Release Notes for Cisco DNA Center, Release 1.3.3.x

This document describes the features, limitations, and bugs for Cisco DNA Center, Release 1.3.3.x. Cisco DNA Center gets smarter, using machine reasoning to automatically check for inconsistencies in switch configuration and in security patches. This release also lets your Samsung smartphones tell you how to improve Wi-Fi connectivity.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History
Date Change Location

2020-08-05

Added CSCvr54376 to the 1.3.3.0 Resolved Bugs table.

Resolved Bugs

2020-07-16

Added the list of packages in Cisco DNA Center 1.3.3.6.

New and Changed Information

Added the Resolved Bugs table for 1.3.3.6.

Resolved Bugs

Added an open bug: CSCvu29282, CSCvu42019, and CSCvu77846.

Open Bugs—Non-High Availability

Open Bugs—High Availability

2020-06-15

Added an open bug: CSCvq86168.

Open Bugs—Non-High Availability

Noted that application hosting is not supported on stacked switches.

Limitations and Restrictions

2020-06-08

Added an open bug: CSCvu48710.

Open Bugs—Non-High Availability

2020-06-03

Added the list of packages in Cisco DNA Center 1.3.3.5.

New and Changed Information

Added the Resolved Bugs table for 1.3.3.5.

Resolved Bugs

Added open bugs: CSCvu28044, CSCvu15218.

Open Bugs—Non-High Availability

Open Bugs—High Availability

2020-04-20

Added the list of packages in Cisco DNA Center 1.3.3.4.

New and Changed Information

Added the Resolved Bugs table for 1.3.3.4.

Resolved Bugs

Added open bugs: CSCvs72105, CSCvt85320, CSCvt87610, CSCvt89349.

Open Bugs—Non-High Availability

Open Bugs—High Availability

2020-03-30

Updated the following package versions:

  • Automation - Base

  • Cisco DNA Center UI

  • Cisco SD-Access

  • Machine Reasoning

  • Network Controller Platform

New and Changed Information

When you update the Cisco DNA Center UI package version to 1.4.1.105, the About dialog box in the GUI shows the Cisco DNA Center version as 1.3.3.3(1).

Added resolved bugs in Cisco DNA Center 1.3.3.3: CSCvt23943, CSCvt65855.

Note 

CSCvt23943 and CSCvt65855 are resolved in 1.3.3.3 only when you update the following packages to the versions listed in New and Changed Information:

  • Automation - Base

  • Cisco DNA Center UI

  • Cisco SD-Access

  • Machine Reasoning

  • Network Controller Platform

Resolved Bugs

2020-03-18

Added a resolved bug in Cisco DNA Center 1.3.3.3: CSCvt00402.

Resolved Bugs

2020-03-13

Added the list of packages in Cisco DNA Center 1.3.3.3.

New and Changed Information

Added the Resolved Bugs table for 1.3.3.3.

Resolved Bugs

Added an open bug: CSCvt10826.

Open Bugs—Non-High Availability

2020-02-12

Added an open bug: CSCvs47608.

Open Bugs—Non-High Availability

2020-02-04

Added the list of packages in Cisco DNA Center 1.3.3.1.

New and Changed Information

Added the Resolved Bugs table for 1.3.3.1.

Resolved Bugs

Added an open bug: CSCvs87002.

Open Bugs—Non-High Availability

2020-01-17

Initial release.

Upgrade to the Latest Cisco DNA Center Release

For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.

New and Changed Information

The following table shows the updated packages and versions.

Table 2. Updated Packages and Versions in Cisco DNA Center Release 1.3.3.x
Package Name Release 1.3.3.6 Release 1.3.3.5 Release 1.3.3.4 Release 1.3.3.3(1) Release 1.3.3.1 Release 1.3.3.0

System Updates

System

1.3.0.142

1.3.0.142

1.3.0.135

1.3.0.122

1.3.0.115

1.3.0.115

Package Updates

Access Control Application

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

AI Network Analytics

2.1.19.0

2.1.18.0

2.1.14.0

2.1.13.0

2.1.7.0

2.1.7.0

Application Hosting

1.1.0.191121

1.1.0.191121

1.1.0.191121

1.1.0.191121

1.1.0.191121

1.1.0.191121

Application Policy

2.1.111.170006

2.1.111.170002

2.1.111.170000

2.1.111.170000

2.1.109.170100

2.1.109.170100

Assurance - Base

1.4.2.373

1.4.2.373

1.4.2.338

1.4.2.300

1.4.2.263

1.4.2.263

Assurance - Sensor

1.4.2.369

1.4.2.369

1.4.2.332

1.4.2.298

1.4.2.262

1.4.2.262

Automation - Base

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62059

(Updated on 2020-03-30. The originally released package version was 2.1.112.62025.)

2.1.109.62434

2.1.109.62434

Automation - Intelligent Capture

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

Automation - Sensor

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

Cisco DNA Center Global Search

1.0.0.72

1.0.0.68

1.0.0.68

1.0.0.47

1.0.0.47

1.0.0.47

Cisco DNA Center Platform

1.2.1.580

1.2.1.523

1.2.1.489

1.2.1.392

1.2.1.352

1.2.1.352

Cisco DNA Center UI

1.4.1.116

1.4.1.115

1.4.1.111

1.4.1.105

(Updated on 2020-03-30. The originally released package version was 1.4.1.100.)

1.4.1.50

1.4.1.44

Cisco SD-Access

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62059

(Updated on 2020-03-30. The originally released package version was 2.1.112.62025.)

2.1.111.62011

2.1.109.62434

Command Runner

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

Device Onboarding

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

Image Management

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

Machine Reasoning

2.1.114.210004

2.1.114.210002

2.1.113.210008

2.1.112.210003

(Updated on 2020-03-30. The originally released package version was 2.1.111.212006.)

