Release Notes for Cisco Digital Network Architecture Center, Release 1.3

Cisco Digital Network Architecture Center, Release 1.3 is available with new enhancements, additional device support, and bug fixes.

Cisco DNA Center 1.3 is the recommended release for all new customers who are just starting on the intent-based networking journey with Cisco DNA Center.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History

Date

Change

Location

2019-10-08

Updated C9200 part numbers for Fabric edge node with Cisco SD-Access Wireless support in Cisco DNA Center 1.3.

New and Changed Information

2019-10-07

Updated the description of CSCvr03768.

Resolved Bugs

2019-10-03

Added CSCvr03768 as a resolved bug in Cisco DNA Center 1.3.0.4.

Resolved Bugs

2019-09-08

Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.4.

New and Changed Information

Resolved Bugs

Added open bugs: CSCvq61912, CSCvq70700, CSCvq97736, CSCvr00675, CSCvr01185, CSCvr18650, CSCvr19265, and CSCvr19604.

Open Bugs—Non-High Availability

2019-08-28

Added Cisco Catalyst 9500 High Performance switches to the list of platforms supported on Cisco Catalyst 9800 Embedded Wireless Controller.

New and Changed Information

2019-08-06

Added a limitation related to Cisco Connected Mobile Experiences (CMX).

Limitations and Restrictions

Noted that starting in Cisco DNA Center 1.3, the following Cisco Catalyst 9500 High Performance switches can be used as seed devices and PnP agents for LAN automation:

  • C9500-32C

  • C9500-32QC

  • C9500-24Y4C

  • C9500-48Y4C

New and Changed Information

2019-08-01

Moved CSCvn69306 to the Resolved Bugs table.

Resolved Bugs

Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.3.

New and Changed Information

Resolved Bugs

2019-07-25

Added CSCvq54634, CSCvq65765, and CSCvq65784.

Open Bugs—Non-High Availability

Added CSCvq54357.

Resolved Bugs

Updated the LAN automation enhancements description.

New and Changed Information

2019-07-03

Added limitations related to Intelligent Capture.

Limitations and Restrictions

2019-06-21

Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.2.

New and Changed Information

Resolved Bugs

2019-05-31

Initial release.

New and Changed Information

The following table shows the updated packages and the versions.

Table 2. Updated Packages and Versions in Cisco DNA Center Release 1.3.0.x
Package Name Release 1.3.0.4 Release 1.3.0.3 Release 1.3.0.2 Release 1.3

System Updates

System

1.2.0.1013

1.2.0.1008

1.2.0.998

1.2.0.998

Package Updates

Application Policy

2.1.42.170001

2.1.42.170001

2.1.40.170897

2.1.40.170897

Assurance - Base

1.3.1.140

1.3.1.137

1.3.0.1345

1.3.0.1344

Assurance - Sensor

1.3.0.1313

1.3.0.1313

1.3.0.1313

1.3.0.1313

Automation - Base

2.1.43.60042

2.1.42.60056

2.1.41.60025

2.1.40.61847

Automation - Intelligent Capture

2.1.43.60042

2.1.42.60056

2.1.41.60025

2.1.40.61847

Automation - Sensor

2.1.43.60042

2.1.42.60056

2.1.41.60025

2.1.40.61847

Cisco DNA Center Platform

1.1.1.2

1.1.1.2

1.1.0.4

1.1.0.4

Cisco DNA Center UI

1.3.1.250

1.3.1.241

1.3.0.221

1.3.0.219

Cisco SD-Access

2.1.43.60045

2.1.42.60058

2.1.41.60025

2.1.40.61847

Command Runner

2.1.43.60042

2.1.41.60025

2.1.41.60025

2.1.40.61847

Device Onboarding

2.1.43.60042

2.1.42.60056

2.1.40.61847

2.1.40.61847

Image Management

2.1.43.60042

2.1.42.60056

2.1.41.60025

2.1.40.61847

NCP - Base

2.1.43.60042

2.1.40.61847

2.1.40.61847

2.1.40.61847

NCP - Services

2.1.43.60042

2.1.42.60056

2.1.41.60025

2.1.40.61847

Network Controller Platform

2.1.43.60046

2.1.42.60056

2.1.41.60025

2.1.40.61847

Network Data Platform - Base Analytics

1.3.1.204

1.3.1.204

1.3.0.189

1.3.0.189

Network Data Platform - Core

1.3.1.615

1.3.1.615

1.3.0.513

1.3.0.513

Network Data Platform - Manager

1.3.1.185

1.3.1.185

1.3.0.173

1.3.0.173

Path Trace

2.1.43.60042

2.1.42.60056

2.1.41.60025

2.1.40.61847

New and Changed Features

The following tables summarize the new and changed features in Release 1.3.

Table 3. New and Changed Features in Cisco DNA Center, Release 1.3
Feature Description

Localization

You can view the Cisco DNA Center GUI screens in English (the default), Chinese, Japanese, or Korean.

To change the default language, simply change the locale in your browser to one of the supported languages: Chinese, Japanese, or Korean.

Note 

While most screens—including the home page, tools, online help, and REST APIs—are localized, the Assurance screens are not localized.

Network hierarchy

When you select an area, building, or floor on the Network Hierarchy, Network Settings, or Provision page, the hierarchical selection is retained when you switch between these pages.

Design usability enhancement

The options under the Design menu are available as a drop-down list.

Policy usability enhancement

The options under the Policy menu are available as a drop-down list.

Provision page navigation enhancement

The Inventory and Plug and Play menu options are available under Provision > Device as a drop-down list.

Inventory

Starting in Cisco DNA Center, the Inventory feature is merged with the Provision page.

From the Cisco DNA Center home page, click Provision. From the Provision Devices page, choose Actions > Inventory to view and use the inventory features.

Image Repository

Starting in Cisco DNA Center 1.3, the Image Repository tool is merged with the site-based Image Repository that is available as part of the Design page.

Starting in Cisco DNA Center 1.3, you can assign a software image to device series filtered from cisco.com as well as to custom device series.

