNMP v3 user, enter this command:

config snmp v3user create username {ro | rw} {none | hmacmd5 | hmacsha} {none | des} auth_password privacy_password

where

username is the SNMP v3 username,

ro is read-only mode and rw is read/write mode,

none, hmacmd5, and hmacsha are the authentication protocol options,

none and des are the privacy protocol options,

auth_password is the authentication password, and

privacy_password is the privacy password.

Do not enter "default" for the username and password parameters.

Step 4 To save your changes, enter save config.


FIPS 140-2

The Cisco 4400 Series Controllers are on the NIST FIPS 140-2 Pre-Validation List.

Controllers Must Run Release 3.2.116.21 or Later to Support -P Regulatory Domain

To support access points configured for use in Japan, you must upgrade the controller software to release 3.2.116.21 or later. Earlier releases do not support access points configured for use in Japan (regulatory domain -P).

Voice WLAN Configuration

Cisco recommends that aggressive load-balancing always be turned off in any wireless LAN that is supporting voice, regardless of vendor. When aggressive load-balancing is turned on, voice clients can hear an audible artifact when roaming, and the handset is refused at its first reassociation attempt.

Inter-Subnet Roaming

Currently, multicast traffic cannot be passed during inter-subnet roaming.

Operating Mesh Networks Through Switches and Routers

In mesh networks that operate through low-speed switches and routers, access points can disconnect from the controller, causing the controller to generate alerts.

Heavily Loaded Controller CPU

When the controller CPU is heavily loaded (for example, when doing file copies or other tasks), it does not have time to process all of the ACKs that the NPU sends in response to configuration messages. When this happens, the CPU generates error messages. However, the error messages do not impact service or functionality.

RADIUS Servers and the Management VLAN

The RADIUS server can be on any subnet as long as it can be reached by the management VLAN subnet.

The controllers can be managed via the management VLAN subnet from any other subnet that can reach the management VLAN subnet.

RADIUS Configuration for Management Users

To authenticate management users using RADIUS, set the IETF attribute Service-Type to Administrative for the user or group.

Cisco 7920 Wireless IP Phone Support

When using Cisco 7920 Wireless IP Phones with controllers, make sure that the phones and controllers are configured as follows:

Aggressive load balancing must be disabled on a per-controller basis. Otherwise, the initial roam attempt by the phone may fail, causing a disruption in the audio path.

The QoS Basis Service Set (QBSS) information element (IE) must be enabled. The QBSS IE enables the access points to communicate their channel usage to wireless devices. Because access points with high channel usage might not be able to handle real-time traffic effectively, the 7920 phone uses the QBSS value to determine if it should associate with another access point. Use the following commands to enable the QBSS IE:

sh wlan summary


Note Use this command to determine the WLAN ID number of the WLAN to which you want to add QBSS support.


config wlan disable wlan_id_number

config wlan 7920-support ap-cac-limit enable wlan_id_number

config wlan enable wlan_id_number

sh wlan wlan_id_number


Note Use this command to verify that the WLAN is enabled and the Dot11-Phone Mode (7920) field is configured for compat mode.


save config

The Dynamic Transmit Power Control (DTPC) information element (IE) must be enabled using the config 802.11a dtpc enable command. The DTPC IE is a beacon and probe information element that allows the access point to broadcast information on its transmit power. The Cisco 7920 Wireless IP Phone uses this information to automatically adjust its transmit power to the same level as the access point to which it is associated. In this manner, both devices are transmitting at the same level.

The 7920 phones and the controllers do not currently use compatible fast roaming mechanisms. The phone uses CCKM while the controllers use proactive key caching (PKC). To minimize roaming latency, static WEP is the recommended security mechanism.

When configuring WEP, there is a difference in nomenclature for the controller and the 7920 phone. Configure the controller for 104 bits when using 128-bit WEP for the 7920.

Client Channel Changes

Cisco access points are known to go off channel for up to 30 seconds while identifying rogue access point threats. This activity can cause occasional dropped client connections.

Exclusion List (Blacklist) Client Feature

If a client is not able to connect to an access point and the security policy for the WLAN and/or client is correct, the client has probably been disabled. In the controller GUI, you can view the client's status on the Monitor > Summary page under Client Summary. If the client is disabled, click Remove to clear the disabled state for that client. The client automatically comes back and, if necessary, reattempts authentication.

Automatic disabling happens as a result of too many failed authentications. Clients disabled due to failed authorization do not appear on the permanent disable display. This display is only for those MACs that are set as permanently disabled by the administrator.

Maximum MAC Filter Entries

The controller database can contain up to 2048 MAC filter entries for local netusers. The default value is 512. To support up to 2048 entries, you must enter this command in the controller CLI:

config database size MAC_filter_entry

where MAC_filter_entry is a value from 512 to 2048.

Cisco Aironet 1030 Remote Edge Lightweight Access Points and WPA2-PSK

Cisco Aironet 1030 Remote Edge Lightweight Access Points do not support WPA2-PSK in REAP standalone mode.

RADIUS Servers

This product has been tested with the following RADIUS servers:

CiscoSecure ACS v3.2

Funk Odyssey Client v1.1 and 2.0

Funk Steel-Belted RADIUS release 4.71.739 and 5.03 Enterprise Edition

Microsoft Internet Authentication Service (IAS) release 5.2.3790.1830 on Windows 2003 server

Management Usernames and Local Netuser Names

Management usernames and local netuser names must be unique because they are stored in the same database. That is, you cannot assign the same name to a management user and a local netuser.