2.1.111.210003

2.1.78.210010

NCP - Base

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

NCP - Services

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

Network Controller Platform

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62059

(Updated on 2020-03-30. The originally released package version was 2.1.112.62025.)

2.1.111.62011

2.1.109.62434

Network Data Platform - Base Analytics

1.4.1.164

1.4.1.162

1.4.1.156

1.4.1.152

1.4.1.150

1.4.1.150

Network Data Platform - Core

1.4.1.416

1.4.1.416

1.4.1.412

1.4.1.399

1.4.1.397

1.4.1.397

Network Data Platform - Manager

1.4.1.145

1.4.1.145

1.4.1.141

1.4.1.137

1.4.1.135

1.4.1.135

Path Trace

2.1.116.62020

2.1.114.62044

2.1.113.62059

2.1.112.62025

2.1.109.62434

2.1.109.62434

Rogue Management

1.4.1.41

1.4.1.41

1.4.1.41

1.4.1.41

1.4.1.39

1.4.1.39

Stealthwatch Security Analytics

2.1.113.1090011

2.1.113.1090011

2.1.113.1090008

2.1.112.1090001

2.1.109.1090208

2.1.109.1090208

Wide Area Bonjour

2.4.1.10016

2.4.1.10016

2.4.1.10004

2.4.1.10004

2.4.1.10004

2.4.1.10004

New and Changed Features

The following tables summarize the new and changed features in Release 1.3.3.0. For more information about these features, see the Cisco DNA Center End-User Guides and Cisco DNA Center Maintain and Operate Guides.

Table 3. New and Changed Features in Cisco DNA Center
Feature Description

About window lists appliance serial numbers

The About window lists the appliance serial numbers in addition to the system and application package versions.

Reserve IP pools

During single-stack (IPv4 only) and dual-stack (IPv4 and IPv6) pool reservation, the Global Pool drop-down list is enhanced to show all available global pools instead of the first 500 global pools.

Account lockout

System Settings > Settings > Account Lockout lets you configure the account lockout policy to manage user login attempts, the account lockout period, and login retries.

Password expiry

System Settings > Settings > Password Expiry lets you configure a password expiration policy to manage the password expiration frequency, the number of days that users are notified before their password expires, and the grace period.

Global search enhancement

Global search functionality is enhanced to find items in the following categories anywhere in Cisco DNA Center:

  • Authentication template

  • Devices

  • Fabric

  • Network profiles

  • Network settings

    • Device credentials

    • IP address pools

    • Service provider profiles

  • Policy

  • Traffic copy

  • Transits

Service Explorer enhancement

On the System 360 tab, in the Cluster Tools area, click Service Explorer.

The node clusters and the associated services are displayed in a tree-like structure in a new browser window.

Table 4. New and Changed Features in Cisco DNA Automation
Feature Description

SSID provisioning for Meraki devices

Cisco DNA Center provides SSID provisioning support for Cisco Meraki devices managed by a Meraki dashboard.

New device support for Application Policy

The Cisco DNA Center Application Policy extends support for Duplo (IW6300 Series) devices.

Switchport screen enhancements for Cisco ISR 4000

Provisioning for routing is enhanced with the switchport integration configuration and support is available for Cisco 4000 Series ISRs.

Advanced configuration mode for NFVIS

The NFVIS network profile configuration is enhanced to view flexible topologies, remove default network connections, and add connections between any VNF to the default network connection.

Provisioning/topology integration enhancements

The Provision window is enhanced with the option to launch the topology map view of the discovered devices from inventory.

Inventory

The Stack tab now appears only for switch stack devices and the primary stack.

Cisco StackWise Virtual link (SVL) support

Added support for Cisco StackWise Virtual, which is supported on Cisco Catalyst 9500 Series Switches.

Support for new APs

This release introduces support for the following APs:

  • Cisco Catalyst IW6300 Heavy Duty Series Access Points: The Cisco Catalyst IW6300 Heavy Duty Series Access Points increase plant productivity and worker safety measures. These are mesh APs that have a Class I Division 2 enclosure and simplified management, which can lead to increased cost savings. These APs are designed to bring resilient Wi-Fi mesh that is scalable and secure to hazardous environments.

  • Cisco Industrial Wireless 3700 Series Access Points: The Cisco Industrial Wireless 3700 Series Access Points offer industrial-grade environmental qualifications while providing higher speeds for video and other bandwidth-intensive applications. These APs extend support to a new generation of Wi-Fi clients, such as smart phones, tablets, and high-performance laptops that have integrated 802.11ac support.

    The Cisco Industrial Wireless 3700 Series Access Points offer a scalable and secure mesh architecture for high-performance Wi-Fi services, and can also serve as an advanced static or mobile Workgroup Bridge (WGB).

  • Cisco 6300 Series Embedded Services Access Points: Cisco 6300 Series Embedded Services Access Points are supported with dual band 802.11a/g/n/ac, wave 2 access point, external antenna, voltage specification of 44 VDC to 57 VDC, power over Ethernet, and universal power over Ethernet.

Hypervisor support for Cisco Catalyst 9800-CL Cloud Wireless Controller

A virtual form factor of Cisco Catalyst 9800-CL Cloud Wireless Controller for private cloud now supports Hyper-V along with the existing hypervisors such as ESXi, KVM, and Cisco ENCS.

Support for Cisco Embedded Wireless Controller on Catalyst Access Points

This release supports the Day 0 workflow for Cisco Embedded Wireless Controller on Catalyst Access Points.

The Cisco Embedded Wireless Controller on Catalyst Access Points is available in multiple form factors:

  • Cisco Embedded Wireless Controller on Catalyst 9115AX APs

  • Cisco Embedded Wireless Controller on Catalyst 9117AX APs

  • Cisco Embedded Wireless Controller on Catalyst 9120AX Access Points

  • Cisco Embedded Wireless Controller on Catalyst 9130AX APs

Table 5. New and Changed Features in Cisco DNA Security Integration
Feature Description

Supported features for Cisco ASA 5500-X Series Firewalls

Cisco DNA Center provides the following features support for Cisco ASA 5500-X Series Firewalls:

  • Inventory

  • Topology

  • Software Image Management

  • Templates for onboarding and customization of firewalls

Base automation supports Cisco ASA 5500-X Series Firewall in single context mode only.

