Release Notes for Cisco DNA Center, Release 2.2.2.x
This document describes the features, limitations, and bugs for Cisco DNA Center, Release 2.2.2.x.
Change History
The following table lists changes to this document since its initial release.
Date | Change | Location |
---|---|---|
2023-07-27 | Previously, the Cisco DNA Center Release Notes and the Cisco DNA Center Platform Release Notes were separate. Now, they are combined into a single release note; the Cisco DNA Center platform content has been consolidated into this document. | — |
2022-06-17 | Added the Cloud Connectivity - Contextual Content package. | |
2022-06-06 | Added the list of packages in Cisco DNA Center 2.2.2.9. | Package Versions in Cisco DNA Center, Release 2.2.2.x |
2022-06-06 | Added the Resolved Bugs table for 2.2.2.9. | |
2022-06-06 | Added the open bugs CSCwa51827 and CSCwb73232. | |
2022-06-06 | Noted that Cisco DNA Center 2.2.2.9 contains fixes for the Spring4Shell vulnerability. | |
2022-06-06 | Added details about the AI cloud client certificate renewal. | |
2022-04-12 | Added information that beginning with release 2.2.2.x, Cisco DNA Assurance does not support sensor-driven tests using the legacy method. | |
2022-03-28 | Added the open bug CSCwa23879. | |
2021-12-21 | Added the list of packages in Cisco DNA Center 2.2.2.8. | |
2021-12-21 | Added the Resolved Bugs table for 2.2.2.8. | |
2021-12-21 | Noted that Cisco DNA Center 2.2.2.8 contains fixes for the Apache Log4j vulnerability. | |
2021-10-26 | Added the list of packages in Cisco DNA Center 2.2.2.6. | |
2021-10-26 | Added the Resolved Bugs table for 2.2.2.6. | |
2021-10-06 | Added the open bug CSCvz76664. | |
2021-09-24 | Added the list of packages in Cisco DNA Center 2.2.2.5. | |
2021-09-24 | Added the Resolved Bugs table for 2.2.2.5. | |
2021-08-19 | Added the open bug CSCvy30606. | |
2021-08-09 | Added the list of packages in Cisco DNA Center 2.2.2.4. | |
2021-08-09 | Added the Resolved Bugs table for 2.2.2.4. | |
2021-06-22 | Explained how to replace a Cisco Catalyst 9800 HA device that fails in a fabric setup. | |
2021-06-14 | Added the link to download Cisco DNA Center software. | |
2021-05-27 | Added the list of packages in Cisco DNA Center 2.2.2.3. | |
2021-05-27 | Added the Resolved Bugs table for 2.2.2.3. | |
2021-05-07 | Added the list of packages in Cisco DNA Center 2.2.2.1. | |
2021-05-07 | Added the Resolved Bugs table for 2.2.2.1. | |
2021-04-23 | Initial release. | — |
Upgrade to the Latest Cisco DNA Center Release
For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.
Package Versions in Cisco DNA Center, Release 2.2.2.x
To download Cisco DNA Center software, go to https://software.cisco.com/download/home/286316341/type.
Package Name | Release 2.2.2.9 | Release 2.2.2.8 | Release 2.2.2.6 | Release 2.2.2.5 | Release 2.2.2.4 | Release 2.2.2.3 | Release 2.2.2.1 | Release 2.2.2.0 |
---|---|---|---|---|---|---|---|---|
System Updates | | | | | | | | |
System | 1.6.594 | 1.6.594 | 1.6.551 | 1.6.424 | 1.6.424 | 1.6.387 | 1.6.368 | 1.6.368 |
System Commons | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Package Updates | | | | | | | | |
Access Control Application | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
AI Endpoint Analytics | 1.4.375 | 1.4.375 | 1.4.365 | 1.4.365 | 1.4.365 | 1.4.365 | 1.4.290 | 1.4.290 |
AI Network Analytics | 2.6.10.494 | 2.6.9.455 | 2.6.9.455 | 2.6.9.453 | 2.6.9.453 | 2.6.7.436 | 2.6.5.426 | 2.6.5.426 |
Application Hosting | 1.6.6.2201241723 | 1.6.6.2112161504 | 1.6.0.2109011512 | 1.6.0.2107090810 | 1.6.0.2107090810 | 1.6.0.2104291515 | 1.6.0.2104071147 | 1.6.0.2104071147 |
Application Policy | 2.1.369.170033 | 2.1.368.170003 | 2.1.366.170328 | 2.1.364.170201 | 2.1.364.170201 | 2.1.363.170112 | 2.1.360.117407 | 2.1.360.117403 |