IPv6 support

You can now create and reserve IPv6 address pools in addition to IPv4 address pools.

System 360 overview

The System 360 Overview tab is updated to provide metrics of various functions of Cisco DNA Center in dashlets. The metrics include Hosts, High Availability, ClusterTools, System Management Updates, Backup, Application Health, Identity Services Engine (ISE), and IP Address Manager (IPAM).

ROMMON upgrade

A ROMMON upgrade is included in the add-on for software image upgrade. For the ROMMON upgrade, the cisco.com configuration is mandatory. When a device is added, the latest ROMMON details are retrieved from cisco.com for applicable devices. Also, you import a base image or tag a base image, the ROMMON image is downloaded automatically from cisco.com.

Device upgrade readiness prechecks

Prechecks such as NFVIS Flash, Service Entitlement, Interface, CDP neighbors, Running Config, Spanning Tree Summary, and AP Summary are included as enhancements.

Retry option to resync Cisco ISE connectivity

If the Cisco ISE server configuration fails due to a password change, you can update the password and resync the ISE connectivity in the Authentication and Policy Servers page.

Ability to import new certificate file and export certificate details

You can import a new certificate file from your local system and export certificate details on the System Settings > Settings > Trustpool page.

Schedule discovery

You can schedule discovery for a later time.

Include SSH key information in exported device credentials

You can include information such as the SSH key and initial SSH key algorithm in the exported device credentials.

View additional device details in the Topology page

You can view additional device details such as device IP address and device name suffix in the Topology page.

View all options available in the Topology page

By clicking the Take a Tour link, you can view the details of all options available in the Topology page.

Table 4. New and Changed Software Features in Cisco Wireless, Release 1.3
Feature Description

Support for N+1 High Availability

Cisco DNA Center Release 1.3 introduces support for N+1 High Availability (HA) on the Cisco Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller platforms.

N+1 HA allows a single Cisco Wireless Controller to be used as a backup controller for multiple primary controllers. These wireless controllers are independent of each other and do not share configuration or IP addresses on any of their interfaces.

Cisco DNA Center supports primary and secondary controller configurations for N+1 HA. N+1 HA is configured at the AP level, not at the global level. Configurations are pushed directly to the AP.

Support for guest anchor Inter-Release Controller Mobility (IRCM)

Inter-Release Controller Mobility (IRCM) supports seamless mobility and wireless services across different Cisco Wireless Controllers with different software versions.

Cisco DNA Center supports guest anchor functionality for the following device combinations:

  • Cisco AireOS Controller as a foreign controller with a Cisco AireOS Controller as an anchor controller.

  • Cisco AireOS Controller as a guest anchor controller with a Cisco Catalyst 9800 Series Wireless Controller as a foreign controller.

  • Cisco Catalyst 9800 Series Wireless Controller as a foreign controller with a Cisco Catalyst 9800 Series Wireless Controller as an anchor controller.

New platform support for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series

The Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series supports the following platforms in this release:

  • Cisco Catalyst 9400 Series Switches

  • Cisco Catalyst 9500 Series Switches

  • Cisco Catalyst 9500 High Performance Series Switches

Advanced SSID configurations for enterprise and guest wireless network settings

The following advanced SSID configurations are added in this release:

  • Fast Transition over the DS

    Fast Transition over the DS is not applicable for wireless enterprise-open and guest network.

  • MFP Client Protection

  • Session Timeout

  • Client Exclusion

  • 11v BSS Transition Support—The following configurations are sent:

    • Max idle enable

    • Client user idle timeout

    • Directed multicast service

  • 11k—Neighbor list configuration is sent. This allows 11k capable clients to request neighbor reports containing information about known neighbor APs that are candidates for roaming.

AAA per SSID

Note 

AAA per SSID feature is supported only for Cisco AireOS Controller.

The AAA per SSID feature solves the behavior of different AAA servers being mapped to different sites, buildings, and floors, which are managed by the same Cisco Wireless Controller. Cisco DNA Center pushes an SSID with respect to the AAA server.

A network profile with an SSID and different sites is mapped with different AAA servers. Based on the AAA server, the SSID with a different name is pushed to the wireless controller after the wireless controller provisioning.

Only two AAA servers per site, building, and floor are supported.

Only one ISE server is mapped to a particular site, building, or floor.

Brownfield is not supported.

You cannot map the ISE server as the primary and the AAA server as the secondary to a particular site.

Table 5. New and Changed Software Features in Cisco SD-Access, Release 1.3
Feature Description

IPv6 endpoint support in fabric

Fabric devices can now onboard IPv6 wired and wireless clients into a Cisco SD-Access fabric that has an IPv4 underlay. The following features are supported for IPv6 endpoints:

  • Layer 2 border handoff

  • Multicast, Broadcast and Link Local multicast

  • Layer 3 handoff

  • DHCP and DNS servers accept IPv6 addresses, in addition to IPv4 addresses

  • Client IP address assignment supports static IP, SLAAC, and DHCP

  • IPv6 and IPv4 clients can co-exist in the same VLAN.

  • IPv6 multicast support for both native and headend replication in the overlay.

Note 

IPv6 guest VN is not supported in Cisco SD-Access, Release 1.3.

LAN Automation enhancements

Cisco Catalyst 9400 Series Switches with 40-G ports now support LAN automation.

Cisco Catalyst 9500 High Performance Series Switches running IOS XE 16.11.1 support LAN Automation. The switches now boot up in Layer 2 mode instead of Layer 3 mode.

Validation of LAN subnet reachability from Cisco DNA Center: if the primary device on the LAN subnet is not reachable from Cisco DNA Center, an error message is displayed.

The LAN Automation page now refreshes automatically.

Starting Cisco DNA Center 1.3, the following Cisco Catalyst 9500 High Performance series switches can be used as seed devices and PnP agents for LAN Automation:

  • C9500-32C

  • C9500-32QC

  • C9500-24Y4C

  • C9500-48Y4C

Support for extended node

Extended nodes are those devices that run in Layer 2 switch mode and do not support fabric technology natively. You can now configure extended nodes in a Cisco SD-Access fabric.

