Release Notes for Cisco DNA Center, Release 1.3.0.x
This document describes the features, limitations, and bugs for Cisco DNA Center, Release 1.3.0.x.
Change History
The following table lists changes to this document since its initial release.
| Date | Change | Location |
|---|---|---|
|
2020-07-08 |
Noted that IPv6 is not supported on Cisco Catalyst 9800 fabric devices. |
|
|
2020-04-10 |
Added that you can create a new AP_VLAN (2045) and template (ApAutzTemplate) on edge devices for AP connectivity. |
|
|
2020-03-18 |
Added an open bug: CSCvt00402. |
|
|
2020-02-18 |
Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.7. |
|
|
2020-02-05 |
Added CSCvq69305 and CSCvr12994 as resolved bugs in Cisco DNA Center 1.3.0.6. |
|
|
2020-01-28 |
Added information about the Wireless Pool option. |
Added information about the Wireless Pool option. |
|
Added CSCvs74635 as a resolved bug in Cisco DNA Center 1.3.0.6. |
||
|
Updated the following package version for Cisco DNA Center 1.3.0.6:
|
||
|
2020-01-09 |
Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.6. |
|
|
2019-11-05 |
Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.5. |
|
|
2019-10-16 |
Noted that Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. |
|
|
2019-10-08 |
Updated C9200 part numbers for fabric edge nodes with Cisco SD-Access wireless support in Cisco DNA Center 1.3. |
|
|
2019-10-07 |
Updated the description of CSCvr03768. |
|
|
2019-10-03 |
Added CSCvr03768 as a resolved bug in Cisco DNA Center 1.3.0.4. |
|
|
2019-09-08 |
Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.4. |
|
|
Added open bugs: CSCvq61912, CSCvq70700, CSCvq97736, CSCvr00675, CSCvr01185, CSCvr18650, CSCvr19265, and CSCvr19604. |
||
|
2019-08-28 |
Added Cisco Catalyst 9500 High Performance switches to the list of platforms supported on the Cisco Catalyst 9800 Embedded Wireless Controller. |
|
|
2019-08-06 |
Added a limitation related to Cisco Connected Mobile Experiences (CMX). |
|
|
Noted that starting in Cisco DNA Center 1.3, the following Cisco Catalyst 9500 High Performance switches can be used as seed devices and PnP agents for LAN automation:
|
||
|
2019-08-01 |
Moved CSCvn69306 to the Resolved Bugs table. |
|
|
Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.3. |
||
|
2019-07-25 |
Added CSCvq54634, CSCvq65765, and CSCvq65784. |
Open Bugs—Non-High Availability |
|
Added CSCvq54357. |
||
|
Updated the LAN automation enhancements description. |
||
|
2019-07-03 |
Added limitations related to Intelligent Capture. |
|
|
2019-06-21 |
Added the list of packages and resolved bugs in Cisco DNA Center 1.3.0.2. |
|
|
2019-05-31 |
Initial release. |
— |
Upgrade to the Latest Cisco DNA Center Release
For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.
New and Changed Information
The following table shows the updated packages and the versions.
| Package Name | Release 1.3.0.7 | Release 1.3.0.6 | Release 1.3.0.5 | Release 1.3.0.4 | Release 1.3.0.3 | Release 1.3.0.2 | Release 1.3 |
|---|---|---|---|---|---|---|---|
|
System Updates |
|||||||
|
System |
1.2.0.1021 |
1.2.0.1013 |
1.2.0.1013 |
1.2.0.1013 |
1.2.0.1008 |
1.2.0.998 |
1.2.0.998 |
|
Package Updates |
|||||||
|
Application Policy |
2.1.42.170001 |
2.1.42.170001 |
2.1.42.170001 |
2.1.42.170001 |
2.1.42.170001 |
2.1.40.170897 |
2.1.40.170897 |
|
Assurance - Base |
1.3.1.144 |
1.3.1.144 |
1.3.1.140 |
1.3.1.140 |
1.3.1.137 |
1.3.0.1345 |
1.3.0.1344 |
|
Assurance - Sensor |
1.3.0.1313 |
1.3.0.1313 |
1.3.0.1313 |
1.3.0.1313 |
1.3.0.1313 |
1.3.0.1313 |
1.3.0.1313 |
|
Automation - Base |
2.1.47.60007 |
2.1.45.60040 |
2.1.44.60004 |
2.1.43.60042 |
2.1.42.60056 |
2.1.41.60025 |
2.1.40.61847 |
|
Automation - Intelligent Capture |
2.1.47.60007 |
2.1.45.60040 |
2.1.43.60042 |
2.1.43.60042 |
2.1.42.60056 |
2.1.41.60025 |
2.1.40.61847 |
|
Automation - Sensor |
2.1.47.60007 |
2.1.45.60040 |
2.1.43.60042 |
2.1.43.60042 |
2.1.42.60056 |
2.1.41.60025 |
2.1.40.61847 |
|
Cisco DNA Center Platform |
1.1.1.2 |
1.1.1.2 |
1.1.1.2 |
1.1.1.2 |
1.1.1.2 |
1.1.0.4 |
1.1.0.4 |
|
Cisco DNA Center UI |
1.3.1.255 |
1.3.1.254 |
1.3.1.253 |
1.3.1.250 |
1.3.1.241 |
1.3.0.221 |
1.3.0.219 |
|
Cisco SD-Access |
2.1.47.60008 |
2.1.46.60001 |
2.1.44.60004 |
2.1.43.60045 |
2.1.42.60058 |
2.1.41.60025 |
2.1.40.61847 |
|
Command Runner |
2.1.45.60040 |
2.1.45.60040 |
2.1.43.60042 |
2.1.43.60042 |
2.1.41.60025 |
2.1.41.60025 |
2.1.40.61847 |
|
Device Onboarding |
2.1.47.60007 |
2.1.45.60040 |
2.1.43.60042 |
2.1.43.60042 |
2.1.42.60056 |
2.1.40.61847 |
2.1.40.61847 |
|
Image Management |
2.1.47.60007 |
2.1.45.60040 |
2.1.43.60042 |
2.1.43.60042 |
2.1.42.60056 |
2.1.41.60025 |
2.1.40.61847 |
|
NCP - Base |
2.1.45.60040 |
2.1.45.60040 |
2.1.43.60042 |
2.1.43.60042 |
2.1.40.61847 |
2.1.40.61847 |
2.1.40.61847 |
|
NCP - Services |
2.1.45.60040 |
2.1.45.60040 |
2.1.44.60004 |
2.1.43.60042 |
2.1.42.60056 |
2.1.41.60025 |
2.1.40.61847 |
|
Network Controller Platform |
2.1.47.60007 |
2.1.45.60040 |
2.1.44.60004 |
2.1.43.60046 |
2.1.42.60056 |
2.1.41.60025 |
2.1.40.61847 |
|
Network Data Platform - Base Analytics |
1.3.1.204 |
1.3.1.204 |
1.3.1.204 |
1.3.1.204 |
1.3.1.204 |
1.3.0.189 |
1.3.0.189 |
|
Network Data Platform - Core |
1.3.1.615 |
1.3.1.615 |
1.3.1.615 |
1.3.1.615 |
1.3.1.615 |
1.3.0.513 |
1.3.0.513 |
|
Network Data Platform - Manager |
1.3.1.185 |
1.3.1.185 |
1.3.1.185 |
1.3.1.185 |
1.3.1.185 |
1.3.0.173 |
1.3.0.173 |
|
Path Trace |
2.1.47.60007 |
2.1.45.60040 |
2.1.43.60042 |
2.1.43.60042 |
2.1.42.60056 |
2.1.41.60025 |
2.1.40.61847 |
New and Changed Features
The following tables summarize the new and changed features in Release 1.3.0.x.