Application Registry | 2.1.369.170033 | 2.1.368.170003 | 2.1.366.170328 | 2.1.364.170201 | 2.1.364.170201 | 2.1.363.170112 | 2.1.360.117407 | 2.1.360.117403 |
Application Visibility Service | 2.1.369.170033 | 2.1.368.170003 | 2.1.366.170328 | 2.1.364.170201 | 2.1.364.170201 | 2.1.363.170112 | 2.1.360.117407 | 2.1.360.117403 |
Assurance - Base | 2.2.2.485 | 2.2.2.485 | 2.2.2.450 | 2.2.2.411 | 2.2.2.411 | 2.2.2.357 | 2.2.2.305 | 2.2.2.305 |
Assurance - Sensor | 2.2.2.484 | 2.2.2.484 | 2.2.2.448 | 2.2.2.404 | 2.2.2.404 | 2.2.2.346 | 2.2.2.302 | 2.2.2.302 |
Automation - Base | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Automation - Intelligent Capture | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.364.62281 | 2.1.360.60878 | 2.1.360.60875 |
Automation - Sensor | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Cisco DNA Center Global Search | 1.5.0.466 | 1.5.0.466 | 1.5.0.362 | 1.5.0.362 | 1.5.0.362 | 1.5.0.362 | 1.5.0.5 | 1.5.0.5 |
Cisco DNA Center Platform | 1.5.1.182 | 1.5.1.180 | 1.5.1.171 | 1.5.1.137 | 1.5.1.137 | 1.5.1.120 | 1.5.1.64 | 1.5.1.62 |
Cisco DNA Center UI | 1.6.2.448 | 1.6.2.446 | 1.6.2.442 | 1.6.2.432 | 1.6.2.407 | 1.6.2.349 | 1.6.2.341 | 1.6.2.303 |
Cisco SD-Access | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Cisco Umbrella | 2.1.368.592066 | 2.1.368.592015 | 2.1.366.592043 | 2.1.364.592099 | 2.1.364.592099 | 2.1.363.590048 | 2.1.360.590210 | 2.1.360.590196 |
Cloud Connectivity - Contextual Content | 1.3.1.364 | 1.3.1.364 | 1.3.1.364 | 1.3.1.359 | 1.3.1.359 | 1.3.1.307 | — | — |
Cloud Connectivity - Data Hub | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.263 | 1.6.0.263 |
Cloud Connectivity - Tethering | 2.12.1.2 | 2.12.1.2 | 2.12.1.2 | 2.12.1.2 | 2.12.1.2 | 2.1.1.43 | 2.1.1.41 | 2.1.1.41 |
Cloud Device Provisioning Application | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Command Runner | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Device Onboarding | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Disaster Recovery | 2.1.367.360196 | 2.1.367.360196 | 2.1.366.362051 | 2.1.364.362034 | 2.1.364.362034 | 2.1.363.360026 | 2.1.360.360163 | 2.1.360.360163 |
Group-Based Policy Analytics | 2.2.1.401 | 2.2.1.401 | 2.2.1.230 | 2.2.1.226 | 2.2.1.226 | 2.2.1.209 | 2.2.1.162 | 2.2.1.162 |
Image Management | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Machine Reasoning | 2.1.369.210024 | 2.1.368.210017 | 2.1.366.212047 | 2.1.364.212034 | 2.1.364.212034 | 2.1.363.210023 | 2.1.360.210102 | 2.1.360.210099 |
NCP - Base | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
NCP - Services | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Network Controller Platform | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Network Data Platform - Base Analytics | 1.6.1031 | 1.6.1028 | 1.6.1022 | 1.6.1019 | 1.6.1019 | 1.6.1016 | 1.6.1014 | 1.6.1014 |
Network Data Platform - Core | 1.6.596 | 1.6.596 | 1.6.589 | 1.6.579 | 1.6.579 | 1.6.576 | 1.6.574 | 1.6.574 |
Network Data Platform - Manager | 1.6.543 | 1.6.543 | 1.6.542 | 1.6.541 | 1.6.541 | 1.6.539 | 1.6.538 | 1.6.538 |
Network Experience Platform - Core | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
Path Trace | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875 |
RBAC Extensions | 2.1.369.1910003 | 2.1.368.1910001 | 2.1.365.1910005 | 2.1.364.1910003 | 2.1.364.1910003 | 2.1.363.1900001 | 2.1.360.1900009 | 2.1.360.1900009 |
Rogue and aWIPS | 2.2.0.51 | 2.2.0.51 | 2.2.0.51 | 2.2.0.45 | 2.2.0.45 | 2.2.0.42 | 2.2.0.37 | 2.2.0.37 |
Stealthwatch Security Analytics | 2.1.369.1091317 | 2.1.368.1091226 | 2.1.366.1091170 | 2.1.364.1091088 | 2.1.364.1091088 | 2.1.363.1090038 | 2.1.360.1090037 | 2.1.360.1090024 |
Wide Area Bonjour | 2.4.368.75006 | 2.4.368.75006 | 2.4.364.75035 | 2.4.363.75002 | 2.4.363.75002 | 2.4.363.75002 | 2.4.360.75032 | 2.4.360.75029 |