802.1x and Microsoft Wireless Configuration Manager

Clients using the Microsoft Wireless Configuration Manager and 802.1x must use WLANs configured for 40- or 104-bit key length. Configuring for 128-bit key length results in clients that can associate but not authenticate.

Cisco Aironet 1030 Remote Edge Lightweight Access Point Default Operation

When a controller reboots, dropped Cisco Aironet 1030 Remote Edge Lightweight Access Points attempt to associate to any available controller. If the access points cannot contact a controller, they continue to offer 802.11a/b/g service on WLAN 1 only.

Using the Backup Image

The controller bootloader (ppcboot) stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the bootloader to boot with the backup image.

With the backup image stored before rebooting, be sure to choose Option 4: Change Active Boot Image from the boot menu to set the backup image as the active boot image. Otherwise, when the controller resets, it again boots off the corrupted primary image.

After the controller boots, the active boot image can be changed to the backup image using the config boot backup command.

Home Page Retains Web Auth Login with IE 5.x

Due to a caching issue in the Internet Explorer 5.x browser, the home page retains the web authentication login. To correct this issue, clear the history or upgrade your workstation to Internet Explorer 6.x.

Ad-Hoc Rogue Containment

Client card implementations may mitigate the effectiveness of ad hoc containment.

RLDP Enable/Disable

The RLDP protocol detects rogues on your wired network. When RLDP is enabled, the controller reports a threat alarm for each rogue detected on the wired network. When RLDP is disabled, rogues detected on the wired network are shown in the Alert state.

Disabling RLDP stops the controller from detecting rogues on the wired network. Rogues can be manually contained by changing the status of the detected rogues. When rogues are being contained, you must manually disable containment for each rogue individually.

Apple iBook

Some Apple operating systems require shared key authentication for WEP. Other releases of the operating system do not work with shared key WEP unless the client saves the key in its key ring. How you should configure your controller is based on the client mix you expect to use. Cisco recommends testing these configurations before deployment.

Features Not Supported on 2000 Series Controllers

These hardware features are not supported on 2000 series controllers:

Power over Ethernet

Service port (separate out-of-band management 10/100-Mbps Ethernet interface)

These software features are not supported on 2000 series controllers:

VPN termination (such as IPSec and L2TP)

Termination of guest controller tunnels (Origination of guest controller tunnels is supported)

External web authentication web server list

Layer 2 LWAPP

Spanning tree

Port mirroring

Cranite

Fortress

AppleTalk

QoS per-user bandwidth contracts

IPv6 pass-through

Some Clients See Only 64 Access Point MAC Addresses (BSSIDs) at a Time

In a crowded RF environment, clients may not be able to detect the desired SSID because of internal table limitations. Sometimes disabling and then enabling the client interface forces a rescan. Your RF environment needs to be controlled. Cisco UWN rogue access point detection and containment can help you to enforce RF policies in your buildings and campuses.

Pinging from Any Network Device to a Dynamic Interface IP Address Is Not Supported

Clients on the WLAN associated with the interface pass traffic normally.

2006 Image Not Supported for 3504 Controllers

The 2006 controller image is supported for use with only 2000 series controllers. Do not install the 2006 image on a 3504 controller. Otherwise, errors may occur. Install only the 3504 image on a 3504 controller.

Running a 3504 Image on a 2000 Series Controller

It is possible to run a 3504 controller image on a 2000 series controller, but Cisco Aironet 1130, 1200, and 1240 series access points will not be able to connect to the controller.

Cisco Lightweight Access Points Fail to Join Cisco Controllers

When a Cisco lightweight access point is connected to a terminal server port and reboots because of a join failure or timeout, this sequence repeats until the access point returns to the boot prompt and remains there. This condition occurs when there is no telnet session to the access point's console port and when the controller is not responding to the access point's join response.

Workaround: Disconnect the access point's console port from the terminal server. Reprogram the controller to have it respond to the access point's join request. Power cycle the access point to force a restart.

Upgrading External Web Authentication

When upgrading a controller from operating system release 2.0 or 2.2.127.4 to release 3.2.116.21 or later, update the external web authentication configuration as follows:

1. Instead of using a preauthentication ACL, the network manager must configure the external web server IP address using this command:

config custom-web ext-webserver add index IP-address


Note IP-address is the address of any web server that performs external web authentication.


2. The network manager must use the new login_template shown here:

<html>
<head>
<meta http-equiv="Pragma" content="no-cache"> <meta HTTP-EQUIV="Content-Type" 
CONTENT="text/html; charset=iso-8859-1"> <title>Web Authentication</title> <script>

function submitAction(){
     var link = document.location.href;
     var searchString = "redirect=";
     var equalIndex = link.indexOf(searchString);
     var redirectUrl = "";
     var urlStr = "";
     if(equalIndex > 0) {
            equalIndex += searchString.length;
            urlStr = link.substring(equalIndex);
            if(urlStr.length > 0){
   redirectUrl += urlStr;
         if(redirectUrl.length > 255)
        redirectUrl = redirectUrl.substring(0,255);
       document.forms[0].redirect_url.value = redirectUrl;
  }
     }

     document.forms[0].buttonClicked.value = 4;
     document.forms[0].submit();
}

function loadAction(){
     var url = window.location.href;
     var args = new Object();
     var query = location.search.substring(1);
     var pairs = query.split("&");
     for(var i=0;i<pairs.length;i++){
          var pos = pairs[i].indexOf('=');
          if(pos == -1) continue;
          var argname = pairs[i].substring(0,pos);
          var value = pairs[i].substring(pos+1);
          args[argname] = unescape(value);
     }
     //alert( "AP MAC Address is " + args.ap_mac);
     //alert( "The Switch URL is " + args.switch_url);
     document.forms[0].action = args.switch_url;