For information on configuring an extended node, see the Configure an Extended Node section in the Cisco Digital Network Architecture Center User Guide, Release 1.3.

Support for port channels

You can now create or delete port channels between the fabric edge ports and the extended node uplinks.

Device support for fabric-in-a-box

You can now configure a Cisco Catalyst 9500 High Performance Series Switch as a fabric-in-a-box.

Layer 2 border local endpoints: scale of 32,000

Cisco Catalyst 9500 Switches or Cisco Catalyst 9400 Switches deployed as a Layer 2 border can now have up to 32,000 local endpoints connected to them.

AAA per SSID

Note 

AAA per SSID feature is supported only for Cisco AireOS Controller.

AAA per SSID feature solves the behavior of different AAA servers being mapped to different sites, buildings, and floors, which are managed by the same Cisco Wireless Controller. Cisco DNA Center pushes an SSID with respect to the AAA server.

A network profile with an SSID and different sites are mapped with different AAA servers. Based on the AAA server, the SSID with a different profile name is pushed to the wireless controller after the wireless controller provisioning.

Only two AAA servers per site, building, and floor is supported.

Only one ISE server is mapped to a particular site, building, or floor.

Brownfield is not supported.

You cannot map an ISE server as primary and AAA server as secondary to a particular site.

New platform support for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series

The Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series supports the following platforms in this release:

  • Cisco Catalyst 9400 Series Switches

  • Cisco Catalyst 9500 Series Switches

  • Cisco Catalyst 9500 High Performance Series Switches

Advanced SSID configurations for enterprise and guest wireless network settings

The following advanced SSID configurations are newly added in this release:

  • Fast Transition over the DS

    Fast Transition over the DS is not applicable for wireless enterprise-open and guest network.

  • MFP Client Protection

  • Session Timeout

  • Client Exclusion

  • 11v BSS Transition Support—The following configurations are sent:

    • Max idle enable

    • Client user idle timeout

    • Directed multicast service

  • 11k—Neighbor list configuration is sent. This allows 11k capable clients to request neighbor reports containing information about known neighbor APs that are candidates for roaming.

Table 6. New Hardware in Cisco SD-Access, Release 1.3

Device Role

Product Family

Part Number

Description

Fabric border and control plane node

Cisco Catalyst 9600 Series Switches

C9600-SUP-1

C9600-LC-48YL

C9600-LC-24C

Cisco Catalyst 9600 Series Switches can be configured as a fabric border node, fabric control plane node, or both.

Fabric border node

Cisco Nexus 7700 Series Switches

N77-SUP3E

The Nexus 7700 Series Switch with the Supervisor Module-3 (SUP 3E) can be configured as a fabric external border node, only with the M3 line card.

Fabric edge node

Cisco Catalyst 9200 Series Switches

C9200L-24PXG-2Y

C9200L-24PXG-4X

C9200L-48PXG-2Y

C9200L-48PXG-4X

Cisco Catalyst 9200 Series Multigigabit switches can be configured as a fabric edge node.

Fabric edge node with SD-Access Wireless support

Cisco Catalyst 9200 Series Switches

C9200-24T

C9200-24P

C9200-48T

C9200-48P

Cisco Catalyst 9200 Series Switches can be configured as a fabric edge node with directly connected Fabric Wireless Access Points to support wireless clients and terminate VXLAN tunnels.

Note that Cisco Catalyst 9800 Embedded Wireless Controller is not supported on Cisco Catalyst 9200 Series Switches.

Access Points

Cisco Catalyst 9100 Series Wi-Fi 6 (802.11ax) Access Points

C9120AXI-x

C9120AXE-x

C9120AXP-x

The Catalyst 9100 Series Access Points can be configured as a Fabric Wireless node.

Table 7. New and Changed Features for Cisco DNA Assurance, Release 1.3
Feature Description

Application Experience enhancements

Enhanced the Health > Application Health window:

  • Added timeline range option for 7 days.

  • Changed non-standard NBAR applications to display their HTTP host name or SSL common name, if available.

  • For the Application dashlet, the following data columns can be added to the table: Jitter, Client Network Latency, and Server Network Latency.

Enhanced the Application 360 window:

  • Added a filter for application data based on location.

  • Added charts for the Application Experience slide-in pane for the following metrics: Jitter, Client Network Latency, and Server Network Latency.

  • Added the Observed data column under DSCP to the Application Experience dashlet table. The Observed column indicates the application's current DSCP value.

Enhanced the Device 360 window for routers:

  • Added filters in the Application Experience category that enables you to filter application data from specific VRFs and router interfaces.

  • Changed non-standard NBAR applications to display their HTTP host name or SSL common name, if available.

  • Added the Observed data column under DSCP to the Application Experience category table. The Observed column indicates the application's current DSCP value.

  • Added the Jitter data column for the Application Experience category table.

IPv6 address support for wireless and wired clients

Enhanced the Health > Client window:

  • Fixed the IPv6 Address data column to display the client's IPv6 address in the following locations:

    • Client Health Summary dashlet in the slide-in panes for Wireless Clients and Wired Clients

    • Client Devices dashlet

    Note 

    Assurance supports clients with multiple IPv6 addresses. You can view the additional addresses by hovering your cursor over the tooltip link in parentheses. For example, (1 more).

  • Added filtering for IPv6 addresses in the Client Devices dashlet table.

Enhanced the Client 360 window:

  • Fixed IPv6 above the timeline to display the client's IPv6 address.

  • Added IPv6 to the Onboarding category.

  • Added IPv6 to the Event Viewer category.

  • Fixed IPv6 Address from the Detail Information category to display the client's IPv6 address.

Note 

Assurance supports clients with multiple IPv6 addresses. You can view the additional addresses by hovering your cursor over the tooltip link in parentheses. For example, (1 more).

Simplifies the health score formula for wireless clients

  • Simplifies the individual health score calculation for wireless clients.

  • Simplifies the RSSI and SNR connectivity scores calculation for wireless clients.

