These caveats are open in controller software release 18.104.22.168.
- CSCsb77595—When logging out from Telnet/SSH sessions, the session always prompts the user to save changes, even when no changes have been made.
Workaround: Ignore the prompt and exit as usual.
- CSCsd54928—The CPU ACL is unable to block LWAPP packets that are destined for the IP address of the dynamic interface.
- CSCsd84706—Containment information for ad-hoc rogue access points is not shown on the controller GUI.
Workaround: Use the controller CLI.
- CSCsd95723—Some users might be confused when presented with the None and DHCP options for configuring the service port interface in the initial controller setup wizard. These options are available when a controller has no configuration and the setup wizard is being used to configure it.
Workaround: Users can interpret the None option as Static and a logical alternative to DHCP.
- CSCse06202—When a controller’s IKE lifetime expires, a rekey is not offered.
- CSCse06206—The controller sends a DEL notification when the IKE lifetime expires, but it does not send the notice to the client.
- CSCse87087—A controller with link aggregation (LAG) enabled fails Ethernet link redundancy. This problem occurs when the controller uses an Ethernet copper gigabit interface converter (GBIC) instead of a fiber GBIC and one of two Ethernet cables is pulled out of the GBIC.
Workaround: Clear the configuration on the controller. Then reconfigure the controller and perform the redundancy test.
- CSCsg04831—There are not enough debugs to determine the packet flow in the controller for guest access.
Workaround: Use a wireless sniffer trace.
- CSCsg48089—If you lose your controller password and have not backed up the configuration, the recovery mechanism is to revert to the factory default settings.
- CSCsg66040—After a software upgrade, controllers might experience intermittent access to the management interface through HTTPS.
Workaround: Follow these steps to work around the issue:
a. Make sure HTTPS is enabled on the controller’s management interface, reboot the controller from the CLI, and monitor the last service if error messages appear after the controller prompts you to enter a username and password to log in.
b. Log in with the relevant credentials and reconfigure the virtual interface with this CLI command:
config interface address virtual 22.214.171.124
c. Reboot the controller and make sure the Secure Web service shows up as OK.
d. Generate a certificate using this CLI command:
config certificate generate webauth
e. Click Yes when prompted and wait a few minutes for the certificate to generate.
f. Reboot the controller.
- CSCsg68046—The complete reason for a TFTP download failure needs to appear on the controller GUI. If the controller cannot find the software file on the TFTP server during a software upgrade, it reports that the transfer failed rather than that the file is not present.
Workaround: Make sure that the file and filename are entirely correct before upgrading, or upgrade using the CLI to receive a more accurate reason for the failure. Further details are available if you use the debug transfer all enable command prior to upgrade.
- CSCsg74578—If you change a controller’s management IP address, it is not sent to the access point unless the access point is reset. As a result, multicasting does not work until the change is made on the access point.
Workaround: Reset the access point so that it rejoins the controller and the controller updates the access point with the new configuration.
- CSCsg84209—The export foreign controller is not deleting the client device when it receives a HandoffEnd message.
- CSCsg87111—While editing a WLAN configured for WPA1+WPA2 with a conditional web redirect to 802.1X, the MIB browser shows a commit failure error.
Workaround: Do not directly change from WPA1+WPA2+conditional web redirect to 802.1X+conditional web redirect. Instead, follow these steps:
a. Remove conditional web redirect and save your change.
b. Change Layer2 to 802.1X and save your change.
c. Change Layer3 to conditional web redirect and save your change.
- CSCsg88704—When you use the default controller setting of 512 for the controller database size, the following problems may occur:
– If you attempt to add a MAC address to a very long MAC filter list, the following error message appears: “Error in creating MAC filter.”
– If you add a large number of users to the local database, some user entries might be silently ignored.
– If you add SSCs for the access points, at some point no more entries can be added, and the following error message appears: “Authorization entry does not exist in Controller’s AP Authorization List.”
Workaround: Configure a larger value for the controller database, such as 2048.
- CSCsg95474—Lightweight access points do not queue disassociation messages, causing the Cisco 7921 phone to remain in a registering loop. This problem occurs when you change the data rate on the access point.
Workaround: Power cycle the 7921 phone.
- CSCsh11086—If you press Ctrl-S and Ctrl-Q to pause and restart the output of a command such as debug dot1x event enable, the controller reboots.
Workaround: Do not stop the console using Ctrl-S.
- CSCsh15411—When an access point drops the IAPP packet from a CCX client just after association, the CCX Layer 2 roam history may not be available for CCX clients on the controller.
- CSCsh31104—The word channel is misspelled in the message log.
- CSCsi06191—After you reboot the controller, the master controller mode is disabled.
- CSCsi13399—The Expiration Timeout for Rogue AP Entries parameter on the Rogue Policies page applies to both rogue access point entries and rogue client entries. The parameter name should be changed to reflect both types of entries.
Workaround: None. This is a cosmetic issue.
- CSCsi17242—If a controller starts a timer (such as reauthentication or keylife time) after running for approximately 52 days, the timer might take a long time to fire (up to another 52 days).
Workaround: Clean up the timers. If the problem is related to the client, deauthenticate the client to clean the timer. If the problem is related to the WLAN, such as a broadcast key update, disable and then re-enable the WLAN.