     // This is the status code returned from webauth login action
     // Any value of status code from 1 to 5 is error condition and user
     // should be shown error as below or modify the message as it suits
     // the customer
     if(args.statusCode == 1){
        alert("You are already logged in. No further action is required on your 
part.");
     }
     else if(args.statusCode == 2){
        alert("You are not configured to authenticate against web portal. No further 
action is required on your part.");
     }
     else if(args.statusCode == 3){
        alert("The username specified cannot be used at this time. Perhaps the user is 
already logged into the system?");
     }
     else if(args.statusCode == 4){
        alert("Wrong username and password. Please try again.");
     }
     else if(args.statusCode == 5){
        alert("The User Name and Password combination you have entered is invalid. 
Please try again.");
     }
 
}

</script>
</head>
<body topmargin="50" marginheight="50" onload="loadAction();"> <form method="post"> 
<input TYPE="hidden" NAME="buttonClicked" SIZE="16" MAXLENGTH="15" value="0"> <input 
TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE=""> <input 
TYPE="hidden" NAME="err_flag" SIZE="16" MAXLENGTH="15" value="0">
 
<div align="center">
<table border="0" cellspacing="0" cellpadding="0"> <tr> <td>&nbsp;</td></tr>
 
<tr align="center"> <td colspan="2"><font size="10" color="#336699">Web 
Authentication</font></td></tr>
 
<tr align="center">
 
<td colspan="2"> User Name &nbsp;&nbsp;&nbsp;<input type="TEXT" name="username" 
SIZE="25" MAXLENGTH="63" VALUE=""> </td> </tr> <tr align="center" > <td colspan="2"> 
Password &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="Password" name="password" 
SIZE="25" MAXLENGTH="24"> </td> </tr>
 
<tr align="center">
<td colspan="2"><input type="button" name="Submit" value="Submit" class="button" 
onclick="submitAction();"> </td> </tr> </table> </div>

</form>
</body>
</html>

Caveats

This section lists resolved, open, and closed caveats for Cisco controllers and lightweight access points.

Resolved Caveats

These caveats are resolved in software release 3.2.202.0.

CSCsb81363—The bootloader version does not appear in the output of the show sysinfo CLI command when the controller is booted with the backup image. The bootloader version appears only when the controller is booted with the primary image.

CSCsb88588—Incorrect power levels are reported for access points when the controller is set to country code SG.

CSCsd75425—Only one direction of ping traffic is shown to be PXF switched on a Cisco 10000 series router. This problem occurs on a router that is configured as a Provider Edge-1 (PE1) device of an MPLS VPN network when a PPP over ATM session is brought up and when pings are initiated across the MPLS VPN network.

CSCse33427—If you set the interface port to an incorrect value (3 or 4) on a 4402 controller using the controller CLI, an incorrect error message appears, and the controller sets the wrong port on the interface.

CSCsf26896—After you change the controller's management IP address, the controller replies to ARP requests from other devices with the old IP address.

CSCsg06736—The output from the show run CLI command is missing the output from the show auth-list command.

CSCsg18369 and CSCsh55789—When a large number of access points and clients are connected to the controller, the following error message appears, and the controller remains unresponsive: "Msg `MAC Entry Add Msg 1' of MAC Table failed for Mac 00:11:11:11:01:13, error value = 0xfffffffc."

CSCsg32267—Even if you disable 1M and 2M 802.11b operational rates, data is transmitted from the access point at that rate.

CSCsg56010—Some unnecessary access point images are not removed after an upgrade.

CSCsg72036—The controller might occasionally experience problems with certain client cards sending incorrect information to the 1240 series access point, which results in the access point going into discovery mode and generating an "L2 Queue Full" error message.

CSCsg75863 and CSCsd33178—The controller does not defend dynamic interface IP addresses. If another device on the network takes over the ap-manager IP address, the ap-manager does not defend its address. This behavior leaves the default router with the wrong MAC address, causing the access points to drop off the controller and bring down the wireless network.

CSCsg93477—On a 1000 series access point, the username and password may be lost when upgrading 4.0.

CSCsh56879—The Cisco WiSM reboots in the SNMPTask thread when you attempt to refresh the configuration from the controller using WCS.

CSCsh57637—When a controller is rebooted repeatedly, the Cisco 1000 series access points that are connected to the controller and using PoE may reboot during start-up. This is a relatively rare condition that can occur when the Ethernet port on the controller flaps during the access point start-up process.

CSCsh58395—After web authentication completes successfully, a gray web page appears with the following text: "Web Authentication." The web browser appears to be loading a page but never does. The original URL destination (such as http://www.cisco.com) never loads.

CSCsh61233—The controller cannot be upgraded directly from a 3.2 software release to a 4.1 software release.

CSCsh67667 and CSCsh67699—If you try to set an invalid physical port number for the management interface, an error message appears indicating that the requested port is not available. However, the controller accepts the invalid physical port number.

CSCsh80542—The controller shows multiple ARP entries for a 1000 series access point. This problem occurs when the access point is connected to the controller, has both radios disabled, and obtains a new IP address.

CSCsh82248—Dynamic frequency selection (DFS) should be enabled for the 5.250-to-5.350-GHz channels in the -A regulatory domain.

CSCsh86954—The Cisco Wireless LAN Controller Network Module for Cisco Integrated Services Routers might display Cisco Crash Handler messages during an upgrade of the controller software.