Support KPIs and baselining for On-Device AI (on-premises)

Added the following enhancements:

  • View the issues generated by Assurance for excessive onboarding. The root causes for the excessive onboarding issues are AAA, DHCP, and Association. The issues are generated through the baseline.

  • In the Global Issues window, you can click an issue in the Issue Type column to open a slide-in pane with additional details. In the slide-in pane, click an issue in the Issue Instance column to view more details about the issue instance.

  • While configuring issue settings, if you set the Device Type as All and Category as Onboarding as the trigger condition, you can set the trigger condition to generate either baseline-based issues or threshold-based issues.

  • In the Client Health dashboard, for the Client Onboarding Times and Client Count per SSID dashlets, you can click the Trend tab to display a trend chart. Under Trend, you have the option to select Baseline to view the onboarding time baseline data (trend chart) or to view the client count data (trend chart) per SSID.

Intelligent Capture

  • Added the following location to manage Intelligent Capture for clients:

    Assurance > Manage > Client Intelligent Capture

  • Added the following location to manage Intelligent Capture for Access Points:

    Assurance > Manage > AP Intelligent Capture

Cisco ISE configuration unification

  • Centralized Cisco ISE configuration for all of Cisco DNA Center in the NCP (Network Control Platform) location:

    Settings > System Settings > Settings > Authentication and Policy Servers

    After a Cisco ISE server is successfully configured, NCP sends the configuration details (that is, pxGrid nodes, keystore, and truststore files) to Network Data Platform (NDP).

  • Added the following location to enable anonymization for PPI (personally identifiable information):

    Settings > System Settings > Settings > Anonymize Data

Cisco DNA Center-Supported Devices

For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.

Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later

  • Mozilla Firefox: Version 65.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco Digital Network Architecture Center Installation Guide.

Supported Firmware

Cisco Integrated Management Controller (IMC) versions are independent from Cisco DNA Center versions. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 3.1(2c) for appliance model DN2-HW-APL

  • Cisco IMC Version 3.1(3a) for appliance model DN2-HW-APL-L

  • Cisco IMC Version 4.0(1a) for appliance model DN2-HW-APL-XL

The preceding versions are the minimum firmware versions. Later versions are also supported.

Installing Cisco DNA Center

You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco Digital Network Architecture Center Installation Guide for information about installation and deployment procedures.


Note

The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.

  • Cisco SD-Access

  • Assurance - Sensor

  • Automation - Sensor

  • Application Policy

  • Cisco DNA Center platform

  • Intelligent Capture


For more information about downloading and installing a package, see the "Manage Applications" chapter in the Cisco Digital Network Architecture Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

This release of Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) 10.6.1. Earlier versions of CMX are not supported.


Note

While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.


Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series


Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternate Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.


Bugs

Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.

Procedure


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered cisco.com username and password and click Log In.

The Bug Search window opens.

Note 
If you do not have a cisco.com username and password, register at https://idreg.cloudapps.cisco.com/idreg/guestRegistration.do.
Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs—Non-High Availability

The following table lists the open non-HA bugs in Cisco DNA Center for this release.

Table 8. Open Bugs—Non-HA

Bug Identifier

Headline

CSCvj41522

Importing a Plug and Play CSV with 25 APs fails.

CSCvn32554

Wireless controller goes into unmonitored state after a restore from the backup.

CSCvo21720

Network health appears for the Cisco Catalyst 9800 wireless controller in both the monitored and unmonitored sections.

CSCvo44394

When you try to add Cisco ISE 2.4 to Cisco DNA Center 1.3, the following certificate error is generated:

“Error establishing trust with ISE: Expected phrase [Enter URI for uploading ISE certificate chain:] 
wasn’t received from ise”

The workaround is to configure the network MTU size to 9100 between Cisco ISE and Cisco DNA Center.

CSCvo60306

Device activation fails when the image is not the minimum supported image version.

CSCvp15026

Devices remain in Partial Collection Failure state after an incomplete provision and resynch.

This problem occurs only when there is an incomplete manual clearing of CLI commands on a device. When a device goes through the full removal flow, subsequent synchronizations work correctly.

Related bug: CSCvj15139.

CSCvp29213

A crash occurs when the RADIUS Change of Authorization (CoA) feature is triggered for an environment data update and the clear cts environment-data command is issued at the same time. The problem occurs because the clear cts environment-data command fails to clear the environment data.

CSCvp25402

After you delete a wireless controller with 4000 APs from Cisco DNA Center, it takes 25 minutes or longer for the wireless controller to be removed from the inventory.

CSCvp38271

Cisco Software-Defined Access: Events are missing from the Event Viewer on the Device 360 page.

CSCvp48020

IR829 does not display the correct Gigabit interface in the WAN interface drop-down list.

CSCvp48160

Software image management: Catalyst 6000 image activation fails while upgrading image version 152-2.SY to 152-2.SY*.

CSCvp49120

A Cisco Catalyst 6000 ISSU upgrade from SY2 to SY3 fails when the device has snmp-server enable traps vstack in the running configuration.

CSCvp51880

The Maglev Cassandra service fills up the disk with index files.

CSCvp53259

A Cisco DNA Center local backup fails if the maglev password starts with special characters.

CSCvp65347

The Time API takes a very long time to respond when there are multiple user sessions browsing the Assurance GUI.

CSCvp73793

The Cisco Catalyst 9800 wireless controller neighbor topology does not update the AP count in the inventory.

CSCvp75825

Air quality is missing randomly from an AP 360 page health chart.

CSCvp79623

The Device Inventory page refreshes continuously when the complete fully qualified domain name (FQDN) associated with the Cisco DNA Center IP address is not configured during install. The Device Inventory page doesn't show the device list.

To work around this problem, use the IP address or the complete FQDN in the URL.

CSCvp80992

Provisioning fails if you choose "Do not change" and enter an interface name.

CSCvp82437

The Flex Connect SSID with Cisco Catalyst 9800 does not appear on an AP when you choose VLAN name management.

CSCvp83057

External site borders point to other external borders in a site, which causes loops.

CSCvp83298

After migration, the port channel is not created on the switch and is missing from the Host Onboarding page.

