Release Notes for Cisco Digital Network Architecture Center, Release 1.2.10

Cisco Digital Network Architecture Center 1.2.10 is available with new capabilities and quality enhancements. Release 1.2.10 accelerates the adoption of Cisco DNA Assurance by bringing new wired Assurance features to market, along with continued wireless Assurance enhancements, Cisco SD-Access enhancements, and new device support.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History

Date | Change | Location
2019-08-09 | Cisco Catalyst 9500 high-performance switches (including C9500-32C, C9500-32QC, C9500-24Y4C, C9500-48Y4C) are not supported as seed devices and PnP agents for LAN automation. | Limitations and Restrictions
2019-07-19 | Clarified that you can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data. | Limitations and Restrictions
2019-02-20 | Initial release. |

New and Changed Information

Cisco DNA Center, Release 1.2.10 is designed to enhance your product's performance and stability.

The following table shows the updated packages and the versions in Cisco DNA Center, Release 1.2.10.

Table 2. Updated Packages and Versions in Cisco DNA Center, Release 1.2.10
Update Type | Package Name | Version
System Updates | System | 1.1.0.754
Package Updates | Application Policy | 2.1.28.170011
Package Updates | Assurance - Base | 1.2.10.258
Package Updates | NCP - Services | 2.1.28.60244.7 (Updated on 2019-05-03. The originally released package version was 2.1.28.60244.)
Package Updates | Automation - Base | 2.1.28.60244.7 (Updated on 2019-05-03. The originally released package version was 2.1.28.60244.)
Package Updates | Command Runner | 2.1.28.60244
Package Updates | Device Onboarding | 2.1.28.60244
Package Updates | Cisco DNA Center Platform | 1.0.8.8
Package Updates | Automation - Intelligent Capture | 2.1.28.60244
Package Updates | Image Management | 2.1.28.60244
Package Updates | NCP - Base | 2.1.28.60244
Package Updates | Network Data Platform - Base Analytics | 1.1.10.659
Package Updates | Network Data Platform - Core | 1.1.10.1012
Package Updates | Network Data Platform - Manager | 1.1.10.705
Package Updates | Network Controller Platform | 2.1.28.60244
Package Updates | Path Trace | 2.1.28.60244
Package Updates | Cisco DNA Center UI | 1.2.10.163
Package Updates | Cisco SD-Access | 2.1.28.60244.7 (Updated on 2019-05-03. The originally released package version was 2.1.28.60244.)
Package Updates | Assurance - Sensor | 1.2.10.254
Package Updates | Automation - Sensor | 2.1.28.60244

The following table shows the updated packages and the versions in Cisco DNA Center, Release 1.2.10.4.

Table 3. Updated Packages and Versions in Cisco DNA Center, Release 1.2.10.4
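Update Type | Package Name | Version
System Updates | System | 1.1.0.754
Package Updates | Application Policy | 2.1.28.170011
Package Updates | Assurance - Base | 1.2.11.304
Package Updates | NCP - Services | 2.1.28.60244.9
Package Updates | Automation - Base | 2.1.28.60244.9
Package Updates | Command Runner | 2.1.28.60244
Package Updates | Device Onboarding | 2.1.28.60244
Package Updates | Cisco DNA Center Platform | 1.0.8.8
Package Updates | Automation - Intelligent Capture | 2.1.28.60244
Package Updates | Image Management | 2.1.28.60244
Package Updates | NCP - Base | 2.1.28.60244
Package Updates | Network Data Platform - Base Analytics | 1.1.11.8
Package Updates | Network Data Platform - Core | 1.1.11.77
Package Updates | Network Data Platform - Manager | 1.1.11.8
Package Updates | Network Controller Platform | 2.1.28.60244.9
Package Updates | Path Trace | 2.1.28.60244
Package Updates | Cisco DNA Center UI | 1.2.11.19
Package Updates | Cisco SD-Access | 2.1.28.60244.9
Package Updates | Assurance - Sensor | 1.2.10.254
Package Updates | Automation - Sensor | 2.1.28.60244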

New and Changed Features

The following tables summarize the new and changed features in Release 1.2.10.

Table 4. New and Changed Features in Cisco DNA Center, Release 1.2.10
Feature Description

Topology

The Topology window displays the status of device links and device licenses.

You can draw annotations, toggle between Layer 2 and geographical maps, and filter devices based on the device tag.

Notification icon color badge

The notification icon has a color badge next to it. A blue badge indicates new notifications, new tasks, or successful tasks. A red badge indicates a failed task.

Log filtering

A new text field has been added to enable you to specify package names as a filter. Log messages are written to log files only for those packages.

Support for Cisco Nexus 9500 Series Switches

Cisco DNA Center supports the following functionalities on the Cisco Nexus 9504, Cisco Nexus 9508, and Cisco Nexus 9516 switches:

  • Discovery

  • Inventory

  • Topology

  • Template Programmer

  • Software Image Management

  • Basic Monitoring

Table 5. New and Changed Features in Cisco SD-Access, Release 1.2.10
Feature Description

Cisco SD-Access High Availability (3-node HA with SDA)

From Release 1.2.8, Cisco SD-Access 3-node HA for Automation is available as a Generally Available (GA) feature. Support for SDA 3-node HA continues in Release 1.2.10.

Fabric Border Node

You can deploy a Cisco Nexus 7700 Series Switch with an M3 line card as a border node, without a Multiprotocol Label Switching (MPLS) license.

Cisco Catalyst 9800 Series Wireless Controller

The Cisco Catalyst 9800 Series Wireless Controller is the next generation of wireless controllers built for intent-based networking. The Cisco Catalyst 9800 Series Wireless Controller is Cisco IOS XE based and integrates the RF excellence from Cisco Aironet with the intent-based networking capabilities of Cisco IOS XE to create the best-in-class wireless experience for your organization.

The Cisco Catalyst 9800 Series Wireless Controller is built on a modular operating system and uses open, programmable APIs that enable automation of day-0 and day-N network operations.

The Cisco Catalyst 9800 Series Wireless Controller is available in multiple form factors:

  • Catalyst 9800-40 Wireless Controller

  • Catalyst 9800-80 Wireless Controller

  • Catalyst 9800-CL Cloud Wireless Controller (Deployable on private cloud [ESXi, KVM, Cisco Enterprise Network Compute System] and managed by Cisco DNA Center)

  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Switch

Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Switch

Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Switch brings the wired and wireless infrastructure together with consistent policy and management.

Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Switch provides user segmentation, support, security, and seamless mobility while maintaining ease of operation of the Cisco Unified Wireless Network (CUWN) solution.

The wireless control plane uses the functionalities of Control and Provisioning of Wireless Access Points (CAPWAP) protocol to communicate between APs and Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Switch.

The Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Switch deployment supports only SD-Access, which is a highly secure solution for small campuses and distributed branches. Note that the embedded controller supports APs only in fabric mode.

You can configure a Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Switch as a control plane node and a border node.

These switches with endpoints or APs that are directly connected are known as fabric edge devices:

  • Cisco Catalyst 3650 Series Switches

  • Cisco Catalyst 3850 Series Switches

  • Cisco Catalyst 9300 Series Switches

  • Cisco Catalyst 9400 Series Switches

Fabric in a Box with Catalyst 9800 Embedded Wireless on Cisco Catalyst 9300 Series Switches

The Cisco Catalyst 9300 Series Switches have the capability to host fabric edge, control plane, border, and embedded wireless functionalities on a single switch, which you can configure using Cisco DNA Center.

Table 6. New and Changed Features in Assurance, Release 1.2.10
Feature Description
Network Health Features

Custom threshold value for the Network Health timeline slider

Customize the threshold value for a healthy network on the timeline.

Network Health enhancements

  • Physical Neighbor Topology in the Device 360 window is enhanced to display information about a node, details about each device, details about specific links, and so on.

  • An Event Viewer has been added to the Device 360 window. It displays the different types of events and their details for APs, and syslogs for switches and routers.

  • Only infrastructure links are considered for link errors. In the Connectivity tab of the Device 360 window, the Interfaces table has been enhanced to display the operational status of the interfaces for routers and switches.

Client Health Features

Custom threshold value for the Client Health timeline slider

You can customize the threshold value for healthy clients on the timeline.

Client Roaming Times dashlet

A new dashlet shows the distribution of total response times, from start to finish, for wireless client roaming, covering fast and slow roams.

Client Devices dashlet enhancements

  • For wireless clients, the Data Rate and Usage data columns can be applied to the table.

  • For wired clients, the following data columns can be applied to the table: Port, Usage, Tx, Rx, Tx Rate, Rx Rate, Link Speed, Duplex, Tx Link Errors, and Rx Link Errors.

  • Export table data: You can export the table data into a CSV file using the Export icon.

  • More table filtering options: You can filter the table by any column.

  • Sort the table data: You can sort the table by some columns.

Client 360 window enhancements

For wired clients:

  • Added the Connectivity area under the timeline pane, with details including data about receiver link errors, transmitter link errors, receiver rate, and transmitter rate.

  • Enhanced the Connection Details area under the timeline pane, with details including data about the port, speed, duplex, and VLAN ID.

  • Added the Tx / Rx Rate and Interface Errors graphs to the Detail Information category under the Connectivity tab.

Sensors and Sensor-Driven Tests Features

Active RF scanning for sensor tests

Active RF scanning enables RF statistics to be reported as part of the test results.

In support of Active RF scanning, the following data columns are available for the Test Results dashlet: RSSI, SNR, Time, Channel, Tx Rate, Rx Rate, and Tx Retries.

Test result error messages

You can view an error message when a sensor-driven test fails in the Test Results dashlet. The error message provides details on why the test failed.

Test Results dashlet enhancements

In the Test Results details slide-in pane:

  • You can click a test result failure bar in the graph to view the error message, which provides details of the failure.

  • Threshold is displayed at the top of the slide-in pane.

Scheduling an onboarding-only test

In the Manage > Sensor-Driven Tests window:

  • You can run an onboarding test separately in the Select Tests step with the Onboarding Tests option.

Hidden SSID support

Testing of and reporting about hidden SSID is available.

Manage > Sensor-Driven Tests window enhancements

In the Select Sensors step, enhancements are made to the GUI.

Sensor Devices dashlet enhancements

Added the Last Seen column.

Test Summary dashlet enhancements

  • Changed the view for the total number of sensor-driven test results into a breakdown of percentages and number of tests.

  • Added the Top 5 Test Types by Failure chart.

Top APs by Failure Count dashlet

A new dashlet lists the top APs by failure count, and provides the number of failures per AP.

Issues Features

Configure issue settings

Added a new window Assurance > Manage > Issue Settings.

The Issue Settings window enables you to configure the settings for issues. You can enable or disable issues from being reported, change an issue's priority, and change the threshold for reporting an issue.

Ignore issues

You can stop issues from being reported for a duration of time.

Global issues

The following global issues have been introduced:

  • HA Switchover: Supported for all network devices, except APs.

  • Time Drift: Supported for all network devices, except APs.

  • Infrastructure Link Down: Supported for infrastructure links.

Telemetry Features

Telemetry Workflow enhancements

Updated the telemetry workflow.

Cisco DNA Center-Supported Devices

For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.

Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 62.0 or later

  • Mozilla Firefox: Version 54.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

Beta Features

The following features in this release are in beta stage or are being released as an engineering field trial (EFT):

  • SD-Access Extension with Extended Nodes

  • Skype for Business Application Experience

IP Address and Fully Qualified Domain Names Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through an existing network firewall, see the "Required Internet URLs and FQDNs" section in the Cisco Digital Network Architecture Center Installation Guide.

Supported Firmware

CIMC versions are independent from Cisco DNA Center versions. This release of Cisco DNA Center has been validated against the following firmware:

  • CIMC Version 3.0(3f) for appliance model DN1-HW-APL

  • CIMC Version 3.1(2c) for appliance model DN2-HW-APL

  • CIMC Version 3.1(3a) for appliance model DN2-HW-APL-L

The preceding versions are the minimum firmware versions. Later versions are also supported.

Installing Cisco DNA Center

You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco Digital Network Architecture Center Installation Guide for information about installation and deployment procedures.


Note

The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.

  • Cisco SD-Access

  • Assurance - Sensor

  • Automation - Sensor

  • Application Policy

  • Cisco DNA Center platform

  • Intelligent Capture


For more information about downloading and installing a package, see the "Manage Applications" chapter in the Cisco Digital Network Architecture Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center 1.2.10 supports Cisco Connected Mobile Experiences (CMX) 10.6.0. Earlier versions of CMX are not supported.


Note

While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.


Network Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series


Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternative Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.
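
The SAN rules above can be checked before a certificate is uploaded. The following Python check is an added example, not Cisco code: it takes a certificate decoded into the dictionary shape returned by Python's ssl.SSLSocket.getpeercert() and reports which discovery methods the SAN field does not cover. The method labels (dhcp-ip, dhcp-hostname, dns, pnp-connect), hostnames, and addresses are assumptions constructed for illustration.

```python
import ipaddress


def _norm(kind, value):
    """Normalise a SAN entry so that equal names compare equal."""
    if kind == "IP Address":
        # Different spellings of one IPv6 address must match each other.
        return kind, str(ipaddress.ip_address(value.strip()))
    return kind, value.strip().rstrip(".").lower()


def expected_san(method, target):
    """Return the (kind, value) SAN entry required for one discovery method.

    The method labels are hypothetical names for the cases listed above.
    """
    if method == "dhcp-ip":            # option-43/option-17 with an explicit address
        return _norm("IP Address", target)
    if method == "dhcp-hostname":      # option-43/option-17 with a hostname
        return _norm("DNS", target)
    if method == "dns":                # target is the DNS domain
        return _norm("DNS", "pnpserver." + target)
    if method == "pnp-connect":        # IP or FQDN, whichever the profile uses
        try:
            return _norm("IP Address", target)
        except ValueError:
            return _norm("DNS", target)
    raise ValueError("unknown discovery method: " + method)


def common_name(cert):
    """Extract the subject CN, used only to explain a failure (never to pass one)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.strip().rstrip(".").lower()
    return None


def check_san(cert, discovery):
    """Return a list of findings; an empty list means every method is covered."""
    sans = [_norm(k, v) for k, v in cert.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    findings = []
    for method, target in discovery:
        want = expected_san(method, target)
        if want in sans:
            continue
        note = ""
        if want[0] == "DNS" and common_name(cert) == want[1]:
            note = " (present only in the CN, which the agent ignores)"
        findings.append(f"{method}: SAN lacks {want[0]}:{want[1]}{note}")
    kinds = [k for k, _ in sans]
    if "DNS" in kinds and "IP Address" in kinds and kinds[0] != "DNS":
        findings.append("order: list the FQDN first, followed by the IP address")
    return findings


# Constructed sample certificates (documentation-range names and addresses).
GOOD_CERT = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("DNS", "dnac.example.com"),
        ("DNS", "pnpserver.example.com"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:10"),
    ),
}
BAD_CERT = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("IP Address", "192.0.2.10"),
        ("DNS", "dnac.corp.example.com"),
    ),
}
ALL_METHODS = [
    ("dhcp-ip", "192.0.2.10"),
    ("dhcp-ip", "2001:db8::10"),
    ("dhcp-hostname", "dnac.example.com"),
    ("dns", "example.com"),
    ("pnp-connect", "dnac.example.com"),
]
# The hostname is used for DHCP discovery and a NAT public address is in use.
NAT_METHODS = [("dhcp-hostname", "dnac.example.com"), ("dhcp-ip", "203.0.113.7")]

if __name__ == "__main__":
    print("good:", check_san(GOOD_CERT, ALL_METHODS))
    for finding in check_san(BAD_CERT, NAT_METHODS):
        print("bad: ", finding)
```
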


Important Notes

Update Telemetry Profiles to Use a New Cluster Virtual IP Address

If you are using the Cisco DNA Center Telemetry tool to monitor device data, and you need to change the Cisco DNA Center cluster virtual IP address (VIP), complete the following steps to change the VIP and to ensure that node telemetry data is sent to the new VIP.

Before you begin

  • Determine whether the version of Cisco DNA Center that you are using is in the 1.1.x or 1.2.x release train. You can check this by logging in to the Cisco DNA Center web interface and using the About option to view the Cisco DNA Center version number. For example, if the version you are using begins with 1.1, it is in the 1.1.x release train.

  • Obtain SSH client software.

  • Identify the VIP address that was configured for the 10-GB interface facing the enterprise network on the Cisco DNA Center master node. Log in to the appliance using this address, on port 2222. To identify this port, see the rear-panel figure in the "Front and Rear Panels" section in the Cisco Digital Network Architecture Center Installation Guide.

  • Obtain the Linux username (maglev) and password configured on the master node.

  • Identify the cluster VIP that you want to assign. The cluster VIP must conform to the requirements explained in the "Required IP Addresses and Subnets" section in the Cisco Digital Network Architecture Center Installation Guide.

Procedure


Step 1

Access the Cisco DNA Center GUI and use the Telemetry tool to push the Disable Telemetry profile to all the nodes, as follows:

  1. From the Cisco DNA Center home page, scroll down to the Tools area and click Telemetry.

  2. Click the Site View tab.

  3. In the Site View table, choose all the sites and devices currently being monitored.

  4. Click the Actions button and choose the Disable Telemetry profile from the drop-down list.

  5. Wait for the Site View table to show that telemetry has been disabled for the sites and devices.

Step 2

Use the appliance Configuration wizard to change the cluster VIP, as follows:

  1. Using an SSH client, log in to the VIP address that was configured for the 10 GB interface facing the enterprise network on the Cisco DNA Center master node. Be sure to log in on port 2222.

  2. When prompted, enter the Linux username and password.

  3. Enter the following command to access the Configuration wizard on the master node:

    $ sudo maglev-config update
    

    If you are prompted for the Linux password, enter it again.

  4. Click [Next] until the screen prompting you for the cluster virtual IP appears. Enter the new cluster VIP, then click [Next] to proceed through the remaining screens of the wizard.

    From Cisco DNA Center 1.2.5, you must configure one virtual IP per configured interface. We recommend that you enter the sudo maglev-config update command so that the wizard prompts you to provide one VIP per configured interface.

    When you reach the final screen, a message appears, stating that the wizard is ready to apply your changes.

  5. Click [proceed] to apply the cluster VIP change.

    At the end of the configuration process, a success message appears and the SSH prompt reappears.

Step 3

Restart the necessary Cisco DNA Center services by entering the following series of commands at the SSH prompt. Use the commands for the release train that is appropriate for your Cisco DNA Center version.

For versions of Cisco DNA Center in the 1.1.x release train (versions 1.1.1 and later, up to but not including 1.2.0), enter the following commands:

    magctl service restart -d netflow-go
    magctl service restart -d syslog
    magctl service restart -d trap
    magctl service restart -d wirelesscollector

For Cisco DNA Center in the 1.2.x release train (versions 1.2.0 and later), enter the following commands:

    magctl service restart -d collector-netflow
    magctl service restart -d collector-syslog
    magctl service restart -d collector-trap
    magctl service restart -d wirelesscollector

Step 4

Wait for all the services to restart. You can monitor the progress of the restarts by entering the following command, substituting service names as needed for the release train appropriate for your Cisco DNA Center version. For example, if you are using a version of Cisco DNA Center in the 1.2.x release train, enter the following command:

    magctl appstack status | grep -i -e collector-netflow -e collector-syslog -e collector-trap -e wirelesscollector

When all the necessary services are running, you see command output similar to the following, with a Running status for each service that has restarted successfully:

    assurance-backend  wirelesscollector-123-bc99s  1/1   Running   0   25d   <IP>   <IP>
    ndp   collector-netflow-456-lxvlx   1/1   Running   0   1d   <IP>   <IP>
    ndp   collector-syslog-789-r0rr1    1/1   Running   0   25d   <IP>   <IP>
    ndp   collector-trap-101112-3ppllm  1/1   Running   0   25d   <IP>   <IP>
 
Step 5

Access the Cisco DNA Center GUI and use the Telemetry tool to push the Optimal Visibility profile to all nodes, as you did in Step 1.
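
Before re-enabling telemetry in Step 5, the check in Step 4 can be scripted. The following Python check is an added example, not part of the release notes or of Cisco tooling: it parses captured magctl appstack status output and lists the collectors for the chosen release train that are not yet Running with all containers ready. It assumes the column layout of the sample output in Step 4 and that each pod name is the service name followed by a hyphen and a suffix; the second sample is constructed.

```python
# Services restarted in Step 3, per release train (names taken from the procedure).
REQUIRED = {
    "1.1.x": ["netflow-go", "syslog", "trap", "wirelesscollector"],
    "1.2.x": ["collector-netflow", "collector-syslog", "collector-trap",
              "wirelesscollector"],
}


def pending_services(status_output, release_train):
    """Return the required services that have no ready, Running pod yet.

    Columns are assumed to be: namespace, pod name, ready count, status, ...
    """
    required = REQUIRED[release_train]
    healthy = set()
    for line in status_output.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue  # blank line, header fragment, or truncated row
        pod, ready, status = cols[1], cols[2], cols[3]
        have, _, want = ready.partition("/")
        # A pod can show Running while its containers are still starting,
        # so the ready count (for example 1/1) must also be complete.
        fully_ready = have == want and want not in ("", "0")
        for service in required:
            if pod.startswith(service + "-") and status == "Running" and fully_ready:
                healthy.add(service)
    return [service for service in required if service not in healthy]


# Sample output as shown in Step 4.
PAGE_SAMPLE = """\
assurance-backend  wirelesscollector-123-bc99s  1/1   Running   0   25d   <IP>   <IP>
ndp   collector-netflow-456-lxvlx   1/1   Running   0   1d   <IP>   <IP>
ndp   collector-syslog-789-r0rr1    1/1   Running   0   25d   <IP>   <IP>
ndp   collector-trap-101112-3ppllm  1/1   Running   0   25d   <IP>   <IP>
"""

# Constructed variant: the syslog collector is Running but not yet ready.
RESTARTING_SAMPLE = PAGE_SAMPLE.replace(
    "collector-syslog-789-r0rr1    1/1   Running   0   25d",
    "collector-syslog-789-r0rr1    0/1   Running   3   2m",
)

if __name__ == "__main__":
    print("page sample pending:", pending_services(PAGE_SAMPLE, "1.2.x"))
    print("restarting pending: ", pending_services(RESTARTING_SAMPLE, "1.2.x"))
```
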


Bugs

Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.

Procedure


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered cisco.com username and password and click Log In.

The Bug Search window opens.

Note

If you do not have a cisco.com username and password, register at https://idreg.cloudapps.cisco.com/idreg/guestRegistration.do.

Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs—High Availability

The following table lists the open high availability (HA) bugs in Cisco DNA Center, Release 1.2.10.

Table 7. Open Bugs—HA

Bug Identifier

Headline

CSCvm33809

Three-node HA: The device remains in onboarding state even after the image upgrade succeeds.

CSCvm92516

After the master node is down in a three-node setup, several pipelines go into restarting state.

CSCvn32215

In a three-node setup, if you bring down the node while LAN automation is in progress, the LAN automation status shows as complete, yet without success.

This problem occurs if you perform a network-orchestration service restart or a full node restart while LAN automation is in progress.

The network orchestration service doesn't resume the ongoing LAN automation session. It marks LAN automation as complete and releases all IP addresses allocated from IPAM. Users are expected to perform a configuration cleanup on the seed, write-erase/reload discovered devices, and start a new LAN automation session.

CSCvn64113

External clients (such as Cisco ISE, network devices, and so on) can no longer communicate with Cisco DNA Center.

This behavior occurs when you change one or more of the virtual IP addresses used by your Cisco DNA Center deployment.

CSCvo30319

After removing a failed node and adding a new node to a multihost cluster, appstack services go into a crashloop state.

CSCvo35174

Maglev cassandra-1 goes into crashloop state in a three-node setup after upgrading from Cisco DNA Center 1.2.8 to 1.2.10.

CSCvo36004

A three-node upgrade from Cisco DNA Center 1.2.8 to 1.2.10 fails.

CSCvo49811

In a three-node cluster configuration, after upgrading from Cisco DNA Center 1.2.8 to 1.2.10, the service influxdb-1 crashes continuously. The following error message is generated: "ERROR | Influxdb http response code: 502."

Open Bugs—Non-High Availability

The following table lists the open non-HA bugs in Cisco DNA Center, Release 1.2.10.

Table 8. Open Bugs—Non-HA

Bug Identifier

Headline

CSCvh16564

For any NFVIS with version 3.7.x or earlier, there is no API to retrieve the system uptime.

CSCvj41522

Plug and Play CSV with 25 APs fails.

CSCvj75410

The Elasticsearch data store moves to an available node and the old entries and mappings are removed. When this happens, no data is shown on the Assurance pages.

CSCvm36416

When a single anchor controller supports multiple foreign controllers, deleting mobility configurations on one foreign controller results in removal of these configurations along with the associated WLANs on the anchor controller.

CSCvk78718

Updating the interface IP address doesn't update the Kong certificate.

CSCvn11847

After a Cisco Catalyst 3850 or Catalyst 3650 is discovered, the existing IPDT policy is overwritten with the default value of 10.

CSCvn32554

A wireless controller goes into unmonitored state after a restore from a backup.

CSCvn42568

After vNICs are deleted from vNFS, interfaces and configurations aren't deleted.

CSCvn46294

The Assurance Sensor-Driven Test interface allows a single sensor to be used in multiple test suites, of which each test suite can have one or more tests. Each suite has a defined recurring interval at which the tests within the suite are scheduled to run. If a sensor is overloaded by the number of tests within a single suite or is used across multiple suites containing multiple tests, a scenario occurs where the sensor cannot complete the suite tests within the defined recurring interval. When this occurs, gaps are seen in the 24-hour test results.

CSCvn54563

Images loaded through Plug and Play show in newly added sites and in all sites.

CSCvn69306

After a system update, the jboss service does not run for the next hour. After 1 hour, the service recovers automatically.

CSCvn75941

Host physical link failures must be detected and service traffic must be rerouted.

CSCvn98180

Cisco Catalyst 9500 fabric in a box: While configuring interfaces during static host onboarding, the Fusion uplink is overwritten.

CSCvo02927

A floor loses the position of APs after a Cisco DNA Center upgrade.

CSCvo07310

Purge and aggregation jobs do not run.

CSCvo08984

Wireless controller deletion with 4000 APs and 20,000 clients takes 6 hours on a single node running Cisco DNA Center 1.2.10.

CSCvo10238

Embedded wireless: An invalid command is passed to the switch.

CSCvo14534

During a system update, docker restarts due to https://github.com/moby/moby/issues/35091. The remedyctl detects the condition and restarts the docker service to recover the runtime. The system update fails because the system-updater health check fails when the docker daemon restarts.

CSCvo16429

When editing an existing test suite by changing its location, the existing sensor configuration is removed without any warning.

CSCvo16662

An internal error occurs when you choose Add VNF and add a device to the Inventory.

CSCvo17731

PnP: Image upgrade fails for the IR829M router during onboarding.

CSCvo20051

A system update fails if the hook-installer is not running.

CSCvo21174

In the Provision > Devices window, uptime (the period of time that a device has been up and running) is not shown for NFVIS 3.10 and later devices.

CSCvo21720

Network health appears for the Cisco Catalyst 9800 wireless controller in both monitored and unmonitored sections.

CSCvo24817

The Assurance topology graph does not show a link down, but the fusion topology graph is updated.

CSCvo25703

ENFV provisioning fails due to an ASAv day-N template push failure.

CSCvo27411

After provisioning devices, the Provision > Device Inventory > Provision Status column shows "Success" and "Out of Date."

CSCvo30065

In the Inventory window, after you change the WAN IP address to the management IP (and vice versa), interfaces are not listed in the NFVIS provisioning flow.

CSCvo30471

The Cisco Aironet 1800S Active Sensor doesn't pull software images immediately when inventoried, but only after a nightly sync.

CSCvo32637

Occasionally, the ISRv goes into ERROR state while booting up in NFVIS.

CSCvo34972

Cisco DNA Center and CMX 10.6 integration doesn't sync the floor and building automatically.

CSCvo36052

Sensor test suites disappear after removing all sensors from the inventory.

CSCvo38279

During sensor test suite creation, not all SSIDs are shown for the selected floor.

CSCvo40364

It takes a few seconds to load the heat map, AP, and client details.

CSCvo42491

A Cisco Catalyst 9000 image cannot be assigned to Catalyst 9400 devices.

CSCvo42517

When embedded wireless STP is turned on (the default is off), a path trace involving embedded wireless fails at the point between the embedded wireless controller and its connected switch. The path trace returns the error "Failed to obtain complete L2 path between routers."

CSCvo43286

When updating Cisco DNA Center from 1.2.8 to 1.2.10, the following error is reported for the system update:

System update failed during INSTALLED_CLUSTER_UPDATES. Cluster update timed-out. Retry.

To work around this problem, enter the magctl service restart -d system-updater command.

CSCvo44418

On a restored cluster, new Assurance issues might not be generated.

CSCvo49209

A system update fails around 88% with an error that the hook download failed. To work around this problem, retry the system update.

CSCvo90635

Backup and restore fails with a timeout.

Resolved Bugs

The following tables list the resolved bugs in Cisco DNA Center, Releases 1.2.10 and 1.2.10.4.

Table 9. Resolved Bugs for Cisco DNA Center, Release 1.2.10

Bug Identifier

Headline

CSCvn24661

Cannot pair wireless controller HA if one of the wireless controllers is already part of a fabric.

CSCvn41837

In an HA cluster, during a system update, the rabbitmq service might get in an inconsistent database state due to multiple restarts, which can lead to some message queues not getting mirrored to all nodes. As a result, the system package upgrade remains in PENDING_UPGRADE state indefinitely.

CSCvn50293

In an HA configuration, if you bring down one of the nonseed nodes while a backup is in progress, the backup operation might hang. You can, however, manually cancel the backup.

CSCvn50929

In a three-node HA cluster, power cycling one or more cluster hosts might result in a postgres crash. Some other services that depend on the postgres service might also crash.

This problem occurs if one or more cluster nodes are power cycled without a graceful shutdown.

CSCvn54047

Cannot delete the device from the fabric if Cisco ISE is allowed to be deselected from network settings.

CSCvn59736

In a three-node setup, the PnP Connect Profiles > IP field shows the node IP address instead of the cluster VIP.

CSCvn67667

In a three-node HA setup, ASAv devices aren't configured with all three node host IP addresses for SNMP management.

CSCvn81052

After successfully enabling service distribution, the following Cisco DNA Center services might become stuck in the INIT state without any progress: network-poller, command-runner-service.

CSCvn97144

When embedded wireless is enabled, sites are not listed in order. It is difficult to sort through a long list of sites to find the correct site.

CSCvo00160

After upgrading, the Assurance application might not display any data.

CSCvo11783

After a node reload, Assurance data is not recovered. Some NDP pipelines might not come up.

CSCvo13794

After a system upgrade, NDP Elasticsearch remains in continuous CrashLoopBackOff state.

CSCvo14451

Under Provision > Devices > Provision Logs, when you click the Open VNC Console link, an error is generated.

CSCvo18219

A Command Runner failure occurs on the AP.

CSCvo19870

After upgrading devices such as sensors, if you click the Inventory page sidebar, the wrong time is shown.

CSCvo34930

The 5 GHz heat map is missing from Cisco DNA Center.

CSCvo35254

Network Data Platform collector-manager goes into crashloop state after a package upgrade from Cisco DNA Center 1.2.8 to 1.2.10.

CSCvo36900

After an upgrade, the Network Visibility package push fails because the docker push keeps failing.

Table 10. Resolved Bugs for Cisco DNA Center, Release 1.2.10.4

Bug Identifier

Headline

CSCvo30496

Bulk updates from Inventory cause an Elasticsearch no node exception.

CSCvo42419

Cisco Catalyst 9000 devices with 5-Gb interfaces are not displayed on the Host Onboarding page.

CSCvo65595

DeviceConfigStatus remains pending when no BCS is generated.

CSCvo79515

GW query fixes to consider the relevant shards.

CSCvo86971

The Assurance connector displays many wired client delete messages.

CSCvo98118

The Telemetry dashboard pulls incorrect information about connected hosts.

CSCvo98754

After upgrading to Cisco DNA Center 1.2.10, wired client information is missing from Assurance.

CSCvp00075

An extended node keeps triggering discovery, which makes the inventory unstable.

CSCvp21269

Cisco DNA Center removes any existing AAA configuration from a wireless controller after provisioning changes are made from Cisco DNA Center.

CSCvp28027

Assurance wired pipeline changes to accommodate changes in the NCP infrastructure as part of a HOST DELETE change.

CSCvp55154

Wired client data is plotted even after all devices are deleted from Cisco DNA Center.

Limitations and Restrictions

Backup and Restore Limitations

Backup and restore limitations and restrictions include:

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

HA Limitation

In this release, Cisco DNA Center provides HA support only for Automation and Cisco SD-Access. HA for Assurance is not supported.

Cisco ISE Integration Limitations

Cisco ISE integration limitations and restrictions include:

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subordinate CA of a root CA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied to Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC 5280, section 4.2.1.9).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • For automation integration, the Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.
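The certificate limits in the list above can be checked before upload. The following is an added example, not a Cisco tool: the function names `check_cert` and `make_sample` and the host `dnac.example.test` are made up for illustration, and it assumes the `openssl` CLI, a PEM file with the leaf certificate first, and that a certificate whose subject equals its issuer is self-signed.

```shell
#!/bin/sh
# Added example: preflight a PEM certificate (leaf first) against the
# Cisco ISE integration limits listed above. Requires the openssl CLI.

# check_cert PEM_FILE NAME: prints findings, returns the number of failures.
check_cert() {
    pem=$1 name=$2 fails=0
    text=$(openssl x509 -in "$pem" -noout -text) || return 99

    # ECDSA keys are not supported in certificates.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
        echo "FAIL: ECDSA public key"; fails=$((fails + 1))
    fi

    # Self-signed certificates need Basic Constraints with CA:TRUE; CA-issued
    # ones must be uploaded with their chain. Assumption: subject == issuer
    # (compared by name hash) means self-signed.
    if [ "$(openssl x509 -in "$pem" -noout -subject_hash)" = \
         "$(openssl x509 -in "$pem" -noout -issuer_hash)" ]; then
        if ! printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
            echo "FAIL: self-signed without Basic Constraints CA:TRUE"; fails=$((fails + 1))
        fi
    elif [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -lt 2 ]; then
        echo "FAIL: CA-issued certificate without its chain"; fails=$((fails + 1))
    fi

    # The IP address or FQDN must appear in the Subject or the SAN.
    san=$(printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' |
          tail -n 1 | tr ',' '\n' | sed 's/^ *//')
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
           sed 's/^subject= *//' | tr ',' '\n')
    if ! printf '%s\n%s\n' "$san" "$subj" |
         grep -qxF -e "DNS:$name" -e "IP Address:$name" -e "CN=$name"; then
        echo "FAIL: $name not in Subject or Subject Alt Name"; fails=$((fails + 1))
    fi
    return "$fails"
}

# make_sample rsa|ec OUT: writes a constructed self-signed test certificate
# for the made-up host dnac.example.test (sample input, not a real cert).
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' 'CN=dnac.example.test' '[ext]' \
        'basicConstraints=critical,CA:TRUE' \
        'subjectAltName=DNS:dnac.example.test' > "$d/cfg"
    if [ "$1" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/key"
    else
        openssl genrsa -out "$d/key" 2048 2>/dev/null
    fi
    openssl req -x509 -new -key "$d/key" -days 1 -config "$d/cfg" -out "$2"
    rm -rf "$d"
}
```

Run `make_sample rsa /tmp/rsa.pem` and then `check_cert /tmp/rsa.pem dnac.example.test` to see a passing case; the exit status is the number of failed checks.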

Brownfield Feature-Related Limitations

Brownfield feature-related limitations include:

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP groups with the SSID are associated with the same interfaces.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, the error "Policy Deployment failed" is displayed.

Cisco Plug and Play Limitations

Plug and Play limitations and restrictions include:

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

LAN Automation Limitation

Cisco Catalyst 9500 high-performance switches (including C9500-32C, C9500-32QC, C9500-24Y4C, C9500-48Y4C) are not supported as seed devices and PnP agents for LAN automation. If you try to use a Catalyst 9500H as the seed device, the GUI displays the following error:

Failed to create LAN Automation session. BAD_Request:
[Common Settings - Please change the discovery interface configuration to L2 mode and then re-sync the primary device from Inventory App].

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center:

For This Type of Information...

See This Document...

Release information, including new features, system requirements, and open and resolved bugs.

Cisco DNA Center Release Notes

Installation and configuration of Cisco DNA Center, including postinstallation tasks.

Cisco DNA Center Installation Guide

Upgrade information for your current release of Cisco DNA Center.

Cisco DNA Center Upgrade Guide

Use of the Cisco DNA Center GUI and its applications.

Cisco DNA Center User Guide

Configuration of user accounts, RBAC scope, security certificates, authentication and password policies, and global discovery settings.

Monitoring and managing Cisco DNA Center services.

Backup and restore.

Cisco DNA Center Administrator Guide

Security features, hardening, and best practices to ensure a secure deployment.

Cisco DNA Center Security Best Practices Guide

Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases.

Supported Devices

Hardware and software support for Cisco SD-Access.

Cisco SD-Access Hardware and Software Compatibility Matrix

Use of the Cisco DNA Assurance GUI.

Cisco DNA Assurance User Guide

Licenses and notices for open source software used in Cisco DNA Assurance.

Open Source Used in Cisco DNA Assurance

Use of the Cisco DNA Center platform GUI and its applications.

Cisco DNA Center Platform User Guide

Cisco DNA Center platform release information, including new features, deployment, and open bugs.

Cisco DNA Center Platform Release Notes

Licenses and notices for open source software used in Cisco DNA Center platform.

Open Source Used in Cisco DNA Center Platform

Key features and scale numbers.

Cisco DNA Center Data Sheet

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.

You can also subscribe to the What’s New in Cisco Product Documentation RSS feed, which delivers lists and content of new and revised Cisco technical documentation directly to your desktop, using any RSS reader application. This RSS feed is a free service.