Cisco Wireless Hot Issues from Cisco TAC

LMS 423 Installation not installed latest device packages for Inventory., CSCue69689

Enhancement: webauth support for fragmented HTTP GET request, Open CSCug74297

Symptom: A wireless webauth client may be unable to authenticate to the network. The problem is seen specifically with cached pages on the client browser. Web redirect occurs fine on the web pages that are not cached.
Conditions: The HTTP GET from the client is arriving at the WLC in multiple TCP segments.
Workaround: - Current limitation of the controller; this is as per design. If the HTTP request intercepted by controller is fragmented, it drops the packet as the HTTP request does not contain enough information required for redirection. - Reconfigure your network and/or the client's TCP/IP stack to ensure that the HTTP GET arrives in a single segment.

Cleanup : mmListen:Failed to release a mutual exclusion object, Fixed CSCud22588

Symptom: Traceback and message log flood with messages like *mmListen: osapi_sem.c:1077 Failed to release a mutual exclusion object. mutex unlock failed, not owned by the calling thread.
Conditions: IPv6 turned on the WLC. You do not need IPv6 to be turned on your wired network to see these error messages but more this are coming from Wireless clients which are ipv6/ipv4 capable. These are cosmetic messages.
Workaround: Disable IPv6 if IPv6 is not needed.

LMS 423 bug fix CSCub77461 breaking RME Device Selectors., Fixed CSCue06188

Symptom: RME Device selector may not show all devices managed in LMS.
Conditions: Adding the devices newly using bulk import option in DCR in LMS4.2.3. If already devices were added in LMS4.2.2, then issue is not applicable by upgrading to 4.2.3.
Workaround: Follow the below steps to patch class files, --> Delete all the devices in DCR --> Take the backup of original class files from below location and then apply the files taken from LMS4.2.2 server, CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\inventory\dm\DeviceListManager CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\inventory\dm\server\DCRMessageProcessor --> Restart the daemons. --> Add the devices again using bulk import.

AP not send traffic indication to client in power saving mode in time, Fixed CSCue71856

Symptom: AP does not send traffic indication to client in power saving mode in time Due to that, Client in power saving mode cannot receive traffic.
Conditions: Client which can support power saving mode may affect this problem.
Workaround: Disable power saving mode on client side may help problem. Nothing on WLC/AP side.

Anchor Controller Hangs intermittently, Open CSCuf03454

Symptom: Controller Hangs intermittently
Conditions: Web pass through clients anchored from Foreign controller to Anchor controller. Controller became un responsive randomly.
Workaround: Reboot the controller.

High cpu utilization with Flexible Netflow (FNF), Fixed CSCue67873

Symptom: High CPU observes on a router, when Flexible Netflow configured. Alternatively may also observe netflow information not being collected.
Conditions: This happens in DMVPN configurations with the tunnels and crypto with flexible netflow enabled as input on the tunnel, and when some packets have destination of the tunnel's IP address
Workaround: Configure traditional NetFlow, or configure flexible netflow only on "output" for tunnels.

rf-profile configuration not shown in show run-config commands, Fixed CSCue54977

Symptom: rf-profile configuration is not seen in show run-config commands
Conditions: N/A
Workaround: use config backup to ftp/tftp server.

AP unable to join controller, WLC indicates max APs supported reached, Open CSCub87374

Symptom: APs may not be able to join controller when running 7.2 controller code and controller indicates the limit for maximum APs supported is reached.
Conditions: Controller indicates limit for maximum APs supported is reached when it has not been reached as indicated in "show license capacity".
Workaround: Reboot Controller or switch to evaluation license.

Radio reset: SF3 radio 'tx jammed' due to corrupted rcv pak pointer, Open CSCuc06605

Symptom:AP1142 r0 coredump: corrupted rcv pak pointer
Conditions:AP1142 r0 coredump: corrupted rcv pak pointer
Workaround:none

cannot access controller GUI using management via wireless on 7.4, Open CSCue87961

Symptom: CANNOT ACCESS THE WEB GUI OF THE WLC
Conditions: MANAGEMENT VIA WIRELESS IS ENABLED
Workaround: USE THE WIRED NETWORK TO ACCESS THE WLC

AP must not bridge ARP traffic for clients with DHCP required in wlan, Fixed CSCud44269

Symptom: AP sending ARP responses for a client in DHCP required state
Conditions: Flex mode AP on 7.3.101.0 DHCP required enabled on the wlan. Roaming breaks for clients on Flex mode AP's
Workaround: Disable the DHCP REQD checkbox on the WLAN

OEAP600 low TCP throughput less than 50Mbps for personal SSID, Fixed CSCtx61744

Symptom: OEAP600 has very low TCP throughput for its personal SSID. Typical 40-43Mbps. Even though an Association is established between 2x2:2 802.11n client and OEAP at MCS 15 (300Mbps), the real TCP throughput does not achieve 50Mbps.
Conditions: [802.11n 2x2:2 client] ))) 5GHz Personal SSID ((( [Evora](LAN port)-------[FTP/TCP client/server] Using iperf or FTP is good to measure the TCP throughput.
Workaround: none

WebAuth fails on 7.4 when user goes to a site with cached credentials, Open CSCug74974

Symptom: WLC fails to redirect clients to the WebAuth/Passthrough page
Conditions: -Any WLC model running 7.4.100.0 -WebAuth/Passthrough WLAN -Client begins the WebAuth/Passthrough process by going to a webpage that has cached their credentials in in a Cookie (such as "remember me" at www.yahoo.com)
Workaround: -Have the client go to a website that doesn't cache credentials in Cookies -Clear the client's Cookies for that website or all websites -Downgrade WLC to 7.0/7.2/7.3

7.2.103.0 code does not accept interface name starting with "all......", Fixed CSCtz76153

Symptom: Customer upgraded the wlc from a 6.0 to the 7.2.103.0 and lost 2 dynamic valn interfaces which he could not recreate on the wlc
Conditions: Upgrade wlc to 7.2.103.0 you lose dynamic vlan having the word starting with "all" like alli,allied,allis etc . They cannot even create a new vlan from GUI or Cli the lot vlan "allis" in this case
Workaround: replace their existing vlan id with any word that does not have "all at the beginning of it

CME 9.1 crashes with TLB (store) exception in CCSIP_SPI_CONTROL, Open CSCug81754

Symptom: Router c2800 with CME9.1 crashes with signal 10 TLB (store) exception in CCSIP_SPI_CONTROL process
Conditions: unknown
Workaround: unknown

RRM grouping state stuck in computation state., Fixed CSCug46616

Symptom: RRM group leader stuck and does not do channel or power update.
Conditions: Potentially be triggered if you have AP's hearing each other when joined through a large set of WLCs where RF group name is same.
Workaround: Limit the RF group size to 1000 APs. So place the APs accordingly and avoid salt and pepper deployment.

Fastethernet0/1 stops sending traffic when Fastethernet0/0 is shutdown, Fixed CSCsu26174

Symptoms: A Cisco 1800 series router may stop passing traffic on FastEthernet interface 0/1 when FastEthernet interface 0/0 is administratively shut down using the interface configuration command shutdown. When FastEthernet 0/0 is shutdown, the following message is displayed: %GT96K_FE-5-LATECOLL: Late Collision on int FastEthernet0/0
Conditions: The symptoms are observed with FastEthernet 0/0 on a Cisco 1841 router and when the device at the far end of interface FastEthernet 0/0 is configured manually to speed 10 or 100.
Workaround: Configure the far-end device to auto-negotiate the speed with the 1800 router.
Further Problem Description: This problem does not occur when pulling out cable and re-inserting in FastEthernet 0/0. It also does not occur when FastEthernet 0/1 is reversed to FastEthernet 0/0.

"clear ap config" leaves indoor AP in mesh mode, Open CSCub14556

Symptom: If you use the "clear ap config" CLI, or the "clear all config" option, under "Set to Factory Defaults" in the GUI, on an indoor AP that has been configured for mesh (bridge) mode, the AP will remain in bridge mode.
Conditions: An indoor AP (such as an AIR-LAP1042) that has been configured for mesh.
Workaround: First, remove the IOS_STATIC_AP_MODE environmental variable from the AP. This can be done on the console by reloading the AP, escaping into the boot loader, and entering the bootloader command ap: unset IOS_STATIC_AP_MODE Or you can copy flash:env_vars from the AP to a TFTP server, edit the file to remove the IOS_STATIC_AP_MODE line, and copy the file back. Then clear the AP config. When the AP reboots, it should be back to factory defaults.

AP memory leak - %SYS-2-MALLOCFAIL: Memory allocation failed, Fixed CSCug54108

Symptom: AP memory leak causes SSH (to AP) to fail
Conditions: SSH to AP does not work
Workaround: reboot the AP

HA redundancy does not fail-over to standby when powercycled, Fixed CSCue02707

Symptom: HA redundancy does not fail-over to standby when powercycled after saving config
Conditions: Steps to recreate: 1. save config and confirm - either from GUI or CLI 2. toggle power switch on power supply to turn off power. The standby-hot controller does not fail over to primary until either you plug the RP cable into a switch or you power on the controller again.
Workaround: none.

WCS 7 security scans reporting IAVA 2013-A-0053, CVE-2012-3499 and 4558, Open CSCug57908

Symptom: WCS 7 security scans reveal the following issues: IAVA 2013-A-0053 Multiple Security Vulnerabilities for Apache Server Apache HTTP Server is an open source, commercial-grade web server application for various operating systems such as UNIX, Linux, and Microsoft windows. To exploit these vulnerabilities, a remote attacker would entice a user to access to a malicious link sent via email. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the affected browser and obtain access to sensitive information resulting in the compromise the affected system. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. CVE-2012-3499: Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. CVE-2012-4558: Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string."
Conditions: WCS 7.0.230.0 and 7.0.240.0. Earlier versions likely affected as well.
Workaround: None at this time on platform. Blocking access from unsecured IP/Ports via Firewall/ACL would be the only workaround via the egress/ingress router or Firewall.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do? dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C CVE ID CVE-2012-4558, CVE-2012-3499 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

url-redirect-acl not working on local-switching enabled 802.1x WLAN, Fixed CSCud89654

Symptom: On local switching enabled 802.1x WLAN, if the clients associate to a local AP(not flex AP), after successful authentication, only url-redirect attributed is accepted by WLC, not url-redirect-acl attribute, which causes failures on redirection thereafter.
Conditions: 802.1x WLAN with local switching enabled. WLC 7.2 and beyond.
Workaround: Disable local switching on the WLAN. But it also means that we have to segregate the local AP from flex APs on different WLCs, making it an impossible solution to mix them together on a single WLC.