New and Changed Information
Important Updates in Cisco DNA Center 2.2.2.9
Feature | Description |
---|---|
AI Cloud Client Certificate Renewal | The on-premises Cisco AI Analytics agent uses a client X.509 certificate that is issued during the tenant registration process to authenticate to the Cisco AI Cloud. Before June 2021, the issued client certificates were valid for three years. As of June 2021, the issued client certificates are valid for one year. The automatic certificate renewal process has been added to the Cisco AI Analytics agent starting with the following releases: To guarantee uninterrupted service, we recommend that you upgrade the Cisco AI Analytics agent to a release that supports automatic certificate renewal before the end of July 2022. After the certificate has been automatically renewed, one month before expiration, a notification to back up the new configuration is shown on the Cisco AI Network Analytics window. This backup is mandatory to restore the services on a new appliance. |
Fixes for the Spring4Shell Vulnerability | In March 2022, VMware disclosed vulnerabilities in the Spring4Shell Spring Framework. Cisco is committed to transparency and we have published a security advisory to make sure our customers understand the issue and how to address it. Please refer to our advisory for the latest information: Cisco Security Advisory: Vulnerability in Spring Framework Affecting Cisco Products: March 2022. Cisco DNA Center 2.2.2.9 contains fixes for the Spring4Shell vulnerability. This effort is being tracked as CSCwb43650 for the Cisco DNA Center product and contains the following fix: To help assess, identify, and reduce exposure to vulnerabilities, consider running a trusted vulnerability scanner. For example: |
Important Updates in Cisco DNA Center 2.2.2.8
Feature | Description |
---|---|
Fixes for the Apache Log4j Vulnerability | In December 2021, the Apache Software Foundation disclosed vulnerabilities in the open-source Log4j logging library. At this time, almost all affected Cisco products have either been remediated or have a software update scheduled for release. Cisco is committed to transparency and we have published a security advisory to make sure our customers understand the issue and how to address it. Please refer to our advisory for the latest information: Cisco DNA Center 2.2.2.8 contains fixes for the Apache Log4j vulnerability. This effort is being tracked as CSCwa47322 for the Cisco DNA Center product and contains the following fixes: To help assess, identify, and reduce exposure to vulnerabilities, consider running a trusted vulnerability scanner. For example: |
New and Changed Features—Cisco DNA Center 2.2.2.4
The following table summarizes the new and changed features in Release 2.2.2.4.
Feature | Description |
---|---|
Link Aggregation Control Protocol (LACP) Support | A port channel created on the fabric edge can use LACP to connect to the server or trunk ports. Note that LACP cannot be used on a port channel that is connected to an extended node. |
Multicast Support on Multisite Remote Border | You can enable multicast on a virtual network that is anchored to a Multisite Remote Border. Configuring multicast on an anchored virtual network configures multicast on the devices in the inherited virtual network too, provided the inherited virtual network already contains a segment. If the inherited virtual network does not have a segment, multicast is deployed only after the first segment is created. |

Feature | Description |
---|---|
New API Features | |
SDA API (BETA) | This Cisco DNA Center platform release supports the following new Cisco Software-Defined Access (SDA) API methods: |
New and Changed Features—Cisco DNA Center 2.2.2.3
The following tables summarize the new and changed features in Release 2.2.2.3.