| Feature | Description |
|---|---|
|
Ability to define an IP address pool as a wireless pool |
Cisco DNA Center, Release 1.3.0.6 provides the ability to select an IP pool as a wireless pool. You can choose from only the defined wireless pool while configuring the wireless SSID for the fabric. To enable the Wireless Pool toggle button, from the Cisco DNA Center home page, click Provisioning > Fabric > Fabric Name > Host Onboarding > VN Name > Advanced View. |
| Feature | Description | ||
|---|---|---|---|
|
Localization |
You can view the Cisco DNA Center GUI screens in English (the default), Chinese, Japanese, or Korean. To change the default language, simply change the locale in your browser to one of the supported languages: Chinese, Japanese, or Korean.
|
||
|
Network hierarchy |
When you select an area, building, or floor on the Network Hierarchy, Network Settings, or Provision page, the hierarchical selection is retained when you switch between these pages. |
||
|
Design usability enhancement |
The options under the Design menu are available as a drop-down list. |
||
|
Policy usability enhancement |
The options under the Policy menu are available as a drop-down list. |
||
|
Provision page navigation enhancement |
The Inventory and Plug and Play menu options are available under as a drop-down list. |
||
|
Inventory |
Starting in Cisco DNA Center, the Inventory feature is merged with the Provision page. From the Cisco DNA Center home page, click Provision. From the Provision Devices page, choose to view and use the inventory features. |
||
|
Image Repository |
Starting in Cisco DNA Center 1.3, the Image Repository tool is merged with the site-based Image Repository that is available as part of the Design page. Starting in Cisco DNA Center 1.3, you can assign a software image to device series filtered from cisco.com as well as to custom device series. |
||
|
IPv6 support |
You can now create and reserve IPv6 address pools in addition to IPv4 address pools. |
||
|
System 360 overview |
The System 360 Overview tab is updated to provide metrics of various functions of Cisco DNA Center in dashlets. The metrics include Hosts, High Availability, Cluster Tools, System Management Updates, Backup, Application Health, Identity Services Engine (ISE), and IP Address Manager (IPAM). |
||
|
ROMMON upgrade |
A ROMMON upgrade is included in the add-on for software image upgrade. For the ROMMON upgrade, the cisco.com configuration is mandatory. When a device is added, the latest ROMMON details are retrieved from cisco.com for applicable devices. Also, you import a base image or tag a base image, the ROMMON image is downloaded automatically from cisco.com. |
||
|
Device upgrade readiness prechecks |
Prechecks such as NFVIS Flash, Service Entitlement, Interface, CDP neighbors, Running Config, Spanning Tree Summary, and AP Summary are included as enhancements. |
||
|
Retry option to resync Cisco ISE connectivity |
If the Cisco ISE server configuration fails due to a password change, you can update the password and resync the ISE connectivity in the Authentication and Policy Servers page. |
||
|
Ability to import new certificate file and export certificate details |
You can import a new certificate file from your local system and export certificate details on the System Settings > Settings > Trustpool page. |
||
|
Schedule discovery |
You can schedule discovery for a later time. |
||
|
Include SSH key information in exported device credentials |
You can include information such as the SSH key and initial SSH key algorithm in the exported device credentials. |
||
|
View additional device details in the Topology page |
You can view additional device details such as device IP address and device name suffix in the Topology page. |
||
|
View all options available in the Topology page |
By clicking the Take a Tour link, you can view the details of all options available in the Topology page. |
| Feature | Description | ||
|---|---|---|---|
|
Support for N+1 High Availability |
Cisco DNA Center Release 1.3 introduces support for N+1 High Availability (HA) on the Cisco Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller platforms. N+1 HA allows a single Cisco Wireless Controller to be used as a backup controller for multiple primary controllers. These wireless controllers are independent of each other and do not share configuration or IP addresses on any of their interfaces. Cisco DNA Center supports primary and secondary controller configurations for N+1 HA. N+1 HA is configured at the AP level, not at the global level. Configurations are pushed directly to the AP. |
||
|
Support for guest anchor Inter-Release Controller Mobility (IRCM) |
Inter-Release Controller Mobility (IRCM) supports seamless mobility and wireless services across different Cisco Wireless Controllers with different software versions. Cisco DNA Center supports guest anchor functionality for the following device combinations:
|
||
|
New platform support for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series |
The Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series supports the following platforms in this release:
|
||
|
Advanced SSID configurations for enterprise and guest wireless network settings |
The following advanced SSID configurations are added in this release:
|
||
|
AAA per SSID |
The AAA per SSID feature solves the behavior of different AAA servers being mapped to different sites, buildings, and floors, which are managed by the same Cisco Wireless Controller. Cisco DNA Center pushes an SSID with respect to the AAA server. A network profile with an SSID and different sites is mapped with different AAA servers. Based on the AAA server, the SSID with a different name is pushed to the wireless controller after the wireless controller provisioning. Only two AAA servers are supported per site, building, and floor. Only one ISE server is mapped to a particular site, building, or floor. Brownfield is not supported. You cannot map the ISE server as the primary and the AAA server as the secondary to a particular site. |
| Feature | Description | ||
|---|---|---|---|
|
IPv6 endpoint support in fabric |
Fabric devices can now onboard IPv6 wired and wireless clients into a Cisco SD-Access fabric that has an IPv4 underlay. The following features are supported for IPv6 endpoints:
Note the following constraints:
|
||
|
LAN automation enhancements |
Cisco Catalyst 9400 Series Switches with 40-G ports now support LAN automation. Cisco Catalyst 9500 High Performance Series Switches running IOS XE 16.11.1 support LAN Automation. The switches now boot up in Layer 2 mode instead of Layer 3 mode. Validation of LAN subnet reachability from Cisco DNA Center: if the primary device on the LAN subnet is not reachable from Cisco DNA Center, an error message is displayed. The LAN Automation page now refreshes automatically. |
||
|
The following Cisco Catalyst 9500 High Performance series switches can be used as seed devices and PnP agents for LAN automation:
|
|||
|