CSCvp83298

After upgrading packages, resynchronizing devices, and reconfiguring fabric, if a device classifier is enabled on an edge device, access points go down.

CSCvp85827

Border Gateway Protocol (BGP) advertises Multicast Rendezvous Point (RP) /32 and /128 prefixes from non-RP borders.

CSCvp86063

You can manually add Cisco IE3300 and IE3400 extended nodes that have been removed from the fabric.

CSCvp86074

Migration: Cannot add IPv6 to the fabric.

CSCvp88055

An ISR border device returns an error when the fabric is enabled with a multicast RP on the other fabric border.

CSCvp88475

AP mode and uptime don't get updated, affecting Intelligent Capture functionality.

CSCvp89837

If you upgrade Cisco DNA Center 1.2.10 to 1.3 and make embedded wireless LAN controller image changes, the controller goes into Unmonitored state, and Assurance shows no client data.

CSCvp95386

After upgrading the embedded wireless software on Cisco Catalyst 9000 devices from 16.10.1.e to 16.11.1s, the AP country code configuration is lost.

CSCvp96088

An image change on the wireless controller causes the AP Intelligent Capture 360 page to lose all data.

CSCvp99454

After upgrading from Cisco DNA Center 1.2.3 or 1.2.6 to 1.2.8, then 1.2.10, then 1.3, the Network Plug and Play menu option is available under the Tools menu. (The Network Plug and Play menu option should not be present.)

If you upgrade from Cisco DNA Center 1.2.10 to 1.3, the Network Plug and Play menu option is not available under the Tools menu, which is correct.

CSCvq02712

Cisco DNA Center 1.3 SDA end users can HTTPS to the fabric edge default gateway IP address.

CSCvq54634

Multicast does not work on an edge device that is added to a fabric on which multicast is already enabled.

CSCvq55626

The NDP package upgrade fails from 1.2.10.4 to 1.3.0.3. The Elasticsearch pod does not run in the NDP namespace.

CSCvq57083

Maglev upgrade from 1.2.12 to 1.3.0.3 fails with the error "Timeout waiting to pull system update hook bundle."

CSCvq61912

After upgrading Cisco DNA Center to 1.3.0.4, the software image update status always shows Activation in progress.

CSCvq65765

After upgrading to Cisco DNA Center 1.3.0.3 and enabling the Autoconf feature, macro configurations are not removed from extended nodes.

CSCvq65784

When IPv4 multicasting is enabled on an edge device, Cisco DNA Center does not push the ip igmp explicit-tracking command to the Layer 2 handoff VLAN on the corresponding border device.

CSCvq97736

Parent catalog settings validation fails and packages cannot be retrieved from the cloud. This problem occurs only when the proxy is not configured through the Config wizard during ISO install.

To work around this problem, SSH to the cluster IP and enter magctl service restart -d catalogserver. Wait for 90 seconds and then enter maglev catalog settings validate.

CSCvr00675

After upgrading from Cisco DNA Center 1.2 to 1.3, when you try to modify a guest wireless SSID, the following error message is displayed:

"NCWL10019: Over the DS cannot be enabled when the Fast Transition is Null."

CSCvr01185

After migration, extended nodes are flagged as out of compliance.

CSCvr18650

Deploying an onboarding interface fails with the following error:

"NCSP10025: UserIntentProvisioningService error."

CSCvr19265

After upgrading or restarting a node, the API /api/system/v1/license/credentials/cco returns a 502 error code and CCO credentials are not set.

To work around this problem, enter the following CLI command to restart the license service:

$ magctl service restart -d license-service

Related bug: CSCvq70700.

CSCvr19604

After upgrading from Cisco DNA Center 1.2.12 to 1.3.0.4, the command no macro auto global processing is not pushed to the edge node after enabling AVC.

Open Bugs—High Availability

The following table lists the open high availability (HA) bugs in Cisco DNA Center for this release.

Table 9. Open Bugs—HA

Bug Identifier

Headline

CSCvn32215

In a three-node setup, if you bring down the node while LAN automation is in progress, the LAN automation status shows as complete, yet without success.

This problem occurs if you perform a network-orchestration service restart or a full node restart while LAN automation is in progress.

The network orchestration service doesn't resume the ongoing LAN automation session. It marks LAN automation as complete and releases all IP addresses allocated from IPAM. Users are expected to perform a configuration cleanup on the seed device, write-erase/reload discovered devices, and start a new LAN automation session.

CSCvo35174

Maglev cassandra-1 goes into the crashloop state on a three-node cluster after upgrading Cisco DNA Center.

CSCvo95706

The VIP toggles between the three nodes every minute and "Invalid VRRPv3 checksum" messages are seen in keepalived.

Resolved Bugs

The following tables list the resolved bugs in Cisco DNA Center, Releases 1.3.0.4, 1.3.0.3, 1.3.0.2, and 1.3.

Table 10. Resolved Bugs in Cisco DNA Center, Release 1.3.0.4

Bug Identifier

Headline

CSCvp36746

Reprovisioning of devices managed by Cisco DNA Center results in looping validating the config.

CSCvp40461

IP address management: Cannot create a global pool for IPv4.

CSCvp60708

Cisco DNA Center does not deploy a CLI template to more than one device when the firewall profile is assigned to two or more sites.

CSCvp95942

Provisioning a composite template with three templates fails before moving to success.

CSCvp97687

During an upgrade to Cisco DNA Center 1.3, the GUI appears to hang at 40% complete.

CSCvp99546

Fabric in a box: Synchronization occasionally takes longer than 30 minutes.

CSCvq02954

CommonBorder issues with INFRA_VN pool addition/names.

CSCvq09405

Cannot update the IP address pool in a virtual network.

CSCvq15441

During LAN automation, Cisco DNA Center does not push "write memory" to the peer seed.

CSCvq24092

Cisco DNA Center pushes the wrong Pre-Auth ACL.

CSCvq32466

Devices are unreachable, partial collection failures occur, and SNMP timeouts occur frequently.

CSCvq33072

IPSLA operation and reachability sessions are not cleaned up when an IP address is unprovisioned.