CSCsi16738—The controller might reboot due to a failure of the apfProbeThread task.

CSCsi23404—A FOMA client is unable to associate to an access point because the client does not support all of the data rates in the Basic Service Set parameter (0x0012).

CSCsi30659—The controller might reboot due to a failure of the mmListen task.

CSCsi39920—The controller might reboot with the following error message: "Rebooting with a trigger value of 0."

CSCsi71840—When you assign an invalid physical port number of 25 or less to the ap-manager and dynamic interfaces, the "Could not set the configuration" error message appears, and the invalid physical port number is set.

CSCsi77362—The ap-manager interface might go down after you upgrade the controller software.

CSCsj00849—The 2006 controller sends a disassociation request to the FOMA client even before the user idle timeout expires.

CSCsj07176—On rare occasions, a Cisco 1000 series access point may reboot when attempting to send a deauthentication frame to a client that is in power save mode.

CSCsj17743—If you set an invalid management, dynamic, or ap-manager port number larger than 26, the following incorrect error message appears: "Valid range is 0 <> 25."

CSCsj21964—The error message that appears when WLANs 9 through 16 are configured is incorrect. It should read, "Not all types of APs support WLAN IDs greater than 8, do you wish to continue?"

CSCsj25462—The SSC settings might be lost when you upgrade the controller software from software release 3.2.193.5 to 3.2.195.10.

CSCsj33948—When many access points are registered to the controller, the output for the show run-config CLI command is truncated at the Airwave director config.

CSCsj37792—A 1000 series access point might reboot due to a failure of the apHandlePowerMgt function when calling the semTake function and with the Data Access Register set to 0x4. This problem occurs when a large number of clients in power save mode are continually forced to roam between two access points.

CSCsj50127—A 4400 series controller running software release 3.2.171.5 reboots due to a failure of the mmSSHPeerRegister task.

CSCsj50149—An access point might reboot when tNetTask is not running and heartBeatJobAdded equals 1.

CSCsj75294—When you ping a controller from WCS, the ping receive count is not always equal to the number of pings sent.

CSCsj99816—"Port Mgmt failed" and "LRAD Table failed" errors appear on the controller console when the repeat controller switches over for a week or more.

CSCsk07866—When the access point and client association is repeated, the controller might reboot due to a failure of the SNMPTask.

CSCsk16686—While you are downloading software on the Cisco WiSM, the hapiMmcReceiveData() error message might appear.

CSCsk52653—A 4000 series controller might reboot due to a failure at 0x10292b1c (osapiReaperStart+108).

Open Caveats

These caveats are open in software release 3.2.202.0.

CSCar14535—When configuring a mobility group anchor that is not part of the mobility member list, the controller displays an "Invalid Parameter Provided" error message.

Workaround: Make sure that the anchor controller is a mobility group member.

CSCsa95763—The controller GUI cannot display more than 80 local net users on the Security > AAA > Local Net Users page.

Workaround: Use the controller CLI to view all the Local Net User entries.

CSCsb38486—The Cisco Aironet 1500 Series Lightweight Outdoor Access Point Bridge CLI does not accept 10-character bridge group names.

Workaround: Use 9-character bridge group names.

CSCsb52557—Cisco access points do not connect to the 4400 series controller if the time is not set first.

Workaround: Set the time on the controller before allowing the access points to connect to the controller.

CSCsb55937—VLAN-tagged large ICMP packets that need to be fragmented are not sent by Cisco Aironet 1000 series access points in direct-connection mode. Ping replies never come back when the access point sends requests to a gateway from a wireless client using large 1500-byte packets and with RADIUS override configured with any 1p tag.

Workaround: None.

CSCsb77595—When logging out from Telnet/SSH sessions, the session always prompts the user to save changes, even when no changes have been made.

Workaround: Answer Yes or No when prompted.

CSCsb85113—When users download the code image to WiSM using the CLI, associated access points are sometimes disconnected.

Workaround: Download new code images to the WiSM at times when there are no clients to be affected.

CSCsc01221—When downstream test data is sent from the wired endpoint to four wireless clients at different priority levels (voice, video, background, and best effort), the Cisco Aironet 1000 series access points crash.

Workaround: None.

CSCsc02741—In the bootloader mode, users are unable to exit or return to the main prompt. If users make mistakes while entering values, they cannot quit the step and are unable to go back and change existing values.

Workaround: Reset the system through IOS or power the device off and on if necessary.

CSCsc03072—Cisco lightweight access points do not always produce complete logs.

Workaround: None.

CSCsc11660—The current country screen is not 100% accurate for all deployment scenarios, which may cause confusion in some instances.

Workaround: None.

CSCsc22084—Error messages and traps are not triggered when a PoE controller with CDP causes Cisco Aironet 1200 series access points to disable their radios.

Workaround: Disabling CDP resolves this issue.

CSCsc22663—Deleting a mobility member mapped to a controller as an anchor removes the anchor's entry as well, but the Auto Anchor knob remains enabled even though only the mobility anchor mapping is deleted.

Workaround: Before deleting a mobility member, first delete the controller to which it is mapped from the WLAN.

CSCsc35784—The transmit power control adjustment levels 3, 4, and 5 are not supported on Cisco Aironet 1500 Series Lightweight Outdoor Access Points in the 5745-to-5825-MHz band. The transmit power control adjustment levels 4 and 5 are not supported on Cisco Aironet 1500 series access points that operate in the 5500-to-5700-MHz band and at 2.4 GHz.