1140 AP line up / protocol down, not beaconing anymore, Open CSCud93491

Symptom: 1140 AP not servicing clients anymore Show controllers indicate missed beacons
Conditions: Occuring after upgrade to 7.4.100
Workaround: Reboot the affected AP

WLC NAS id override is taking system name, Open CSCug73845

Symptom: WLC NAS-ID override is taking system name instead the nas-id configured on Apgroup/Wlan/Interface.
Conditions: Configure APgroup/Wlan/Interface NAS-ID.
Workaround: N/A

Rate limiting out of bounds on 4400/WiSM, Terminated CSCtj23339

Symptom: on 4404/Wism platfomrs, some applications are able to pass much more traffic than the average limit expressed on the bandwidth contracts
Conditions: TCP rate limiting on the "metal" assigned to the WLAN
Workaround: Disable ports 3/4 or 1/2, so traffic only goes through one NPU. This is not affecting 4402 or any other hardware platform

AP3600/3500 DFS false detect, Fixed CSCub26654

Symptom:AP3600 DFS false detect
Conditions:AP3600 sees false radar events from the 7925 phone.
Workaround:none

Oracle recoveryarea filling causes MSE to not make backups, Open CSCug22218

Symptom: The MSE may display odd behaviors like not taking backups or having trouble starting when the Oracle recovery area fills up and causes the archiver process to stop.
Conditions:
Workaround: At this time, there is no workaround. Contact the TAC for assistance.

HA redundancy does not fail-over to standby when removing ETH cable, Fixed CSCue02718

Symptom: HA redundancy does not fail-over to standby when removing ETH cable
Conditions: Steps to recreate: 1. save config and confirm - either from GUI or CLI 2. unplug ethernet cable. The standby-hot controller does not fail over to primary until either you plug the RP cable into a switch or back into the original controller
Workaround: none.

7.3 5508 flexconnect APs client not able to connect, Open CSCuf61599

Symptom: clients not able join
Conditions: 7.3 5500 wlc with flexconnect and NAT/PAT AP ip,
Workaround: enable data encryption

AP reloads with DOT11-3-NO_BEACONING "Not Beaconing for too long", Fixed CSCue62388

Symptom: Access Point reloads with the following error displayed on the AP console: Feb 21 19:17:39.498: %SYS-5-RELOAD: Reload requested by Dot11 driver. Reload Reason: Radio Not Beaconing for too long .... Feb 21 19:17:38.966: %DOT11-3-NO_BEACONING: Error on Dot11Radio0 - Not Beaconing for too long - Current [...] Last [...]
Conditions: This bug only occurs with 7.4.100.0 Wireless LAN controller software or 15.2(2)JB Autonomous release (posted Dec 2012 timeframe). It affects all 802.11n APs except the Cisco Aironet 1600 Series. 802.11a/b/g APs (Cisco Aironet 1130 Series and Cisco Aironet 1240 Series) are not affected.
Workaround: None.

Poor VPN Performance on 3600 APs, Open CSCue59791

Symptom: Slow VPN connection on 3600s
Conditions: Wireless client on a 3600 AP using a VPN connection
Workaround: Install DTLS license and enable data encryption on the AP

SNMP packet size requests from LMS is too large., Open CSCtj88629

Symptom: LMS sends more than 512 SNMP requests to the FWSM, so it rejects the requests.
Conditions: This occurs with FWSM and ASA's.
Workaround: None.

Duplicate & Invalid Association identifier entries for HREAP clients, CSCub21596

Symptom: Multiple issues seen with Invalid and duplicate AID entries on the WLC on the 7.2 code *apfReceiveTask: Jul 18 18:22:01.632: %LWAPP-3-INVALID_AID2: spam_api.c:1226 Association identifier 8 for client cc:52:af:7f:d8:8b is already in use by cc:52:af:7f:d2:1 *apfReceiveTask: Jul 18 18:03:45.096: %LWAPP-3-INVALID_AID2: spam_api.c:1226 Association identifier 2 for client cc:52:af:7f:cd:4e is already in use by cc:52:af:7f:d6:a1
Conditions: Flex connect mode Ap's on 7.2.103.0 . Also reported symptoms clients not responding to ARP/broadcast issues but AP's do not move to standalone mode as in CSCtz31572 and the escalation code fix for this does not resolve the issue
Workaround: None

AP association counter versus WLC association counter do not fit., Open CSCtn52995

Symptom: HREAP - Reached max limit on the association ID for AP
Conditions: 1. Client 1 is associated to the controller with AID =1 on ssid x 2. Client 1 sends 802.11 Auth frame on ssid y, at this point AID = 1 is freed at the AP. Auth frames are not honored at the controller, so controller is not informed 3. No association frame arrives from client 1 at ssid 2 4. Client 2 associates to the AP and gets AID = 1 5. AP updates the controller about client 2 and AID =1, at this point the controller adds duplicate entries and increments the count (controller already has client 1 AID =1). Counter is getting incremented and reaching 256. It is due to the network conditions at the customer site in which the 802.11 authentication frames are sent(sometimes on different WLAN), but is not followed by association frames.
Workaround: N/A

New client 802.11 auths fail on 3600 AP on 2.4GHz band after time, Open CSCug46718

Symptom: New 802.11 client 2.4GHz authentications will stop after a period of time
Conditions: 2.4GHz Cliect auths on 3600
Workaround: reboot AP

mobility to 7.0/7.2 WLCs goes down after HA failover to secondary, Open CSCue79462

Symptom: mobility goes down to wlc running 7.0/7.2 after a SSO failover
Conditions: SSO failover
Workaround: re enter the same mobility entry (using the mobility mac address) on the wlc running 7.0/7.2. basically just delete and re add the entry.

Flexconnect APs stuck in limbo when DHCP server is unreachable, Fixed CSCud33577

Symptom: Flexconnect AP stuck in loop/limbo
Conditions: When Flexconnect AP cannot renew dhcp lease. bvi1 interface goes down
Workaround: reboot the AP or increase lease time to a high value. You can also use static ip addresses on the AP. this issue is not seen if the native vlan on the flexconnect ap is set to '1' Create a vlan 1 from the flexconnect group

Crash in sipSPISendAck, Fixed CSCth22485

Symptom: Cisco router crashed while running 15.1(2)T2 with SIP calls.
Conditions: Router configured to handle SIP.
Workaround: None.

DB timeout on MSE due to Oracle password expiry, Fixed CSCud77760

Symptom: DB password expires on MSE
Conditions: The MSE framework may stop responding due to expired database password due to a bug in DB password expiry limits.
Workaround: 1. login to mse as root 2. stop mse 3. execute "oracleDBStartStop.sh start mseorcl open" 4. execute "source /opt/mse/install/oracleenv" 5. execute "getdatabaseparams" and save the output string, this is the db user password 6. execute su --command="sqlplus / as sysdba" oracle 7. at the SQL> prompt, issue the following commands alter user mse account unlock; alter user loc account unlock; alter user wips account unlock; alter user mse identified by ""; alter user loc identified by ""; alter user wips identified by ""; alter profile default limit password_life_time 370; quit 8. execute "oracleDBStartStop.sh stop mseorcl" 9. restart mse

3600 access point showing multiple mac addresses in switch port., CSCuc72288

Symptom: Enabling port security on 3600 AP connected switch port, shows more than one mac-address.
Conditions: Version 007.003(101.000) AP Platform : ap3g2
Workaround: None

Discovery may not stop properly when spaces are in LMS Install Directory, CSCuf86663

Symptom: LMS Discovery may fail to stop properly or show discovery results as expected Errors such as the following may be seen in CSDiscovery.log or ngdiscovery.log may be seen: java.io.FileNotFoundException: D:\Program%20Files\CSCOpx\MDC\tomcat\webapps\cwhp\WEB-INF\lib\discovery.jar (The system cannot find the path specified) [ Mon Mar 25 00:30:33 UTC 2013 ] FATAL [CSDiscoveryManager : stopDiscovery] : URN_NOT_FOUND : urn "CSDiscovery" : Not found !! [ Mon Mar 25 00:30:33 UTC 2013 ] FATAL [DiscoverySummaryAction : perform] : Exception occured during stop discovery in CS. Reason : URN_NOT_FOUND : urn "CSDiscovery" : Not found !!
Conditions: This has been seen to occur on systems where the LMS install directory/NMSROOT contains spaces or some other special characters which require URL Encoding. That includes the default install directories on Windows, such as C:\Program Files\CSCOpx or C:\Program Files (x86)\CSCOpx In general Solaris and the Linux Appliance will be unaffected as their default install directories are /opt/CSCOpx and unaffected by this issue.
Workaround: Backup existing LMS Reinstall LMS in a directory without any spaces or special characters, such as E:\CSCOpx Restore backup

Processing AAA Error 'Out of Memory', Fixed CSCud12582

Symptom: Client RADIUS authentication fails. "debug client" shows a message similar to this: *Dot1x_NW_MsgTask_7: Dec 17 11:43:36.983: 00:11:22:33:44:55 Entering Backend Auth Response state for mobile f0:d1:a9:24:d8:a7 *Dot1x_NW_MsgTask_7: Dec 17 11:43:36.985: 00:11:22:33:44:55 Processing AAA Error 'Out of Memory' (-2) for mobile f0:d1:a9:24:d8:a7 *Dot1x_NW_MsgTask_7: Dec 17 11:43:36.999: 00:11:22:33:44:55 Sent Deauthenticate to mobile on BSSID 20:37:06:00:11:22 slot 0(caller 1x_auth_pae.c:1394) at the same time, the msglog shows a message similar to this: *Dot1x_NW_MsgTask_7: Dec 17 12:30:23.296: #DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aborted for client 00:11:22:33:44:55 and the traplog shows a message like this: 297 Mon Dec 17 12:36:29 2012 Client Deauthenticated: MACAddress:00:11:22:33:44:55 Base Radio MAC:20:37:06:00:11:22 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecif ied ReasonCode: 1
Conditions: Large scale deployments with multiple clients. RADIUS queues fill up and fail under heavy authentication/accounting load.
Workaround: Disable RADIUS accounting and authentication.

3600 AP sends invalid frames (0000.0104.xxxx) when changing primary WLC, Fixed CSCud97325

Symptom: - 3600/2600 APs sends invalid frames sourced with address 0000.0104.xxxx - May result in security warnings on the switch, such as: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/46, new MAC address (0000.0104.d634) is seen.
Conditions: - This happen when the primary / secondary WLC are changed in the AP High Availability tab. - The bug will only occur with Cisco Aironet 2600 and 3600 Series Access Points
Workaround: None

Wism controller shows oper-down after upgrade to 7.0.98.0, Terminated CSCtk34560

Symptom: Customer upgraded 2 controllers from 6.0.199.4 to 7.0.98.0. After the upgrade and reboot, one of the controllers had a status of oper-down. No service port or management interface addresses were present in the 'show wism status' output. All aps remained joined to the controller, and no negative impact was noticed for the wireless clients. We could not ping the wlc interfaces from the sup720 or anywhere. Telnet / ssh / gui access to the wlc was available. Could not session to the controller frmo the sup720. The wlc could ping default-gateways and other addresses, but it could not ping any of its interfaces (including managment).No arp issues were seen.
Workaround: Reboot the controller, and its status changed to oper-up, and normal operations resumed.