- CSCsi26248—You might lose connectivity when adding or recovering a second link aggregation (LAG) link.
Workaround: Recover the LAG link when service is not in use. You might also want to consider not using this type of configuration.
- CSCsi30541—Loss of connectivity to the management interface occurs when you add a new dynamic interface and the configured DHCP server on all other interfaces is in the new dynamic interface subnet and the new interface has a shorter mask than the other interfaces.
Workaround: Configure a 10/24 interface or a different 10/16 subnet such that the new dynamic interface does not contain the DHCP server IP address currently defined on all interfaces.
- CSCsi40354—Traffic stream metrics (TSM) information is not sorted chronologically on the controller GUI.
- CSCsi72324—A service port with IP address 0.0.0.0 responds to an ARP for the AP-manager interface.
Workaround: Unplug the service port and reconfigure it on the correct subnet.
- CSCsi72578—After you set up the mobility anchor feature between two controllers, the client does not successfully connect to the specified anchor controller when the WLAN QoS profile is set to bronze.
Workaround: Change the WLAN QoS profile on both the internal controller and the anchor controller to silver.
- CSCsi72767—A script runs each time you generate a dependency file, which makes the build very slow.
- CSCsj03124—RLDP behavior is inconsistent when initiated from a Cisco 1250 series access point.
Workaround: Use access points other than the 1250 when RLDP needs to be used.
- CSCsj06245—Portions of the output of the show tech-support CLI command might be formatted incorrectly, making the information difficult to read.
- CSCsj10755—When multicast mode multicast and IGMP snooping are enabled, the controller periodically sends out IGMP query messages to the clients. This IGMP query is sent as individual queries to each access point.
- CSCsj10945—The controller does not factor in the antenna gain when reducing the output power.
Workaround: Manually adjust the antenna gain, but this action can interfere with auto RF.
- CSCsj14255—Sometimes the multicast stream to wireless clients stops, and the upstream router does not receive IGMP reports. This problem occurs when there are multiple IGMP requests on the same VLAN and the controller responds only to the last query or when simultaneous IGMP queries are sent from more than five VLANs and the controller responds to only the first five.
- CSCsj14304—With IGMP snooping enabled, MGIDs are assigned to reserved multicast addresses.
Workaround: Use an upstream ACL if packets with reserved multicast addresses need to be blocked.
- CSCsj17054—A misleading message appears on the controller GUI when you upload software or certificates.
Workaround: Ignore the message and choose the correct options to upload files on the controller.
- CSCsj29501—When the session slot or telnet command times out on the supervisor on the Cisco WiSM and you try to log in again, any character that you enter is duplicated.
Workaround: Use a direct console connection to the Cisco WiSM.
- CSCsj44861—An access point might transmit neighbor messages when it is not connected to a controller.
- CSCsj54064—The downstream throughput is low when using a long packet size with ACLs on the 4400 series controller and the Catalyst 3750G Wireless LAN Controller Switch.
- CSCsj59237—The traffic stream metric (TSM) packet count is not reported correctly.
- CSCsj59441—Channel information for a rogue access point does not appear on the rogue access point report.
Workaround: Enable the rogue access point trap for the registered controllers or view the channel information on the controller.
- CSCsj61649—Whenever a log analysis report is generated on a CCXv5 client using WCS, the DHCP and AAA logs are swapped.
Workaround: Use the controller CLI to view this information.
- CSCsj67447—When you use the controller GUI to modify an existing (or newly created) guest LAN and you choose an ingress interface that is already in use, no error appears. The error that appears on the CLI should also appear on the GUI: “Ingress interface is in use by some other guest lan.”
- CSCsj85329—The controller GUI should explain how the password changes with RADIUS compatibility mode. The RADIUS server names help users match to their type of RADIUS server, but the server types should be explained:
– Cisco ACS—In the RADIUS access-request packet, the username is the client MAC address, and the password is the client MAC address.
– Free RADIUS—In the RADIUS access-request packet, the username is the client MAC address, and the password is the controller’s shared secret with the RADIUS server.
– Other—In the RADIUS access-request packet, the username is the client MAC address, and the password is not sent in the RADIUS access-request packet.
- CSCsj87925—The controller GUI netmask for an ACL accepts arbitrary values.
Workaround: Enter a valid netmask.
- CSCsj88889—WGB and wired WGB clients are shown using different radios.
- CSCsj88990—Rogue access point client information shown for the access point does not match the client information from the Rogue Client Details link.
Workaround: View the current rogue client information from the controller.
- CSCsj96589—Using the MAC address from the label on an 1131 or 1242 access point in the debug mac addr command produces limited debug output.
- CSCsj97900—The call admission control (CAC) TSPEC is not traffic shaping and allows a new call setup when the physical data rate is higher than one single data rate configured on the controller.
Workaround: Follow the instructions in the VoWLAN deployment guide to enable a realistic higher data rate for the Cisco 7921 phone and turn on the supported rate as recommended.
- CSCsk01633—The EAPOL key message is truncated with an invalid replay counter.
- CSCsk08401—The formatting for the config paging ? CLI command needs to be corrected.