CSCvq33516

Cannot create custom applications in Application Policy.

CSCvq43865

Due to a large number of hung pykube connections, the Maglev server is unresponsive to services.

CSCvq45083

While provisioning an IP pool in a virtual network, the following error is generated: "java.lang.OutOfMemoryError: GC overhead limit exceeded."

CSCvq47553

Plug and Play UI: The Advanced Configuration is missing a scroll bar for templates with many attributes.

CSCvq49014

Host onboarding hangs at "fetching interfaces details... please wait..."

CSCvq49071

CMX locations of clients are missing on Cisco DNA Center floor maps.

CSCvq50166

Cisco DNA Center fails to provision a wireless controller. The error "Incorrect input!" is generated.

CSCvq53679

Assurance incorrectly reports "Excessive time lag" for a wireless controller.

CSCvq53772

Floor creation fails due to an internal server error 500.

CSCvq54768

Cisco DNA Center silently pushes IBNS 2.0.

CSCvq57415

Cisco DNA Center 1.3 upgrade fails due to tenant data migration.

CSCvq66900

The same devices belong to unassigned and to a site.

CSCvq70566

After adding a device to the fabric with Layer 3 handoff, the device domain name is lost.

CSCvq72718

Cannot provision a template that contains the string "FAILED".

CSCvq74218

Reprovisioning a wireless controller fails after site or floor deletion.

CSCvq78788

The underlay custom route-map is removed during reprovisioning.

CSCvq79255

Software upgrade shows inconsistent software upgrade status.

CSCvq79576

Border devices are deleted from the inventory without the user explicitly deleting those devices.

CSCvq81674

Cisco DNA Center cannot claim devices with the Composite Day 0 template.

CSCvq81851

Cisco DNA Center upgrade fails due to tenant data migration: duplicated entry in serialnumberipaddressmapping.

CSCvq86871

The PxGrid service crashes due to a large number of scalable groups.

CSCvq88657

Guest ACL reprovisioning fails on the 8.5 wireless controller.

CSCvq92227

Cisco DNA Center upgrade from 1.2.12 to 1.3.0.4: Access-tunnel is gone on the access point connected to the extended node after applying the security fix.

CSCvr00693

Adding internal border/Layer 3 handoff should not push config/connect to fabric edges.

CSCvr03768

The WSDL certificate in Cisco DNA Center's EJBCA Public Key Infrastructure (PKI) broker service expired on October 4, 2019. After this server certificate expires, Cisco DNA Center clients that use the EJBCA service for secure sessions fail to connect. As a result, Cisco DNA Center fails to onboard the Embedded Wireless Controller on Cisco Catalyst 9800 series devices and 1800s wireless sensors. Apart from the eWLC, there is no impact to any other WLC, switch, or router onboarding, or any other feature in Cisco DNA Center.

There is no workaround for this problem. You must upgrade Cisco DNA Center to a version that has been patched to include a new WSDL certificate. The following Cisco DNA Center releases have the fix with the new WSDL certificate: 1.2.10.5, 1.2.12.2, 1.3.0.4, and 1.3.1.1. The new certificate has a 20-year expiry.

Table 11. Resolved Bugs in Cisco DNA Center, Release 1.3.0.3

Bug Identifier

Headline

CSCvp17987

Device upgrade scenario must handle version changes.

CSCvp22208

Deletion of an unreachable device fails in a nonfabric Assurance-only setup.

CSCvp23733

Cisco DNA Center UI pages stop responding and display no values.

CSCvp42650

While provisioning a device to a fabric with a template applied, the "ip dhcp snooping" command is not pushed to the devices in the fabric.

CSCvp52235

Fabric in a Box does not differentiate Layer 2 from Layer 3 links.

CSCvp58052

Provisioning an AP with the High RF profile fails with an internal error.

CSCvp59968

AAA RADIUS primary Auth/Acct and secondary Auth/Acct indexes are changed when a wireless controller is provisioned.

CSCvp60199

The Authentication configuration is not pushed to newly added switch stack members.

CSCvp70381

An AP search using global search doesn't show all access points with duplicate names.

CSCvp76474

Cannot reconfigure the edge switch port after the extended node is moved.

CSCvp78285

The Template programmer service goes down.

CSCvp78852

Reprovisioning fabric devices may cause removal of CTS commands.

CSCvp79622

mongodb resource usage is 100% on a scale setup, causing performance issues.

CSCvp79623

If you use the DNS name instead of the IP address in the URL to access the Cisco DNA Center UI, inventory data does not load.

CSCvp87542

Cisco Catalyst 9800 Series Wireless Controller provisioning failure when special characters are used in the Cisco ISE shared key.

CSCvp88833

Cisco DNA Center and Meraki Dashboard integration fails because of a missing systemName value.

CSCvp89837

If you upgrade Cisco DNA Center 1.2.10 to 1.3 and make embedded wireless LAN controller image changes, the controller goes into Unmonitored state, and Assurance shows no client data.

CSCvp90804

Backup/Restore GUI becomes unresponsive (until timeout) when backup server is unreachable.

CSCvp91221

NetFlow is not pushed to the router interface when using the management IP.

CSCvp94220

Cisco DNA Center doesn't remove the map-cache command from the second border/control plane when selecting "Connected to internet."

CSCvp95641

When you create a new port channel, greyed out interfaces become selectable again via the filter output.

CSCvp95666

When the secret key is changed, the confirmation message is unclear.

CSCvp95942

Provisioning a composite template with three templates fails before moving to success.

CSCvp96021

Spanning-tree portfast is not pushed when closed auth is used in host onboarding.

CSCvp96079

After an upgrade, the compliance check fails with a false alarm for the fabric role on the Cisco Nexus 7000.

CSCvp96167

In the Border Node Configuration page, when you click Details, it shows a page with only "test" on it.

CSCvp96981

Device 360 page: Moving an issue to resolved state returns an error.

CSCvq02516

Fabric-enabled wireless is not supported with Cisco Catalyst 9200 switches.