Show Lag Hash commands not available with WiSM2, Terminated CSCug63001

Symptom: The commands "show lag eth-port-hash" and "show lag ip-port-has" are not available on the WiSM2 platform.
Conditions: All code versions.
Workaround: None.

wism2 crash and reboot (bcastReceiveTask+1332), Open CSCug38794

Symptom: wism2 crash and reboot (bcastReceiveTask+1332)
Conditions: wism2 crash and reboot (bcastReceiveTask+1332)
Workaround: none

annoying traps from WLC Client with MAC address has joined profile, Fixed CSCuc12395

Symptom: continous trap message from WLC Client with MAC address "wireless mac address of client" has joined profie "profile name"
Conditions: WLC running 7.2 or 7.3
Workaround: Upgrade to 7.4 WLC code and disable the trap control: config trapflags client nac-alert [enable/disable]

ARP problems with MAPs, Fixed CSCuc03576

Symptom: 1. Duplicate address detection on MAPs is not working as expected 2. MAP disconnects periodically (e.g. every 20 minutes) from RAP, then reconnects 3. MAP associates to RAP, and gets address from DHCP, and sends DHCP DISCOVERY packet to WLC, but MAP never receives the DHCP DISCOVERY response. Two underlying issues were found: 1. ARP requests (GARPs and normal ARP requests) are not reaching the MAPs. Thus it is possible to get multiple APS with duplicate addresses, both joining the WLC. Or, the MAPs' default gateway may be unable to resolve ARP for the MAPs, preventing CAPWAP connectivity. 2. GARP for address detection should be 1 per minute; there are some APs sending it every second for unknown reasons
Conditions: CUWN 7.2 through 7.4.
Workaround: To avoid multiply assigned IP addresses, make sure the DHCP scopes are separated. To work around other ARP problems: * configure a static ARP entry for the MAPs * configure routers on the MAPs' subnets to install ARP entries when they receive gratuitous ARP

AP Crash due to chunk corruption; periodic client disconnects, Fixed CSCue08313

Symptom: 1. An AP may crash due to low memeory. 2. An AP is seen to disconnect a wireless client repetitively, for example at 22 second, or 62 second intervals. When the AP disconnects the client, a syslog message similar to the following is seen: Apr 4 00:36:22.582: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station c8f7.332b.51ab Reason: Previous authentication no longer valid During this time, if the client is monitored via repetitive iterations of the "show dot11 associations MAC", it will be seen that the "Activity Timeout" value keeps decrementing, and the "Last activity" value keeps incrementing, even if the client is actively transmitting and receiving data. Thus, the AP disconnects the client once the configured activity timeout period - typically 20 or 60 seconds - expires. The client will typically, but not necessarily, immediately reassociate.
Conditions: Association of wireless client to AP.
Workaround: To avoid the repetitive associations, configure maximum activity timeout values: dot11 activity-timeout unknown default 100000 dot11 activity-timeout client default 100000 maximum 100000 dot11 activity-timeout repeater default 100000 maximum 100000 dot11 activity-timeout workgroup-bridge default 100000 maximum 100000 dot11 activity-timeout bridge default 100000 maximum 100000 Some CCX clients may not use these activity timeout values - in such a case, you must also disable Aironet extensions on the radio: no dot11 extension aironet

.Foreign doesn't rehome client after interAP group roam to his home vlan, Fixed CSCtt15179

Symptom: When two wireless clients that are associated to APs on the same controller try to communicate, one may not pass traffic to the other.
Conditions: L3 roam within WLC. For example: Associate client to an AP on WLC1 in VLAN1. Roam client to an AP in an AP group in VLAN2 on WLC2 - now the client is anchored to WLC1. Now roam the client to an AP on WLC2 but in an AP group in VLAN1. Now, even though the client is in VLAN1, and is on an AP on WLC2 that is in VLAN1, it will remain anchored to WLC2. This will cause a communication (ARP) failure when this client tries to talk with another client that is in VLAN1, but that is local to WLC2.
Workaround: Don't use AP groups for this WLAN.

AP group change to RAP in MAP mode results in stranded RAP, Fixed CSCug64950

Symptom: Modifying the AP group to a RAP which is currently connected through the radio backhaul (RAP in MAP mode due to wired uplink being down), the RAP will get stranded.
Conditions: Mesh AP (tested with 1552 and 1522 models) in role Root AP, with no wired backhaul available. WLC on 7.0.240.3
Workaround: Need console/telnet/ssh access to clear the capwap private config: clear capwap private-config reload

AP crash during normal operation, Fixed CSCtu39166

Symptom: AP rebooted with crashinfo created during normal operation.
Conditions: Normal operation
Workaround: Nothing

Custom logo not displayed when webauth secure web is disabled, Fixed CSCuc52528

Symptom: Custom logo not displayed on webauth login page
Conditions: Internal webauth with custom logo configured webauth secure web disabled
Workaround: Enable secure web or use a custom page

Option to Maintain Layer 3 Auth (Web Auth) Until Session Timeout, Open CSCua55111

Description: Enhancement request for a setting to allow for clients to maintain Web Authentication/Passthrough (Layer 3) Sessions until the Session Timer is reached. Today, any deauthentication event will purge the session and require the end-user to manually re-authenticate. Enabling this setting would allow for users to not be forced to re-authenticate until the Session Timer is reached.

WLC should not allow disable of MCS rates on 800ns guard interval, Fixed CSCub82468

Symptom: Some 11n clients may fail to associate or pass traffic after connection
Conditions: some MCS rates disabled on 0 to 15 Some interpretations of the 11n standard, may lead to enforce that 11n MCS rates are not disabled if operating on 800 guard interval
Workaround: Do not disable 11n rates

change radius-server retransmit, timeout for FlexConnect access point, Open CSCtz16966

Symptom: You can configure the controller to allow a FlexConnect access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. It's better to add a new function to configure the controller to change radius-server retransmit/timeout when a FlexConnect access point in standalone mode to perform full 802.1X authentication to a primary/secondary backup RADIUS server. When a FlexConnect access point in standalone mode and primary backup RADIUS server is down, Windows 7 supplicant PEAP authentication gets radius reject from secondary RADIUS server. If we can change radius-server retransmit/timeout, this authentication failure is avoidable.
Conditions: Reproducibility : Yes Software: 7.0.230.0
Workaround: There is no workaround at this time.

WLC reports incorrect number of AP's joined, Open CSCug38065

Symptom: WLC shows different numbers of AP's joined.
Conditions: 7510 WLC with 7.3.101.0 firmware CLI 'sh ap summ' and GUI 'All AP's' screen under WIRELESS tab both show 587 AP's joined to the WLC the GUI '802.11b/g/n' screen under the wireless tab shows 773 AP's currently on the WLC. License usage on GUI only reports 587 AP's out of 900 AP count RTU License config
Workaround: none

Memory Leak in CCE dp subblock, CSCub62582

Symptom: memory leak in CCE dp subblock of Chunk Manager. "show proc mem sorted" and "show chunk summary" show the leak. Device will eventually crash due to low memory.
Conditions: Normal
Workaround: Schedule proactive reload of the device to avoid unexpected crash

Creation of invalid AP group with special character # or %, CSCtg45622

Symptom: AP group name with special characters # or % cannot be created in WLC GUI and are "invalid". There may additional special characters that are considered "invalid". However, AP group creation can occur in WLC CLI. Then, the created AP group name with # or % will include all WLANs with default mapped interfaces that cannot be modified or deleted. This "invalid" AP group entry cannot be deleted in WLC GUI.
Conditions: WLC running 5.2 or later with AP groups feature (not AP group VLAN). WLC 5.1 or prior software allow for both CLI and GUI creation and deletion of such invalid AP group names.
Workaround: Delete "invalid" via WLC CLI. Make sure terminal software is not running Unicode (UTF8).

CLI to allow MRCPv1 to support RFC 2616, Fixed CSCti50250

Symptom: VXML client is failing to parse Russian external grammer from Nuance Speech Server.
Conditions: Russian external grammer hosted on Nuance Speech Server 5.0.2 [ASR 9.0.3 - Russian Lang Pack; Realspeak 4.5 - Russian Lang Pack]
Workaround: None

excessive pim traffic seen over HWIC-ESW cards, Fixed CSCti88571

Symptom: Excessive PIM traffic to 224.0.0.13 is seen
Conditions: When connected two layer 3 devices through two layer 2 trunked devices over ESW wics .
Workaround: This problem is not seen when using only one layer 2 trunk over an ESW wic

Crash at disc_tx_requeue_client, Fixed CSCts33018

Symptoms: The Cisco UC500 crashes at Dot11 subsystem after upgraded from SWP 8.1.0 (15.1(2)T2) to SWP 8.2.0 (15.1(2)T4)
Conditions: This symptom is observed when a Cisco 2900 PoE switch is connected to the Cisco UC540 with Cisco phones and an iMac is connected to the switch. An Apple laptop is also connected using wireless.
Workaround: There is no workaround.

clarification maximum client count for non 6oo series AP's in OEAP mode, Open CSCug67279

Symptom: maximum number of client connections on the OEAP
Conditions: WLC code version 7.4
Workaround: NA

Prevention of cross-site req forgery for management GUI, Open CSCud50283

Symptom: The Cisco Wireless LAN Controller may be affected by Cross Site Request Forgery (CSRF) attacks.
Conditions: Default configuration.
Workaround: None. PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C CVE ID CVE-2012-5992 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

HWIC-1FE HWIC-2FE stops processing incoming packets, Terminated CSCuf02446

Symptom: FastEthernet port on a HWIC-1FE or HWIC-2FE will stop processing incoming packets.
Conditions: This occurs when there is a prolonged duplex mismatch between the router and the peer device. Once the interface stops processing packets the only way to recover is to reload the router.
Workaround: Prevent a duplex mismatch from occurring.

1602e AP has insufficient TxPower on 2.4ghz (13dbm), Open CSCug73660

Symptom: as per the data sheet, the 1600 AP should have 17dbm of tx power on 1 antenna and up to 22 with 3 antennas. http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12555/data_sheet_c78-715702.html The reality is that it's much less in reality. show controllers output shows that power level 1 is 13dbm on 3 antennas (8dbm per antenna) Comparing show controllers output with a 3600e clearly shows that 1600AP has less tx Power. Field tests also show it has a much smaller coverage area. This is on 2.4ghz. 5ghz power is meeting expectations. This was noted in -E reg domain. Also, modifying the antenna gain has no effect at all on tx power
Conditions: 7.4.100 WLC code European regulatory domain in countries where the expected power level is 17
Workaround: none

Beacon drops while Radio Monitoring is running in 12.4(21a) train, Fixed CSCte84991

Symptom: Beacon sometimes drops while Radio Monitoring which can be enabled by WLSE is running in 12.4(21a) train Beacon drop makes a WLAN client lose the association. As a result, a communication failure happens.
Conditions: * 12.4(21a) Train IOS ( This symptom is not observed in 12.4(10b) train) * Introducing WLSE/WDS * Radio Monitoring is enabled in WLSE
Workaround: Disable Radio Monitoring in WLSE

WLC keep client entry forever, after idle timeout, Fixed CSCub51171

Symptom: Some APS refuse new client association because they already have over 200 clients associated. You can see that those clients are physically not present as they show as "last heard" by all APs a long time ago. User idle timeout did not kick in.
Conditions: WLC 7.2.103
Workaround: Configure session timeout

WLC crashing due to the Task Name emWeb, Fixed CSCuc33063

Symptom: WLC crashed with the task name emWeb
Conditions: crash on "show tech-support" command, while pulling TPCv2 data
Workaround: NA

serial timeout 18000 is printed on WLC, Open CSCug55532

Symptom: 'serial timeout 18000' is printed in the result of 'show run-config commands' on WLC running 7.0.235.5 in spite of the fact that the value should be 9600 at a maximum.
Conditions: Upgrade a WLC image from 6.0.202.0 to 7.0.235.3.
Workaround: reconfigure the setting of serial timeout >(Cisco Controller) >config serial timeout ? >[0-9600] Enter time in seconds.