- CSCsk08707—The 1250 series access points receive console error messages indicating that the primary discover decode failed.
- CSCsk12420—Sometimes a 1000 series access point does not accept the DHCP offer from a Catalyst 3750 switch.
- CSCsk17001—When a guest LAN with a blank ingress interface name is added to the controller, the application fails with an SNMP exception message.
Workaround: Use the controller CLI to configure a guest LAN. You might need to delete a previous guest LAN if it has a blank ingress interface configured on it and then recreate it. By default, the ingress interface is blank.
- CSCsk22861—An MGID entry is not cleared from the access point when IGMP snooping is disabled.
- CSCsk49157—When you change the session timeout of a WLAN that is using a backend RADIUS authentication server, any existing client that is using that WLAN shows its reauthentication timeout as infinite, even though there is a finite time after which reauthentication occurs.
- CSCsk49200—The hybrid-REAP local switching option should be removed for wired guest LANs.
- CSCsk49282—The guest LAN and WLAN are not clearly differentiated.
- CSCsk50477—The BCAST_Q_ADD_FAILED message contains typographical errors.
- CSCsk60655—The default frequency value in the intrusion detection system (IDS) file should be equal to or greater than the maximum deauthentication packets sent by an access point.
- CSCsk63047—Dynamic transmit power control (DTPC) does not work on Cisco 1240 series access points in WGB mode.
- CSCsk68117—U-APSD state changes on a client device are not updated on the controller.
Workaround: Reboot the access point, or disassociate the client from the controller and then reassociate it.
- CSCsk74050—If you configure an ACL name with 32 characters, the ACL override fails during roaming.
Workaround: Use ACL names with up to 31 characters.
- CSCsk78264—A change in the RF domain name takes effect only after a reboot.
Workaround: Reboot the controller after changing the RF domain name.
- CSCsk79382—CCXv4 and CCXv5 clients receive an Adjacent Access Point Report from the controller even though this report should be sent only to CCXv2 and CCXv3 clients.
- CSCsk83426—A hybrid-REAP access point does not reauthenticate after entering standalone mode.
- CSCsk85091—If Rogue Location Detection Protocol (RLDP) is enabled on the controller, you may see radio reset messages on the access point console. There may also be a brief interruption in client traffic flow.
Workaround: Disable RLDP.
- CSCsk86536—The wrong error message appears when you change country channels with the 802.11a radio enabled.
- CSCsl01005—Sometimes bandwidth contracts do not take effect. If a user who has bandwidth restrictions logs in and logs out and then another user who does not have bandwidth restrictions logs in, the bandwidth restrictions are not removed immediately.
Workaround: Reassociate the user between logout of the old user and login of the new user.
- CSCsl03097—When a hybrid-REAP access point in standalone mode is on the DFS channel, the access point’s radio goes down if a radar event occurs on its operating channel.
Workaround: Wait until the access point’s connectivity to the controller recovers, or reboot the access point.
- CSCsl04281—The show run-config command might truncate access point neighbor information in a large environment.
Workaround: To reduce the occurrence of this issue, disable paging using the config paging disable command.
- CSCsl09066—The WCS access point group VLAN profile configuration does not match the actual WLC configuration when you use multiple interface mapping profiles under the same access point group VLAN where all of the SSIDs start with the same letters or numbers.
- CSCsl11352—The console output in software release 4.2 does not indicate which controller an access point joins when you add it to your network.
Workaround: On the access point console, right after you see the “Press Return to get started” message, enter enable mode (the default password is Cisco), and enter this debug command:
debug ip udp
The output shows all UDP packets sent and received by the access point.
- CSCsl16445—When an access point radio status is down due to lack of CDP response from a neighboring switch, the controller reports Cause=Unknown. However, it should report Cause=Waiting for CDP response.
Workaround: None; this issue is cosmetic.
- CSCsl40018—The hybrid-REAP design and deployment guide incorrectly implies that you can configure NAT on both the hybrid-REAP and controller sides of the network link. In reality, NAT is supported only on the access point side of the network link. The hybrid-REAP design and deployment guide is available at this URL:
- CSCsl41764—An access point should send a neighbor list to its clients as soon as it accepts the association.
- CSCsl42328—The controller should not allow you to use the IP address of the gateway as the interface address.
Workaround: Make sure that the interface IP address and gateway IP address are different.
- CSCsl47720—The link test report for a CCX client generated using the controller GUI does not provide enough information.
Workaround: Use the controller CLI. It always provides the correct link test report, except in cases of a CCX client connected to a hybrid-REAP access point broadcasting a centrally switched WLAN.
- CSCsl48639—An IP address can be configured on a dynamic interface on a controller when that IP address has already been assigned to another device on the network.
Workaround: Check the ARP table on the switch to see if the IP address is bound to a MAC address on the network that is not the controller MAC address.
- CSCsl48776—Controllers sometimes incorrectly forward SSC authentication requests to a RADIUS server.
- CSCsl52445—The internal web authentication page on the controller accepts up to 2,047 characters, but the internal web authentication page in WCS accepts only 130 characters.
Workaround: If you need to enter more than 130 characters on the internal web authentication page, use the controller interface instead of WCS.