These levels correspond to -6, -9, and (in the case of 5500 to 5700 MHz) -12 dB from the maximum power, respectively. Power levels 1, 2, and (in the case of 5500 to 5700 MHz) 3 are supported, which correspond to maximum power for the particular data rate and channel, and -3 dB relative to this maximum, at which these adjustment levels provide little or no further reduction in transmit power output.

Workaround: Set the transmit power level to either 1 or 2 for 5745 to 5825 MHz. Set the transmit power level to either 1, 2, or 3 for all other bands.

CSCsc40648—Rooftop access points are displayed in the web interface as poletop access points for more than four minutes, which prevents them from being configured.

Workaround: Configure the access point as a rooftop access point using the controller CLI.

CSCsc41313—The Cisco Aironet 1500 Series Lightweight Outdoor Access Points are configured by default to allow old bridges. When this configuration is enabled, the shared secret key set on the controller is not passed to the access points, so a few access points might be running on the old key. If these access points reset or new access points are waiting to join the running network, they may take a very long time to connect to the network or might not join at all. The default value has been changed to not allow old bridges to authenticate.

Workaround: Configure the controller using this command: config network allow-old-bridge-aps disable.

CSCsc56684 and CSCsd83743—Authentication fails if you enter a RADIUS-server key with more than 31 characters on the ACS server and a 4400 series controller.

Workaround: Do not enter more than 31 characters for the RADIUS-server key.

CSCsc75351—The controller CLI command debug mac addr client_mac_address, which is designed to limit debug output to the specified client, is not filtering client traffic.

Workaround: None.

CSCsc90425 and CSCsb71060—Internal LAG errors occur when the management interface is changed from tagged to untagged.

Workaround: Leave the WiSM management interface as tagged or untagged.

CSCsc92865—The session timeout value is not modified when issuing a CLI or WEP+802.1x WLAN GUI selection. The default value of 1800 seconds is retained.

Workaround: None.

CSCsd10643 and CSCse08725—A Vocera badge running MS-PEAP fails when trying to associate to an AP1010. This problem occurs because the controller is dropping the packets.

Workaround: None.

CSCsd18462—The transfer download tftppktTimeout ? command uses the wrong tag.

Workaround: None.

CSCsd25491—The management IP address of a controller incorrectly sends an ARP request for a client IP address on a WLAN subnet over the wired interface. The ARP request is not answered because the management IP address and the client WLAN are on different subnets.

Workaround: None.

CSCsd34555—If the access point is not in protection mode, the PC350 client adapter is unable to pass traffic.

Workaround: None.

CSCsd39873—The controller may report a WEP key encryption error for Intel 2200BG clients operating with OEM driver version 9.0.1.9, 9.0.2.5, or 9.0.3.9 and using some form of EAP authentication (PEAP, LEAP, EAP-FAST, or EAP-TLS).

Workaround: None. However, the client will attempt to reauthenticate and upon successful EAPOL key exchanges will communicate in a normal, encrypted fashion.

CSCsd41602—The controller may reboot due to a failure with the pemReceiveTask software watchdog.

Workaround: None.

CSCsd52483—When you make changes in the boot loader of a 2006 controller or a Controller Network Module, the bootup process may halt, and the controller may stop responding.

Workaround: None. The controller must be returned for repair through the RMA process.

CSCsd69158—After a RADIUS session timeout expires, the access point does not send a unicast key to the client.

Workaround: None.

CSCsd77121—Only one CLI session is permitted from the router into the controller, even if multiple sessions are configured.

Workaround: None.

CSCsd95723—Some users might be confused when presented with the None and DHCP options for configuring the service port interface in the initial controller setup wizard. These options are available for a controller that has no configuration and is being configured with the setup wizard.

Workaround: Users can interpret the None option as Static and a logical alternative to DHCP.

CSCse02235—Access points occasionally delay the transmission of beacons by 0.1 or 0.2 seconds. This condition occurs when the access points do not have any associated clients.

Workaround: None.

CSCse06202—When a controller's IKE lifetime expires, a rekey is not offered.

Workaround: None.

CSCse06206—The controller sends a DEL notification when the IKE lifetime is expired, but it does not send the notice to the client.

Workaround: None.

CSCse11202 and CSCse17260—WPA clients may receive an error message indicating that the WEP key is configured incorrectly on the client.

Workaround: None.

CSCse31500 and CSCsc02860—When users download the code image to a WiSM for the first time, the WiSM fails to download the new image to flash memory.

Workaround: Download new code images to the WiSM a second time.

CSCse32656—The 4402 controller supports an enhanced security module (ESM) card only in slot 1, not in slot 2. Slot 2 is reserved for 4404 controllers.

Workaround: Use slot 1, which is the slot closest to the power outlet, for an ESM card in the 4402 controller.

CSCse40636—The foreign controller incorrectly forwards multicast traffic onto the auto-anchor WLAN.

Workaround: Configure the WLAN on the foreign controller to map to an invalid VLAN.

CSCse60689—The controller may reboot due to a failure with the sshpmAddIPv4IpsecRules software.

Workaround: None.

CSCse68342—On a 2006 controller running software release 3.2.78 or 3.2.116, an SNMP query of the ipAddrTable, IP section of rfc1213 results in the return of 127.0.0.1 and looping (loopback is not configured). This may cause an "Agent in distress: spinning in ipAddrTable" error on the network management system (NMS) or an "OID not increasing: IP-MIB::ipAdEntrAddr.127.0.0.1" error.

Workaround: None.