AA does not send email for CRS XR BGP syslog, Terminated CSCug52479

Symptom: There is no Automated Action Email generated after BGP syslog is received on LMS 3.2.
Conditions: BGP syslog from CRS1 running XR.
Workaround: N/A.

Cannot change HREAP Vlan mapping - Error :WLAN ID 3 cannot be alterd, Fixed CSCty40179

Symptom: Cannot change HREAP Vlan mapping - Error :WLAN ID 3 cannot be alterd
Conditions: The issue is that the SSID "SAW_Voice_Authorised_Access_only" exceeds 31 bytes. While we allow user to create an SSID profile with 32 bytes, as part of profile payload we store only 31 bytes, which leads to mismatch and hence the controller does not allow to change the VLAN. This is the reason why only this particular WLAN causes issues.
Workaround: Dont execd the 31 bytes when creating SSID profile

3602 AP may select the wrong country on the controller, Open CSCud84109

Symptom: When adding a new 3600 AP to a controller with multiple countries, the AP may select a country in a different regulatory domain than that of the AP.
Conditions: With a AIR-CAP3602I-A-K9 joining a controller with countries in regulatory domains for -A and -N. The AP will select the country in the -N regulatory domain.
Workaround: Select the correct country and enable the AP admin state.

Client entries replicated on AP, Open CSCug49108

Symptom: client entries replicated on AP
Conditions: when using command "show client ap 802.11a/802.11b "
Workaround: Disable/enable radios to get rid of duplicated client entries

Mesh AP's don't process ICMP unless joined to controller, Fixed CSCtr33129

Symptom: Cisco Lightweight Access Points in bridge (mesh) mode do not process ICMP unless the AP is associated to a Wireless Lan Controller.
Conditions: Lightweight Access point in bridge mode and connected to wired infrastructure. DHCP address acquisition successful, but ap does not respond to ICMP.
Workaround: Allow the Bridge Mode Access Point to join a Wireless Lan Controller. Eng-Comments: The ICMP function is based on (layer3) IP protocol. Before mesh AP joined controller, the icmp packet was unable to be processed by the mesh AP due to no knowledge to route to the controller then to the destination. After mesh AP joined the controller, the icmp packet will be processed by AP heading to controller to route the packet. The behavior of mesh AP do not process ICMP prior joined the wireless controller is expected.

ap1130 stop both transmission and receipt, Open CSCug53823
Symptom: AP does not send out ACK or Probe Response though Probe Request is sent from a WLAN client. As a result, the WLAN client associates to the far AP in spite of the nearest failed AP. In another occurance, AP stop beaconing from wireless sniffer though dot11 stats increased beacon count on AP show controller d0.
Conditions: Unknown
Workaround: Reboot the failed AP

AP drops EAPoL frame to client, CSCtr57170
Symptom: WLC 6.0.202..0 AP goes into state where it will accept association from client, but fail to transmit EAP frame to client. WLC will timeout client by M1 retransmisions, triggering a deauth.
Conditions: N/A
Workaround: N/A

RBAC - lack of security protection of data, Terminated CSCtj25505
Symptom: cwpass file contains no encrypted data for Roles. It is in plain text.
Conditions: If the user gets the permission to see the file he can edit the role and change it.
Workaround: None.

WiSM2 crashes Reason: Reaper Reset Task:dtlArpTask, Open CSCug65454
Controller may crash with a reason of Reaper Reset: Task "dtlArpTask" missed software watchdog No workaround

CDP duplex mismatch when using LAG on 5508 WLC, Fixed CSCuc94082
Symptom: When using LAG mode on WLC, lag interface sends duplex as half, all other ports are sent as full.
Conditions: getting duplex mismatch on switch logs for lag interface on wlc.
Workaround: turn off cdpv2 advertising config cdp advertise-v2 disable

No Support For Internal DHCP Should Be Noted in 7.3.101.0 Release Notes, Fixed CSCug60151
Symptom: In 7.3.101.0, the HA feature was introduced and noted in the release notes as a new feature. The lack of support for internal DHCP functionality should also be noted with this new HA feature.
Conditions: n/a
Workaround: n/a

Unable to change Radio Settings from the Web interface AP 1550, Open CSCug90558
Symptom: Unable to change the radio settings from the Web interface ( as if the Apply Button doesn't work )
Conditions: AP 1550 running (15.2(2)JB
Workaround: Configure from CLI

Incorrect Error Message When Creating Scope on HA Controller, Open CSCug60138
Symptom: Error message provided regarding scope lease on HA WLC not beneficial and causes confusion
Conditions: Error message should be changed to reflect lack of support of internal DHCP for HA WLC
Workaround: none

WLC crashes when applying CPU ACL in HA, Fixed CSCug42677
Symptom: WLC may crash when applying CPU ACL.
Conditions: WLC 5508 running 7.3.101.0 configured in HA.
Workaround: None.

3502 Ap's crashing, Fixed CSCuc76519
Symptom: 3502 AP crash
Conditions: When a tunneled traffic sent towards the AP, GRE IPV6 ect
Workaround: None

DP crash with Watchdog detected LOCKUP, CSCue33987
Symptom: WLC crashed with console output "Watchdog detected LOCKUP"
Conditions: Unknown
Workaround: Not known.

WLC(7.3) adds new mobility peers to all anchored ssids after reboot, Fixed CSCuc19950
Symptom: anchored ssids on wlc 7.3.101.0 will incorrectly show recently configured peer controllers in its anchor list after reboot.
Conditions: wlc 7.3.101.0 with existing anchored ssids.
Workaround: Manually go to the anchored ssid and remove the recently added peer controllers from its anchor list.

Wireless clients can't connect to UC500 because stop sending beacons, CSCsx05336
Symptom: Clients can't connect to AP.
Conditions: UC500 running wireless. Wireless clients can't connect. UC500 doesn't show any clients trying to connect.
Workaround: None.
Further Problem Description:

Packets from HREAP, Local-Switch WLAN, should never egress the WLC, Fixed CSCtx95544
Symptom:We notice the 6500 switch learn lot of client Mac entries from the management interface of the WLC. these correspond to MAC addresses of the locally switched HREAP clients
Conditions: HREAP locally switched clients send MDNS , TCP and other traffic to the WLC. This traffic sent between the time the WLC moves the client into RUN state and the AP being informed of this causes the packets from the locally switched client to egress the WLC
Workaround: Create a dummy interface and tie the WLAN to that interface with a dummy VLAN that does not exist on the switch. Aditonally an ACL interface will serve to block all egress traffic for clients on the RUN state For MDNS traffic : Enable IGMP snooping so the controller sends a single report on behalf of all clients

FlexConnect AID leak, Fixed CSCug91572
Symptom: Clients fail to associate with Status 17 (max client reached) after some time on a FlexConnect setup even though there's only 1 or 2 clients attempting to associate to the AP. Sample error message on WLC debug client: *spamApTask4: May 13 09:51:54.353: c4:71:fe:d9:30:8d Association Failed on REAP AP BSSID 10:8c:cf:b4:ae:60 (slot 0), status 17 0 Max Client Reached, recieved an AID=0
Conditions: - WLC code 7.4.100.0 - AP: FlexConnect AP with a mix of central and locally switched SSID - Clients: Mix of WGB+wired clients and regular PC clients roaming across FlexConnect APs
Workaround: Reload the affected AP. More Info:

Apple iOS clients report two associated wlans with bssid mac overlap, Open CSCud88177
Symptom: Dual band Apple iOS devices may appear to be associated to two WLANs while functioning in a Cisco Unified Wireless infrastructure. In the client's Wi-Fi configuration page, two WLANs may have a check character next to them, indicating association. The issue appears to be cosmetic and non service impacting.
Conditions: Lightweight Access Points are advertising a larger number of WLANs. This may cause the same mac address to be used as the BSSID on the same AP, but on different bands. This is expected behavior. Utilizing the Access Point's base radio mac address, 802.11a WLANs start ending with Hexadecimal F, and descend. 802.11b/g WLANs start ending with Hexadecimal Zero, and ascend.
Workaround: Configure Access Points to advertise lesser quantities of WLANs, or configure some WLANs to function on 802.11a only, or 802.11b/g only.

3500 AP crash with disc_tx_11n_aggr_timer_send on 7.2, CSCtz91549
Symptom:3500 ap crashes with traceback 0x6055B8 0x6078B0
Conditions: Aggregation scheduler crashes
Workaround: workaround is to disable aggregation scheduler :- config 802.11a 11nSupport a-mpdu tx scheduler disable config 802.11b 11nSupport a-mpdu tx scheduler disable

Allow FlexConnect Local Switching and mDNS Snooping on the Same WLAN, Open CSCug69382
Feature Request: Allow Administrators to enable FlexConnect Local Switching and mDNS on the same WLAN. mDNS Snooping will only operate on APs in Local Mode.
Conditions: Single WLAN is used with FlexConnect Local Switching enabled and both FlexConnect and Local Mode APs are joined.
Workaround: Create two separate WLANs: 1) FlexConnect Local Switching, 2) mDNS Snooping.

LAP1520 excessive DFS detection for in-band/off-channel weather radar, Fixed CSCuc81022
Symptom: The LAP1520 outdoor mesh APs may get false DFS triggers when an in-band/off-channel (ch 124) weather RADAR signals are present and received above -20 dBm, causing network instability. A similar behavior was observed with off-band maritime radars operating in the 3.05 GHz band, but this can be addressed with Band-pass filters installed at the antenna port.
Conditions: AIR-LAP152x outdoor mesh AP installed nearby a weather RADAR installation.
Workaround: New Hidden CLI dfs-peakdetect added to address this issue

WLC may deauthenticate a client before EAP-Identity-Request Timeout, Open CSCug66306
Symptom: Wireless LAN Controller may send Deauthentication against EAP Identity Response received before EAP-Identity-Request Timeout.
Conditions: This symptom may occur when WLC sends the last retry of EAP Identity Request frame.
Workaround: Input credential quickly, in order to avoid EAP Identity Request retry.

3500 AP crashed on Pid 67: Process "LWAPP KAM-AP process ", CSCug85643
Symptom: 3500 AP crashed on Pid 67: Process "LWAPP KAM-AP process "
Conditions: 3500 AP crashed on Pid 67: Process "LWAPP KAM-AP process "
Workaround: none

User accounts deleted after reboot on Guest controller on 5.0.148, CSCso62881
Symptom: On a guest controller running 5.0.148 code (both standard and debug image for CSCsm98250 ), when the controller is rebooted (mainly due to lock-up), both the local net users and the local management user accounts are deleted. This appears to be similar to CSCsl32786.
Conditions: Guest controllers (DMZ) running 5.0.148 code. In this specific scenario, the Guest controller is locking up due to CSCsm98250 and can only be restored by reboot. Upon reboot, all accounts are lost.