Rogue Management application

The Rogue Management application is an optional package that you can install on Cisco DNA Center. Operating within Cisco DNA Center, the Rogue Management application helps you monitor threats from unauthorized access points. You can access the Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center user interface.

The Rogue Management application supports Cisco Catalyst 9800 Series Wireless Controllers in this release, along with the existing support for Cisco AireOS Controllers.

After installing the Rogue Management package, you must enable the Rogue Management application by choosing Enable from the Rogue drop-down list on the Rogue Management window in Cisco DNA Center. This enables rogue detection on the Cisco Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller.

Table 6. New and Changed Features in Cisco DNA Assurance
Feature Description

Health score settings for network devices

Added a new Assurance > Manage > Health Score Settings window.

Use this window to configure the health score settings for network devices. You can customize the health score calculation for network devices by changing the KPI thresholds and specifying the KPIs that are included for the calculation.

Trigger conditions for issues involving wireless clients with excessive onboarding times

Added trigger conditions for issues involving wireless clients with excessive onboarding times. You can specify the allowable time for the following phases during onboarding:

  • AAA authentication

  • Obtaining an IP address

To configure the trigger conditions, go to the Assurance > Manage > Issue Settings window.

Wireless sensors dashboard changes

Updated the wireless sensors dashboard for the following changes:

  • Changed the timeline to display colored-coded blocks that represent the percentage of overall sensor test failures for a specific time window.

  • Added the Overall Summary dashlet, which provides an overall view of all the sensors in your network and their status.

    This dashlet also provides the total number of tests performed by all sensors and a breakdown of the test results for test categories. Each test category provides additional details about its test results.

  • Changed the Test Results dashlet to provide the Heatmap View and the Card View.

    The Heatmap View displays the top five rankings for statistical categories. This view also displays a heatmap representation of the sensor test result failures.

    The Card View displays the test result data in a card format for high-level monitoring and comparison.

To access the wireless sensors dashboard, go to the Assurance > Dashboards > Wireless Sensors window.

Sensor 360 window

Added a new window that provides a 360° view of a specific wireless sensor. With this window, you can view a sensor's test results, performance trends, and neighboring APs.

You can also view and download a sensor's event logs.

Sensor test templates

Added a new method to create and run sensor-driven tests.

With templates, you can reuse sensor-driven tests for quick deployment to multiple locations in the network.

To access the test templates, go to the Assurance > Manage > Sensors > Test Templates window.

Sensor legacy tests

Renamed the Test Suites method to Legacy Tests.

To access the legacy tests, go to the Assurance > Manage > Sensors > Legacy Tests window.

Persistent wireless backhaul connections on sensor devices

Added support for persistent wireless backhaul connections on sensor devices, which means that the wireless connection is "always on" regardless of wireless testing activities.

Intelligent Capture enhancements

The menu option Manage > Intelligent Capture Settings > Client changed to Manage > Intelligent Capture Settings > Client Schedule Capture.

You can view the history of Client Data Packet Capture sessions.

If no APs are enabled, you can use the Configure AP Enablement area to start enabling the APs. You can disable AP statistics capture on all APs.

The Spectrum Analysis charts are enhanced to provide more granular data.

Cisco StackWise Virtual link (SVL) support

Added support for Cisco StackWise Virtual, which is supported on the Cisco Catalyst 9500 Series Switches.

Wired client syslogs and events displayed in Event Viewer

Cisco ISE server events, switch system-level syslogs, switch port or interface-specific events, and client-specific events are now displayed in the Event Viewer.

Issue enhancements

You can resolve or ignore a bulk of issues at a time.

The system automatically resolves issues if the issue condition no longer exists. This feature is supported for the following issues: Interface is down, wireless controller/switch/router is unreachable, and AP is down.

Executive Summary reports

You can now schedule Executive Summary Reports to capture detailed data about network devices and clients, which you can use to analyze network performance.

Samsung device support

Added support for Samsung devices. For Samsung devices, the Detail Information > Device Info tab displays additional information, such as build number, origin, country code, device type (mobile, tablet, and so on), and host operating system.

AI Network Analytics configuration workflow

Simplified the workflow for configuring AI Network Analytics.

Table 7. New and Changed Features in Cisco Software-Defined Access
Feature Description

Extended node enhancements:

  • Policy Extended Nodes: authentication support on extended nodes

  • Multicast on extended nodes

  • Cisco Industrial Ethernet 3400 and 3400H series switches running Cisco IOS XE 17.1.1s or later are policy extended nodes.

    802.1x and MAB authentication is enabled on a policy extended node to communicate with Cisco ISE in order to download the VLAN and scalable group tag (SGT) attributes for the endpoints.

    The link between the edge node and policy extended node is configured with inline tagging to propagate the SGT.

    A policy extended node performs SGACL enforcement.

  • Extended node devices can now handle multicast traffic. Multicast receivers are configured on the extended node devices.

Authentication template enhancements

  • Hitless authentication: You can now switch directly between authentication modes (Open, Low Impact, Closed) without removing the device from the fabric

  • Site-specific authentication: You can configure authentication settings specifically for a site and can also change the authentication settings at a global level. This can be helpful in a multisite environment where a site has specific requirements for authentication settings.

Multicast enhancements: support for custom source-specific multicast (SSM)

This release introduces a workflow-based configuration for multicast traffic. You can specify multiple custom SSM IP ranges for every virtual network. You can also configure a rendezvous point (RP) outside the fabric.