Support for extended node |
Extended nodes are those devices that run in Layer 2 switch mode and do not support fabric technology natively. You can now configure extended nodes in a Cisco SD-Access fabric. For information on configuring an extended node, see the Configure an Extended Node section in the Cisco DNA Center User Guide. |
||
|
Support for port channels |
You can now create or delete port channels between the fabric edge ports and the extended node uplinks. |
||
|
Device support for Fabric in a Box |
You can now configure a Cisco Catalyst 9500 High Performance Series Switch to function as a Fabric in a Box. |
||
|
Ability to create a new AP_VLAN (2045) and template (ApAutzTemplate) on edge devices for AP connectivity |
In Cisco DNA Center 1.2.x, when you perform a VN-to-IP pool assignment for an AP pool under the INFRA_VN, a VLAN with a name syntax like <ip pool>_INFRA_VN is created in every site where the assignment occurs. In Cisco DNA Center 1.3.x, a dedicated AP VLAN with the name AP_VLAN and VLAN ID 2045 is created with a corresponding SVI interface. After you perform the VN-to-IP pool assignment under INFRA_VN for an AP pool, the IP address is assigned to the SVI interface. This can be used in Cisco ISE to assign the VLAN for AP profiling. This feature does not delete or change the existing fabric behavior for 1.2.x upgrades, which continue to use the old VLAN. If a new fabric site is created, a VLAN is created with the AP_VLAN name and VLAN ID 2045. If you want to standardize the AP_VLAN name to use in the Cisco ISE profile, you must remove the old VN-to-IP pool assignment and recreate the VN-to-IP pool assignment for the AP pool. This change requires network downtime; therefore, plan this change for a maintenance window. |
||
|
Layer 2 border local endpoints: scale of 32,000 |
Cisco Catalyst 9500 Switches or Cisco Catalyst 9400 Switches deployed as a Layer 2 border can now have up to 32,000 local endpoints connected to them. |
||
|
AAA per SSID |
AAA per SSID feature solves the behavior of different AAA servers being mapped to different sites, buildings, and floors, which are managed by the same Cisco Wireless Controller. Cisco DNA Center pushes an SSID with respect to the AAA server. A network profile with an SSID and different sites are mapped with different AAA servers. Based on the AAA server, the SSID with a different profile name is pushed to the wireless controller after the wireless controller provisioning. Only two AAA servers are supported per site, building, and floor. Only one ISE server is mapped to a particular site, building, or floor. Brownfield is not supported. You cannot map an ISE server as primary and AAA server as secondary to a particular site. |
||
|
New platform support for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series |
The Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series supports the following platforms in this release:
|
||
|
Advanced SSID configurations for enterprise and guest wireless network settings |
The following advanced SSID configurations are newly added in this release:
|
|
Device Role |
Product Family |
Part Number |
Description |
|---|---|---|---|
|
Fabric border and control plane node |
Cisco Catalyst 9600 Series Switches |
C9600-SUP-1 C9600-LC-48YL C9600-LC-24C |
Cisco Catalyst 9600 Series Switches can be configured as a fabric border node, fabric control plane node, or both. |
|
Fabric border node |
Cisco Nexus 7700 Series Switches |
N77-SUP3E |
The Nexus 7700 Series Switch with the Supervisor Module-3 (SUP 3E) can be configured as a fabric external border node, only with the M3 line card. |
|
Fabric edge node |
Cisco Catalyst 9200 Series Switches |
C9200L-24PXG-2Y C9200L-24PXG-4X C9200L-48PXG-2Y C9200L-48PXG-4X |
Cisco Catalyst 9200 Series Multigigabit switches can be configured as a fabric edge node. |
|
Fabric edge node with SD-Access Wireless support |
Cisco Catalyst 9200 Series Switches |
- |
All Cisco Catalyst 9200 Series Switches, except the Catalyst 9200L Series, support fabric edge with wireless to terminate VXLAN tunnel. Note that the Cisco Catalyst 9800 Embedded Wireless Controller is not supported on either the Cisco Catalyst 9200 Series or Cisco Catalyst 9200L Series Switches. |
|
Access Points |
Cisco Catalyst 9100 Series Wi-Fi 6 (802.11ax) Access Points |
C9120AXI-x C9120AXE-x C9120AXP-x |
The Cisco Catalyst 9100 Series Access Points can be configured as a Fabric Wireless node. |
| Feature | Description | ||
|---|---|---|---|
|
Application Experience enhancements |
Enhanced the window:
|
||
|
Enhanced the Application 360 window:
|
|||
|
Enhanced the Device 360 window for routers:
|
|||
|
IPv6 address support for wireless and wired clients |
Enhanced the window:
|
||
|
Enhanced the Client 360 window:
|
|||
|
Simplifies the health score formula for wireless clients |
|
||
|
Support KPIs and baselining for On-Device AI (on-premises) |
Added the following enhancements:
|
||
|
Intelligent Capture |
|
||
|
Cisco ISE configuration unification |
|
Cisco SD-Access Compatibility Matrix
For information about Cisco SD-Access hardware and software support for Cisco DNA Center, see the Cisco SD-Access Hardware and Software Compatibility Matrix. This information is helpful for deploying Cisco SD-Access.
Cisco DNA Center-Supported Devices
For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.
Compatible Browsers
The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:
-
Google Chrome: Version 73.0 or later
-
Mozilla Firefox: Version 65.0 or later
We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.
Cisco DNA Center Scale
For Cisco DNA Center scale numbers, see the Cisco DNA Center Data Sheet.
IP Address and FQDN Firewall Requirements
To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco DNA Center Installation Guide.
Supported Firmware
Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:
-
Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL
-
Cisco IMC Version 3.1(2c) for appliance model DN2-HW-APL
-
Cisco IMC Version 3.1(3a) for appliance model DN2-HW-APL-L
-
Cisco IMC Version 4.0(1a) for appliance model DN2-HW-APL-XL
The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with Cisco IMC 4.0(4c) and later. Do not update later than Cisco IMC 4.0(4b).
Installing Cisco DNA Center
You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide.
 Note |
The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.
|
For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide.
Cisco DNA Center Platform Support
For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.
Support for Cisco Connected Mobile Experiences
Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) 10.6.1. Earlier versions of CMX are not supported.
Note |
While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password. |
Plug and Play Considerations
Plug and Play Support
General Feature Support
Plug and Play supports the following features, depending on the Cisco IOS software release on the device:
-
AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.