Access points get disconnected during code upgrade, Fixed CSCso22875
None Symptom: During code download, some APs may disconnect/reconnect to the WLC.
Conditions:
Workaround:

WLC crashes on 7.3 with Task Name :ccxL2RoamTask, CSCue76062
Symptom: WLC crashes frequently
Conditions: Software was stopped by the reaper for the following reason: Reaper Reset: Task "ccxL2RoamTask" missed software watchdog
Workaround: None

Local switching 3600 drops IP6to4 TCP SYN ACK packets received from LAN, Fixed CSCuc02149
Symptom: A 3600 series AP in either autonomous IOS or FlexConnect local switching mode drops IP6to4 TCP SYN ACK packets that are received from its LAN port. A wired sniff at the AP port will show, when the wireless client attempts to establish a TCP connection over IPv6 in IPv4, that the AP transmits the TCP SYN (in IPv6 in IPv4) to the switch, and receives the SYN+ACK from the switch, but fails to forward the SYN+ACK packet to the wireless client. The first time that the AP, after a reload, drops the SYN+ACK packet, the following message will be seen on the AP console, or in its log file: WARNING - Received pak from RXTX port - Check log for detailed info At the same time, the wireless client can successfully ping the IPv6 address of its 6to4 gateway.
Conditions: 3600 or 2600 series AP, in autonomous or FlexConnect local switching mode. Wireless client is attempting to establish TCP connections over IPv6 in IPv4 (i.e. IPv4 protocol type 41.)
Workarounds: 1. Use a 1040/1140/1260/3500 AP. 2. Disable IPv6 support on the application server. 3. If using lightweight mode, use a centrally switched WLAN rather than locally switched.

Local Mode APs lose config after power cycle, Open CSCuc32335
Symptom: Local mode APs on wlc lose thier config and get reset to factory default
Conditions: Local AP loses power or shut no- shut is done to the POE port. This was seen on a 3602 AP, 5508 WLC running 7.2.103.0
Workaround: n/a

LAP1550 excessive DFS detection for in-band/off-channel weather radar, Fixed CSCud04901
Symptom: The LAP1550-series outdoor mesh APs may get false DFS triggers when an in-band/off-channel (ch 124) weather RADAR signals are present and received above -20 dBm, causing network instability.
Conditions: AIR-LAP155x outdoor mesh AP installed nearby a weather RADAR installation.
Workaround: None.

AP radio resets with corrupt TX/RX buffer tracebacks on 7.2.110.0, Fixed CSCub82534
Symptom: AP radio resets
Conditions: Accompanied with RX/TX buffer trace backs
Workaround: None

cpu ACL does not block ssh to virtual ip, however telnet does, Open CSCug83271
Symptom: Cannot block access to SSH using cpu acl.
Conditions: cpu ACL does not block ssh to virtual ip, however telnet does.
Workaround: Disable management via wireless client.

AP 3600s rebooting due to Reason: Radio Not Beaconing for too long, Open CSCue24263
Symptom: AP 3600s are intermittently rebooting due to radio driver failure. No crash files or radio core dumps are auto generated. From AP eventlog, following message is seen: *** Access point reloading. Reason: Radio Not Beaconing for too long ... ***
Conditions: AP 3600, running 7.2.110.0, radios going off channel for detection or containment.
Workaround: Disable containment if enabled. AP CLI: debug dot11 d0/d1 stop-on-failure

Guest Device not refreshing IP After being placed in no-response VLAN, Open CSCug93020
Symptom: The DHCP server configured on a C800 router is assigning the client IP address BEFORE the port is placed in the "No-Response" vlan. Once the port switches over to the no-response VLAN, the client is stuck with an IP address for the wrong VLAN
Conditions: - C880 device is being used running following code: c800-universalk9-mz.SPA.152-4.M3.bin - Dot1x port is configured with a no-response VLAN - DHCP pools are locally configured on c800 router - Windows 7 workstation configured without a dot1x supplicant
Workaround: Manually perform an ipconfig /release followed by an ipconfig /renew to refresh the IP address on the client workstation

disabled radio is enabled after AP reload when AP group uses RF profile, Fixed CSCug53945
Symptom: After AP reload, radio which disabled before AP reload is somehow re-enabled automatically.
Conditions: AP joins non-default AP group and AP group has RF profile.
Workaround: Manually disable radio on AP again after reload.

"Radio disabled due to inline power" on 7.4, Fixed CSCug45057
Symptom: 2.4 Ghz and 5 Ghz radios disabled due to error "Radio disabled due to inline power"
Conditions: Upgrade to 7.4.100.0
Workaround: None

DNS resolution for syslog messages to be disabled by default in LMS OVFs, Fixed CSCty05610
Symptom: In LMS 4.1 OVF deployment, the DNS resolution for Syslog messages are enabled by default. Syslogd trying to do DNS lookup for syslogs, which could result is some syslogs not being inserted into syslog_info file (possible causes could be the DNS servers are slow or no of queries are large). This is done by default in WIndows, as crmlog process doesnot resolve syslogs.
Conditions: LMS Linux OVF deployment
Workaround: Disable DNS resolution for Syslog messages Edit /etc/sysconfig/syslog and edit the syslogd options to include -x, which disables DNS resolution: SYSLOGD_OPTIONS="-m 0 -r -x" Then restart using /etc/init.d/syslogd restart Then restart SyslogCollector and Analyzer and check subscription

Clock save interval does not work on AP running 15.2, CSCue56124
Symptom: Autonomous AP running 15.2 software loses clock information after reboot.
Conditions: Autonomous AP running 15.2 software. Clock information is lost even when "clock save interval" is configured. This is particularly important for WGB situations where the AP must use certificate based authentication (EAP-TLS, PEAP), and the certificate validation will fail the time check.
Workaround: 1. Manually configure the clock after an AP reboot. 2. Configure SNTP for applications where AP is not operating as WGB with certificate based authentication: ap(config)#sntp server a.b.c.d {version 1|2|3}

CO:WiSM controller lost heartbeat to Sup. Not able to ping the mgmt int, Fixed CSCsg59144
None Symptom: The user is unable to ping the service port on the controller through the CAT6k switch The heart beats between the sup 720 and the cat 6k are lost due to which the two cannot communicate.
Conditions:
Workaround: After a hrdware reset from the cat6k switch the WISM is up.
Further Problem Description:

5508 crash in spamReceiveTask: Reaper Reset, LOCK ASSERT apfMsConnTask_4, Fixed CSCuc59054
Symptom: A wireless LAN controller may unexpectedly reload with messages similar to the following on the console: ** LOCK ASSERT ** (apfMsConnTask_4) !! prio=273 root=100 word=20000 and with a crash file that looks like this: Task Name:spamReceiveTask Reason: Reaper Reset [ ... ] System Stack [ ... ] Frame 7: 0x102c6690: spamLradSendMgidInfo+1152 Frame 8: 0x1023c8e0: spamApiSendMgidInfo+184
Conditions: Wireless LAN controller is configured with an interface group that has no interfaces mapped to it.
Workaround: Fix the configuration, so that all configured interface groups have interfaces mapped.

capwap Ap 3600 gets into Boot mode "ap: boot" mode during power outage, Terminated CSCuc81911
Symptom: Capwap 3600 APs get to stuck " ap:" mode when there is a power outage, requiring manual Boot.
Conditions: when there was a power outagage there is a possibility of AP gettng stuck in boot mode
Workaround: ap: flash_init and ap: boot the above commands are required t be given to get them working back up

WLC 5508 crash due to memory corruption in task name spamApTask6, Fixed CSCue92521
Symptom: 5508 controller crash due to memory corruption in spamApTask6.
Conditions: None
Workaround: None

WLC not responding to SNMP from wireless client, Terminated CSCta06414
Symptom: WLC not responding to SNMP from wireless client, same client wired works fine to WLC
Workaround Used wired client to manage WLC via SNMP

Global High Availability Feature, Fixed CSCti45880
The Global High Availability feature is only used to help an AP move over to a controller when the current controller fails. The back-up primary and back-up secondary are 4th and 5th in the order of controllers if primary, secondary and tertiary controllers are configured under the AP. If the primary, secondary and tertiary controllers are not configured, then the AP will only use the back-up primary if the current controller fails. Note: AP will not retain any of the back-up primary or secondary controller information if it is rebooted. Note: The back-up primary and secondary controller information does not work with the AP fallback feature. Note: If the AP move to a new controller with different global back-up controllers configured, the AP will take on the new back-up controllers
Conditions:
Workaround:

Clean Air sensor goes down and requires a reboot, Open CSCug89084
Symptom: Clean Air sensor goes down and requires a reboot.
Conditions: first found on monitor mode APs
Workaround: Reboot the AP

Remote Lan adds mac filtering after upgrade. OEAP radios are disabled, Fixed CSCue66944
Symptom: After upgrading from 7.3.112.0 to 7.4.110.0, the remote wlan adds mac filtering to layer 2 security. OEAP Radios are configured as down.
Conditions: upgrading from 7.3.112.0 to 7.4.110.0 with mac-filter disabled
Workaround: Enabling radio on oeap and removing mac filtering fixes this issue.

Wism crashes at spamReceiveTask, CSCug79428
Symptom: Wism crashes at SpamReceiveTask and also mentions disablePassiveScanClientsOnLBWlan in the crash file
Conditions: seen on 7.0.240
Workaround: None

Clean Air sensor goes down and requires a reboot, Fixed CSCua46511
Symptom: Clean Air sensor goes down and requires a reboot.
Conditions:
Workaround: Reboot the AP

webauth fails on segmented HTTP GET, Fixed CSCuc68995
Symptom: A wireless webauth client may be unable to authenticate to the network. When the client opens a browser window, the window is blank. With "debug web-auth redirect" in effect, messages similar to the following may be seen: *webauthRedirect: Oct 15 18:43:19.470: #EMWEB-6-REQUEST_IS_NOT_GET_ERROR: webauth_redirect.c:1055 Invalid request not GET on client socket 72 or *webauthRedirect: Oct 10 16:36:30.715: %EMWEB-3-PARSE_ERROR: parse error after reading. bytes parsed = 0 and bytes read = 189
Conditions: The HTTP GET from the client is arriving at the WLC in multiple TCP segments.
Workaround: Reconfigure your network and/or the client's TCP/IP stack to ensure that the HTTP GET arrives in a single segment. One example of client software that is known to introduce TCP segmentation behavior that triggers this bug is AnyConnect Web Security 3.0.3054. More information: This bug is a regression that was introduced in 7.2. Although Cisco acknowledges that this is a bug in our design, we do not intend to it.