CSCvq02799

Filtering for clients with SNR less than 9 dB fetches incorrect clients.

CSCvq03217

Wireless controller inventory collection fails due to "ERROR: value too long for type character varying (255)".

CSCvq03589

Cisco Catalyst 9000 readiness check fails for flash: "Need recommended storage but not found."

CSCvq07100

Remove polling of "show licensing" command on Cisco Catalyst 4500 during resynchronization.

CSCvq16253

In Assurance, resolving one issue updates all issues to resolved state.

CSCvq24742

Cisco ISE-reported wireless client data causes Assurance to show wireless clients as wired clients.

CSCvq28692

Physical Neighbor Topology blank, BadMessageException: 500: Request header too large.

CSCvq32539

Template provisioning doesn't show the exact CLI command that failed due to an SSH connection time out.

CSCvq33368

Wireless controller inventory collection fails with the error "unique constraint p2plinkterminationpoint_bk."

CSCvq33426

An application upgrade fails due to tenant data migration.

CSCvq54357

After enabling multicast, access points stop broadcasting their SSID and WLANs enter the down state.

Table 12. Resolved Bugs in Cisco DNA Center, Release 1.3.0.2

Bug Identifier

Headline

CSCvp85607

After an upgrade, an AireOS wireless LAN controller with TrustSec/SXP experiences partial collection failure.

CSCvp85982

After an upgrade, reprovisioning fails for embedded wireless LAN controllers and AireOS wireless LAN controllers.

CSCvp86063

Cisco DNA Center does not prevent you from removing an extended node Cisco Catalyst IE3300 or IE3400 device from the fabric and then adding it back to the fabric as an edge. In other words, you can manually add IE3300 and IE3400 extended nodes that have been removed from the fabric.

CSCvp86074

Cannot add IPv6 to the fabric if external IP address managers (IPAMs) are used for IP pools.

CSCvp86132

During an upgrade from Cisco DNA Center 1.2.8 to 1.2.10, the Cisco DNA Center 1.3 is Here! banner appears. However, if you upgrade to 1.3 without first upgrading the system to 1.2.10, package upgrade issues occur.

CSCvp88055

A Cisco ISR 4400 border device returns an error when the fabric is enabled with a multicast rendezvous point on the other fabric border.

CSCvp88213

After an upgrade, an embedded wireless LAN controller access point does not broadcast the SSID.

CSCvp89082

Embedded wireless LAN controller provisioning fails with a Java null pointer exception.

Related bug: CSCvp88853.

CSCvp89654

A software maintenance update on a Cisco Catalyst 9000 with Release 16.9.3 fails with an "NCSW10363" error.

CSCvp90174

After an upgrade, a Cisco IE5000 loses connectivity to Cisco DNA Center after the fabric is reconfigured.

CSCvp92365

After an upgrade, the RADIUS configuration is removed and added back during reprovisioning.

CSCvp92498

After an upgrade, Cisco DNA Center pushes incorrect PSN timeout values to switches.

CSCvp92735

Deleting an extended node port channel from the edge causes the edge to lose connectivity to Cisco DNA Center.

CSCvp94448

The Image Upgrade Readiness page shows the wrong golden image for the add-on package.

CSCvp96137

After an upgrade, the first reprovisioning of an embedded wireless LAN controller fails.

CSCvp97212

The fabric banner displays the oldest extended node error instead of the newest error.

CSCvp99456

After an upgrade, reconfiguring the fabric fails with "NCSP10000: Internal error."

CSCvq01546

Cisco DNA Center configures "map-cache ::/0 map-request" on border devices that are part of an IP transit, even though that configuration is not required.

CSCvq01667

When upgrading the application packages after a Cisco DNA Center 1.3 system upgrade, the package upgrade might fail with a "tenant migration failure" error. The root cause is a missing device record in the GRT table.

CSCvq11420

When upgrading the Cisco DNA Center cluster from 1.2.10 to 1.3, the sensor goes into Unclaimed state with "Error: [lua] handler.lua:303: ACCESS DENIED."

Table 13. Resolved Bugs in Cisco DNA Center, Release 1.3

Bug Identifier

Headline

CSCvh16564

For any NFVIS with version 3.7.x or earlier, there is no API to retrieve the system uptime.

CSCvn69306

After a system update, the jboss service does not run for the next hour. After 1 hour, the service recovers automatically.

CSCvn71409

Cisco 1800s running 8.8258.2 go into error state after an upgrade from Cisco DNA Center 1.2.6 to Cisco DNA Center 1.2.8.

CSCvo07310

Purge and aggregation jobs do not run.

CSCvo16429

When editing an existing test suite by changing its location, the existing sensor's configuration is removed without warning the user.

CSCvo16662

An internal error occurs when you choose Add VNF and add a device to the Inventory.

CSCvo20051

A system update fails if the hook-installer is not running.

CSCvo21174

In the Provision > Devices window, uptime (the period of time that a devices has been up and running) is not shown for NFVIS 3.10 and later devices.

CSCvo24817

The Assurance topology graph does not show when a link is down, but the automation topology graph is updated.

CSCvo30065

In the Inventory window, after you change the WAN IP address to the management IP address (and vice versa), interfaces are not listed in the NFVIS provisioning flow.

CSCvo30319

After removing a failed node and adding a new node to a multihost cluster, app stack services go into a crashloop state.

CSCvo30471

The Cisco Aironet 1800S Active Sensor doesn't pull software images immediately when inventoried, but only after a nightly synch.

CSCvo34972

Cisco DNA Center and CMX 10.6 integration doesn't sync the floor and building automatically.

CSCvo36052

Sensor: Test suites disappear after removing all sensors from inventory.

CSCvo38279

During sensor test suite creation, all SSIDs are not being shown for the selected floor.

CSCvo40364

It takes a few seconds to load the heat map and AP and client details.

CSCvo42491

A Catalyst 9000 image cannot be assigned to Catalyst 9400 devices.

CSCvo42517

When embedded wireless STP is turned on (the default is off), a path trace involving embedded wireless fails at the point between the embedded wireless controller and its connected switch. The path trace returns the error "Failed to obtain complete L2 path between routers."