-
Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)
Secure Unique Device Identifier Support
The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:
-
Cisco routers:
-
Cisco ISR 1100 Series with software release 16.6.2
-
Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later
-
Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1
-
-
Cisco switches:
-
Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later
-
Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later
-
Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later
-
Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later
-
Cisco Catalyst 9300 Series with software release 16.6.1 or later
-
Cisco Catalyst 9400 Series with software release 16.6.1 or later
-
Cisco Catalyst 9500 Series with software release 16.6.1 or later
-
Cisco Catalyst IE3300 Series with software release 16.10.1e or later
-
Cisco Catalyst IE3400 Series with software release 16.11.1a or later
-
-
NFVIS platforms:
-
Cisco ENCS 5400 Series with software release 3.7.1 or later
-
Cisco ENCS 5104 with software release 3.7.1 or later
-
Note |
Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:
|
Management Interface VRF Support
Plug and Play operates over the device management interface on the following platforms:
-
Cisco routers:
-
Cisco ASR 1000 Series with software release 16.3.2 or later
-
Cisco ISR 4000 Series with software release 16.3.2 or later
-
-
Cisco switches:
-
Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later
-
Cisco Catalyst 9300 Series with software release 16.6.1 or later
-
Cisco Catalyst 9400 Series with software release 16.6.1 or later
-
Cisco Catalyst 9500 Series with software release 16.6.1 or later
-
4G Interface Support
Plug and Play operates over a 4G network interface module on the following Cisco routers:
-
Cisco 1100 Series ISR with software release 16.6.2 or later
Configure Server Identity
To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternate Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.
The SAN requirement applies to devices running the following Cisco IOS releases:
-
Cisco IOS Release 15.2(6)E2 and later
-
Cisco IOS Release 15.6(3)M4 and later
-
Cisco IOS Release 15.7(3)M2 and later
-
Cisco IOS XE Denali 16.3.6 and later
-
Cisco IOS XE Everest 16.5.3 and later
-
Cisco IOS Everest 16.6.3 and later
-
All Cisco IOS releases from 16.7.1 and later
The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:
-
For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.
-
For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.
-
For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.
-
For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.
If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.
If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.
We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.
If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.
Note |
The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field. |
Bugs
Use the Bug Search Tool
Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.
Procedure
| Step 1 |
Enter the following URL in your browser: |
||
| Step 2 |
In the Log In window, enter your registered cisco.com username and password and click Log In. The Bug Search window opens.
|
||
| Step 3 |
To search for a specific bug, enter the bug ID in the Search For field and press Return. |
||
| Step 4 |
To search for bugs in the current release: |
Open Bugs—Non-High Availability
The following table lists the open non-HA bugs in Cisco DNA Center for this release.
|
Bug Identifier |
Headline |
|---|---|
|
Importing a Plug and Play CSV with 25 APs fails. |
|
|
Wireless controller goes into unmonitored state after a restore from the backup. |
|
|
Network health appears for the Cisco Catalyst 9800 wireless controller in both the monitored and unmonitored sections. |
|
| CSCvo44394 |
When you try to add Cisco ISE 2.4 to Cisco DNA Center 1.3, the following certificate error is generated: The workaround is to configure the network MTU size to 9100 between Cisco ISE and Cisco DNA Center. |
|
Device activation fails when the image is not the minimum supported image version. |
|
|
Devices remain in Partial Collection Failure state after an incomplete provision and resynch. This problem occurs only when there is an incomplete manual clearing of CLI commands on a device. When a device goes through the full removal flow, subsequent synchronizations work correctly. Related bug: CSCvj15139. |
|
|
A crash occurs when the RADIUS Change of Authorization (CoA) feature is triggered for an environment data update and the clear cts environment-data command is issued at the same time. The problem occurs because the clear cts environment-data command fails to clear the environment data. |
|
|
After you delete a wireless controller with 4000 APs from Cisco DNA Center, it takes 25 minutes or longer for the wireless controller to be removed from the inventory. |
|
|
Cisco Software-Defined Access: Events are missing from the Event Viewer on the Device 360 page. |
|
|
IR829 does not display the correct Gigabit interface in the WAN interface drop-down list. |
|
|
Software image management: Catalyst 6000 image activation fails while upgrading image version 152-2.SY to 152-2.SY*. |
|
|
A Cisco Catalyst 6000 ISSU upgrade from SY2 to SY3 fails when the device has snmp-server enable traps vstack in the running configuration. |
|
|
The Maglev Cassandra service fills up the disk with index files. |
|
|
A Cisco DNA Center local backup fails if the maglev password starts with special characters. |
|
|
The Time API takes a very long time to respond when there are multiple user sessions browsing the Assurance GUI. |
|
| CSCvp73793 |
The Cisco Catalyst 9800 wireless controller neighbor topology does not update the AP count in the inventory. |
|
Air quality is missing randomly from an AP 360 page health chart. |
|
|
Provisioning fails if you choose "Do not change" and enter an interface name. |
|
|
The Flex Connect SSID with Cisco Catalyst 9800 does not appear on an AP when you choose VLAN name management. |
|
|
External site borders point to other external borders in a site, which causes loops. |
|
|
Border Gateway Protocol (BGP) advertises Multicast Rendezvous Point (RP) /32 and /128 prefixes from non-RP borders. |
|
|
AP mode and uptime don't get updated, affecting Intelligent Capture functionality. |
|
|
After upgrading the embedded wireless software on Cisco Catalyst 9000 devices from 16.10.1.e to 16.11.1s, the AP country code configuration is lost. |
|
|
An image change on the wireless controller causes the AP Intelligent Capture 360 page to lose all data. |
|
|
After upgrading from Cisco DNA Center 1.2.3 or 1.2.6 to 1.2.8, then 1.2.10, then 1.3, the Network Plug and Play menu option is available under the Tools menu. (The Network Plug and Play menu option should not be present.) If you upgrade from Cisco DNA Center 1.2.10 to 1.3, the Network Plug and Play menu option is not available under the Tools menu, which is correct. |
|
|
Cisco DNA Center 1.3 SDA end users can HTTPS to the fabric edge default gateway IP address. |
|
|
Multicast does not work on an edge device that is added to a fabric on which multicast is already enabled. |
|
|
The NDP package upgrade fails from 1.2.10.4 to 1.3.0.3. The Elasticsearch pod does not run in the NDP namespace. |
|
|
Maglev upgrade from 1.2.12 to 1.3.0.3 fails with the error "Timeout waiting to pull system update hook bundle." |
|
|
After upgrading Cisco DNA Center to 1.3.0.4, the software image update status always shows Activation in progress. |
|
|
After upgrading to Cisco DNA Center 1.3.0.3 and enabling the Autoconf feature, macro configurations are not removed from extended nodes. |
|
|
When IPv4 multicasting is enabled on an edge device, Cisco DNA Center does not push the ip igmp explicit-tracking command to the Layer 2 handoff VLAN on the corresponding border device. |
|
|
Parent catalog settings validation fails and packages cannot be retrieved from the cloud. This problem occurs only when the proxy is not configured through the Config wizard during ISO install. To work around this problem, SSH to the cluster IP and enter magctl service restart -d catalogserver. Wait for 90 seconds and then enter maglev catalog settings validate. |
|
|
After migration, extended nodes are flagged as out of compliance. |
|
|
Deploying an onboarding interface fails with the following error: |
|
|
After upgrading or restarting a node, the API /api/system/v1/license/credentials/cco returns a 502 error code and CCO credentials are not set. To work around this problem, enter the following CLI command to restart the license service: Related bug: CSCvq70700. |
|
|
After upgrading from Cisco DNA Center 1.2.12 to 1.3.0.4, the command no macro auto global processing is not pushed to the edge node after enabling AVC. |
|
|
Catalyst 3k switch with 1.6GB flash size unable to do software image upgrade between 16.12.x images. |
Open Bugs—High Availability
The following table lists the open high availability (HA) bugs in Cisco DNA Center for this release.