WISM2 WLC Data Plane crash with the Reason - Heartbeat, Open CSCug70432
Symptom: WISM2 WLC data plane crash with the reason - Heartbeat Version: 7.3.112.0 Data Plane ID: 0 Reason: Heartbeat ** DP Crash Pointers **
Conditions: NA
Workaround: NA

OEAP 600 inconsistent throughput degrading with latency, Terminated CSCtz21519
Symptom: OEAP 600 inconsistent throughput degrading with latency Cu Environment: TCP throughput initially bursts to 10 mbps and then shapes down to 2 MBPS constant Lab environment: RTT = 100 ms(introduced by pagent pmod), TCP Window size = 512 KB, TCP Througput between PC1 and PC2 = ~ 4 to 5 Mbps
Conditions: Customer Setup: PC-2(Iperf client)<-->OEAP 600 wired port< --> ISP(20 Mbps up/down) { Internet RTT to PC1 ~55-100 ms } <--> ASA Firewall <--> 6500 Swtich -->WISM -->PC-1(Iperf server) Result: TCP throughput gets inital burst of 10 ms for about 5-6 seconds and then simmers down to 2 MBPS consistently. UDP constantly maintains 10 Mbps throughput. Lab setup: PC-2(Iperf client)<-->OEAP 600 wired port< --> Router(1811) <--> Router(1841 + Pagent running PMOD) <--> 3750 Swtich -->WLC 2504 -->PC-1(Iperf server) Results: With PC2 to PC1 RTT = 2 ms, TCP Window size = 512 KB, TCP Througput between PC1 and PC2 = ~ 10 to 11 Mbps With PC2 to PC1 RTT = 50 ms(introduced by pagent pmod), TCP Window size = 512 KB, TCP Througput between PC1 and PC2 = ~ 8 to 10 Mbps With PC2 to PC1 RTT = 100 ms(introduced by pagent pmod), TCP Window size = 512 KB, TCP Througput between PC1 and PC2 = ~ 4 to 5 Mbps
Workaround: None

netflow on 7.4 will not support 3rd party NMS e.g. solarwind, Open CSCue57694
Symptom: WLC will not work with solarwind on 7.4. netflow feature.
Conditions: WLC 7.4 netflow collector is 3rd party NMS
Workaround: none. please add it to the config guide as it is not supported as per EDCS-1157876:- Req # 6.0.6.5.5 Admin should be able to use NCS or 3rd party NMS to gain application visibility in a large deployment. Flexible netflow record monitoring and export are typically used for integration with NMS or any standard netflow analysis tools. comments:- 7.4 will have the NCS support. 3rd party NMS is not supported.

Ability to Disable AP Fallback to DHCP When Configured for Static IP, Open CSCua58662
Symptom: *Enhancement Request* An AP with a Static IP address drops from the WLC, and is unable to join. The AP fails over to DHCP, and successfully joins the WLC. The AP will maintain this DHCP address until rebooted. Need ability to disable DHCP failover to avoid APs from obtaining a DHCP assigned IP address.
Conditions: Static IP Address Assigned to AP AP Drops from the WLC, and fails to join via Static IP
Workarounds: Option 1) Remove DHCP scope from the subnet where the statically assigned APs reside. Option 2) Enable DHCP Address reservations, and enable DHCP on the APs.

Internal DHCP Functionality is Unsupported in an HA Configuration, Open CSCug60045
Symptom: Internal DHCP functionality fails from HA controller
Conditions: Currently, with controllers in an HA configuration, internal DHCP is not supported. This defect is being opened as a product enhancement to support internal DHCP functionality just as when not in HA.
Workaround: use an external DHCP server

"capwap ap hostname" CLI returns "ERROR!!! Command is disabled.", Open CSCtl96208
Symptom: Due to CSCsy17745, "capwap ap" commands on a lightweight AP can be executed anytime. But only "capwap ap hostname" still returns "ERROR!!! Command is disabled." ap#show ver Cisco IOS Software, C1250 Software (C1250-K9W8-M), Version 12.4(21a)JHB1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2010 by Cisco Systems, Inc. ~~ ap# ap#capwap ap hostname TEST ERROR!!! Command is disabled.
Conditions: The access point is running the lightweight IOS featureset (k9w8) or recovery image (rcvk9w8).
Workaround 1: Configure from WLC.

running 7.3.101 verified 3600 APs with clean air sensor crash, Open CSCuc37636
Symptom: CleanAir becomes disabled on AP. Requires reboot of AP to re-enable CleanAir
Conditions: Unknown what is causing the problem at this time.
Workaround: Leave CleanAir disabled on AP or reboot AP to re-enable CleanAir.

AP 'DOT11-2-RADIO_RX_BUF' Crash upon receipt of WPA packet with length 0, Fixed CSCtu24889
Symptom: 3500, 1520, or 1260 series Access Point crashes and reboots occasionally, and the crash info on the AP contains a message similar to the following : *Nov 3 06:29:57.234: %DOT11-2-RADIO_RX_BUF: Corrupt buf:062C97D4 rcv:A665AF9A/AAF080EF prog:0291EA44/0291EA44 pak:025DD7BC *Nov 3 06:29:57.234: %DOT11-2-RADIO_RX_BUF2: Ring in/out:270959/270832 ProgID:270833 Last:061F3F18 Errs:0/0/0 *Nov 3 06:29:57.234: %SOAP_BUF-2-PAK: pak:025DD7BC, pool:Wlan Pool, pool size:2656 *Nov 3 06:29:57.234: %SOAP_BUF-2-PAK: magic:5C18062E, refcount:1, caller_pc:004E77D0 These errors may also be followed by messages concerning 'redzone corruption'.
Conditions: The Access Point received a malformed WPA/WPAv2 AES encrypted frame from a client with the length field set to the value 0.
Workaround: Locate and remove the offending client from the network; or, use a non-AES security mode, such as WPA-TKIP.

Cannot set broadcast address for SNMP community in 7.4, Open CSCug74325
Symptom: Cannot set broadcast address for SNMP community in 7.4
Conditions: WLC 7.4
Workaround: downgrade to 7.3

CWA with Flex APs require a local ACL with same name as Flex ACL, Open CSCue68065
Symptom: If you do Central Web authentication with Flex APs, the ACL you return as av-pair needs to exist as non-flex ACL. It would be better to have the possibility to push a flex-only ACL name through the av-pair
Conditions: wlc 7.2,7.3,7.4
Workaround: Have the same ACL present as non-flex ACL and flexACL

UC560 Not able to enable Presence for Internal Lines, Open CSCug51393
Symptom: UC560 Not able to enable Presence for Internal Lines
Conditions: UC560 Not able to enable Presence for Internal Lines
Workaround: None

AP HA:WLC/AP migration issues without WCS, Open CSCua00733
Symptom: can't configure HA of all AP globally and per AP-group on WLC
Conditions: can't configure HA of all AP globally and per AP-group on WLC
Workaround: Manually configure HA options on all APs

clarification on the maximum number of OEAP's behind a NAT on 7.4, Fixed CSCug67321
Symptom: clarification on maximum number of OEAP devices behind NAT
Conditions: OEAP behind NAT
Workaround: NA

Granular AP search filter for WLC gui, Open CSCug60713
Symptom: AP filter search needs to supported multiple parameter
Conditions: AP filter search needs to supported multiple parameter
Workaround: none

Document-ACL applied to Wired Guest WLAN does not block peer to peer, Fixed CSCuf66317
Symptom: A WLAN ACL applied to a wired guest WLAN will not block peer to peer traffic. The same ACL applied to a wireless guest WLAN will block peer to peer traffic. different functionality
Conditions: Trying to block peer to peer communication
Workaround: none - needs documented under guidlines and limitations of the CCO configuration guide. section Wired Guest.

AP2600 2.4ghz radio hang with "Network Interrupt Loop Detected", CSCuf46857
Symptom: A Cisco 2600 Series Access Point's 2.4ghz radio may periodically stop functioning. "Network Interrupt Loop Detected" is logged by the Access Point.
Conditions: Lightweight 2600 associated to WLC running 7.4.100.0.
Workaround: Disable aggregation scheduler.

WiSM2 HA replies to ARP request with redundancy-port mac, Open CSCug83998
Symptom: WiSM2 configured for HA may reply to ARP requests for the management IP using the redundancy-port mac address. This may cause connectivity issues with other devices.
Conditions: WiSM2 running 7.3.112.0 and configured for HA
Workaround: Clear arp on the WiSM2

show wlan name in show client detail for easy troubleshooting, Open CSCug72744
Symptom: show wlan name from show client detail
Conditions: show wlan name from show client detail
Workaround: none

AP CAPWAP CLIENT Process crashed, Fixed CSCsw49486
Symptom: APs crashed during network blip
Conditions: many APs joining at the same time
Workaround: Let the APs take time to settle down and that is it.
Further Problem Description: Only occurred during a network blip

mDNS Gateway doesn't advertise wireless device services to wired network, Open CSCue90227
Symptom: Wired clients do not see Bonjour/mDNS advertisements from wireless devices.
Conditions: AppleTV on a WLAN with the default mDNS profile enabled. MacBook laptop on VLAN with an interface on the WLAN with the default mDNS profile enabled. mDNS Snooping enabled globally. Default mDNS Profile with AirPlay and AirTunes enabled. WLAN tied to an interface/VLAN that is different from the MacBook's VLAN.
Workaround: None known at this time.

Reload is not required for tcp-mss-adjust to take effect, Fixed CSCug49004
Symptom: When configuring an LAP with a tcp-mss-adjust value, we have confirmed that the reload is never required for the change to take effect on the AP. However, all the configuration guides mention that a WLC reload is required for the change to take effect: http://www.cisco.com/en/US/partner/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01000.html#ID4226 While the command reference guides don't mention anything about a reload: http://www.cisco.com/en/US/docs/wireless/controller/7.3/command/reference/b_cr_7.3_chapter_010.html#wp2557458545 Therefore, we need to remove from the configuration guides the instruction that says that we need to reload the WLC...
Conditions: Wrong documentation for the tcp-mss-adjust feature on the WLC.
Workaround: The feature applies without the need of a WLC reload. Documentation update only.

LMS 4.2.1: High Memory Usage on Windows Server 2008 on VMWare, Open CSCud21555
Symptom: High Memory usage about 90% showing in windows task manager
Conditions: LMS Version - 4.2.1 Managed Devices - 40 Server - Windows 2008 Enterprise Edition with Service Pack 2 over ESXi 4.1.0 4 CPU with 2.1 GHz RAM - 8 GB SWAP - 16 GB Customer has supported configuration of up to 300 devices but facing high memory usage of 85-90% with only 40 devices.
Workaround:

Need to be able to customize logout page for external web authentication, Open CSCtb31779
Symptom: Currently only the login page can be placed on an external server when doing external web authentication. The logout page and login fail page cannot be customized if doing external web auth. This means it cannot be translated to local language and are really different from the login page. It would be nice to either be able to place logout and login failed pages on the external web server or at least be able to use the ones from the custom bundle along with the external web server login page.
Conditions: /
Workaround: /
Further Problem Description: /

WLC on 5.2.157 CLI 'show dhcp lease' leaves out hours & minutes., Fixed CSCsw34627
Symptom: 'show dhcp lease' in WLC 5.2.157 from the WLC omits the hours & minutes.
Workaround: Use the gui to display.

AP1131 running 12.4(23c)JA7/7.0.240 crashes in Check Heaps process, Open CSCug62464
Symptom: AP1131 crashing continuously
Conditions: N/A
Workaround: N/A

ap2600 stops beaconing for 2-6 sec, Open CSCug53150
Symptom: Clients complaining about client disconnections, connecting to APs far away, roaming disconnections, etc... Root cause is that APs may stop beaconing the WLANs for some periods (2-6 secs).
Conditions: NA.
Workaround: After a reboot of the AP the problems are cleared resolved for a certain period of time.