- CSCsl57356—When an 802.11n client is associated to a 1250 series access point, sometimes the client does not show up as 802.11n on the controller GUI and CLI. Instead, the controller shows the associated client using the 802.11a or 802.11b protocol if using the 2.4-GHz or 5-GHz band, respectively. However, the client software shows that the client is connected using the 802.11n protocol and at 802.11n data rates.
- CSCsl67177—The Catalyst Express 500 (CE500) might lose connectivity to a 4400 series controller when one port of the portchannel is shut down.
Workaround: Unplug and then plug in both Etherchannel links on the CE500 or the controller. Plug in or unplug any device on the CE500.
- CSCsl70043—When a client device connects to a secure EAP WLAN and immediately switches to an open WLAN, the access point sends a status 12 association response (which is normal) but sends it from the wrong MAC address and BSSID.
Workaround: On the controller CLI, enter config network fast-ssid-change to allow the client devices to connect without incident.
- CSCsl79260—Wired guest LAN clients do not get an IP address if DHCP proxy is disabled.
Workaround: Do not disable DHCP proxy.
- CSCsl79765—When connected to a controller, 1230 series access points containing AIR-MP31G radios sometimes disable the radios and report that no channel is available.
Workaround: Contact Cisco TAC for more information. A Cisco internal-only procedure can be used to update missing environment variables and burn them into a cookie.
- CSCsl95615—When a master controller exists on the network, an access point that is joined to a secondary or tertiary controller keeps going back to discovery.
Workaround: Disable the master controller mode.
- CSCsm03461—A command is needed to show the ER image or bootloader version that is currently running as well as the one that will be installed on the next bootup. Currently, the bootloader is used to verify if an ER image or bootloader upgrade is successful. However, not all controllers include the bootloader in the ER image.
Workaround: Install the Cisco Unified Wireless Network Controller Boot Software 126.96.36.199 ER.aes file, which contains a new bootloader. A successful transfer and upgrade of the ER file indicates that the ER file has been updated properly.
- CSCsm05607—Large user packets might fail to be successfully forwarded in an EoIP mobility/guest tunnel between controllers.
Workaround: Perform one of the following:
– Reconfigure the IP endpoints to use smaller MTUs.
– If an IOS router is in the IP path used by the IP endpoints, use ip tcp adjust-mss 1300 (or a similar value) to have the endpoints reduce the size of the TCP/IP packets that they transmit.
– Redesign the network path between the EoIP tunnel endpoints to eliminate ICMP filters, tunnels, NAT translation, firewalls, and so on so that it can forward 1500-byte IP packets without fragmentation.
- CSCsm08623—If the config paging disabled CLI command is entered on the controller, the output of the show msglog command is periodically interrupted with the “Would you like to display the next 15 entries?” prompt.
- CSCsm25943—The meaning of the following error message on the controller is not clear. This message does not necessarily imply that any actual “ARP poisoning” is occurring. Rather, this message appears when a WLAN is configured for DHCP Required and a client (after associating to this WLAN) transmits an ARP message without first using DHCP. The client is unable to send or receive any data traffic until it performs DHCP through the controller.
DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received with invalid SPA 192.168.1.152/TPA 192.168.0.206
Workaround: Perform the following steps:
a. Determine whether you want to force your wireless clients to perform DHCP first, after associating, before they can send IP packets.
– If you do, then disable DHCP Required, and you will not encounter this problem.
– If you do not, then configure all clients to use DHCP.
b. If the client is configured for DHCP but sometimes still sends IP packets after associating without performing DHCP, then perform the following:
– Verify that the client eventually does perform DHCP without undergoing an unacceptable outage. If the outage before performing DHCP is acceptable, then you can ignore this message.
– If the client never does perform DHCP after associating, then it can never pass Layer 3 traffic. In this case, either determine how to change the client’s behavior so that it always performs DHCP after associating, or simply accept that this client does not work in this application or reconsider your decision to use DHCP Required.
- CSCsm32845—The Guest LAN parameter on the Interfaces > Edit page of the controller GUI might cause confusion for users because the guest LAN is used for interfaces involved in wired guest LANs, not for wireless guest WLANs.
- CSCsm34676—Voice quality might be poor with multicast paging.
- CSCsm40870—The following error message should be reworded:
Jan 24 15:20:55.374 apf_80211.c:2552 APF-4-ASSOCREQ_PROC_FAILED: Failed to process an association request from00:13:ce:37:8b:ff. WLAN:2, SSID:TMDInternal-WPA. mobile in exclusion list or marked for deletion
The message should read as follows:
ASSOCREQ_PROC_FAILED: Failed to process an association request from 00:13:ce:37:8b:ff. WLAN:2, SSID:TMDInternal-WPA. Mobile excluded or marked for deletion.
- CSCsm40903—Additional information is needed for the following message: “claspam_lrad.c:1626 LWAPP-6-PORTMAP_ERR: Failed to obtain multicast port map for interface 4, using default index (50).”
- CSCsm40906—The following message appears on the 2106 controller when multicast is disabled: “claspam_lrad.c:1626 LWAPP-6-PORTMAP_ERR: Failed to obtain multicast port map for interface 4, using default index (50).” No multicast messages should appear when multicast is disabled.