|
Bug Identifier |
Headline |
|---|---|
|
In a three-node setup, if you bring down the node while LAN automation is in progress, the LAN automation status shows as complete, yet without success. This problem occurs if you perform a network-orchestration service restart or a full node restart while LAN automation is in progress. The network orchestration service doesn't resume the ongoing LAN automation session. It marks LAN automation as complete and releases all IP addresses allocated from IPAM. Users are expected to perform a configuration cleanup on the seed device, write-erase/reload discovered devices, and start a new LAN automation session. |
|
|
Maglev cassandra-1 goes into the crashloop state on a three-node cluster after upgrading Cisco DNA Center. |
|
|
The VIP toggles between the three nodes every minute and "Invalid VRRPv3 checksum" messages are seen in keepalived. |
Resolved Bugs
The following tables list the resolved bugs in Cisco DNA Center Release 1.3.0.x.
|
Bug Identifier |
Headline |
|---|---|
|
The increased length of the JWT token causes a wireless controller to fail posting WSA data. |
|
|
Backup fails with the error "Taskname-BACKUP.fusion:postgres. |
|
|
A system upgrade fails with the error "Kubernetes upgrade to version v1.10.2 failed." |
|
|
MongoDB doesn't perform write operations, causing the identitymgmt service and other dependencies to fail. |
|
|
Credential manager backup fails because the upsert to MongoDB fails. |
|
|
Cisco DNA Center may fail to consistently apply CLI templates for RADIUS NAC configurations on a wireless controller. |
|
|
In a three-node cluster, Cisco DNA Center might become unresponsive after more than 100 days of service. |
|
|
Clicking a device in the Provision tab generates the error "An unknown error occurred. Please try again." |
|
|
When provisioning a new AP, the policy tag gets deleted from the associated WLAN, and clients cannot access the WLAN. |
|
|
The Maglev server restarts continuously when the backup server becomes unreachable. |
|
|
A wireless connectivity problem occurs for a AAA override-enabled Virtual Extensible LAN (VXLAN) network identifier. |
|
Bug Identifier |
Headline |
|---|---|
|
A provisioning task hangs when the device is not reachable. |
|
|
Cisco Catalyst 9800 Series Wireless Controller provisioning fails when a special character is used in the Cisco ISE shared key. |
|
|
If there is a failure in the template, the failed status is not shown in red. |
|
|
Wireless controller provisioning fails with the error "NCWL10481: DeviceInfo with Id xxxx could not be fetched from SPR." |
|
|
Even though an image is present on the device, image distribution is triggered again. |
|
|
The GUI shows an inventory collection partial failure, even though the device is successfully provisioned by Cisco DNA Center. |
|
|
AP provisioning fails with the error "OwningEntityId" for a wireless controller that is missing in the database. |
|
|
LAN automation fails after updating the management IP address of the seed device. |
|
|
A vulnerability in the web-based user interface (Web UI) of Cisco DNA Center could allow an authenticated, remote attacker to perform an arbitrary command injection attack. The vulnerability is due to incorrect input validation of user-supplied data. An attacker could exploit this vulnerability by supplying a malicious input parameter on a form in the Web UI and then submitting that form. An exploit could allow the attacker to disable a menu option on the Web UI. |
|
|
Assurance API yields invalid values for client slot ID and health score. |
|
|
The ca/trustpool API returns a trustpool bundle instead of 404. |
|
|
A heatmap persists even after AP disassociation. |
|
|
Cisco DNA Center does not display virtual network information after upgrading from 1.2.10.4 to 1.3.0.3. |
|
|
Cisco DNA Center-managed fabric devices report being in "Failed" provisioning state, even though their last provisioning task completed successfully. |
|
|
Unable to modify a guest wireless SSID after upgrading from Cisco DNA Center 1.2 to 1.3 when Fast Transition is null. |
|
|
An unexpected "DHCP IP address obtain failure" issue occurs for IPv6-only clients. |
|
|
An access tunnel goes down and does not recover after applying a security fix with an AireOS wireless controller. |
|
|
Upgrade from Cisco DNA Center 1.2.12 to 1.3.0.4: Applying a security fix for Site 2 fails with errors for devices in Site 1. |
|
|
A vulnerability in the web-based management interface of Cisco DNA Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190205-dnac-xss |
|
|
The IP address manager (IPAM) service hangs and does not process requests in the RabbitMQ queue; multiple restarts are required to recover. |
|
|
Cisco DNA Center 1.3.0.3: WPA2 personal passphrase with "&" fails to provision a Cisco Catalyst 9800 Series Wireless Controller. |
|
|
Under heavy load, wireless clients are missing after several days. |
|
|
Unable to provision wireless controllers because AP groups are deleted from wireless controllers. |
|
|
AP provisioning fails with a "character '< ' is not allowed" error. |
|
|
Enhancement: Provide an option to configure the country code. |
|
|
A wired client does not show the correct value for the data transmitting and receiving rate. |
|
|
Cisco DNA Center image distribution to the switch expires after one hour. |
|
|
Cisco DNA Center is missing a port configuration and fails to deploy an onboarding interface. |
|
|
Cisco Catalyst 9800 Series Wireless Controller with scaled APs takes longer than three hours to synchronize. |
|
|
The Edit Virtual Network page under Host Onboarding is blank when the SGT is not available in Cisco ISE. |
|
|
Unable to delete a device from Inventory due to a constraint violation exception. |
|
|
Need a descriptive and user friendly message when integration fails due to an expired certificate. |
|
|
Inventory collection fails due to a ConstraintViolationException ACL. |
|
|
Inventory resync takes a long time for lldp_neighbors and VLAN features. |
|
|
CPU utilization goes high on a fabric-in-a-box device when the connected client is asleep and traffic comes in for a client. |
|
|
After successful bulk image distribution, some devices remain in distribution pending status. |
|
|
After upgrading to Cisco DNA Center 1.3.0.6, wireless connectivity problems might occur. If the IP pool association from the AAA override for a client is not defined as part of the Cisco DNA Center host onboarding, connectivity issues occur. The problem occurs because with Cisco DNA Center 1.3.0.6, all IP pools that are not associated with a fabric SSID are deleted from the wireless controller during reprovisioning. |
|
Bug Identifier |
Headline |
|---|---|
|
Creating virtual networks in host onboarding touches the network unnecessarily. |
|
|
Cisco Catalyst 9300 macros are applied to IP phone ports. |
|
|
When a configuration is pushed through Cisco DNA Center, unreachable devices should be skipped. |
|
|
The SPF service (spf-service-manager-service) restarts multiple times due to a java heap space out of memory error. |
|
|
Multiple template provisioning operations hang when there are unreachable devices. |
