Cisco Wireless LAN Controller Software

Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release

First Published: August 2013

Last Updated: February 2014



These release notes describe what is new in this release, instructions to upgrade to this release, and open and resolved caveats for this release.

Note Unless otherwise noted, all of the Cisco Wireless LAN controllers are referred to as controllers, and all of the Cisco lightweight access points are referred to as access points or APs.

Cisco Unified Wireless Network Solution Components

The following components are part of the Cisco UWN Solution and are compatible in this release:

Note For more information on the compatibility of wireless software components across releases, see the Cisco Wireless Solutions Software Compatibility Matrix.

  • Cisco IOS Release 15.2(2)JB2
  • Cisco Prime Infrastructure 1.3 and later releases
  • Mobility Services Engine (MSE) software release and context-aware software

Note Client and tag licenses are required to get contextual (such as location) information within the context-aware software. For more information, see the Release Notes for Cisco 3350 Mobility Services Engine for Software Release

  • Cisco 3355 Mobility Services Engine, Virtual Appliance
  • Cisco 2500 Series Wireless LAN Controllers
  • Cisco 5500 Series Wireless LAN Controllers
  • Cisco Flex 7500 Series Wireless LAN Controllers
  • Cisco 8500 Series Wireless LAN Controllers
  • Cisco Virtual Wireless Controllers on Cisco Services-Ready Engine (SRE) or Cisco Wireless LAN Controller Module for Integrated Services Routers G2 (UCS-E)
  • Cisco Wireless Controllers for high availability (HA controllers) for 5500 series, WiSM2, Flex 7500 series, and 8500 series controllers
  • Cisco Wireless Services Module 2 (WiSM2) for Catalyst 6500 Series switches
  • Cisco Aironet 1550 (1552) series outdoor 802.11n mesh access points; Cisco Aironet 1520 (1522, 1524) series outdoor mesh access points
  • Cisco 1040, 1130, 1140, 1240, 1250, 1260, 1600, 2600, 3500, 3500p, 3600, Cisco 600 Series OfficeExtend Access Points, AP801, and AP802

The AP801 and AP802 are integrated access points on the Cisco 800 Series Integrated Services Routers (ISRs). For more information about the stock-keeping units (SKUs) for the access points and the ISRs, see the following data sheets:

  • AP860:

  • AP880:

  • AP890:

Note The AP802 is an integrated access point on the Next Generation Cisco 880 Series ISRs.

Note Before you use an AP802 series lightweight access point with controller software release, you must upgrade the software in the Next Generation Cisco 880 Series ISRs to Cisco IOS 151-4.M or later releases.

Controller Platforms Not Supported

The following controller platforms are not supported:

  • Cisco 4400 Series Wireless LAN Controller
  • Cisco 2100 Series Wireless LAN Controller
  • Cisco Catalyst 3750G Integrated Wireless LAN Controller
  • Cisco Wireless LAN Controller software on Cisco Services-Ready Engine (SRE) running on ISM 300, SM 700, SM 710, SM 900, and SM 910
  • Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (WiSM)
  • Cisco Wireless LAN Controller Module (NM/NME)

What’s New in This Release?

There are no new features or enhancements in this release. For more information about the updates in this release, see the Caveats section.

Software Release Support for Access Points

Table 1 lists the controller software releases that support specific Cisco access points. The First Support column lists the earliest controller software release that supports the access point. For access points that are not supported in ongoing releases, the Last Support column lists the last release that supports the access point.


Table 1 Software Support for Access Points

Access Points | First Support | Last Support

1000 Series
Airespace AS1200
1100 Series
1130 Series
1140 Series
1220 Series
1230 Series
1240 Series
1250 Series
1260 Series
1300 Series
1400 Series | Standalone Only
1600 Series
2600 Series
3500 Series
3600 Series
600 Series

Note The Cisco 3600 Access Point was introduced in If your network deployment uses Cisco 3600 Access Points with release, we highly recommend that you upgrade to or a later release.

1500 Mesh Series
1520 Mesh Series

-A and N: or 5.2 or later¹
All other reg. domains: or 5.2 or later¹

-A and N: or 5.2 or later¹
All other reg. domains: or 5.2 or later¹

-A and N: or 5.2 or later¹
All other reg. domains: or 5.2 or later¹

AIR-LAP1522CM or later.

-A, C and N: 6.0 or later
All other reg. domains: or later.

-A: or 5.2 or later¹

¹ These access points are supported in the separate 4.1.19x.x mesh software release or with release 5.2 or later releases. These access points are not supported in the 4.2, 5.0, or 5.1 releases.

The access point must always be connected to the POE-IN port to associate with the controllers. The POE-OUT port is for connecting external devices only.

Upgrading to Controller Software Release

Guidelines and Limitations

  • When H-REAP access points that are associated with a controller that has all the 7.0.x software releases that are prior to upgrade to the release, the access points lose their VLAN support configuration if it was enabled. The VLAN mappings revert to the default values of the VLAN of the associated interface. This issue does not occur if you upgrade from or later 7.0.x release to the release.
  • When a client sends an HTTP request, the controller intercepts it for redirection to the login page. If the intercepted HTTP request is fragmented, the controller drops the packet because the request does not contain enough information for redirection.
  • We recommend that you install Wireless LAN Controller Field Upgrade Software for Release, which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA/MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information, see .
  • If you are using a Cisco 2500 Series controller and you intend to use the Application Visibility and Control (AVC) and NetFlow protocol features, you must install Wireless LAN Controller Field Upgrade Software for Release This is not required if you are using other controller hardware models. For more information, see .
  • When you enable LAG on a Cisco 2500 Series Controller with which a direct-connect access point is associated, the direct-connect access point dissociates with the controller. When LAG is in enabled state, the direct-connect access points are not supported. For direct-connect access points to be supported, you must disable LAG and reboot the controller.

If LAG is enabled on the Cisco 2500 Series Controller and the controller is downgraded to a non-LAG aware release, the port information is lost and it requires manual recovery.

  • After you upgrade to the 7.4 release, networks that were not affected by the existing preauthentication ACLs might not work because the rules are now enforced. That is, networks with clients configured with static DNS servers might not work unless the static server is defined in the preauthentication ACL.
  • On 7500 controllers if FIPS is enabled, the reduced boot options are displayed only after a bootloader upgrade.

Note Bootloader upgrade is not required if FIPS is disabled.

  • If you require a downgrade from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous controller configuration files saved on the backup server or to reconfigure the controller.
  • It is not possible to directly upgrade to the release from a release that is older than
  • You can upgrade or downgrade the controller software only between certain releases. In some instances, you must first install an intermediate release prior to upgrading to software release Table 2 shows the upgrade path that you must follow before downloading software release


Table 2 Upgrade Path to Controller Software Release

Current Software Release | Upgrade Path to Software

or later 7.0 releases

You can upgrade directly to

Note If you have VLAN support and VLAN mappings defined on H-REAP access points and are currently using a 7.0.x controller software release that is prior to, we recommend that you upgrade to the release and then upgrade to to avoid losing those VLAN settings.

You can upgrade directly to

7.2. or later 7.2 releases

You can upgrade directly to

Note If you have an 802.11u HotSpot configuration on the WLANs, we recommend that you first upgrade to the controller software release and then upgrade to the controller software release.

You must downgrade from the controller software release to a 7.2.x controller software release if you have an 802.11u HotSpot configuration on the WLANs that is not supported.

7.3 or later 7.3 releases

You can upgrade directly to

  • When you upgrade the controller to an intermediate software release, you must wait until all of the access points that are associated with the controller are upgraded to the intermediate release before you install the latest controller software. In large networks, it can take some time to download the software on each access point.
  • If you upgrade to the controller software release from an earlier release, you must also upgrade to Cisco Prime Infrastructure 1.3 and MSE 7.4.
  • You can upgrade to a new release of the controller software or downgrade to an older release even if Federal Information Processing Standard (FIPS) is enabled.
  • When you upgrade to the latest software release, the software on the access points associated with the controller is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.
  • We recommend that you access the controller GUI using Microsoft Internet Explorer 6.0 SP1 (or a later release) or Mozilla Firefox (or a later release).
  • Cisco controllers support standard SNMP Management Information Base (MIB) files. MIBs can be downloaded from the Software Center on
  • The controller software is factory installed on your controller and automatically downloaded to the access points after a release upgrade and whenever an access point joins a controller. We recommend that you install the latest software version available for maximum operational benefit.
  • Ensure that you have a TFTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

Ensure that your TFTP server supports files that are larger than the size of the controller software release Some TFTP servers that support files of this size are tftpd32 and the TFTP server within the Prime Infrastructure. If you attempt to download the controller software and your TFTP server does not support files of this size, the following error message appears: “TFTP failure while storing in flash.”

If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

  • When you plug a controller into an AC power source, the bootup script and power-on self-test run to initialize the system. During this time, you can press Esc to display the bootloader Boot Options Menu. The menu options for the 5500 differ from the menu options for the other controller platforms.

Bootloader Menu for 5500 Series Controllers:

Boot Options
Please choose an option from below:
1. Run primary image
2. Run backup image
3. Change active boot image
4. Clear Configuration
5. Format FLASH Drive
6. Manually update images
Please enter your choice:

Bootloader Menu for Other Controller Platforms:

Boot Options
Please choose an option from below:
1. Run primary image
2. Run backup image
3. Manually update images
4. Change active boot image
5. Clear Configuration
Please enter your choice:

Enter 1 to run the current software, enter 2 to run the previous software, enter 4 (on a 5500 series controller), or enter 5 (on another controller platform) to run the current software and set the controller configuration to factory defaults. Do not choose the other options unless directed to do so.

Note See the Installation Guide or the Quick Start Guide for your controller for more details on running the bootup script and power-on self-test.

  • The controller bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the bootloader to boot with the backup image.

With the backup image stored before rebooting, be sure to choose Option 2: Run Backup Image from the boot menu to boot from the backup image. Then, upgrade with a known working image and reboot the controller.

  • Control which address(es) are sent in CAPWAP discovery responses when NAT is enabled on the Management Interface using the following command:

config network ap-discovery nat-ip-only { enable | disable }


enable — Enables use of NAT IP only in a discovery response. This is the default. Use this command if all APs are outside of the NAT gateway.

disable — Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside of the NAT gateway; for example, Local Mode and OfficeExtend APs are on the same controller.

Note To avoid stranding APs, you must disable AP link latency (if enabled) before you use the disable option for the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

  • You can configure 802.1p tagging by using the config qos dot1p-tag { bronze | silver | gold | platinum } tag. For the and later releases, if you tag 802.1p packets, the tagging has impact only on wired packets. Wireless packets are impacted only by the maximum priority level set for QoS.
  • You can reduce the network downtime using the following options:

You can predownload the AP image.

For FlexConnect access points, use the FlexConnect AP upgrade feature to reduce traffic between the controller and the AP (main site and the branch). For more information about the FlexConnect AP upgrade feature, see the Cisco Wireless LAN Controller FlexConnect Configuration Guide.

Note Predownloading a version on a Cisco Aironet 1240 access point is not supported when upgrading from a previous controller release. If predownloading is attempted to a Cisco Aironet 1240 access point, an AP disconnect will occur momentarily.

  • Do not power down the controller or any access point during the upgrade process; otherwise, you might corrupt the software image. Upgrading a controller with a large number of access points can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent access point upgrades supported, the upgrade time should be significantly reduced. The access points must remain powered, and the controller must not be reset during this time.
  • If you want to downgrade from the release to a 6.0 or an older release, do either of the following:

Delete all WLANs that are mapped to interface groups and create new ones.

Ensure that all WLANs are mapped to interfaces rather than interface groups.

  • After you perform these functions on the controller, you must reboot the controller for the changes to take effect:

Enable or disable link aggregation (LAG)

Enable a feature that is dependent on certificates (such as HTTPS and web authentication)

Add a new license or modify an existing license

Increase the priority for a license

Enable the HA

Install SSL certificate

Configure the database size

Install vendor device certificate

Download CA certificate

Upload configuration file

Install Web Authentication certificate

Changes to management or virtual interface
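
For the guideline above on preauthentication ACLs being enforced after the upgrade to the 7.4 release, a pre-upgrade audit can list the static DNS servers that the ACL would not permit. This is an added example, not Cisco code: the Rule model, the first-match and implicit-deny evaluation, and the sample addresses are assumptions constructed for illustration, not WLC syntax or output.

```python
"""Audit a preauthentication ACL against the DNS servers clients are configured with."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ACL line in a simplified, hypothetical model (not WLC syntax)."""
    action: str                    # "permit" or "deny"
    protocol: str                  # "udp", "tcp" or "any"
    destination: str               # destination network in CIDR form
    dst_ports: tuple = (0, 65535)  # inclusive destination port range


def first_match(rules, protocol, dst_ip, dst_port):
    """Return the action of the first rule that matches the flow.

    Assumption: rules are evaluated top-down and a flow that matches
    no rule is denied.
    """
    addr = ip_address(dst_ip)
    for rule in rules:
        low, high = rule.dst_ports
        if (rule.protocol in ("any", protocol)
                and addr in ip_network(rule.destination)
                and low <= dst_port <= high):
            return rule.action
    return "deny"


def audit_dns_servers(rules, dns_servers):
    """Map each DNS server to whether UDP/53 and TCP/53 toward it are permitted."""
    return {
        server: {proto: first_match(rules, proto, server, 53) == "permit"
                 for proto in ("udp", "tcp")}
        for server in dns_servers
    }


def blocked_servers(rules, dns_servers):
    """DNS servers whose clients could not resolve names before authenticating."""
    report = audit_dns_servers(rules, dns_servers)
    return sorted(server for server, ok in report.items() if not ok["udp"])


# Constructed sample data (documentation address ranges, not from the release notes).
SAMPLE_PREAUTH_ACL = [
    Rule("permit", "udp", "192.0.2.53/32", (53, 53)),       # DHCP-assigned DNS server
    Rule("permit", "tcp", "198.51.100.10/32", (443, 443)),  # web authentication portal
    Rule("deny", "any", "203.0.113.0/24"),                  # explicit deny placed too early
    Rule("permit", "udp", "203.0.113.8/32", (53, 53)),      # shadowed by the deny above
]
SAMPLE_CLIENT_DNS = ["192.0.2.53", "203.0.113.8", "198.51.100.53"]

if __name__ == "__main__":
    for server in blocked_servers(SAMPLE_PREAUTH_ACL, SAMPLE_CLIENT_DNS):
        print(f"static DNS server {server} is not permitted by the preauthentication ACL")
```

The sample flags two servers for different reasons: one has no rule at all, the other has a permit rule that sits below a broader deny and is never reached.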


Upgrading to Controller Software Release (GUI)

Step 1 Upload your controller configuration files to a server to back them up.

Note We highly recommend that you back up your controller’s configuration files prior to upgrading the controller software.

Step 2 Follow these steps to obtain the controller software:

a. Click this URL to go to the Software Center:

b. Choose Wireless from the center selection window.

c. Click Wireless LAN Controllers.

The following options are available:

Integrated Controllers and Controller Modules

Standalone Controllers

d. Depending on your controller platform, click one of the above options.

e. Click the controller model number or name. The Download Software page is displayed.

f. Click a controller software release. The software releases are labeled as follows to help you determine which release to download:

  • Early Deployment (ED) — These software releases provide new features and new hardware platform support as well as bug fixes.
  • Maintenance Deployment (MD) — These software releases provide bug fixes and ongoing software maintenance.
  • Deferred (DF) — These software releases have been deferred. We recommend that you migrate to an upgraded release.

g. Click a software release number.

h. Click the filename (filename.aes).

i. Click Download.

j. Read Cisco’s End User Software License Agreement and then click Agree.

k. Save the file to your hard drive.

l. Repeat steps a. through k. to download the remaining file.

Step 3 Copy the controller software file (filename.aes) to the default directory on your TFTP, FTP, or SFTP server.

Step 4 (Optional) Disable the controller 802.11a/n and 802.11b/g/n networks.

Note For busy networks, controllers on high utilization, or small controller platforms, we recommend that you disable the 802.11a/n and 802.11b/g/n networks as a precautionary measure.

Step 5 Disable any WLANs on the controller.

Step 6 Choose Commands > Download File to open the Download File to Controller page.

Step 7 From the File Type drop-down list, choose Code.

Step 8 From the Transfer Mode drop-down list, choose TFTP, FTP, or SFTP.

Step 9 In the IP Address text box, enter the IP address of the TFTP, FTP, or SFTP server.

Step 10 If you are using a TFTP server, the default values of 10 retries for the Maximum Retries text field, and 6 seconds for the Timeout text field should work correctly without any adjustment. However, you can change these values if desired. To do so, enter the maximum number of times that the TFTP server attempts to download the software in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the software in the Timeout text box.

Step 11 In the File Path text box, enter the directory path of the software.

Step 12 In the File Name text box, enter the name of the software file (filename.aes).

Step 13 If you are using an FTP server, follow these steps:

a. In the Server Login Username text box, enter the username to log on to the FTP server.

b. In the Server Login Password text box, enter the password to log on to the FTP server.

c. In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 14 Click Download to download the software to the controller. A message appears indicating the status of the download.

Step 15 After the download is complete, click Reboot.

Step 16 If prompted to save your changes, click Save and Reboot.

Step 17 Click OK to confirm your decision to reboot the controller.

Step 18 After the controller reboots, repeat Step 6 through Step 17 to install the remaining file.

Step 19 Reenable the WLANs.

Step 20 For Cisco WiSM2 on the Catalyst switch, check the port channel and reenable the port channel if necessary.

Step 21 If you have disabled the 802.11a/n and 802.11b/g/n networks in Step 4, reenable them.

Step 22 To verify that the controller software is installed on your controller, click Monitor on the controller GUI and look at the Software Version field under Controller Summary.


Special Notes for Licensed Data Payload Encryption on Cisco Wireless LAN Controllers

Datagram Transport Layer Security (DTLS) is required for all Cisco 600 Series OfficeExtend Access Point deployments to encrypt data plane traffic between the APs and the controller. You can purchase Cisco Wireless LAN Controllers with either DTLS that is enabled (non-LDPE) or disabled (LDPE). If DTLS is disabled, you must install a DTLS license to enable DTLS encryption. The DTLS license is available for download on

Important Note for Customers in Russia

If you plan to install a Cisco Wireless LAN Controller in Russia, you must get a Paper PAK, and not download the license from The DTLS Paper PAK license is for customers who purchase a controller with DTLS that is disabled due to import restrictions but have authorization from local regulators to add DTLS support after the initial purchase. Consult your local government regulations to ensure that DTLS encryption is permitted.

Note Paper PAKs and electronic licenses available are outlined in the respective controller datasheets.

Downloading and Installing a DTLS License for an LDPE Controller

Step 1 Download the Cisco DTLS license.

a. Go to the Cisco Software Center at this URL:

b. On the Product License Registration page, choose Get New > IPS, Crypto, Other Licenses.

c. Under Wireless, choose Cisco Wireless Controllers (2500/5500/7500/8500/WiSM2) DTLS License.

d. Complete the remaining steps to generate the license file. The license file information will be sent to you in an e-mail.

Step 2 Copy the license file to your TFTP server.

Step 3 Install the DTLS license. You can install the license either by using the controller web GUI interface or the CLI:

  • To install the license using the web GUI, choose:

Management > Software Activation > Commands > Action : Install License

  • To install the license using the CLI, enter this command:

license install tftp://ipaddress/path/extracted-file

After the installation of the DTLS license, reboot the system. Ensure that the DTLS license that is installed is active.


Upgrading from an LDPE to a Non-LDPE Controller

Step 1 Download the non-LDPE software release:

a. Go to the Cisco Software Center at this URL:

b. Choose the controller model from the right selection box.

c. Click Wireless LAN Controller Software .

d. From the left navigation pane, click the software release number for which you want to install the non-LDPE software.

e. Choose the non-LDPE software release: AIR-X-K9-X-X.X.aes

f. Click Download.

g. Read Cisco’s End User Software License Agreement and then click Agree.

h. Save the file to your hard drive.

Step 2 Copy the controller software file (filename.aes) to the default directory on your TFTP or FTP server.

Step 3 Upgrade the controller with this version by following the instructions from Step 3 through Step 22 detailed in the “Upgrading to Controller Software Release” section.


Interoperability With Other Clients in

This section describes the interoperability of the version of controller software with other client devices.

Table 3 describes the configuration used for testing the clients.


Table 3 Test Bed Configuration for Interoperability

Hardware/Software Parameter
Hardware/Software Configuration Type



Cisco 5500 Series Controller

Access points

1131, 1142, 1242, 1252, 3500e, 3500i, and 3600


802.11a, 802.11g, 802.11n2, 802.11n5




ACS 4.2, ACS 5.2

Types of tests

Connectivity, traffic, and roaming between two access points

Table 4 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.


Table 4 Client Types

Client Type and Name

Intel 3945/4965 or, v13.4
Intel 5100/5300/6200/6300
Intel 1000/1030/6205
Dell 1395/1397/Broadcom 4312HMG(L) | XP/Vista: Win7:
Dell 1501 (Broadcom BCM4313)
Dell 1505/1510/Broadcom 4321MCAG/4322HM
Dell 1515(Atheros)
Dell 1520/Broadcom 43224HMS
Dell 1530 (Broadcom BCM4359)
Cisco CB21
Atheros HB92/HB97
Atheros HB95
MacBook Pro (Broadcom)

Handheld Devices

Apple iPad | iOS 5.0.1
Apple iPad2 | iOS 6.0(10A403)
Apple iPad3 | iOS 6.0(10A403)
Asus Slider | Android 3.2.1
Asus Transformer | Android 4.0.3
Sony Tablet S | Android 3.2.1
Toshiba Thrive | Android 3.2.1
Samsung Galaxy Tab | Android 3.2
Motorola Xoom | Android 3.1
Intermec CK70 | Windows Mobile 6.5 /
Intermec CN50 | Windows Mobile 6.1 /
Symbol MC5590 | Windows Mobile 6.5 /
Symbol MC75 | Windows Mobile 6.5 /

Phones and Printers

Cisco 7921G
Cisco 7925G
Ascom i75
Spectralink 8030
Vocera B1000A
Vocera B2000
Apple iPhone 4 | iOS 6.0(10A403)
Apple iPhone 4S | iOS 6.0(10A403)
Apple iPhone 5 | iOS 6.0(10A405)
Ascom i62
HTC Legend | Android 2.2
HTC Sensation | Android 2.3.3
LG Optimus 2X | Android 2.2.2
Motorola Milestone | Android 2.2.1
RIM Blackberry Pearl 9100 | WLAN version 4.0
RIM Blackberry Bold 9700 | WLAN version 2.7
Samsung Galaxy S II | Android 2.3.3
SpectraLink 8450
Samsung Galaxy Nexus | Android 4.0.2
Motorola Razr | Android 2.3.6

Features Not Supported on Controller Platforms

This section lists the features that are not supported in the following platforms:

Features Not Supported on Cisco 2500 Series Controllers

  • Wired guest access
  • Bandwidth contract
  • Service port
  • AppleTalk Bridging
  • Right to Use licensing
  • PMIPv6
  • High Availability
  • Multicast-to-unicast

Note The features that are not supported on Cisco WiSM2 and Cisco 5500 Series Controllers are also not supported on Cisco 2500 Series Controllers.

Note Directly connected APs are supported only in Local mode.

Features Not Supported on WiSM2 and Cisco 5500 Series Controllers

  • Spanning Tree Protocol (STP)
  • Port mirroring
  • Layer 2 access control list (ACL) support
  • VPN termination (such as IPsec and L2TP)
  • VPN passthrough option

Note You can replicate this functionality on a 5500 series controller by creating an open WLAN using an ACL.

  • Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)
  • Fragmented pings on any interface
  • Right to Use licensing

Features Not Supported on Cisco Flex 7500 Controllers

  • Static AP-manager interface

Note For Cisco 7500 Series controllers, it is not necessary to configure an AP-manager interface. The management interface acts like an AP-manager interface by default, and the access points can join on this interface.

  • L3 Roaming
  • VideoStream
  • TrustSec SXP
  • IPv6/Dual Stack client visibility

Note IPv6 client bridging and Router Advertisement Guard are supported.

  • Internal DHCP server
  • Access points in the following modes: Local, Rogue Detector, Sniffer, Bridge, and SE-Connect

Note An AP associated with the controller in local mode should be converted to FlexConnect mode or Monitor mode, either manually or by enabling the autoconvert feature. On the Flex 7500 controller CLI, enable the autoconvert feature by entering the config ap autoconvert enable command.

  • Mesh
  • Spanning Tree Protocol (STP)
  • Cisco Flex 7500 Series Controller cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.
  • Multicast

Note FlexConnect local switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic that is based on IGMP or MLD snooping.

  • PMIPv6
  • 802.11w

Features Not Supported on Cisco 8500 Controllers

  • Cisco 8500 Series Controller cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.
  • TrustSec SXP
  • Internal DHCP server

Features Not Supported on Cisco Wireless Controller on Cisco Services-Ready Engine

  • Wired guest access
  • Cisco Wireless Controller on Cisco Services-Ready Engine (SRE) cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.
  • Bandwidth contract
  • Access points in direct connect mode
  • Service port support
  • AppleTalk Bridging
  • LAG
  • Application Visibility and Control (AVC)

Features Not Supported on Cisco Virtual Wireless Controllers

  • Data DTLS
  • Cisco 600 Series OfficeExtend Access Points
  • Wireless rate limiting (bandwidth contract)
  • Internal DHCP server
  • TrustSec SXP
  • Access points in local mode
  • Mobility/guest anchor
  • Multicast

Note FlexConnect local switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic that is based on IGMP or MLD snooping.

  • IPv6
  • High Availability
  • PMIPv6
  • WGB
  • VideoStream
  • Outdoor mesh access points

Note Outdoor AP in FlexConnect mode is supported.

  • Indoor mesh access points
  • 802.11w
  • Application Visibility and Control (AVC)

Features Not Supported on Mesh Networks

  • Multicountry support
  • Load-based CAC (mesh networks support only bandwidth-based CAC or static CAC)
  • High availability (fast heartbeat and primary discovery join timer)
  • AP acting as supplicant with EAP-FASTv1 and 802.1X authentication
  • Access point join priority (mesh access points have a fixed priority)
  • Location-based services


The following sections list Open Caveats and Resolved Caveats for Cisco controllers and lightweight access points for version For your convenience in locating caveats in Cisco’s Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation might be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

  • Commands are in boldface type.
  • Product names and acronyms might be standardized.
  • Spelling errors and typos might be corrected.

Note If you are a registered user, view Bug Toolkit at the following website:

To become a registered user, go to the following website:

Open Caveats

Table 5 lists the open caveats in this release.


Table 5 Open Caveats



Symptom : Controller web GUI displays duplicate domain IP names, but the controller CLI displays them correctly.

Condition : When the service provider domain name is more than 32 characters, the controller web GUI displays duplicate entries. This issue occurs in only the controller web GUI.

Workaround : Use controller CLI.


Symptom : On the controller, when limiting the “Max Concurrent Logins for a user name” to 1, for example to avoid using the same username more than once for web authentication, there is a possibility to ignore this setting for 802.1x authentication by setting “max-login-ignore-identity-response” to the enabled state. The “max-login-ignore-identity-response” feature does not work as expected and the global “Max Concurrent Logins for a user name” still takes precedence.

Condition : Unknown.

Workaround : Increase the global “Max Concurrent Logins for a user name” to a desired number.


Symptom : On a channel with high utilization and interference numbers, the RRM DCA algorithm might not change the channel when it should. As a result, the channel assignment for a few access points may be suboptimal, which can negatively impact performance.

Condition : If a channel change that is required to avoid the high utilization or interference has an adverse effect on the RF neighborhood, it might prevent the channel change. Release

Workaround : Configure DCA back to aggressive mode.


Symptom : The Cisco 602 OEAP’s Ethernet counters stop incrementing after they reach the maximum value for a 32-bit signed integer (2147483647).

Note This does not affect the operation of the AP or the Ethernet traffic.

Condition : Unknown.

Workaround : Reset the counters by rebooting the Cisco 602 OEAP.


Symptom : When a RAP loses its wired connection, the RAP fails to restore connectivity as a MAP through the radio backhaul. The mesh adjacency is correctly built to a nearby MAP, and the RAP gets an IP address and can even join its controller, but shortly afterwards a radio reset is observed which causes the RAP to disconnect. The RAP goes into a loop till the wired connectivity is restored. Error messages similar to the following are displayed on the RAP console:

Feb 8 19:37:54.919: %CAPWAP-3-ERRORLOG: Selected MWAR '5500-5'(index 0).
*Feb 8 19:37:54.919: %CAPWAP-3-ERRORLOG: Go join a capwap controller
~
*Feb 8 19:37:45.139: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 5500-5
~
*Feb 8 19:37:45.183: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 0021.a1f9.fa0f VIDB Virtual-Dot11Radio0 forwarding
~
*Feb 8 19:37:46.075: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Feb 8 19:37:46.083: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
~
*Feb 8 19:37:47.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Feb 8 19:37:47.099: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5700 MHz for 60 seconds.
~
*Feb 8 19:38:21.751: %MESH-4-NO_POTENTIAL_PARENT: There are no potential parents
*Feb 8 19:38:24.751: %MESH-4-NO_POTENTIAL_PARENT: There are no potential parents
*Feb 8 19:38:24.751: %MESH-6-LINK_UPDOWN: Mesh station 0021.a1f9.fa0f link Down
*Feb 8 19:38:24.951: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 0021.a1f9.fa0f VIDB Virtual-Dot11Radio0 going down
*Feb 8 19:38:24.955: %LINK-6-UPDOWN: Interface Virtual-Dot11Radio0, changed state to down10
*Feb 8 19:38:25.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Dot11Radio0, changed state to down

Condition : Mesh deployment on the following controller software releases:, 7.2.x,

Workaround : None.


Symptom : The controller might stop working if a Syslog server entry is being removed from the GUI when the server is unreachable.

Condition : Syslog server configured on the controller with TLS enabled.

The Syslog server entry is removed using the controller GUI while it is unreachable, but the controller still considers it to be “connected”, as per “TLS auth status” that can be seen by entering the show logging command on the controller CLI.

Workaround : None.


Symptom : MAC flap on Layer 2 switch connected to the remote LAN port of Cisco 600 Series OEAP.

Condition : Wired computers plugged into the Layer 2 switch connected to the remote LAN port communicate with each other with only pings.

Workaround : Configure static ARP entries to prevent the MAC flap.


Symptom : AP intermittently does not send probe response when there are other APs in the neighborhood on the same channel.

Condition : There need to be other APs or traffic on the same channel for this issue to occur.

Workaround : If the client hears probes from other surrounding APs, the client should be able to join another AP. Some NICs might prefer to hear probes from a specific AP. Even with the AP having the issue, eventually, the probe response might be transmitted after a few attempts.


Symptom : On a local-switching-enabled 802.1X WLAN, if the clients associate with a local AP (not FlexConnect AP), after successful authentication, only the url-redirect attribute is accepted by the controller, not the url-redirect-acl attribute, which causes failures on redirection thereafter.

Condition : 802.1X WLAN with local switching enabled; Release 7.2 and later.

Workaround : Disable local switching on the WLAN. You will have to segregate the local AP from FlexConnect APs on different controllers, making it an impossible solution to mix them together on a single controller.


Symptom : Cisco AP3600 and Cisco AP2600 send invalid frames sourced with address 0000.0104.xxxx. This might result in security warnings on the switch, such as the following:

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/46, new MAC address (0000.0104.d634) is seen.

Condition : This issue occurs when the primary or secondary controller is changed in the AP High Availability tab. This issue is observed with only Cisco Aironet 2600 and 3600 Series access points.

Workaround : None.
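
For triaging the switch-side alerts described in the caveat above, the following Python sketch (an added example, not Cisco code) separates violations that fit this caveat's signature from ones that still need investigation. The sample log lines, the AP_PORTS inventory, and the function names are constructed assumptions; only the message format and the 0000.0104 source-address prefix come from the caveat.

```python
import re
from collections import Counter

# Message format as quoted in the caveat text.
VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<interface>[^,\s]+), new MAC address "
    r"\((?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\) is seen"
)

# Source-address prefix named in the caveat (0000.0104.xxxx).
CAVEAT_MAC_PREFIX = "0000.0104."

# Constructed sample switch syslog (not captured from a real device).
SAMPLE_SWITCH_LOG = """\
Mar 12 09:14:02: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/46, new MAC address (0000.0104.d634) is seen.
Mar 12 09:14:05: %LINK-3-UPDOWN: Interface GigabitEthernet3/12, changed state to up
Mar 12 09:15:40: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/12, new MAC address (0000.0104.0a11) is seen.
Mar 12 09:16:21: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/46, new MAC address (3c97.0e5a.11f2) is seen.
Mar 12 09:17:00: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/46, new MAC address (0000.0104.D634) is seen.
"""

# Assumption: an inventory of switch ports known to connect
# Cisco Aironet 2600/3600 access points.
AP_PORTS = {"GigabitEthernet3/46"}


def triage_violations(log_text, ap_ports):
    """Classify each AUTHMGR security violation found in log_text.

    A violation is attributed to the caveat only when BOTH conditions hold:
    the MAC carries the 0000.0104 prefix AND the port is a known AP port.
    A source MAC is trivially spoofable, so the prefix alone on a non-AP
    port, or any other MAC on an AP port, still needs investigation.
    """
    findings = []
    for line in log_text.splitlines():
        match = VIOLATION_RE.search(line)
        if match is None:
            continue  # unrelated syslog line
        interface = match.group("interface")
        mac = match.group("mac").lower()  # normalise case before comparing
        if mac.startswith(CAVEAT_MAC_PREFIX) and interface in ap_ports:
            verdict = "known-ap-caveat"
        else:
            verdict = "investigate"
        findings.append({"interface": interface, "mac": mac, "verdict": verdict})
    return findings


def summarize(findings):
    """Return a {verdict: count} dictionary for reporting."""
    return dict(Counter(f["verdict"] for f in findings))


if __name__ == "__main__":
    results = triage_violations(SAMPLE_SWITCH_LOG, AP_PORTS)
    for finding in results:
        print(f'{finding["verdict"]:16} {finding["interface"]:22} {finding["mac"]}')
    print(summarize(results))
```

Correlating the "known-ap-caveat" entries with the time the primary or secondary controller was changed on the AP gives a second check before suppressing them.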


Symptom : The 5-GHz radio on AIR-CAP1552E-N-K9 in the non-Bridge mode fails to enable if the controller is configured for Brazil (-T) Regulatory Domain.

Condition : Release

Workaround : Use the Bridge mode in the AP.


Symptom : Rogue AP does not get detected on the wired network when it is on non-native VLAN trunk to rogue detector AP.

Condition : Release 7.4.x; Rogue detector mode AP; Rogue AP not on Rogue Detector native VLAN.

Workaround : None.


Symptom : Cisco AP1600, Cisco AP2600, and Cisco AP3600 might transmit management and control frames at maximum power, regardless of the configured power settings.

Condition : Cisco AP1600, Cisco AP2600, and Cisco AP3600.

Workaround : None.


Symptom : Wireless clients are unable to associate with the mesh APs.

Condition : When the wired clients are not operational; clients are connected to the mesh AP with Ethernet bridging enabled.

Workaround : Reboot the mesh AP for the wired and wireless clients to associate.


Symptom : When the controller detects more than 21 ad hoc rogues, the controller GUI shows only the first 20 entries (first page).

Condition : More than 21 ad hoc rogues detected.

On the controller GUI, choose Monitor > Rogue > Adhoc Rogues and click on Unclassified Adhoc or Custom Adhoc.

The first page shows correctly, but it is not possible to browse to the subsequent pages.

Workaround : On the controller CLI, enter the show rogue adhoc summary command.


Symptom : Controller stops communicating with CAM with SNMPv3.

Condition :

1. Enable HA.

2. Add controller to CAM with SNMPv3 (should have authorization and authentication passwords).

3. Failover from primary to secondary controller.

Workaround : Delete and add the controller in CAM again.


Symptom : The 802.11u domain is lost after a controller reboot.

Condition : Same domain name is used on two different WLANs. This is allowed on CLI, but configuration validation fails on boot.

Workaround : Reconfigure the domain, or use different domain names.


Symptom : Cisco Virtual Wireless Controller is given a valid license with an AP count. Installation of the controller is successful, and the show license summary command shows the license in use with the correct count. However, the homepage of the controller GUI shows “0 access points supported” and APs are denied association with the controller.

Condition : This issue occurs only when you provide a license file that contains only adder licenses and not the base feature.

Workaround : Request a correct base feature AP count license file.


Symptom : Cisco AP1260 might stop working in the function mvl_transmit_recover.

Condition : Cisco AP1260 using IOS version 12.4(23c)JA6 and controller version

Workaround : None.


Symptom : Controller no longer takes into account the “airespace wlan-identifier” attribute that is sent back in the access-accept by the RADIUS server.

Condition : This issue occurs in Release 7.4, but was not present in Release 7.0.x.

Workaround : Use another mechanism to restrict SSID access.


Symptom : Controller goes into maintenance mode with HA in enabled state.

Condition : HA in an enabled state; Cisco Flex 7500 and Cisco 8500 Series controllers in non-LAG scenario with backup port configured; primary port is not operational.

Workaround : None.


Symptom : The standby controller in an HA pair could reboot in a loop if the HA role negotiation succeeds, but the configuration synchronization fails.

Condition : Low memory condition on the controller.

Workaround : Reboot the primary controller.


Symptom : RRM group leader is not operational and does not do channel or power update.

Condition : This issue might occur if you have APs hearing each other when associated through a large set of controllers where RF group name is identical.

Workaround : Options are as follows:

  • Limit the RF group size to 1000 APs. Place the APs accordingly and avoid salt and pepper deployment.
  • If you already are in this state, you can restart the group leader election by entering these commands:

config advanced 802.11a group-mode restart (If RRM is in the 802.11a band)
config advanced 802.11b group-mode restart (If RRM is in the 802.11b band)


Symptom : Cisco AP3500 stops working.

Condition : LWAPP Rogue Monitoring process is on.

Workaround : None.


Symptom : After a Cisco AP reboot, the radio which was disabled before Cisco AP reboot is somehow reenabled automatically. This occurs when the Cisco AP belongs to an RF profile.

Condition : Cisco AP joins nondefault AP group and the AP group has the RF profile.

Workaround : Disable radio on AP again after the reboot.


Symptom : Controller reboot with traceback tpcv2ConstructApProfile.

Condition : TPCv2 in an enabled state.

Workaround : None.


Symptom : Cisco APs that are configured with submode PPPoE are losing the submode configuration (Submode = Unconfigured) after moving from one controller to another or after rebooting the Cisco AP when associating with the second controller.

Condition : Reboot the PPPoE submode Cisco AP associated with the primary controller.

Workaround : None.


Symptom : Controller might trigger a reaper reset crash at “apfFindRogueApEntry” while adding rogue rules on the controller, due to a deadlock condition.

Condition : Adding rogue rules on the controller.

Workaround : None.


Symptom : In an Export Anchor-Foreign scenario, in both Foreign to Foreign as well as fresh association to a Foreign, if packets are not reaching the Export Anchor due to network issues, then after three retries, there will not be any further exchange. The request will go to Export Anchor and the client will stay in that state until it moves out.

Condition : Network issues between mobility peers.

Workaround : None. Instead, fix the underlying connectivity issues.


Symptom : Client with static IP loses connectivity on session timeout.

Condition : This occurs only if the following set of conditions is met:

1. Interface that the client gets from the interface group does not match the interface corresponding to the static IP.

2. Client gets VLAN overridden with the following message:

apfReceiveTask: May 28 12:48:28.066: 00:1a:70:a5:2f:bd Overriding interface of client from 'vlan20' to 'vlan30' within interface group 'vlan20-30'
*apfReceiveTask: May 28 12:48:28.066: 00:1a:70:a5:2f:bd Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 20

This overriding is lost when PMK expires, and a new authentication takes place. This occurs even if the client is continuously sending traffic.

Workaround : Either disable interface groups or set to DHCP required state.


Symptom : During dynamic rf-group, an HA switchover controller stopped working.

Condition : While running dynamic rf-group between an HA Cisco WiSM2 controller and Cisco 5500 Series standalone controller, enter the show advanced 802.11a group command in the standalone controller CLI. On a forced switchover, the standby controller stopped working.

Workaround : None.


Symptom : Incorrect Data tracebacks and failure in response is observed in Cisco AP3600.

Condition :

1. An HA Cisco Flex 7500 Series Controller using Build and a Cisco AP3600 in FlexConnect mode associated with it.

2. Schedule a reset in the active controller using 'reset system in 00:03:00 image no-swap reset-aps save-config'.

3. At the scheduled time, the Cisco AP3600 gets a reset push from the controller. While the AP reboots, incorrect data tracebacks are observed in the Cisco AP and the Cisco AP stops working. Later, the Cisco AP associates with the controller.

Workaround : None.


Symptom : Cisco AP1600 prints tracebacks on the console at reboot after VLAN tagging is configured from the controller (using the config ap ethernet tag id vlan-id cisco-ap-name command).

Condition : Cisco AP1600 with data encryption enabled.

Traceback seen at the reboot following the VLAN tagging configuration from the controller.

Workaround : None.


Symptom : SE-Connect mode APs show up as Local mode in GUI after fallback because after the fallback the CleanAir Admin and Oper Status becomes “NA” instead of UP. The Network Spectrum Key is not available and it shows up as Local Mode in GUI. Spectrum Analyzer is unable to connect to the SE-Connect mode APs.

Condition : Reboot the controller and then let the SE-Connect APs associate with the controller.

Workaround :

1. Reboot the Cisco AP.

2. After the reboot, the Cisco AP shows correct Mode of “SE-Connect” and also Network Spectrum Key is available.


Symptom : Client displays the following message:

“Ignoring 802.11 assoc request from mobile radio is NOT enabled”

Condition : Cisco AP is operational, but the controller shows the Cisco AP as nonoperational.

Workaround : Disable the Cisco AP and then reenable it.

More Information : This issue is only observed after three or more days of continuously disabling and then enabling the radio state every minute on internal testing.


Symptom : Radio PCI resets are observed on Cisco AP1600.

Condition : PCI resets on Cisco AP1600 with high load.

Workaround : None.


Symptom : A Cisco AP stopped working and then rebooted.

Condition : Unknown.

Workaround : Unknown. Check any CDP events on the connected switch.


Symptom : In the controller GUI, access points appear in an unknown state.

Condition: Unknown.

Workaround : Reboot the controller.


Symptom : Controller reports many stale client entries.

Condition: Cisco Flex 7500 Series Wireless Controllers with Release having many clients.

Workaround : None.


Symptom : WebAuth redirect fails when local switching is enabled on a WLAN. Manual redirect and redirect with central switching works.

Condition: Local switching is enabled on a WLAN.

Workaround : Add a dummy interface on the controller with the IP address of the VLAN that is locally switched for the client. The VLAN IDs need not be the same, however, the IP addresses must be same. The VLAN must be trunked to the controller.


Symptom : CleanAir status appears as N/A even when the access point supports and enables CleanAir.

Condition: This issue occurs when the access points join a primary or secondary controller after the power goes down or a network problem arises.

Workaround : Disable or reenable the access point radio to recover the CleanAir status on the controller.


Symptom : Controller sends accounting updates with different framed IP address for an endpoint.

Condition: Central web authentication used with ISE and URL redirect is pushed.

Workaround : None.


Symptom : Client disconnects from its WLAN.

Condition: When you change the parameters of a WLAN, a client disconnects from another WLAN.

Workaround : None.


Symptom : RADIUS failover occurs when the controller sends RADIUS request packets with the same ID to the RADIUS server six times and receives no response from the RADIUS server.

Condition: Release

Workaround : None.


Symptom : When a FlexConnect local switching access point roams using WGB, the following message appears on the access point console:

*May 22 11:24:34.559: capwap_ap_mgmt: delete mn 0d0d.0d0d.0d0d

*May 22 11:24:34.559: capwap_ap_mgmt: Deleting PMK for 0d0d.0d0d.0d0d

The station MAC address is not present in the network, either as a WLAN client or as a wired WGB client.

Condition: This message appears on Release 7.4.x while using the debug capwap client mgmt command.

Workaround : None.


Symptom : When you disable the radio of a Cisco AP2600, the radio gets enabled after the access point reloads.

Condition: Release 7.4.x

Workaround : None.


Symptom : Client gets IPv6 address from a different VLAN. A sample message is given below:

Overriding interface of client from 'vlan20' to 'vlan30' within interface group 'vlan20-30'


Condition:

1. VLAN is in an interface group.

2. Client sends traffic from either a static IP address or a previously allocated IP address.

3. Client traffic does not match the assigned VLAN.

Workaround : Use DHCP required.


Symptom : When you start a calibration task using Prime Infrastructure 1.2 and 1.3, the task proceeds and at the end of the data collection the following message appears:

No data points collected when starting from location..

Condition: This message is displayed when there is no data in the controller calibration table.

Workaround : None.


Symptom : Cisco Services-Ready Engine (SRE) controller configured as a DHCP server shows reversed octet for the default gateway and DNS server values. For example, instead of

Condition: Cisco Wireless Controller on Cisco SRE using Release 7.4.x.

Workaround : Use an external DHCP server or downgrade the controller to a release that is earlier than Release 7.4.x.


Symptom : Unable to use the filter options for clients and access points when you use IE 10 to access the controller GUI. The filter popup box does not appear in the GUI.

Condition: Microsoft Internet Explorer 10.

Workaround : Switch the browser to compatibility view.


Symptom : Cisco 5508 controller with Release stopped working on Reaper Reset: Task "LDAP DB Task 2" missed software watchdog.

Condition: Unknown.

Workaround : None.


Symptom : In an HA-enabled 5508 controller with 430 access points, when you perform predownload on all the access points, the controller does not reset.

Condition: High AP count and failed predownload.

Workaround : Reboot the controller using the reset system forced command.


Symptom : The show redundancy summary command shows the following output regardless of its real SKU.

Unit = Secondary - HA SKU

Condition: When you use the show redundancy summary command on:

  • Secondary machine which is converted from a primary machine
  • HA-SKU machine

Workaround : None.


Symptom : AP stopped working once and the log was found on the controller and TFTP server.

Condition: Unknown.

Workaround : None. Access point resets on its own.


Symptom : Access point radio resets during the FlexConnect state change.

Condition: Restore access point connectivity to controller.

Workaround : None.


Symptom : Controller on Release 7.3 or 7.4 fails to authenticate the One Time Password (OTP) users authenticating with TACACS+. The following debug output is displayed when you use the debug aaa tacacs enable command:


auth_cont get_pass reply: pkt_length=25

processTplusAuthResponse: Continue auth transaction

No auth response from: <SERVER IP>, retrying with next server

Preparing message for retransmit. Decrypting first

Forwarding request to <SERVER IP> port=4900

AUTH Socket closed underneath

No auth response from: <SERVER IP>, retrying with next server

Preparing message for retransmit. Decrypting first

Forwarding request to <SERVER IP> port=4900

AUTH Socket closed underneath

Exhausted all available servers for Auth/Author packet

Condition: This issue occurs under the following conditions:

1. Controller uses Release 7.3 or 7.4.

2. TACACS+ is used for management user authentication.

3. OTP is used for TACACS+. Static passwords are not affected.

Workaround :

Extend the TACACS+ management server timeout value by using the following commands:

config tacacs auth disable server-index

config tacacs auth mgmt-server-timeout server-index 10

config tacacs auth enable server-index


Symptom : When there is duplex mismatch between a Cisco Aironet 1140 Series Access Point port and an upper layer switch port, the following warning appears on the switch, controller, and access point:

duplex mismatch discovered

However, when the controller is upgraded to Release 7.4.x, the warning message is not logged to controller.

Condition: Controller with Release 7.4.x.

Workaround : None.


Symptom : Cisco 8510 controller does not update the config line after disabling DHCP proxy using the config dhcp proxy disable bootp-broadcast disable command.

Condition: Release

Workaround : Manually enter the line in the config file or modify the configuration directly on the controller using the CLI or the GUI.


Symptom : Cisco 5508 controller in an HA configuration with two AAA servers sends TACACS+ authentication and authorization requests to different AAA servers. Users using a TACACS+ account are unable to log in to the controller, because the controller sends the authentication request to one AAA server, and the authorization and accounting requests to another AAA server configured in the controller.

Condition: This issue occurs under the following conditions:

1. HA configured on the controller.

2. Users log onto the controller using TACACS+.

3. Two or more AAA servers are defined in the controller TACACS+ authentication and authorization server list.

Workaround : None.


Symptom : Wired clients behind a third party WGB device fail to get an IP address.


Condition:

  • Third party bridge associates to an access point in H-REAP (FlexConnect) local switching mode.
  • Controller is using release higher than Release

Workaround : None.


Symptom : Beacon loss in Cisco AP1130.

Condition: Cisco AP 1130 in FlexConnect mode.

Workaround : None.


Symptom : In a mesh topology, RAP-MAP1-MAP2 (all are 1522 access points using 5 GHz backhaul), when MAP1 does not have an Ethernet bridge client then MAP2 connects to MAP1 and joins the controller. However, when MAP1 has an Ethernet bridge client then MAP2 fails to connect to MAP1 to join the controller. The authentication process between MAP2 and MAP1 is never completed in this case.

The issue also appears regardless of the radio used for backhaul (both 5 GHz and 2 GHz backhaul).

Condition: Only on 1520 series access points.

Workaround : None.


Symptom : On an HA pair, when the standby unit is active, the evaluation license remaining time warning is displayed.

Condition: Unknown.

Workaround : None. The HA controller continues to work as the local licenses are not used for access point join validation.


Symptom : Controller sends a message that the APs should be moved to a primary controller, after 90 days of an AP joining the controller.

Condition: This occurs when an HA-SKU controller is used as a secondary controller in an N+1 configuration and an AP has joined the controller.

Workaround : None.


Symptom : Flash is not accessible for Cisco AP1520 or Cisco AP1550. The APs will continuously write the following flash error to the console:

Write of the Private File nvram:/lwapp_ap.cfg Failed
*Feb 8 15:10:34.947: %LWAPP-3-CLIENTERRORLOG: Save LWAPP Config: error saving config file
*Feb 8 15:10:35.115: Write of the Private File nvram:/lwapp_ap.cfg Failed
*Feb 8 15:10:35.119: %LWAPP-3-CLIENTERRORLOG: Save LWAPP Config: error saving config file
*Feb 8 15:10:40.211:

and can generate one of these two error messages, when a "dir" command is done:

opening flash:/ (Invalid argument)
opening flash:/ (Device or resource busy)

Workaround : Reboot the Cisco AP.


Symptom : Controller fails intermittently.

Condition: Web pass through clients anchored from foreign controller to anchor controller.

Workaround : Reboot the controller.


Symptom : New AP801 on C1941 cannot enable the radios. The radios get reset continuously, and IOS shows the 802.11 driver process using 99 percent CPU. Reloading the AP or router does not change this.

Condition: This occurs when AP801 joins controller using Release 7.4.x.

Workaround : None.


Symptom : When an AP in FlexConnect local switching mode fails over from the primary controller to the secondary controller, the client protocol displays 802.11b instead of 802.11g.

Condition: This occurs in controller

Workaround : None.


Symptom : Clients are unable to join.

Condition: This occurs in controller 7.3 5500 with FlexConnect and NAT/PAT AP IP.

Workaround : Enable data encryption.


Symptom : The FT and LT detection time for an alarm is ahead/later than the AP clock. This is causing a delay in NCS to detect the alarm.

LCAVIAX014-2AD1#show capwap am alarm 54
capwap_am_show_alarm = 54
<A id='139266813'>
<FT>2013/03/12 23:37:44</FT>
<LT>2013/03/12 23:38:07</LT>
<DT>2013/03/01 21:59:47</DT>
pAlarm.bPendingUpload = 0
LCAVIAX014-2AD1#show clock
*21:59:18.983 UTC Tue Mar 12 2013

In Cisco NCS, you will not see the alarm until the actual AP time matches the time reported in the FT.

Condition: This occurs in controller 5508, AP3500 wIPS ELM mode, MSE 3350 on Release

Workaround : None.


Symptom : The "Central Dhcp" and "nat-pat Flag" are enabled on WLAN. With this configuration, when a wireless client tries to associate with an AP, the AP IP address is duplicated to default gateway.

Condition: This occurs in controller

Workaround : Disable “nat-pat Flag”.


Symptom : WiSM2 secondary controller DP stops responding due to deadlock in HA configuration while it gets booted and synchronizes with the primary controller.

Condition: This occurs rarely when there are multiple reboots of the controller in HA configuration. The controller recovers after reboot.

Workaround : None.


Symptom : Clients on 802.11n rates get disconnected or experience data transfer issues when certain segment number orders are used.

Condition: When client leading segment number is lower than the window (lower order).

Workaround : For Apple devices, disable AQM in the Apple wireless driver. Disable A-MPDU. Also refer to CSCug65693 for a workaround.


Symptom : Memory leak in EAP.

Condition: This issue occurs during excessive mesh AP Authentication.

Workaround : None.


Symptom : Controller sends the active keep alive as a wired packet instead of wireless.

Condition: When the controller sends the keep alive as a wired packet the ISE drops it because of license.

Workaround : Use passive keep alive instead of active.


Symptom : WiSM2 stops responding and reboots (bcastReceiveTask 1332).

Condition: Unknown.

Workaround : None.


Symptom : AP stops responding due to unexpected exception to CPUvector.

Condition: There is no outstanding trigger.

Workaround : None.


Symptom : Ascom phone stops receiving voice packets.

Condition: 11n in use; voice traffic QoS markings are lost in the downstream direction.

Workaround : Either fix QoS markings or disable 11n.


Symptom : Clients are unable to connect to the SNMP NAC SSID, and the following error message is displayed:

Unable to process out-of-band login request from <MAC and IP Addr> [device-filter]. Cause: OOB client<MAC and IP Addr> not found.

Condition: This occurs after upgrade from controller 7.4.

Workaround : Enable NAC Alert Client Trap.


Symptom : As per the data sheet, the 1600 AP should have 17 dBm of Tx power on 1 antenna and up to 22 on 3 antennas.

However, the show controllers output shows that power level 1 is 13 dBm on 3 antennas (8 dBm per antenna). Comparing the show controllers output with that of the 3600e clearly shows that the 1600 AP has less Tx power. Field tests also show it has a much smaller coverage area. This is on 2.4 GHz; 5 GHz power is meeting expectations. This was noted in the -E regulatory domain. Also, modifying the antenna gain has no effect at all on Tx power.

Condition: This occurs in controller 7.4.100 code. European regulatory domain in countries where the expected power level is 17.

Workaround: None.


Symptom : Controller fails to redirect clients to the WebAuth/Passthrough page.

Condition: This occurs in controller 7.4.x when clients begin the WebAuth/Passthrough process by going to a web page that has cached their credentials in a cookie (such as “remember me” at

Workaround : Use a website that does not cache credentials in cookies. Clear the client's cookies for that particular website or all websites. Downgrade controller to controller 7.0/7.2/7.3.


Symptom : The foreign controller does not respond to ARP from foreign export client to a local client being on the same VLAN.


Condition:

  • Client1 associates with WLC1 (local)
  • Client1 performs Layer 3 roam to WLC2 (WLC2: foreign / WLC1: anchor)
  • Client2 associates with WLC2 (local)
  • Initiate traffic, that is ping from Client1 to Client2

Workaround : None.


Symptom : SRE controller gives an option to configure the “External NAT IP State” and “External NAT IP Address” in the management interface. AP placed in the public domain will not be able to join the SRE. This is because the controller discovery response includes only the controller private IP address. Moreover, the option of enabling or disabling only the ap-discovery nat ip is not available in CLI. “config network ap-discovery nat-ip-only enable/disable”.

Condition: Unknown.

Workaround : Do not place SRE-controller behind NAT even though the GUI allows you to configure it.


Symptom : Clean Air sensor goes down and requires a reboot.

Condition: First found on monitor mode APs.

Workaround : Reboot the AP.


Symptom : Controller changes the overlapping subnet interfaces IP addresses to all zeros without raising any visible alarm on GUI/CLI or any message on msglog/traplog or “show invalid-config”.

Condition: Controller had overlapping subnet interfaces prior to upgrade.

Workaround : Ensure that controller does not have overlapping interfaces before an upgrade.


Symptom : When VLAN transparent feature is enabled on controller version 7.2, it does not pass VLAN tags. Span at end device shows all frames being placed on the native VLAN.

Condition: VLAN Transparent enabled.

Workaround : Disable VLAN Transparent and set the MAP Ethernet port as trunk.


Symptom : Cisco AP3500 gets DFS events because of radar on a DFS channel associated with a Cisco 7925 IP phone. The frequency of DFS events is higher on weekdays and during business hours.

Condition: Controller Release

Workaround : None.


Symptom : When broadcast SSID is disabled, the client is unable to associate with the controller.

Condition: Disable the broadcast SSID in controller. A client is unable to associate.

Workaround : A non-Cisco client is able to associate.


Symptom : Anchored SSIDs on controller release incorrectly show recently configured peer controllers in their anchor list after a reboot.

Condition: Controller Release with existing anchored SSIDs.

Workaround : Manually go to the anchored SSID and remove the recently added peer controllers from its anchor list.


Symptom : On FlexConnect (H-REAP) access points with a WLAN setup for local switching and local authentication, not all of the client detail fields are populated when a client connects to the WLAN.

Condition: Unknown.

Workaround : Switch the client authentication from local to central.


Symptom : Controller stops working while running controller release

Condition: Unknown.

Workaround : None


Symptom : Controller stops working if you clear the AP join statistics.

Condition: This problem occurs only when you clear the AP join statistics (Monitor > Statistics > AP join Statistics > Clear).

Workaround : None


Symptom : Cisco 4400 Controller stops working in spamreceive in release

Condition: None.

Workaround : None.


Symptom : Client sending TCP SYN to a Multicast MAC for its gateway results in the controller not sending a TCP SYN ACK. The TCP handshake does not complete and hence the client never generates HTTP traffic and is never redirected. Traffic is seen arriving at foreign and sending to anchor. The anchor ignores/drops the TCP SYN.

Condition: Controller Foreign/Anchor doing Central Web Authentication. When a client has a Multicast MAC address for gateway, this issue occurs. This is usually the result of having a load-balance/clustered node for the gateway of a client.

Workaround : Do not use Multicast MAC.


Symptom : Autonomous AP running software version 15.2 loses clock information after reboot.

Condition: Autonomous AP running software version 15.2. Clock information is lost even when “clock save interval” is configured. This is important for WGB situations where the AP must use certificate-based authentication (EAP-TLS, PEAP), and the certificate validation fails the time check.

Workaround : Perform the following:

1. Manually configure the clock after an AP reboot.

2. Configure SNTP for applications where AP is not operating as WGB with certificate-based authentication by entering this command on the AP console:

ap(config)#sntp server a.b.c.d {version 1|2|3}


Symptom : The LAP1520 outdoor mesh APs get false DFS triggers when in-band/off-channel (ch 124) weather RADAR signals are present and received above -20 dBm, causing network instability. A similar behavior was observed with off-band maritime radars operating in the 3.05 GHz band, but this can be addressed with band-pass filters installed at the antenna port.

Condition: AIR-LAP152x outdoor mesh AP installed near a weather RADAR installation.

Workaround : New hidden CLI dfs-peakdetect added to address this issue.


Symptom : Some clients are not removed from the controller database after user idle timer is expired.

Condition: When 100 clients expire simultaneously because of user idle timeout, only 64/65 deauths are sent and 36/37 clients are not removed from the controller database.

Workaround : Manually remove the stale clients or reboot the AP that had these clients or reboot controller.


Symptom : Controller intermittently stops working.

Condition: Any controller running software versions from 7.0 through 7.4.

Workaround : None.


Symptom : If you remove the HSRP configuration, it leads the CAPWAP APs to keep sending data traffic to the old HSRP MAC while the control traffic is sent to the new correct gateway MAC.

Condition: Cisco AP3500 and HSRP gateway.

Workaround : Reboot AP.



Symptom : Guest LAN interface loses its guest LAN check box because of which the guest WLAN gets disabled.

Condition: Guest LAN interface loses its guest LAN check box.

Workaround : Reenable the guest LAN check box on the guest LAN interface. Enable the guest WLAN and set the correct ingress interface.


Symptom : A Cisco AP802 may exhibit one of the following symptoms:

  • when configured for FlexConnect mode, it may come back up in local mode
  • the recovery (rcvk9w8) image attempts to download the full lightweight (k9w8) image via CAPWAP, but the AP resets after 15 minutes and repeats the process

Condition: Cisco AP802, lightweight IOS.

Workaround : Disable the RBCP heartbeat failure detection reset, which by default occurs after 15 minutes, by entering the “service-module wlan-ap0 heart-beat reset disable” command on the router.


Symptom : The local AAA server of the controller shows the outer username of a wireless user who authenticates using local EAP.

Condition: When using local EAP on the controller.

Workaround : Disable identity protection on the wireless client to use the same username for the inner and outer EAP username. For local EAP, the inner username will be shown in the clients page or in show client detailed mac-addr.


Symptom : High number of client exclusions can prevent configuration changes from being applied to Access Points.

Condition: High number of client exclusions and access points joined to the controller.

Workaround : Disable client exclusion.


Symptom : Client RADIUS authentication fails. The debug client command shows a message similar to this:

Dot1x_NW_MsgTask_7: Dec 17 11:43:36.983: 00:11:22:33:44:55 Entering Backend Auth Response state for mobile f0:d1:a9:24:d8:a7
Dot1x_NW_MsgTask_7: Dec 17 11:43:36.985: 00:11:22:33:44:55 Processing AAA Error 'Out of Memory' (-2) for mobile f0:d1:a9:24:d8:a7
Dot1x_NW_MsgTask_7: Dec 17 11:43:36.999: 00:11:22:33:44:55 Sent Deauthenticate to mobile on BSSID 20:37:06:00:11:22 slot 0(caller 1x_auth_pae.c:1394)

At the same time, the msglog shows a message similar to this:

Dot1x_NW_MsgTask_7: Dec 17 12:30:23.296: #DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aborted for client 00:11:22:33:44:55

The traplog shows a message like this:

297 Mon Dec 17 12:36:29 2012 Client Deauthenticated: MACAddress:00:11:22:33:44:55
Base Radio MAC:20:37:06:00:11:22 Slot: 1 User
Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1

Condition: Large scale deployments with multiple clients. RADIUS queues fill up and fail under heavy authentication/accounting load.

Workaround : Disable RADIUS accounting and authentication.


Symptom : Cisco Flex 7510 Series Wireless LAN Controller stops working when it is part of a HA pair. After this, the controller reloads and becomes active.

Condition: Controller is part of an HA pair.

Workaround : None.


Symptom : When a Cisco 1142 lightweight access point joins to a 2504 controller, the access point name that appears in the Wireless page is different from the name that appears in the Monitor > Statistics > AP Join page. Some access point MAC address characters are appended to the access point name, or multiple entries are created with different base radio MAC addresses.

Condition: Controller with image.

Workaround : None.


Symptom : After High Availability (HA) failover, the show redundancy peer-route summary command does not show any service port routes. This issue is applicable to Cisco 8500 Series Wireless LAN Controller.

Condition: The service port routes do not exist after High Availability (HA) failover.

Workaround : None.


Symptom : mDNS snooping is enabled for FlexConnect local switching enabled WLAN after controller upgrade.

Condition: When you use controller release 7.3 with FlexConnect local switching enabled WLAN and upgrade it to 7.4.

Workaround : None.


Symptom : LDAP Authentication occurs on a globally defined server listed outside the WLAN settings.

Condition: When there is a timeout of LDAP authentication on the configured WLAN LDAP server.

Workaround : Use 1 LDAP server/OU for all users or use RADIUS authentication.


Symptom : Clients are able to connect in b/g band even though Radio Policy for an SSID is specifically set to “a only”.

Condition: Create a WLAN with radio policy set to “a only”. Configure the phones/clients in b/g mode and they successfully connect.

Workaround : None.


Symptom : The Ethernet bridged client of Mesh AP (MAP) does not work.

Condition: If the Ethernet bridged client (for example, a PC) has been plugged into the Ethernet port of a MAP before the MAP joins the controller, then the client will not work. The issue is seen on an AP1140, AP3500 and AP3600 (all indoor mesh APs). The issue is not seen on AP1552 (outdoor mesh AP).

Workaround : Ensure that the bridged client is not plugged into the MAP Ethernet port, and then reload the MAP. Let MAP join the controller before plugging the client into the MAP Ethernet port. The client gets a valid IP address and should respond to pings.


Symptom : AP sends ARP responses for a client in DHCP required state.

Condition: Flex mode AP on controller release DHCP is enabled on the WLAN. Roaming breaks for clients on Flex mode APs.

Workaround : Disable the DHCP REQD check box on the WLAN.


Symptom : Controller detects false positive Dynamic Frequency Selection Detections (DFS) owing to signals transmitted by Broadcom radios.

Condition: Client hardware triggers DFS detections owing to signals transmitted by Broadcom radio.

Workaround : Use non-DFS channels.


Symptom : While performing a device synchronization operation from Cisco NCS (SNMP query operation), Cisco controller returns a noSuchName value.

Condition: Telnet is enabled (occasionally seen).

Workaround : None.


Symptom : WPA2 with TKIP and WPA with AES is not supported in standalone mode, local-auth in connected mode, and CCKM fast-roaming in connected mode.

Condition: Occurs only when the WLAN is configured as:

  • FlexConnect Local Switching and Local Authentication.
  • WPA-PSK with AES encryption.

Workaround : Disable local authentication or use WPA2-PSK with AES or WPA-PSK with TKIP.


Symptom : AIR-CT5508-K9 unexpected reboot happens in Cisco controller 7.4.x software version with "apfMsConnTask_5" task suspended.

Condition: Crash happens under normal condition without any changes in hardware or software configuration or network topology.

Workaround : None.


Symptom : Client disassociated from fast transition roam due to key failure. This issue occurs only when both PMF and FT are supported.

Condition: Client has negotiated both PMF and FT capabilities with the access point.

Workaround : Disable PMF or FT.


Symptom : When the client is not authenticated by RSA/RADIUS server using webauth, Cisco controller places the client in RUN state. This issue is caused by the usage of two factor authentication.

Condition: Unknown.

Workaround : Do not use two-factor authentication. Cisco controller does not support two-factor authentication.


Symptom : While enabling a AAA over-ride in the WLAN during foreign controller-interface mapping on a guest access configuration, the anchor controller uses the default interface configuration to assign IP address to the client if the AAA server does not send any interface details.

Condition: Unknown.

Workaround : None.


Symptom : Cisco MAP gateway becomes unreachable using ICMP and displays memory allocation failures.

Condition: 1552UE MAP with IP camera connected.

Workaround : Reboot the access point.


Symptom : The 3600 AP running in FlexConnect mode stops working with the following decode:


Condition: Unknown.

Workaround : None.


Symptom : Controller marks an interface in a group as dirty even when a response is received from the DHCP server. This issue is observed when some clients insist on requesting an IP unlisted in the connected interface range in a flood. The controller forwards the DHCP NAK responded by the DHCP server when a request is made. However, the interface will still be marked as dirty.

Condition: Unknown.

Workaround : None.


Symptom : When an access point is in FlexConnect Local Switching mode with disabled VLAN support, client communication is lost when access point switches over from one controller to another.

Condition: Unknown.

Workaround : None.


Symptom : When an access point is in FlexConnect mode and has continuous association/re-association of clients with flapping WAN connection, access point may crash at the following decode:


Condition: Access point is in FlexConnect mode and has continuous association/re-association of clients with flapping WAN connection.

Workaround : None.


Symptom : Cisco NCS SNMP polling hangs as Cisco controller hangs while performing an SNMP walk on the bsnMeshNeighsTable table for the Cisco controller.

Condition: SNMP walk on bsnMeshNeighsTable.

Workaround : None.


Symptom : When an access point receives an authentication request from a client whose database is about to be freed/deleted, the access point should not respond with an auth response for a disabled BSSID.

Condition: Unknown.

Workaround : None.


Symptom : Image upgrade fails in a high availability environment even when the standby is up and running. The standby HOT does not display any image download activity.

Condition: Occurs on AP 5508/WiSM2 high availability environment.

Workaround : Reset the system and retry the image download.


Symptom : While trying to change Layer2 and Layer3 policies on any two similar WLANs, an error message "WLAN with duplicate SSID and Layer2 security policy found." is displayed.

Condition: Occurs on AP 5508/WiSM2 high availability environment.

Workaround : Perform the following workaround:

1. Change WLAN configuration from the CLI. You must disable both the WLANs from the GUI and enable the WLANs again after you complete the configuration.

2. Delete the existing WLAN and re-create another WLAN using the GUI.


Symptom : WebAuth redirect fails when a FlexConnect access point joins the Cisco controller using the IP address from the DHCP server after a reload. A reload occurs when the FlexConnect AP with static IP address has lost connectivity to Cisco controller and the default gateway.

Condition: Unknown.

Workaround : Reload the FlexConnect access point.


Symptom : While enabling an mDNS profile on an interface group, an error "Active WLAN using interface group. Disable WLAN first" is displayed when an interface group is already mapped to a WLAN or an access point.

Condition: Usage of mDNS gateway on interface group.

Workaround : Ensure that you remove, add, and enable mDNS on the interface group before further use.


Symptom : Clients are unable to connect to receive DHCP information post upgrade.

Condition: Usage of mDNS gateway on interface group.

Workaround : Use other VLANs.


Symptom : Controller displays incompatibility behavior on Change-of-authorization (CoA) for RFC 3576 implementation and shows the debug output error 'RFC-3576 Disconnect-Request', which indicates that session identification attributes are invalid.

Condition: Change-of-authorization (CoA) on the controller.

Workaround : When the three AVP pair attributes are sent, the controller accepts the disconnect request:

  • Calling-Station-ID: MAC address of device (lower case works)
  • Service-Type: Login-user
  • Called-Station-ID: (upper case MAC of AP SSID separated by colons)


Symptom : A wireless client is not denied association when it re-associates.

Condition: The maximum number of clients per access point radio is configured on each Cisco AP1142.

Workaround : None.


Symptom : The “SNMP operation to Device failed. Table too large, possible agent loop.” error message is displayed on monitoring access points on Cisco Prime Infrastructure 1.3.

Condition: SSID is set to FlexConnect local switching and access point set to local AP mode.

Workaround : None.


Symptom : Cisco OEAP fails to connect when a failover occurs from LDPE to Non LDPE controller when in a high availability setup.

Condition: Unknown.

Workaround : None.


Symptom : SIP clients sometimes associate with access points over the CAC voice max-bandwidth.

Condition: Unknown.

Workaround : None.


Symptom : Clients are unable to associate to the access point radio. The access point continues to beacon, but when the client sends an 802.11 authentication frame, the access point fails to respond with an authentication response. This issue occurs when the use of the current transmit queues is equal to the limit - the radio is unable to transmit.

Condition: Unknown.

Workaround : You must perform the following workaround:

1. Write a script that goes out to each access point and monitors the usage of the radio transmit queues. If a radio is found whose transmit queue utilization is nearing its limit, then issue the following command:

clear interface <interfacename>

2. Manually reset the AP's impacted radio.


Symptom : Access point information in an access point group does not match when verified in GUI and CLI.

Condition: Unknown.

Workaround : Perform an upgrade.


Symptom : Client IP on controller does not get updated after executing the upgrade.

Condition: WLAN is used for mobile device, H-REAP local switching, but the DHCP server is central.

Workaround : Synchronization will happen after some time (20-30 minutes).


Symptom : The access point arranges a bandwidth for SIP phone, though not on the phone.

Condition: Unknown.

Workaround : None.


Symptom : While trying to connect to the Wireless LAN (WLAN) controller through SSH, the connection fails. If retried immediately from the same system to the controller, the connection succeeds.

Condition: The SSH connection is made from a different Layer 3 network. The issue is found in the Cisco 4400 and 2106 Series Controllers.

Workaround : Retry SSH connection.


Symptom : An 802.11n AP does not downshift rates for retries when low latency MAC is enabled. The AP sends three retransmissions but the data rate for retransmissions is the same as the data rate at which the initial packet was sent.

Condition: Using an 802.11n AP with low latency MAC enabled.

Workaround : Do not enable low latency MAC.


Symptom : H-REAP reached a maximum limit on the association ID for AP.


1. Client 1 is associated to the controller with AID as 1 on SSID x.

2. Client 1 sends 802.11 auth frame on SSID y, at this point AID as 1 is freed at the AP. Auth frames are not honored at the controller, so controller is not informed.

3. No association frame arrives from client 1 at SSID 2.

4. Client 2 associates to the AP and gets AID as 1.

5. AP updates the controller about client 2 and AID as 1, at this point the controller adds duplicate entries and increments the count (controller already has client 1 AID =1).

6. Counter is getting incremented and reaching 256. It is due to the network conditions in which the 802.11 authentication frames are sent (sometimes on a different WLAN) but is not followed by association frames.

Workaround : None.


Symptom : When a port in a LAG goes down and then comes up, the controller does not send an UP trap through SNMP.

Condition: Distribution ports are configured in a LAG and an SNMP trap receiver is configured.

Workaround : Use the show traplog command to view traplog on controller for the UP trap.


Symptom : While booting up the controller, you might view the following message on the attached monitor or on the serial console:

All the disks from your previous configuration are gone. If this is an unexpected message, then please power off your system and check your system and check your cables to ensure all disks are present.

Press any key to continue or C to load the configuration utility.

When the Space key is pressed, the system could not boot from the disk.

Condition: The controller might have passed through an accidental power interruption. Upon reboot, the RAID card could not find its configuration in the flash memory and therefore it could not boot.

Workaround : When you encounter the situation, you must enter into the RAID management tool called WebBIOS. There are two versions of the tool available:

  • One that uses extensive menus and requires an attached monitor.
  • Another one that is completely based on the command-line interface (CLI). The CLI version can be accessed from the serial console. The prompt appears right after the message. Enter into the CLI version of the WebBIOS utility by pressing Ctrl-Y and then entering the following command: -CfgForeign -Import -a0.


Symptom : After upgrading to the controller (release 7.2), when trying to connect the controller through SSH, the connection fails randomly, the prompt for username is displayed, and then SSH session gets closed from the controller side.

Condition: Unknown.

Workaround : Try connecting several times.


Symptom : AP is not forwarding Multicast data and IGMP querier messages.

Condition: Upon fresh reload of an AP.

Workaround : Perform shut or no shut on the WLAN.


Symptom : If you use the clear ap config CLI command or the clear all config option under the Set to Factory Defaults page in the GUI on an indoor AP that has been configured for mesh (bridge) mode, the AP remains in bridge mode.

Condition: An indoor AP that has been configured for mesh.

Workaround : Use one of the following methods:

  • Remove the IOS_STATIC_AP_MODE environmental variable from the AP. This can be done on the console by reloading the AP, escaping into the bootloader, and entering the bootloader command: ap: unset IOS_STATIC_AP_MODE.
  • Copy flash:env_vars from the AP to a TFTP server, edit the file to remove the IOS_STATIC_AP_MODE line, and copy the file back. Then, clear the AP config. When the AP reboots, it should be back to factory defaults.


Symptom : APs may not be able to join controller (with release 7.2 or 7.4) and the controller indicates the limit for maximum APs supported is reached.

Condition: Controller indicates the limit for maximum APs supported is reached when it has not been reached as indicated in the show license capacity command.

Workaround : Reboot the controller with evaluation license.


Symptom : A wireless webauth client is unable to authenticate to the network. When the client opens a browser window, the window is blank.

Using the debug web-auth redirect command, messages similar to the following appear:

*webauthRedirect: Oct 15 18:43:19.470: #EMWEB-6-REQUEST_IS_NOT_GET_ERROR:

webauth_redirect.c:1055 Invalid request not GET on client socket 72


*webauthRedirect: Oct 10 16:36:30.715: %EMWEB-3-PARSE_ERROR: parse error after reading. bytes parsed = 0 and bytes read = 189

Condition: The HTTP GET from the client is arriving at the controller in multiple TCP segments.

Workaround : Reconfigure your network, the client's TCP/IP stack, or both to ensure that the HTTP GET arrives in a single segment.


Symptom : WiSM2 is unreachable and unable to ping. All APs are dropped from the controller, and unable to ping the Management interface's gateway (through console) at the time of failure. Failure condition will recover on its own typically within minutes.

Condition: Cisco WiSM2 using Release

Buffer pool leak messages are printed within the msglog around the time of the failure:

*broffu_SocketReceive: Oct 20 07:31:15.291: #BROFFU-0-DP_BUFFER_POOL_LOW_DETECTED: broffu_fp_dapi_cmd.c:5060 Warning: DP Early PacketBuffer low detected. DP1 PacketBuffer=26105(<?26200) WQE=102318(<?26200)

*broffu_SocketReceive: Oct 20 07:31:15.291: #BROFFU-0-DP_BUFFER_POOL_LOW_DETECTED: broffu_fp_dapi_cmd.c:5060 Warning: DP Early PacketBuffer low detected. DP0 PacketBuffer=26025(<?26200) WQE=102322(<?26200)

Workaround : Downgrade the controller to its prior release.


Symptom : If you configure the MAC filtering RADIUS compatibility mode from GUI choosing Security > AAA > MAC Filtering > RADIUS Compatibility Mode or using CLI with the config macfilter radius-compat command as Cisco ACS or Free RADIUS, the WLAN controller sends an Access-Request packet with an all-bits-zero Message Authenticator attribute.

Condition: When the MAC Filtering RADIUS Compatibility Mode is configured as Cisco ACS or Free RADIUS.

Workaround : Choose Other (default value).


Symptom : WLAN controller calculates an incorrect message authenticator value for RFC3576 CoA requests from some RADIUS servers such as PacketFence NAC.

Condition: Controller with releases or

Workaround : None.
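A defender-side check for the two Message Authenticator caveats above (the all-zero attribute in MAC filtering Access-Requests and the mismatching value on RFC 3576 CoA exchanges), as an added example that is not Cisco code: it classifies the attribute in a captured RADIUS request using the HMAC-MD5 rules of RFC 2869 and RFC 5176. The shared secret, the sample packets and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, DISCONNECT_REQUEST, COA_REQUEST = 1, 40, 43
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869)


def parse_attributes(packet):
    """Return [(type, value_offset, value)] for a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def expected_message_authenticator(packet, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    (length,) = struct.unpack("!H", packet[2:4])
    buf = bytearray(packet[:length])
    if buf[0] in (COA_REQUEST, DISCONNECT_REQUEST):
        buf[4:20] = bytes(16)  # RFC 5176: Request Authenticator is treated as zeros
    for a_type, offset, value in parse_attributes(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            buf[offset:offset + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def check_message_authenticator(packet, secret):
    """Classify the attribute: absent, malformed, all-zero, valid or invalid."""
    attrs = parse_attributes(packet)
    if packet[0] not in (ACCESS_REQUEST, DISCONNECT_REQUEST, COA_REQUEST):
        return "unsupported-code"  # responses also need the matching request
    values = [v for t, _, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not values:
        return "absent"
    if len(values[0]) != 16:
        return "malformed"
    if values[0] == bytes(16):
        return "all-zero"  # the symptom described for the MAC filtering caveat
    expected = expected_message_authenticator(packet, secret)
    return "valid" if hmac.compare_digest(values[0], expected) else "invalid"


def build_packet(code, ident, attrs, secret, tamper=None):
    """Build a constructed sample request; tamper is None, 'zero' or 'corrupt'."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    auth = bytes(16)
    if code == ACCESS_REQUEST:
        auth = hashlib.md5(b"constructed nonce").digest()  # stands in for random bytes
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body)
    if tamper != "zero":
        mac = expected_message_authenticator(bytes(pkt), secret)
        if tamper == "corrupt":
            mac = bytes([mac[0] ^ 0xFF]) + mac[1:]
        pkt[-16:] = mac
    if code != ACCESS_REQUEST:
        # RFC 5176 Request Authenticator: MD5(Code+ID+Length+16 zeros+attributes+secret)
        pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + bytes(16) + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)


SECRET = b"constructed-shared-secret"
# Constructed attributes: User-Name (1), Calling-Station-Id (31), Service-Type (6) = Login
REQ_ATTRS = [(1, b"001122334455"), (31, b"00-11-22-33-44-55")]
COA_ATTRS = [(31, b"00-11-22-33-44-55"), (6, struct.pack("!I", 1))]


def audit_samples():
    """Run the check over four constructed packets and return the verdicts."""
    samples = {
        "access-request zeroed": build_packet(ACCESS_REQUEST, 1, REQ_ATTRS, SECRET, "zero"),
        "access-request good": build_packet(ACCESS_REQUEST, 2, REQ_ATTRS, SECRET),
        "coa-request good": build_packet(COA_REQUEST, 3, COA_ATTRS, SECRET),
        "disconnect corrupt": build_packet(DISCONNECT_REQUEST, 4, COA_ATTRS, SECRET, "corrupt"),
    }
    return {name: check_message_authenticator(p, SECRET) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name}: {verdict}")
```

An "all-zero" verdict means the packet carries no integrity protection at all, so a RADIUS server that enforces Message-Authenticator validation will reject it.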


Symptom : Access points are assigned to channels with lower maximum powers.

Condition: Varying power levels in different channels of the new access points. The controller detects more neighbors with high RSSIs on channels with higher power.

Workaround : None.


Symptom : In a VMware ESX cluster, when migrating a vWLAN controller from one host to another via vMotion, the vWLAN controller management may become unreachable for 15-30 seconds which may cause APs to transition to standalone mode temporarily and prevent centrally switched WLANs from communicating.

Condition: A virtual controller's management interface is configured with a dot1q VLAN tag communicating through a virtual switch network configured with VLAN (4095 ALL) in promiscuous network. VMware network can be configured to "Notify Switches" causing RARP to be sent on VM's tagged interface for updating neighbors with CAM table seamlessly during vMotion transition. This is transparent to the VM. In the vWLAN controller deployment, hosts cannot know the vWLAN controller’s management or other interface dot1q tags so RARP is delivered untagged. This prevents CAM tables from learning of MAC update on proper VLAN ID and therefore a loss of communication to the vWLAN controller.

Workaround : Communication is established as soon as the vWLAN controller generates traffic through the new host after a vMotion event. No known workaround.


Symptom : Client entry is seen on multiple controllers even when not anchored to the controller or part of its mobility group.

Condition: Not known.

Workaround : None.


Symptom : In the Cisco 5508 Series Wireless Controller, when the MAC Filtering authentication is enabled from the GUI using the following procedure, client authentication fails.

1. Choose Security > AAA > RADIUS > Authentication to open the RADIUS Authentication page. Define more than one RADIUS server.

2. Choose Security > AAA > MAC Filtering and set the RADIUS Compatibility Mode as Free RADIUS.

3. In the WLAN setting, select the MAC Filtering check box, select the Authentication server that you have selected. The index number of the server is 1.

4. Choose Security > AAA > RADIUS > Authentication. Delete the RADIUS server which has index number 1.

5. In the WLAN setting, select Authentication server which has index number other than 1.

Condition: None specified.

Workaround : From the WLAN controller GUI, choose Security > AAA > RADIUS > Authentication, and define a dummy RADIUS server which has index 1.


Symptom : A Cisco controller functioning as a DHCP server with large DHCP scopes may stop servicing DHCP client requests.

Condition: WLAN controller with release

Workaround : Reload the WLAN controller.


Symptom : When adding a new 3600 AP to the WLAN controller with multiple countries, the AP may select a country in a different regulatory domain than that of the AP.

Condition: With an AIR-CAP3602I-A-K9 joining a controller with countries in regulatory domains for -A and -N. The AP selects the country in the -N regulatory domain.

Workaround : Select the correct country and enable the AP admin state.


Symptom: The Cisco 5508 Wireless LAN Controller fails to respond when a client moves from PMIP enabled wireless controller to non PMIP enabled wireless controller if fast SSID is enabled.

Condition: Fast SSID is enabled. The controller is deployed with a mix of PMIP and normal WLANs in use.

Workaround: Disable Fast SSID.


Symptom: After multiple 802.1x failures, the client is never excluded when the controller uses the software version.

Condition: Client repeatedly fails when 802.1x authentication is used.

Workaround: None


Symptom: The controller fails to respond when the AAA server pushes the Cisco AV pair when the url-redirect-acl is longer than 32 characters.

Condition: The error occurs when the url-redirect-acl name is longer than 32 characters.

Workaround: Use url-redirect-acl names of less than 32 characters.


Symptom: After adding a WLAN to an AP group, the WLAN properties cannot be edited on the AP VLAN mapping page when the AP is in flex mode.

Condition: WLAN is disabled before being added to the AP group.

Workaround: Perform the following steps:

1. Enable the WLAN before adding to AP group.

2. Add another enabled WLAN.

3. Reload AP.


Symptom: Configuration import of ASCII and HEX commands for PSK do not work as expected. Clients fail to authenticate.

Condition: This happens when the configuration contains ASCII and HEX commands in un-encrypted format for PSK.

Workaround: Use an encrypted format when you upload the configuration for PSK.


Symptom: Cisco Aironet 1242 Access Point generates tracebacks and coredump after the controller upgrades to Additionally, the radios also reset as shown in the log below:

Jul 10 06:02:54.569: %SYS-2-BADSHARE: Bad refcount in datagram_done, > ptr=125F318, count=0 -Traceback= <HEX Tracebacks>

Condition: The Cisco Aironet 1242 Access Point generates tracebacks and coredumps when upgraded to the Cisco WLC software version

Workaround: None.


Symptom: Cisco Aironet 2600 Access Points fail to perform location calibration when using either the linear or by data points methods. Location calibration works for other models of access points.

Condition: When location calibration is performed when there are Cisco Aironet 2600 Series Access Points as part of the deployment.

Workaround: None.


Symptom: BCAST queue is filled up displaying the following error:

Traplog indicates : "RX Multicast Queue Full"

Condition: Wireless clients send the IGMP report as soon as the query is sent by the Cisco WLC, causing a spike in the Bcast queue. The spike lasts only a very brief moment but is enough to fill the queue.

Ideally for each query, clients should send report within 10 seconds. So throttling would happen. But in some cases, if the application does not do backoff (it sends as soon as query is received) a Bcast queue full message is displayed.

Workaround: Increase IGMP query interval and timeout. If the queue is full and the IGMP query is not processed on first try, the stream will still not be affected until no report is received over the timeout value.


Symptom: Cisco WLC fails to respond when software version is used.

Condition: The Cisco WLC fails to respond when mDNS snooping is enabled on software version

Workaround: Disable mDNS snooping.


Symptom: Unable to use debug pm pmk command.

Condition: Unable to use the debug pm pmk

Workaround: None


Symptom: Cisco WLC fails to respond with the task spamPacketDumpHandleIntraRoamCase

Condition: The Cisco WLC fails to respond when the ap packet-dump command is used.

Workaround: Do not use ap packet-dump feature.


Symptom: The RAP loses its static channel on 5 GHz, and the 2.4-GHz channel gets set to static when configured for auto.

Condition: When the RAP is configured with the following values:

RAP-1 - Set to Channel 100. 2.4 GHz = Auto

RAP-2 - Set to Channel 161. 2.4 GHz = Auto

Both RAPs are initially joined to the Cisco WLC over a wired connection.

When the RAP-1 Ethernet link is lost or goes down, RAP-1 joins over the wireless backhaul through RAP-2. When the Ethernet connection is available again, RAP-1 joins over Ethernet and gets set to channel 161 (it remembers the previous parent's channel information), and 2.4 GHz gets set to static channel 11.

Workaround: Ensure that the RAP Ethernet connection is never lost. If the Ethernet connection is lost, the RAP should not join another RAP.


Symptom: When a RAP loses its wired connection it fails to restore connectivity as a MAP through the radio backhaul.

The mesh adjacency is correctly built to a nearby MAP and the RAP gets an IP address and can even join its WLC, but shortly afterwards a radio reset is observed, which causes the RAP to disconnect.

The RAP never settles down (it keeps on looping) till the wired connectivity is restored.

Sample error messages on RAP console:

*Feb 8 19:37:54.919: %CAPWAP-3-ERRORLOG: Selected MWAR '5500-5'(index 0).
*Feb 8 19:37:54.919: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Feb 8 19:37:45.139: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 5500-5
*Feb 8 19:37:45.183: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 0021.a1f9.fa0f VIDB Virtual-Dot11Radio0 forwarding

*Feb 8 19:37:46.075: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Feb 8 19:37:46.083: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Feb 8 19:37:47.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Feb 8 19:37:47.099: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5700 MHz for 60 seconds.
*Feb 8 19:38:21.751: %MESH-4-NO_POTENTIAL_PARENT: There are no potential parents
*Feb 8 19:38:24.751: %MESH-4-NO_POTENTIAL_PARENT: There are no potential parents
*Feb 8 19:38:24.751: %MESH-6-LINK_UPDOWN: Mesh station 0021.a1f9.fa0f link Down
*Feb 8 19:38:24.951: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 0021.a1f9.fa0f VIDB Virtual-Dot11Radio0 going down

*Feb 8 19:38:24.955: %LINK-6-UPDOWN: Interface Virtual-Dot11Radio0, changed state to down10
*Feb 8 19:38:25.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Dot11Radio0, changed state to down

Condition: Mesh deployment on the following software versions: / /

Workaround: None.


Symptom: 802.11 statistics do not update in Cisco AP1600 in Monitor mode.

Condition: On the AP console, enter the show int dx statistics command. The statistics are not updated.

Workaround: None.


Symptom: After clearing and reloading the configuration, if HA is configured, the MAC addresses differ on the active and standby mobility controllers when the show mobility summary command is executed.

Condition: Configuration clear.

Workaround: This does not happen in normal operation. It occurs only when the configuration is fully wiped and reconfigured and HA is reestablished.


Symptom: Cisco WLC controller fails to respond and resets the spectrumNMSPTask

Condition: Cisco WLC fails to respond under normal conditions. Conditions unknown.

Workaround: None.


Symptom: A Cisco WLC running software version 7.4 in DHCP Proxy mode omits option 255 from the DHCP request packet, resulting in packets being dropped during inspection.

Condition: Release 7.4.

Workaround: Set format to ASCII by running the following command:

config dhcp opt-82 format ascii


Symptom: In an HA scenario, when the default management gateway is broken, the standby or active controller goes into maintenance mode and never comes out of that mode even after the connection is restored.

Condition:

1. Configure an HA pair and configure a standby and active controller.

2. Shut down the management default gateway and ensure that one controller goes into maintenance mode after a reboot.

3. After some time, restore the management gateway connection and try to make the controller in maintenance mode come back to the corresponding mode after the connection is restored.

4. The controller always remains in the maintenance mode until a manual reboot is performed and the status is shown to be in negotiation.

Workaround: Perform a manual reboot of the controller.


Symptom: The APs disjoin after the switchover if the Cisco 8500 WLC has 6000 APs and 64000 clients on the full load.

Condition: This happens when the Cisco 8500 controller is fully loaded.

Workaround: None.


Symptom: The following messages are displayed on Cisco WiSM2:

Message from at Sep 20 08:38:46 ... wism2-ms9: *spamApTask7: Sep 20 08:38:42.434: #OSAPI-0-INVALID_TIMER_HANDLE: timerlib_mempool.c:241 Task is using invalid timer handle 15069/46996
Message from at Sep 20 08:38:46 ... wism2-ms9: -Traceback: 0x113b0060 0x10a26264 0x105c9810 0x105c2760 0x105c2b90 0x105c3094 0x105a19e0 0x10348180 0x103d88ec 0x103e4ac4 0x10e4c86c 0x10a22318 0x11d316a0 0x11d8ffcc

Condition: The error message is displayed when using WiSM2 using wireless controller software version.

Workaround: None.


Symptom: Cisco WiSM2 stopped working after an upgrade from Release to

Condition: Cisco WiSM2; upgrade.

Workaround: None.


Symptom: Cisco WiSM2 stopped working and rebooted.

Condition: TPCv2 is in enabled state.

Workaround: Disable TPCv2.


Symptom: Cisco Virtual Wireless LAN Controllers fail to correctly implement Virtual CPU Access Control Lists that have been configured to restrict access to the private virtual management address.

Condition: Cisco Virtual Wireless LAN Controllers running WLC Release 7.4 are affected.

Workaround: None.

Further Problem Description: This issue does not allow an attacker to bypass any forms of authentication. An attacker that did access the private virtual management interface would need to provide valid credentials to gain access to the device.


Symptom: On the WLC or PI GUI, CleanAir operational status for one or more Cisco Aironet series access points shows 'Down' as operational status with reason 'CleanAir internal error [5]'. On the console log for the access point, there are messages such as the following:

%CLEANAIR-3-ERROR: Slot 0 could not connect to spectrum FW
*Oct 2 13:30:07.327: NCI-I1: openSensor(slot=1)
*Oct 2 13:30:37.315: NCI-E1: Sensor Connect failure, 260
*Oct 2 13:30:37.315: CleanAir: **** Slot 1: Failed to start, err=5
*Oct 2 13:30:37.315: NCI-I1: shutdownNci
*Oct 2 13:29:57.327: CleanAir: **** Slot 1: Failed to start, err=5

The event log shows repeated radio resets with reason code 37 (Radio IDB Reset):

Sep 26 22:32:53.579: %EVT-5-NTC: Radio d0 RST 37 Flags 60109 BCN 0
Sep 26 22:32:53.579: %EVT-5-NTC: Radio d0 RST 37 Flags 60109 BCN 0
Sep 26 22:32:53.579: %EVT-5-NTC: Radio d0 RST 37 Flags 60109 BCN 0

Condition: Occurs only with CleanAir capable Cisco Aironet Access Points such as the 3500, 2600, and 3600 series APs.

Workaround: None.
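
One way to triage collected AP logs for the CleanAir caveat above, added here as an example and not Cisco code: it flags an AP only when its logs show both parts of the symptom, a CleanAir start failure with err=5 and repeated radio resets with reason code 37. The function names, the two-reset threshold for "repeated", and the sample log (modelled on the lines quoted above) are assumptions made for illustration.

```python
import re
from collections import Counter

# Patterns taken from the console and event-log lines quoted in the caveat.
FW_CONNECT = re.compile(r"%CLEANAIR-3-ERROR: Slot (\d+) could not connect to spectrum FW")
START_FAIL = re.compile(r"CleanAir: \*+ Slot (\d+): Failed to start, err=(\d+)")
RADIO_RESET = re.compile(r"%EVT-5-NTC: Radio (d\d+) RST (\d+)\b")

CLEANAIR_ERR = 5      # "CleanAir internal error [5]" in the caveat text
IDB_RESET_CODE = 37   # "Radio IDB Reset" in the caveat text

# Constructed sample: one AP's console and event log merged into one text.
SAMPLE_LOG = """\
%CLEANAIR-3-ERROR: Slot 0 could not connect to spectrum FW
*Oct 2 13:30:07.327: NCI-I1: openSensor(slot=1)
*Oct 2 13:30:37.315: NCI-E1: Sensor Connect failure, 260
*Oct 2 13:30:37.315: CleanAir: **** Slot 1: Failed to start, err=5
*Oct 2 13:30:37.315: NCI-I1: shutdownNci
Sep 26 22:32:53.579: %EVT-5-NTC: Radio d0 RST 37 Flags 60109 BCN 0
Sep 26 22:32:54.101: %EVT-5-NTC: Radio d0 RST 37 Flags 60109 BCN 0
Sep 26 22:33:10.442: %EVT-5-NTC: Radio d1 RST 12 Flags 60109 BCN 0
"""


def triage(log_text, min_resets=2):
    """Summarise CleanAir failures and code-37 radio resets in one AP's log.

    min_resets is an assumed threshold for what counts as "repeated" resets.
    """
    fw_slots, err5_slots = set(), set()
    other_errors = Counter()   # CleanAir start failures with a different err code
    idb_resets = Counter()     # code-37 resets per radio

    for line in log_text.splitlines():
        m = FW_CONNECT.search(line)
        if m:
            fw_slots.add(int(m.group(1)))
            continue
        m = START_FAIL.search(line)
        if m:
            slot, err = int(m.group(1)), int(m.group(2))
            if err == CLEANAIR_ERR:
                err5_slots.add(slot)
            else:
                other_errors[err] += 1
            continue
        m = RADIO_RESET.search(line)
        if m and int(m.group(2)) == IDB_RESET_CODE:
            idb_resets[m.group(1)] += 1

    repeated = {radio: n for radio, n in idb_resets.items() if n >= min_resets}
    return {
        "fw_connect_slots": sorted(fw_slots),
        "err5_slots": sorted(err5_slots),
        "other_cleanair_errors": dict(other_errors),
        "idb_resets": dict(idb_resets),
        # Both halves of the symptom must be present on the same AP.
        "matches_caveat": bool(err5_slots) and bool(repeated),
    }


def affected_aps(logs_by_ap, min_resets=2):
    """Return the names of APs whose logs match the caveat signature."""
    return sorted(
        ap for ap, text in logs_by_ap.items()
        if triage(text, min_resets)["matches_caveat"]
    )


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An err=5 line without repeated code-37 resets, or resets accompanied by a different CleanAir error code, is reported in the summary but does not set matches_caveat.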


Symptom: Controller stops working and then reboots.

Condition: Ad hoc rogue detection is in enabled state.

Workaround: Disabling ad hoc rogue detection is a potential workaround.

On the controller GUI, choose Security > Wireless Protection Policies > Rogue Policies > General, and set Detect and report Ad-Hoc Networks to the disabled state.


Symptom: Messages similar to the following may be seen in the msglog:

#OSAPI-4-MSGQ_SEND_FAILED: osapi_msgq.c:520 Failed to send a message to the message queue object: RRM-DCLNT-2_4-Q. enqueue failed.
*iappSocketTask: Sep 10 14:33:26.160: #RRM-3-MSGTAG021: rrmClient.c:1279 Airewave Director: Unable to queue enchanced coverage data from AP 00:25:84:00:11:22(1) on 802.11a
*iappSocketTask: Sep 10 14:33:26.165: #RRM-3-MSGTAG021: rrmClient.c:1279 Airewave Director: Unable to queue enchanced coverage data from AP 00:25:84:00:11:22(0) on 802.11bg
#RRM-3-RRM_LOGMSG: rrmClient.c:1885 RRM LOG: Airewave Director: Unable to queue load data from AP 00:27:0D:00:11:22(1) on 802.11a

Another symptom is that the WLC might stop working when the RRM profile is changed:

Reaper Reset: Task "emWeb" missed software watchdog

Condition: Unknown.

Workaround: None.


Symptom: When the Cisco WLC detects more than 21 ad hoc rogues, the web GUI shows only the first 20 entries (first page).

Conditions: On the web GUI, choose Monitor > Rogue > Adhoc Rogues and click “Unclassified Adhoc” or “Custom Adhoc”.

The first page is displayed correctly, but it is not possible to browse to the subsequent pages.

Workaround: Use the show rogue adhoc summary command on the CLI.


Symptom: System is unresponsive in different tasks after guest LAN is enabled.

Conditions:

  • Guest LAN
  • Cisco 5500 Series WLC using 7.2 or later releases
  • IPv6 traffic from clients

Workaround: Disable guest LAN or disable IPv6.


Symptom: Unable to delete an mDNS profile.

Conditions: When the mDNS profile is mapped to an interface and the interface is deleted.

Workaround: Before deleting the interface, detach the profile and then delete the interface.


Symptom: Cisco AP disconnects from primary and moves to secondary WLC because of memory allocation.

Conditions: Unknown.

Workaround: Reboot the Cisco AP.


Symptom: On Cisco 1240 and 1130 Series APs, DHCP does not work with FlexConnect and VLAN Native 2.

Conditions:

  • FlexConnect local switching
  • Cisco 1240 or 1130 Series APs
  • Cisco WLC Release or earlier releases
  • VLAN Native 2
  • User unable to get IP address and to connect to the network

Workaround: Change the native VLAN to a number high enough that no WLAN will ever be mapped to a bridge group number that high.

Further Problem Description: Telnet to the FlexConnect mode AP. Example: VLAN3 is the native VLAN on the FlexConnect mode AP. The AP is correctly mapped to bridge group 1. The WLAN that does not work is the one that is mapped to VLAN2. VLAN2 is mapped to bridge group 3 (see below). This is the instance where the issue is encountered. It can be any WLAN-VLAN-Native VLAN combination.

interface FastEthernet0.1
 encapsulation dot1Q 3 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface FastEthernet0.2
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
interface FastEthernet0.3
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled


Symptom: Wireless clients cannot receive broadcast packets after broadcast key rotation.

Conditions : Dynamic WEP; Release,, and

Workaround: Enter the config advanced eap bcast-key-interval 86400 command in the middle of the night and then change the security setting to WPA2.

Resolved Caveats

Table 6 lists the caveats that are resolved in this release.


Table 6 Resolved Caveats



LC needs force reset option to recover if stuck in sw download state.


New Memory leak sshpm, on sshencode. line 252


Cisco AP3500 watchdog crashes at random with CPU Hog while under light load.


OEAP600 low TCP throughput less than 50Mbps for personal SSID


Aggr Sched Cat 1: AP crashes due to function pointer corruption


AP crash in spamProcessCertPayload


AP3600/3500 DFS false detect


Controller stopped working at emWeb instruction: ewaFormSubmit_login_callback


Controller stopped working on multiple tasks, high CPU, after enabling guest-lan


Local switching 3600 drops IP6to4 TCP SYN ACK packets received from LAN


ARP problems with MAPs


Radio reset: SF3 radio 'tx jammed'[BZ 809]


Web access issue on SRE with 7.2 code


AP: %SYS-2-INTSCHED: 'idle' at level 0 , interrupts -Process: CAPWAP CL


75Dup service ip add error messages on 6500 for WiSM2 in HA setup


1550 AP showing up in Local mode instead of MAP or RAP mode


AP send out ARP request for different subnet IP address


RRM queues running full on 7.3


LAP1142's display of Active Power levels is incorrect


LAP1550 excessive DFS detection for in-band/off-channel weather radar


CAP1552 local mode not obeying 30 min channel blacklist after DFS event


DHCPv6 solicits are sent over the air while they shouldn't


OEAP WPA2 issue, stuck at - wpaState to HANDSHAKE_AT_AP


Cleanup : mmListen:Failed to release a mutual exclusion object


Controller stopped working on Release


FlexConnect APs stuck in limbo when DHCP server is unreachable


Load - Controller 5500 stopped working --Task SXP SOCK


AP sometimes fails to hear BA from clients, causing BA timeouts [BZ 786]


License storage issues


AP1600 not deferring NDP and Rogue containment with high traffic


HA controller stopped working on reboot


Encryption key corruption on BA ack with wrong ID


Updating NB/WB spur suppression for 2600/3600 AP


7.4 changes radius callStationIdType from radio to eth mac


AP without default route lacks IP connectivity to other subnets


AP1242 in H-REAP mode crashed with traceback pointing to CAPWAP bindings


Some WLANs disabled after reboot


Memory Leak on Anchor controller for client auth trap.


Cisco WiSM2 stopped working after upgrading to 7.4.x only when high traffic load


Telnet Access to controller lost


AP1142 crashing after upgrading to 7.4.x


Debug leaking due to lack of mac address for APF


Standby controller continuous crash when a mesh joined to Active


Failure observed in SNMP for AP CAPWAP retransmit change push


3600 sends continuous corrupted deauth frames when in WIPS + 7.4


Failure observed during Web-auth redirect


HA redundancy does not failover to standby when powercycled


HA redundancy does not failover to standby when removing ETH cable


Power level:2 in 2.4GHz on 3602I/2602I APs is stated invalid


DP failure because of DP Exception on


Controller failure task: osapiBsnTimer SNMPTask


AP failure due to chunk corruption; periodic client disconnects


High CPU on mobility task, crash on mmlisten


TX power level changes are reset after AP reboot (11nAP)


TPC in 7.4 reduces transmit power to lower than expected values


WSSI interference triggers DCA to change channels on serving radios


RRM AP Neighbor list is not synced to HA Standby after switchover


Failure in DHCP Socket Task nfaSyncMsgSendToTask dhcpSendRaw


Controller failure in SrDoSnmp


Pmalloc trailer failure - sshmp-integer-core.c


Insufficient output by 'show 802.11a/b cleanair air-quality summary'


Wired guest not getting IP address on controller


Unable to enable "bootp-broadcast" with HA SSO configured


Controller failure on with mDNS service enabled


Controller leaking memory for task:mmlisten


Clients hit Idle timeout after successful authentication


Controller: Failure with w/iappSocketTask reason


Controller drops wireless to wireless client traffic with source UDP/16666


rf-profile configuration not shown in show run-config commands


Memory leak in mm_listen.c, line 8826


Failure to create AP bundle during controller upgrade


RF group state is HA standby on the active after failover


Reaper reset controller due to mutex issue in spectrumRadSlotAQEnableGet


HA: IGMP/MLD join goes out of standby controller


AP reloads with DOT11-3-NO_BEACONING "Not Beaconing for too long"


Sanity check is not performed and both controllers stay Active


MSE: Need auto archive log feature, log full brings down MSE services


Standby does not take over when active is powered down


AP not send traffic indication to client in power saving mode in time


TPC on demand functionality not working with HA.


MSE out of memory while adding APs to floor.


dBm value is zero for AP802


WiSM2 crash due to Task Name: apfMsConnTask_6


AP does not clear L2 MGID info after Dynamic Interface Change


Controller failure: Silent crash on 5508 running without any crashlogs


Unable to access controller GUI using management via wireless on 7.4


Unable to upgrade from previous cco to phos via GUI


Clients not removed from AP after HA failover


SSID column in raw report from controller shows wrong data


Controller 5508 crash due to memory corruption in task name spamApTask6


fixes for: reporting times, location corner cases and analytic services


HA 5500 controller stopped working due to memory corruption during AAA initialization


7500 and WiSM2 High Availability issue


HA will not even pair with 80ms RTT


Small packet drop on wism2 + DTLS scenario


emWEB task controller Crash observed when execute "config wlan delete"


Mobility control path is down between 8500(HA)-8500


A-Pair stuck in image download state


CalledStation Id should use MAC Address per CalledStationID change


1552E: Flash fills up and cannot join as flash cannot be written to...


All ap clears the L2 MGID when wlan intf mapping deleted frm 1 apg.


getTagLocationlistfortelemetry api returns null


1600, 2600, 2600 aIOS permits only 7 dBm power setting


RRM misbehaving on BGL Alpha HA OEAP controller


Virtual controller: Web authentication feature is broken in virtual controller


DP heartbeat lost, crash at longevity testbed


Save config is not updating startup config with new AP group int mapping


AP radio Core dump: Transmitter seems to have stopped


After a few Failover None of the Clients get authenticated


Controller crashed - Task Name: SNMPTask


New 7500 M3 Hardware Version, unable to scale to 6000 APs


ACL is not inherited when controller switched over


HA - Standby ctrl reboots twice due to mobility related XML mis-match


CAPWAP background config save fixes/optimization


HA Standby controller FUS DP failure crash loop


'Network interrupt loop detected'; does not show AP traceback


Standby Crashing when Active tries to transfer images in a particular sc


AP is not able to boot with recovery image


WSSI not supported in -S, -N regulatory Domains (possibly more)


Secondary 5500 controller has went to hung up state


L2roam entry not initialized in HA standby controller


5500 controller failure during upgrade after kitchen sink stress with mem @ 79%util


No beacon is sent from AP1600 for bake-off image


FlexConnect ACL is not retaining after AP reboot in standalone


back out CSCuc3599, devshell over telnet


AP 1142 DATA_KEEPALIVE_ERR When DTLS Enabled - Not Staying Connected


Controller crashes when applying CPU ACL in HA


Radio disabled due to inline power on


New client 802.11 auth fails 3600 or 2600 AP on 2.4GHz band after time


Central DHCP Processing WLAN not getting added to Flexconnect AP


2504 Traceback errors after image upgrade


AP memory leak - %SYS-2-MALLOCFAIL: Memory allocation failed


WISM2 : HA : - AP disconnects the Active and rejoins post switchover


AP 1524PS/AG crashing while doing clear config


ARP request unicast is dropped on anchor scenario


WiSM2 crashes Reason: Reaper Reset Task:dtlArpTask


Macbook client disconnect on alpha_ac


Crashinfo files continue to grow on AP without being cleaned


HA pair broken & config disappeared for WiSM2 running version


Web-authentication with static ip client fails in Export Anchor


All the rogue config params are lost on the AP in the following scenario


Controller-GUI Radius Response Time shows Centi-Seconds when it's really msecs


Crash of SXP core when trying to delete configured SXP connection


WiSM-2 crash Task Name: apfMsConnTask_7 Reason: System Crash


Controller 7.4 crash on tplusTransportThread


Controller console hung after serial timeout if any show cli output in buffer


Controller: Observing double 'client authenticated' Trap logs


FlexConnect AID leak


Instrumentation for reaper task


7500 primary controller crashed while start image transfer


Controller Crash Task Name: emWeb Reason: System Crash (HA)


L2 mgids are getting deleted in APs after HA switchover


APs disconnect on software download in a HA Pair


Aggr_Sched Stack Corruption (infinite loop in timer_send path)


7500 controller crash at task emweb


HTTPS to HA controller fails after reload as it misses Web Admin key


Missing reset interrupt level for flex ext. webauth


Rogue transient threshold computation is wrong in AP


HA messages showing in console during boot


Wired Client behind Universal WGB does not get an ip


HA Primary controller (Cisco Flex 7500 controller) reboots with gateway reachability issue


Aggr_Sched_Stack Corruption


AP SSO active controller crash at emWeb Task


ipv6 webauth not working if wlan is mapped to dynamic interface


Controller crash on if you make any config change


Sys Crash seen on New Act on S/Wover at acDtlsPlumbDataPlaneKeys


APs are not properly detecting RRM measurements


Intra controller roaming with Webauth broken


RRM changing txpower when interval timer not expired


Aggr_Scheduler_Crash - FWD_TRACE_L function (freed dtx in cpq)


3600 AP hang on network interrupt loop


AP602 OEAP using invalid channels for E domain


Stand-by controller Reloading when power down the Active controller


OEAP: Evora WLAN client can't connect since client database is full


Controller: WiSM2 crashed when CNA began device discovery


With RF profile created, certain clients are not able to join


OEAP600 frequently disconnecting when joined to controller with HA pair


ap3500 crash with TLB Miss in sig_channel_stats()


AP 3600 fails to generate coredump


One-way audio issue seen on spectralink 8400

Installation Notes

This section contains important information to keep in mind when installing controllers and access points.


Warning This warning means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Warning Do not locate the antenna near overhead power lines or other electric light or power circuits, or where it can come into contact with such circuits. When installing the antenna, take extreme care not to come into contact with such circuits, as they may cause serious injury or death. For proper installation and grounding of the antenna, please refer to national and local codes (e.g. U.S.: NFPA 70, National Electrical Code, Article 810, Canada: Canadian Electrical Code, Section 54). Statement 280

Warning This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductors (all current-carrying conductors). Statement 13

Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground connector. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024

Warning Read the installation instructions before you connect the system to its power source. Statement 10

Warning Do not work on the system or connect or disconnect any cables (Ethernet, cable, or power) during periods of lightning activity. The possibility of serious physical injury exists if lightning should strike and travel through those cables. In addition, the equipment could be damaged by the higher levels of static electricity present in the atmosphere. Statement 276

Warning Do not operate the unit near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use. Statement 364

Warning In order to comply with radio frequency (RF) exposure limits, the antennas for this product should be positioned no less than 6.56 ft. (2 m) from your body or nearby persons. Statement 339

Warning This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. Statement 1017

Safety Information

Follow the guidelines in this section to ensure proper operation and safe use of the controllers and access points.

FCC Safety Compliance Statement

The FCC, with its action in ET Docket 96-8, has adopted a safety standard for human exposure to RF electromagnetic energy emitted by FCC-certified equipment. When used with approved Cisco Aironet antennas, Cisco Aironet products meet the uncontrolled environmental limits found in OET-65 and ANSI C95.1, 1991. Proper operation of this radio device according to the instructions in this publication results in user exposure substantially below the FCC recommended limits.

Safety Precautions

For your safety, and to help you achieve a good installation, read and follow these safety precautions. They might save your life!

1. If you are installing an antenna for the first time, for your own safety as well as others, seek professional assistance. Your Cisco sales representative can explain which mounting method to use for the size and type of antenna you are about to install.

2. Select your installation site with safety as well as performance in mind. Electric power lines and phone lines look alike. For your safety, assume that any overhead line can kill you.

3. Call your electric power company. Tell them your plans and ask them to come look at your proposed installation. This is a small inconvenience considering your life is at stake.

4. Plan your installation carefully and completely before you begin. Successfully raising a mast or tower is largely a matter of coordination. Each person should be assigned to a specific task and should know what to do and when to do it. One person should be in charge of the operation to issue instructions and watch for signs of trouble.

5. When installing an antenna, remember:

a. Do not use a metal ladder.

b. Do not work on a wet or windy day.

c. Do dress properly—shoes with rubber soles and heels, rubber gloves, long-sleeved shirt or jacket.

6. If the assembly starts to drop, get away from it and let it fall. Remember that the antenna, mast, cable, and metal guy wires are all excellent conductors of electrical current. Even the slightest touch of any of these parts to a power line completes an electrical path through the antenna and the installer: you!

7. If any part of an antenna system should come in contact with a power line, do not touch it or try to remove it yourself. Call your local power company. They will remove it safely.

8. If an accident should occur with the power lines, call for qualified emergency help immediately.

Installation Instructions

See the appropriate quick start guide or hardware installation guide for instructions on installing controllers and access points.

Note: To meet regulatory restrictions, all external antenna configurations must be installed by experts.

Personnel installing the controllers and access points must understand wireless techniques and grounding methods. Access points with internal antennas can be installed by an experienced IT professional.

The controller must be installed by a network administrator or qualified IT professional, and the proper country code must be selected. Following installation, access to the controller should be password protected by the installer to maintain compliance with regulatory requirements and ensure proper unit functionality.

Service and Support

Information About Caveats

If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:

(If you request a defect that cannot be displayed, the defect number might not exist, the defect might not yet have a customer-visible description, or the defect might be marked Cisco Confidential.)


For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:

Click Product Support > Wireless. Then choose your product and Troubleshooting to find information on the problem you are experiencing.

Related Documentation

For additional information about the Cisco controllers and lightweight access points, see these documents:

  • The quick start guide or installation guide for your particular controller or access point
  • Cisco Wireless LAN Controller Configuration Guide
  • Cisco Wireless LAN Controller Command Reference
  • Cisco Wireless LAN Controller System Message Guide

You can access these documents at this URL: .

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: .

Subscribe to What’s New in Cisco Product Documentation , which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.