- CSCsm65043—1240 series access points might stop accepting new clients. In this case, the show controller d1 command shows the following:
Beacon Flags: 0; Beacons are disabled; Probes are disabled
Workaround: Reboot the access point.
- CSCsm71573—When the following message appears, it fills up the entire message log:
mm_listen.c:5078 MM-3-INVALID_PKT_RECVD: Received an invalid packet from 10.0.x.x. Source member:0.0.0.0. source member unknown.
- CSCsm79901—Wired clients attached to a workgroup bridge (WGB) are retaining the previous IP address after the WGB obtains a new IP address. As a result, the wired client stops sending traffic to the infrastructure network.
Workaround: Release and renew the DHCP IP address manually on the WGB wired client.
- CSCsm80423—The controller cannot block Layer2 multicast traffic.
- CSCsm82725—Clients are able to connect to the Internet without authenticating when using web authentication and port 53 on a proxy server.
- CSCsm82984—When a controller and an access point are brought up with factory default settings, you can Telnet to the access point (even though the show ap config general Cisco_AP CLI command shows the Telnet feature as disabled). Also, once Telnet and SSH are enabled, they are not disabled after you clear the controller’s configuration (even though the output of the show command indicates that they have been disabled).
- CSCsm84952—When you configure wired and wireless guest WLANs on two controllers, a wired guest user obtains an IP address but does not always receive the web authentication page or cannot log in properly. Additionally, a reattempt by the wired client might result in obtaining an IP address from the other controller, causing the client to appear to have been handed an IP address from each controller.
Workaround: Disable the wired guest WLAN on one of the controllers and enable it as needed. Using an external DHCP server might resolve this issue as well.
- CSCsm89253—The controller should log a message if it sends “Telnet is not allowed on this port” to Telnet clients.
- CSCsm94702—When the controller is configured through the service port, the VLAN ID and port information do not appear in the output of the show int summary CLI command.
- CSCsm95478—HT protection bits might incorrectly report the operating mode.
- CSCsm96105—The controller does not pass traffic to a client device with a MAC address beginning with 00:00:00:00. This issue occurs with both WGB and wireless clients.
- CSCsm98659—The clcCdpGlobalEnable SNMP variable cannot be set on the controller unless there is at least one access point present on the controller. This creates problems when trying to add a new controller to WCS. When you create a new controller template on WCS and set the Global CDP on APs value to false, the template cannot be pushed out to any controller that does not have an access point associated to it.
Workaround: Add an access point to the controller. Then you can add the controller to WCS or change the CDP parameter.
- CSCso02340—The controller might report a different power level than is actually used by the access point if you change the channel from one supporting one transmit power to another supporting a different transmit power.
Workaround: Reapply the power configuration.
- CSCso02467—When logging into a lobby ambassador account, you are able to create permanent guest user accounts by setting all parameters to “0.” After logging back into the account, you can verify that these permanent accounts were created under Security > Local Net Users.
- CSCso04989—The controller does not acknowledge video and voice streams from the client for about 60 ms. This problem occurs when WMM is used with Intel 4965 clients on Windows Vista.
- CSCso07457—When the controller downloads a file using FTP, WCS shows the previous transfer state as the intermediate state, which is different from the final transfer state.
- CSCso31067—Some clients might experience failures during upstream-only prioritized traffic on 802.11a, despite radio resource management (RRM) features being disabled.
- CSCso31640—When you downgrade a 2100 series controller from software release 5.1 to software release 188.8.131.52, any hybrid-REAP groups configured on the controller are lost after the downgrade.
Workaround: None. You must reconfigure the hybrid-REAP groups.
- CSCso47897—The MAC address table on the switch might show an invalid MAC address coming from the interfaces attached to the controllers.
- CSCso60597—If a 1250 series access point is configured for 20-MHz channel width and is then placed into sniffer mode, you cannot change the channel width to Above 40 MHz or Below 40 MHz. If the access point is configured for Above 40 MHz or Below 40 MHz before it is placed into sniffer mode, you can change the channel width to 20 MHz but not to a 40-MHz setting.
Workaround: Return the access point to local mode in order to modify the channel width settings. Then return it to sniffer mode. This process requires a minimum of two reboots of the access point.
- CSCso66183—Symbol Vocollect devices might disassociate from Cisco 1240 series access points and display the following error message:
"3/30/2008 04:42" Error " Mar 30 04:47:25.626 spam_api.c:816 WAPP-3-MAX_AID: Reached max limit (200) on the association ID for AP 00:1d:a1:90:11:10"
"3/30/2008 04:42" Error " Mar 30 04:47:21.703 spam_api.c:816 WAPP-3-MAX_AID: Reached max limit (200) on the association ID for AP 00:1d:a1:90:11:10"
Workaround: Manually power-cycle the access points.
- CSCso97776—If you enable MFP when a guest LAN is configured, the controller might show unwanted logs.
- CSCsq01766—When you change an access point’s radio configuration, it sends a deauthentication request using the wrong BSSID.
- CSCsq06451—If you configure a guest LAN and map the ingress interface to a guest LAN interface, you cannot change the mapping to None using the controller GUI.
Workaround: Use this CLI command to change the mapping to None: config guest-lan ingress-interface 1 none.
