Release Notes for Cisco DNA Center, Release 2.1.2.x

This document describes the features, limitations, and bugs for Cisco DNA Center, Release 2.1.2.x. Now make your network faster, more secure, and more usable. Identify endpoints and visualize traffic flows to define access policies, give users more control, and get ready to tap the power of Wi-Fi 6.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History

Date | Change | Location
2021-08-19 | Added the open bug CSCvy30606. | Open Bugs
2021-07-14 | Updated the following packages for 2.1.2.7: Cloud Connectivity - Tethering; Network Data Platform - Core. | New and Changed Information
2021-07-08 | Explained how Cisco DNA Center collects telemetry data. | About Telemetry Collection
2021-07-02 | Noted that when there is a change in the deployment status of the Cisco ISE nodes, it takes up to 20 minutes for the status to reflect correctly on the Cisco DNA Center System 360 window. A job scans for the deployment, which could take up to 20 minutes or longer if Cisco ISE does not accept the connection request. | Limitations and Restrictions
2021-06-23 | Explained how to replace a Cisco Catalyst 9800 HA device that fails in a fabric setup. | Limitations and Restrictions
2021-06-11 | Added the list of packages in Cisco DNA Center 2.1.2.7. | New and Changed Information
2021-06-11 | Added the Resolved Bugs table for 2.1.2.7. | Resolved Bugs
2021-06-11 | Added the open bug CSCvy54005. | Open Bugs
2021-04-26 | Documented a limitation about device discovery with SNMPv3. | Limitations and Restrictions
2021-03-19 | Added the list of packages in Cisco DNA Center 2.1.2.6. | New and Changed Information
2021-03-19 | Added the Resolved Bugs table for 2.1.2.6. | Resolved Bugs
2021-02-05 | Updated the Network Controller Platform package for 2.1.2.5. | New and Changed Information
2021-01-20 | Added new hardware, Cisco Catalyst 8300 Series and 8500 Series Platforms, in Cisco DNA Center 2.1.2.4. | New and Changed Information
2021-01-15 | Added the list of packages in Cisco DNA Center 2.1.2.5. | New and Changed Information
2021-01-15 | Added the Resolved Bugs table for 2.1.2.5. | Resolved Bugs
2020-11-25 | Added the list of packages in Cisco DNA Center 2.1.2.4. | New and Changed Information
2020-11-25 | Added the Resolved Bugs table for 2.1.2.4. | Resolved Bugs
2020-11-25 | Added the open bugs CSCvw60711 and CSCvw60743. | Open Bugs
2020-10-16 | Added the list of packages in Cisco DNA Center 2.1.2.3. | New and Changed Information
2020-10-16 | Added the Resolved Bugs table for 2.1.2.3. | Resolved Bugs
2020-10-16 | Added various open bugs. | Open Bugs; Open Bugs—High Availability
2020-08-31 | Initial release. | 

Upgrade to the Latest Cisco DNA Center Release

For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.

New and Changed Information

To download Cisco DNA Center software, go to https://software.cisco.com/download/home/286316341/type.

Table 2. Updated Packages and Versions in Cisco DNA Center Release 2.1.2.x

Package Name | Release 2.1.2.7 | Release 2.1.2.6 | Release 2.1.2.5 | Release 2.1.2.4 | Release 2.1.2.3 | Release 2.1.2.0

System Updates
System | 1.5.285 | 1.5.279 | 1.5.255 | 1.5.248 | 1.5.225 | 1.5.208
System Commons | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555

Package Updates
Access Control Application | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
AI Endpoint Analytics | 1.2.1.621 | 1.2.1.549 | 1.2.1.427 | 1.2.1.427 | 1.2.1.381 | 1.2.1.320
AI Network Analytics | 2.4.29.0 | 2.4.26.0 | 2.4.26.0 | 2.4.23.0 | 2.4.18.0 | 2.4.15.0
Application Hosting | 1.4.300.210508 | 1.4.299.201120 | 1.4.292.201020 | 1.4.292.201020 | 1.4.272.200923 | 1.4.244.200727
Application Policy | 2.1.267.170295 | 2.1.266.170289 | 2.1.265.170278 | 2.1.264.170254 | 2.1.263.170213 | 2.1.260.170177
Application Registry | 2.1.267.170295 | 2.1.266.170289 | 2.1.265.170278 | 2.1.264.170254 | 2.1.263.170213 | 2.1.260.170177
Application Visibility Service | 2.1.267.170295 | 2.1.266.170289 | 2.1.265.170278 | 2.1.264.170254 | 2.1.263.170213 | 2.1.260.170177
Assurance - Base | 2.1.2.537 | 2.1.2.500 | 2.1.2.437 | 2.1.2.409 | 2.1.2.353 | 2.1.2.273
Assurance - Sensor | 2.1.2.531 | 2.1.2.496 | 2.1.2.435 | 2.1.2.403 | 2.1.2.341 | 2.1.2.272
Automation - Base | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Automation - Intelligent Capture | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Automation - Sensor | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Cisco DNA Center Global Search | 1.2.5.14 | 1.2.5.14 | 1.2.5.12 | 1.2.5.12 | 1.2.5.12 | 1.2.5.9
Cisco DNA Center Platform | 1.3.99.304 | 1.3.99.283 | 1.3.99.272 | 1.3.99.268 | 1.3.99.247 | 1.3.99.194
Cisco DNA Center UI | 1.5.1.69 | 1.5.1.60 | 1.5.1.45 | 1.5.1.39 | 1.5.1.31 | 1.5.1.26
Cisco SD-Access | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62577
Cisco Umbrella | 2.1.267.592472 | 2.1.266.592420 | 2.1.265.592334 | 2.1.264.592297 | 2.1.263.592248 | 2.1.260.592206
Cloud Connectivity - Data Hub | 1.6.0.380 | 1.6.0.162 | 1.6.0.162 | 1.6.0.162 | 1.6.0.162 | 1.6.0.162
Cloud Connectivity - Tethering | 1.3.1.108 (updated on 2021-07-14; the originally released package version was 1.3.1.102) | 1.3.1.97 | 1.3.1.97 | 1.3.1.97 | 1.3.1.86 | 1.3.1.86
Cloud Device Provisioning Application | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Command Runner | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Device Onboarding | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Disaster Recovery | 2.1.267.362270 | 2.1.266.362261 | 2.1.264.362247 | 2.1.264.362247 | 2.1.263.362225 | 2.1.260.362216
Group-Based Policy Analytics | 1.0.1.158 | 1.0.1.158 | 1.0.1.158 | 1.0.1.158 | 1.0.1.158 | 1.0.1.158
Image Management | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Machine Reasoning | 2.1.267.215230 | 2.1.266.215219 | 2.1.265.215198 | 2.1.264.215191 | 2.1.263.215185 | 2.1.260.215163
NCP - Base | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
NCP - Services | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Network Controller Platform | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62755 (updated on 2021-02-05; the originally released package version was 2.1.265.62735) | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
Network Data Platform - Base Analytics | 1.5.1.209 | 1.5.1.187 | 1.5.1.181 | 1.5.1.177 | 1.5.1.170 | 1.5.1.167
Network Data Platform - Core | 1.5.1.869 (updated on 2021-07-14; the originally released package version was 1.5.1.868) | 1.5.1.805 | 1.5.1.727 | 1.5.1.695 | 1.5.1.557 | 1.5.1.495
Network Data Platform - Manager | 1.5.1.159 | 1.5.1.155 | 1.5.1.151 | 1.5.1.147 | 1.5.1.139 | 1.5.1.136
Path Trace | 2.1.267.62937 | 2.1.266.62815 | 2.1.265.62735 | 2.1.264.62702 | 2.1.263.62640 | 2.1.260.62555
RBAC Extensions | 2.1.266.1905024 | 2.1.266.1905024 | 2.1.265.1905023 | 2.1.264.1905022 | 2.1.263.1905019 | 2.1.260.1905017
Rogue and aWIPS | 2.0.0.51 | 2.0.0.51 | 2.0.0.39 | 2.0.0.39 | 2.0.0.39 | 2.0.0.36
Stealthwatch Security Analytics | 2.1.267.1095374 | 2.1.266.1095317 | 2.1.265.1095220 | 2.1.264.1095191 | 2.1.263.1095141 | 2.1.260.1095096
Wide Area Bonjour | 2.4.265.75003 | 2.4.265.75003 | 2.4.264.12003 | 2.4.264.12003 | 2.4.263.75028 | 2.4.260.12079
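The following Python script is an added example, not Cisco tooling, that reads an excerpt of Table 2 and answers two questions an operator has at upgrade time: which packages actually changed between two releases, so that post-upgrade testing can be focused on them, and whether the package versions an appliance reports match the versions the target release ships. The release list and the package rows are copied from Table 2; the "installed" snapshot in the usage block is constructed for illustration, and the appliance command that would produce such a snapshot is not part of the example.

```python
"""Compare Table 2 package versions across releases and check an installed
snapshot against a target release. Added example; the data is an excerpt of
Table 2 and the 'installed' snapshot is constructed."""
from typing import Dict, List, Tuple

RELEASES = ["2.1.2.7", "2.1.2.6", "2.1.2.5", "2.1.2.4", "2.1.2.3", "2.1.2.0"]

# Excerpt of Table 2: one version per release, in the order of RELEASES.
PACKAGES: Dict[str, List[str]] = {
    "System": ["1.5.285", "1.5.279", "1.5.255", "1.5.248", "1.5.225", "1.5.208"],
    "AI Endpoint Analytics": ["1.2.1.621", "1.2.1.549", "1.2.1.427", "1.2.1.427", "1.2.1.381", "1.2.1.320"],
    "Cloud Connectivity - Tethering": ["1.3.1.108", "1.3.1.97", "1.3.1.97", "1.3.1.97", "1.3.1.86", "1.3.1.86"],
    "Group-Based Policy Analytics": ["1.0.1.158"] * 6,
    "Network Controller Platform": ["2.1.267.62937", "2.1.266.62815", "2.1.265.62755",
                                    "2.1.264.62702", "2.1.263.62640", "2.1.260.62555"],
    "RBAC Extensions": ["2.1.266.1905024", "2.1.266.1905024", "2.1.265.1905023",
                        "2.1.264.1905022", "2.1.263.1905019", "2.1.260.1905017"],
    "Rogue and aWIPS": ["2.0.0.51", "2.0.0.51", "2.0.0.39", "2.0.0.39", "2.0.0.39", "2.0.0.36"],
    "Stealthwatch Security Analytics": ["2.1.267.1095374", "2.1.266.1095317", "2.1.265.1095220",
                                        "2.1.264.1095191", "2.1.263.1095141", "2.1.260.1095096"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.1.267.62937' -> (2, 1, 267, 62937), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def expected_versions(release: str) -> Dict[str, str]:
    """Package -> version that Table 2 lists for the given release."""
    idx = RELEASES.index(release)  # ValueError for a release the table does not cover
    return {name: versions[idx] for name, versions in PACKAGES.items()}


def changes_between(old_release: str, new_release: str) -> List[Tuple[str, str, str]]:
    """Packages whose version differs between two releases, as (name, old, new)."""
    old, new = expected_versions(old_release), expected_versions(new_release)
    return sorted((name, old[name], new[name]) for name in PACKAGES if old[name] != new[name])


def check_installed(installed: Dict[str, str], release: str) -> Dict[str, str]:
    """Classify every package as ok / stale / newer than expected / missing / not listed."""
    expected = expected_versions(release)
    report: Dict[str, str] = {}
    for name, have in installed.items():
        if name not in expected:
            report[name] = f"not listed for {release}"
            continue
        want = expected[name]
        if parse_version(have) == parse_version(want):
            report[name] = "ok"
        elif parse_version(have) < parse_version(want):
            report[name] = f"stale ({have} < expected {want})"
        else:
            report[name] = f"newer than expected ({have} > {want})"
    for name in expected:
        report.setdefault(name, "missing")
    return report


if __name__ == "__main__":
    for name, old, new in changes_between("2.1.2.6", "2.1.2.7"):
        print(f"{name}: {old} -> {new}")
    # Constructed snapshot of what an appliance might report after an upgrade.
    snapshot = {"System": "1.5.279", "Rogue and aWIPS": "2.0.0.51", "RBAC Extensions": "2.1.266.1905024"}
    for name, status in sorted(check_installed(snapshot, "2.1.2.7").items()):
        print(f"{name}: {status}")
```

Two details worth noticing in the data itself: Group-Based Policy Analytics and RBAC Extensions do not change between 2.1.2.6 and 2.1.2.7, so a resolved bug in those areas cannot come from a package update in that step, and the versions must be compared numerically because the last field grows to six digits.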

New and Changed Features

The following table summarizes the new and changed features in Release 2.1.2.6.

Table 3. New and Changed Features in Cisco Software-Defined Access 2.1.2.6
Feature Description

Ability to select multiple interfaces in Layer 2 Handoff

With this release, Cisco DNA Center provides the ability to hand off a virtual network on more than one interface. Layer 2 Handoff for a segment can also be done on two different devices.

The following tables summarize the new and changed features in Release 2.1.2.4.

Table 4. New and Changed Features in Cisco DNA Center 2.1.2.4
Feature Description

Model Config Editor

With this release, the Cisco DNA Center Model Config Editor allows you to configure Passive Client, Network Admission Control (NAC), Dynamic Host Configuration Protocol (DHCP), and Local Authentication in Advanced SSID Configuration on Cisco Catalyst 9800 Series Wireless Controller.

The Network Admission Control (NAC-SNMP) feature is not supported on the Cisco Catalyst 9800 Series Wireless Controller.

Table 5. New and Changed Features in Cisco Software-Defined Access 2.1.2.4
Feature Description

IP Device Tracking at the site level

Beginning with this release, you can enable IP device tracking (IPDT) for a site. By default, IPDT settings are disabled at the global site.

When you upgrade from an earlier release to Cisco DNA Center Release 2.1.2.4, IPDT settings are enabled for all the pre-existing fabric sites and devices.

You cannot disable the IPDT configuration for a fabric site irrespective of whether it is an upgrade or a new deployment.

Table 6. New Hardware in Cisco Software-Defined Access 2.1.2.4
Device Role Product Family Part Number Description

Fabric border and control plane node

Cisco Catalyst 8500 Series Edge Platforms

C8500-12X

C8500-12X4QC

Cloud edge platforms that are purpose-built for high-performance SD-WAN. They offer feature parity with existing Cisco 1000 Series Aggregation Services Routers.

Cisco Catalyst 8300 Series Edge Platforms

C8300-1N1S-4T2X

C8300-1N1S-6T

C8300-2N2S-4T2X

C8300-2N2S-6T

Cloud edge platforms that are purpose-built for high performance, supporting 10 GE, high availability, and advanced SD-WAN capabilities. They offer full-feature parity and module portability with Cisco Integrated Services Routers (ISRs).

The following tables summarize the new and changed features in Release 2.1.2.0.

Table 7. New and Changed Features in Cisco DNA Center 2.1.2.0
Feature Description

Updated navigation

When you log in to the Cisco DNA Center GUI, you'll notice that the navigation is streamlined in an easy-to-use menu with simplified headers.

The new menu centralizes the user experience, making it easy to locate all functions and tasks in Cisco DNA Center. The menu has a black background that makes the menu options stand out clearly.

After you make your menu selections, the window title shows the menu path.

Menu changes

In earlier releases, the Tools menu was located at the top-right corner of the GUI, in the global toolbar. The System Settings and log out link were under the gear icon, in the global toolbar.

With the new menu, the Tools, System Settings, and Sign Out have been placed with the other menus in one integrated structure, meaning you start any journey in Cisco DNA Center from the same place.

Enhancements to System Settings

The System Settings have been redesigned in this release. Click the Menu icon and choose System > Settings.

The settings are grouped and categorized for ease of use. The landing page displays all the available settings in an easy-to-navigate view.

Use the search icon at the top left corner to search for a specific setting. As you enter information, Cisco DNA Center displays a list of possible options. For example, start typing account in the search field to quickly jump to the Smart Account or Account Lockout window.

Persistent site context

In this release, the GUI maintains the context of a site. For example, click the Menu icon and choose Design > Network Hierarchy.

In the Network Hierarchy window, expand the global hierarchy and drill down to a site.

Click the gear icon and choose View Devices. The Inventory window is displayed with the contextual selection.

Similarly, if you choose Design > Network Settings, the context of the site is maintained, and you can view the settings for the selected site.

Enhancements to Take a Tour

We have enhanced the Take a Tour functionality.

On the home page, click Take a Tour for a quick overview of the Search, Help, and Software Updates menus.

Then, click the Menu icon and choose Provision > Devices > Inventory.

In the Inventory window, click Take a Tour for an overview of the Inventory features.

Workflows

Workflows are new in this release.

In the GUI, click the Menu icon and choose Workflows.

A library of available workflows is displayed. These workflows guide you step-by-step through a particular task. For example, click Create a Role and define a custom role that permits or restricts user access to certain Cisco DNA Center functions.

If you don’t have time to complete a workflow, your work is automatically saved as in progress, and you can resume later.

System health

From the System Health page, you can monitor the health of the physical components on your Cisco DNA Center appliances and keep tabs on any issues that may occur.

System topology

From the System Health page's system topology, you can view a graphical representation of your Cisco DNA Center appliances and the external systems that are connected to your network, such as Cisco Connected Mobile Experiences (Cisco CMX) and Cisco ISE. From here, you can quickly identify any network components that are experiencing an issue and require further attention.

Disaster recovery

Disaster recovery builds upon the high availability (HA) that Cisco DNA Center already provides by adding another layer of redundancy to safeguard against network downtime. HA deals with a cluster node failure by switching operations to connected cluster nodes. Disaster recovery deals with a cluster failure by handing off network management duties to a connected cluster.

Note 

For the prerequisites, see the "Implement Disaster Recovery" chapter in the Cisco DNA Center 2.1.2 Administrator Guide.

Application Visibility

The Application Visibility service, hosted as an application stack within Cisco DNA Center, allows you to enable the Controller-Based Application Recognition (CBAR) function on a specific device to classify thousands of network and home-grown applications and network traffic.

Application Policy support for Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers

Application policy support is extended for Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers N + 1 high availability (HA) in nonfabric mode.

Cisco Umbrella

Cisco DNA Center provides a GUI-based workflow to enable Cisco Umbrella configurations on network devices so that external traffic goes to Cisco Umbrella, where specific security policies can be enforced.

Role-based access control

Cisco DNA Center supports role-based access control (RBAC), which enables a user with SUPER-ADMIN-ROLE privileges to define custom roles that permit or restrict users' access to certain Cisco DNA Center functions.

External authentication fallback

The external authentication fallback behavior has changed in this Cisco DNA Center release. In releases earlier than 2.1.x, when external authentication is enabled, Cisco DNA Center falls back to local users if the AAA server is unreachable. In the current release, Cisco DNA Center does not fall back to local users if the AAA server is unreachable, so an AAA outage locks out externally authenticated users until the server is reachable again. If you re-enable fallback, keep in mind that the local accounts then become a usable login path whenever the AAA server cannot be reached, so they need strong credentials and the same monitoring as the external accounts.

To enable external authentication fallback, SSH to the Cisco DNA Center instance and enter the following CLI command:

magctl rbac external_auth_fallback enable

Audit logging

Audit logs record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system are logged in separate log files for auditing.

The Audit log page displays the following logs:

  • Umbrella provisioning workflow

  • Create logs for Umbrella settings

  • Edit logs for Umbrella settings

  • Delete logs for Umbrella settings

The Audit log page displays the following logs (along with the serial number and device name) when you:

  • Add a new device in Plug and Play

  • Claim a device in Plug and Play

  • Edit a device entry in Plug and Play

  • Reset a device in Plug and Play

  • Delete a device in Plug and Play

Audit logs display wireless logs such as Create, Update, Delete, and Failed logs for fabric and nonfabric networks.

Audit logs also display northbound operation details such as POST, DELETE, and PUT with payload information, and southbound operation details such as the configuration pushed to a device. For detailed information about the APIs on Cisco DevNet, see Cisco DNA Center Platform Intent APIs.

IP Address Manager

Cisco DNA Center now supports synchronizing existing IP address pools with a third-party IPAM server. Cisco DNA Center can also read from an existing IPAM server, and lets you change the username or password that it uses for the external IPAM server.

IP address range and exclude IP address

Cisco DNA Center lets you enter a range of IP addresses, and exclude specific IP addresses, in the discovery details.

Support for global credentials and HTTP(S) credentials

You can add network devices using global credentials in CLI, SNMP, and HTTP(S).

For the Meraki dashboard, HTTP(S) credentials are mandatory and consist of an API key and an organization key.

Enhanced telemetry collection

The telemetry feature collects user information and provides valuable data about the status and capabilities of the Cisco DNA Center appliance.

Enhanced Device Controllability

The following device settings are enabled as part of Device Controllability during discovery or at runtime:

  • Device Discovery

    • SNMP Credentials

    • NETCONF Credentials

  • Adding Devices to Inventory

    • Cisco TrustSec (CTS) Credentials

    • IPDT Enablement

  • Assigning Devices to a Site

    • Controller Certificates

    • SNMP Trap Server Definitions

    • Syslog Server Definitions

    • NetFlow Server Definitions

    • Wireless Service Assurance (WSA)

Global map export

You can export the selected global map hierarchy and download the file.

Customized login message

You can customize a message for all users to see when they log in to the Cisco DNA Center appliance.

Enhanced system settings

The following system settings are enhanced:

  • Cisco Account Credentials

  • Connection Mode

  • PnP Connect

  • Smart Account

  • Smart License Enablement

Smart Account credentials

Connect to your Smart Licensing account for entitlement and license management.

Configure telemetry

Application telemetry lets you configure global network settings on devices for monitoring and assessing their health.

From this release, Network Telemetry is removed from the Tools menu.

Automated DHCP-based discovery for a replacement device in fabric

In earlier releases, when a device was replaced in the fabric, the replacement device had to be configured manually with a static IP address so that it appeared in Cisco DNA Center through discovery; it was then provisioned through the RMA workflow with the same configuration as the failed device.

In this release, a DHCP scope with option 43 is created on the upstream neighbor device in the fabric, so that when the replacement device is plugged in, it appears as an unclaimed device in Cisco DNA Center and can be provisioned with the same configuration as the failed device. This functionality is also supported when the border and control plane roles, or the border and edge roles, are colocated on the same device.
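The DHCP option 43 string that tells a PnP agent where Cisco DNA Center is uses the Cisco PnP vendor format: a semicolon-separated list beginning with 5A1N, where B1 or B2 says whether the server is given as a hostname or an IPv4 address, K4 or K5 selects HTTP or HTTPS, I carries the server, and J the TCP port. The Python below is an added example (not Cisco code) that builds that string and the matching IOS-XE DHCP pool stanza, parses it back with validation, and flags the choices a reviewer would question before the scope is pushed to the upstream neighbor. The addresses, pool name, and port values are assumptions. Prefer K5 (HTTPS) so the bootstrap exchange is not in plaintext; DHCP itself is unauthenticated, so the segment the replacement device boots on must be one where only the intended DHCP server can answer.

```python
"""Build, parse and review a Cisco PnP DHCP option 43 string. Added example;
the vendor-string layout is the Cisco PnP format, the addresses are assumed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Cisco PnP option 43 vendor string, fields separated by ';':
#   5A1N   PnP signature (first field)
#   B1/B2  server given as hostname (B1) or IPv4 address (B2)
#   K4/K5  transport: HTTP (K4) or HTTPS (K5)
#   I...   server hostname or address
#   J...   TCP port
# Any further fields are kept as-is so they survive a decode/encode round trip.
PNP_SIGNATURE = "5A1N"
_FIELD_RE = re.compile(r"^(?P<key>[A-Z])(?P<value>.*)$")


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class PnpOption43:
    server: str
    port: int
    https: bool = True
    extra: Dict[str, str] = field(default_factory=dict)

    def encode(self) -> str:
        """Return the ASCII vendor string to place in DHCP option 43."""
        addr_type = "B2" if _is_ipv4(self.server) else "B1"
        transport = "K5" if self.https else "K4"
        fields = [PNP_SIGNATURE, addr_type, transport, f"I{self.server}", f"J{self.port}"]
        fields += [f"{key}{value}" for key, value in self.extra.items()]
        return ";".join(fields)

    def ios_dhcp_pool(self, pool_name: str, network: str, gateway: str) -> str:
        """IOS-XE DHCP pool stanza for the upstream fabric neighbor (assumed values)."""
        net = ipaddress.IPv4Network(network)
        return "\n".join([
            f"ip dhcp pool {pool_name}",
            f" network {net.network_address} {net.netmask}",
            f" default-router {gateway}",
            f' option 43 ascii "{self.encode()}"',
        ])


def decode(option43: str) -> PnpOption43:
    """Parse a vendor string back into its fields, rejecting malformed input."""
    parts = option43.split(";")
    if parts[0] != PNP_SIGNATURE:
        raise ValueError(f"not a Cisco PnP option 43 string: {option43!r}")
    kv: Dict[str, str] = {}
    for part in parts[1:]:
        match = _FIELD_RE.match(part)
        if not match or match["key"] in kv:
            raise ValueError(f"malformed or duplicate field: {part!r}")
        kv[match["key"]] = match["value"]
    for required in ("B", "K", "I", "J"):
        if required not in kv:
            raise ValueError(f"missing field {required}")
    if kv["B"] not in ("1", "2") or kv["K"] not in ("4", "5"):
        raise ValueError("unsupported address type or transport")
    if kv["B"] == "2" and not _is_ipv4(kv["I"]):
        raise ValueError(f"B2 declared but {kv['I']!r} is not an IPv4 address")
    if not kv["J"].isdigit() or not 0 < int(kv["J"]) < 65536:
        raise ValueError(f"bad port {kv['J']!r}")
    extra = {key: value for key, value in kv.items() if key not in "BKIJ"}
    return PnpOption43(server=kv["I"], port=int(kv["J"]), https=(kv["K"] == "5"), extra=extra)


def review(option43: str) -> List[str]:
    """Findings a reviewer would raise before the scope is pushed to the neighbor."""
    opt = decode(option43)
    findings: List[str] = []
    if not opt.https:
        findings.append("K4: PnP bootstrap over plaintext HTTP; use K5 (HTTPS)")
    if opt.https and opt.port == 80:
        findings.append("K5 with port 80: check that the port matches the HTTPS listener")
    if not opt.https and opt.port == 443:
        findings.append("K4 with port 443: transport and port disagree")
    return findings


if __name__ == "__main__":
    opt = PnpOption43(server="10.1.1.10", port=443, https=True)  # assumed controller address
    print(opt.ios_dhcp_pool("PNP-REPLACEMENT", "10.10.10.0/24", "10.10.10.1"))
    for finding in review("5A1N;B2;K4;I10.1.1.10;J80"):
        print("finding:", finding)
```

Run it and the stanza printed is what the fabric neighbor needs; the second call shows the review rejecting the common HTTP-on-port-80 string that is often copied from older examples.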

RMA support for SMUs and packages

The Return Material Authorization (RMA) workflow now also handles software maintenance updates (SMUs) and packages when a device is replaced.

RMA support for pushing latest configuration from faulty device to replaced device

The latest configuration changes are pushed from the faulty device to the replaced device during the RMA workflow.

SNMPv3 support in device RMA

Device RMA supports deploying SNMPv3 credentials to the replacement device during the RMA workflow.

Provision filter enhancement

You can use the Filter option to display specific information about the devices in the inventory with the following types of filters:

  • Quick Filter

  • Advanced Filters

  • Recent Filters

Site-to-site VPN

The Site-to-Site VPN service lets you create a VPN between sites.

View IP address pools

In the IP Address Pools window, you can view 10 or more IP address pools in table view and tree view.

Security Advisories overview

As a Cisco DNA Center user, you have the ability to opt in or out of telemetry that Cisco collects. The telemetry is designed to help the development of features you use within each dashboard, such as Security Advisories.

View security advisories

The Overview tab with its security advisories graphic displays the distribution percentage of impact on the network.

Cisco DNA Center matches security advisories to devices either by image version or by configuration. An image version match means only that the running image is one the advisory lists as affected; a configuration match means the device configuration also contains the feature the advisory describes, which is the stronger indication that the device is actually exposed.

Schedule a security advisories scan

The Cisco DNA Center Security Advisory Scan lets you either scan the network immediately or schedule a scan on a recurring basis for a later date and time.

Network Reasoner tool

The Cisco DNA Center Network Reasoner tool lets you troubleshoot issues on your network devices.

Machine Reasoning Knowledge Base

Whenever there is a new update in the existing Network Reasoner workflow, AVAILABLE UPDATE appears in the Machine Reasoning Knowledge Base window, with details about the new update.

Cisco Group-Based Policy Analytics

Cisco Group-Based Policy Analytics is a network visibility tool that is built on the Network Data Platform (NDP) in Cisco DNA Center. Cisco Group-Based Policy Analytics ingests telemetry from Cisco Identity Services Engine (ISE), Cisco Stealthwatch, and NDP; discovers endpoints across the network; and visualizes the activity between them. Cisco Group-Based Policy Analytics collaborates with other Cisco DNA Center-based applications to provide a streamlined policy workflow experience.

Interactive help

Interactive Help opens a menu of interactive help flows that let you complete specific tasks from the GUI.

Application hosting on Cisco Catalyst 9000 Series APs

Application hosting lets you manage the lifecycle of third-party applications on devices that Cisco DNA Center manages. This release lets customers bring in the third-party SES-imagotag IoT Connector application on Cisco Catalyst 9000 Series Access Points running Cisco IOS-XE software version 17.3.

The SES-imagotag IoT Connector on the Cisco Catalyst 9000 Series Access Points can handle all Electronic Shelf Label (ESL) communication.

Change to AP VLAN 2045 in relation to the VLAN naming schema

You can enter a custom VLAN name (CUSTOM_AP_NAME) for the AP IP pool. If a custom name is not entered, the VLAN name inherits the IP pool address with the INFRA_VN suffix (IP_ADDRESS_INFRA_VN).

Inventory enhancements

Inventory now displays the VLAN ports, power supply, and fan status of devices, as well as ping reachability and device manageability status.

Troubleshoot device reachability issues

You can launch the Run Commands window from the Inventory window and run platform commands such as ping, traceroute, and snmpget to troubleshoot device reachability issues.

Enable application telemetry on devices

Cisco DNA Center automatically enables application telemetry on all applicable interfaces or WLANs that are selected based on the new automatic interfaces or WLAN selection algorithm.

Application Visibility Service support for Cisco DNA Traffic Telemetry Appliance

You can enable CBAR on the Cisco DNA Traffic Telemetry Appliance.

Error message in creating and importing new application workflow

If the new application name or the new server name is the same as the existing application name or server name, an error message shows the conflicting name.

Protocol pack upgrade support for CBAR-enabled devices

All CBAR-enabled devices are upgraded from protocol pack version 33 to 48 when you upgrade to Cisco DNA Center 2.1.2.

Note 
After upgrading to protocol pack 48, if the existing custom application name conflicts with the NBAR application on the new protocol pack, the custom application name is modified by adding a "c_" prefix.

Cisco Umbrella support for Cisco Catalyst 9100 Series APs

Cisco DNA Center supports Cisco Catalyst 9100 Series APs.

Cisco Umbrella dashlet

You can add the Cisco Umbrella dashlet in the System 360 page. The Cisco Umbrella dashlet shows the configuration status of Cisco Umbrella with Cisco DNA Center.

Cisco Umbrella deployment workflow enhancements

You can now choose the SSIDs and select the required Cisco Umbrella policy for each SSID.

External file server for image distribution

You can configure an external file server and add the servers for software image distribution.

View image update status

You can view precheck and postcheck details in the Image Update Status window.

Support for bulk delete, edit, and release of IP pools

You can edit, delete, and release IP pools in bulk.

Heartbeat monitoring for IPAM servers

Displays IP address manager configuration data and the integration status.

Out of Compliance report

You can generate and export a report that shows all the devices that are out of compliance.

Compliance audit for network devices

Compliance helps network administrators identify devices that do not meet the compliance requirement in Cisco DNA Center.

Preview CLI in Device Provisioning workflow

You can view the CLI configuration before deploying the device configuration.

Table 8. New and Changed Features in Cisco DNA Automation
Feature Description

Model Config Editor

  • Model Config lets you define advanced customizations of the Cisco Validated Design (CVD) that is encapsulated within provisioning applications. Model Configs are a set of model-based, discoverable, and customizable configuration capabilities, which you can deploy on your network devices with high-level service intent and device-specific CLI templates.

  • The Model Configs feature simplifies network provisioning by abstracting complex device configurations and letting you customize network configurations from an intuitive GUI instead of device-specific CLIs. A common design is deployed to various device hardware platforms and software types in a uniform way. During deployments, the Cisco DNA Center infrastructure automatically validates the designs and translates them into device-specific CLI commands.

  • The Model config feature support is extended for Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers.

  • Cisco DNA Center now allows you to provision the Model configuration for Cisco Catalyst 9800 Series Wireless Controllers.

  • Multicast Configuration support is extended for Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers.

  • Advanced SSID Configuration Peer to Peer blocking support is extended for Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers.

  • Advanced SSID Configuration Network Admission Control support is extended for Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers.

  • In the Model config design for advanced SSID, Cisco DNA Center now allows you to either lock all the properties in a single click or lock each property individually.

  • The Advanced SSID model config editor also provides a tab view that shows the attribute groups.

  • You can now choose a default model config design in the Model config editor Design Instance window. You cannot edit or delete a default model config design.

Brownfield support for Cisco Catalyst 9800 Series Wireless Controllers

With Cisco DNA Center, you can add and provision brownfield Cisco Catalyst 9800 Series Wireless Controllers in the network. Brownfield refers to devices that belong to existing sites with pre-existing infrastructure.

Guest SSID with Layer 2 security support

Creating an SSID for a guest wireless network supports Layer 2 security with the following encryption and authentication types:

  • Enterprise: You can configure either WPA2 or WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is checked.

    WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides high-grade security protocols for sensitive data networks.
  • Personal: You can configure both WPA2 and WPA3 or configure WPA2 and WPA3 individually by checking the respective check boxes.

  • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to associate with the open secured SSID. You must create the open SSID before you can associate it with the open secured SSID.

  • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

Wireless automation support for disaster recovery

Wireless automation supports disaster recovery, in which a cluster failure is handled by handing off network management duties to a connected cluster.

Support for adding FlexConnect group names and AP groups during AP provisioning

You can customize AP groups and FlexConnect group names during AP provisioning through APIs.

This functionality is available only for Cisco AireOS Controllers.

Support for aWIPS

As the Cisco Adaptive Wireless Intrusion Prevention System (aWIPS) functionality is integrated into Cisco DNA Center, you must enable the aWIPS functionality within the Rogue Management dashboard to get a detailed threat analysis and global view of all rogue APs and aWIPS signatures detected on the network.

aWIPS is a wireless intrusion threat detection and mitigation mechanism intended to report and prevent attacks on wireless environments.

aWIPS is supported on Cisco Catalyst 9800 Series Wireless Controller Release 17.1, 17.2, 17.3, and later.

Cisco DNA Center supports the following standard aWIPS signatures in this release:

  • Authentication flood

  • Association flood

  • CTS flood

  • RTS flood

  • Broadcast probe

  • Disassociation flood

  • Disassociation broadcast

  • Deauthentication flood

  • Deauthentication broadcast

  • EAPOL logoff flood

Cisco Catalyst 9800 Series Wireless Controller Release 17.3 or later sends only one alarm per aWIPS signature, bundling all sources or destinations for that signature into the alarm.

Cisco Catalyst 9800 Series Wireless Controller Release 17.3 or later reports the AP MAC address as the threat MAC address for RTS and CTS floods.
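As an added example (not the aWIPS implementation), the Python below shows what the flood signatures in the list above detect: a burst of one management-frame subtype against a BSSID within a short window, with broadcast deauthentication and disassociation treated as their own, lower-threshold signatures. It mirrors the two 17.3 behaviors just described, one alarm per signature with all offending sources bundled, and the AP's own MAC reported as the threat address for RTS and CTS floods. The frame trace, the window, and the thresholds are constructed for illustration and are not the values the controller uses.

```python
"""Sliding-window detector for the frame-flood aWIPS signatures, run over a
constructed 802.11 management-frame trace. Added example; window, thresholds
and frames are assumptions, not the controller's signature definitions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_MAC = "00:11:22:33:44:55"  # assumed BSSID of the monitored AP

# Per-subtype flood signatures from the list above ...
FLOOD_SIGNATURES = {
    "auth": "Authentication flood",
    "assoc_req": "Association flood",
    "disassoc": "Disassociation flood",
    "deauth": "Deauthentication flood",
    "rts": "RTS flood",
    "cts": "CTS flood",
    "eapol_logoff": "EAPOL logoff flood",
}
# ... plus the broadcast variants, which get a lower threshold because a single
# deauth or disassoc sent to ff:ff:ff:ff:ff:ff kicks every client off the BSS.
BROADCAST_SIGNATURES = {
    "disassoc": "Disassociation broadcast",
    "deauth": "Deauthentication broadcast",
}


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds
    subtype: str   # key of FLOOD_SIGNATURES
    src: str       # transmitter address ("" for CTS, which carries none)
    dst: str       # receiver address
    bssid: str


@dataclass(frozen=True)
class Alarm:
    signature: str
    bssid: str
    count: int                 # frames inside the window when the alarm fired
    sources: Tuple[str, ...]   # all offending addresses bundled into one alarm
    first_ts: float
    last_ts: float


class FloodDetector:
    def __init__(self, window_s: float = 1.0, flood_threshold: int = 50, broadcast_threshold: int = 5):
        self.window_s = window_s
        self.thresholds = {"flood": flood_threshold, "broadcast": broadcast_threshold}
        self._buckets: Dict[Tuple[str, str], Deque[Tuple[float, str]]] = defaultdict(deque)
        self._raised: Set[Tuple[str, str]] = set()

    def _signatures(self, frame: Frame) -> List[Tuple[str, str]]:
        sigs = []
        if frame.subtype in FLOOD_SIGNATURES:
            sigs.append((FLOOD_SIGNATURES[frame.subtype], "flood"))
        if frame.dst == BROADCAST and frame.subtype in BROADCAST_SIGNATURES:
            sigs.append((BROADCAST_SIGNATURES[frame.subtype], "broadcast"))
        return sigs

    def feed(self, frame: Frame) -> List[Alarm]:
        """Ingest one frame (frames must arrive in time order); return alarms fired on it."""
        # RTS/CTS floods are attributed to the AP's own MAC: CTS has no transmitter
        # address, and the 17.3 controller reports the AP as the threat MAC for both.
        threat = frame.bssid if frame.subtype in ("rts", "cts") else frame.src
        alarms: List[Alarm] = []
        for signature, kind in self._signatures(frame):
            key = (signature, frame.bssid)
            bucket = self._buckets[key]
            bucket.append((frame.ts, threat))
            while bucket and frame.ts - bucket[0][0] > self.window_s:
                bucket.popleft()  # drop frames that fell out of the window
            if len(bucket) < self.thresholds[kind]:
                self._raised.discard(key)   # burst is over; re-arm for the next one
            elif key not in self._raised:   # one alarm per burst, sources bundled
                self._raised.add(key)
                alarms.append(Alarm(signature, frame.bssid, len(bucket),
                                    tuple(sorted({src for _, src in bucket})),
                                    bucket[0][0], frame.ts))
        return alarms


def detect(frames: List[Frame], **kwargs) -> List[Alarm]:
    """Run a detector over a whole trace and collect the alarms in firing order."""
    detector = FloodDetector(**kwargs)
    alarms: List[Alarm] = []
    for frame in sorted(frames, key=lambda f: f.ts):
        alarms.extend(detector.feed(frame))
    return alarms


def constructed_capture() -> List[Frame]:
    """Constructed trace: 60 broadcast deauths from three spoofed client MACs in
    0.6 s, mixed with ten ordinary authentication frames spread over ten seconds."""
    spoofed = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]
    frames = [Frame(100.0 + i * 0.01, "deauth", spoofed[i % 3], BROADCAST, AP_MAC) for i in range(60)]
    frames += [Frame(100.0 + i, "auth", f"02:00:00:00:01:{i:02x}", AP_MAC, AP_MAC) for i in range(10)]
    return frames


if __name__ == "__main__":
    for alarm in detect(constructed_capture()):
        print(f"{alarm.signature} on {alarm.bssid}: {alarm.count} frames in "
              f"{alarm.last_ts - alarm.first_ts:.2f}s from {', '.join(alarm.sources)}")
```

The constructed trace produces exactly two alarms, a Deauthentication broadcast after the fifth frame and a Deauthentication flood after the fiftieth, each naming all three spoofed sources once, while the ten spread-out authentication frames never reach the threshold.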

Rogue and aWIPS Report Template

The Rogue and aWIPS report template lets you preview, run, download, and email an aggregated report that provides detailed information about new rogue APs and aWIPS threats in the network.

The Rogue and aWIPS template supports the PDF, CSV, TDE, and JSON file formats for the generated report.

User-defined networks

The Cisco User-Defined Network service provides secure and remote onboarding of client devices in shared environments such as dormitory rooms, residence halls, classrooms, and auditoriums. With the User-Defined Network service, users can securely use service discovery protocols such as multicast DNS (mDNS), which underlies Apple Bonjour services such as AirPlay, AirPrint, screen mirroring, and printing, or Universal Plug and Play (UPnP), which uses the Simple Service Discovery Protocol (SSDP), to interact and share only with their own registered devices in the shared environment.

Enable IoT Services workflow

Using the Enable IoT Services workflow, you can enable and manage IoT applications on selected Cisco Catalyst 9000 Series Access Points.

AP Model Catalog

The AP Model Catalog feature allows you to configure one AP on the floor with the AP model, antenna type, azimuth, and elevation orientation, and then replicate that configuration on the rest of the APs of the same model type.

Support for AP impersonation

AP impersonation support for MAC address spoofing is extended to Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers (eWLC).

Cisco DNA Center does not classify AP impersonation itself; the controller (AireOS or eWLC) must report AP impersonation to Cisco DNA Center.

Cisco DNA Center classifies a rogue AP as a friendly AP unless the controller (AireOS or eWLC) reports an AP impersonation to Cisco DNA Center, so the classification in Cisco DNA Center is only as good as the controller's reporting.

Defective AP replacement

You can replace a defective AP using the RMA workflow by marking the defective AP for replacement and selecting a replacement AP that was added through Inventory.

AP Refresh workflow

The AP Refresh feature lets you replace older AP models with newer ones.

The AP Refresh workflow supports APs that are associated with Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers.

Switch connection visualization on floor maps

Using the view options for switches, you can view a list of APs that are available for a particular switch on a floor map.

Support for the Jinja language

Cisco DNA Center now supports Jinja syntax. You can define templates using the Jinja language and create composite templates with Jinja templates. Composite templates can also have a mix of Velocity templates and Jinja templates.

Ability to export, import, and clone templates

Cisco DNA Center provides the following Template Editor capabilities:

  • You can export a template or a project, including all templates under it. The exported templates and projects are stored in a single JSON file.

  • You can import a template, or import a project, which imports all the templates under that project. Note that you can import a template or a project only from a JSON file.

  • You can clone a template to reuse portions of it.

Support for implicit variables

Some system variables are always bound to their corresponding source. These implicit variables are available for use in the template code editor. You cannot override or change the behavior of implicit variables.

Ability to define filters for system variables

While creating templates, you can use regular expressions to define filters on system variables. The filtered values are the only set of values displayed at the time of provisioning.

Template Editor

The following enhancements are made to the Template Editor:

  • Cisco DNA Center now allows you to add a template with multiple device type attributes to a composite template, if it matches one of the device type attributes specified for that composite template.

  • When a template is modified and saved, a warning icon appears, indicating that you must commit the template before it can be used for provisioning.

  • When you create a new template, a visual indication appears adjacent to the template that shows the selected template language.

    • Velocity template language indication is shown as V.

    • Jinja template language indication is shown as J.

  • If you create a template and associate it with a network profile, a link icon appears adjacent to the template. Click the link icon to view the associated Profiles, Sites, and Devices.

  • If there are implicit variables in your template, Cisco DNA Center allows you to select a device or site in the Simulation Input form to run the simulation against real devices based on your bindings.

Plug and Play

When adding devices from a Cisco Smart Account, you can specify that the credentials are used only one time and are not saved. When adding devices in bulk, imported data is validated. Improvements in the claim workflow make it easier to provision devices and understand and resolve errors. Cisco DNA Center now supports Plug and Play Provisioning for the Cisco Catalyst 9800 Series Wireless Controller.

Ekahau Pro Planning Workflow

Ekahau Pro tool version 10.2 allows you to automatically create the site hierarchy, save it as a project file, and import it into Cisco DNA Center.

Import Bulk Access Points into Cisco DNA Center

Cisco DNA Center allows you to import, assign, and position a collection of access points on the floor map. If you have an existing collection of access points on Cisco Prime Infrastructure, you can import it into Cisco DNA Center, saving the time and effort of importing, assigning, and positioning the access points on the floor map manually.

Preprovisioning of AP Group, Flex Group, and Site Tag

Cisco DNA Center allows you to preprovision the AP Group, Flex Group, and Site Tag in a network profile. This saves time during AP provisioning by eliminating the need to make repetitive configuration changes and ensures consistency across your devices.

  • AP Group configuration is applicable to Wireless LAN controllers running an AireOS image.

  • Flex Group configuration is applicable to Wireless LAN controllers running an AireOS image.

  • Site Tag configuration is applicable to Cisco Catalyst 9800 Series Wireless Controllers.

Cisco AI Endpoint Analytics

Cisco AI Endpoint Analytics uses AI and machine learning capabilities to group endpoints with similar attributes. Administrators can review such groups and assign labels to them.

Cisco AI Endpoint Analytics improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to a variety of endpoints. Information gathered through deep packet inspection and a range of probes from sources like Cisco ISE, Cisco SD-AVC, and network devices is analyzed for endpoint profiling.

Table 9. New and Changed Features in Cisco DNA Assurance
Feature Description

Simplified navigation

Navigating to Assurance features is simplified. Click the Menu icon, choose Assurance, and then choose the appropriate feature.

SNMPv3 support for Assurance

You can secure your network operations with full support for SNMPv3 for Assurance capabilities.

Client, Network, and Application dashboard timeline extended to 30 days

You can use the arrow buttons on the right of the timeline to view data for up to 30 days.

Network Devices Reachability dashlet

You can view the information about the device reachability status in the Network Device Reachability dashlet.

Availability monitoring using ICMP

You can view the device ping reachability status using ICMP.

Mark and unmark device replacement events for device RMA

New events are supported for devices that are marked and unmarked for replacement in Device RMA.

Interface discards

An issue is raised for high input and output discards on router and switch interfaces.

Link discards parameter is added to the router and switch health score calculation.

Application Health

  • Optimized Application Performance Monitoring (APM) is added to routers, Cisco 9800 Series Wireless Controller, and Cisco DNA Traffic Telemetry Appliance.

  • New Automatic Selection Algorithm—Cisco DNA Center automatically enables application telemetry on all applicable interfaces or WLANs that are selected based on the new automatic interfaces or WLAN selection algorithm.

  • The following enhancements are made to the Application 360 window:

    • The Quality information area (below the timeline) displays information about latency, jitter, and packet loss. For latency, the following aspects of delay between the client and the application are displayed: LAN, WAN, and Application delay.

    • The Application Experience tab is now called the Exporters tab.

    • The Application Endpoint table contains details about each client, such as identifier (user ID, hostname, IP address, or MAC address, whichever is available, in that order), client, client health, app health, usage, device type, MAC address, and VLAN ID.

New reports

The following new reports are supported:

  • Wireless power and channel.

  • POE port availability and power budget report.

  • Client usage (from highest to lowest usage).

  • Network device availability.

  • Rogue and aWIPS report for network threats.

Enhancements are added to the Reports windows. The following report groupings are introduced:

  • The AP and AP Radio templates are grouped under Access Points Report templates.

  • The Client Summary, Top N Summary, Client Detail, Client Trend, and Client Session templates are grouped under Client Report templates.

High availability

High availability (HA) support is now added to Assurance.

For information about HA, see the Cisco DNA Center High Availability Guide.

Disaster recovery

Disaster recovery builds upon the HA that Cisco DNA Center already provides by adding another layer of redundancy to safeguard against network downtime.

For information about disaster recovery, see the Cisco DNA Center Administrator Guide.

Audit logs

Audit logs record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system are logged in separate log files for auditing.

Role-based access control

Assurance supports role-based access control (RBAC), which enables a user with SUPER-ADMIN-ROLE privileges to define custom roles that permit or restrict users' access to certain Assurance features.

Assurance GUI screens localized

You can view the Assurance GUI screens in English (the default), Chinese, Japanese, or Korean.

Sensors

  • To navigate to the Sensor dashboard, choose Assurance > Dashboards > Wireless Sensors.

  • To manage Sensors, choose Assurance > Manage > Sensors.

  • iPerf3 speed test support is added to the sensor test category to determine the performance of the network.

  • SCEP profile support is added to sensors. You can add and manage profiles and enroll the sensors with them.

  • ClearPass server support is added to External Web Authentication in sensor tests.

  • You can configure SSIDs for both Wired Backhaul Settings and Wireless Backhaul Settings in the Create Sensor Backhaul SSID Assignment window.

  • Support is now added for 802.1x EAP.

Cisco AI Network Analytics enhancements

  • Cisco AI Network Analytics features are now supported on the Catalyst 9800 Series Wireless Controller.

  • The following enhancements are provided in the Network Heatmap window:

    • You can filter APs by site and building.

    • You can sort information in the heatmap.

    • You can provide feedback about the information displayed in the Network Heatmap window.

  • You can open the Device 360 page for a specific AP from the Network Insights window.

  • An issue is raised when there is a drop in radio throughput for Collaboration applications.

  • The site-to-site comparison user interface is enhanced.

Cisco StackWise support

Added support for Cisco StackWise, which is supported on the Cisco Catalyst 3650, 3850, and 9300 Series Switches.

Wi-Fi 6

The Wi-Fi 6 Readiness feature allows you to determine the percentage of clients that are Wi-Fi 6 capable and the percentage of the AP infrastructure that is Wi-Fi 6 ready. Based on this information, recommendations are provided about the actions that you can take to get the full benefits of a Wi-Fi 6 network.

Configure syslog, SNMP traps, and NetFlow Collector servers

You can now configure Syslog, SNMP Traps, and NetFlow Collector Servers in one location.

Intelligent Capture

  • Intelligent Capture is now supported on Catalyst 9130 AP, Catalyst IW6300 Heavy Duty Series APs, and Catalyst ESW6300 Embedded Services APs.

  • The Realtime FFT feature allows you to view the RF environment in real time.

  • You can now zoom in and view data for a specific range of channels in the Spectrum Analysis chart.

Access to the Topology tool

You can access the Topology tool from the top-menu bar of the Network dashboard. The Topology tool provides a map view of your network and a topology view of how the components in the network are connected.

Power over Ethernet (PoE) Telemetry and Analytics

PoE Telemetry and Analytics enables you to monitor the PoE-capable devices in your network.

The following functionality is added for PoE Telemetry and Analytics:

  • Added the following four dashlets to the Health > Network dashboard: PoE Operational State Distribution, PoE Powered Device Distribution, Power Load Distribution, and PoE Insights.

  • Added the PoE section in Device 360, which provides PoE telemetry and details for a specific PoE-capable switch.

  • Added the following issues:

    • PoE port in error state

    • PoE powered device flagged faulty

    • Power denied for PoE powered device

Private Network Connectivity in Client 360

User Defined Network support is introduced in Client 360 for Wireless clients.

Retries KPI

Retries KPI is introduced in Device 360 and Client 360 for Connectivity.

Sync KPI threshold values

Customize and sync the threshold values of common KPIs between health and issue settings.

Table 10. New and Changed Software Features in Cisco Software-Defined Access
Feature Description

Multisite remote border

This feature enables multiple fabric sites to use one common external border node.

This capability enables a virtual network to be available across multiple sites, and the same subnet that is associated with the virtual network is spread across sites. A common external border or control plane is assigned to terminate all traffic in this virtual network, regardless of where the traffic originates.

Note 

Multicast is not supported with multisite remote border.

Flex OTT template

Support is added for a new Flex OTT template for wireless over the Cisco SD-Access fabric. This support is available for Cisco AireOS-based devices and Cisco 9800 Series devices.

Audit logging

The Audit Log page now displays the audit logs for all SD-Access underlay and overlay operations.

IPv6 support

With this release, IPv6 is supported on the Cisco Catalyst 9800 Series Wireless Controller and the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches. Existing support for the Cisco AireOS Controller is maintained.

N+1 rolling AP upgrade

The rolling AP upgrade feature on the Cisco AireOS Controller and Cisco Catalyst 9800 Series Wireless Controller provides a way to upgrade the wireless controller and APs with minimal to zero downtime. To achieve zero downtime, APs can be upgraded in a staggered fashion using the N+1 rolling AP upgrade feature.

IP Directed Broadcast

The IP directed broadcast feature helps wake up silent hosts by sending a subnet-directed broadcast packet.

Layer 2 flooding must be enabled for IP directed broadcast to function.

IP directed broadcast cannot be enabled on a segment that has Layer 2 intersite enabled.

Routers and Nexus 7000 series switches do not support IP directed broadcast.

Cisco Catalyst 9000 Series Switches as Policy Extended Nodes

Cisco Catalyst 9200 Series (including C9200L Series), Cisco Catalyst 9300 Series (including C9300L Series), Cisco Catalyst 9400 Series, and Cisco Catalyst 9500 Series (including C9500H Series) switches can be configured as policy extended nodes if they run Cisco IOS XE 17.3.1 or a later release.

Note that the Cisco Catalyst 9000 Series switches that are configured as StackWise Virtual cannot be configured as policy extended nodes.

802.1x and MAB authentication are enabled on a policy extended node so that it can communicate with Cisco ISE and download the VLAN and scalable group tag (SGT) attributes for the endpoints.

The link between the edge node and policy extended node is configured with inline tagging to propagate the SGT.

A policy extended node performs SGACL enforcement.

StackWise Virtual link (SVL) support at border, edge, control plane, and Fabric in a Box

Cisco Catalyst 9400 Series Switches, when configured as StackWise Virtual, can be added to the fabric as an edge, border, border with collocated control plane, or Fabric in a Box device.

Cisco Catalyst 9600 Series Switches, when configured as StackWise Virtual, can be added to the fabric as a border, a control plane, or a border with collocated control plane.

Note the following:

  • Edge nodes that are connected as SVL support only wired clients.

  • SVL configuration on the device must be done manually before the device is added to the Inventory.

Support for N+1 HA on the Embedded Wireless Controller

Cisco Software-Defined Access now supports N+1 high availability on the Embedded Wireless Controller on Catalyst 9000 Series Switches.

Cisco Group-Based Policy Analytics support for SD-Access Fabric

Cisco Group-Based Policy Analytics is a network visibility tool that is built on the Network Data Platform (NDP) in Cisco DNA Center. Cisco Group-Based Policy Analytics ingests telemetry from Cisco Identity Services Engine (ISE), Cisco Stealthwatch, and NDP; discovers endpoints across the network; and visualizes the activity between them. Cisco Group-Based Policy Analytics collaborates with other Cisco DNA Center-based applications to provide a streamlined policy workflow experience.

New and Changed Hardware Features in Cisco Software-Defined Access

Table 11. New Hardware in Cisco Software-Defined Access

Device Role: Fabric Edge
Product Family: Cisco Catalyst 9200 Series Switches
Part Number: C9200-24PB-A, C9200-48PB-A
Description: Cisco Catalyst switches that support 32 virtual networks.

Device Role: Extended Node
Product Family: Cisco Embedded Services 3300 Series Switches
Part Number: ESS-3300-NCP-E, ESS-3300-CON-E, ESS-3300-NCP-A, ESS-3300-CON-A
Description: The Cisco Embedded Services 3300 Series switches are designed for embedded applications that require low power, small size, and ruggedization. ESS-3300-NCP-E and ESS-3300-CON-E support Network Essentials software. ESS-3300-NCP-A and ESS-3300-CON-A support Network Advantage software.

Device Role: Access Point
Product Family: Access Point
Part Number: C9105AXI-B, C9105AXW-B
Description: Cisco Catalyst 9105AXI Series Access Points are enterprise-class 2x2 access points that support dual-band 802.11a/b/g/n/ac/ax and are powered by 15.4 W of DC power over Ethernet on each port.

Table 12. New Features in Cisco Group-Based Policy Analytics
Feature Description

Destination MAC Address Filter

In the Search Results window, you can filter your search results on the destination MAC address.

Column Selector

In the Search Results window, you can use the column selector to customize your search view. You can choose to display only specific columns so that other data on the screen does not distract from what you are looking for.

View Contract

The View Contract option displays the contract details between a single source group and a single destination group. It shows the complete list of permitted and denied applications or port numbers between the two groups.

Deprecated Features

SNMPv3 Data Encryption Standard (DES) Privacy Mode support is undergoing a phased deprecation in Cisco DNA Center. The feature will not be supported in later Cisco DNA Center releases. SNMPv3 DES is used to generate the secret key for encrypting messages that are exchanged with devices that support DES encryption.

Cisco SD-Access Compatibility Matrix

For information about Cisco SD-Access hardware and software support for Cisco DNA Center, see the Cisco SD-Access Compatibility Matrix. This information is helpful for deploying Cisco SD-Access.

Cisco DNA Center Compatibility Matrix

For information about devices, such as routers, switches, wireless APs, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see the Cisco DNA Center Compatibility Matrix.

Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later

  • Mozilla Firefox: Version 65.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco DNA Center Installation Guide.

About Telemetry Collection

Telemetry data is collected by default in Cisco DNA Center 2.1.x and later, but you can opt out of some data collection. The data collection is designed to help the development of product features and address any operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data: Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco DNA Center Data Sheet for a more expansive list of the data that we collect. To opt out of some data collection, contact your Cisco account representative and the Cisco TAC.

Supported Hardware Appliances

Cisco supplies Cisco DNA Center in the form of a rack-mountable, physical appliance. The following versions of the Cisco DNA Center appliance are available:

  • First generation

    • 44-core appliance: DN1-HW-APL

  • Second generation

    • 44-core appliance: DN2-HW-APL

    • 44-core promotional appliance: DN2-HW-APL-U

    • 56-core appliance: DN2-HW-APL-L

    • 56-core promotional appliance: DN2-HW-APL-L-U

    • 112-core appliance: DN2-HW-APL-XL

    • 112-core promotional appliance: DN2-HW-APL-XL-U

Supported Firmware

Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 4.0(4b) for appliance model DN2-HW-APL

  • Cisco IMC Version 4.0(4b) for appliance model DN2-HW-APL-L

  • Cisco IMC Version 4.0(4b) for appliance model DN2-HW-APL-XL

The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with all later versions. Do not update later than Cisco IMC 4.0(4b), unless you update to 4.0(4k) or later.

Installing Cisco DNA Center

You install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.


Note

The following applications are not installed on Cisco DNA Center by default. If you need any of these applications, you must manually download and install the packages separately.

  • AI Network Analytics

  • Application Hosting

  • Application Visibility

  • Assurance - Sensor

  • Cisco Wide Area Bonjour Application

  • Cloud Provision Core

  • Group-Based Policy Analytics

  • Intelligent Capture

  • Rogue Management

  • Umbrella


For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) Release 10.6.2 or later. Earlier versions of Cisco CMX are not supported.


Note

While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.


Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, and Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, and Catalyst 9400 Series


Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternate Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the Plug and Play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a Network Address Translation (NAT) router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the Plug and Play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.
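The SAN rules above, as an added example that is not Cisco's code: a stdlib-only Python check that evaluates a Cisco DNA Center server certificate (in the dict form that Python's ssl.SSLSocket.getpeercert() returns) against the identities each discovery method needs, ignoring the CN exactly as the PnP agent does. The host names, addresses, function names, and sample certificates are constructed for this example.

```python
"""Check a Cisco DNA Center server certificate for the SAN values that the
Plug and Play IOS Agent requires. Added example, not Cisco's own code.

Certificates are the dict form returned by ssl.SSLSocket.getpeercert();
the samples at the bottom are constructed for this example."""
import ipaddress


def san_entries(cert):
    """Return (dns_names, ip_addresses) from the SAN field only.
    The CN is deliberately ignored, matching the PnP agent's behaviour."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def check_pnp_server_identity(cert, fqdn=None, ip_addresses=(),
                              nat_ip=None, pnp_domain=None):
    """Evaluate a certificate against the identities used for discovery.

    fqdn          Cisco DNA Center hostname (DHCP hostname or PnP Connect profile).
    ip_addresses  IPv4/IPv6 addresses used in DHCP option 43/17 or PnP Connect.
    nat_ip        Public address assigned by a NAT router, if any.
    pnp_domain    DNS domain when DNS discovery is used (pnpserver.<domain>).

    Returns a list of findings; an empty list means the certificate is suitable.
    """
    findings = []
    raw_san = list(cert.get("subjectAltName", ()))
    if not raw_san:
        # The agent never falls back to the CN, so a CN-only cert fails discovery.
        findings.append("no SAN field: the PnP agent ignores the CN, so discovery fails")
        return findings
    dns, ips = san_entries(cert)
    if fqdn and fqdn.lower() not in dns:
        findings.append(f"FQDN {fqdn} missing from SAN")
    for addr in ip_addresses:
        if ipaddress.ip_address(addr) not in ips:
            findings.append(f"IP address {addr} missing from SAN")
    if nat_ip and ipaddress.ip_address(nat_ip) not in ips:
        findings.append(f"NAT public address {nat_ip} missing from SAN")
    if pnp_domain and f"pnpserver.{pnp_domain}".lower() not in dns:
        findings.append(f"DNS discovery name pnpserver.{pnp_domain} missing from SAN")
    # Recommended ordering when both are present: FQDN first, then IP address.
    if fqdn and fqdn.lower() in dns and ips:
        first_kind, first_value = raw_san[0]
        if not (first_kind == "DNS" and first_value.lower() == fqdn.lower()):
            findings.append("FQDN should be the first SAN value, followed by the IP address")
    return findings


# Constructed sample: identity only in the CN (the common mistake).
CN_ONLY_CERT = {
    "subject": ((("commonName", "dnac.example.net"),),),
    "subjectAltName": (),
}

# Constructed sample: SAN ordered as recommended, with NAT and DNS discovery names.
GOOD_CERT = {
    "subject": ((("commonName", "dnac.example.net"),),),
    "subjectAltName": (
        ("DNS", "dnac.example.net"),
        ("DNS", "pnpserver.example.net"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "198.51.100.7"),
    ),
}

# Constructed sample: IP address listed first and NAT address absent.
BAD_ORDER_CERT = {
    "subject": ((("commonName", "dnac.example.net"),),),
    "subjectAltName": (
        ("IP Address", "192.0.2.10"),
        ("DNS", "dnac.example.net"),
    ),
}

if __name__ == "__main__":
    for name, cert in (("cn-only", CN_ONLY_CERT), ("good", GOOD_CERT),
                       ("bad-order", BAD_ORDER_CERT)):
        result = check_pnp_server_identity(
            cert, fqdn="dnac.example.net", ip_addresses=["192.0.2.10"],
            nat_ip="198.51.100.7", pnp_domain="example.net")
        print(name, "->", result or "OK")
```

Run it against the output of `ssl.get_server_certificate()` parsed with `ssl.SSLSocket.getpeercert()` on a live connection to see the same findings for a real appliance certificate.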


Bugs

Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.

Procedure


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered cisco.com username and password and click Log In.

The Bug Search window opens.


Note

If you do not have a cisco.com username and password, register at https://idreg.cloudapps.cisco.com/idreg/guestRegistration.do.


Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so on.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs

The following table lists the open bugs in Cisco DNA Center for this release.

Table 13. Open Bugs
Bug Identifier Headline

CSCvt50035

The Endpoint Inventory page takes around 40 seconds to load on a Cisco DNA Center 112-core appliance when there are 75,000 or more endpoints in the system.

CSCvt85764

If the Cisco Catalyst 9800 Series Wireless Controller is running Cisco IOS XE 17.3.x or earlier, you must ignore the mismatch regarding TACACS ports in compliance.

CSCvt94742

When you provision a guest user wireless LAN from Cisco DNA Center that goes directly to the device, it changes the mapped webauth parameter map on the wireless LAN.

Upon synchronization, differences are shown for the attributes in the webauth parameter map, rather than showing that the webauth parameter map association itself changed.

The Cisco DNA Center compliance feature does not support changes to the webauth parameter map associated with a wireless LAN, and it enforces the intent values for the attributes.

CSCvt94939

When you configure a guest anchor and foreign anchor from Cisco DNA Center, it goes to the anchor controller directly and changes the mobility group name of the peer. No difference is shown for the mobility group name change for the peer in the mobility controller and anchor.

CSCvt96450

While running compliance on a wireless controller version 8.9 or earlier, datalink encryption is shown as Compliant.

CSCvu48418

The provisioning status is shown as "Pending" even when the last provision succeeded.

CSCvu51469

In an environment with Cisco Catalyst 9800, when you use Cisco DNA Center to provision an access point on the device, and then later you go to the device directly and change the AP location on the device, after synchronization the AP location from the Catalyst 9800 is ignored for compliance. This problem occurs because the device truncates the AP location to 32 characters.

CSCvu61546

With Stealthwatch Security Analytics already enabled on Cisco Catalyst 9300 Series Switches or Cisco Catalyst 9400 Series Switches, after you upgrade the device version from 16.x to 17.3.1, attempts to update Stealthwatch Security Analytics on newly eligible ports (such as newly connected access points and interfaces) fail with the following error: "% Flow Monitor: Failed to remove monitor from interface: Removal of flow monitor not allowed first remove et-analytics on this target!"

To work around this problem, perform a one-time postupgrade Stealthwatch Security Analytics task to disable Stealthwatch Security Analytics on the particular device or devices. Then, enable Stealthwatch Security Analytics again on the particular device or devices.

CSCvv05360

GlusterFS file creation and access fail as part of the remedy controller, and multiple services hang in a bad state.

CSCvv05784

A single rule created in the Policies section of Cisco DNA Center is shown as two different rules in Cisco Group-Based Policy Analytics. For example, if you create a rule to permit any source TCP port to the destination TCP port 111, in Cisco Group-Based Policy Analytics you will see two rules in the Contract Table with one being to permit all source traffic to destination TCP port 111 and the second one as permit any source TCP port to send traffic to all destinations.

CSCvv09033

After a device upgrade, it takes between 30 minutes and one hour for the Stealthwatch Security Analytics readiness status to be reflected under Stealthwatch Security Analytics Provisioning.

To work around this problem, navigate to the Inventory in Cisco DNA Center and resynchronize the device.

CSCvv14780

Intelligent Capture Access Point RF statistics GUI charts show data, but the feature shows as disabled.

Alternatively, the Access Point RF statistics GUI charts have no data, but the feature shows as enabled.

CSCvv17294

When the Cisco credentials or Smart Account credentials are updated (or are no longer valid), the old credentials continue to work on Cisco DNA Center for up to 2 hours, including for Cisco DNA Center image downloads.

CSCvv17343

Support for new tdl-based features for greenfield deployments.

CSCvv19898

The Values for Protocol in ACL Rule: In the Cisco DNA Center Network Profile compliance type, the DNAC Value and Device Value are shown as integer values instead of as enumerated values. For corresponding enumerated values, see https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

CSCvv24008

The Application Health site-level trend chart does not display data.

CSCvv24861

A Cisco AireOS Mobility Express device stops externalizing data after a Cisco DNA Center upgrade.

CSCvv25434

A full sync from IOS for unmodeled commands fails due to an IP SLA CLI error.

CSCvv41902

In Assurance, the AP heatmap does not show the channel change count. APs registered with eWLC do not show the channel change count, even though the Assurance AP 360 page shows the channel change in the Event Viewer.

CSCvv49069

When you upgrade from Cisco DNA Center 2.1.1.0 or 2.1.1.3 to 2.1.2.0, the upgrade banner text message is not visible. The banner appears as a black band and is not readable.

CSCvv56317

Provision an IPv6 access control list using Cisco DNA Center. Change the rule in eWLC for the ACL. The rule is set on the eWLC. Edit the rule and modify one of the source or destination ports. Run the Cisco DNA Center Compliance feature. Two duplicate entries are shown for the start and end port numbers.

CSCvv56712

AAA/RADIUS should have a way to adjust the MTU based on interface settings.

CSCvv73754

A Cisco 3700 Series AP appears as a wired client in the Assurance page.

CSCvv79026

After a Cisco DNA Center upgrade, a mismatch is seen in compliance. The noncompliance report on Policy Profile - Interface Name - Management Vs 1 shows a mismatch.

CSCvv79809

An Assurance database restore fails.

CSCvv81975

After an upgrade, a device with a fabric configuration reports noncompliance on fabric for the Mac Filtering List attribute.

This problem occurs because in earlier releases the Mac Filtering List attribute had the value "default". In the current release, the Mac Filtering List attribute has changed to "dnac-cts-list".

CSCvv94589

Wireless flows such as Cisco ISE connection and site creation fail due to the file-service not responding.

CSCvv97719

After a Cisco DNA Center upgrade, some compliance mismatches are seen on devices.

CSCvw01682

A package update from Cisco DNA Center 1.3.3.x to 2.1.2 fails with an indexing error in Elasticsearch.

CSCvw60711

When you execute the mem_swap_ext.sh script due to bug CSCvw60743, Cisco DNA Center may be unresponsive for a couple of minutes. A system upgrade during this time may fail.

As a workaround to fix the issue, restart the system upgrade from the GUI.

CSCvw60743

Cisco DNA Center with the following appliances may experience slowness:

  • DN1-HW-APL

  • DN2-HW-APL

  • DN1-HW-APL-U

  • DN2-HW-APL-U

As a workaround to fix the issue, run the mem_swap_ext.sh script.

CSCvx39328

When a Cisco Catalyst 9800 is provisioned for application telemetry, the health timeline and Business Relevant Application Health fields in Assurance do not populate with data.

Currently, Business Relevant Application Health and the application health timeline are not supported features for Cisco Catalyst 9800 Wireless Controllers.

CSCvx45017

When there is a network delay that exceeds 1 second, the Assurance Application Health page shows reduced values.

CSCvx94722

Cisco IOS XE version 16.12.5 generates jumbo frames (2143 bytes in our tests) for 802.1X. The Policy Service Nodes (PSNs) see these frames as giants, drop them, and increment the RX Error counter as expected.

CSCvx97376

After enabling IP-directed broadcast on Cisco DNA Center 2.1.2.5, intermittent ICMP packet loss occurs on the silent host in the SDA fabric.

This problem occurs only when the silent host sends UDP broadcast traffic, which is propagated throughout the SDA fabric and affects LISP/CEF.

On the border node, the CEF table indicates that the next hop for the silent host is intermittently known, then unknown.

The source in the LISP map cache table changes between "NONE" and "Mobility Map-Notify."

When Cisco DNA Center sends an IP-directed broadcast, a Layer 2 instance is created on the border nodes. On Layer 3 handoffs, all VLANs are added by default on the trunk. As a result, the Layer 2 instance is also added to that trunk. If a Layer 2 path exists between two borders, the result is relearning.

Therefore, if IP-directed broadcast is being pushed, pruning of VLANs is required to not flood the IP-directed broadcast pool.

CSCvy28241

Cisco DNA Center changes the group name for SNMPv3 credentials to "default" if an access list is attached and it does not contain the physical enterprise IP address and the virtual IP address.

On the device, if you manually change the group name for the SNMPv3 credentials, a partial collection failure (PCF) error appears after you perform a resync because of the SNMPv3 credentials. If you change the group name manually and do not perform a resync, Cisco DNA Center changes the group name to "default" after some time.

CSCvy30606

A wireless LAN controller stops sending telemetry data to Cisco DNA Center, so Assurance stops plotting health.

This problem occurs exactly one year from the date that the wireless LAN controller is added to the site in Cisco DNA Center. The following syslog message confirms the problem:

Aug 18 02:19:05.640: %PKI-3-KEY_CMP_MISMATCH:
Key in the certificate and stored key does not match for Trustpoint-sdn-network-infra-iwan.

Do the following to reconfigure the certificate:

  1. In the Cisco DNA Center GUI, choose Provision > Network Devices > Inventory.

  2. Choose the device and from the Actions drop-down list, choose Telemetry > Update Telemetry Settings.

  3. In the Update Telemetry Settings window, do the following:

    1. Check the Force Configuration Push check box to push the configuration changes to the device.

    2. Click Next.

    3. Click the Now radio button.

    4. Click Apply.

CSCvy44039

When the default policy set has been deleted in Cisco ISE, Cisco DNA Center shows the following error when trying to add the portal to a guest SSID in the Portal Builder section:

java.lang.Exception: Validation Error - Illegal values: 
[authenticationMethod should not be null or empty]

CSCvy54005

The image distribution server is not listed if the same Cisco DNA Center is used as the image distribution server.

CSCvy58676

Under Event Details, when you choose SYSTEM as the type, the details object is empty in the model schema. For APP and NETWORK event types, the details object is not empty in the model schema, and the correct schema attributes are shown.

Open Bugs—High Availability

The following table lists the open high availability (HA) bugs in Cisco DNA Center for this release.

Table 14. Open Bugs—HA
Bug Identifier Headline

CSCvu14606

If the main site or the recovery site is down for longer than 7 minutes, the site is marked as Down. When the site comes back up, it is still shown as Down in the Disaster Recovery GUI.

CSCvv06367

HA cluster services go down if the backup NFS server is down.

CSCvv30481

When an existing witness is taken down for upgrade or maintenance, the IPsec connectivity between the witness and the main/recovery nodes stays up. This causes new witness registration to fail with the following error:

SODR10055: Unable to get package details for site witness.

CSCvv75169

HA activation fails on a fresh install.

CSCvv93360

In a three-node cluster, shut down one node for 30 to 40 minutes and then bring it back up. Wait 3 to 4 hours and then shut down another node. After that, Assurance data is blank on the Cisco DNA Center GUI. However, the GUI recovers by itself after about 14 hours.

CSCvw23247

The node holds the enterprise VIP, but the keepalived daemon doesn't trigger the event notify callback. The purpose of the callback is to update the mastership status in etcd and also to trigger IPsec to flip the tunnels to the node that holds the VIP. As a result, the IPsec service runs on the node that doesn't hold the enterprise VIP, and IPsec isn't running on the node that holds the enterprise VIP.

Resolved Bugs

The following table lists the resolved bugs in Cisco DNA Center, Release 2.1.2.7.

Table 15. Resolved Bugs in Cisco DNA Center, Release 2.1.2.7
Bug Identifier Headline

CSCvv77466

An AP shows no data on the map all over Cisco DNA Center.

CSCvw29593

A NullPointerException occurs in the maps service when trying to add APs in wireless maps.

CSCvw80355

Cisco DNA Center's device provisioning may fail with an "NCSP10000 Internal" error. In the reporting installation, Cisco ISE with TACACS+ is used for network AAA; ISE with RADIUS is used for client AAA.

CSCvx21215

A Guest SSID with the Fast Transition value configured as Adaptive in an earlier release of Cisco DNA Center causes wireless controller provisioning issues in Cisco DNA Center 2.1.2.5.

CSCvx22746

Cisco DNA Center fails image activation with a timeout error. A device takes longer than one hour to upgrade.

CSCvx32185

The Task web page returns an error.

CSCvx43231

A wireless controller partial collection failure occurs if the "PMIP NAI" type is longer than 32 characters.

CSCvx47887

After a failed wireless controller provisioning attempt, Cisco DNA Center may not roll back the configuration from the wireless controller, which may cause a network outage.

CSCvx56258

Cisco DNA Center inventory resync results in an internal error.

CSCvx62172

Cisco DNA Center must support the AP Location field.

CSCvx64681

In an installation where several ISR routers are deployed as transit control plane devices in Cisco SD-Access transit, after a routing template is provisioned on these devices, subsequent device provisioning attempts fail for both devices.

CSCvx62958

Cisco DNA Center's GUI may become unavailable, while some pods are not running and may be crashing in the maglev-system namespace, when the disk partition for the maglev-system becomes full.

CSCvx66928

The Cisco DNA Center postgres standby instance crashes with an error that the server forked off from that timeline.

CSCvx68948

Reconfiguring device provisioning may not determine configuration changes for the Dot1x Auth template.

CSCvx74221

Provisioning fails when adding a AAA server using a port number greater than 32767 to Cisco DNA Center.

CSCvx76405

During an upgrade of Cisco DNA Center's application packages, the upgrade may appear to be stuck for hours at 20% with no obvious progression. The migration logs show a deadlock on the postgres executionevent table.

CSCvx79755

Interface information takes a long time to populate after LAN automation.

CSCvx86351

Device provisioning hangs in In Progress because the Cisco ISE integration is broken.

CSCvx88137

Heatmaps for the 5-GHz band are not generated for a Cisco Catalyst 9800 Series Wireless Controller.

CSCvx88587

Image distribution servers won't allow a valid IP address.

CSCvx89052

Port channel entries are missing from several tables, which breaks virtual network anchor provisioning.

CSCvx93717

Cisco DNA Center's Client Detail, Client Session, and AP Radio report may fail to run, time out, or return no data when the time frame of the report is set for one month. These reports run as expected with shorter time frames.

CSCvx99908

When clicking a virtual network on Cisco DNA Center's Fabric > Border > Configure > Layer 2 Handoff page, nothing happens. You can click the first virtual network on the list, but after making changes and clicking Save, nothing happens.

CSCvy00986

Cisco Catalyst 9800 Series Wireless Controller: RPC rfdca-removed-channel operation fails with a data missing error tag.

CSCvy06152

Cisco DNA Center may not provision the AAA configuration displayed in the provisioning summary.

CSCvy10747

Messages in the "dna.lan.common.service" queue block subsequent LAN automation.

CSCvy12915

When a Cisco DNA Center user imports an Ekahau .esx file from a project, the antenna azimuth may be reported incorrectly by 90 degrees for wall and ceiling mounted access points.

CSCvy19567

Cisco DNA Center's Application Hosting service may restart itself continuously, without a clear reason.

CSCvy20557

The sensor link is missing from the 5-GHz view.

CSCvy24764

Offline APs are shown as active on the heatmap.

CSCvy26789

When attempting to set up the integration between Cisco DNA Center and Cisco DNA Spaces, the integration may fail with the following error message:

Unable to export hierarchy to the CMX DNA Spaces for one or more domains.

CSCvy73506

Upgrading Cisco DNA Center application packages to version 2.1.2.7 may fail with the error, "UPGRADE_ERROR - Exception in package: cloud-connectivity-tethering, kind: ServiceBundle, name: telemetry-agent - 'telemetry-agent 1.3.1.102' took more than the expected '230' seconds to start. Please review the service logs for errors." If the system is configured with a proxy that requires user credentials, the telemetry-agent service will not upgrade or start as expected.

CSCvy83860

The Cisco DNA Center InfluxDB instance may degrade into a crashloop condition with exit code 137/OOMKilled. Due to excessive data, the InfluxDB pod runs out of memory, which results in service disruption during normal runtime and can cause a software upgrade failure. This problem can also cause an outage in a fresh install of Cisco DNA Center 2.1.2.7.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.1.2.6.

Table 16. Resolved Bugs in Cisco DNA Center, Release 2.1.2.6
Bug Identifier Headline

CSCvw02077

After upgrading from Cisco DNA Center 1.3.3.x to 2.1.2.x, libraries are missing on upgraded clusters.

CSCvw49759

When executed manually from Cisco DNA Center's Tools > Network Reasoner > CPU Utilization workflow, an internal server error occurs during the Machine Reasoning Engine's (MRE's) analysis, and the cnsr-reasoner service restarts itself. This issue causes the MRE service container to run out of memory.

CSCvw59092

PKCS12 configuration fails due to an internal error after Cisco Catalyst 9800 Series Wireless Controller discovery.

CSCvw62170

After the GPS marker is removed, the unassigned device count does not match what is seen in Inventory.

CSCvw62379

Cisco DNA Center's integration with Service Now may break, with the message "Rate limit exceeded" recorded in the logs.

CSCvw67480

Duplicate Flex profiles are found in the wireless controller following a Cisco DNA Center upgrade.

CSCvw72645

RBAC prevents network hierarchy maps from loading with "Error 11015."

CSCvw74679

Suboptimal closed auth configuration is pushed when critical VLAN/IP address pool isn't explicitly defined.

CSCvw95827

Default application policy configuration does not handle the IS-IS protocol correctly.

CSCvx02345

Cisco DNA Center is unable to start a new LAN automation session, citing the error "NCND00006: The input payload contains an invalid key."

CSCvx02368

Cisco DNA Center may become unable to start a new LAN Automation session, citing the error "Failed to start Network Orchestration Session: null."

CSCvx08471

Restore to Cisco DNA Center 2.1.2.5 fails with error "SoftTimeLimitExceeded()."

CSCvx09990

Cisco DNA Center pushes additional flex profiles with incorrect VLAN-name and VLAN-id mapping.

CSCvx10390

Upgrading Cisco DNA Center's application packages may fail, citing the error "insert or update on table lisp component violates foreign key constraint fkdda1c963df34cf04."

CSCvx12639

A managed device's inventory status in Cisco DNA Center may change to "Internal Error" when a value returned by the device that should be an IP address is null.

CSCvx14538

Cisco DNA Center may fail to provision a managed device, citing the error "NCSP10250:Error during persistence (provision) of CFS."

CSCvx16385

Cisco DNA Center may fail to restore a backup for the Postgres service with the error "Error: Shell command /usr/bin/pg_restore --username appuser --host 127.0.0.1 --port 5433 -j 5 -F d -v --dbname campus /var/lib/postgresql/postgres-backup/data/campus timed out after 7213.737733886024 seconds of inactivity."

CSCvx21853

Cisco DNA Center Discovery fails to retrieve global credentials while trying to create a new task.

CSCvx27169

Cisco DNA Center's Inventory service may crash if the managed devices send lots of syslogs.

CSCvx56103

When the kubelet certificate expires and is refreshed, the kubelet goes down and all services go down.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.1.2.5.

Table 17. Resolved Bugs in Cisco DNA Center, Release 2.1.2.5
Bug Identifier Headline

CSCvt58303

Cisco DNA Center's GUI might load intermittently when using the virtual IP and when the enterprise and cluster virtual IPs are assigned to two nodes in a three-node cluster. The wireless controller Assurance functionality might also be affected.

CSCvv17779

Cisco DNA Center's dna-event-runtime pod may occasionally crash under load. This can happen while accessing the audit logs and tasks pages when the audit logs exceed one million entries.

CSCvw14715

Cisco DNA Center doesn't push the default-site-tag-fabric configuration to the Catalyst 9800 Series Wireless Controller after upgrade.

CSCvw30297

The RMA process fails when the faulty device is in "NETWORK-READINESS-FAILED" status.

CSCvw31619

Elasticsearch cluster formation fails in a three-node XL appliance cluster with 12 instances.

CSCvw34337

A Cisco DNA Center and Prime floor map name sync issue causes special character issues.

CSCvw34578

Cisco DNA Center doesn't have an option to mark a golden image for the Cisco Catalyst C9400 Supervisor Engine-1XL-Y.

CSCvw37064

Cisco DNA Center may incorrectly configure ACL_WEBAUTH_REDIRECT on multiple devices at the same site.

CSCvw37462

AP map pages load very slowly after upgrading to Cisco DNA Center 2.1.2.3.

CSCvw45329

Cisco DNA Center doesn't provision NetFlow collector settings from the Design page.

CSCvw47447

An RF profile that has already been provisioned to access points is allowed to be deleted from Cisco DNA Center.

CSCvw49445

Wireless controller provisioning is blocked because an RF profile that is deleted from Design is not cleaned from the database.

CSCvw53139

Cisco DNA Center's Task page doesn't load any data.

CSCvw67029

Application upgrade fails due to a RabbitMQ maximum message size.

CSCvw70342

Elasticsearch migration hangs while upgrading from Cisco DNA Center 1.3.3.x to 2.1.2.4.

CSCvw76030

Unable to perform RMA due to a field value exceeding the integer range.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.1.2.4.

Table 18. Resolved Bugs in Cisco DNA Center, Release 2.1.2.4
Bug Identifier Headline

CSCvo34022

Need notification about limitation of authentication template changes.

CSCvp34431

Cisco DNA Center 1.3 uses a longer JWT token, which may cause the integration with a wireless controller to fail, causing incoming Assurance data to stop.

CSCvp42465

The NTP service doesn't recover from a failure on its own.

CSCvq09974

Cisco DNA Center's InfluxDB service may crash with Out Of Memory errors in a system managing over 18,000 devices and 100,000 clients.

CSCvq31127

Backup fails with the error "Taskname=BACKUP.fusion:postgres Failure."

CSCvq42401

Cisco DNA Center upgrade from 1.2.10 to 1.3 fails when you click Switch Now twice in quick succession.

CSCvq42780

Cisco DNA Center 1.3 application packages fail to upgrade.

CSCvq43900

System upgrade fails because etcd goes into error state.

CSCvq47566

Cisco DNA Center's etcd service may exhaust its memory, causing the system to become unstable.

CSCvq74218

Reprovisioning a wireless controller fails after site floor deletion.

CSCvq77240

After upgrading Cisco DNA Center from 1.2.10.4 to 1.3, the gluster mount point is not mounted.

CSCvq85822

Upgrading to Cisco DNA Center 1.3.0.3 hangs at 40%.

CSCvq97467

Cisco DNA Center does not display virtual network information after an upgrade from 1.2.10.4 to 1.3.0.3.

CSCvr56949

In extreme installations where Cisco DNA Center has been manually scaled up to eight instances of the network-programmer service, virtual network provisioning may fail, and the Postgres database service may exhaust its memory resources and crash.

CSCvr63731

Cisco DNA Center may fail to upgrade the network-visibility application package from version 2.1.110.62003 to 2.1.110.62006, due to a problem creating a database view.

CSCvs02409

After a fresh installation of Cisco DNA Center, the root partition of the appliance may be 85% or more full. An out of disk space situation can cause Kubernetes to be unable to schedule or destroy any pods.

CSCvs18203

Cisco DNA Center's search service may not work when the MongoDB connection is unstable, even when the correct version of the package is installed.

CSCvs21955

A wireless controller fails inventory collection due to stale entries in "managednetworkelement_bk".

CSCvs22065

Cisco DNA Center is unusable in a three-node cluster.

CSCvs42952

After enabling maximal visibility, the flow monitor config is sent to the wrong L3 port.

CSCvs43581

System upgrade: The etcd service fails to start due to an invalid memory value.

CSCvs47174

Cisco DNA Center 1.3.0.5 packages are missing from the catalog server.

CSCvs52947

GlusterFS doesn't heal automatically because of a stale reference.

CSCvs68068

Cisco DNA Center's virtual IP addresses (VIPs) may be removed at random points when an internal script times out. The VIPs come back when the script resumes, but while the VIPs are absent, problems can occur such as pages not loading or Assurance data not being received.

Related bug ID: CSCvs84207.

CSCvs76592

A large number of device-registration "Sensor-Client-AP" requests to Kong and the Identitymgmt services lead to slow access of the Cisco DNA Center GUI when wireless Assurance telemetry is enabled.

CSCvs77047

Cisco DNA Center should not allow you to add the Global site to the default LAN fabric.

CSCvs83663

Cisco DNA Center may randomly have the MTU size for the intercluster route set to 985 bytes, resulting in larger packets being dropped and RabbitMQ missing a number of messages and potentially going into a partitioned state.

CSCvs85704

Cisco DNA Center fails to decrypt passwords after restoring from backup.

CSCvs86290

An enterprise port failure causes service disruption in a three-node cluster.

CSCvs88856

System upgrade fails due to an internal subnet check.

CSCvt09877

Upgrade to Cisco DNA Center 1.3.1.4 fails at the INSTALL_PRE_HOOKS stage due to a missing directory in /opt/maglev/hooks/.

CSCvt20441

Hook directory creation fails.

CSCvt24453

Network-Orchestration service crashes due to a switch in Maintenance state.

CSCvt25042

The Cisco DNA Center GUI goes into maintenance mode intermittently.

CSCvt32266

Unable to configure Layer 2 handoff on the border node.

CSCvt32995

Disable IPv6 to avoid services binding to the IPv6 address space.

CSCvt36321

Application data is missing in the Application Health dashboard.

CSCvt40676

Cisco DNA Center goes back to the initial config prompt after an etcd crash.

CSCvt54526

Upgrading Cisco DNA Center from 1.2.12 to 1.3.1.5 fails at zero percent.

CSCvt78024

Software image management: Cannot upgrade the wireless controller image from 16.12.1s to 16.12.3.

CSCvu08666

Backup delete does not work due to a syntax error in the find command.

CSCvu15218

Cisco DNA Center upgrade to 1.3.3.5 fails at 41% because two of the three RabbitMQ instances are in a crashloop.

CSCvu25754

The Network Insight Site Comparison page doesn't load.

CSCvu38860

Adding low impact policy to permit UDP BOOTPS creates a policy for UCP.

CSCvu49120

Application upgrade from Cisco DNA Center 1.3.1.2 to 1.3.3.4 fails due to pipelineadmin in CrashLoopBackOff.

CSCvu76516

Multiple unclaimed devices in PnP block the LAN automation status page.

CSCvv04386

When using Cisco DNA Center to provision devices, wireless controller provisioning may fail with the error message, "NCSP10001: User intent validation failed."

CSCvv38555

After disaster recovery is activated, the enterprise cluster virtual IP is not removed from the device configuration as telemetry settings (SNMP host, log server, and so on).

CSCvv55243

When you upgrade to Cisco DNA Center 2.1.2.0, the automatic execution of the certificate refresh Ansible task fails.

CSCvv62098

The Cisco DNA Center appliance fails to boot because the maglev-system partition fails to mount by UUID.

CSCvv74034

After upgrading from 1.3.3.7 to 2.1.2.3, the pod in the crash loop has a mongodb container that fails during the container creation stage.

CSCvv75227

Disaster Recovery "Re-join" initiates duplicate BGP peer session requests, causing session collisions.

CSCvv75472

Cannot scroll and select the site for Transit Control Plane.

CSCvv81218

AP provisioning fails when the wireless controller's hostname is longer than 31 characters.

CSCvv86302

After upgrading to Cisco DNA Center 2.1.2.x, AireOS wireless LAN controllers are reported as unmonitored, and wireless device and wireless client Assurance data is not shown in the Cisco DNA Center GUI. Wireless LAN controller devices fail to register and a 403 error is generated.

CSCvv95296

In Cisco DNA Center 2.1.2, the default issue priority of Cisco AI Network Analytics issues is raised from P3 to P2.

When you upgrade from an earlier release to Cisco DNA Center 2.1.2, the issue priority for AI Network Analytics issues is reset to P3, even though the default priority is P2.

On a fresh installation of Cisco DNA Center 2.1.2, the issue priority of AI Network Analytics issues is P2.

CSCvw00342

Cisco DNA Center XL appliances fail the Elasticsearch schema migration.

CSCvw00591

Cisco DNA Center doesn't remove a stale VLAN config.

CSCvw24685

Cisco DNA Center-to-ServiceNow CMDB sync fails because the inventory includes AP sensors.

CSCvw26250

ENCS5412 is not available in Cisco DNA Center Assurance.

CSCvw34475

Cisco AI Network Analytics intermittently stops sending data because the metricstream topic queue offset is stuck. Consequently, no dashboard data is shown for some time.

CSCvw42212

LAN automation doesn't work due to an IPAM IP address allocation issue.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.1.2.3.

Table 19. Resolved Bugs in Cisco DNA Center, Release 2.1.2.3
Bug Identifier Headline

CSCvs69086

Cisco DNA Center should not allow provisioning until the fabric authentication key security fix is applied.

CSCvt93172

In a three-node cluster, Cisco DNA Center does not form an HA cluster for the Cassandra database.

Related bug: CSCvv42685.

CSCvu25203

The external authentication protocol automatically changes from TACACS to RADIUS when Cisco ISE and Cisco DNA Center are reintegrated.

CSCvu31396

Cisco DNA Center constantly pushes the RADIUS configuration without the PAC key, causing an outage.

CSCvu38087

A map file that is exported from Cisco DNA Center 1.3.3.3 has an exclusion region with duplicate vertices.

CSCvu39101

The fabric provision operation takes longer when multiple sites are connected to a transit.

CSCvu57991

Cisco DNA Center fails to learn the brownfield configuration of a wireless LAN controller when the wireless controller has an invalid selection of channel width and DCA channels.

CSCvu71843

AP deletion causes a wireless controller provisioning failure.

CSCvu96315

AI Network Analytics registration fails due to proxy authentication.

CSCvv19893

You must ignore mismatches with respect to the case-sensitive checks for the interface mapping name on AP groups for AireOS devices.

CSCvv25658

Cisco ISE platform exchange grid (pxGrid) connections are missing after a manual disaster recovery failover.

CSCvv38703

While creating a connectivity domain and running commands, a 403 client error is returned.

CSCvv38749

Network devices are added before the disaster recovery configuration. After disaster recovery is activated, the enrollment URL still points to the cluster VIP instead of to the disaster recovery VIP. Consequently, the devices can't download the PKI certificate after a failover because the old active is in standby mode and doesn't respond to the API request.

CSCvv42973

The Application Health page usage does not reflect application usage on all devices.

CSCvv58048

Cannot reprovision if the first-time provision fails.

CSCvv58971

Cisco ISE integration fails when the Cisco ISE primary PAN certificate contains an unreachable CDP.

CSCvv63265

Cisco DNA Center's PKI service may use a cached certificate, instead of a refreshed certificate, even after the cached certificate's expiration date.

CSCvv73881

LAN automation does not work due to an IPAM IP address allocation issue.

CSCvw09106

External webauth SSID configured with "central-webauth" enabled.

CSCvw31167

Cisco DNA Center becomes very slow after an upgrade from 1.3.3.x to 2.1.2.3.

CSCvw36210

A system update from Cisco DNA Center 1.3.3.6 to 2.1.2.4 fails at 68% during the node update on a single-node cluster.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.1.2.0.

Table 20. Resolved Bugs in Cisco DNA Center, Release 2.1.2.0
Bug Identifier Headline

CSCvr12997

CVE-2021-1257: Cisco DNA Center Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco DNA Center software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent.

The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV

CSCvr22575

After upgrading to Cisco DNA Center 1.3.1, provisioning fails with the error "NCWL10100: WlanController is not found for the device."

CSCvr74393

Multiple vulnerabilities in the web-based management interface of Cisco DNA Center software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.

The vulnerabilities exist because the web-based management interface on an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-mlt-xss-zUzbcdEV

CSCvr85371

CVE-2021-1265: Cisco DNA Center Information Disclosure Vulnerability

A vulnerability in the configuration archive functionality of Cisco DNA Center could allow an authenticated, remote attacker with any privilege level to obtain the full unmasked running configuration of managed devices.

The vulnerability is due to configuration archive files being stored in clear text, where they can be retrieved through various API calls. An attacker could exploit this vulnerability by authenticating to the device and executing a series of API calls. A successful exploit could allow the attacker to retrieve the full unmasked running configurations of managed devices.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnacid-OfeeRjcn

CSCvs48901

Changing the Cisco ISE virtual IP in Cisco DNA Center's System Settings and in the Network Design for a site causes the SGT configuration "cts manual" to be removed from ports configured in host onboarding when the corresponding edge device is subsequently provisioned.

CSCvt17308

In a three-node cluster, a restore fails with the following error:

NoClassDefFoundError: com/mongodb/WriteConcern.

CSCvt20541

The configuration object "DNAC_ACL_WEBAUTH_REDIRECT" gets removed and added again to a managed wireless controller when adding or removing a dot1x/PSK SSID.

CSCvt54592

After upgrading to Cisco DNA Center 1.3.3.1, several devices begin to fail inventory collection, with the logs citing an error that the RADIUS server key is longer than 65 characters.

CSCvt59517

Application 360 is missing information for clients connected to Cisco Catalyst 9000.

CSCvt82136

On the Device 360 page for an AP, the Intelligent Capture panel shows the warning message "GRPC link is not ready (TRANSIENT FAILURE)." However, contrary to what the message suggests, the condition persists.

CSCvu00218

A Cisco DNA Center upgrade fails on a three-node cluster and the GUI becomes inaccessible.

CSCvu03730

Cisco Catalyst 9800 Series Wireless Controller is unmonitored in Cisco DNA Center because the sdn-network-infra-iwan certificate is not installed.

CSCvu09115

Cisco DNA Center fails to provision an access point and returns the error "OwningEntityId details for wireless controller missing in the database."

CSCvu24866

Cisco DNA Center does not generate a request code for all member switches of a stacked device while registering with Specific License Reservation (SLR). Consequently, all member switches remain stuck in the "reservation in progress" state.

CSCvu25442

The sdn-network-infra-iwan certificate expires on the device.

CSCvu27207

Cisco DNA Center cannot enable telemetry for an AireOS wireless controller in HA mode.

CSCvu48408

Wireless controller provisioning fails due to a special character in the site name.

CSCvu77536

Assurance generates a false "Dual-Active Detection Link has failed" error when an interface that is not a DAD link goes down.

CSCvu83593

BGP VPNv4 gets configured on an L2-only border.

CSCvu93584

Application Experience is down in Cisco DNA Assurance.

CSCvv04838

Cisco DNA Center's PnP onboarding of a switch stack may fail with the error "NCOB02051: Failed to parse CLI output for show mod" when the output of the show module command contains special characters like ++.

CSCvv06151

The INFRA_VN is not available under the L2 handoff for border configuration and therefore cannot be removed.

CSCvv18653

In a large Cisco SD-Access environment, Cisco DNA Center's app-policy-provisioning-service crashes with an OutOfMemoryError, remains in the CrashLoopBackOff state, and generates heap dump files.

CSCvv22070

After restoring a backup, provisioning doesn't work if the inventory sync is disabled.

CSCvv25678

Intermittent data visibility loss occurs on the Assurance Overall page.

CSCvv33878

The link in the search feature for Application Visibility is broken.

CSCvv33983

The link in the search feature for Email Configuration is wrong.

CSCvv38470

Topology fails to show the number of uplinks between edge to border switches in Cisco DNA Center 1.3.3.6.

CSCvv73958

Cisco DNA Center's LAN Automation app may not show a clear error message when a device being LAN automated does not receive an IP address from IPAM. The following error is returned:

NCSU10000: 'Internal error: something went wrong unexpectedly. null'.

Limitations and Restrictions

Upgrade Limitation

If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:

  • Cisco ISE is already configured in Cisco DNA Center.

  • The version of Cisco ISE is not the required 2.6 patch 1 or 2.4 patch 7 or later.

  • Cisco DNA Center contains an existing fabric site.

  • The number of DNS servers must not exceed three.

Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.

To work around this problem, upgrade Cisco ISE to 2.6 patch 1 or 2.4 patch 7 or later, and retry the Cisco DNA Center upgrade.

Backup and Restore Limitations

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after you reconcile the differences between the network device configurations and the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

Cisco ISE Integration Limitations

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA set to TRUE (RFC 5280, section 4.2.1.9).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.

  • When there is a change in the deployment status of the Cisco ISE nodes, it takes up to 20 minutes for the status to reflect correctly on the Cisco DNA Center System 360 window. A job scans for the deployment, which could take up to 20 minutes or longer if Cisco ISE does not accept the connection request.

Software Image Management Limitation

Cisco DNA Center supports software image management (SWIM) for ASA devices only in a standalone deployment. SWIM operations do not support L3 redundancy, and SWIM is not supported for ASA HA pairs.

License Limitation

The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support wireless LAN controller models that run Cisco AireOS.

Fabric Limitations

  • Cisco DNA Center supports up to a maximum of 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, and so on.

    Physical ports cannot exceed 480,000 ports on a 112-core appliance.

  • IP address pools reserved at the area level are shown as inherited at the building level on the Design > Network Settings > IP Address Pools window; however, these IP address pools are not listed on the Host Onboarding window if the fabric site is defined at the building level. If the fabric site is defined at the building level, you must reserve the IP address pools at the building level; if the fabric site is defined at the area level, you must reserve the IP address pools at the area level.

    To work around this issue, release and reserve the IP address pool at the same level (area or building) as the fabric site, or reconfigure the fabric site at the same level as the reserved IP address pool.

  • Cisco DNA Center does not support multicast across multiple fabric sites that are connected by an SDA transit network.

  • In a fabric setup with Cisco Catalyst 9800 HA devices, if one of the HA devices goes down, you must complete the following steps to replace it:

    1. From the Cisco DNA Center Inventory window, resynchronize the HA device that failed. Cisco DNA Center shows the device as standalone; the standby has failed and has been removed.

    2. Set the priority for the devices. If you want the existing device to return as the active device after forming HA with the new device, ensure that the HA priority of the existing device is set to 2 (or the highest available priority value). You configure the device priority from the web UI, under Administration > Device > Redundancy. Alternatively, you can enter the following CLI command to configure the device priority:

      chassis <chassis_number> priority 2

      To view the chassis number and the current priority value, enter the show chassis EXEC command.

      If the priority is set to the default value of 1 on both devices, the device with the lower MAC address becomes the active device.

    3. Configure the chassis redundancy command on the new device using the same local and remote IP addresses that were used on the failed device. You configure the chassis redundancy in either the web UI or the CLI.

    4. Reboot both devices to form the HA pair.

    5. After HA is up, resynchronize the devices in Cisco DNA Center. The Inventory window shows the new HA pair. Verify the serial numbers in the Serial Number column. For an HA pair, both the active and standby serial numbers are shown.

Brownfield Feature-Related Limitations

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point it to the appropriate AP location before deploying it. Otherwise, the message "Policy Deployment failed" is displayed.

AP Limitations

  • AP as a sensor is not supported in this release of Cisco DNA Center.

  • Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.

    After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.

  • Provisioning of 100 APs takes longer in this release as compared to 3 minutes in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.

Inter-Release Controller Mobility (IRCM) Limitation

The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.

IP Device Tracking on Trunk Port Limitation

Rogue-on-wire detection is impacted; Cisco DNA Center does not show all clients connected to a switch via an access point in bridge mode. The trunk port is used to exchange all VLAN information. When you enable IP device tracking on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable IP device tracking on the trunk port. The rogue-on-wire is not detected if the IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.

IP Address Manager Limitations

  • Cisco DNA Center supports integration with an external IPAM server that has trusted certificates. In the Cisco DNA Center GUI, under System > Settings > External Services > IP Address Manager, you might see the following error:

    NCIP10282: Unable to find the valid certification path to the requested target. 

    To correct this error for a self-signed certificate:

    1. Using OpenSSL, enter one of the following commands to download the self-signed certificate, depending on your IPAM type. (You can specify the FQDN [domain name] or IP address in the command. Redirecting standard input from /dev/null makes the command return after the handshake instead of waiting for input.)

      openssl s_client -showcerts -connect Infoblox-FQDN:443 </dev/null
      openssl s_client -showcerts -connect Bluecat-FQDN:443 </dev/null
    2. From the output, copy the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) into a new .pem file.

    3. Go to System > Settings > Trust & Privacy > Trustpool, click Import, and upload the certificate (.pem file).

    4. Go to System > Settings > External Services > IP Address Manager and configure the external IPAM server. (If the IPAM server is already configured, skip this step.)

    To correct this error for a CA-signed certificate, install the root certificate and any intermediate certificates of the CA that is installed on the IPAM into the Cisco DNA Center trustpool (System > Settings > Trust & Privacy > Trustpool).

  • You might see the following error if a CA-signed certificate is revoked by the certificate authority:

    NCIP10286: The remote server presented with a revoked certificate. Please verify the certificate. 

    To correct this, obtain a new certificate from the certificate authority and upload it to System > Settings > Trust & Privacy > Trustpool.

  • You might see the following error after configuring the external IPAM details:

    IPAM external sync failed: 
    NCIP10264: Non Empty DNAC parent pool <CIDR> exists in external ipam. 

    To correct this, log in to the external IPAM server (such as BlueCat). Confirm that the parent pool CIDR exists in the external IPAM server, and remove all the child pools that are configured under that parent pool. Then, return to the Cisco DNA Center GUI and reconfigure the IPAM server under System > Settings > External Services > IP Address Manager.

  • You might see the following error while using IP Address Manager to configure an external IPAM:

    NCIP10114: I/O error on GET request for "https://<IP>/wapi/v1.2/": 
    Host name '<IP>' does not match the certificate subject provided by the peer 
    (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US); 
    nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name '<IP>' 
    does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering, 
    O=Infoblox, L=Sunnyvale, ST=California, C=US) | 

    To correct this, log in to the external IPAM server (such as Infoblox) and regenerate the external IPAM certificate with the common name (CN) set to the valid hostname or IP address of the IPAM server. Put the same value in the Subject Alternative Name (SAN) extension as well (a DNS name entry for a hostname, an IP address entry for an IP address): verifiers that follow RFC 6125 consult the CN only when the certificate carries no SAN at all, and some, including the JDK's own, never match an IP address against the CN. In the preceding example, the CN value is www.infoblox.com, which is not the valid hostname or IP address of the external IPAM.

    After you regenerate the certificate, go to System > Settings > Trust & Privacy > Trustpool. Click Import and upload the new certificate (.pem file).

    Then, go to System > Settings > External Services > IP Address Manager and configure the external IPAM server with the server URL set to the valid hostname or IP address (the value listed in the certificate).
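The following script is added here as an example; it is not part of Cisco's documentation or of Cisco DNA Center. It automates two checks that the IPAM certificate procedures above rely on: it cuts the individual PEM blocks out of `openssl s_client -showcerts` output (step 2 of the self-signed procedure), and it predicts whether the host you will write in the IPAM server URL passes hostname verification against the certificate's SAN and CN, which is the check behind the NCIP10114 error. Because the Python standard library cannot parse X.509, the SAN and CN values are passed in as plain strings; read them off the certificate with `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` (OpenSSL 1.1.1 or later). The sample output, hostnames and IP addresses are constructed, and the matching rule implemented is RFC 6125 as Apache HttpClient's default verifier applies it, which is an assumption about the client that produced the quoted message.

```python
"""Pre-flight checks for an external IPAM certificate (example code, not Cisco DNA Center code).

split_pem_certificates(): cut the PEM blocks out of `openssl s_client -showcerts` output.
hostname_matches():       predict whether the host in the IPAM server URL passes hostname
                          verification, given the certificate's SAN entries and CN as strings.
"""
from __future__ import annotations

import ipaddress
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample of `openssl s_client -showcerts -connect ipam.example.net:443 </dev/null`
# output, trimmed. The base64 bodies are placeholders, not real certificates.
SAMPLE_SHOWCERTS = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ipam.example.net
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBissuerPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ipam.example.net
"""


def split_pem_certificates(showcerts_output: str) -> list[str]:
    """Return each PEM block in order: index 0 is the server (leaf) certificate, the rest are
    the intermediates (and sometimes the root). Each string can be written to a .pem file."""
    return [m.group(0) + "\n" for m in _PEM_BLOCK.finditer(showcerts_output)]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is accepted only as the
    entire leftmost label, needs at least two more labels, and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(url_host: str, san_dns: list[str], san_ip: list[str],
                     cn: str | None, cn_fallback_for_ip: bool = True) -> bool:
    """Would the verifier accept this certificate for the host written in the IPAM URL?

    Rule as implemented here (RFC 6125 as Apache HttpClient's DefaultHostnameVerifier applies
    it): if the certificate carries any SAN entry, only the SAN is consulted (iPAddress entries
    for an IP host, dNSName entries for a DNS host); the CN is a fallback used only when there
    is no SAN at all. cn_fallback_for_ip=False models stricter verifiers such as the JDK's,
    which never match an IP address against the CN.
    """
    host = url_host.strip("[]")  # IPv6 literals appear in brackets inside a URL
    ip = _parse_ip(host)
    if san_dns or san_ip:
        if ip is not None:
            return any(_parse_ip(s) == ip for s in san_ip)
        return any(_dns_name_matches(p, host) for p in san_dns)
    if cn is None:
        return False
    if ip is not None:
        return cn_fallback_for_ip and _parse_ip(cn) == ip
    return _dns_name_matches(cn, host)


def diagnose(url_host: str, san_dns: list[str], san_ip: list[str], cn: str | None) -> str:
    """One-line verdict, worded for the page's scenario (CN=www.infoblox.com, no SAN)."""
    if hostname_matches(url_host, san_dns, san_ip, cn):
        note = "" if (san_dns or san_ip) else " (matched via CN fallback only; add a SAN entry)"
        return f"ok: {url_host} is covered by the certificate{note}"
    if not san_dns and not san_ip:
        return (f"mismatch: no SAN and CN={cn!r} != {url_host!r}; reissue with the URL host "
                f"in the CN and in a SAN entry (iPAddress for an IP, dNSName for a hostname)")
    return f"mismatch: {url_host!r} not in SAN dNSName={san_dns} iPAddress={san_ip}"


if __name__ == "__main__":
    for i, pem in enumerate(split_pem_certificates(SAMPLE_SHOWCERTS)):
        print(f"certificate {i}: {len(pem.splitlines())} lines")
    print(diagnose("10.0.0.5", [], [], "www.infoblox.com"))   # the NCIP10114 case
    print(diagnose("10.0.0.5", [], [], "10.0.0.5"))           # CN-only fix: fragile
    print(diagnose("10.0.0.5", [], ["10.0.0.5"], "10.0.0.5"))  # CN plus SAN: robust
```

Run `diagnose()` with the values from your own certificate before configuring the IPAM server; a verdict that mentions the CN fallback means the certificate will be rejected as soon as the client is switched to a SAN-only verifier.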

Cisco Plug and Play Limitations

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • A PnP claim of a Cisco Catalyst 9800 does not work with SNMPv3-only site credentials. SNMPv2 read/write credentials must be configured for the PnP claim to succeed.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number> 

Cisco Group-Based Policy Analytics Limitations

  • Cisco Group-Based Policy Analytics supports up to five concurrent requests based on realistic customer data. While it is desirable for UI operations to respond within five seconds or less, for extreme cases based on realistic data, it can take up to 20 seconds. There is no mechanism to prevent more than five simultaneous requests at a time, but if it does happen, it might cause some UI operations to fail. Operations that take longer than a minute will time out.

  • Data aggregation occurs at hourly offsets from UTC in Cisco Group-Based Policy Analytics. However, some time zones are at a 30-minute or 45-minute offset from UTC. If the Cisco DNA Center server is located in a time zone with a 30-minute or 45-minute offset from UTC and the client is located in a time zone with an hourly offset from UTC, or vice versa, the time ranges for data aggregation in Cisco Group-Based Policy Analytics are incorrect for the client.

    For example, assume that the Cisco DNA Center server is located in California PDT (UTC-7) where data aggregations occur at hourly offsets (8:00 a.m., 9:00 a.m., 10:00 a.m., and so on). When a client located in India IST (UTC+5:30) wants to see the data between 10:00 - 11:00 p.m. IST, which corresponds to the time range 9:30 - 10:30 a.m. PDT in California, no aggregations are seen.

  • Group changes that occur within an hour are not captured. When an endpoint changes from one scalable group to another, Cisco Group-Based Policy Analytics is unaware of this change until the next hour.

  • You cannot sort the Scalable Group and Stealthwatch Host Group columns in the Search Results window.

  • You might see discrepancies in the information related to Network Access Device (including location) between Cisco DNA Assurance and Cisco Group-Based Policy Analytics.

Application Telemetry Limitation

When configuring application telemetry on a device, Cisco DNA Center might choose the wrong interface as the source for NetFlow data.

To force Cisco DNA Center to choose a specific interface, add netflow-source to the description of that interface. Only letters, digits, and spaces may appear before netflow-source; a special character may follow it only if it is separated from netflow-source by a space. For example, the following syntax is valid:

netflow-source 
MANAGEMENT netflow-source 
MANAGEMENTnetflow-source 
netflow-source MANAGEMENT 
netflow-sourceMANAGEMENT 
netflow-source & MANAGEMENT 
netflow-source |MANAGEMENT 

The following syntax is invalid:

MANAGEMENT | netflow-source 
* netflow-source 
netflow-source|MANAGEMENT 
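The following validator is added here as an example; it is not Cisco DNA Center's own matcher. The rule it implements is reconstructed from the valid and invalid descriptions listed above (nothing but letters, digits and whitespace before the first netflow-source, and a letter, digit, whitespace or end of string immediately after it), so it reproduces every listed case but may differ from the product on descriptions the page does not cover. It is useful for auditing interface descriptions before application telemetry is enabled.

```python
"""Validator for the netflow-source marker in an interface description (example code,
not Cisco DNA Center's matcher).

Rule reconstructed from the page's examples:
  * only letters, digits and whitespace may precede the first "netflow-source";
  * the character right after "netflow-source" must be a letter, digit, whitespace,
    or the end of the description.
"""
import re

_MARKER = "netflow-source"
_PLAIN = r"[A-Za-z0-9\s]"  # characters that never count as "special"
_RULE = re.compile(_PLAIN + r"*" + re.escape(_MARKER) + r"(?:$|" + _PLAIN + r")")

# The page's own examples, used as the acceptance test for the reconstructed rule.
PAGE_VALID = [
    "netflow-source", "MANAGEMENT netflow-source", "MANAGEMENTnetflow-source",
    "netflow-source MANAGEMENT", "netflow-sourceMANAGEMENT",
    "netflow-source & MANAGEMENT", "netflow-source |MANAGEMENT",
]
PAGE_INVALID = ["MANAGEMENT | netflow-source", "* netflow-source", "netflow-source|MANAGEMENT"]


def netflow_source_marker_ok(description: str) -> bool:
    """True if, under the reconstructed rule, the description should make Cisco DNA Center
    pick this interface as the NetFlow source."""
    return _RULE.match(description) is not None


def explain(description: str) -> str:
    """Say why a description fails, so the fix is obvious before it is pushed to a device."""
    idx = description.find(_MARKER)
    if idx < 0:
        return "no netflow-source marker"
    bad_before = re.search(r"[^A-Za-z0-9\s]", description[:idx])
    if bad_before:
        return f"special character {bad_before.group(0)!r} before the marker"
    rest = description[idx + len(_MARKER):]
    if rest and not re.match(_PLAIN, rest[0]):
        return f"special character {rest[0]!r} immediately after the marker; insert a space"
    return "ok"


def check_all(descriptions):
    """Map each description to (accepted, reason); handy for auditing every interface on a device."""
    return {d: (netflow_source_marker_ok(d), explain(d)) for d in descriptions}


if __name__ == "__main__":
    for desc, (ok, why) in check_all(PAGE_VALID + PAGE_INVALID).items():
        print(f"{'VALID  ' if ok else 'INVALID'} {desc!r}: {why}")
```

Feed `check_all()` the output of `show interfaces description` (one description per entry) and fix every entry whose reason is not "ok" before enabling application telemetry on the device.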

Discovery Limitation

When a device is configured with the SNMPv3 user and group that are used for Discovery, if SNMP polling fails during Discovery, Cisco DNA Center creates a "default" SNMPv3 group and maps that default group to the SNMPv3 user that is defined during Discovery.

Cisco Catalyst 9800 Series Wireless Controller Release 17.3 or Later Shows 00:00:00:00:00:00 as the Threat MAC Address for the aWIPS Attack

Cisco Catalyst 9800 Series Wireless Controller Release 17.3 or later, which is managed by Cisco DNA Center Release 2.1.2, shows 00:00:00:00:00:00 as the threat MAC address for the aWIPS attack. This is due to the aWIPS format change in Catalyst 9800 Series Wireless Controller Release 17.3 for providing more scalable data format transfer. Cisco DNA Center does not understand the new aWIPS format in Release 2.1.1.

In Cisco DNA Center Release 2.1.2, aWIPS is supported on Catalyst 9800 Series Wireless Controller 17.1, 17.2, and 17.3. The aWIPS enhancement in Catalyst 9800 Series Wireless Controller Release 17.3 is not backward compatible and is therefore not supported in Cisco DNA Center Release 2.1.1.

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center.


Note

The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.


For This Type of Information... See This Document...

Release information, including new features, limitations, and open and resolved bugs.

Cisco DNA Center Release Notes

Installation and configuration of Cisco DNA Center, including postinstallation tasks.

Cisco DNA Center Installation Guide

Upgrade information for your current release of Cisco DNA Center.

Cisco DNA Center Upgrade Guide

Use of the Cisco DNA Center GUI and its applications.

Cisco DNA Center User Guide

Configuration of user accounts, security certificates, authentication and password policies, and backup and restore.

Cisco DNA Center Administrator Guide

Security features, hardening, and best practices to ensure a secure deployment.

Cisco DNA Center Security Best Practices Guide

Supported devices, such as routers, switches, wireless APs, and software releases.

Cisco DNA Center Compatibility Matrix

Hardware and software support for Cisco SD-Access.

Cisco SD-Access Compatibility Matrix

Use of the Cisco DNA Assurance GUI.

Cisco DNA Assurance User Guide

Use of the Cisco DNA Center platform GUI and its applications.

Cisco DNA Center Platform User Guide

Cisco DNA Center platform release information, including new features, deployment, and bugs.

Cisco DNA Center Platform Release Notes

Use of the Cisco Wide Area Bonjour Application GUI.

Cisco Wide Area Bonjour Application User Guide

Use of the Stealthwatch Security Analytics Service on Cisco DNA Center.

Cisco Stealthwatch Analytics Service User Guide

Use of Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center GUI.

Cisco DNA Center Rogue Management Application Quick Start Guide