CSCse87087—A controller with link aggregation (LAG) enabled fails Ethernet link redundancy. This problem occurs when the controller uses an Ethernet copper gigabit interface converter (GBIC) instead of a fiber GBIC and one of two Ethernet cables is pulled out of the GBIC.

Workaround: Clear the configuration on the controller. Reconfigure the controller and perform the redundancy test.

CSCse93890—The controller and access point clocks are not synchronized. Therefore, the access points may report timestamps that are out of sync with each other and the controller.

Workaround: Upgrade to controller software release 4.0 and use the management frame protection (MFP) feature to achieve clock synchronization across your controllers and access points.

CSCsf09647 and CSCse04713—The controller detects a rogue access point, but it may not acknowledge it as a "Rogue on Wired Network" access point on WCS.

Workaround: You can try to resolve this problem by downgrading your controller software to a release prior to 3.2.78.0.

CSCsf10167—The controller may reboot due to a failure with the pemReceiveTask software watchdog.

Workaround: None.

CSCsf11862—Controllers sometimes reboot during a software upgrade.

Workaround: Download the software image twice. On the second try, the controller successfully loads the new image.

CSCsf27201—You may receive a "Multicast Rx queue is full" message in your msglog even if multicast is disabled and no multicast traffic exists.

Workaround: None.

CSCsf31124 and CSCsh90756—The show run-config command sometimes enters a loop, continually displaying the "--More-- or (q)uit--" message.

Workaround: None.

CSCsf99924—In controller software releases 3.2.183.0 (and later) and 4.0.199.0 (and later), you cannot configure the controller to automatically adjust its local time for daylight saving time. In earlier controller software releases, a Daylight Time check box is available, but it does not correctly adjust the time in the Southern Hemisphere and is not programmed for the newly legislated daylight saving time changes for the United States in 2007.

Workaround: Follow these steps:

a. Configure the controller for Greenwich Mean Time (GMT) with no timezone offset.

b. During standard time, run the controller with the standard offset. Then, when daylight saving time rules go into effect, manually configure the controller to set the offset forward. When the standard time resumes, manually configure the controller to set the offset back.

For example, if your controller is in the Eastern Standard Time (EST) timezone, you would have the offset set to -5 prior to March 11, 2007. Then, at 02:00 on March 11, 2007, you would issue the following CLI command: config time timezone -4. Similarly, at 02:00 on November 4, 2007, you would issue the config time timezone -5 command.

CSCsg13067—An access point loses association with the controller with repeated associations or when free system memory is decreased to 4MB or less. Log information is recorded.

Workaround: None.

CSCsg26643—When the controller is running software release 3.2.150.10, 1030 bridge client traffic stops every 5 minutes because the forwarding table expires.

Workaround: None.

CSCsg48089—If you lose your controller password and have not backed up the configuration, the only recovery mechanism is to revert to the factory default configuration, which causes you to lose your configuration settings.

Workaround: None.

CSCsh05353—An error is returned when you attempt to display the Internal Webauth window. This error occurs when you go to Management > Web Login Page, ensure external webauth is not selected, and click Preview.

Workaround: None.

CSCsh17651 and CSCse06509—The 4400 series controller sends out an undersized frame when it connects to certain Catalyst switches (2970, 3560, or 3750).

Workaround: None.

CSCsh24239—Some class-of-service (CoS) values may be randomly assigned to Internet Control Message Protocol (ICMP) traffic from wireless clients.

Workaround: None.

CSCsh35098—Web authentication sends authentication requests to external authentication servers, even when there is no authentication server configured for the WLAN. If an external authentication server is configured on the controller and a client fails web authentication, web authentication sends the credentials to that external authentication server for validation.

Workaround: Change the Web Radius Authentication type from PAP to CHAP on the Controller > General page.

CSCsh55290—A foreign WLC sends an XID for STAs on the foreign controller when an STA in the foreign state does a DHCP release.

Workaround: None.

CSCsh85278 and CSCse42329—The controller management IP does not an AR-to-HSRP virtual MAC.

Workaround: None.

CSCsh90499—Errors occur when performing failover testing on the Cisco WiSM.

Workaround: None.

CSCsh91578—When you upgrade the controller from software release 3.2.193.5 to 3.2.195.10, the self-signed certificate (SSC) feature becomes disabled, which prevents any access point with a self-signed certificate from being able to rejoin the controller.

Workaround:

a. If SSC is disabled after a software upgrade, perform one of the following to re-enable it:

On the controller GUI, click Security > AP Policies and then check the Accept Self Signed Certificate check box on the AP Policies page.

On the controller CLI, enter this command: config auth-list ap-policy ssc enable

b. If SSC is disabled after a software upgrade and the SSC access point entries have been lost, perform one of the following to re-enable SSC and restore the access point entries:

On the controller GUI, click Security > AP Policies to access the AP Policies page. Then check the Accept Self Signed Certificate check box; enter the MAC address of the SSC access point in the MAC Address field, choose SSC from the Certificate Type drop-down box, and enter a key in the SHA1 Key Hash field; and click Add. Repeat this step for all SSC access points.

On the controller CLI, enter the following commands to enable SSC and restore any lost SSC access point entries:

config auth-list ap-policy ssc enable

config auth-list add ssc ap_mac ap_key

Repeat this step for all SSC access points.


Note A workaround is also available on WCS software release 4.0.97.0. Refer to the Release Notes for Cisco Wireless Control System 4.0.97.0 for Windows or Linux for instructions.


CSCsh96461—The Back button on the following Security > Wireless Protection Policies pages of the controller GUI does not work correctly. When you click the Back button, the current page reappears.