Feature | Description |
---|---|
Terminology Changes Related to Installation Wizards | As you install Cisco DNA Center 2.2.2.3 and configure the appliance, you will notice the following label changes: |
Usage Insights Report | The Usage Insights report tracks key performance metrics for several Cisco DNA Center use cases and helps you translate KPIs into IT operational savings. The report translates in-product telemetry into end-user insights. The Usage Insights report is a customized report that shows the productivity improvement of network operations with Cisco DNA Center and comparative return on investment (ROI) insights with a traditional NMS. To view the report, click the Menu icon and choose . |

Feature | Description |
---|---|
Support for APs on StackWise Virtual Edge Nodes | Fabric-mode APs can be connected to edge nodes deployed as a StackWise Virtual Pair. |
Support for SD-Access Embedded Wireless on StackWise Virtual Fabric Nodes | The Cisco Catalyst 9800 Embedded Wireless Controller is supported on Catalyst 9400 and 9500 Series switches deployed as a StackWise Virtual Pair operating in a fabric role. |

Feature | Description |
---|---|
New API Features | |
SDA API (BETA) | This Cisco DNA Center platform release supports the following new SDA API methods: To access the new SDA APIs in the Cisco DNA Center GUI, click the menu icon and choose . From the Connectivity drop-down list, choose SDA. |
New and Changed Features—Cisco DNA Center 2.2.2.0
The following tables summarize the new and changed features in Release 2.2.2.0.
Feature | Description |
---|---|
Automatic Download Option for ThousandEyes Enterprise Agent Application | ThousandEyes Enterprise Agent is an application that gets automatically downloaded within several minutes of starting the App Hosting service. In the absence of an internet connection, you can set a proxy connection from the console to download the application. |
Cisco AI Endpoint Analytics | |
Cisco Group-Based Policy Analytics | Access Contracts can now be created and modified directly from the Analytics tab. |
Cisco Umbrella Configuration Support for New Devices | With this release, Cisco Umbrella configuration support is available for the following devices: |
Cisco Umbrella: Review Internal Domains | You can add and delete the list of internal domains from Cisco Umbrella. |
Config Drift Visibility | The Config Drift page displays configuration changes and allows you to pick any two versions of the same device and compare their running configuration data. |
Create Network Profiles for Firewall | Cisco DNA Center allows you to create network profiles for firewalls. You can create custom configurations to configure security devices like the Adaptive Security Appliance (ASA) family of devices. You can also create FTD configurations to configure FTD devices. |
Deregister Faulty Device from Cisco SSM | The RMA workflow deregisters a faulty device from Cisco SSM and registers the replacement device with Cisco SSM. |
Disaster Recovery | The following disaster recovery changes are new in this release: |
Explore Menu | The following features are moved from the Cisco DNA Center home page to the Explore menu: |
Export Cisco DNA Center PKI Certificate | Cisco DNA Center allows you to download the device certificates that are required to set up an external entity such as a AAA (pronounced "triple A") server or Cisco ISE server to authenticate the devices. |
Firepower Management Center | Cisco DNA Center supports the integration of Firepower Management Center (FMC). FMC provides complete and unified management over Firepower Threat Defense (FTD) devices for managing Cisco network security solutions. |
Group-Based Access Control | You can now view the policy enforcement statistics data in the Policies listing window. The total number of policy permits and denies are displayed for the selected time period. Group-based access control policies can be created or updated based on the traffic flows for a given source and destination group pair. You can also create custom views of the policy matrix to focus only on the policies that you are interested in. |
Inventory Insights | Cisco DNA Center provides insights about the devices in your network if there are any inconsistencies in the device configuration of two connected devices. |
IPv6 Search | Cisco DNA Center allows you to search for devices using their IPv6 addresses. You can search for a device using its full IPv6 address, any abbreviated form, or double colon in the IPv6 address with prefix and postfix combinations. |
Persistence Across Inventory Views | The device selection and the number of devices shown in the inventory table persist across inventory views in Cisco DNA Center. |
Plug and Play Support for Cisco DNA Traffic Telemetry Appliance | You can claim a Cisco DNA Traffic Telemetry Appliance from the Plug and Play Devices list. |
Preview Devices 2.0 | The Preview Devices 2.0 toggle button is new in the top-right corner of the page. Click the Preview Devices 2.0 toggle button to view the devices, site profiles, software images, topology, RMA, PnP, templates, and PSIRTs in a new framework. |
Retry Option in Workflows | Cisco DNA Center allows you to retry the workflow with the click of a single button in a normal workflow. In the RMA workflow, the retry button is operational only if it is hidden from state. |