- CSCsq06690—The following log might appear unexpectedly on the controller: “Memory 0x3022c8e0 has been freed!”
- CSCsq11933—The controller GUI should show additional client counters, such as device type, rates, current, supported rates, power save, connection-related statistics, and APSD-related information.
- CSCsq14326—A 4400 series controller using a Cisco ACS as a TACACS+ server does not log these CLI commands into the ACS:
– config hreap group name add
– config hreap group name ap add 00:1c:58:34:40:cc
– config hreap group name ap add 00:1a:a1:3f:07:08
– config hreap group name delete
- CSCsq19324—If you enter a long value for the access control list (ACL) name on the Access Control Lists page of the controller GUI and click Apply, the value appears in HTML text below the ACL Name field.
- CSCsq19430—The GUI of a 2106 controller shows a guest LAN interface, even though it is not supported.
- CSCsq19472—Cisco Compatible Extensions RM measurements are inaccurate if beacon, channel load, frame, and noise histograms are triggered together.
Workaround: Trigger the RM measurements one at a time.
- CSCsq21956—An error occurs when you create a guest user and then try to edit the guest user’s parameters such as lifetime, role, and so on through the controller GUI.
Workaround: Use the controller CLI to edit the guest user’s parameters.
- CSCsq22518—CCKM clients using WPA2 reauthenticate when moving between hybrid-REAP access points.
- CSCsq22827—The access point name sometimes disappears from the controller GUI and CLI.
- CSCsq23594—When a CCXv5 request is manually sent to a CCXv5 client, an emergency log message is written to the log and sent to any configured syslog servers.
- CSCsq23806—Guest tunneling might not work if the WLAN on the foreign controller is created using the controller GUI and the WLAN on the anchor controller is created using WCS.
Workaround: Reboot the anchor controller or use the same method (either the controller GUI or WCS) to create the WLAN on both the anchor and foreign controllers.
- CSCsq25129—A controller software upgrade might fail with a Nessus scan running.
- CSCsq26051—When a Cisco terminal server connects to the controller but the user is not logged in through the console, the controller might hang after a reboot.
- CSCsq29243—When you configure the 802.11h channel switch mode, you should be able to enter only 0 or 1, but you can enter any value.
- CSCsq30821—When a WLAN is configured on two controllers using web authentication and the WLAN is on a different VLAN on each controller, web authentication can be bypassed if a client roams from one controller to another controller and then back to the first controller.
Workaround: Make sure that any WLAN spanning two controllers using web authentication is on the same VLAN on both controllers.
- CSCsq31622—An SNMP error occurs when you enable voice and video parameters on the controller using WCS.
Workaround: Disable all WMM-enabled WLANs and enable voice and video parameters.
- CSCsq32038—The config interface CLI command allows up to 31 characters to be entered for the interface name. It should allow up to 32 characters.
- CSCsq34262—A traceback might occur if you include three controllers in the same mobility group and enable a dynamic interface on all of them.
Workaround: Reset the controller.
- CSCsq35402—After you upgrade the controller to software release 184.108.40.206, the following error message appears on the console of the Cisco WiSM controllers: “Mon May 19 12:56:44 2008: dtlARPProtoRecv: Invalid ARP packet!”
- CSCsq35574—The Authorityid and the server key do not accept a value of 17 or greater.
- CSCsq35590—If you change a 1240 series access point’s country of operation from Spain to the U.S., tracebacks might occur while the access point joins the controller.
- CSCsq37810—If you add a controller to WCS and later reboot the controller, WCS does not receive the trap for a cold start, which prevents it from pushing the configuration back to the controller.
Workaround: Manually push the configuration from WCS.
- CSCsq38075—If you change a 1240 series access point’s country of operation to Spain, tracebacks might appear on the access point console.
- CSCsq38700—If you change the power level on an access point radio while clients are associated to the access point, the controller might display DOWN for the operational status of that radio. However, clients continue to pass traffic and function properly.
- CSCsq47493—The cLReapApVlanId is not being updated on the controller, and the API is not throwing any exception to indicate that it has not been set.
Workaround: First change the native VLAN ID. Then change the cLReapApVlanId.
- CSCsq67907—If a large number of rogue access points are present and there is a substantial amount of client activity, the apfRogueTask might report lock asserts.
- CSCsq73118—When a Cisco WiSM is used with multiple WLANs and the VLAN override feature, malformed packets might appear on the native VLAN associated to the link aggregation (LAG) trunk.
Workaround: Isolate the native VLAN on the switch so that it does not propagate malformed packets.
- CSCsq74144—The controller does not show the channel on which an access point in sniffer mode is sniffing. It shows only the last channel on which the access point was broadcasting in local mode.
- CSCsr01195—The controller drops a packet after a train of large packets.
- CSCsr02316—Some SNMPSet operations show a successful status even though the controller is truncating the string.
Workaround: Set a shorter value for the string.
- CSCsr18694—After passing a substantial amount of traffic, the D0 interface might shut down on a controller running software release 220.127.116.11. Some packets might be stuck in the queue.
- CSCsr20434—Missing and invalid message integrity check (MIC) management frame protection (MFP) traps might be reported on 1250 series access points.
