Release Notes for Cisco DNA Center, Release 1.3.1.x

This document describes the features, limitations, and bugs for Cisco DNA Center, Release 1.3.1.x.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History
| Date | Change | Location |
|---|---|---|
| 2020-08-05 | Added CSCvr54376 to the 1.3.1.4 Resolved Bugs table. | Resolved Bugs |
| 2020-07-23 | Added the list of packages in Cisco DNA Center 1.3.1.7. | New and Changed Information |
| 2020-07-23 | Added the Resolved Bugs table for 1.3.1.7. | Resolved Bugs |
| 2020-06-22 | Removed CSCvq09974 from the Resolved Bugs table for 1.3.1.5. | Resolved Bugs |
| 2020-04-28 | Added the list of packages in Cisco DNA Center 1.3.1.6. | New and Changed Information |
| 2020-04-28 | Added the Resolved Bugs table for 1.3.1.6. | Resolved Bugs |
| 2020-04-28 | Added open bug CSCvt78024. | Open Bugs—High Availability |
| 2020-03-18 | Added open bug CSCvt00402. | Open Bugs—Non-High Availability |
| 2020-02-20 | Added the list of packages in Cisco DNA Center 1.3.1.5. | New and Changed Information |
| 2020-02-20 | Added the Resolved Bugs table for 1.3.1.5. | Resolved Bugs |
| 2020-02-05 | Added CSCvq69305 and CSCvr12994 to the Resolved Bugs table for 1.3.1.4. | Resolved Bugs |
| 2020-01-28 | Added information about the Wireless Pool option. | New and Changed Information |
| 2019-12-11 | Updated the Access Control Application package version to 2.1.78.60118 for Cisco DNA Center 1.3.1.4. | New and Changed Information |
| 2019-12-06 | Added the list of packages in Cisco DNA Center 1.3.1.4. | New and Changed Information |
| 2019-12-06 | Added the Resolved Bugs table for 1.3.1.4. | Resolved Bugs |
| 2019-11-20 | Clarified that the Rogue Management application is supported in Cisco DNA Center 1.3.1.3 and later. | New and Changed Information |
| 2019-11-18 | Updated the Cisco DNA Center Search package version to 1.0.0.44. | New and Changed Information |
| 2019-11-18 | Added CSCvq89880 to the Resolved Bugs table for 1.3.1.3. | Resolved Bugs |
| 2019-11-01 | Added support for the Rogue Management application and specified the package version. | New and Changed Information |
| 2019-10-25 | Added the list of packages in Cisco DNA Center 1.3.1.3. | New and Changed Information |
| 2019-10-25 | Added the Resolved Bugs table for 1.3.1.3. | Resolved Bugs |
| 2019-10-25 | Noted that Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. | Supported Firmware |
| 2019-10-10 | Added the list of packages in Cisco DNA Center 1.3.1.2. | New and Changed Information |
| 2019-10-10 | Added the Resolved Bugs table for 1.3.1.2. | Resolved Bugs |
| 2019-10-03 | Added the list of packages in Cisco DNA Center 1.3.1.1. | New and Changed Information |
| 2019-10-03 | Added the Resolved Bugs table for 1.3.1.1. | Resolved Bugs |
| 2019-09-25 | Added information about Cisco Catalyst 9600 support for Layer 2 border handoff functionality. | New and Changed Information |
| 2019-09-19 | Added information about the Application Hosting package. | New and Changed Information |
| 2019-09-19 | Added open bugs: CSCvq71182 and CSCvq86168. | Open Bugs—Non-High Availability |
| 2019-09-12 | Added a new Upgrade Limitation section. | Limitations and Restrictions |
| 2019-09-04 | Initial release. | |

Upgrade to the Latest Cisco DNA Center Release

For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.

New and Changed Information

The following table shows the updated packages and the versions.

Table 2. Updated Packages and Versions in Cisco DNA Center Release 1.3.1.x
| Package Name | Release 1.3.1.7 | Release 1.3.1.6 | Release 1.3.1.5 | Release 1.3.1.4 | Release 1.3.1.3 | Release 1.3.1.2 | Release 1.3.1.1 | Release 1.3.1.0 |
|---|---|---|---|---|---|---|---|---|
| System Updates | | | | | | | | |
| System | 1.3.0.134 | 1.3.0.134 | 1.3.0.115 | 1.3.0.109 | 1.3.0.94 | 1.3.0.94 | 1.3.0.77 | 1.3.0.77 |
| Package Updates | | | | | | | | |
| Access Control Application | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60118 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| AI Network Analytics | 2.0.10.6 | 2.0.10.6 | 2.0.10.6 | 2.0.10.6 | 2.0.9.12 | 2.0.9.12 | 2.0.8.31 | 2.0.8.31 |
| Application Hosting | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 | 1.0.0.190822 |
| Application Policy | 2.1.75.170281 | 2.1.75.170281 | 2.1.75.170278 | 2.1.75.170275 | 2.1.75.170275 | 2.1.75.170275 | 2.1.75.170270 | 2.1.75.170270 |
| Assurance - Base | 1.4.0.510 | 1.4.0.510 | 1.4.0.504 | 1.4.0.488 | 1.4.0.449 | 1.4.0.449 | 1.4.0.434 | 1.4.0.434 |
| Assurance - Sensor | 1.4.0.505 | 1.4.0.505 | 1.4.0.505 | 1.4.0.484 | 1.4.0.424 | 1.4.0.424 | 1.4.0.424 | 1.4.0.424 |
| Automation - Base | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Automation - Intelligent Capture | 2.1.80.60028 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60406 |
| Automation - Sensor | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Cisco DNA Center Global Search | 1.0.0.44 | 1.0.0.44 | 1.0.0.44 | 1.0.0.44 | 1.0.0.44 | 1.0.0.18 | 1.0.0.18 | 1.0.0.18 |
| Cisco DNA Center Platform | 1.2.0.78 | 1.2.0.78 | 1.2.0.76 | 1.2.0.50 | 1.2.0.36 | 1.2.0.36 | 1.2.0.15 | 1.2.0.15 |
| Cisco DNA Center UI | 1.4.0.341 | 1.4.0.335 | 1.4.0.331 | 1.4.0.244 | 1.4.0.235 | 1.4.0.226 | 1.4.0.211 | 1.4.0.172 |
| Cisco SD-Access | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Command Runner | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Device Onboarding | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Image Management | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Machine Reasoning | 2.1.79.210005 | 2.1.79.210005 | 2.1.79.210005 | 2.1.78.210010 | 2.1.75.210276 | 2.1.75.210276 | 2.1.75.210275 | 2.1.75.210275 |
| NCP - Base | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.75.60446 | 2.1.75.60446 | 2.1.75.60446 | 2.1.75.60446 |
| NCP - Services | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Network Controller Platform | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.77.60004 | 2.1.76.60504 | 2.1.75.60551 | 2.1.75.60446 |
| Network Data Platform - Base Analytics | 1.4.0.180 | 1.4.0.180 | 1.4.0.179 | 1.4.0.116 | 1.4.0.108 | 1.4.0.108 | 1.4.0.108 | 1.4.0.108 |
| Network Data Platform - Core | 1.4.0.431 | 1.4.0.431 | 1.4.0.426 | 1.4.0.328 | 1.4.0.321 | 1.4.0.321 | 1.4.0.321 | 1.4.0.321 |
| Network Data Platform - Manager | 1.4.0.174 | 1.4.0.174 | 1.4.0.173 | 1.4.0.101 | 1.4.0.93 | 1.4.0.93 | 1.4.0.93 | 1.4.0.93 |
| Path Trace | 2.1.81.60012 | 2.1.80.60028 | 2.1.79.60046 | 2.1.78.60109 | 2.1.76.60504 | 2.1.76.60504 | 2.1.75.60446 | 2.1.75.60446 |
| Rogue Management | 1.4.0.70 | 1.4.0.70 | 1.4.0.70 | 1.4.0.70 | 1.4.0.70 | | | |
| Stealthwatch Security Analytics | 2.1.79.1090242 | 2.1.79.1090199 | 2.1.79.1090077 | 2.1.78.1090091 | 2.1.76.1090762 | 2.1.76.1090762 | 2.1.75.1090662 | 2.1.75.1090662 |
| Wide Area Bonjour | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 | 2.4.0.10062 |

New and Changed Features

The following tables summarize the new and changed features in Release 1.3.1.x.

Table 3. New and Changed Features in Cisco SD-Access, Release 1.3.1.4
Feature Description

Ability to define an IP address pool as a wireless pool

Cisco DNA Center, Release 1.3.1.4 provides the ability to select an IP pool as a wireless pool. You can choose from only the defined wireless pool while configuring wireless SSID for the fabric.

To enable the Wireless Pool toggle button, from the Cisco DNA Center home page, click Provisioning > Fabric > Fabric Name > Host Onboarding > VN Name > Advanced View.

Table 4. New and Changed Features in Cisco DNA Center, Release 1.3.1.1
Feature Description

Rogue Management application

The Rogue Management application is an optional package that you can install on Cisco DNA Center. Operating within Cisco DNA Center, the Rogue Management application helps you monitor threats from unauthorized access points. You can access the Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center user interface.

Table 5. New and Changed Features in Cisco DNA Center, Release 1.3.1.0
Feature Description

Site hierarchy

In the License Manager, the site hierarchy is displayed in the left pane, and you can filter the devices listed in the All Licenses page by clicking a specific site.

Network hierarchy

You can navigate to floors of any site directly by clicking the site marker and clicking the Show Floor option.

You can view the devices assigned to any site by clicking the icon available next to the site, and selecting the View Devices option. This takes you to the Provision page, where the device list is auto filtered based on the respective site.

Manage licenses

You can update the Specific License Reservation (SLR) or Permanent License Reservation (PLR) for a device. Choose Actions > Manage License Reservation > Update License Reservation.

Manage licenses

Cisco DNA Center displays a License Details window that shows the complete license details and license history.

Defective device replacement

You can replace a defective device in the Provision > Inventory page by marking the defective device for replacement, and selecting the replacement device added through Inventory. The Return Material Authorization (RMA) workflow begins. When you deploy the replacement device in this manner, the replacement device works like the old device.

Security advisories

The Security Advisories tool captures and lists the security advisories recommended by the Cisco Product Security Incident Response Team (PSIRT). You must install the Machine Reasoning package to use this tool. The advisories are matched based on the software image that is currently installed on the device.

Browser-based configuration wizard

In addition to the Maglev configuration wizard, you can use the new browser-based wizard to configure your Cisco DNA Center appliance for use in your production environment. Note that the 44-core M4 appliance (Cisco part number DN1-HW-APL) cannot be configured using this wizard. Only the following Cisco DNA Center M5 appliances support configuration using the browser-based wizard:

  • 44-core Cisco UCS C220 M5 SFF appliance: Cisco part number DN2-HW-APL

  • 44-core Cisco UCS C220 M5 SFF upgrade appliance: DN2-HW-APL-U

  • 56-core Cisco UCS C220 M5 SFF appliance: Cisco part number DN2-HW-APL-L

  • 56-core Cisco UCS C220 M5 SFF upgrade appliance: Cisco part number DN2-HW-APL-L-U

  • 112-core Cisco UCS C480 M5 appliance: Cisco part number DN2-HW-APL-XL

  • 112-core Cisco UCS C480 M5 upgrade appliance: DN2-HW-APL-XL-U

Ability to clone an IP pool

You can clone an existing IP pool at the site level. When you clone an IP pool, the DHCP server and DNS server IP addresses are already filled in, which saves you time.

Plug and Play provisioning

Bulk provisioning supports additional data fields needed to provision wireless devices. You can change the device name during the claim process and it is also used as the default device hostname. The claim user interface has several other improvements to make the process easier. A second stack cabling scheme is supported for stackable switches.

Application Visibility service: Applications and Application Sets

Applications and Application Sets are moved from Policy > Application Policy to Provision > Services > Application Visibility.

Application Hosting

Application Hosting allows customers to bring in third-party docker applications on Catalyst 9300 Series switches with Cisco IOS-XE software version 16.12.1s.

Telemetry profile enhancements

Support for the Application Visibility profile is introduced in this release.

Device tagging enhancements

This feature allows you to delete a device tag or template tag that is not associated with a device or template.

Group-based access control policies update

Cisco DNA Center 1.3.1.0 includes an updated and improved Group-Based Access Control Policy menu. Cisco ISE is required for a group-based access control policy to download to network devices, and may also be used as the AAA/RADIUS server. Third-party AAA/RADIUS servers are also supported for group-based access control in this release. When you add or edit a scalable group, Cisco DNA Center no longer opens Cisco ISE to the TrustSec workcenter page for further configuration. All group-based policy data is created and managed in Cisco DNA Center. That data is synchronized to Cisco ISE.

Cisco ISE serves as the runtime policy system for SD policy access, providing policy download to network access devices to allow them to perform policy enforcement.

The minimum required Cisco ISE versions are either:

  • Cisco ISE 2.4 patch 7

  • Cisco ISE 2.6 patch 1

ACI groups in Cisco DNA Center

Group-based access control policies in Cisco DNA Center automatically import ACI groups from Cisco ISE. ACI integration must be enabled on Cisco ISE. In Cisco DNA Center, ACI scalable groups display as "learned from ACI".

Cisco Wide Area Bonjour application

The Cisco Wide Area Bonjour application in Cisco DNA Center provides you with centralized access control and monitoring capabilities, combined with the scalability and performance required for large-scale Bonjour services deployments.

Stealthwatch Security Analytics Service on Cisco DNA Center

The Stealthwatch Security Analytics service in Cisco DNA Center automates the provisioning of network elements (based on best practices) so that they send data to Cisco Stealthwatch, enabling you to gain additional visibility, and improving your malware detection capabilities.

Table 6. New and Changed Features in Cisco DNA Assurance, Release 1.3.1.0
Feature Description

Cisco AI Network Analytics

Cisco DNA Center, Release 1.3.1.0 introduces Cisco AI Network Analytics.

Cisco AI Network Analytics is an application within Cisco DNA Center that leverages the power of Machine Learning and Machine Reasoning to provide accurate insights that are specific to your network deployment, which allows you to quickly troubleshoot issues.

Trends and Insights

Cisco AI Network Analytics allows you to determine global patterns (trends) and deviations in your network and provides system-generated insights.

Comparative Analytics

With Cisco AI Network Analytics you can compare a site with another site, compare KPI values with peers in your network, and compare the APs in network heatmaps to spot trends and gain insights.

Issue enhancements

A new updated and more intuitive Open Issues dashboard enables you to easily understand the status of the network. This new dashboard allows you to understand the most impacted sites, the recent trends, and quickly access the AI-driven issues when the Cisco AI Network Analytics application is enabled.

The issue windows are enhanced and simplified:

  • The Global Issues and All Issues windows are replaced by Open Issues, Resolved Issues, and Ignored Issues.

  • The AI-driven issue category is added to the Issue Settings window.

  • Machine Reasoning is supported for the Layer 2 Loop issue.

  • You can configure Cisco DNA Center to send a REST or email notification when supported issues are triggered.

Data rate KPI for wireless clients

Added a data rate KPI for wireless clients.

The following GUI enhancements were made for this feature:

  • Enhanced the Client Health dashboard by adding the Client Data Rate dashlet, which displays the distribution of data rates for wireless clients.

  • Enhanced the Client 360 window:

    • Added details about data rate and client protocol under the timeline pane.

    • Added the Data Rate chart to the Detail Information category under the Connectivity tab.

Application Experience support for more network devices

You can view the quantitative metrics of the applications running on the following network devices:

  • Cisco Catalyst 9000 Series Switches

  • Cisco AireOS WLCs

Sensor enhancements

  • Added a new GUI window Assurance > Manage > Sensors > Sensor List.

    Use this window to view the onboarded sensors in your network. You can enable SSH, enable the status LED, and change the name for these sensors.

  • Added a new GUI window Assurance > Manage > Sensors > Backhaul Settings.

    Use this window to view, create, and manage backhaul configurations for sensors.

  • You can select target APs to test against when creating sensor-driven tests.

Intelligent Capture support for more network devices

Intelligent Capture support is now available for the following access point models:

  • Cisco Aironet 1815 Series APs

  • Cisco Aironet 1830 Series APs

  • Cisco Aironet 1840 Series APs

  • Cisco Aironet 1850 Series APs

  • Cisco Aironet 1540 Series APs

  • Cisco Aironet 1560 Series APs

  • Cisco Catalyst 9115 APs

  • Cisco Catalyst 9120 APs

Table 7. New and Changed Software Features in Cisco Wireless, Release 1.3.1.0
Feature Description

New AP support

This release introduces support for Cisco Aironet 1840 Series Access Points.

New platform support: Cisco Catalyst 9800-L Wireless Controller

The Cisco Catalyst 9800-L Wireless Controller provides seamless software updates for small to mid-size enterprises. The Cisco Catalyst 9800-L Wireless Controller is available in two variations. You can choose between copper and fiber uplinks, which gives you flexibility in your network.

  • Cisco Catalyst 9800-L Copper Series Wireless Controller (9800-L-C RJ45)

  • Cisco Catalyst 9800-L Fiber Series Wireless Controller (9800-L-F SFP)

Rolling AP upgrade

The Rolling AP upgrade feature on the Cisco Catalyst 9800 Series Wireless Controller provides a way to upgrade the Cisco Wireless Controller and APs with minimal to zero downtime. To achieve the zero downtime, it is possible to upgrade APs in a staggered way using the N+1 Rolling AP upgrade feature.

Mobility configuration

The mobility configuration in Cisco DNA Center allows you to group a set of Cisco Wireless Controllers into a mobility group for a seamless roaming experience of wireless clients.

Guest web passthrough

Web passthrough is a solution that is used for guest access and requires no authentication credentials. With web passthrough authentication, wireless users are redirected to the usage policy page while using the internet for the first time. The users are allowed to browse the internet after accepting the policy.

Sleeping client timeout

The guest access clients with successful web authentications are allowed to sleep and wake up without having to go through another authentication process. You can configure the duration for which the sleeping clients are to be remembered before reauthentication.

The valid range is from 10 to 43200 minutes; the default duration is 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to the WLAN.

Multiple virtual networks for guest access

You can create multiple virtual networks for guest access. With this feature, you can use different virtual networks for guest traffic in places where there is no enterprise traffic. You can map the wireless guest SSIDs to IP address pools from different virtual networks with no restrictions.

Embedded wireless support on fabric edge

Cisco DNA Center supports embedded wireless functionality on Cisco Catalyst 9300 Series, Cisco Catalyst 9400 Series, and Cisco Catalyst 9500 Series Switches, which are configured as fabric edges.

Application policy support

You can configure and deploy application policies on the Cisco Catalyst 9800 Series Wireless Controller.

Ekahau integration

Ekahau Pro allows you to create the complete network plan for your enterprise, including floor layout, AP locations, and obstacles. After creating the floor layout, you can export the simulated network plan and the real-world site survey data into a format that Cisco DNA Center can use. You can import the Ekahau project file into Cisco DNA Center for further planning.

Interactive floor planning

Interactive floor planning helps network administrators plan a floor layout by drawing a floor map and placing hypothetical APs that are not yet installed or discovered by Cisco DNA Center, and then export the floor plan to a PDF. Network administrators can visualize the floor plan before mounting APs on the floor.

Table 8. New and Changed Software Features in Cisco SD-Access, Release 1.3.1.0
Feature Description

Fabric in a Box deployment options

  • Cisco Catalyst 9000 Switches (C9300, C9400, and C9500 series) have the capability to host border node, edge node, and embedded wireless functionalities on a single switch (single or stacked), with a non-colocated control plane node.

  • You can deploy two Fabric in a Box features at a site, but without the support for embedded wireless.

Border handoff enhancements: 4-byte ASN support

The local autonomous number can be specified in ASPLAIN, ASDOT, or ASDOT+ notations during Layer 3 handoff and during IP transit creation.

Device support for Layer 2 border handoff

Starting with Cisco SD-Access Release 1.3.1.0, Cisco Catalyst 9500 High Performance Series Switches and Cisco Catalyst 9600 Series Switches support Layer 2 border handoff functionality.

Base automation support for Cisco Nexus 9500 devices

Cisco DNA Center discovers and provisions Cisco N9K-C9504, N9K-C9508, and N9K-C9516 devices.

New platform support: Cisco Catalyst 9800-L Wireless Controller

The Cisco Catalyst 9800-L Wireless Controller provides seamless software updates for small to mid-size enterprises. The Cisco Catalyst 9800-L Wireless Controller is available in two variations. You can choose between copper and fiber uplinks, which gives you flexibility in your network.

  • Cisco Catalyst 9800-L Copper Series Wireless Controller (9800-L-C RJ45)

  • Cisco Catalyst 9800-L Fiber Series Wireless Controller (9800-L-F SFP)

Multiple virtual networks for guest access

You can create multiple virtual networks for guest access. With this feature, you can use different virtual networks for guest traffic in places where there is no enterprise traffic. You can map the wireless guest SSIDs to IP address pools from different virtual networks with no restrictions.

Embedded wireless support on fabric edge

Cisco DNA Center supports embedded wireless functionality on Cisco Catalyst 9300 Series, Cisco Catalyst 9400 Series, and Cisco Catalyst 9500 Series Switches, which are configured as fabric edges.

Table 9. New Hardware in Cisco SD-Access, Release 1.3.1.0

| Device Role | Product Family | Description |
|---|---|---|
| Extended node | Cisco Catalyst IE3400 Heavy Duty Series (IE3400H) | The Cisco IE3400H Series switches are available with 8, 16, or 24 Fast Ethernet (D-coded) or Gigabit Ethernet (X-coded) M12 interfaces. |

Cisco DNA Center-Supported Devices

For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.

Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later

  • Mozilla Firefox: Version 65.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco DNA Center Installation Guide.

Supported Firmware

Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 3.1(2c) for appliance model DN2-HW-APL

  • Cisco IMC Version 3.1(3a) for appliance model DN2-HW-APL-L

  • Cisco IMC Version 4.0(1a) for appliance model DN2-HW-APL-XL

The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. Do not update later than Cisco IMC 4.0(4b).

Installing Cisco DNA Center

You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.


Note

The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.

  • Application Hosting

  • Application Policy

  • Assurance - Sensor

  • Automation - Sensor

  • Cisco DNA Center platform

  • Cisco SD-Access

  • Cisco Wide Area Bonjour Application

  • Intelligent Capture


For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) 10.6.2. Earlier versions of CMX are not supported.


Note

While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.


Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series


Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternative Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.
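
One way to check a certificate's SAN entries against the discovery methods described above, before uploading it; this is an added example, not Cisco code. It takes a certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the hostnames, addresses and method labels are constructed, and exact matching with no wildcard handling is an assumption, since this page does not describe wildcard behaviour.

```python
import ipaddress

# Labels for the four discovery types listed above (label strings are this example's own).
DHCP_IP = "dhcp-option-43/17-address"
DHCP_HOSTNAME = "dhcp-option-43/17-hostname"
DNS_DISCOVERY = "dns"
PNP_CONNECT = "pnp-connect-profile"


def _as_ip(value):
    """Parse an IPv4/IPv6 literal, or return None for a hostname."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _norm_host(name):
    """Lower-case a hostname and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def split_san(cert):
    """Split the subjectAltName of a getpeercert()-shaped dict into DNS names and IPs."""
    dns_names, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.add(_norm_host(value))
        elif kind == "IP Address":
            ip = _as_ip(value.strip())
            if ip is not None:
                ips.add(ip)  # parsed form, so "2001:DB8:0:0:..." equals "2001:db8::..."
    return dns_names, ips


def check_pnp_san(cert, discoveries):
    """Return (missing, warnings) for the discovery methods in use.

    discoveries: list of (method, value); value is the address or hostname handed
    to devices, or the DNS domain for DNS_DISCOVERY.
    The certificate subject (CN) is never consulted, because the agent ignores it.
    """
    dns_names, ips = split_san(cert)
    missing = []
    for method, value in discoveries:
        expected = f"pnpserver.{value}" if method == DNS_DISCOVERY else value
        ip = _as_ip(expected)
        if method == DHCP_IP and ip is None:
            raise ValueError(f"{value!r} is not an IP address")
        if ip is not None and method in (DHCP_IP, PNP_CONNECT):
            present = ip in ips  # an IP literal needs an IP-type SAN entry
        else:
            present = _norm_host(expected) in dns_names  # exact match, no wildcards
        if not present:
            missing.append((method, expected))

    warnings = []
    san = cert.get("subjectAltName", ())
    if dns_names and ips and san[0][0] != "DNS":
        warnings.append("list the FQDN as the first SAN value, followed by the IP address")
    return missing, warnings


# Constructed sample certificates (documentation address ranges, example.com names).
GOOD_CERT = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("DNS", "dnac.example.com"),
        ("DNS", "pnpserver.example.com"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:10"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "dnac.example.com"),),)}
IP_FIRST_CERT = {
    "subjectAltName": (("IP Address", "192.0.2.10"), ("DNS", "dnac.example.com")),
}

# Constructed deployment: every discovery method in use, plus a NAT public address
# in the Plug and Play Connect profile that was left out of the certificate.
SITE_DISCOVERY = [
    (DHCP_IP, "192.0.2.10"),
    (DHCP_IP, "2001:db8::10"),
    (DHCP_HOSTNAME, "dnac.example.com"),
    (DNS_DISCOVERY, "example.com"),
    (PNP_CONNECT, "198.51.100.7"),
]

if __name__ == "__main__":
    for label, cert, disc in [
        ("good cert, full site", GOOD_CERT, SITE_DISCOVERY),
        ("CN only", CN_ONLY_CERT, [(DHCP_HOSTNAME, "dnac.example.com")]),
        ("IP listed first", IP_FIRST_CERT, [(DHCP_IP, "192.0.2.10")]),
    ]:
        print(label, check_pnp_san(cert, disc))
```

The CN-only certificate fails even though its common name matches the hostname, which is the behaviour the note above describes.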


Bugs

Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.

Procedure


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered cisco.com username and password and click Log In.

The Bug Search window opens.

Note

If you do not have a cisco.com username and password, register at https://idreg.cloudapps.cisco.com/idreg/guestRegistration.do.

Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs—Non-High Availability

The following table lists the open non-HA bugs in Cisco DNA Center.

Table 10. Open Bugs—Non-HA

Bug Identifier

Headline

CSCvn16534

When you delete a backup, the elastic backup on the network file system server is not deleted. Only the metadata is deleted.

CSCvn32554

A wireless controller goes into unmonitored state after a restore from the backup.

CSCvo39337

Get memberid fails if the proxy is configured after the setup wizard.

CSCvp95386

After upgrading the embedded wireless software on Cisco Catalyst 9000 devices from 16.10.1.e to 16.11.1s, the AP country code configuration is lost.

CSCvp96088

An image change on the wireless controller causes the AP Intelligent Capture 360 page to lose all data.

CSCvq02712

SDA end users can HTTPS to the fabric edge default gateway IP address.

CSCvq13219

Copying the golden tag for base image does not copy the wireless package.

CSCvq34252

During Return Material Authorization (RMA), the AVC config is not replaced completely; match commands are missing for class-map.

CSCvq53490

After migrating policy data to Cisco ISE, some policies are not migrated from Cisco DNA Center to Cisco ISE.

CSCvq53511

No loop is detected if MSTP is enabled on the device.

CSCvq55154

Cisco Catalyst 9800 wireless controller: NETCONF discovery fails after performing a write erase on the device.

CSCvq55394

If STP is not enabled on devices, loops are not detected, and MRE does not conclude.

CSCvq55459

No loops are detected if you connect a new cable to the device.

CSCvq57083

Maglev upgrade fails with the following error:

Timeout waiting to pull system update hook bundle.

CSCvq58240

For an external guest border, Cisco DNA Center doesn't configure the BGP address-family ipv4 vrf GUEST_VN. Guest clients don't work with the External Guest-Border BGP configuration.

Instead, you must configure the External Guest-Border BGP manually based on the network design.

CSCvq61710

Cisco DNA Center: For Cisco Nexus 7000 Release 8.2(4) devices, the kick start image in CCO should also show under latest/suggested.

CSCvq65765

After upgrading to Cisco DNA Center and enabling the Autoconf feature, macro configurations are not removed from extended nodes.

CSCvq65784

When IPv4 multicasting is enabled on an edge device, Cisco DNA Center does not push the ip igmp explicit-tracking command to the Layer 2 handoff VLAN on the corresponding border device.

CSCvq66963

ENCS/NFVIS devices with NFVIS version 3.12.1 are not managed and show partial collection failure in Cisco DNA Center.

CSCvq67362

APs are seen in Assurance pages when the wireless controller is deleted in Unreachable state.

CSCvq70912

Cannot onboard 8.8.261 wireless sensors after upgrading to Cisco DNA Center.

CSCvq71182

Application Hosting: A bad gateway error is reported after a device reload.

CSCvq75273

A session timeout does not take the user to the login screen automatically.

CSCvq84795

Even if the device has the exact role set up, the Device Role is shown as UNKNOWN in the Issues dashboard.

CSCvq86168

Application Hosting: After the USB is reseated, the device must be reloaded.

CSCvq86732

Cisco DNA Center and Cisco ISE are out of sync after running an automation script to create or delete scalable groups, contracts, or policies.

CSCvq90282

System commands time out and a subsequent system upgrade fails with the following error:

Copying host packages failed.

CSCvq91492

After changing the Cisco DNA Center license on a Cisco Catalyst 9000 device, QoS configs are modified.

CSCvq91161

Network Data Platform: SNMPv3 devices are deleted but remain in the polled list in an upgraded cluster.

CSCvq94904

The Overall Health map shows incorrect information.

CSCvq95775

The catalog server tries to pull packages even if there is a failure after Cisco DNA Center is powered on.

CSCvq97375

It is possible to integrate a Cisco DNA Center instance with a Cisco ISE server that already has a different Cisco DNA Center integrated.

CSCvr02321

The SMU API count result shows 2, whereas the UI displays 1 for a Cisco ISR 4331 router.

CSCvr04915

Provisioning is blocked on a new controller to fabric provisioned site.

CSCvr10816

For some devices, provisioning fails at the Activate VNFs stage with the following error:

The device to be provisioned does not exist.

CSCvr13910

If you use a default policy with the "Deny IP" SGACL and the policy gets pushed to the switch, all control packets are denied and the switch loses connectivity to the network.

CSCvr17217

After upgrading packages, changes to the Cisco ISE configuration do not take effect.

CSCvt00402

A Cisco Catalyst 3000 switch with a 1.6-GB flash size cannot perform a software image upgrade between 16.12.x images.

CSCvt45686

Air quality reporting for radio 1 shows no data. However, the wireless controller shows that the air quality data is being collected and sent. Radio 0 in Cisco DNA Center also shows the air quality data. The expected result is that AP models that support air quality should report data on both radios.

CSCvu04131

Package upgrade fails from 1.2.12 to 1.3.1.6 due to an exception in the package:

UPGRADE_ERROR - Exception in package:
assurance, kind: Plugin,
name: assurance-aggregations - 500 Server Error: Internal Server Error

Open Bugs—High Availability

The following table lists the open high availability (HA) bugs in Cisco DNA Center.

Table 11. Open Bugs—HA

Bug Identifier

Headline

CSCvn32215

In a three-node setup, if you bring down the node while LAN Automation is in progress, the LAN automation status shows as complete, yet without success.

This problem occurs if you perform a network-orchestration service restart or a full node restart while LAN automation is in progress.

The network orchestration service doesn't resume the ongoing LAN automation session. It marks LAN automation as complete and releases all IP addresses allocated from IPAM. Users are expected to perform a configuration cleanup on the seed device, write-erase/reload discovered devices, and start a new LAN automation session.

CSCvo35174

Maglev cassandra-1 goes into the crashloop state in a three-node cluster after upgrading Cisco DNA Center.

CSCvo95706

The VIP toggles between the three nodes every minute and "Invalid VRRPv3 checksum" messages are seen in keepalived.

Cisco Catalyst 9800 Series Wireless Controller

CSCvq73822

In a three-node cluster, a password change in the maglev config update must change for all three nodes.

CSCvt78024

In a three-node cluster, Cisco Catalyst 9800 Series Wireless Controller image upgrade fails due to a flapping VIP interface.

Resolved Bugs

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.7.

Table 12. Resolved Bugs in Cisco DNA Center, Release 1.3.1.7
Bug Identifier Headline

CSCvs69086

Cisco DNA Center should not allow provisioning until the fabric authentication key security fix is applied.

CSCvt32610

Cannot edit profiles on an upgraded server.

CSCvt85320

Sensors are not visible in the Design page floor maps for positioning.

CSCvt97870

A security group subscription request is not sent when Cisco ISE mode is selected on a migration failure.

CSCvu05291

A security group deletion does not synchronize to Cisco DNA Center in Cisco ISE mode.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.6.

Table 13. Resolved Bugs in Cisco DNA Center, Release 1.3.1.6
Bug Identifier Headline

CSCvq40879

Cannot restore a backup from Cisco DNA Center 1.3.0.2.

CSCvq74450

Cisco DNA Center three-node cluster: A restore hangs for longer than 10 hours and the status remains in progress. The restore does not fail with a timeout or succeed.

CSCvr54533

While the Cisco DNA Center Maglev config wizard accepts more than one NTP server, it only writes the first NTP server IP address to /etc/ntp.conf.

CSCvr55608

Rediscovery of devices does not update the device credentials in the inventory. As a result, devices go into partial collection failure and do not change to Managed state without resynchronization.

CSCvr57939

Cannot add or view devices on a fabric page due to a cached entry in the Topology service.

CSCvr77104

NCSW 10013: Failed to activate the device with the image on successful upgrade.

CSCvr81570

Provisioning fails during the workflow step in spf.cfsTranslatorTaskAdapter.

CSCvr93473

CPU load is high and more than 3000 Docker containers remain in init state.

CSCvr98535

Cisco DNA Center doesn't configure the HTTP source interface for PKI. As a result, the Cisco Catalyst 9800 Series Wireless Controller telemetry connection remains in "connecting" state.

CSCvr99025

LAN automation does not configure the peer link.

CSCvs04286

A virtual network-to-IP address pool operation in a scaled environment fails to configure all devices due to a timeout.

CSCvs16542

The Kubernetes pods "Kube-Api" and "Kube-ControllerManager" terminate with an OutOfMemory exit code.

CSCvs33846

Validate before a node joins the cluster.

CSCvs53995

A seed device fails inventory collection due to a switchport constraint violation exception.

CSCvs85704

Cisco DNA Center fails to decrypt passwords after restoring from a backup.

CSCvs88980

Cisco Wireless Controller fails inventory collection with the exception "ManagedNetworkElement was altered."

CSCvs93670

LAN automation doesn't generate an alert if a LAN subnet is exhausted during L3 configuration.

CSCvt08105

A building name change on the Design page does not immediately reflect on the Assurance Device 360 page.

CSCvt08845

After upgrading from Cisco DNA Center 1.2.12, the virtual network L3 instance number is reset to 4100.

CSCvt18135

The NDP database size in mongodb is ~380 GB, affecting the maglev disk partition as well as the mongodb backup.

CSCvt19768

During failover, isolate recovery fails because the maintenance service is not available.

CSCvt24453

The Network Orchestration service crashes due to a switch in "Maintenance" state.

CSCvt39849

The Client Summary report does not show the entire site hierarchy.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.5.

Table 14. Resolved Bugs in Cisco DNA Center, Release 1.3.1.5
Bug Identifier Headline

CSCvp98167

During upgrade on a three-node cluster, kernel packages fail to install, resulting in an upgrade failure.

CSCvq40037

LAN automation PnP must not execute the image upgrade task on a Cisco Catalyst 9300 device with a Cisco Catalyst 9800 golden image.

CSCvq81180

Cisco DNA Center (112-core 1-N upgraded cluster): Influx database process restarts with OOM killed errors.

Cisco DNA Center's InfluxDB installation may become unresponsive if the directory size exceeds 300 GB.

CSCvr26483

The MongoDB does not perform write operations, causing the identitymgmt service and other dependencies to fail.

CSCvr30114

Credential manager backup fails because the upsert to MongoDB fails.

CSCvr34143

Unnecessary change of ownership scripts causes a failure for NDP pipeline services.

CSCvr35414

The Cisco DNA Center DN2 appliance is not compatible with Cisco IMC firmware version 4.0(4c) and later.

CSCvr41100

After wireless controller failover, Cisco DNA Center updates Cisco ISE with a new TrustSec device ID, which breaks communication.

CSCvr54524

Modify query to return search results for devices/users.

CSCvr63469

The Device 360 window does not load with the Japanese browser locale setting.

CSCvr83624

Unable to change the status of the issues under the Device 360 window.

CSCvr83926

Devices don't update automatically with new certificates after replacing the Cisco DNA Center certificate.

CSCvr89951

After upgrading, LAN automation does not start due to a previous LAN automation IS-IS password.

CSCvr99737

When you add a Cisco Catalyst 9800 Series Wireless Controller with scale and leave the setup for longevity, the Last Sync Status in the Inventory window shows "In progress."

CSCvs17526

Unable to update the multicast RP configuration on border nodes.

CSCvs20166

LAN automation doesn't start and returns "ERROR:NCND00050."

CSCvs21975

After upgrading, the fabric border Layer 3 handoff pool changes.

CSCvs22065

In a three-node cluster, Cisco DNA Center becomes unresponsive after over 100 days of service.

CSCvs22210

After upgrading, when you click a device on the Provision tab, an error is generated: "An unknown error occurred. Please try again."

CSCvs24161

The email configuration is not saved if the server rejects a message request.

CSCvs49949

The Maglev server restarts continuously when the backup server is unreachable.

CSCvs63096

Some configured IP pools and VLANs don't appear on the L2 Handoff Configuration window.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.4.

Table 15. Resolved Bugs in Cisco DNA Center, Release 1.3.1.4
Bug Identifier Headline

CSCvm15743

LAN automation should check for an enable password.

CSCvp73577

Creating VNs in host onboarding is touching the network unnecessarily.

CSCvp81113

The number of devices in Fusion and in the NDP graph db don't match.

CSCvp87542

Cisco Catalyst 9800 Series Wireless Controller provisioning failure when special characters are used in the Cisco ISE shared key.

CSCvq08301

Intelligent Capture: Various capture file handling improvements and workarounds.

CSCvq42795

AP provisioning fails with error "OwningEntityId" for wireless controller missing in the database.

CSCvq65767

LAN automation fails after updating the management IP address of the seed device.

CSCvq69305

A vulnerability in the web-based user interface (Web UI) of Cisco DNA Center could allow an authenticated, remote attacker to perform an arbitrary command injection attack.

The vulnerability is due to incorrect input validation of user-supplied data. An attacker could exploit this vulnerability by supplying a malicious input parameter on a form in the Web UI and then submitting that form. An exploit could allow the attacker to disable a menu option on the Web UI.

CSCvq70996

Cisco ISE integration fails if a AAA server already exists with the given IP address.

CSCvq71911

Error while creating a custom dashboard using the Client Health template.

CSCvq73386

Wireless client Assurance data is missing.

CSCvq74452

Out of memory and gateway errors are observed in Cisco DNA Center.

CSCvq80321

Assurance API yields invalid values for client slot ID and health score.

CSCvq90200

Heatmap persists even after AP disassociation.

CSCvq97467

Cisco DNA Center does not display virtual network information after upgrading from 1.2.10.4 to 1.3.0.3.

CSCvq98206

Cisco DNA Center managed fabric devices may report being in "Failed" provision status, despite their last provisioning task completing successfully.

CSCvr00436

Enhancement: Mask config output from Command Runner.

CSCvr00675

Unable to modify guest wireless SSID due to Fast Transition null.

CSCvr01901

Unexpected "DHCP IP address obtain failure" issue for IPv6 only clients.

CSCvr03397

Cisco Catalyst 9300 macros are applied to IP phone ports.

CSCvr04611

The Application 360 window doesn't show any data the first time it loads from a search.

CSCvr08398

Cisco DNA Center Device provisioning: Template configuration window fails to pull the device list.

CSCvr12994

A vulnerability in the web-based management interface of Cisco DNA Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials.

Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190205-dnac-xss

CSCvr14061

IPAM service hangs and doesn't process requests in RabbitMQ queue; multiple restarts needed to recover.

CSCvr18868

Cisco DNA Center 1.3.0.3 WPA2 personal passphrase with "&" fails to provision Cisco Catalyst 9800 Series Wireless Controller.

CSCvr19226

After upgrading from Cisco DNA Center 1.2.x to 1.3.0, SWIM image upgrade, fabric page load, and other functions are broken.

CSCvr22453

Add support for multiple return types on hostProtocolEnum.

CSCvr26483

MongoDB doesn't perform write operations causing "identitymgmt svc" and other dependencies to fail.

CSCvr28905

Cisco DNA Center 1.3.0.3: Unable to provision AP failed with reason "character '< ' is not allowed".

CSCvr30114

Credential manager backup fails as upsert to MongoDB fails.

CSCvr32896

NPObjectTracker is not deleted.

CSCvr33678

When configuration is pushed through Cisco DNA Center, unreachable devices should be skipped.

CSCvr39983

Wired client does not show correct values for data transmitting and receiving rate.

CSCvr45718

Cisco DNA Center has a missing port configuration and fails to deploy the onboarding interface.

CSCv49683

CSV import does not work for a template.

CSCvr50943

After system update from Cisco DNA Center 1.2.10 to 1.3.1.1, maglev commands fail due to invalid token generation.

CSCvr52679

The "dnacp-formatter-service" is not in running state. Possible reason: Trial enterprise license expiration.

CSCvr54410

Cisco DNA Center: The "SPF-service-manager-service" is down after associating IP address pool to VN.

CSCvr54036

Cisco DNA Center: Multiple template provisioning operations hang when there are unreachable devices.

CSCvr54376

A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system.

The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-info-disc-3bz8BCgR

CSCvr56898

Cisco DNA Center: The Edit VN window under Host Onboarding is blank when the SGT is not available in Cisco ISE.

CSCvr57319

Plug and play server should try again, if plug and play agent fails to respond the first time.

CSCvr60176

Cisco DNA Center 1.3.0.4: Upgrade failed due to "devicesmartagentdetails" relation missing.

CSCvr61506

AP radio high utilization mismatch between AP360 and issue detail windows.

CSCvr72715

Need descriptive and user friendly message when integration fails due to an expired certificate.

CSCvr75269

9300: Failed inventory collection due to "ConstraintViolationException" ACL.

CSCvr82062

Application package upgrade failing due to Exception in package: access-control-application

CSCvr85956

Inventory Resync takes longer time for "lldp_neighbors" and VLAN features.

CSCvr89195

Cisco Catalyst 9800 Series Wireless Controller's policy tag deleted when provisioned after changing AP RF profile.

CSCvr91320

AP 360 doesn't show the CPU or memory utilization.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.3.

Table 16. Resolved Bugs in Cisco DNA Center, Release 1.3.1.3
Bug Identifier Headline

CSCvq86191

At high scale, adding an extended node to the fabric fails due to an empty device interface.

CSCvq89880

A user with an Observer role cannot use the Search function in the Cisco DNA Center GUI. A "Failed to lookup" error is reported.

CSCvr00601

The provisioning status shows SUCCESS but the color remains red.

CSCvr63900

Upgrade to Cisco DNA Center 1.3.1.2 failed because more than three DNS servers were configured for a node.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.2.

Table 17. Resolved Bugs in Cisco DNA Center, Release 1.3.1.2
Bug Identifier Headline

CSCvq47566

ETCD runs out of memory during periodic snapshot creation and the Cisco DNA Center cluster goes down.

CSCvq80742

A Cisco DNA Center system upgrade fails with the following error:

Kubernetes upgrade to version v1.10.2 failed.

CSCvq85254

After a device image is changed and reloaded, the AP Intelligent Capture window contains no data.

CSCvq94430

A fresh deployment of Cisco DNA Center fails at the system package deployment.

CSCvq97736

Validation fails for the Maglev parent catalog settings.

CSCvq99977

After the system upgrade completes, member ID information is missing on the catalog service.

CSCvr02827

After applying a security fix for an AireOS wireless controller, an access tunnel goes down and never recovers.

CSCvr05013

The web install UI should show the Cisco UCS server picture based on the PID.

CSCvr10469

During an upgrade, Cisco DNA Center fails to install a prehook. This hook checks to see if the correct version of software is on the Cisco ISE server, and if the software version is not correct, the upgrade does not occur.

CSCvr21334

After a few days of heavy use, wireless clients are missing.

CSCvr42300

Access Control Application and Cisco SD-Access packages fail to upgrade due to missing IPACL policy migrations.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.1.

Table 18. Resolved Bugs in Cisco DNA Center, Release 1.3.1.1
Bug Identifier Headline

CSCvr03768

The WSDL certificate in Cisco DNA Center's EJBCA Public Key Infrastructure (PKI) broker service expired on October 4, 2019. After this server certificate expires, Cisco DNA Center clients that use the EJBCA service for secure sessions fail to connect. As a result, Cisco DNA Center fails to onboard the Embedded Wireless Controller on Cisco Catalyst 9800 series devices and 1800s wireless sensors. Apart from the eWLC, there is no impact to any other WLC, switch, or router onboarding, or any other feature in Cisco DNA Center.

There is no workaround for this problem. You must upgrade Cisco DNA Center to a version that has been patched to include a new WSDL certificate. The following Cisco DNA Center releases have the fix with the new WSDL certificate: 1.2.10.5, 1.2.12.2, 1.3.0.4, and 1.3.1.1. The new certificate has a 20-year expiry.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.1.0.

Table 19. Resolved Bugs in Cisco DNA Center, Release 1.3.1.0

Bug Identifier

Headline

CSCvn69306

After a system update, some background services might not run for the next hour. After 1 hour, the services recover automatically.

CSCvp29213

A crash occurs when the RADIUS Change of Authorization (CoA) feature is triggered for an environment data update and the clear cts environment-data command is issued at the same time. The problem occurs because the clear cts environment-data command fails to clear the environment data.

CSCvp38271

Cisco SD-Access: Events are missing from the Event Viewer on the Device 360 window.

CSCvp53259

A Cisco DNA Center local backup fails if the maglev password starts with special characters.

CSCvp65347

The Time API takes a very long time to respond when there are multiple user sessions browsing the Assurance GUI.

CSCvp75825

Air quality is missing randomly from an AP 360 window health chart.

CSCvp79623

The Device Inventory window refreshes continuously when the complete fully qualified domain name (FQDN) associated with the Cisco DNA Center IP address is not configured during install. The Device Inventory window doesn't show the device list.

To work around this problem, use the IP address or the complete FQDN in the URL.

CSCvp80992

Provisioning fails if you choose "Do not change" and enter an interface name.

CSCvp82437

The Flex Connect SSID with Cisco Catalyst 9800 does not appear on an AP when you choose VLAN name management.

CSCvp85827

Border Gateway Protocol (BGP) advertises Multicast Rendezvous Point (RP) /32 and /128 prefixes from non-RP borders.

CSCvp86063

You can manually add Cisco IE3300 and IE3400 extended nodes that have been removed from the fabric.

CSCvp86074

Migration: Cannot add IPv6 to the fabric.

CSCvp88055

An ISR border device returns an error when the fabric is enabled with a multicast RP on the other fabric border.

CSCvp88475

AP mode and uptime don't get updated, affecting Intelligent Capture functionality.

CSCvp89837

If you upgrade Cisco DNA Center 1.2.10 to 1.3 and make embedded wireless LAN controller image changes, the controller goes into Unmonitored state, and Assurance shows no client data.

CSCvp99454

After upgrading from Cisco DNA Center 1.2.3 or 1.2.6 to 1.2.8, then 1.2.10, then 1.3, the Network Plug and Play menu option is available under the Tools menu. (The Network Plug and Play menu option should not be present.)

If you upgrade from Cisco DNA Center 1.2.10 to 1.3, the Network Plug and Play menu option is not available under the Tools menu, which is correct.

CSCvq43865

Due to a large number of hung pykube connections, the Maglev server is unresponsive to services.

Limitations and Restrictions

Upgrade Limitation

If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:

  • Cisco ISE is already configured in Cisco DNA Center.

  • The version of Cisco ISE is not the required 2.6 patch 1 or 2.4 patch 7 or later.

  • Cisco DNA Center contains an existing fabric site.

  • The number of DNS servers must not exceed three.

Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.

To work around this problem, upgrade Cisco ISE to 2.6 patch 1 or 2.4 patch 7 or later, and retry the Cisco DNA Center upgrade.

Backup and Restore Limitations

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

HA Limitation

In this release, Cisco DNA Center provides HA support only for Automation and Cisco SD-Access. HA for Assurance is not supported.

Cisco ISE Integration Limitations

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC 5280, section 4.2.1.9).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.

License Limitation

The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support wireless LAN controller models that run Cisco AireOS.

Fabric Limitation

Cisco DNA Center supports up to a maximum of 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, and so on.

Physical ports cannot exceed 480,000 ports on a 112-core appliance.

Brownfield Feature-Related Limitations

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, the message "Policy Deployment failed" is displayed.

AP Limitations

  • AP as a sensor is not supported in this release of Cisco DNA Center.

  • Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.

    After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.

  • Provisioning 100 APs takes longer in this release than the 3 minutes it took in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.

Application Hosting Limitation

In this release of Cisco DNA Center, application hosting is not supported on stacked switches.

Inter-Release Controller Mobility (IRCM) Limitation

The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.

IP Device Tracking on Trunk Port Limitation

Rogue-on-wire detection is impacted; Cisco DNA Center does not show all clients connected to a switch via an access point in bridge mode. The trunk port is used to exchange all VLAN information. When you enable IP device tracking on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable IP device tracking on the trunk port. Rogue-on-wire is not detected if IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.

AAA Provisioning Limitation

Cisco DNA Center does not support provisioning AAA on Cisco Nexus 7000 devices.

Cisco Plug and Play Limitations

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center:

| For This Type of Information... | See This Document... |
|---|---|
| Release information, including new features, limitations, and open and resolved bugs. | Cisco DNA Center Release Notes |
| Installation and configuration of Cisco DNA Center, including postinstallation tasks. | Cisco DNA Center Installation Guide |
| Upgrade information for your current release of Cisco DNA Center. | Cisco DNA Center Upgrade Guide |
| Use of the Cisco DNA Center GUI and its applications. | Cisco DNA Center User Guide |
| Configuration of user accounts, security certificates, authentication and password policies, and backup and restore. | Cisco DNA Center Administrator Guide |
| Security features, hardening, and best practices to ensure a secure deployment. | Cisco DNA Center Security Best Practices Guide |
| Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases. | Supported Devices |
| Hardware and software support for Cisco SD-Access. | Cisco SD-Access Hardware and Software Compatibility Matrix |
| Use of the Cisco DNA Assurance GUI. | Cisco DNA Assurance User Guide |
| Use of the Cisco DNA Center platform GUI and its applications. | Cisco DNA Center Platform User Guide |
| Cisco DNA Center platform release information, including new features, deployment, and bugs. | Cisco DNA Center Platform Release Notes |
| Use of the Cisco Wide Area Bonjour Application GUI. | Cisco Wide Area Bonjour Application User Guide |
| Use of the Stealthwatch Security Analytics Service on Cisco DNA Center. | Cisco Stealthwatch Analytics Service User Guide |
| Use of Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center GUI. | Cisco DNA Center Rogue Management Application Quick Start Guide |