|
|
The SPF service (spf-service-manager-service) goes down after associating an IP pool to a virtual network. |
|
|
During provisioning, the SPF logs report a device cache lookup failure as "DeviceInfoCache: Cache lookup miss for key instanceUuid and value." The log is repeated several times because the cache is not updated with the data retrieved from the database after the initial cache lookup failure. |
|
|
During provisioning, a log message such as "Providing DataSource RemoteDCacheDataSource" is logged every time a device cache lookup occurs, which fills the SPF logs. |
|
Bug Identifier |
Headline |
|---|---|
|
Reprovisioning of devices managed by Cisco DNA Center results in looping validating the config. |
|
|
IP address management: Cannot create a global pool for IPv4. |
|
|
Cisco DNA Center does not deploy a CLI template to more than one device when the firewall profile is assigned to two or more sites. |
|
|
Provisioning a composite template with three templates fails before moving to success. |
|
|
During an upgrade to Cisco DNA Center 1.3, the GUI appears to hang at 40% complete. |
|
|
Fabric in a box: Synchronization occasionally takes longer than 30 minutes. |
|
|
CommonBorder issues with INFRA_VN pool addition/names. |
|
|
Cannot update the IP address pool in a virtual network. |
|
|
During LAN automation, Cisco DNA Center does not push "write memory" to the peer seed. |
|
|
Cisco DNA Center pushes the wrong Pre-Auth ACL. |
|
|
Devices are unreachable, partial collection failures occur, and SNMP timeouts occur frequently. |
|
|
IPSLA operation and reachability sessions are not cleaned up when an IP address is unprovisioned. |
|
|
Cannot create custom applications in Application Policy. |
|
|
Due to a large number of hung pykube connections, the Maglev server is unresponsive to services. |
|
|
While provisioning an IP pool in a virtual network, the following error is generated: "java.lang.OutOfMemoryError: GC overhead limit exceeded." |
|
|
Plug and Play UI: The Advanced Configuration is missing a scroll bar for templates with many attributes. |
|
|
Host onboarding hangs at "fetching interfaces details... please wait..." |
|
| CSCvq49071 |
CMX locations of clients are missing on Cisco DNA Center floor maps. |
|
Cisco DNA Center fails to provision a wireless controller. The error "Incorrect input!" is generated. |
|
|
Assurance incorrectly reports "Excessive time lag" for a wireless controller. |
|
|
Floor creation fails due to an internal server error 500. |
|
|
Cisco DNA Center silently pushes IBNS 2.0. |
|
|
Cisco DNA Center 1.3 upgrade fails due to tenant data migration. |
|
|
The same devices belong to unassigned and to a site. |
|
|
After adding a device to the fabric with Layer 3 handoff, the device domain name is lost. |
|
|
Cannot provision a template that contains the string "FAILED". |
|
|
Reprovisioning a wireless controller fails after site or floor deletion. |
|
|
The underlay custom route-map is removed during reprovisioning. |
|
|
Software upgrade shows inconsistent software upgrade status. |
|
|
Border devices are deleted from the inventory without the user explicitly deleting those devices. |
|
|
Cisco DNA Center cannot claim devices with the Composite Day 0 template. |
|
|
Cisco DNA Center upgrade fails due to tenant data migration: duplicated entry in serialnumberipaddressmapping. |
|
|
The platform exchange grid (PxGrid) service crashes due to a large number of scalable groups. |
|
|
Guest ACL reprovisioning fails on the 8.5 wireless controller. |
|
|
Cisco DNA Center upgrade from 1.2.12 to 1.3.0.4: Access-tunnel is gone on the access point connected to the extended node after applying the security fix. |
|
|
Adding internal border/Layer 3 handoff should not push config/connect to fabric edges. |
|
|
The WSDL certificate in Cisco DNA Center's EJBCA Public Key Infrastructure (PKI) broker service expired on October 4, 2019. After this server certificate expires, Cisco DNA Center clients that use the EJBCA service for secure sessions fail to connect. As a result, Cisco DNA Center fails to onboard the Embedded Wireless Controller on Cisco Catalyst 9800 series devices and 1800s wireless sensors. Apart from the Cisco Catalyst 9800 Series Wireless Controller, there is no impact to any other WLC, switch, or router onboarding, or any other feature in Cisco DNA Center. There is no workaround for this problem. You must upgrade Cisco DNA Center to a version that has been patched to include a new WSDL certificate. The following Cisco DNA Center releases have the fix with the new WSDL certificate: 1.2.10.5, 1.2.12.2, 1.3.0.4, and 1.3.1.1. The new certificate has a 20-year expiry. |
|
Bug Identifier |
Headline |
|---|---|
|
Device upgrade scenario must handle version changes. |
|
|
Deletion of an unreachable device fails in a nonfabric Assurance-only setup. |
|
|
Cisco DNA Center UI pages stop responding and display no values. |
|
|
While provisioning a device to a fabric with a template applied, the "ip dhcp snooping" command is not pushed to the devices in the fabric. |
|
|
Fabric in a Box does not differentiate Layer 2 from Layer 3 links. |
|
|
Provisioning an AP with the High RF profile fails with an internal error. |
|
|
AAA RADIUS primary Auth/Acct and secondary Auth/Acct indexes are changed when a wireless controller is provisioned. |
|
|
The Authentication configuration is not pushed to newly added switch stack members. |
|
|
An AP search using global search doesn't show all access points with duplicate names. |
|
|
Cannot reconfigure the edge switch port after the extended node is moved. |
|
|
The Template programmer service goes down. |
|
|
Reprovisioning fabric devices may cause removal of CTS commands. |
|
|
mongodb resource usage is 100% on a scale setup, causing performance issues. |
|
|
If you use the DNS name instead of the IP address in the URL to access the Cisco DNA Center UI, inventory data does not load. |
|
|
Cisco Catalyst 9800 Series Wireless Controller provisioning failure when special characters are used in the Cisco ISE shared key. |
|
|
Cisco DNA Center and Meraki Dashboard integration fails because of a missing systemName value. |
|
|
If you upgrade Cisco DNA Center 1.2.10 to 1.3 and make embedded wireless LAN controller image changes, the controller goes into Unmonitored state, and Assurance shows no client data. |
|
|
Backup/Restore GUI becomes unresponsive (until timeout) when backup server is unreachable. |
|
|
NetFlow is not pushed to the router interface when using the management IP. |
|
|
Cisco DNA Center doesn't remove the map-cache command from the second border/control plane when selecting "Connected to internet." |
|
|
When you create a new port channel, greyed out interfaces become selectable again via the filter output. |
|
|
When the secret key is changed, the confirmation message is unclear. |
|
|
Provisioning a composite template with three templates fails before moving to success. |
|
|
Spanning-tree portfast is not pushed when closed auth is used in host onboarding. |
|
|
After an upgrade, the compliance check fails with a false alarm for the fabric role on the Cisco Nexus 7000. |