Separation of Golden Tagging and Download | With this release, you can separate download and golden tagging of software images. Cisco DNA Center allows you to download the software images by not marking them as golden. |
System Health | The following System Health changes are new in this release: |
Topology Support for New Devices | Topology support is provided for the following devices: |
User-Defined Fields | User-defined fields are custom labels that you can create and assign to any device in Cisco DNA Center. By assigning labels to a device and adding values to them, you can show more details about the device in the Device Details page. |
View IP Address Pools | |

Feature | Description |
---|---|
AP Configuration Workflow | The AP Configuration workflow helps you to configure and deploy AP-level and radio-level parameters in Cisco DNA Center. You can configure the following AP-level parameters: You can configure the following radio-level parameters: |
AP RMA Retry | The AP RMA Retry feature allows you to retry a failed defective AP replacement. |
Custom Rogue Rule Workflow | You can create custom rogue rules in Cisco DNA Center. Rogue rules are an easy way to segregate and manage rogues with different risk profiles. Rogue rules are easy to configure and they are applied in order of priority. They reduce false positives, noise for sites with interferers, and number of alerts. They provide the ability to adjust organizational risk profiles on a global and site basis. |
Enable ICMP Ping on APs in FlexConnect Mode | You can enable or disable the Internet Control Message Protocol (ICMP) ping on APs in FlexConnect mode from Cisco DNA Center. Cisco DNA Center uses ICMP to ping FlexConnect APs that are in an unreachable state every 5 minutes to enhance reachability, and then updates the reachability status in the Inventory window. |
Mobility Cipher Configuration | You can enable or disable the DTLS (Datagram Transport Layer Security) Cipher configuration for mobility on Cisco Catalyst 9800 Series Wireless Controller Release 17.5 or later. |
Multiple Ciphersuite Support | You can configure multiple DTLS (Datagram Transport Layer Security) Ciphersuites on Cisco Catalyst 9800 Series Wireless Controller, Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches, and Cisco Embedded Wireless Controller on Catalyst Access Points platforms running Release 17.5 or later. |
Rogue Rule Profile Workflow | You can create a rule with specific conditions and then associate it to a rule profile in Cisco DNA Center. |
Site Hierarchy Movement | You can change the site hierarchy for unprovisioned devices while preserving AP locations on sitemaps. Note, however, that you cannot move an existing floor to a different building. |
Special Character Handling | The following changes are introduced in this release: |
Support for a New AP | This release introduces support for Cisco Catalyst 9124AXE Series Access Points. |
Support for Band Select or Radio Policy Selection for Guest SSID | You can configure wireless band preferences by selecting one of the following options: |
Support for New aWIPS Signatures | The following aWIPS signatures are introduced in this release: |
Support to Modify AP Names in Cisco DNA Center | You can edit AP names in bulk by using the AP Configuration workflow. |

Feature | Description |
---|---|
Application Experience Health Score Calculation Enhancements | You can add the Application Response Time KPI to the Application Experience health score calculation. |
Application Health Score Customization | You can customize the health score calculation for applications by changing the KPI thresholds on a per-traffic class basis and specifying the KPIs that are included for the calculation. |
Baselines Dashboard | Cisco AI Network Analytics uses the most advanced machine learning techniques to define the baseline that is relevant to your specific network and sites. |
Cisco SD-Access: Device 360 Enhancements | In the Network Device 360 - Device detail area, below the timeline, you can view additional information about the device such as Fabric Role, Fabric Domain, and Fabric Site. In the Detailed Information area under the Fabric tab, new fabric KPIs are grouped under Fabric Infrastructure and VN Service included for device health. |
Cisco SD-Access: Network Health Dashboard Enhancements | The Network Health Summary dashlet provides new KPIs for fabric domains: In the Network Device dashlet, you can filter the network device table based on the fabric types, including Extended Node. |
Cisco SD-Access: Network Topology Enhancements | In the Physical Neighbor Topology for fabric domains, the fabric badge icons identify device fabric groups such as Border, Control Plane, Edge, Extended Node and Wireless. |
Deprecated Feature: Sensor-Driven Tests Using the Legacy Method | You can no longer create and run sensor-driven tests using the legacy method. You need to create and run sensor-driven tests using templates. |
Device 360 - Interface Utilization Graph | For interfaces, Tx and Rx Utilization chart values are populated in absolute values (Percentage and Rate). |