- CSCsr32354—When a 1250 series access point with an external power supply is connected to a 6548 FE blade inside a Cisco Catalyst 6500 switch, the line protocol does not come up after a reset. This problem also occurs intermittently when a power injector is used.
- CSCsr44439—The web authentication page does not load on the browser when the client connects through a wired guest VLAN on a controller running software release 18.104.22.168.
- CSCsr45163—When IPv6 clients move from an access point group or VLAN to a new access point group or VLAN, they lose connectivity because all traffic is forwarded to the old VLAN.
Workaround: Configure the clients with a static IPv6 address.
- CSCsr53764—When workgroup bridges (WGBs) are installed on a train and clients joined to the WGBs are running some type of application, the WGBs roam very quickly between access points, and some wired clients might become stuck at a specific access point.
Workaround: Reset the WGBs, enter the clear bridge command on the WGBs, or wait for the WGBs to roam back to the access point where the client is stuck.
- CSCsr55953—The controller might drop traffic to the CPU and log the following message: “NP3400_interrupt.c:3766 Could not enqueue pkt_type 6 (proto 0x0000, len 108), return -12.( 6 suppressed msgs).”
- CSCsr58532—The following error message might appear on 2106 controllers: “sim_config.c:194 SIM-3-INTFGET_GIG_ETH_FAIL: Failed to get the interface number of the Gigabit Ethernet Port.”
- CSCsr63100—The controller’s message log sometimes fills with “sysapi.c:160 SYSTEM-3-SYSAPI_ERR” messages after dump-low-level debugs are run.
- CSCsr63356—When a multicast application is in use, the multicast stream does not get the proper 802.1p QoS marking.
- CSCsr67250—1250 series access points do not adjust their power levels correctly and always stay on Tx Power Level 1 or 2.
- CSCsr70862—A Cisco WiSM controller running software release 22.214.171.124 might reboot due to a software failure of the instruction located at 0x1038a140(ewsInternalAbort+348).
Workaround: Set the session timeout to zero or remove Telnet access.
- CSCsr71245—A 4400 series controller without an embedded syslog manager (ESM) might reboot if you enable or disable encryption on the controller using WCS.
- CSCsr72091—The radio resource management (RRM) feature in controller software release 126.96.36.199 is not providing consistent results from coverage hole events and channel assignments.
- CSCsr75350—When a 1230 series access point is joined to a 4404 controller, the 2.4-GHz channel that the access point is on differs between the controller and the access point.
- CSCsr83307—A configuration file that is uploaded with an encryption key can be downloaded without the encryption key.
- CSCsr83671—The auto-RF feature on a Cisco WiSM or 4400 series controller sets 1130 and 1240 series access points to channel 36 for the 5-GHz band (802.11a).
Workaround: Follow these steps to work around the issue:
a. To change the sensitivity level, enter this command:
config advanced 802.11a channel dca sensitivity high
b. To save your changes, enter this command:
c. To verify your changes, enter this command:
show advanced 802.11a channel
Information similar to the following appears:
DCA Sensitivity Level:...................... HIGH (5 dB)
- CSCsr83684—When link aggregation (LAG) is enabled, the source MAC address for dynamic interfaces might change during operation.
- CSCsr89399—Cisco 1131AG access points that are connected to Cisco WiSM controllers might reboot unexpectedly.
- CSCsr89694—On Cisco WiSM controllers running software release 188.8.131.52, trap logs are generated indicating that the control path between two random mobility members is down. About 10 to 20 minutes later the control path comes back up.
- CSCsr89894—If a client roams from one controller to another and then powers down or leaves the RF range, the client entry on the first (anchor) controller is not deleted even though the client entry on the second (foreign) controller is deleted correctly.
Workaround: Manually delete the client entry from the anchor controller.
- CSCsr97377—Roaming latency might be high (around 300 ms) when 802.11n 5-GHz clients are using WPA2-PEAP with AES on the 40-MHz channel.
- CSCsu00583—Roaming latency might be high (around 200 ms) when 802.11n 2.4-GHz clients are using 802.11g default data rates.
- CSCsu03464—The input radio statistics are incorrect on a 1250 series access point running software release 184.108.40.206.
- CSCsu04143—The radio resource management (RRM) process on the controller can start allocating all available timers, until the controller is unable to register new timers for other processes.
Workaround: Reset the controller.
- CSCsu07730—When you try to configure a network address for the AP-manager on a 4400 series controller, an “Invalid IP” error message sometimes appears.
- CSCsu11528—The 4400 series controllers might drop very large (usually greater than 6000 bytes) UDP and ping frames sourced from a wired node on the Ethernet and originating at 1-Gbps line rate.
Workaround: Drop the line rate to 100 Mbps, decrease the size of UDP or ICMP frames, or use a different brand of wired client card.
- CSCsu12458—When a number of web-authentication users join the wireless network, the sshpmMainTask might spike above 90% on a 2106 controller running software release 220.127.116.11. Once sshpmMainTask spikes, the access points begin to drop off the controller, and access to the controller becomes very sluggish.
Workaround: Disable web authentication or web pass-through for the WLAN.
- CSCsu37449—All of the access points joined to a controller running software release 18.104.22.168 might reboot at the same time.
