Release Notes for Cisco Digital Network Architecture Center, Release 1.2.12

Cisco Digital Network Architecture Center 1.2.12 is available with quality enhancements.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History





Added CSCvs53448 as an open bug.

Open Bugs—Non-High Availability


Noted that Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later.

Supported Firmware


Added the list of packages in Cisco DNA Center

New and Changed Information

Added the Resolved Bugs table for

Resolved Bugs


Added the list of packages in Cisco DNA Center

New and Changed Information

Added the Resolved Bugs table for

Resolved Bugs


Cisco Catalyst 9500 high-performance switches (including C9500-32C, C9500-32QC, C9500-24Y4C, C9500-48Y4C) are not supported as seed devices and PnP agents for LAN automation.

Limitations and Restrictions


Clarified that you can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

Limitations and Restrictions


Initial release.

New and Changed Information

The following table shows the updated packages and the versions.

Table 2. Updated Packages and Versions in Cisco DNA Center Release 1.2.12.x
Package Name Release Release Release 1.2.12

System Updates


Package Updates

Application Policy

Assurance - Base

Assurance - Sensor

Automation - Base

Automation - Intelligent Capture

Automation - Sensor

Cisco DNA Center Platform

Cisco DNA Center UI

Cisco SD-Access

Command Runner

Device Onboarding

Image Management

NCP - Base

NCP - Services

Network Controller Platform

Network Data Platform - Base Analytics

Network Data Platform - Core

Network Data Platform - Manager

Path Trace

Cisco DNA Center-Supported Devices

For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.

Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later

  • Mozilla Firefox: Version 65.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

Beta Features

The following features in this release are in the beta stage or are being released as an engineering field trial (EFT):

  • SD-Access Extension with Extended Nodes

  • Skype for Business Application Experience

IP Address and Fully Qualified Domain Names Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through an existing network firewall, see the "Required Internet URLs and FQDNs" section in the Cisco Digital Network Architecture Center Installation Guide.

Supported Firmware

Cisco Integrated Management Controller (IMC) versions are independent from Cisco DNA Center versions. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 3.1(2c) for appliance model DN2-HW-APL

  • Cisco IMC Version 3.1(3a) for appliance model DN2-HW-APL-L

The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. Do not update later than Cisco IMC 4.0(4b).

Installing Cisco DNA Center

You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco Digital Network Architecture Center Installation Guide for information about installation and deployment procedures.


The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.

  • Cisco SD-Access

  • Assurance - Sensor

  • Automation - Sensor

  • Application Policy

  • Cisco DNA Center platform

  • Intelligent Capture

For more information about downloading and installing a package, see the "Manage Applications" chapter in the Cisco Digital Network Architecture Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center 1.2.12 supports Cisco Connected Mobile Experiences (CMX) 10.6.0. Earlier versions of CMX are not supported.


While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.

Network Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series

Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternative Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.
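
The SAN rules above can be checked before a certificate is uploaded. The following is an added example, not Cisco code: it takes a certificate as the dictionary that Python's ssl getpeercert() returns and reports which SAN values are missing for a given discovery method. The function names, the method labels ("dhcp", "dns", "pnp-connect"), the exact-match comparison, and the sample certificates are assumptions made for illustration.

```python
import ipaddress

# Constructed sample certificates, shaped like the dict returned by Python's
# ssl.SSLSocket.getpeercert(). All names and addresses are made up.
CERT_CN_ONLY = {
    "subject": ((("commonName", "dnac.example.com"),),),
}
CERT_FQDN_FIRST = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("DNS", "dnac.example.com"),
        ("DNS", "pnpserver.example.com"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:10"),
    ),
}
CERT_IP_FIRST = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("IP Address", "192.0.2.10"),
        ("DNS", "dnac.example.com"),
    ),
}


def san_entries(cert):
    """Split the SAN field into normalized DNS names and parsed IP addresses."""
    dns_names, ip_addrs = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value.strip().lower().rstrip("."))
        elif kind == "IP Address":
            ip_addrs.append(ipaddress.ip_address(value.strip()))
    return dns_names, ip_addrs


def required_identities(method, server=None, domain=None, nat_ip=None):
    """Map a discovery method to the identities the SAN field must contain.

    method labels are hypothetical: "dhcp" (option-43/option-17),
    "dns" (pnpserver.<domain>), "pnp-connect" (cloud portal profile).
    """
    if method == "dns":
        if not domain:
            raise ValueError("DNS discovery needs the device domain")
        needed = ["pnpserver." + domain]
    elif method in ("dhcp", "pnp-connect"):
        if not server:
            raise ValueError("give the IP address or hostname devices are told to use")
        needed = [server]
    else:
        raise ValueError("unknown discovery method: %r" % method)
    if nat_ip:
        # A public address assigned by a NAT router must also be in the SAN.
        needed.append(nat_ip)
    return needed


def missing_san_values(cert, method, server=None, domain=None, nat_ip=None):
    """Return the required identities that are absent from the SAN field.

    The common name (CN) is deliberately ignored, because the agent checks
    only the SAN field. Matching is exact; wildcards are not considered.
    """
    dns_names, ip_addrs = san_entries(cert)
    missing = []
    for identity in required_identities(method, server, domain, nat_ip):
        try:
            present = ipaddress.ip_address(identity) in ip_addrs
        except ValueError:
            present = identity.lower().rstrip(".") in dns_names
        if not present:
            missing.append(identity)
    return missing


def fqdn_listed_first(cert):
    """Check the recommendation that the FQDN precedes the IP address."""
    kinds = [kind for kind, _ in cert.get("subjectAltName", ())]
    if "DNS" in kinds and "IP Address" in kinds:
        return kinds[0] == "DNS"
    return True


if __name__ == "__main__":
    for name, cert in (("CN only", CERT_CN_ONLY), ("FQDN first", CERT_FQDN_FIRST)):
        print(name, missing_san_values(cert, "dns", domain="example.com"))
```

An empty list means the certificate carries every SAN value that the chosen discovery method needs.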


Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered username and password and click Log In.

The Bug Search window opens.

If you do not have a username and password, register at

Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs—High Availability

The following table lists the open high availability (HA) bugs in Cisco DNA Center for this release.

Table 3. Open Bugs—HA

Bug Identifier



Three-node HA: The device remains in onboarding state even after the image upgrade succeeds.


After the master node goes down in a three-node setup, several pipelines go into a restarting state.


In a three-node setup, if you bring down the node while LAN automation is in progress, the LAN automation status shows as complete, yet without success.

This problem occurs if you perform a network-orchestration service restart or a full node restart while LAN automation is in progress.

The network orchestration service doesn't resume the ongoing LAN automation session. It marks LAN automation as complete and releases all IP addresses allocated from IPAM. Users are expected to perform a configuration cleanup on the seed and write-erase/reload discovered devices and start a new LAN automation session.


External clients (such as Cisco ISE, network devices, and so on) can no longer communicate with Cisco DNA Center.

This behavior occurs when you change one or more of the virtual IP addresses used by your Cisco DNA Center deployment.


After removing a failed node and adding a new node to a multihost cluster, app stack services go into a crashloop state.


Maglev cassandra-1 goes into a crashloop state on a three-node cluster after upgrading Cisco DNA Center.


In a three-node cluster configuration, after upgrading Cisco DNA Center, the service influxdb-1 crashes continuously. The following error message is generated: "ERROR | Influxdb http response code: 502."


In a three-node cluster with many network devices, the wireless collector fails to register after upgrading the Assurance package, causing loss of wireless telemetry data.

To work around this problem, restart the wireless collector.

Related bug: CSCvp02010.


The sensor pipeline is running in a three-node cluster, but the Cisco DNA Center GUI (System Settings > Data Platform > Sensor) shows NOT_RUNNING for the sensor.

Related bug: CSCvo48148.


The NTP service does not recover from a failure on its own.

Related bug: CSCvp42465.

Open Bugs—Non-High Availability

The following table lists the open non-HA bugs in Cisco DNA Center for this release.

Table 4. Open Bugs—Non-HA

Bug Identifier



For any NFVIS with version 3.7.x or earlier, there is no API to retrieve system uptime.


Importing a Plug and Play CSV with 25 APs fails.


The Elasticsearch data store moves to an available node and the old entries and mappings are removed. When this happens, no data is shown on the Assurance pages.


When a single anchor controller supports multiple foreign controllers, deleting mobility configurations on one foreign controller results in removal of these configurations along with the associated WLANs on the anchor controller.


After discovery of a Cisco Catalyst 3850 or Catalyst 3650, the existing IPDT policy is overwritten with the default value of 10.


A wireless controller goes into unmonitored state after a restore from the backup.


After vNICs are deleted from vNFS, interfaces and configurations aren't deleted.


The Assurance Sensor-Driven Test interface allows a single sensor to be used in multiple test suites, of which each test suite can have one or more tests. Each suite has a defined recurring interval at which the tests within the suite are scheduled to run. If a sensor is overloaded by the number of tests within a single suite or is used across multiple suites containing multiple tests, a scenario occurs where the sensor cannot complete the suite tests within the defined recurring interval. When this occurs, gaps are seen in the 24-hour test results.


Images loaded through Plug and Play show in newly added sites and in all sites.


Host physical link failures must be detected and service traffic must be rerouted.


Cisco Catalyst 9500 fabric in a box: While configuring interfaces during static host onboarding, the Fusion uplink is overwritten.


The floor loses the position of APs after a Cisco DNA Center upgrade.


Wireless controller deletion with 4000 APs and 20,000 clients takes 6 hours on a single node running Cisco DNA Center 1.2.10.


During a system update, docker restarts due to The remedyctl detects the condition and restarts the docker service to recover the runtime. The system update fails because the system-updater health check fails when the docker daemon restarts.


When editing an existing test suite by changing its location, the existing sensor configuration is removed without any warning.


An internal error occurs when you choose Add VNF and add a device to the Inventory.


PnP: Image upgrade fails for the IR829M router during onboarding.


In the Provision > Devices window, uptime (the period of time that a device has been up and running) is not shown for NFVIS 3.10 and later devices.


Network health appears for the Cisco Catalyst 9800 wireless controller in both monitored and unmonitored sections.


After provisioning devices, the Provision > Device Inventory > Provision Status column shows "Success" and "Out of Date."


In the Inventory window, after you change the WAN IP address to the management IP address (and vice versa), interfaces are not listed in the NFVIS provisioning flow.


The Cisco Aironet 1800S Active Sensor doesn't pull software images immediately when inventoried, but only after a nightly sync.


Occasionally, the ISRv goes into ERROR state while booting up in NFVIS.


Cisco DNA Center and CMX 10.6 integration doesn't sync the floor and building automatically.


Sensor test suites disappear after removing all sensors from the inventory.


It takes a few seconds to load the heat map, AP, and client details.


A Cisco Catalyst 9000 image cannot be assigned to Catalyst 9400 devices.


When embedded wireless STP is turned on (the default is off), a path trace involving embedded wireless fails at the point between the embedded wireless controller and its connected switch. The path trace returns the error "Failed to obtain complete L2 path between routers."


On a restored cluster, new Assurance issues might not be generated.


Host onboarding authentication types should be blocked for extended nodes.


Package upgrade fails from Cisco DNA Center 1.2.10 to 1.2.12 due to an NFS "Stale file handle" problem.


Cisco DNA Center does not provision the ip domain lookup command to managed devices that are running Cisco IOS XE 16.9.4 due to syntax changes in the command.

To work around this problem, either downgrade the Cisco IOS XE version to an earlier version with the previous command syntax, or upgrade to Cisco DNA Center

Resolved Bugs

The following table lists the resolved bugs in Cisco DNA Center, Release

Table 5. Resolved Bugs for Cisco DNA Center, Release

Bug Identifier



The WSDL certificate in Cisco DNA Center's EJBCA Public Key Infrastructure (PKI) broker service expired on October 4, 2019. After this server certificate expires, Cisco DNA Center clients that use the EJBCA service for secure sessions fail to connect. As a result, Cisco DNA Center fails to onboard the Embedded Wireless Controller on Cisco Catalyst 9800 series devices and 1800s wireless sensors. Apart from the eWLC, there is no impact to any other WLC, switch, or router onboarding, or any other feature in Cisco DNA Center.

There is no workaround for this problem. You must upgrade Cisco DNA Center to a version that has been patched to include a new WSDL certificate. The following Cisco DNA Center releases have the fix with the new WSDL certificate:,,, and The new certificate has a 20-year expiry.

The following table lists the resolved bugs in Cisco DNA Center, Release

Table 6. Resolved Bugs for Cisco DNA Center, Release

Bug Identifier



Provisioning of wired devices fails with the following error:

NCSP10025: UserIntentProvisioningService failed.


Cisco DNA Center does not deploy a CLI template to more than one device when the firewall profile is assigned to two or more sites.


The device remains stuck in configuring state during provisioning.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.2.12.

Table 7. Resolved Bugs for Cisco DNA Center, Release 1.2.12

Bug Identifier



Cannot enable L2 handoff if the border has Cisco SD-Access transit connected.


To avoid traffic loss, Cisco DNA Center should push the configuration "ipv4 locator reachability minimum-mask-length 32".


Issues are seen when adding an IP and a VIP to an existing Cisco DNA Center configuration.


A critical VLAN for voice does not work in Cisco SD-Access.


During the Cisco DNA Center 1.2.8 upgrade, the system update hangs at 55% for approximately one hour.


Missing NDP/Assurance pipelines after upgrading to Cisco DNA Center 1.2.8.


Purge and aggregation cron jobs do not run as expected.


After upgrading, the NDP Elasticsearch service is continuously in CrashLoopBackOff state.


When working with an AP 2800E model, ANT2524DW-R is the only antenna option available to choose for the 2.4 GHz band.


The Assurance topology graph does not show when a link is down, but the automation topology graph is updated.


When a device is configured with file verify auto, the precheck for the file transfer fails.


After upgrading, the Network Visibility package push fails because the docker push fails.


Assurance: Several commands cannot be executed from the Issue Detail page.


During sensor test suite creation, all SSIDs are not shown for the selected floor.


The fabric Host Onboarding page does not display 5-Gb Ethernet ports for Cisco Catalyst 9000 switches.


When upgrading Cisco DNA Center 1.2.8 to 1.2.10, the following error is reported for the system update:

System update failed during INSTALLED_CLUSTER_UPDATES. Cluster update timed-out Retry.


The system update fails with an error that the hook download failed.


When upgrading Cisco DNA Center 1.2.8 to 1.2.10, the system update hangs at 55% for approximately three hours.


The Influxdb proxy container crashes frequently on a scale setup.


AP custom and default RF profile provisioning fails with an error message.


When upgrading Cisco DNA Center from 1.2.8 to 1.2.10, adding intermediate nodes to the fabric causes a Java exception error.


After upgrading Cisco DNA Center to 1.2.10, Assurance data is lost after several days.


The client health score remains low (indicating an onboarding failure), even if the authentication succeeds in the next step.


Cisco Wireless Controller C9800 inventory collection fails when the policy tag contains an ampersand (&).


The Elasticsearch service in Cisco DNA Center encounters issues like the following:

  • The logging level is set to debug, which consumes more disk space.

  • The log files do not roll over.

  • The Grafana chart for Elasticsearch does not work as expected.


Inventory collection fails for most wireless controllers.


Cisco DNA Center pushes a voice VLAN by default, which cannot be assigned.


The Application Policy GUI does not load the Site or Service Provider (SP) Profile menus.


The port configuration is not pushed to the Fast Ethernet port in extended node.


For extended nodes, the fabric configuration snapshot is missing from the database table after restoring a backup.


Cisco Wireless Controllers move to Point Coordination Function (PCF) mode when the AVC profile contains a space.


Many wired client delete messages are seen in the Assurance connector.


Backup and restore fails with a timeout.


Issue details show incorrect radio information.


Task manager data consumes more CPU, resulting in an Assurance data lag.


The Telemetry dashboard pulls incorrect information about connected hosts.


After upgrading Cisco DNA Center from 1.2.8 to 1.2.10, Assurance pages do not contain wired client information.


Inventory is unstable because unreachable extended nodes keep triggering discovery.


Device provisioning fails with a null pointer exception error.


Assurance data is lost due to Graphwriter failing to write data to Elasticsearch.


Service distribution fails with an HTTPConnectionPool: Read timed out error.


After an extended node Plug and Play error occurs, devices are not added to the inventory after a Plug and Play reset.


The latest version of the Chrome browser does not show the Add and Cancel buttons at the bottom of the Fabric Create page.


Provisioning the configuration "service-policy output DNA-dscp#APIC_QOS_Q_OUT" fails on some interfaces.


Cisco DNA Center removes the existing AAA configuration from the wireless controller after provisioning changes are made.


Devices become unregistered in Cisco DNA Center License Manager.


Device provisioning fails for Cisco Catalyst 9200 series switches running the Cisco IOS XE 16.11.x image.


The interface template DefaultWiredDot1xOpenAuth is removed during switch port provisioning.


CLI preview shows commands to be pushed for auto-qos interfaces, even after excluding the interface.


During provisioning, the ip dhcp snooping command is not pushed with the template.


Wireless controllers move to unmonitored state after adding a wireless controller with more than 700 access points.


Miscalculation of wireless controller time difference for devices in other time zones.


Wireless controller goes to unreachable, partial collection failure, and SNMP timeouts occur frequently.


The authentication configuration is not pushed to newly added switch stack members.


The software image management upgrade status shows as failed, even though the image upgrade succeeds on the switch.


When a border node is removed from a Cisco DNA Center fabric, and inventory with a pre-existing device such as an extended node is in an errored state, any operations from the fabric page fail with a null pointer exception.


The Client Devices dashboard in Assurance shows "???" as the column header.


The broker-agent service cannot register with the collector-agent.


The software image management activation status shows as failed even after the image is activated.


Software image management distributes the image multiple times before activation when the Distribute Only option is chosen.


Cisco DNA Center doesn't remove the "map-cache" command from a second border/control plane node when the "Connected to internet" option is chosen.

Limitations and Restrictions

Backup and Restore Limitations

Backup and restore limitations and restrictions include:

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

HA Limitation

In this release, Cisco DNA Center provides HA support only for Automation and Cisco SD-Access. HA for Assurance is not supported.

Cisco ISE Integration Limitations

Cisco ISE integration limitations and restrictions include:

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subordinate CA of a root CA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied to Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC 5280, section 4.2.1.9).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • For automation integration, the Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.

Brownfield Feature-Related Limitations

Brownfield feature-related limitations include:

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP groups with the SSID are associated with the same interfaces.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, the error "Policy Deployment failed" is displayed.

Cisco Plug and Play Limitations

Plug and Play limitations and restrictions include:

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

LAN Automation Limitation

Cisco Catalyst 9500 high-performance switches (including C9500-32C, C9500-32QC, C9500-24Y4C, C9500-48Y4C) are not supported as seed devices and PnP agents for LAN automation. If you try to use a Catalyst 9500H as the seed device, the GUI displays the following error:

Failed to create LAN Automation session. BAD_Request:
[Common Settings - Please change the discovery interface configuration to L2 mode and then re-sync the primary device from Inventory App].

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center:

  • Cisco DNA Center Release Notes: Release information, including new features, system requirements, and open and resolved bugs.

  • Cisco DNA Center Installation Guide: Installation and configuration of Cisco DNA Center, including postinstallation tasks.

  • Cisco DNA Center Upgrade Guide: Upgrade information for your current release of Cisco DNA Center.

  • Cisco DNA Center User Guide: Use of the Cisco DNA Center GUI and its applications.

  • Cisco DNA Center Administrator Guide: Configuration of user accounts, RBAC scope, security certificates, authentication and password policies, and global discovery settings. Monitoring and managing Cisco DNA Center services. Backup and restore.

  • Cisco DNA Center Security Best Practices Guide: Security features, hardening, and best practices to ensure a secure deployment.

  • Supported Devices: Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases.

  • Cisco SD-Access Hardware and Software Compatibility Matrix: Hardware and software support for Cisco SD-Access.

  • Cisco DNA Assurance User Guide: Use of the Cisco DNA Assurance GUI.

  • Open Source Used in Cisco DNA Assurance: Licenses and notices for open source software used in Cisco DNA Assurance.

  • Cisco DNA Center Platform User Guide: Use of the Cisco DNA Center platform GUI and its applications.

  • Cisco DNA Center Platform Release Notes: Cisco DNA Center platform release information, including new features, deployment, and open bugs.

  • Open Source Used in Cisco DNA Center Platform: Licenses and notices for open source software used in Cisco DNA Center platform.

  • Cisco DNA Center Data Sheet: Key features and scale numbers.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.

You can also subscribe to the What’s New in Cisco Product Documentation RSS feed, which delivers lists and content of new and revised Cisco technical documentation directly to your desktop, using any RSS reader application. This RSS feed is a free service.