Release Notes for Cisco Digital Network Architecture Center, Release 1.3.1.x

This document describes the features, limitations, and bugs for the Cisco Digital Network Architecture Center, Release 1.3.1.x.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History
| Date | Change | Location |
| --- | --- | --- |
| 2019-12-06 | Added the list of packages in Cisco DNA Center 1.3.1.4. | New and Changed Information |
| 2019-12-06 | Added the Resolved Bugs table for 1.3.1.4. | Resolved Bugs |
| 2019-11-20 | Clarified that the Rogue Management application is supported in Cisco DNA Center 1.3.1.3 and later. | New and Changed Information |
| 2019-11-18 | Updated the Cisco DNA Center Search package version to 1.0.0.44. | New and Changed Information |
| 2019-11-18 | Added CSCvq89880 to the Resolved Bugs table for 1.3.1.3. | Resolved Bugs |
| 2019-11-01 | Added support for the Rogue Management application and specified the package version. | New and Changed Information |
| 2019-10-25 | Added the list of packages in Cisco DNA Center 1.3.1.3. | New and Changed Information |
| 2019-10-25 | Added the Resolved Bugs table for 1.3.1.3. | Resolved Bugs |
| 2019-10-25 | Noted that Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. | Supported Firmware |
| 2019-10-10 | Added the list of packages in Cisco DNA Center 1.3.1.2. | New and Changed Information |
| 2019-10-10 | Added the Resolved Bugs table for 1.3.1.2. | Resolved Bugs |
| 2019-10-03 | Added the list of packages in Cisco DNA Center 1.3.1.1. | New and Changed Information |
| 2019-10-03 | Added the Resolved Bugs table for 1.3.1.1. | Resolved Bugs |
| 2019-09-25 | Added information about Cisco Catalyst 9600 support for Layer 2 border handoff functionality. | New and Changed Information |
| 2019-09-19 | Added information about the Application Hosting package. | New and Changed Information |
| 2019-09-19 | Added open bugs: CSCvq71182 and CSCvq86168. | Open Bugs—Non-High Availability |
| 2019-09-12 | Added a new Upgrade Limitation section. | Limitations and Restrictions |
| 2019-09-04 | Initial release. | |

Upgrade to the Latest Cisco DNA Center Release

For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.

New and Changed Information

The following table shows the updated packages and the versions.

Table 2. Updated Packages and Versions in Cisco DNA Center Release 1.3.1.x
| Package Name | Release 1.3.1.4 | Release 1.3.1.3 | Release 1.3.1.2 | Release 1.3.1.1 | Release 1.3.1.0 |
| --- | --- | --- | --- | --- | --- |
| System Updates | | | | | |
| System | 1.3.0.109 | 1.3.0.94 | 1.3.0.94 | 1.3.0.77 | 1.3.0.77 |
| Package Updates | | | | | |
| Access Control Application | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| AI Network Analytics | 2.0.10.6 | 2.0.9.12 | 2.0.9.12 | 2.0.8.31 | 2.0.8.31 |
| Application Hosting | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 |
| Application Policy | 2.1.75.170275 | 2.1.75.170275 | 2.1.75.170275 | 2.1.75.170270 | 2.1.75.170270 |
| Assurance - Base | 1.4.0.488 | 1.4.0.449 | 1.4.0.449 | 1.4.0.434 | 1.4.0.434 |
| Assurance - Sensor | 1.4.0.484 | 1.4.0.424 | 1.4.0.424 | 1.4.0.424 | 1.4.0.424 |
| Automation - Base | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Automation - Intelligent Capture | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60406 |
| Automation - Sensor | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Cisco DNA Center Global Search | 1.0.0.44 | 1.0.0.44 | 1.0.0.18 | 1.0.0.18 | 1.0.0.18 |
| Cisco DNA Center Platform | 1.2.0.50 | 1.2.0.36 | 1.2.0.36 | 1.2.0.15 | 1.2.0.15 |
| Cisco DNA Center UI | 1.4.0.244 | 1.4.0.235 | 1.4.0.226 | 1.4.0.211 | 1.4.0.172 |
| Cisco SD-Access | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Command Runner | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Device Onboarding | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Image Management | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Machine Reasoning | 2.1.78.210010 | 2.1.75.210276 | 2.1.75.210276 | 2.1.75.210275 | 2.1.75.210275 |
| NCP - Base | 2.1.78.60109 | 2.1.75.60446 | 2.1.75.60446 | 2.1.75.60446 | 2.1.75.60446 |
| NCP - Services | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Network Controller Platform | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60551 | 2.1.75.60446 |
| Network Data Platform - Base Analytics | 1.4.0.116 | 1.4.0.108 | 1.4.0.108 | 1.4.0.108 | 1.4.0.108 |
| Network Data Platform - Core | 1.4.0.328 | 1.4.0.321 | 1.4.0.321 | 1.4.0.321 | 1.4.0.321 |
| Network Data Platform - Manager | 1.4.0.101 | 1.4.0.93 | 1.4.0.93 | 1.4.0.93 | 1.4.0.93 |
| Path Trace | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Rogue Management | 1.4.0.70 | 1.4.0.70 | | | |
| Stealthwatch Security Analytics | 2.1.78.1090091 | 2.1.76.1090762 | 2.1.76.1090762 | 2.1.75.1090662 | 2.1.75.1090662 |
| Wide Area Bonjour | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 |

New and Changed Features

The following tables summarize the new and changed features in Release 1.3.1.x.

Table 3. New and Changed Features in Cisco DNA Center, Release 1.3.1.1
Feature Description

Rogue Management application

The Rogue Management application is an optional package that you can install on Cisco DNA Center. Operating within Cisco DNA Center, the Rogue Management application helps you monitor threats from unauthorized access points. You can access the Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center user interface.

Table 4. New and Changed Features in Cisco DNA Center, Release 1.3.1.0
Feature Description

Site hierarchy

In the License Manager, the site hierarchy is displayed in the left pane, and you can filter the devices listed in the All Licenses page by clicking a specific site.

Network hierarchy

You can navigate to floors of any site directly by clicking the site marker and clicking the Show Floor option.

You can view the devices assigned to any site by clicking the icon available next to the site, and selecting the View Devices option. This takes you to the Provision page, where the device list is auto filtered based on the respective site.

Manage licenses

You can update the Specific License Reservation (SLR) or Permanent License Reservation (PLR) for a device. Choose Actions > Manage License Reservation > Update License Reservation.

Manage licenses

Cisco DNA Center displays a License Details window that shows the complete license details and license history.

Defective device replacement

You can replace a defective device in the Provision > Inventory page by marking the defective device for replacement, and selecting the replacement device added through Inventory. The Return Material Authorization (RMA) workflow begins. When you deploy the replacement device in this manner, the replacement device works like the old device.

Security advisories

The Security Advisories tool captures and lists the security advisories recommended by the Cisco Product Security Incident Response Team (PSIRT). You must install the Machine Reasoning package to use this tool. The advisories are matched based on the software image that is currently installed on the device.

Browser-based configuration wizard

In addition to the Maglev configuration wizard, you can also use the new browser-based wizard to configure your Cisco DNA Center appliance for use in your production environment. Note that the 44 core M4 appliance (Cisco part number DN1-HW-APL) cannot be configured using this wizard. Only the following Cisco DNA Center M5 appliances support configuration using the browser-based wizard:

  • 44 core Cisco UCS C220 M5 SFF appliance: Cisco part number DN2-HW-APL

  • 44 core Cisco UCS C220 M5 SFF upgrade appliance: DN2-HW-APL-U

  • 56 core Cisco UCS C220 M5 SFF appliance: Cisco part number DN2-HW-APL-L

  • 56 core Cisco UCS C220 M5 SFF upgrade appliance: Cisco part number DN2-HW-APL-L-U

  • 112 core Cisco UCS C480 M5 appliance: Cisco part number DN2-HW-APL-XL

  • 112 core Cisco UCS C480 M5 upgrade appliance: DN2-HW-APL-XL-U

Ability to clone an IP pool

You can clone an existing IP pool at the site level. When you clone an IP pool, the DHCP server and DNS server IP addresses are already filled in, which saves you time.

Plug and Play provisioning

Bulk provisioning supports additional data fields needed to provision wireless devices. You can change the device name during the claim process and it is also used as the default device hostname. The claim user interface has several other improvements to make the process easier. A second stack cabling scheme is supported for stackable switches.

Application Visibility service: Applications and Application Sets

Applications and Application Sets are moved from Policy > Application Policy to Provision > Services > Application Visibility.

Application Hosting

Application Hosting allows customers to bring in third-party docker applications on Catalyst 9300 Series switches with Cisco IOS-XE software version 16.12.1s.

Telemetry profile enhancements

Support for the Application Visibility profile is introduced in this release.

Device tagging enhancements

This feature allows you to delete a device tag or template tag that is not associated with a device or template.

Group-based access control policies update

Cisco DNA Center 1.3.1.0 includes an updated and improved Group-Based Access Control Policy menu. Cisco ISE is required for a group-based access control policy to download to network devices, and may also be used as the AAA/RADIUS server. Third-party AAA/RADIUS servers are also supported for group-based access control in this release. When you add or edit a scalable group, Cisco DNA Center no longer opens Cisco ISE to the TrustSec workcenter page for further configuration. All group-based policy data is created and managed in Cisco DNA Center. That data is synchronized to Cisco ISE.

Cisco ISE serves as the runtime policy system for SD policy access, providing policy download to network access devices to allow them to perform policy enforcement.

The minimum required Cisco ISE versions are either:

  • Cisco ISE 2.4 patch 7

  • Cisco ISE 2.6 patch 1

ACI groups in Cisco DNA Center

Group-based access control policies in Cisco DNA Center automatically import ACI groups from Cisco ISE. ACI integration must be enabled on Cisco ISE. In Cisco DNA Center, ACI scalable groups display as "learned from ACI".

Cisco Wide Area Bonjour application

The Cisco Wide Area Bonjour application in Cisco DNA Center provides you with centralized access control and monitoring capabilities, combined with the scalability and performance required for large-scale Bonjour services deployments.

Stealthwatch Security Analytics Service on Cisco DNA Center

The Stealthwatch Security Analytics service in Cisco DNA Center automates the provisioning of network elements (based on best practices) so that they send data to Cisco Stealthwatch, enabling you to gain additional visibility, and improving your malware detection capabilities.

Table 5. New and Changed Features in Cisco DNA Assurance, Release 1.3.1.0
Feature Description

Cisco AI Network Analytics

Cisco DNA Center, Release 1.3.1.0 introduces Cisco AI Network Analytics.

Cisco AI Network Analytics is an application within Cisco DNA Center that leverages the power of Machine Learning and Machine Reasoning to provide accurate insights that are specific to your network deployment, which allows you to quickly troubleshoot issues.

Trends and Insights

Cisco AI Network Analytics allows you to determine global patterns (trends) and deviations in your network and provides system-generated insights.

Comparative Analytics

With Cisco AI Network Analytics you can compare a site with another site, compare KPI values with peers in your network, and compare the APs in network heatmaps to spot trends and gain insights.

Issue enhancements

A new updated and more intuitive Open Issues dashboard enables you to easily understand the status of the network. This new dashboard allows you to understand the most impacted sites, the recent trends, and quickly access the AI-driven issues when the Cisco AI Network Analytics application is enabled.

The issue windows are enhanced and simplified:

  • The Global Issues and All Issues windows are replaced by Open Issues, Resolved Issues, and Ignored Issues.

  • The AI-driven issue category is added to the Issue Settings window.

  • Machine Reasoning is supported for the Layer 2 Loop issue.

  • You can configure Cisco DNA Center to send a REST or email notification when supported issues are triggered.

Data rate KPI for wireless clients

Added a data rate KPI for wireless clients.

The following GUI enhancements were made for this feature:

  • Enhanced the Client Health dashboard by adding the Client Data Rate dashlet, which displays the distribution of data rates for wireless clients.

  • Enhanced the Client 360 window:

    • Added details about data rate and client protocol under the timeline pane.

    • Added the Data Rate chart to the Detail Information category under the Connectivity tab.

Application Experience support for more network devices

You can view the quantitative metrics of the applications running on the following network devices:

  • Cisco Catalyst 9000 Series Switches

  • Cisco AireOS WLCs

Sensor enhancements

  • Added a new GUI window Assurance > Manage > Sensors > Sensor List.

    Use this window to view the onboarded sensors in your network. You can enable SSH, enable the status LED, and change the name for these sensors.

  • Added a new GUI window Assurance > Manage > Sensors > Backhaul Settings.

    Use this window to view, create, and manage backhaul configurations for sensors.

  • You can select target APs to test against when creating sensor-driven tests.

Intelligent Capture support for more network devices

Intelligent Capture support is now available for the following access point models:

  • Cisco Aironet 1815 Series APs

  • Cisco Aironet 1830 Series APs

  • Cisco Aironet 1840 Series APs

  • Cisco Aironet 1850 Series APs

  • Cisco Aironet 1540 Series APs

  • Cisco Aironet 1560 Series APs

  • Cisco Catalyst 9115 APs

  • Cisco Catalyst 9120 APs

Table 6. New and Changed Software Features in Cisco Wireless, Release 1.3.1.0
Feature Description

New AP support

This release introduces support for Cisco Aironet 1840 Series Access Points.

New platform support: Cisco Catalyst 9800-L Wireless Controller

The Cisco Catalyst 9800-L Wireless Controller provides seamless software updates for small to mid-size enterprises. The Cisco Catalyst 9800-L Wireless Controller is available in two variations. You can choose between copper and fiber uplinks, which gives you flexibility in your network.

  • Cisco Catalyst 9800-L Copper Series Wireless Controller (9800-L-C RJ45)

  • Cisco Catalyst 9800-L Fiber Series Wireless Controller (9800-L-F SFP)

Rolling AP upgrade

The Rolling AP upgrade feature on the Cisco Catalyst 9800 Series Wireless Controller provides a way to upgrade the Cisco Wireless Controller and APs with minimal to zero downtime. To achieve the zero downtime, it is possible to upgrade APs in a staggered way using the N+1 Rolling AP upgrade feature.

Mobility configuration

The mobility configuration in Cisco DNA Center allows you to group a set of Cisco Wireless Controllers into a mobility group for a seamless roaming experience of wireless clients.

Guest web passthrough

Web passthrough is a solution that is used for guest access and requires no authentication credentials. With web passthrough authentication, wireless users are redirected to the usage policy page while using the internet for the first time. The users are allowed to browse the internet after accepting the policy.

Sleeping client timeout

The guest access clients with successful web authentications are allowed to sleep and wake up without having to go through another authentication process. You can configure the duration for which the sleeping clients are to be remembered before reauthentication.

The valid range is from 10 to 43200 minutes; the default duration is 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to the WLAN.

Multiple virtual networks for guest access

You can create multiple virtual networks for guest access. With this feature, you can use different virtual networks for guest traffic in places where there is no enterprise traffic. You can map the wireless guest SSIDs to IP address pools from different virtual networks with no restrictions.

Embedded wireless support on fabric edge

Cisco DNA Center supports embedded wireless functionality on Cisco Catalyst 9300 Series, Cisco Catalyst 9400 Series, and Cisco Catalyst 9500 Series Switches, which are configured as fabric edges.

Application policy support

You can configure and deploy application policies on the Cisco Catalyst 9800 Series Wireless Controller.

Ekahau integration

Ekahau Pro allows you to create the complete network plan for your enterprise, including floor layout, AP locations, and obstacles. After creating the floor layout, you can export the simulated network plan and the real-world site survey data into a format that Cisco DNA Center can use. You can import the Ekahau project file into Cisco DNA Center for further planning.

Interactive floor planning

Interactive floor planning helps network administrators plan a floor layout by drawing a floor map and placing hypothetical APs that are not yet installed or discovered by Cisco DNA Center, and then export the floor plan to a PDF. Network administrators can visualize the floor plan before mounting APs on the floor.

Table 7. New and Changed Software Features in Cisco SD-Access, Release 1.3.1.0
Feature Description

Fabric-in-a-box deployment options

  • Cisco Catalyst 9000 Switches (C9300, C9400, and C9500 series) have the capability to host border node, edge node, and embedded wireless functionalities on a single switch (single or stacked), with a non-colocated control plane node.

  • You can deploy two fabric-in-a-box features at a site, but without the support for embedded wireless.

Border handoff enhancements: 4-byte ASN support

The local autonomous system number can be specified in ASPLAIN, ASDOT, or ASDOT+ notation during Layer 3 handoff and during IP transit creation.

Device support for Layer 2 border handoff

Starting with Cisco SD-Access Release 1.3.1.0, Cisco Catalyst 9500 High Performance Series Switches and Cisco Catalyst 9600 Series Switches support Layer 2 border handoff functionality.

Base automation support for Cisco Nexus 9500 devices

Cisco DNA Center discovers and provisions Cisco N9K-C9504, N9K-C9508, and N9K-C9516 devices.

New platform support: Cisco Catalyst 9800-L Wireless Controller

The Cisco Catalyst 9800-L Wireless Controller provides seamless software updates for small to mid-size enterprises. The Cisco Catalyst 9800-L Wireless Controller is available in two variations. You can choose between copper and fiber uplinks, which gives you flexibility in your network.

  • Cisco Catalyst 9800-L Copper Series Wireless Controller (9800-L-C RJ45)

  • Cisco Catalyst 9800-L Fiber Series Wireless Controller (9800-L-F SFP)

Multiple virtual networks for guest access

You can create multiple virtual networks for guest access. With this feature, you can use different virtual networks for guest traffic in places where there is no enterprise traffic. You can map the wireless guest SSIDs to IP address pools from different virtual networks with no restrictions.

Embedded wireless support on fabric edge

Cisco DNA Center supports embedded wireless functionality on Cisco Catalyst 9300 Series, Cisco Catalyst 9400 Series, and Cisco Catalyst 9500 Series Switches, which are configured as fabric edges.

Table 8. New Hardware in Cisco SD-Access, Release 1.3.1.0

| Device Role | Product Family | Description |
| --- | --- | --- |
| Extended node | Cisco Catalyst IE3400 Heavy Duty Series (IE3400H) | The Cisco IE3400H Series switches are available with 8, 16, or 24 Fast Ethernet (D-coded) or Gigabit Ethernet (X-coded) M12 interfaces. |

Cisco DNA Center-Supported Devices

For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.

Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later

  • Mozilla Firefox: Version 65.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco Digital Network Architecture Center Installation Guide.

Supported Firmware

Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 3.1(2c) for appliance model DN2-HW-APL

  • Cisco IMC Version 3.1(3a) for appliance model DN2-HW-APL-L

  • Cisco IMC Version 4.0(1a) for appliance model DN2-HW-APL-XL

The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. Do not update later than Cisco IMC 4.0(4b).

Installing Cisco DNA Center

You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco Digital Network Architecture Center Installation Guide for information about installation and deployment procedures.


Note

The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.

  • Application Hosting

  • Application Policy

  • Assurance - Sensor

  • Automation - Sensor

  • Cisco DNA Center platform

  • Cisco SD-Access

  • Cisco Wide Area Bonjour Application

  • Intelligent Capture


For more information about downloading and installing a package, see "Manage Applications" in the Cisco Digital Network Architecture Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) 10.6.2. Earlier versions of CMX are not supported.


Note

While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.


Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series


Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternative Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.
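The SAN rules in this section can be checked against a certificate before it is uploaded. The following Python pre-flight check is an added example, not Cisco code: it reads certificate fields in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and the method labels (dhcp, dns, pnp-connect), hostnames, and addresses are constructed for illustration. It assumes exact-match comparison of names and addresses.

```python
import ipaddress

# Constructed sample certificate fields (placeholder names and addresses).
SAMPLE_CERT = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("DNS", "dnac.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _as_ip(text):
    """Return an ip_address object, or None when text is a hostname."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _host(text):
    """Normalize a hostname for comparison (case and trailing dot)."""
    return text.strip().lower().rstrip(".")


def san_values(cert):
    """Ordered SAN entries as ('DNS', name) or ('IP', address).

    The subject CN is never consulted, because the Plug and Play agent
    checks only the SAN field.
    """
    out = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            out.append(("DNS", _host(value)))
        elif kind == "IP Address":
            ip = _as_ip(value)  # normalizes IPv6 spelling differences
            if ip is not None:
                out.append(("IP", ip))
    return out


def required_identity(method, target):
    """SAN value a device needs for one discovery method.

    dhcp / pnp-connect: the exact IP address or hostname handed to the device
    (for a NAT deployment, pass the public address the device connects to).
    dns: target is the domain; the device looks up pnpserver.<domain>.
    """
    if method == "dns":
        return ("DNS", "pnpserver." + _host(target))
    if method in ("dhcp", "pnp-connect"):
        ip = _as_ip(target)
        return ("IP", ip) if ip is not None else ("DNS", _host(target))
    raise ValueError("unknown discovery method: " + method)


def check_pnp_san(cert, discovery):
    """Report SAN values missing for the discovery methods in use."""
    sans = san_values(cert)
    present = set(sans)
    missing = []
    for method, target in discovery:
        need = required_identity(method, target)
        if need not in present:
            missing.append(f"{method}: {need[1]}")
    warnings = []
    kinds = [kind for kind, _ in sans]
    if "DNS" in kinds and "IP" in kinds and kinds[0] != "DNS":
        warnings.append("FQDN should be the first SAN value, followed by the IP address")
    return {"missing": missing, "warnings": warnings}


if __name__ == "__main__":
    in_use = [
        ("dhcp", "192.0.2.10"),          # option 43 with an explicit address
        ("dns", "example.com"),          # needs pnpserver.example.com
        ("pnp-connect", "203.0.113.5"),  # NAT public address in the profile
    ]
    print(check_pnp_san(SAMPLE_CERT, in_use))
```

The same check applies to the certificate of an HTTP proxy placed between the devices and Cisco DNA Center, since it must carry the same SAN fields.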


Bugs

Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.

Procedure


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered cisco.com username and password and click Log In.

The Bug Search window opens.

Note

If you do not have a cisco.com username and password, register at https://idreg.cloudapps.cisco.com/idreg/guestRegistration.do.

Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs—Non-High Availability

The following table lists the open non-HA bugs in Cisco DNA Center.

Table 9. Open Bugs—Non-HA

Bug Identifier

Headline

CSCvj41522

Importing a Plug and Play CSV with 25 APs fails.

CSCvn16534

When you delete a backup, the elastic backup on the network file system server is not deleted. Only the metadata is deleted.

CSCvn32554

A wireless controller goes into unmonitored state after a restore from the backup.

CSCvo21720

Network health appears for the Cisco Catalyst 9800 wireless controller in both the monitored and unmonitored sections.

CSCvo39337

Get memberid fails if the proxy is configured after the setup wizard.

CSCvo44394

When you try to add Cisco ISE 2.4 to Cisco DNA Center 1.3, the following certificate error is generated:

Error establishing trust with ISE: Expected phrase [Enter URI for uploading ISE certificate chain:] 
wasn't received from ise.

The workaround is to configure the network MTU size to 9100 between Cisco ISE and Cisco DNA Center.

CSCvo60306

Device activation fails when the image is not the minimum supported image version.

CSCvp15026

Devices remain in Partial Collection Failure state after an incomplete provision and resynchronization.

This problem occurs only when there is an incomplete manual clearing of CLI commands on a device. When a device goes through the full removal flow, subsequent synchronizations work correctly.

Related bug: CSCvj15139.

CSCvp25402

After you delete a wireless controller with 4000 APs from Cisco DNA Center, it takes 25 minutes or longer for the wireless controller to be removed from the inventory.

CSCvp48020

The IR829 does not display the correct Gigabyte interface in the WAN interface drop-down list.

CSCvp48160

Software image management: Cisco Catalyst 6000 image activation fails while upgrading the image version 152-2.SY to 152-2.SY*.

CSCvp49120

A Cisco Catalyst 6000 ISSU upgrade from SY2 to SY3 fails when the device has snmp-server enable traps vstack in the running configuration.

CSCvp51880

The Maglev Cassandra service fills up the disk with index files.

CSCvp73793

The Cisco Catalyst 9800 wireless controller neighbor topology does not update the AP count in the inventory.

CSCvp83057

External site borders point to other external borders in a site, which causes loops.

CSCvp83298

After migration, the port channel is not created on the switch and is missing from the Host Onboarding page.

CSCvp95386

After upgrading the embedded wireless software on Cisco Catalyst 9000 devices from 16.10.1.e to 16.11.1s, the AP country code configuration is lost.

CSCvp96088

An image change on the wireless controller causes the AP Intelligent Capture 360 page to lose all data.

CSCvq02712

SDA end users can HTTPS to the fabric edge default gateway IP address.

CSCvq13219

Copying the golden tag for base image does not copy the wireless package.

CSCvq23559

An error occurs while creating an authorization policy under Policy sets.

CSCvq34252

During Return Material Authorization (RMA), the AVC config is not replaced completely; match commands are missing for class-map.

CSCvq40037

LAN automation PnP: An image upgrade fails for a Cisco Catalyst 9500 device.

CSCvq53490

After migrating policy data to Cisco ISE, some policies are not migrated from Cisco DNA Center to Cisco ISE.

CSCvq53511

No loop is detected if MSTP is enabled on the device.

CSCvq54634

Multicast does not work on an edge device that is added to a fabric on which multicast is already enabled.

CSCvq55154

Cisco Catalyst 9800 wireless controller: NETCONF discovery fails after performing a write erase on the device.

CSCvq55394

If STP is not enabled on devices, loops are not detected, and MRE does not conclude.

CSCvq55459

No loops are detected if you connect a new cable to the device.

CSCvq55626

An NDP package upgrade fails. The Elasticsearch pod does not run in the ndp namespace.

CSCvq57083

Maglev upgrade fails with the following error:

Timeout waiting to pull system update hook bundle.

CSCvq58240

For an external guest border, Cisco DNA Center doesn't configure the BGP address-family ipv4 vrf GUEST_VN. Guest clients don't work with the External Guest-Border BGP configuration.

Instead, you must configure the External Guest-Border BGP manually based on the network design.

CSCvq61710

Cisco DNA Center: For Cisco Nexus 7000 Release 8.2(4) devices, the kick start image in CCO should also show under latest/suggested.

CSCvq65765

After upgrading to Cisco DNA Center and enabling the Autoconf feature, macro configurations are not removed from extended nodes.

CSCvq65784

When IPv4 multicasting is enabled on an edge device, Cisco DNA Center does not push the ip igmp explicit-tracking command to the Layer 2 handoff VLAN on the corresponding border device.

CSCvq66963

ENCS/NFVIS devices with NFVIS version 3.12.1 are not managed and show partial collection failure in Cisco DNA Center.

CSCvq67362

APs are seen in Assurance pages when the wireless controller is deleted in Unreachable state.

CSCvq70912

Cannot onboard 8.8.261 wireless sensors after upgrading to Cisco DNA Center.

CSCvq71182

Application Hosting: A bad gateway error is reported after a device reload.

CSCvq75273

A session timeout does not take the user to the login screen automatically.

CSCvq84795

Even if the device has the exact role set up, the Device Role is shown as UNKNOWN in the Issues dashboard.

CSCvq86168

Application Hosting: After the USB is reseated, the device must be reloaded.

CSCvq86732

Cisco DNA Center and Cisco ISE are out of sync after running an automation script to create or delete scalable groups, contracts, or policies.

CSCvq88037

After moving the production cloud, the site comparison chart does not load.

CSCvq90282

System commands time out and a subsequent system upgrade fails with the following error:

Copying host packages failed.

CSCvq91492

After changing the Cisco DNA Center license on a Cisco Catalyst 9000 device, QoS configs are modified.

CSCvq91161

Network Data Platform: SNMPv3 devices are deleted but remain in the polled list in an upgraded cluster.

CSCvq92221

Devices do not appear in the Monitored section in Assurance because one device remains in partial collection failure state.

CSCvq94904

The Overall Health map shows incorrect information.

CSCvq95775

The catalog server tries to pull packages even if there is a failure after Cisco DNA Center is powered on.

CSCvq97375

It is possible to integrate a Cisco DNA Center instance with a Cisco ISE server that already has a different Cisco DNA Center integrated.

CSCvr02321

The SMU API count result shows 2, whereas the UI displays 1 for a Cisco ISR 4331 router.

CSCvr04915

Provisioning is blocked on a new controller to fabric provisioned site.

CSCvr10816

For some devices, provisioning fails at the Activate VNFs stage with the following error:

The device to be provisioned does not exist.

CSCvr13910

If you use a default policy with the "Deny IP" SGACL and the policy gets pushed to the switch, all control packets are denied and the switch loses connectivity to the network.

CSCvr17217

After upgrading packages, changes to the Cisco ISE configuration do not take effect.

Open Bugs—High Availability

The following table lists the open high availability (HA) bugs in Cisco DNA Center.

Table 10. Open Bugs—HA

Bug Identifier

Headline

CSCvn32215

In a three-node setup, if you bring down the node while LAN Automation is in progress, the LAN automation status shows as complete, yet without success.

This problem occurs if you perform a network-orchestration service restart or a full node restart while LAN automation is in progress.

The network orchestration service doesn't resume the ongoing LAN automation session. It marks LAN automation as complete and releases all IP addresses allocated from IPAM. Users are expected to perform a configuration cleanup on the seed device, write-erase/reload discovered devices, and start a new LAN automation session.

CSCvo35174

Maglev cassandra-1 goes into the crashloop state in a three-node cluster after upgrading Cisco DNA Center.

CSCvo95706

The VIP toggles between the three nodes every minute and "Invalid VRRPv3 checksum" messages are seen in keepalived.

CSCvq73822

In a three-node cluster, a password change in the maglev config update must change for all three nodes.

Resolved Bugs

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.4.

Table 11. Resolved Bugs in Cisco DNA Center, Release 1.3.1.4
Bug Identifier Headline

CSCvm15743

Cisco DNA Center: LAN automation should check for an enable password.

CSCvp73577

Creating VNs in host onboarding is touching the network unnecessarily.

CSCvp81113

Number of devices in Fusion and in NDP graph db are mismatched.

CSCvp87542

Cisco Catalyst 9800 Series Wireless Controller provisioning failure when special characters are used in the Cisco ISE shared key.

CSCvq08301

Intelligent Capture: Various capture file handling improvements and workarounds.

CSCvq42795

AP provisioning fails with error "OwningEntityId" for wireless controller missing in the database.

CSCvq65767

Cisco DNA Center 1.3.0.2: LAN Automation fails after updating Management IP address of seed device.

CSCvq70996

Cisco ISE integration fails if AAA server already exists with given IP.

CSCvq71911

Error while creating custom dashboard using Client Health template.

CSCvq73386

Cisco DNA Center 1.3.0.2: Wireless client Assurance data not seen.

CSCvq74452

Out of memory and gateway error are observed in Cisco DNA Center 1.2.10.

CSCvq80321

Assurance API yields invalid values for client slot ID and health score.

CSCvq90200

Heatmap persists even after AP disassociation.

CSCvq97467

Cisco DNA Center does not display virtual network information post upgrade from 1.2.10.4 to 1.3.0.3.

CSCvq98206

Cisco DNA Center managed fabric devices may report being in "Failed" provision status, despite their last provisioning task completing successfully.

CSCvr00436

Enhancement: Masking config output from Command Runner.

CSCvr00675

Unable to modify guest wireless SSID due to Fast Transition null.

CSCvr01901

Unexpected "DHCP IP address obtain failure" issue for IPv6 only clients.

CSCvr03397

Catalyst 9300 macros get applied to IP phone ports.

CSCvr04611

Application 360 page doesn't show any data the first time loaded from search.

CSCvr08398

Cisco DNA Center Device provisioning: Template configuration page failed to pull the device list.

CSCvr14061

IPAM service stuck not processing requests in RabbitMQ queue; multiple restarts needed to recover.

CSCvr18868

Cisco DNA Center 1.3.0.3 WPA2 personal passphrase with "&" fails to provision Cisco Catalyst 9800 Series Wireless Controller.

CSCvr19226

Post upgrade from Cisco DNA Center 1.2.x to 1.3.0: SWIM image upgrade, fabric page loading and many functions are broken.

CSCvr21334

Under heavy load, after a few days the wireless clients are found to be missing.

CSCvr22453

Add support for multiple return types on hostProtocolEnum.

CSCvr26483

MongoDB doesn't perform write operations causing "identitymgmt svc" and other dependencies to fail.

CSCvr28905

Cisco DNA Center 1.3.0.3: Unable to provision AP failed with reason "character '< ' is not allowed".

CSCvr30114

Credential manager backup fails as upsert to mongo DB fails.

CSCvr32896

NPObjectTracker not getting deleted.

CSCvr33678

When configuration is pushed through Cisco DNA Center, unreachable devices should be skipped.

CSCvr39983

Wired Client does not show correct value for data transmitting and receiving rate.

CSCvr45718

Cisco DNA Center has missing port configuration and fails to deploy onboarding interface.

CSCv49683

Cisco DNA Center 1.3.1: CSV import does not work for template.

CSCvr50943

After system update from Cisco DNA Center 1.2.10 to 1.3.1.1, maglev commands are failing due to invalid token generation.

CSCvr52679

The "dnacp-formatter-service" is not in the running state. Possible reason: Trial enterprise license expiration.

CSCvr54410

Cisco DNA Center: The "SPF-service-manager-service" is down after associating IP address pool to VN.

CSCvr54036

Cisco DNA Center: Multiple template provisioning operations get stuck when there are unreachable devices.

CSCvr56898

Cisco DNA Center: Edit VN page under Host Onboarding is blank when the SGT is not available in Cisco ISE.

CSCvr57319

Plug and play server should try again, if plug and play agent fails to respond the first time.

CSCvr60176

Cisco DNA Center 1.3.0.4: Upgrade failed due to "devicesmartagentdetails" relation missing.

CSCvr61506

AP radio high utilization mismatch between AP360 and issue detail pages.

CSCvr72715

Need a very descriptive and user-friendly message when integration fails due to an expired certificate.

CSCvr75269

Cisco DNA Center 1.3.0.4 9300: Failed inventory collection due to "ConstraintViolationException" ACL.

CSCvr82062

Application package upgrade failing due to Exception in package: access-control-application.

CSCvr85956

Inventory Resync takes longer time for "lldp_neighbors" and VLAN features.

CSCvr89195

Cisco Catalyst 9800 Series Wireless Controller's policy tag deleted when provisioned after changing AP RF profile.

CSCvr91320

AP 360 doesn't show the CPU or memory utilization.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.3.

Table 12. Resolved Bugs in Cisco DNA Center, Release 1.3.1.3
Bug Identifier Headline

CSCvq86191

At high scale, adding an extended node to the fabric fails due to an empty device interface.

CSCvq89880

A user with an Observer role cannot use the Search function in the Cisco DNA Center GUI. A "Failed to lookup" error is reported.

CSCvr00601

The provisioning status shows SUCCESS but the color remains red.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.2.

Table 13. Resolved Bugs in Cisco DNA Center, Release 1.3.1.2
Bug Identifier Headline

CSCvq47566

ETCD runs out of memory during periodic snapshot creation and the Cisco DNA Center cluster goes down.

CSCvq80742

A Cisco DNA Center system upgrade fails with the following error:

Kubernetes upgrade to version v1.10.2 failed.

CSCvq85254

After a device image is changed and reloaded, the AP Intelligent Capture page contains no data.

CSCvq94430

A fresh deployment of Cisco DNA Center fails at the system package deployment.

CSCvq97736

Validation fails for the Maglev parent catalog settings.

CSCvq99977

After the system upgrade completes, member ID information is missing on the catalog service.

CSCvr02827

After applying a security fix for an AireOS wireless controller, an access tunnel goes down and never recovers.

CSCvr05013

The web install UI should show the Cisco UCS server picture based on the PID.

CSCvr10469

During an upgrade, Cisco DNA Center fails to install a prehook. This hook checks to see if the correct version of software is on the Cisco ISE server, and if the software version is not correct, the upgrade does not occur.

CSCvr21334

After a few days of heavy use, wireless clients are missing.

CSCvr42300

Access Control Application and Cisco SD-Access packages fail to upgrade due to missing IPACL policy migrations.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.1.

Table 14. Resolved Bugs in Cisco DNA Center, Release 1.3.1.1
Bug Identifier Headline

CSCvr03768

The WSDL certificate in Cisco DNA Center's EJBCA Public Key Infrastructure (PKI) broker service expired on October 4, 2019. After this server certificate expires, Cisco DNA Center clients that use the EJBCA service for secure sessions fail to connect. As a result, Cisco DNA Center fails to onboard the Embedded Wireless Controller on Cisco Catalyst 9800 series devices and 1800s wireless sensors. Apart from the eWLC, there is no impact to any other WLC, switch, or router onboarding, or any other feature in Cisco DNA Center.

There is no workaround for this problem. You must upgrade Cisco DNA Center to a version that has been patched to include a new WSDL certificate. The following Cisco DNA Center releases have the fix with the new WSDL certificate: 1.2.10.5, 1.2.12.2, 1.3.0.4, and 1.3.1.1. The new certificate has a 20-year expiry.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.0.

Table 15. Resolved Bugs in Cisco DNA Center, Release 1.3.1.0

Bug Identifier

Headline

CSCvn69306

After a system update, some background services might not run for the next hour. After 1 hour, the services recover automatically.

CSCvp29213

A crash occurs when the RADIUS Change of Authorization (CoA) feature is triggered for an environment data update and the clear cts environment-data command is issued at the same time. The problem occurs because the clear cts environment-data command fails to clear the environment data.

CSCvp38271

Cisco SD-Access: Events are missing from the Event Viewer on the Device 360 page.

CSCvp53259

A Cisco DNA Center local backup fails if the maglev password starts with special characters.

CSCvp65347

The Time API takes a very long time to respond when there are multiple user sessions browsing the Assurance GUI.

CSCvp75825

Air quality is missing randomly from an AP 360 page health chart.

CSCvp79623

The Device Inventory page refreshes continuously when the complete fully qualified domain name (FQDN) associated with the Cisco DNA Center IP address is not configured during install. The Device Inventory page doesn't show the device list.

To work around this problem, use the IP address or the complete FQDN in the URL.

CSCvp80992

Provisioning fails if you choose "Do not change" and enter an interface name.

CSCvp82437

The Flex Connect SSID with Cisco Catalyst 9800 does not appear on an AP when you choose VLAN name management.

CSCvp85827

Border Gateway Protocol (BGP) advertises Multicast Rendezvous Point (RP) /32 and /128 prefixes from non-RP borders.

CSCvp86063

You can manually add Cisco IE3300 and IE3400 extended nodes that have been removed from the fabric.

CSCvp86074

Migration: Cannot add IPv6 to the fabric.

CSCvp88055

An ISR border device returns an error when the fabric is enabled with a multicast RP on the other fabric border.

CSCvp88475

AP mode and uptime don't get updated, affecting Intelligent Capture functionality.

CSCvp89837

If you upgrade Cisco DNA Center 1.2.10 to 1.3 and make embedded wireless LAN controller image changes, the controller goes into Unmonitored state, and Assurance shows no client data.

CSCvp99454

After upgrading from Cisco DNA Center 1.2.3 or 1.2.6 to 1.2.8, then 1.2.10, then 1.3, the Network Plug and Play menu option is available under the Tools menu. (The Network Plug and Play menu option should not be present.)

If you upgrade from Cisco DNA Center 1.2.10 to 1.3, the Network Plug and Play menu option is not available under the Tools menu, which is correct.

CSCvq43865

Due to a large number of hung pykube connections, the Maglev server is unresponsive to services.

Limitations and Restrictions

Upgrade Limitation

If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:

  • Cisco ISE is already configured in Cisco DNA Center.

  • The version of Cisco ISE is not the required 2.6 patch 1 or 2.4 patch 7 or later.

  • Cisco DNA Center contains an existing fabric site.

Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.

To work around this problem, upgrade Cisco ISE to 2.6 patch 1 or 2.4 patch 7 or later, and retry the Cisco DNA Center upgrade.

Backup and Restore Limitations

Backup and restore limitations and restrictions include:

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

HA Limitation

In this release, Cisco DNA Center provides HA support only for Automation and Cisco SD-Access. HA for Assurance is not supported.

Cisco ISE Integration Limitations

Cisco ISE integration limitations and restrictions include:

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC 5280, Section 4.2.1.9).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.
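The following pre-integration check is an added example, not Cisco code. It covers three of the certificate rules listed above (no ECDSA keys, cA:TRUE on self-signed certificates, and the IP address or FQDN present in the Subject or Subject Alt Name) by reading the text printed by openssl x509 -noout -text. The host name, the address, and both sample certificates are constructed, and treating Issuer equal to Subject as "self-signed" is an assumption of this sketch.

```python
import re

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# self-signed RSA certificate. Host name and address are placeholders.
SAMPLE_OK = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = dnac.example.test
        Subject: CN = dnac.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:dnac.example.test, IP Address:192.0.2.10
"""

# Constructed sample: ECDSA key, no Basic Constraints, SAN lacks the address.
SAMPLE_BAD = """\
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = dnac.example.test
        Subject: CN = dnac.example.test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:dnac.example.test
"""


def _field(text, label):
    """Value of a single-line 'Label: value' entry, or '' if absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else ""


def _extension(text, name):
    """Value line printed under an 'X509v3 <name>:' header, or ''."""
    m = re.search(rf"X509v3 {re.escape(name)}:[^\n]*\n\s*([^\n]+)", text)
    return m.group(1).strip() if m else ""


def identities(text):
    """Names the certificate asserts: subject CN plus DNS/IP SAN entries."""
    names = set()
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", _field(text, "Subject"))
    if cn:
        names.add(cn.group(1).strip().lower())
    for item in _extension(text, "Subject Alternative Name").split(","):
        kind, _, value = item.strip().partition(":")
        if kind in ("DNS", "IP Address") and value:
            names.add(value.strip().lower())
    return names


def audit(text, expected_names):
    """Return (code, detail) findings; an empty list means all checks pass."""
    findings = []
    if _field(text, "Public Key Algorithm") == "id-ecPublicKey":
        findings.append(("ecdsa-key", "ECDSA keys are not supported"))
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")
    # Assumption: Issuer == Subject is used as the self-signed test.
    if issuer and issuer == subject:
        if "CA:TRUE" not in _extension(text, "Basic Constraints"):
            findings.append(("no-ca-true",
                             "self-signed certificate lacks cA:TRUE"))
    present = identities(text)
    for name in expected_names:
        if name.lower() not in present:
            findings.append(("name-missing",
                             f"{name} not in Subject or Subject Alt Name"))
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit(sample, ["dnac.example.test", "192.0.2.10"]))
```

Run it against the output for each certificate in the chain before establishing trust; it does not verify signatures or chain completeness.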

License Limitation

The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support wireless LAN controller models that run Cisco AireOS.

Fabric Limitation

Cisco DNA Center supports only up to 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, Dot1Q, and so on.

Brownfield Feature-Related Limitations

Brownfield feature-related limitations include:

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, the message "Policy Deployment failed" is displayed.

Cisco Plug and Play Limitations

Plug and Play limitations and restrictions include:

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

AP Provisioning Failure Limitation

Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.

After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.

AP Performance Limitation

Provisioning of 100 APs takes longer in this release than the 3 minutes it took in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.

Inter-Release Controller Mobility (IRCM) Limitation

The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.

IP Device Tracking on Trunk Port Limitation

Rogue-on-wire detection is impacted; Cisco DNA Center does not show all clients connected to a switch via an access point in bridge mode. The trunk port is used to exchange all VLAN information. When you enable IP device tracking on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable IP device tracking on the trunk port. The rogue-on-wire is not detected if the IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center:

For This Type of Information... See This Document...

Release information, including new features, limitations, and open and resolved bugs.

Cisco DNA Center Release Notes

Installation and configuration of Cisco DNA Center, including postinstallation tasks.

Cisco DNA Center Installation Guide

Upgrade information for your current release of Cisco DNA Center.

Cisco DNA Center Upgrade Guide

Use of the Cisco DNA Center GUI and its applications.

Cisco DNA Center User Guide

Configuration of user accounts, security certificates, authentication and password policies, and backup and restore.

Cisco DNA Center Administrator Guide

Security features, hardening, and best practices to ensure a secure deployment.

Cisco DNA Center Security Best Practices Guide

Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases.

Supported Devices

Hardware and software support for Cisco SD-Access.

Cisco SD-Access Hardware and Software Compatibility Matrix

Use of the Cisco DNA Assurance GUI.

Cisco DNA Assurance User Guide

Use of the Cisco DNA Center platform GUI and its applications.

Cisco DNA Center Platform User Guide

Cisco DNA Center platform release information, including new features, deployment, and bugs.

Cisco DNA Center Platform Release Notes

Key features and scale numbers.

Cisco DNA Center Data Sheet

Use of the Cisco Wide Area Bonjour Application GUI.

Cisco Wide Area Bonjour Application User Guide

Use of the Stealthwatch Security Analytics Service on Cisco DNA Center.

Cisco Stealthwatch Analytics Service User Guide