Layer 2 intersite

This feature allows connectivity of endpoints from one fabric site to another, in the Layer 2 domain. Layer 2 intersite communication is achieved by extending the same subnet across multiple fabric sites. This extends Layer 2 across the fabric sites connected over a Layer 2 segment.

StackWise Virtual link (SVL) support at border, edge, and fabric-in-a-box

Cisco Catalyst 9500 Series Switches, when configured as StackWise Virtual, can be added to the fabric as an edge, border, border with colocated control plane, or fabric-in-a-box device.

  • Only wired clients are supported on the edge nodes that are connected in SVL.

  • SVL configuration on the device should be done manually before adding the device to the Inventory.

Table 8. New Hardware in Cisco Software-Defined Access
Device Role Product Family Part Number Description

Fabric edge, border, control plane node, and fabric-in-a-box with embedded wireless

Cisco Catalyst 9300 Series Switches

C9300L-24UX-4X

C9300L-24UX-2Q

C9300L-48UX-4X

C9300L-48UX-2Q

C9300L-48PF-4G

C9300L-48PF-4X

Cisco Catalyst 9300 Series Switches are available with 24 and 48 ports and support multi-Gigabit port and universal power supply over Ethernet.

Access points

Cisco Catalyst IW6300 Heavy Duty Series Access Points

IW-6300H-DC-x-K9

Cisco Catalyst IW6300 Heavy Duty Series access points are supported with dual-band 802.11a/g/n/ac, wave 2 access point, external antenna, voltage specification of 44 VDC to 57 VDC, power over Ethernet, and universal power over Ethernet.

IW-6300H-DCW-x-K9

Cisco Catalyst IW6300 Heavy Duty Series access points are supported with dual-band 802.11a/g/n/ac, wave 2 access point, external antenna, voltage specification of 10.8 VDC to 36 VDC, power over Ethernet, and universal power over Ethernet.

IW-6300H-AC-x-K9

Cisco Catalyst IW6300 Heavy Duty Series access points are supported with dual-band 802.11a/g/n/ac, wave 2 access point, external antenna, voltage specification of 110 VAC to 220 VAC, power over Ethernet, and universal power over Ethernet.

Access points

Cisco 6300 Series Embedded Services Access Points

ESW-6300-CON-x-K9

Cisco 6300 Series Embedded Services access points are supported with dual-band 802.11a/g/n/ac, wave 2 access point, external antenna, voltage specification of 44 VDC to 57 VDC, power over Ethernet, and universal power over Ethernet.

Access points

Cisco Industrial Wireless 3702 Access Points

IW3702-2E-x-K9, IW3702-4E-x-K9

Cisco Industrial Wireless 3702 access points support 802.11ac wave 1 technology with 4x4 MIMO, three spatial streams, IP67 rated, ruggedized, and certified for onboard rail and outdoor use cases.

Policy extended node

Cisco Catalyst IE3400 Heavy Duty Series (IE3400H)

IE-3400H-8FT-E

IE-3400H-16FT-E

IE-3400H-24FT-E

Cisco IE3400H Series switches are available with 8, 16, or 24 Fast Ethernet (D-coded) M12 interfaces.

Policy extended node

Cisco Catalyst IE3400 Heavy Duty Series (IE3400H)

IE-3400H-8T-E

IE-3400H-16T-E

IE-3400H-24T-E

Cisco IE3400H Series switches are available with 8, 16, or 24 Gigabit Ethernet (X-coded) M12 interfaces.

Table 9. New and Changed Features in Cisco DNA Center Platform
Feature Description

Enhanced data synchronization between Cisco DNA Center and a Configuration Management Database (CMDB)

You can now map inventory and SWIM fields from Cisco DNA Center to the ServiceNow CMDB for synchronization. These fields can be mapped as attributes, reference fields, configuration items (CIs), or CI classes.

New software image management (SWIM) closed loop automation between Cisco DNA Center and an ITSM

This release supports closed loop automation for SWIM between Cisco DNA Center and ServiceNow. For supported ServiceNow releases, a ServiceNow admin can review, approve, and close Cisco DNA Center SWIM change requests (CRs) in ServiceNow.

New Assurance-to-ITSM enhancements

You can now view ServiceNow ticket data associated with an Assurance issue in the Cisco DNA Center GUI.

Cisco DNA Center-Supported Devices

For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.

Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later

  • Mozilla Firefox: Version 65.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco DNA Center Installation Guide.

Supported Firmware

Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 3.1(2c) for appliance model DN2-HW-APL

  • Cisco IMC Version 3.1(3a) for appliance model DN2-HW-APL-L

  • Cisco IMC Version 4.0(1a) for appliance model DN2-HW-APL-XL

The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. Do not update later than Cisco IMC 4.0(4b).

Installing Cisco DNA Center

You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.


Note

The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.

  • Application Hosting

  • Application Policy

  • Assurance - Sensor

  • Automation - Sensor

  • Cisco DNA Center platform

  • Cisco SD-Access

  • Cisco Wide Area Bonjour Application

  • Intelligent Capture


For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) 10.6.2. Earlier versions of CMX are not supported.


Note

While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.


Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series


Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternate Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.


Bugs

Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.

Procedure


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered cisco.com username and password and click Log In.

The Bug Search window opens.

Note 
If you do not have a cisco.com username and password, register at https://idreg.cloudapps.cisco.com/idreg/guestRegistration.do.
Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs—Non-High Availability

The following table lists the open non-HA bugs in Cisco DNA Center for this release.

Table 10. Open Bugs—Non-HA

Bug Identifier

Headline

CSCvo44394

When you try to add Cisco ISE 2.4 to Cisco DNA Center 1.3, the following certificate error is generated:

“Error establishing trust with ISE: Expected phrase [Enter URI for uploading ISE certificate chain:] 
wasn’t received from ise”

The workaround is to configure the network MTU size to 9100 between Cisco ISE and Cisco DNA Center.