- CSCsu40636—The access point sometimes violates the CTS duration when receiving a U-APSD trigger frame. Instead of waiting for a few milliseconds to protect an upcoming link exchange, it simply transmits the trigger frame.
- CSCsu40720—The following message might appear on the controller console without further explanation:
Thu Sep 4 20:58:24 2008: mmMfpRequestedState: *** FIXME: Need to update BSSID state distributed to APs for 00:1E:4A:E0:00:A0 radio 1
- CSCsu41774—All workgroup bridges (WGBs) joined to one controller might suddenly disconnect from the external network. However, when a WGB moves to a second controller, it regains connectivity.
- CSCsu44516—A 4404 controller running software release 22.214.171.124 and connected to a Catalyst 3750 stack might sometimes show wireless clients stuck in the DHCP_REQD state and unable to pass traffic. This issue seems to occur for RF hand-held scanners.
Workaround: Reset the controller to purge the client associations.
- CSCsu44722—The following invalid error message appears when you enable IPv6 for a mobility-anchor-enabled WLAN: “Cannot enable IPv6-bridging when DHCP Address Assignment is enabled for WLAN.”
- CSCsu47888—The crash file or controller console should show whether a core dump was generated following a crash and successfully uploaded to a TFTP server.
- CSCsu50080—When you enable web authentication pass-through with email input selected, the controller allows any text to be entered rather than verifying that the email address has been entered in a valid address format.
- CSCsu52812—When the controller is in multicast-unicast mode, it sends unicast traffic to an access point before that access point has fully joined the controller. This behavior can be a serious problem when the access point is running a recovery image like 12.3(11)JX1, which does not drop LWAPP data packets. If the number of data packets sent to the access point before it receives the full image is large enough, the access point locks up and cannot join the controller.
Workaround: To resolve access point join issues, follow these steps:
a. Load recovery image 12.4(10b)JA3 on the access point.
b. Load the full LWAPP image on the access point.
c. Disable multicast-unicast on the controller.
If the multicast mode multicast is supported, change the multicast mode to multicast, or disable multicast.
- CSCsu52837—Preauthenticated clients cannot reach web-authenticated clients on the same WLAN.
- CSCsu62060—A 4400 series controller might reboot due to a software failure of the tplusTransportThread.
- CSCsu67530—When more than six controllers are in a mobility group, client mobility can become sporadic.
- CSCsu72717—The name is corrupted in the interrupt session of the Cisco WiSM controller’s crash file.
- CSCsu74487—Cisco 1131 access points attached to a controller running software release 126.96.36.199 might reboot unexpectedly. If you collect the core dumps to analyze the reason for the reboot, the core dump files produced are 0 bytes in size.
- CSCsu76295—If you try to manage a controller without web authentication by configuring the pre-authentication ACL to allow traffic in both directions, you cannot reach the management interface. You can access the management interface only after web authentication.
- CSCsu80604—The memory monitor configuration returns to default values after the controller reboots.
- CSCsu81856—A 4402 controller running software release 188.8.131.52 and configured with an internal DHCP server might sometimes exhibit DHCP leases for addresses that are statically assigned to various wireless clients.
- CSCsu84220—When Cisco 1131 and 1242 access points are joined to a controller running software release 184.108.40.206 and a WAN outage occurs, the access points come back up, but sometimes the radios do not.
Workaround: Reboot the access points.
- CSCsu84498—The transmit diversity for multicast-broadcast packets is not alternating on the 1240 series access point’s antenna ports.
- CSCsu84629—The 1250 series access points change from maximum uniform transmit power back to maximum transmit power on neighbor discovery packets.
- CSCsu86627—The controller currently issues commands to transmit single neighbor discovery packets. However, the controller should issue bursts of neighbor discovery packets to access point radios in order to force radio transmit power control loops to settle at new power settings.
- CSCsu88532—When you download new software to the controller, a routine system resource notification appears on the controller console.
- CSCsu90335—Intel 4965 client cards might lose connectivity for up to 1 minute when another client connects to the same 1250 series hybrid-REAP access point on a controller running software release 220.127.116.11.
Workaround: Disable local switching on the SSID.
- CSCsu92667—The controller might reboot after you make a change to the configuration.
- CSCsu95855—After you change the mobility group name on some controllers, you cannot remove one of the controllers. An error appears stating that the controller is configured as an anchor for a WLAN, even though none of the existing WLANs has this controller configured as its anchor.
Workaround: If the CLI shows that this controller is configured as an anchor for a WLAN that does not exist, create that WLAN. Then overwrite the WLAN and remove its anchors. Then you can remove the controller from the mobility group.
- CSCsu96916—When you issue the show run-config CLI command via SSH on a 4400 series controller running software release 18.104.22.168 with paging disabled, the output locks up at a certain point, probably because the controller runs out of buffers.
Workaround: Enable paging or use a Telnet session.
- CSCsu98641—The core-dump configuration does not show in the running configuration on the Cisco WiSM.
- CSCsv00108—An invalid message integrity check (MIC) might be reported on beacon frames.
- CSCsv01484—The controller prepends UID usernames with “CN=,” which can cause problems for LDAP authenticated binds. The controller should check for usernames with “UID” but not prepend them with “CN=.”