Trusted AP Policies

Rogue Policies

Standard Signatures

Custom Signatures

Client Exclusion Policies

AP Authentication

Workaround: Do not use the Back button. Select a page directly.

CSCsh97956—A controller cannot resolve the Address Resolution Protocol (ARP) after a software update.

Workaround: None.

CSCsi21884 and CSCsh77184—If you disable more than four of the data rates on the 802.11a (or 802.11b/g) Global Parameters page, the supported rates do not exceed 24 Mbps.

Workaround: Set the Radio Policy field to All or 802.11b/g only on the WLANs > Edit page.

CSCsi41700—ARP might not work properly on a 4000 series controller running software release 3.2.195.10.

Workaround: Add the default gateway for the controller into the network.

CSCsi42499—If you do not set the time on the controller through the configuration wizard during the initial installation, the access points cannot join the controller.

Workaround: Configure the time using the controller GUI or CLI.

CSCsi67145—In controller software release 3.2.193.5, clicking the GUI link to preview the web authentication login page causes a "404 Not Found" error message to appear. This problem occurs because the link sends you to http://WLC-IP/login_preview.html instead of to http://WLC-IP/screens/base/login_preview.html.

Workaround: Manually enter the correct path to have the web login page appear correctly.

CSCsj47983 and CSCsc59180—When WCS displays a rogue access point and a user sets the state to Known - External, WCS displays the access point as "Trusted Missing."

Workaround: None.

CSCsj86603—An excessive number of clients are being prevented from joining the controller. This behavior is triggered by the controller when clients are associated to another controller but in the probing state. When this problem occurs, the "Identity theft alert" message appears.

Workaround: Reboot the controller. If the problem continues, reconfigure the management interface ports. The same ports can be used for the reconfiguration.

CSCsj97775—A "Page Not Found" error message appears on a controller running software release 3.2.195.10 if you click Radios 802.11b/g on the Monitor page and then Details for one of the access points listed.

Workaround: You can obtain some of the same information from the Wireless tab on the controller GUI by selecting Radios 802.11b/g and then Details for one of the access points listed. However, none of the graphs included on the Monitor page are displayed.

CSCsk23015—An access point in REAP mode sometimes cannot join the primary controller after the primary controller recovers.

Workaround: Reboot the access point.

CSCsk42898—When the idle and session timeouts expire when using RADIUS authentication to perform device administration for the controller, the session does not terminate.

Workaround: None.

CSCsk63229—When a wireless client in Layer 3 mode roams repeatedly, it cannot associate to the access point joined to the foreign controller.

Workaround: Reboot the controller.

CSCsk97940—If you disable data rates 1, 48, and 54 Mbps, association responses include 24 Mbps as both a supported rate and an extended supported rate.

Workaround: Set data rates 1, 48, and 54 Mbps to Mandatory.

CSCsl03792—The controller loses its connection through Telnet while displaying the output of the show run-config CLI command.

Workaround: None.

CSCsl09263—The controller might reboot and display the following error message without generating a crash log: "Bounce: rebooting with a trigger."

Workaround: None.

CSCsl09407—Sometimes an emweb system crash occurs on the controller during a Telnet session.

Workaround: None.

CSCsl11361—When you enable 802.11b fast roaming, the following incorrect parameters appear in the roaming candidate access point list:

Some access points show the PHY Type as 802.11b in the ReassocRsp packet although the ReassoReq is 802.11g.

The Last Contact field shows the wrong value when the PHY Type is 2 (802.11g).

Workaround: None.

CSCsl12982—The 1100 series access points reboot continuously while trying to join the controller.

Workaround: None.

Closed Caveats

These caveats are listed in the "Open Caveats" section of the controller release notes for software release 3.2.195.13 and have been closed without being resolved in controller software release 3.2.202.0.

CSCsb01980—When the operator enters incorrect data for the management interface in the controller web configuration wizard, error messages are shown only at the end of the wizard, and the user must return to the Management Interface page for correction. The data entered on the Management Interface page, such as the port number, are not validated immediately but at the end of the wizard. As a result, any error messages are shown only at the end.

Workaround: Use the CLI configuration wizard.

CSCsb01983—The controller web configuration wizard is not reachable after making repeated invalid entries for the management interface port. If an operator connects to the wizard on address 192.168.1.1 and enters an invalid port number on the Management Interface page, the operator is redirected at the end of the wizard to the Management Interface page to correct the port. If the operator enters an incorrect port and submits, the wizard becomes inaccessible.

Workaround: Reboot the controller through the CLI to access the wizard again.

CSCsb07168—The AP1000 802.11a radio experiences a very low receive packet count when the receive RSSI is -75 dBm.

Workaround: None.

CSCsb55597—The access point's output power may change after you modify a mandatory data rate.

Workaround: None.

CSCsc70484—Most IPSec VPN clients start using the new security association (SA) immediately upon rekeying. However, the Cisco VPN Client continues to use the old SA for some time before switching to the new one, which results in packet loss until the client switches over.

Workaround: Use these WLAN settings on the controller to ensure that the client controls when the rekey process takes effect and the controller responds to the client for the phase 1 SA rekey:

Session Timeout: 0 seconds

Layer 3 Security: IPsec

IPsec Authentication: HMAC SHA1

IPsec Encryption: AES (If you choose 3DES, configure the IPsec lifetime to a value greater than the expected duration of the client session.)