|
|
In the Border Node Configuration page, when you click Details, it shows a page with only "test" on it. |
|
|
Device 360 page: Moving an issue to resolved state returns an error. |
|
|
Fabric-enabled wireless is not supported with Cisco Catalyst 9200 switches. |
|
|
Filtering for clients with SNR less than 9 dB fetches incorrect clients. |
|
|
Wireless controller inventory collection fails due to "ERROR: value too long for type character varying (255)". |
|
|
Cisco Catalyst 9000 readiness check fails for flash: "Need recommended storage but not found." |
|
|
Remove polling of "show licensing" command on Cisco Catalyst 4500 during resynchronization. |
|
|
In Assurance, resolving one issue updates all issues to resolved state. |
|
|
Cisco ISE-reported wireless client data causes Assurance to show wireless clients as wired clients. |
|
|
Physical Neighbor Topology blank, BadMessageException: 500: Request header too large. |
|
|
Template provisioning doesn't show the exact CLI command that failed due to an SSH connection time out. |
|
|
Wireless controller inventory collection fails with the error "unique constraint p2plinkterminationpoint_bk." |
|
|
An application upgrade fails due to tenant data migration. |
|
|
After enabling multicast, access points stop broadcasting their SSID and WLANs enter the down state. |
|
Bug Identifier |
Headline |
|---|---|
|
After an upgrade, an AireOS wireless LAN controller with TrustSec/SXP experiences partial collection failure. |
|
|
After an upgrade, reprovisioning fails for embedded wireless LAN controllers and AireOS wireless LAN controllers. |
|
|
Cisco DNA Center does not prevent you from removing an extended node Cisco Catalyst IE3300 or IE3400 device from the fabric and then adding it back to the fabric as an edge. In other words, you can manually add IE3300 and IE3400 extended nodes that have been removed from the fabric. |
|
|
Cannot add IPv6 to the fabric if external IP address managers (IPAMs) are used for IP pools. |
|
|
During an upgrade from Cisco DNA Center 1.2.8 to 1.2.10, the Cisco DNA Center 1.3 is Here! banner appears. However, if you upgrade to 1.3 without first upgrading the system to 1.2.10, package upgrade issues occur. |
|
|
A Cisco ISR 4400 border device returns an error when the fabric is enabled with a multicast rendezvous point on the other fabric border. |
|
|
After an upgrade, an embedded wireless LAN controller access point does not broadcast the SSID. |
|
|
Embedded wireless LAN controller provisioning fails with a Java null pointer exception. Related bug: CSCvp88853. |
|
|
A software maintenance update on a Cisco Catalyst 9000 with Release 16.9.3 fails with an "NCSW10363" error. |
|
|
After an upgrade, a Cisco IE5000 loses connectivity to Cisco DNA Center after the fabric is reconfigured. |
|
|
After an upgrade, the RADIUS configuration is removed and added back during reprovisioning. |
|
|
After an upgrade, Cisco DNA Center pushes incorrect PSN timeout values to switches. |
|
|
Deleting an extended node port channel from the edge causes the edge to lose connectivity to Cisco DNA Center. |
|
|
The Image Upgrade Readiness page shows the wrong golden image for the add-on package. |
|
|
After an upgrade, the first reprovisioning of an embedded wireless LAN controller fails. |
|
|
The fabric banner displays the oldest extended node error instead of the newest error. |
|
|
After an upgrade, reconfiguring the fabric fails with "NCSP10000: Internal error." |
|
|
Cisco DNA Center configures "map-cache ::/0 map-request" on border devices that are part of an IP transit, even though that configuration is not required. |
|
|
When upgrading the application packages after a Cisco DNA Center 1.3 system upgrade, the package upgrade might fail with a "tenant migration failure" error. The root cause is a missing device record in the GRT table. |
|
|
When upgrading the Cisco DNA Center cluster from 1.2.10 to 1.3, the sensor goes into Unclaimed state with "Error: [lua] handler.lua:303: ACCESS DENIED." |
|
Bug Identifier |
Headline |
|---|---|
|
For any NFVIS with version 3.7.x or earlier, there is no API to retrieve the system uptime. |
|
|
After a system update, the jboss service does not run for the next hour. After 1 hour, the service recovers automatically. |
|
|
Cisco 1800s running 8.8258.2 go into error state after an upgrade from Cisco DNA Center 1.2.6 to Cisco DNA Center 1.2.8. |
|
|
Purge and aggregation jobs do not run. |
|
|
When editing an existing test suite by changing its location, the existing sensor's configuration is removed without warning the user. |
|
|
An internal error occurs when you choose Add VNF and add a device to the Inventory. |
|
|
A system update fails if the hook-installer is not running. |
|
|
In the window, uptime (the period of time that a devices has been up and running) is not shown for NFVIS 3.10 and later devices. |
|
|
The Assurance topology graph does not show when a link is down, but the automation topology graph is updated. |
|
|
In the Inventory window, after you change the WAN IP address to the management IP address (and vice versa), interfaces are not listed in the NFVIS provisioning flow. |
|
|
After removing a failed node and adding a new node to a multihost cluster, app stack services go into a crashloop state. |
|
|
The Cisco Aironet 1800S Active Sensor doesn't pull software images immediately when inventoried, but only after a nightly synch. |
|
|
Cisco DNA Center and CMX 10.6 integration doesn't sync the floor and building automatically. |
|
|
Sensor: Test suites disappear after removing all sensors from inventory. |
|
|
During sensor test suite creation, all SSIDs are not being shown for the selected floor. |
|
|
It takes a few seconds to load the heat map and AP and client details. |
|
|
A Catalyst 9000 image cannot be assigned to Catalyst 9400 devices. |
|
|
When embedded wireless STP is turned on (the default is off), a path trace involving embedded wireless fails at the point between the embedded wireless controller and its connected switch. The path trace returns the error "Failed to obtain complete L2 path between routers." |
|
|
When updating Cisco DNA Center from 1.2.8 to 1.2.10, the following error is reported for the system update: To work around this problem, enter the magctl service restart -d system-updater command. |
|
|
On a restored cluster, new Assurance issues might not be generated. |
|
|
A system update fails around 88% with an error that the hook download failed. To work around this problem, retry the system update. |
|
|
Cisco DNA Center 1.2.10 (PxGrid client hangs): Integration fails when HA failover happens from a different Cisco ISE. |
|
|
Cisco ISE Policy Administration Node (PAN) HA failover is not auto detected by Cisco DNA Center. |
|
|
The NTP service does not recover from a failure on its own. |
|
|
A Cisco wireless LAN controller goes to unreachable and partial collection failure (SNMP timeout) frequently. |
Limitations and Restrictions
Backup and Restore Limitations
Backup and restore limitations and restrictions include:
-
You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.