CSCvo60306

Device activation fails when the image is not the minimum supported image version.

CSCvp15026

Devices remain in Partial Collection Failure state after an incomplete provision and resynch.

This problem occurs only when there is an incomplete manual clearing of CLI commands on a device. When a device goes through the full removal flow, subsequent synchronizations work correctly.

Related bug: CSCvj15139.

CSCvp25402

After you delete a wireless controller with 4000 APs from Cisco DNA Center, it takes 25 minutes or longer for the wireless controller to be removed from the inventory.

CSCvp48020

The IR829 does not display the correct Gigabit interface in the WAN interface drop-down list.

CSCvp48160

Software image management: Cisco Catalyst 6000 image activation fails while upgrading the image version 152-2.SY to 152-2.SY*.

CSCvp49120

A Cisco Catalyst 6000 ISSU upgrade from SY2 to SY3 fails when the device has snmp-server enable traps vstack in the running configuration.

CSCvp95386

After upgrading the embedded wireless software on Cisco Catalyst 9000 devices from 16.10.1.e to 16.11.1s, the AP country code configuration is lost.

CSCvp96088

An image change on the wireless controller causes the AP Intelligent Capture 360 page to lose all data.

CSCvq13219

Copying the golden tag for base image is not copying the wireless package.

CSCvq34252

During Return Material Authorization (RMA), the AVC config is not replaced completely; match commands are missing for class-map.

CSCvq53490

After migrating policy data to Cisco ISE, some policies are not migrated from Cisco DNA Center to Cisco ISE.

CSCvq53511

No loop is detected if MSTP is enabled on the device.

CSCvq55154

Cisco Catalyst 9800 Series Wireless Controller: NETCONF discovery fails after performing a write erase on the device.

CSCvq55394

If STP is not enabled on devices, loops are not detected, and MRE does not conclude.

CSCvq61710

Cisco DNA Center: For Cisco Nexus 7000 Release 8.2(4) devices, the kick start image should also show under latest/suggested.

CSCvq63486

Rogues coming from a Cisco Catalyst 9800 Series Wireless Controller show empty data for SNR values in the Cisco DNA Center Rogue page.

CSCvq66963

ENCS/NFVIS devices with NFVIS version 3.12.1 are not managed and show partial collection failure in Cisco DNA Center.

CSCvq70912

Cannot onboard 8.8.261 wireless sensors after upgrading to Cisco DNA Center.

CSCvq86168

Application installation fails with an error message that the device does not support third-party applications, even though the device (such as a Cisco Catalyst 9300) has a Cisco USB connected in the back panel.

CSCvq95775

The catalog server tries to pull the packages even there is failure due to capability level after Cisco DNA Center is power-on

CSCvr13910

If you use a default policy with the "Deny IP" SGACL and the policy is pushed to the switch, all control packets are denied and the switch loses connectivity to the network.

CSCvr59764

Day-N templates are not pushed to the second device in multisite router provisioning.

CSCvr72364

Device count for routers tab shows the wrong values in the Marked for Replacement screen.

CSCvr87910

Cannot enable wireless on ECA due to the error "NCWL 10033 wrong address (Country) set."

CSCvr98946

Inventory: Device config clean fails.

CSCvs08584

VRF and Layer 3 routing are not supported on the Cisco Catalyst 9800 Series Wireless Controller.

The Catalyst 9800 Series Wireless Controller goes into unmonitored state when the management VRF is configured, and that interface is discovered by or added to the Cisco DNA Center inventory.

To work around this issue, use a non-VRF interface to add the Catalyst 9800 Series Wireless Controller.

CSCvs47608

An AP claim through PnP hangs in onboarding state.

Related bug: CSCvt01785.

CSCvs57800

The initial installation of Cisco DNA Center fails if localhost resolves to any IP address other than 127.0.0.1.

CSCvs72105

Cisco DNA Assurance: Wireless controller fails to download a certificate from Cisco DNA Center due to an invalid URL error.

CSCvs87002

After you add a new Cisco Catalyst 9800 Series Wireless Controller, if the first-time NETCONF discovery fails, the wireless controller finds the AP and clients join correctly, but Assurance contains no data.

CSCvs87674

In the Discovery window, the eye icon is reversed for hidden and unhidden passwords. (That is, when the password is hidden, the unhidden eye icon is shown, and vice versa.)

CSCvs87703

In the Inventory window, the count of devices per site or per floor is missing.

CSCvt10826

Unable to delete a device because an inventory sync proceeds while an ongoing configuration cleanup is taking place.

CSCvt33310

By default, Cisco DNA Center configures a Cisco Catalyst 9800 Series Wireless Controller with the management VRF and IP address of the management interface for connections back to Cisco DNA Center for Assurance information gathering. However, if both the management VRF and the IP address are configured, the connection may fail.

From Cisco DNA Center, if the VRF is configured and the device is added to Cisco DNA Center, the Assurance TLS connection is not established and the device goes into unmonitored state.

CSCvt85320

Under Design > Network Hierarchy, a device that is assigned to a floor through PnP does not appear on the floor map.

To work around this problem, unclaim the device in inventory, reclaim the device, and then assign it to the desired site or floor.

CSCvt89349

Cannot edit an existing enterprise SSID or add a new enterprise SSID.

CSCvu21987

AP plug and play (PnP) provisioning using CSV file fails with APs stuck in onboarding or unclaimed. Some APs not provisioned correctly.

CSCvu42019

Client based custom groups creating more callback execution and thus lag in 100 K wired clients.

CSCvu48710

Under Tools > License Manager > All Licenses > Action > Enable License Reservation, Cisco DNA Center reserves the correct number of licenses for a StackWise virtual switch. However, when reviewing the stack, only the stack member that is in active mode has activated the license. Any stack member that is in standby mode shows the reservation status as "RESERVATION IN PROGRESS."

To work around this problem, activate the licenses manually.