CSCvo43286

When updating Cisco DNA Center from 1.2.8 to 1.2.10, the following error is reported for the system update:

System update failed during INSTALLED_CLUSTER_UPDATES.
Cluster update timed-out. Retry.

To work around this problem, enter the magctl service restart -d system-updater command.

CSCvo44418

On a restored cluster, new Assurance issues might not be generated.

CSCvo49209

A system update fails around 88% with an error that the hook download failed. To work around this problem, retry the system update.

CSCvp30313

Cisco DNA Center 1.2.10 (PxGrid client hangs): Integration fails when HA failover happens from a different Cisco ISE.

CSCvp36943

Cisco ISE Policy Administration Node (PAN) HA failover is not auto detected by Cisco DNA Center.

CSCvp42465

The NTP service does not recover from a failure on its own.

CSCvp60090

A Cisco wireless LAN controller goes to unreachable and partial collection failure (SNMP timeout) frequently.

Limitations and Restrictions

Backup and Restore Limitations

Backup and restore limitations and restrictions include:

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

HA Limitation

In this release, Cisco DNA Center provides HA support only for Automation and Cisco SD-Access. HA for Assurance is not supported.

Cisco ISE Integration Limitations

Cisco ISE integration limitations and restrictions include:

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC5280 section-4.2.19).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.

Brownfield Feature-Related Limitations

Brownfield feature-related limitations include:

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

Wireless policy limitations include:

  • If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, Policy Deployment failed is displayed.

Cisco Plug and Play Limitations

Plug and Play limitations and restrictions include:

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

AP Provisioning Failure Limitation

Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.

After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.

AP Performance Limitation

Provisioning of 100 APs takes longer in Cisco DNA Center, Release 1.3, than compared to 3 minutes in Cisco DNA Center, Release 1.2.10. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.

Inter-Release Controller Mobility (IRCM) Limitation

The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.

CMX Limitation

When integrating Cisco DNA Center with CMX 10.6.1, the site hierarchy that is created in Cisco DNA Center might not synchronize fully with CMX.

This problem occurs when CMX 10.6.1 is used and the site hierarchy in Cisco DNA Center contains one or more area elements that are children of other area elements; for example, Global > Area1 > Area1.1 > Building > Floor. CMX version 10.6.1 (and earlier) supports only hierarchies in the form of Global > Area > Building > Floor. CMX 10.6.1 does not support nested area elements.

The workaround is to rearrange the hierarchy in Cisco DNA Center so that there are no nested area elements. In other words, make sure the hierarchy is in the form of Global > Area > Building > Floor.

Intelligent Capture Limitations

Intelligent Capture limitations and restrictions include:

  • Cisco DNA Center might not receive anomaly packets.

    Under the following conditions, an AP does not send anomaly packets to Cisco DNA Center; therefore, anomaly events don't have correlated captured packets in Cisco DNA Center:

    • An anomaly event throttle limit is reached inside an AP

    • An AP consumes high CPU

    • A client roams to a non-Intelligent Capture AP

    • A wireless controller sends delete mobile to an AP before an anomaly timer is triggered

  • Enabling live or scheduled packet capture fails because the wireless controller exceeds the 16 MAC address limit for partial packet capture.

    Because the wireless controller can support a maximum of 16 MAC addresses for partial packet capture, if the list of MAC addresses on the wireless controller is not synchronized with Cisco DNA Center, enabling live or scheduled packet capture for a client fails with the following error messages:

    Failed to enable partial packet trace. NCSP10001: User intent validation failed.

    Failed to enable partial packet trace. config icap global subscription client packet-trace partial filter add [CLIENT MAC] Max filters configured:Failed to add new filter.

    Failed to enable client RF statistics. NCSP10001: User intent validation failed.

    Failed to enable filter channel. NCSP10001: User intent validation failed.

    Any of the following events can cause an out-of-synch condition:

    • Partial packet capture is enabled directly on the wireless controller rather than on the Intelligent Capture UI

    • Cisco DNA Center is reimaged or upgraded without first disabling all Intelligent Capture features

    • The wireless controller is deleted and then rediscovered on Cisco DNA Center

  • Enabling data packet capture fails because there is an existing MAC address in a full packet trace subscription on the wireless controller.

    Because the wireless controller supports only one MAC address for full packet capture, if there is an existing MAC address for full packet capture on the wireless controller, enabling data packet capture fails on that wireless controller. The following warning message is displayed:

    Max filter allowed for this topic is 1. Remove existing client filter before adding a new filter.

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center:

For This Type of Information... See This Document...

Release information, including new features, system requirements, and open and resolved bugs.

Cisco DNA Center Release Notes

Installation and configuration of Cisco DNA Center, including postinstallation tasks.

Cisco DNA Center Installation Guide

Upgrade information for your current release of Cisco DNA Center.

Cisco DNA Center Upgrade Guide

Use of the Cisco DNA Center GUI and its applications.

Cisco DNA Center User Guide

Configuration of user accounts, RBAC scope, security certificates, authentication and password policies, and global discovery settings.

Monitoring and managing Cisco DNA Center services.

Backup and restore.

Cisco DNA Center Administrator Guide

Security features, hardening, and best practices to ensure a secure deployment.

Cisco DNA Center Security Best Practices Guide

Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases.

Supported Devices

Hardware and software support for Cisco SD-Access.

Cisco SD-Access Hardware and Software Compatibility Matrix

Use of the Cisco DNA Assurance GUI.

Cisco DNA Assurance User Guide

Licenses and notices for open source software used in Cisco DNA Assurance.

Open Source Used in Cisco DNA Assurance

Use of the Cisco DNA Center platform GUI and its applications.

Cisco DNA Center Platform User Guide

Cisco DNA Center platform release information, including new features, deployment, and open bugs.

Cisco DNA Center Platform Release Notes

Licenses and notices for open source software used in Cisco DNA Center platform.

Open Source Used in Cisco DNA Center Platform

Key features and scale numbers.

Cisco DNA Center Data Sheet