WLC 7.4 crash on tplusTransportThread, Open CSCug86804
Symptom: WLC running 7.4 may crash.
Conditions: WLC running 7.4 and with TACACS+ servers configured.
Workaround: None.

WLC sending RADIUS accounting retries faster than configured timeout, Fixed CSCty49012
Symptom: WLC is jumping between the configured accounting radius servers too fast. Analyzing the sniffer traces, we see it is sending the requests within a few miliseconds, which sometimes doesn't allow enough time to receive the reply. The WLC is configured for timeout of 12 seconds and has agressive failover disabled.
Conditions: Seen with WLC5508 running 7.2.103.0.
Workaround: None

wlc crash on 7.3.101.0, Fixed CSCud23648
Symptom: wlc crash on 7.3.101.0
Conditions: Crash on Task Name: osapiReaper User Crash: The system has encountered a fatal condition at broffu_fp_dapi_cmd.c:3679
Workaround: NA

show capwap client timers command causes unexpected reload, Fixed CSCuc25203
Symptom: Executing show capwap client timers command on Lightweight AP causes unexpected reload.
Conditions: Executing show capwap client timers command.
Workaround: To avoid executing show capwap client timers and show tech- support commands.

Need to reset 90 day license timer on secondary controller, Open CSCue38133
Symptom: Controller will send a message after 90 days of an AP joining the controller, that the APs should be moved to a primary controller.
Conditions: A HA-SKU WLC is being used as a secondary controller in a N+1 configuration and an AP has joined the controller.
Workaround: None

Request to support 4096 size key certificates, Open CSCtj44859
Symptom: 7925 / 7921 not working with 4096 bit keys
Conditions: CA or cert uploaded on the phone has a 4096 bit key
Workaround: use 2048 bit key

AP is crashed due to Unexpected exception to CPUvector, Open CSCug53680
Symptom: AP rebooted with crashinfo.
Conditions: There is no outstanding trigger.
Workaround: Nothing

High CPU crash on SSHPM during ADT list processing, Open CSCug58807
Symptom: Crash on SSHPM task, due to missed watchdog
Conditions: Very high webauth activity 7.0 based code
Workaround: None

Document 7.3 code requirement for AP802H in rel note and compat matrix, Open CSCug80769
Symptom: A newer version of the ap802, the AP802H is being introduced into new mode routers. This AP requires 7.3 code for support, per this document: http://www.cisco.com/en/US/prod/collateral/routers/ps10906/ps380/qa_c67-678460.html We need to clearly document: 1) introduction of support for this ap in the 7.3.101.0 release notes 2) reference support in subsequent release notes 3) update the compatability matrix, indicating the difference in support of the AP802 (supported since 7.0 code), and the AP802H (7.3.101.0) first support.
Conditions: Documentation update.
Workaround: Refer to http://www.cisco.com/en/US/prod/collateral/routers/ps10906/ps380/qa_c67-678460.html

eapol key failure for motorola scanner, Open CSCug55048
Symptom: Motorola scanner 319x fails on eapol-key handshake - M1 or M3
Conditions: WLC Client debug shows *osapiBsnTimer: Apr 23 19:28:34.280: 00:23:68:d4:71:a5 802.1x 'timeoutEvt' Timer expired for station 00:23:68:d4:71:a5 and for message = M2 *dot1xMsgTask: Apr 23 19:28:34.280: 00:23:68:d4:71:a5 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:68:d4:71:a5 *osapiBsnTimer: Apr 23 19:28:34.880: 00:23:68:d4:71:a5 802.1x 'timeoutEvt' Timer expired for station 00:23:68:d4:71:a5 and for message = M2 *dot1xMsgTask: Apr 23 19:28:34.880: 00:23:68:d4:71:a5 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:23:68:d4:71:a5 *osapiBsnTimer: Apr 23 19:28:35.480: 00:23:68:d4:71:a5 802.1x 'timeoutEvt' Timer expired for station 00:23:68:d4:71:a5 and for message = M2 *dot1xMsgTask: Apr 23 19:28:35.480: 00:23:68:d4:71:a5 Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 00:23:68:d4:71:a5 *osapiBsnTimer: Apr 23 19:28:36.080: 00:23:68:d4:71:a5 802.1x 'timeoutEvt' Timer expired for station 00:23:68:d4:71:a5 and for message = M2 *dot1xMsgTask: Apr 23 19:28:36.080: 00:23:68:d4:71:a5 Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 00:23:68:d4:71:a5 *osapiBsnTimer: Apr 23 19:28:36.680: 00:23:68:d4:71:a5 802.1x 'timeoutEvt' Timer expired for station 00:23:68:d4:71:a5 and for message = M2 *dot1xMsgTask: Apr 23 19:28:36.680: 00:23:68:d4:71:a5 Retransmit failure for EAPOL-Key M1 to mobile 00:23:68:d4:71:a5, retransmit count 5, mscb deauth count 4 *dot1xMsgTask: Apr 23 19:28:36.680: 00:23:68:d4:71:a5 Resetting MSCB PMK Cache Entry 0 for station 00:23:68:d4:71:a5 *dot1xMsgTask: Apr 23 19:28:36.680: 00:23:68:d4:71:a5 Removing BSSID d0:c2:82:b6:af:6d from PMKID cache of station 00:23:68:d4:71:a5 *dot1xMsgTask: Apr 23 19:28:36.680: 00:23:68:d4:71:a5 Setting active key cache index 0 ---> 8 *dot1xMsgTask: Apr 23 19:28:36.680: 00:23:68:d4:71:a5 Sent Deauthenticate to mobile on BSSID d0:c2:82:b6:af:60 slot 1(caller 1x_ptsm.c:546) *dot1xMsgTask: Apr 23 19:28:36.680: 00:23:68:d4:71:a5 Scheduling deletion of Mobile Station: (callerId: 57) in 10 seconds
Workaround: Reload affected AP

UC540 bad call quality on remote SSL and IPSec VPN phones, Open CSCug79949
Symptom: - Customer was runing 15.1(2)T4 and experiencing high CPU. Cu then upgrade to 15.1(4)M5 and high cpu seems to be resolved. - Cu start to see that remote 525G phones over SSL VPN are being disconnected while on call. - Upgrade phone firmware to 7.5.4 and remote phone disconnection stopped but introduced the current problem. - Cu is experiencing bad voice quality on remote phones that leads to high cpu after about 10min into the call. - Cu is experiencing the same voice quality issue on remote phones over IPSec but yet not confirmed if it is the result of high CPU due to the SSL VPN issue
Conditions: - IOS Ver: 15.1(4)M5 - Hardware: UC540W-FXO-K9 - CUE: 8.0.6
Workaround: - No workaround

After going offchannel for RRM, Intel client gets no data for awhile, Terminated CSCts35247
Symptom: A wireless client device may intermittently experience pauses of up to a minute in receiving data from the networks.
Conditions: This is seen with a lightweight AP which is going offchannel periodically for 50ms periods to do RRM work.
Workaround: Configure the client device to continually transmit data. For Intel clients, this may be done via registry setting, available from Intel.
Further Problem Description: This problem is seen when the client device goes into powersave mode in order to scan offchannel. Then, while the client is offchannel, the AP goes offchannel. The client comes back onchannel, and tries to come out of powersave mode, but the AP doesn't ack, because it's still offchannel. The client then assumes that it's out of powersave mode, but when the AP comes back onchannel, it assumes that the client is still in powersave mode. Therefore the AP buffers all traffic destined to the client, till the client transmits a packet first. This bug has been marked Junked, because it is Cisco's position that this is a bug on the client side, which should never assume that its powersave messages have been successfully transmitted, if they were never acknowledged. Ultimately, this situation may be addressed by having the infrastructure and client implement the 802.11k quiet element, whereby the AP will be able to tell the client when it is going to be offchannel.

Clients not recieving mDNS advertisements from a proxy mDNS server, Open CSCue90320
Symptom: Clients are unable to discover all devices that are being advertized by a proxy mDNS server, such as FingerPrint.
Conditions: WLC running 7.4.100.0 mDNS Snooping enabled globally mDNS profile enabled on the interface/wlan where services are being advertised mDNS proxy program, such as Finger Print, advertising services on behalf of the other devices Clients connected to the wireless network
Workaround: None know at this time

WLC crashes when configured with LDAP server, Fixed CSCsx29956
Symptom: WLC crashes when configured to operate with LDAP server.
Conditions: WLC is running 5.2.157.0
Workaround: None
Further Problem Description: Task Name: LDAP DB Task 2 Reason: Reaper Reset Analysis of Failure: Software was stopped by the reaper for the following reason: Reaper Reset: Task "LDAP DB Task 2" missed software watchdog

WLC needs to support OTP with TACACS/RADIUS, Fixed CSCtc23403
One Time Passwords (OTP) is supported on the Wireless Lan Controller (WLC) using TACACS and RADIUS. In this configuration, the WLC acts as a transparent pass-thru device. The controller will forward all client requests to the TACACS/RADIUS server without inspecting the client behavior. When using OTP the client must only establish a single connection to the controller to function properly. The WLC currently does not have any intelligence or checks to correct a client that is trying to establish multiple connections. For OTP support the WLC should be at a minimum code level of 4.2.173 that has the fixes for CSCsh29597 and CSCsk21007.

Beacon loss on only a particular WLAN, Terminated CSCud37324
Symptom: Beacon loss on only a particular WLAN
Conditions: Clients are experiencing poor performance, erratic roaming, and re-association behavior. Client debug is showing the client send new association request every couple of seconds when the problem is experienced. Wireless captures and AP logs reveal there is intermittent beacon loss from the particular BSSID. Wireless captures were taken to see 802.11 frames during this problem. It was found that the beacons for this "particular" WLAN were stopping and we would see delta from previous beacon ranging from 1-6 seconds. The client would see this is as a BSS loss and move to a nearby AP and then roam back when beacons returned to normal 102 ms time. This problem will occur for 30-60 seconds, and then beacons transmit normally. This is causing poor client performance and loss of connectivity.
Workaround: NA

FFT: %OSAPI-0-INVALID_TIMER_HANDLE: timerlib_mempool.c:240, Fixed CSCtc16222
Symptom: Customer seeing the following messages on his WISM2 blades- Message from syslogd@wism2-ms9-mgmt.it.osu at Sep 20 08:38:46 ... wism2-ms9-mgmt.it.osu wism2-ms9: *spamApTask7: Sep 20 08:38:42.434: #OSAPI-0-INVALID_TIMER_HANDLE: timerlib_mempool.c:241 Task is using invalid timer handle 15069/46996 Message from syslogd@wism2-ms9-mgmt.it.osu at Sep 20 08:38:46 ... wism2-ms9-mgmt.it.osu wism2-ms9: -Traceback: 0x113b0060 0x10a26264 0x105c9810 0x105c2760 0x105c2b90 0x105c3094 0x105a19e0 0x10348180 0x103d88ec 0x103e4ac4 0x10e4c86c 0x10a22318 0x11d316a0 0x11d8ffcc
Conditions: WISM2 running 7.3.101.0
Workaround: N/A

Unexpected reboot due to Sigtrap Exception on applying qos pre-classify, Fixed CSCty01234
Symptoms: A router running Cisco IOS may reload unexpectedly.
Conditions: This symptom is observed only with low-end platforms using VDSL interfaces, such as a Cisco 887 router. It also requires that the qos pre-classify command be used in conjunction with IPsec and GRE, such as in a DMVPN configuration.
Workaround: Do not use the qos pre-classify command.