CSCvu77846

After upgrade to Cisco DNA Center 2.1.1, unable to provision new edge switch if it is running switch software version lower than 16.12.2.

Open Bugs—High Availability

The following table lists the open high availability (HA) bugs in Cisco DNA Center for this release.

Table 11. Open Bugs—HA

Bug Identifier

Headline

CSCvn32215

In a three-node cluster, if you bring down the node while LAN automation is in progress, the LAN automation status shows as complete, yet without success.

This problem occurs if you perform a network-orchestration service restart or a full node restart while LAN automation is in progress.

The network orchestration service doesn't resume the ongoing LAN automation session. It marks LAN automation as complete and releases all IP addresses allocated from IPAM. Users are expected to perform a configuration cleanup on the seed device, write-erase/reload discovered devices, and start a new LAN automation session.

CSCvr98946

Inventory: Device configuration clean operation fails on an HA cluster.

CSCvt87610

The Cisco Catalyst 9800 Series Wireless Controller telemetry connection remains in the Connecting state, and no Assurance data corresponding to the Catalyst 9800 Series Wireless Controller is displayed in Cisco DNA Center. Alternatively, Assurance data for an Catalyst 9800 Series Wireless Controller goes missing, then recovers by itself, depending on whether the node running the collector-iosxe-db service and the primary node (the one that holds the virtual IP) are the same.

This problem occurs in a three-node upgraded cluster only if the collector-iosxe-db service is not running in the node that holds the virtual IP.

CSCvu15218

Upgrade from Cisco DNA Center 1.3.1.6 to 1.3.3.5 is failing at 41% due to rabbitmq-3 instances in crashloop.

CSCvu29282

In a three-node cluster, a new member ID is created after the system upgrade is completed from Cisco DNA Center 1.3.3.4 to 2.1.1.

Resolved Bugs

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.3.6.

Table 12. Resolved Bugs in Cisco DNA Center, Release 1.3.3.6

Bug Identifier

Headline

CSCvr49629

Cannot start LAN automation. The following error occurs:

Error while reserving the SVI space.

CSCvt59517

Application 360 is missing information for clients connected to a Cisco Catalyst 9000.

CSCvu03050

Reprovisioning a wireless controller fails after site floor deletion.

CSCvu03730

Cisco Catalyst 9800 Series Wireless Controller goes unmonitored in Cisco DNA Center if sdn-network-infra-iwan certificate is not installed.

CSCvu15592

Cisco DNA Center removes a QoS policy after applying it.

CSCvu18273

The devices on a site don't appear on the Assurance Network Health page, even though devices are present.

CSCvu28044

In a scaled fabric setup, when a failed operation is retried, the spf-service-manager-service restarts with out of memory errors.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.3.5.

Table 13. Resolved Bugs in Cisco DNA Center, Release 1.3.3.5

Bug Identifier

Headline

CSCvp87542

A Cisco Catalyst 9800 Series Wireless Controller provisioning failure occurs when a special character is used in a Cisco ISE shared key.

CSCvq09974

In a three-node setup, Influxdb crashes with OOM errors.

CSCvs02409

After a fresh installation of Cisco DNA Center, the root (/) partition of the appliance is 85% or more full. An out-of-disk-space situation causes Kubernetes to be unable to schedule or destroy any pods.

CSCvs52947

GlusterFS does not heal automatically because of stale references.

CSCvs55949

Network validation fails for Cisco DNA Center's 10 Gigabit Ethernet interface.

CSCvs59089

Provisioning switches fails due to an error in retrieval of the Cisco ISE PAN IP addresses.

CSCvs71990

Cisco DNA Center three-node cluster: If you select multiple fabric edges to provision, the provisioning is performed one device at a time.

CSCvs93317

An upgrade to Cisco DNA Center 1.3.3 fails because the NFS server configured for Assurance backup is unresponsive.

CSCvs93670

LAN automation doesn't generate an alert if the LAN subnet is exhausted during L3 configuration.

CSCvs97183

Cisco SD-Access: Need to configure the flood arp-nd command on L2 flooding IP pools to disable the AR relay.

CSCvs99118

Audit logs: The service request processing fails with the following error:

Previous request with the same intent is either being processed or was already processed.

CSCvt00103

Cisco DNA Center does not show heatmaps for APs in 2.4 GHz. Heatmaps for the same APs are seen in 5 GHz.

CSCvt04397

When an attempt is made to upgrade Cisco DNA Center while its postgres database is not functioning properly, the SchemaUpdater process times out, but the process is not killed. This causes the upgrade to fail.

CSCvt08105

A change in a building name on Design > Network Hierarchy > List View > Edit Building is not immediately reflected on the Assurance Device 360 page.

CSCvt18788

After upgrade, reprovisioning a wireless controller creates a new wireless profile.

CSCvt25042

The Cisco DNA Center GUI goes into maintenance mode intermittently.

CSCvt29668

Cisco DNA Center may fail to collect inventory from a Cisco Catalyst 9800 Series Wireless Controller, citing the dmm_modelclass table not having entries for the tables EwlcTsFlexProfile and EwlcTsFlexProfilePolicyAcl.

CSCvt32995

Disable IPv6 to avoid services binding to an IPv6 address space.

CSCvt44539

Policy: Deploying wired QoS results in FMANRP_QOS-3-HWIDBCHECK: on Fabric border Catalyst 9800 Series Wireless Controller.

CSCvt44900

PnP conflict with LAN automation due to PnP startup-vlan CLI.

CSCvt45288

Not all host groups are retrieved from Stealthwatch when multiple domains are used.

CSCvt45686

AQ reporting for radio 1 has no data, whereas radio 0 shows data.

CSCvt46026

Stealthwatch association shows "Error undefined."

CSCvt63046

Taskmgr-data crashes with an out-of-memory error.

CSCvt68900

The Client 360 page keeps spinning when the username contains special characters.