-
After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose . Choose Edit for the server. Enter your Cisco ISE password to update.
-
After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.
-
Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.
-
Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.
-
You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.
HA Limitation
In this release, Cisco DNA Center provides HA support only for Automation and Cisco SD-Access. HA for Assurance is not supported.
Cisco ISE Integration Limitations
Cisco ISE integration limitations and restrictions include:
-
ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.
-
Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.
-
Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC5280 section-4.2.19).
-
The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.
-
If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.
-
The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.
-
Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.
-
Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.
Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.
-
The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.
Brownfield Feature-Related Limitations
Brownfield feature-related limitations include:
-
Cisco DNA Center cannot learn device credentials.
-
You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.
-
Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.
-
Cisco DNA Center can learn only one wireless controller at a time.
-
For site profile creation, only the AP groups with AP and SSID entries are considered.
-
Automatic site assignment is not possible.
-
SSIDs with an unsupported security type and radio policy are discarded.
-
For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.
-
The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.
-
The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.
-
When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.
-
A wireless conflict is based only on the SSID name, and does not consider other attributes.
Wireless Policy Limitation
Wireless policy limitations include:
-
If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise,
Policy Deployment failedis displayed.
Cisco Plug and Play Limitations
Plug and Play limitations and restrictions include:
-
Virtual Switching System (VSS) is not supported.
-
The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.
-
The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.
-
The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:
pnp startup-vlan <vlan_number>
AP Provisioning Failure Limitation
Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.
After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.
AP Performance Limitation
Provisioning of 100 APs takes longer in Cisco DNA Center, Release 1.3, than compared to 3 minutes in Cisco DNA Center, Release 1.2.10. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.
Inter-Release Controller Mobility (IRCM) Limitation
The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.
CMX Limitation
When integrating Cisco DNA Center with CMX 10.6.1, the site hierarchy that is created in Cisco DNA Center might not synchronize fully with CMX.
This problem occurs when CMX 10.6.1 is used and the site hierarchy in Cisco DNA Center contains one or more area elements that are children of other area elements; for example, Global > Area1 > Area1.1 > Building > Floor. CMX version 10.6.1 (and earlier) supports only hierarchies in the form of Global > Area > Building > Floor. CMX 10.6.1 does not support nested area elements.
The workaround is to rearrange the hierarchy in Cisco DNA Center so that there are no nested area elements. In other words, make sure the hierarchy is in the form of Global > Area > Building > Floor.
Intelligent Capture Limitations
Intelligent Capture limitations and restrictions include:
-
Cisco DNA Center might not receive anomaly packets.
Under the following conditions, an AP does not send anomaly packets to Cisco DNA Center; therefore, anomaly events don't have correlated captured packets in Cisco DNA Center:
-
An anomaly event throttle limit is reached inside an AP
-
An AP consumes high CPU
-
A client roams to a non-Intelligent Capture AP
-
A wireless controller sends delete mobile to an AP before an anomaly timer is triggered
-
-
Enabling live or scheduled packet capture fails because the wireless controller exceeds the 16 MAC address limit for partial packet capture.
Because the wireless controller can support a maximum of 16 MAC addresses for partial packet capture, if the list of MAC addresses on the wireless controller is not synchronized with Cisco DNA Center, enabling live or scheduled packet capture for a client fails with the following error messages:
Failed to enable partial packet trace. NCSP10001: User intent validation failed.Failed to enable partial packet trace. config icap global subscription client packet-trace partial filter add [CLIENT MAC] Max filters configured:Failed to add new filter.Failed to enable client RF statistics. NCSP10001: User intent validation failed.Failed to enable filter channel. NCSP10001: User intent validation failed.Any of the following events can cause an out-of-synch condition:
-
Partial packet capture is enabled directly on the wireless controller rather than on the Intelligent Capture UI
-
Cisco DNA Center is reimaged or upgraded without first disabling all Intelligent Capture features
-
The wireless controller is deleted and then rediscovered on Cisco DNA Center
-
-
Enabling data packet capture fails because there is an existing MAC address in a full packet trace subscription on the wireless controller.
Because the wireless controller supports only one MAC address for full packet capture, if there is an existing MAC address for full packet capture on the wireless controller, enabling data packet capture fails on that wireless controller. The following warning message is displayed:
Max filter allowed for this topic is 1. Remove existing client filter before adding a new filter.
Get Assistance from the Cisco TAC
Use this link to open a TAC case. Choose the following when opening a TAC case:
-
Technology: Cisco DNA - Software-Defined Access
-
Subtechnology: Cisco DNA Center Appliance (SD-Access)
-
Problem Code: Install, uninstall, or upgrade
Related Documentation
We recommend that you read the following documents relating to Cisco DNA Center:
| For This Type of Information... | See This Document... |
|---|---|
|
Release information, including new features, limitations, and open and resolved bugs. |
|
|
Installation and configuration of Cisco DNA Center, including postinstallation tasks. |
|
|
Upgrade information for your current release of Cisco DNA Center. |
|
|
Use of the Cisco DNA Center GUI and its applications. |
|
|
Configuration of user accounts, security certificates, authentication and password policies, and backup and restore. |
|
|
Security features, hardening, and best practices to ensure a secure deployment. |
|
|
Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases. |
|
|
Hardware and software support for Cisco SD-Access. |
|
|
Use of the Cisco DNA Assurance GUI. |
|
|
Use of the Cisco DNA Center platform GUI and its applications. |
|
|
Cisco DNA Center platform release information, including new features, deployment, and bugs. |
|
|
Use of the Cisco Wide Area Bonjour Application GUI. |
|
|
Use of the Stealthwatch Security Analytics Service on Cisco DNA Center. |
|
|
Use of Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center GUI. |
Cisco DNA Center Rogue Management Application Quick Start Guide |
Feedback