WLC displays wrong interface name when having hundreds of interfaces, Open CSCug74517
Symptom: WLC displaying client belonging to the wrong interface name. Vlan is displayed correctly. Technically client is also assigned to the right subnet. When connecting to one of the first 255 interfaces, there is no problem, but if connecting to one of the last 255 interfaces of the list, the client will be displayed in the wrong interface name.
Conditions: Happening when using several hundreds of dynamic interfaces on the WLC. This display error is also seen on Prime Infrastructure since it pulls the error from WLC
Workaround: none but it's not operationally impacting

AP LEDs are not globally enforced on WLC, Open CSCug48683
Symptom: Newly joined APs have LED ON even though "config ap led-state disable all" is configured on WLC.
Conditions: - Disable LED globally for all AP on WLC. - Join new AP to the controller. - LED for that AP is ON
Workaround: After joining new APs to WLC re-enter "config ap led-state disable all".

WISM crashed on task sshpmMainTask System Crash, Fixed CSCtb74239
Symptom: WiSM controller crashed on sshpmMainTask
Workaround: None

WiSM crash instruction located at: 0x1038a140(ewsInternalAbort+348), Fixed CSCsr70862
Symptom: WiSM crash instruction located at: 0x1038a140(ewsInternalAbort+348)"
Condition : Seen on WLC running ver 4.2.130.0
Workaround: Set session timeout to zero or remove telnet access.

HMR3: Observing AES-CCMP TSC replays on 1522 APs, Fixed CSCth52844
Symptom: The Mesh AP consoles will show continuous or frequent messages of AES-CCMP TSC replays when there is some traffic on Ethernet bridged clients connected to any RAP/MAP. Packets that are identified as an AES-CCMP replay are dropped by the AP, as expected.
Conditions: No special conditions and the issue will not be seen consistent as the AP may stop the messages even with traffic on sometimes.
Workaround: No workarounds.

Controller crash in tpcv2ConstructApProfile, Fixed CSCug59937
Symptom: Controller reboot with traceback tpcv2ConstructApProfile
Conditions: TPC v2 enabled.
Workaround: None

Improper memory allocation by CTI process crashing CME, Fixed CSCty64721
Symptoms: Improper memory allocation by CTI process crashes the CME.
Conditions: The CTI front end process is using up huge memory causing the CME to crash eventually. When the crash occurs: Processor Pool Total: 140331892 Used: 140150164 Free: 181728 I/O Pool Total: 27262976 Used: 5508816 Free: 21754160
Workaround: There is no workaround.

CLI Allows "+" (Plus Sign) In AP Group Name Breaking WLC Config via GUI, Fixed CSCtg42627
WLC CLI allows a user to use the "+" (plus sign) in the AP Group name. config wlan apgroup add This character is interpreted by the WLC as a space rather than a "+", and breaks the configuration. User cannot edit, or delete AP Group via the WLC Web GUI. Per the WLC Web GUI, a plus sign is not a valid character. (An error is generated)
Workaround: Remove the AP Group by using the following command via the WLC: config wlan apgroup delete

All WLCs|Code: 7.4.100.0|WLC schedule reboots at incorrect time, Open CSCug82362
Symptom: WLC schedule reboots at incorrect time when set with DST time
Conditions: If NTP server is configured and timezone configured with DST time effective
Workaround: Configure the time on the WLC manually

RRM: TPC should automatically disable radios (or auto monitor mode), Open CSCue46623
Symptom: Wireless clients may experience poor performance, especially in 2.4GHz. The channels are seen to be heavily congested, with numerous access points on the same channel in the same location. Access point radios' transmit power is set very low, and as a result rapidly moving clients may be unable to scan successfully, and may experience intermittent connectivity.
Conditions: Access points are densely deployed, for example in order to support voice in 5GHz and/or location services. RRM's TPC algorithm is set to control radio power.
Workaround: Set a minimum transmit power level, for example 8 dBm, in order to establish a minimum cell radius, in order to support mobile clients. Measure co-channel interference (CCI), for example, in the WLC Config Analyzer > RF Analysis > RF Problem Finder > Other APs Same Channel, and identify locations with excessive interference. Manually disable radios in areas of excessive CCI.
Further Problem Description: 2.4GHz supports only 3 non-overlapping channels, and also propagates further than 5GHz. As a result, in a dense deployment of dual band APs that supports strong coverage in 5GHz, the 2.4GHz band is likely to experience excessive CCI. If a large number of SSIDs are configured, and if the APs are beaconing at a low data rate (1 or 2 Mbps), then the beacons alone are likely to consume an excessive amount of the channel, in dense areas. Under load, with heavy CCI, the 2.4GHz is apt to experienced a high duty cycle and poor client performance. With this enhancement request, RRM will be able to identify locations of excessive density, and will be able dynamically to turn off, or set into monitor mode, excess radios.

HTTP port 80 open on Access Points when controller is 7.4.100.0, Fixed CSCuf66202
Symptom: HTTP Port was by default enabled for all ap types Port 80 open on access points running 7.4.100.0 controller code
Conditions: AP upgraded to 7.4.100.0 <B>Workaround:</B> Create an ACL to block port 80 to AP subnet

WLC crash on 7.0.235.0 Task Name: SNMPTask, Open CSCug88272
Symptom: WLC crash on 7.0.235.0 Task Name: SNMPTask
Conditions: when snmpV3 used
Workaround: none

Doc : Need to make clear WLAN controller Platforms supporting NAT, Fixed CSCty56374
The current some CCO docs says unclear or wrong information about Wireless LAN controller Platforms supporting NAT. Those information should be corrected.

WLC crash at apfRogueTask on 4.2.207.0, CSCte50421
Symptom:
Conditions: WLC crashes at apfRogueTask on 4.2.207.0
Workaround: None at this time.

Bridge 1310 doesn't reply to EAPOL when plugged to a dot1x switchport, Open CSCue75875
Symptom: When plugging the 1310 Bridge to a dot1x enabled switchport and having the correct configuration on both switchport and the bridge, the bridge doesn't reply back to EAPOL packets sent by the switch.
Conditions: N/A
Workaround: None

WLC: dot1x interface create failure - "Unable to find 802.1x interface", Fixed CSCue73385
Symptom: Client authentication may fail with the following message on WLC: *Dot1x_NW_MsgTask_0: Feb 19 09:39:13.283: xx:xx:xx:xx:xx:xx Unable to find 802.1x interface aa:aa:aa:aa:aa:aa for mobile xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx = client MAC address aa:aa:aa:aa:aa:aa = AP MAC address
Conditions: WLC running 7.0 code. Issue found to be happening following repeated AP join failure.
Workaround: Reload the WLC to clean the entries.

Interface config changes after HA config, Open CSCug48432
Symptom: After configuring HA and the secondary reloads, the secondary goes into Maintenance mode. The reason to go to Maintenance mode is Communication Down. We see the interface configuration gets lost on the secondary after reloading and off course there is no connectivity...
Conditions: Configure HA.
Workaround: None.

7.4 config guide - AVC feature packet marking explanation missing, Open CSCug85641
Symptom: 7.4 config guide doesn't have packet marking info for AVC
Conditions: 7.4 config guide doesn't have packet marking info for AVC
Workaround: none

WLC Bonjour Gateway should provide more control of service distrobution, Open CSCue89879
Symptom: Large campus unable to limit and control the WLC caching and responding to all queries. For example, limiting the response to bonjour request to only respond to with devices from 1 particular VLAN
Conditions: Intending to implement bonjour devices on 1 VLAN and only have this 1 VLAN devices responding to clients
Workaround: None

SNMP NAC should not be allowed without NAC Alert enabled, Open CSCug57545
Symptom: Clients are unable to connect to SNMP NAC SSID with an error message of Unable to process out-of-band login request from [device-filter]. Cause: OOB client not found.
Conditions: After upgrade from 7.4
Workaround: Enable NAC Alert Client Trap

doc for LMS integration with ACS doesn't specify version requirements., Fixed CSCsr08888
Symptom: Integration of LMS and CSM (or more than one LMS server) with ACS causes integration to fail for at least one of the servers. Symptoms seen: only helpdesk role available for some components.
Conditions: Different component versions installed on the servers. For example Common Services 3.1.1 on one server, and Common Services 3.0.5 on another server.
Workaround: For Successful integration all components to be of the same version. Documentation doesn't currently clearly specify that at the moment. This defect has been opened to resolve this.

WLC not replying to SNMP after some time, Fixed CSCtx27358
Symptom: WLCs are "unreachable" from WCS perspective after some time. In reality, they are fully operational and reachable except through SNMP. An snmpwalk on them will fail. The WLC will report through debugs : SNMPTask: Dec 22 10:00:53.076: Authentication failure, bad community string *SNMPTask: Dec 22 10:00:53.076: Bad Community name *SNMPTask: Dec 22 10:00:53.076: SNMPD: Failed to get result Pdu. In reality, the community name used is the right one. And the WLC config backup shows that the same community exists on the WLC. deleting and re-adding the community on the WLC solves the problem for some more days ...
Conditions: unknown
Workaround: recreate the community on wlc

Improve performance of the filtering parameter cache, Fixed CSCug46654
Symptom: This is not a bug but an enhancement. It takes some tiny times (nano sec order) in case of having a tens of thousands of entries in MAC filter. This enhancement improves the search time much faster by optimizing the algorithm.
Conditions: N/A
Workaround: N/A

WLC is reporting a large number of stale client entries, Open CSCug92421
Symptom: WLC is reporting a large number of stale client entries
Conditions: WLC 7510, 7.3.103.14, numerous clients
Workaround: None known at this time

Roaming with PSK Fails if maxuserlogin is set to 1 on 7.0.235.3, Fixed CSCue02090
Symptom: Roaming fails if maxuserlogin is configured to 1
Conditions: Maximum user login (config netuser maxuserlogin) is set to 1.
Workaround: Disable or increase the maxuserlogin

FlexConnect mode fallback function different for 11n and 11a, Fixed CSCuf93693
Symptom: AP is in FlexConnect mode and powered by AC adapter. Two clients are connected to the AP, and when the ethernet cable is removed from the AP and then connected back to the AP in about 1 - 2 minutes, one client still connected to network, but the other client is disconnected.
Conditions: 7.3.103.12
Workaround: NA

high latency with wireless N clients on 7500 WLC running 7.2 code, Fixed CSCty17976
Symptom: 802.11n clients on a WLC 7500 will see packet latency around 2500 milliseconds. Other WLC platforms are not affected.
Conditions:
Workaround: Run the following commands to disable the A-MPDU scheduler config 802.11b 11nSupport a-mpdu tx scheduler disable config 802.11a 11nSupport a-mpdu tx scheduler disable