CSCvt76587

The Inventory page and Provisioning page display no devices.

CSCvt81829

Software Image Management (SWIM) activation script prechecks fail during database communication.

CSCvt87433

Cisco DNA Center fails to collect inventory from an ISR 4000 series router, due to a constraint violation error with the configuredActiveModules object.

CSCvu03730

A Cisco Catalyst 9800 Series Wireless Controller is unmonitored in Cisco DNA Center because the "sdn-network-infra-iwan" certificate is not installed.

CSCvu28044

In a scaled fabric setup, when you retry a failed operation, the spf-service-manager-service restarts with out-of-memory errors.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.3.4.

Table 14. Resolved Bugs in Cisco DNA Center, Release 1.3.3.4

Bug Identifier

Headline

CSCvq40879

Unable to restore a backup from Cisco DNA Center 1.3.0.2.

CSCvr12994

Cisco DNA Center: Stored cross-site scripting vulnerability.

CSCvr93473

High CPU load and more than 3000 Docker containers in init state.

CSCvr95235

Telemetry agent ends up constantly in CrashLoopBackOff error state on both active and standby clusters.

CSCvs18203

Cisco DNA Center search service doesn't work if the MongoDB connection is unstable.

CSCvs19560

Mismatch between client data shown in maps and Assurance, and actual client data.

CSCvs33846

Validate before a node joins the cluster.

CSCvs42952

After enabling maximal visibility, the flow monitor configuration is sent to the wrong L3 port.

CSCvs48901

Changing the Cisco ISE VIP leads to a loss of security group tag (SGT) configuration on ports.

CSCvs78950

The Cisco Catalyst 9800 Series Wireless Controller telemetry connection remains in the Connecting state, and no Assurance data corresponding to the Catalyst 9800 Series Wireless Controller is displayed in Cisco DNA Center.

CSCvs85704

Cisco DNA Center fails to decrypt passwords after restoring from a backup.

CSCvs86018

An AP provisioning failure occurs due to missing "OwningEntityId" details for the wireless controller.

CSCvs88980

Wireless controller fails inventory collection with the exception "ManagedNetworkElement was altered."

CSCvt05278

Cisco DNA Center upgrade from 1.3.1.4 to 1.3.3.1 fails when the network contains Cisco Nexus 7000 devices.

CSCvt06511

Cisco DNA Center fails to collect inventory data from the Meraki dashboard due to an unknown error.

CSCvt07586

Cisco DNA Center 1.3.0.2 to 1.3.0.6 upgrade triggers a device provision switchport change notification.

CSCvt13963

Fabric provisioning fails after adding vManage to Cisco DNA Center 1.3.3.1.

CSCvt19768

During failover, isolate recovery fails because the maintenance service is not available.

CSCvt20541

The configuration object "DNAC_ACL_WEBAUTH_REDIRECT" gets removed and readded to a managed wireless controller when adding or removing a dot1x/PSK SSID.

CSCvt34006

Duplicate migration status causing causes provisioning operations to fail on duplicate key CVLAN_EXAUTH.

CSCvt34300

After migration, adding ext-node shows a banner due to an error.

CSCvt39849

The Client Summary report does not show the entire site hierarchy.

CSCvt54592

Multiple devices fail inventory collection after Cisco DNA Center is upgraded to 1.3.3.1 RADIUS key size.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.3.3.

Table 15. Resolved Bugs in Cisco DNA Center, Release 1.3.3.3

Bug Identifier

Headline

CSCvp34431

Cisco DNA Center 1.3 uses a longer JWT token, which may cause the integration with a wireless LAN controller to fail, causing incoming Assurance data to stop.

CSCvq31127

Backup fails with a "Taskname=BACKUP.fusion:postgres" error.

CSCvs22065

A three-node setup may become unresponsive after over 100 days of service.

CSCvs50957

Device provisioning fails with "Error in authentication profile processing."

CSCvs53995

A seed device fails inventory collection due to a switchport constraint violation exception.

CSCvs68068

Keepalived: VRRP-script node health check false alarm causes VIP jitters.

CSCvs69931

Cisco DNA Center may fail to synchronize inventory from Cisco Catalyst 9300 edge switches after upgrading to Cisco DNA Center 1.3.1.4. This problem is seen only when there are non-Cisco devices connected to the switch, and CDP is enabled.

CSCvs84253

Site comparison: Building drop-down list does not work due to a mismatch in sqlQuery.

CSCvt05278

Cisco DNA Center upgrade from 1.3.1.4 to 1.3.3.1 fails if a Nexus 7000 device is in managed state.

CSCvt00402

A Cisco Catalyst 3000 switch with a 1.6-GB flash size cannot perform a software image upgrade between 16.12.x images.

CSCvt23943

An SPF deduplication error occurs during the SDA migration workflow.

This bug is resolved in 1.3.3.3 only when you update the following packages to the versions listed in New and Changed Information:

  • Automation - Base

  • Cisco DNA Center UI

  • Cisco SD-Access

  • Machine Reasoning

  • Network Controller Platform

CSCvt65855

While restoring a backup of a Cisco DNA Center installation that had been upgraded to 1.3.3.3 to a new installation from an ISO image of 1.3.3.3, the restore operation fails due to the Machine Reasoning Engine package version. The following error message is generated:

{'version': '1.0', 'error':
{'message': 'Exception while performing preRestore: Following model plugins deployed in backup are
from a higher version than current deployment: [semantic-reasoner-event-model-plugin:7.6.111.62002,
cnsr-model-plugin:7.6.111.62002, common-view-model-plugin:7.6.111.62002]'
, 'datasource': 'postgres', 'status': 'error', 'appstack': 'fusion', 'lastUpdateTime': 0}

This bug is resolved in 1.3.3.3 only when you update the following packages to the versions listed in New and Changed Information:

  • Automation - Base

  • Cisco DNA Center UI

  • Cisco SD-Access

  • Machine Reasoning

  • Network Controller Platform

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.3.1.