IKE Phase 1: Aggressive

Lifetime: 43200 to 57600 seconds (12 to 16 hours)

IKE Diffie Hellman Group: Group 2 (1024 bits)

CSCsc77157—Multiple 4100 series controllers may simultaneously reset without crash files or message log entries being generated.

Workaround: None.

CSCsc92354—The Security > MAC Filtering page on the controller GUI shows MAC address filters in this format: XX:XX:XX:XX:XX:XX, which differs from the Cisco standard format of XXXX:XXXX:XXXX.

Workaround: None.

CSCsd44612—Multicast is failing when traffic is passed between two wireless clients on access points directly connected to 2006.

Workaround: None.

CSCse15932—The 4404 controller may reboot if the TimerTickTask software fails.

Workaround: None.

CSCse30514—When an LWAPP-enabled AP1100 or AP1200 first connects to a controller, the secondary controller name on the All APs > Details page in the controller GUI is not blank. The output of the show ap config general command also shows that the secondary controller name is not blank.

Workaround: None.

CSCse34481—Numerous system event messages are received when trying a TFTP download.

Workaround: None.

CSCse52143—IPSec authentication with certificates may not always operate properly.

Workaround: None.

CSCse72413—The controller may reboot due to a failure with the debugMaintask software.

Workaround: None.

CSCse80636—Under heavy traffic conditions, the VPN module may reach capacity and fail to accept additional packets.

Workaround: None.

CSCse88067—An "aborting SA dump due to timeout" error message is received when entering show ipsec brief command on the 4012 controller console.

Workaround: None.

CSCsf04684—On the 4400, the FPGA and VPN module are losing some packets. The packet loss is a small percentage of total throughput.

Workaround: None.

CSCsf17520—With REAP AP connected to the controller, the first WLAN with WMM enabled on the controller does not get a client DHCP IP address.

Workaround: You can disable the WMM from which the client gets the IP address.

CSCsf21931—The Cisco WiSM does not support Layer 2 LWAPP mode.

Workaround: The option to configure Layer 2 LWAPP mode is available through both the controller GUI and CLI.

CSCsf27061—If you are configuring the AP group VLAN, all controller interfaces (CLI, web, and WCS) show the dynamic ap-manager interface in the interface-mapping-to-the-WLAN list. Because dynamic AP manager is not supposed to be mapped to a WLAN, it should not appear in the list.

Workaround: None.

CSCsf28181—When two ct4400s are connected and security mobility is enabled, the client loses the current IP address from the dynamic interface during the handoff and gets a new IP address from the new controller.

Workaround: None.

CSCsh41347—The following warning appears when you enter dynamic interface details and click Apply:

Changing the Interface parameters causes the WLANs to be temporarily disabled and thus 
may result in loss of connectivity for some clients.

After accepting the warning message, the GUI does not apply the interface configuration. This warning occurs only on a ct4000 and ct2006.

Workaround: None.

CSCsh44942—When an ipsec client roams from a 4400 to a 4000 controller, a crash occurs in apfReceiveTask, and a "crypto card not responding" message occurs.

Workaround: None.

CSCsh45097—When associating a client to an ipsec WLAN on a 4000 locally, a "crypto card not responding" error message appears.

Workaround: None.

CSCsh47792—With a Ct3500 and AP1200 in local mode, the AP1200 crashes within 10 to 15 minutes after RLDP is enabled on the controller.

Workaround: None.

CSCsh47973—When the client idle timeout is expired and the client disassociates, the same disassociation packet sent by the access point to the client is repeated numerous times.

Workaround: None.

CSCsh53198—When sending upstream traffic from the wireless client to the wired client, DSCP mapping is not working on an AP1130.

Workaround: None.

CSCsh54674—The wrong default WLAN.1p value on platinum QoS profile displays.

Workaround: None.

CSCsi10071—The access point reboots after controller port recovery. If the access point is associating to the controller through the backup port, then when the primary port comes back, all of the access points reboot. At that time, the access point sends an "LWAPP CNTL ECHO_REQUEST" to the MAC address of the controller's backup port, but there is no response. Then the access point reboots. This behavior only occurs when you change the LWAPP operation mode from Layer 3 (with controller port redundancy enabled) to Layer 2 and you change the management VLAN or IP to a different subnet after changing to Layer 2 mode.

Workaround: None.

CSCsi21632—The access point sends out a deauthentication message (reason code: 0x0001) to FOMA clients at the interval set for WPA broadcast key rotation.

Workaround: None.

If You Need More Information

If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:

http://tools.cisco.com/Support/BugToolKit/

(If you request a defect that cannot be displayed, the defect number might not exist, the defect might not yet have a customer-visible description, or the defect might be marked Cisco Confidential.)

Troubleshooting

For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at

http://www.cisco.com/en/US/support/index.html

Click Product Support > Wireless. Then choose your product and Troubleshooting to find information on the problem you are experiencing.

Documentation Updates

This section lists updates to user documentation that has not yet been added to either printed or online documents.

Omissions

The Package Contents section in the Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers should be updated to include this item, which is included with the 4400 series controller:

DB-9 to DB-9 null modem cable

Related Documentation

For additional information on the Cisco controllers and lightweight access points, refer to these documents:

The Quick Start Guide for your particular controller or access point

Cisco Wireless LAN Controller Configuration Guide

Cisco Wireless LAN Controller Command Reference

Cisco Wireless LAN Controller Online Help

Cisco Wireless Control System Configuration Guide

Cisco Wireless Control System Online Help

Click this link to browse to the Cisco Support and Documentation page:

http://www.cisco.com/cisco/web/support/index.html

Obtaining Documentation, Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html