Table 16. Resolved Bugs in Cisco DNA Center, Release 1.3.3.1

Bug Identifier

Headline

CSCvs66857

After upgrading from Cisco DNA Center 1.3.1.4 to 1.3.3.0, if you try to create a new SGT with multiple virtual networks (VNs) on the Policy page, the following error message is generated:

errorKey:NCSP10000
errorCode:InternalError
failureReason:Unable to find cfs VirtualNetworkContext

CSCvs74635

Wireless connectivity problems might occur after upgrading to Cisco DNA Center 1.3.0.6. If the IP pool association from the AAA override for the client is not defined as part of Cisco DNA Center, host onboarding could result in connectivity problems. This is because with Cisco DNA Center 1.3.0.6, all IP pools that are not associated with a fabric SSID are deleted from the wireless controller during reprovisioning.

The following table lists the resolved bugs in Cisco DNA Center, Release 1.3.3.0.

Table 17. Resolved Bugs in Cisco DNA Center, Release 1.3.3.0

Bug Identifier

Headline

CSCvq40037

LAN automation PnP: An image upgrade fails for a Cisco Catalyst 9500 device.

CSCvq65765

After upgrading to Cisco DNA Center and enabling the Autoconf feature, macro configurations are not removed from extended nodes.

CSCvq65784

When IPv4 multicasting is enabled on an edge device, Cisco DNA Center does not push the ip igmp explicit-tracking command to the Layer 2 handoff VLAN on the corresponding border device.

CSCvq85254

The AP Intelligent Capture page has no data after a device image is changed and reloaded.

CSCvq92221

Devices do not appear in the "Monitored" section in Assurance because one device remains in Partial Collection Failure state.

CSCvq94904

The Overall Health map shows incorrect information.

CSCvr02321

The SMU API count result shows 2, but the GUI displays 1 for a Cisco ISR 4331 router.

CSCvr04915

Provisioning is blocked on a new controller in a fabric-provisioned site.

CSCvr10816

For some devices, provisioning fails at the Activate VNFs stage with the following error:

The device to be provisioned does not exist

CSCvr13984

Cisco DNA Center does not manage an IE 5000 after a reload with 1-G SFPs inserted in 10-G uplink ports.

CSCvs52742

Cannot access files with 110,000 directories created by cfg-archiver; backup times out.

CSCvr54376

A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system.

The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-info-disc-3bz8BCgR

Limitations and Restrictions

Upgrade Limitation

If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:

  • Cisco ISE is already configured in Cisco DNA Center.

  • The version of Cisco ISE is not the required 2.6 patch 1 or 2.4 patch 7 or later.

  • Cisco DNA Center contains an existing fabric site.

  • The number of DNS servers must not exceed three.

Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.

To work around this problem, upgrade Cisco ISE to 2.6 patch 1 or 2.4 patch 7 or later, and retry the Cisco DNA Center upgrade.

Backup and Restore Limitations

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

HA Limitation

In this release, Cisco DNA Center provides HA support only for Automation and Cisco SD-Access. HA for Assurance is not supported.

Cisco ISE Integration Limitations

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC5280 section-4.2.19).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.

License Limitation

The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support wireless LAN controller models that run Cisco AireOS.

Fabric Limitation

Cisco DNA Center supports up to a maximum of 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, and so on.

Physical ports cannot exceed 480,000 ports on a 112-core appliance.

Brownfield Feature-Related Limitations

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, Policy Deployment failed is displayed.

AP Limitations

  • AP as a sensor is not supported in this release of Cisco DNA Center.

  • Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.

    After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.

  • Provisioning of 100 APs takes longer in this release as compared to 3 minutes in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.

Application Hosting Limitation

In this release of Cisco DNA Center, application hosting is not supported on stacked switches.

Inter-Release Controller Mobility (IRCM) Limitation

The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.

IP Device Tracking on Trunk Port Limitation

Rogue-on-wire detection is impacted; Cisco DNA Center does not show all clients connected to a switch via an access point in bridge mode. The trunk port is used to exchange all VLAN information. When you enable IP device tracking on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable IP device tracking on the trunk port. The rogue-on-wire is not detected if the IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.

AAA Provisioning Limitation

Cisco DNA Center does not support provisioning AAA on Cisco Nexus 7000 devices.

Cisco Plug and Play Limitations

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center:

For This Type of Information... See This Document...

Release information, including new features, limitations, and open and resolved bugs.

Cisco DNA Center Release Notes

Installation and configuration of Cisco DNA Center, including postinstallation tasks.

Cisco DNA Center Installation Guide

Upgrade information for your current release of Cisco DNA Center.

Cisco DNA Center Upgrade Guide

Use of the Cisco DNA Center GUI and its applications.

Cisco DNA Center User Guide

Configuration of user accounts, security certificates, authentication and password policies, and backup and restore.

Cisco DNA Center Administrator Guide

Security features, hardening, and best practices to ensure a secure deployment.

Cisco DNA Center Security Best Practices Guide

Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases.

Supported Devices

Hardware and software support for Cisco SD-Access.

Cisco SD-Access Hardware and Software Compatibility Matrix

Use of the Cisco DNA Assurance GUI.

Cisco DNA Assurance User Guide

Use of the Cisco DNA Center platform GUI and its applications.

Cisco DNA Center Platform User Guide

Cisco DNA Center platform release information, including new features, deployment, and bugs.

Cisco DNA Center Platform Release Notes

Use of the Cisco Wide Area Bonjour Application GUI.

Cisco Wide Area Bonjour Application User Guide

Use of the Stealthwatch Security Analytics Service on Cisco DNA Center.

Cisco Stealthwatch Analytics Service User Guide

Use of Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center GUI.

Cisco DNA Center Rogue Management Application Quick Start Guide