Event Viewer Enhancements | In the Client 360 Dashboard, the Event Viewer detailed information area is enhanced to show: |
MAC Randomization | With MAC randomization, client devices use a unique private MAC address, known as a Randomized and Changing MAC (RCM) address, when connecting to the Wi-Fi network. |
Monitor and Troubleshoot the Health of a Device | The Device 360 page now supports a Map and Comparison View that allows you to compare the last 5 minutes of health of AP radios across the floor in a building. |
Monitor Application Health Enhancements | Click the Managed Clients tab to view only the clients that are managed by Cisco DNA Center. |
Network Device Health Summary UI Enhancement - Unmonitored to No Health | The Network Device Health Summary - Total Devices section provides the total number of network devices and the count of Good Health, Fair Health, Poor Health, and No Health data. |
Power over Ethernet Dashboard | The PoE dashboard is added to Assurance > Dashboards > PoE, which lets you monitor and view the operational state of the PoE-capable devices in your network. The following dashlets are available: PoE Operational State Distribution, PoE Powered Device Distribution, Power Load Distribution, PoE Insights, and PoE Power Usage Dashlet. |
Power Stack Visibility | In the Network Device 360 view, you can view the stack power connection details under the PoE tab. |
Sensor Test - Proxy | With this release, proxy support is enabled for Sensor-Driven Tests. You can run the sensor test through proxy settings. |
View and Manage Issues (Access Point Issues) | A poor RF issue triggers when APs have a poor wireless experience. The poor RF issue instance second slide-in pane supports Problem Details, Impact Details, Troubleshooting, and Suggested Actions for poor RF issues. Also, the poor RF issue instance second slide-in pane allows you to compare the health of AP radios across the floor in a building. |
View and Manage Issues (Radio No Activity Issues) | The radio no activity issue instance identifies and raises an issue for AP radios that fail to serve clients for 60 to 240 minutes. The radio no activity issue instance pane supports Problem Details, Relevant Issue, and Suggested Actions. |
View and Manage Issues (Wireless Client Issues) | With this release, the Cisco DNA Center machine reasoning engine (MRE) supports root cause analysis (RCA) for AAA server issues. RCA allows you to analyze Cisco ISE syslog messages from various servers to derive the possible root causes that could have triggered the issue. RCA support is extended for the following AAA server issues: |
WAN Link Availability Dashlet | You can view the status of the available WAN links in your network. |
WAN Link Utilization Dashlet | You can view the status of the WAN link utilization percentage only for the available WAN links in your network. |

Feature | Description |
---|---|
Fabric Edge Node Scale | The number of local endpoints that an SD-Access fabric edge node supports is now enhanced. The support is limited to the capability of the platform that is configured as the fabric edge. Use the show lisp platform command to check the platform limits. See the Cisco DNA Center Data Sheet for specific scale numbers. |
Support for VLAN ID Customization | You can now assign a desired VLAN ID to a host pool VLAN and Layer 3 handoff VLAN. The VLAN IDs can be in the range of 1 to 4095. This feature provides more flexibility in segment creation for the brownfield SD-Access deployments. Delete any existing overlapping or conflicting VLANs or SVIs or AAA configurations from the device and resynchronize the device in the inventory prior to adding it to the SD-Access fabric. When you upgrade from an earlier release, the existing VLANs continue to work normally. Post upgrade, you will need to provide an external VLAN ID for new Layer 3 handoffs. Layer 2 Handoff VLAN is auto populated based on the VLAN ID assigned to the host pool. You can edit the Layer 2 Handoff VLAN ID to assign a different VLAN number. To change the VLAN ID for an existing IP pool VLAN, delete the IP pool and create the IP pool again with the desired VLAN ID. Consider the following guidelines before assigning a custom VLAN ID: |
Feature | Description | ||
---|---|---|---|
New API Features |
|||
Application Policy APIs |
The Cisco DNA Center platform supports the following new Application Policy APIs.
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
Audit Log API Updates |
The following updates have been made in the Audit Log API for this release.
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
Device Link Mismatch API Support |
This release supports updated APIs that provide additional information about device link mismatches. The following new method have been added to the Network Device API:
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
Display PoE Interface API |
This release supports updated APIs that diplay device interface PoE data. The following new method have been added to the Network Device API:
This API returns the following attributes:
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
IPAM APIs |
The Cisco DNA Center platform supports the following new IPAM APIs.
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
License Manager APIs |
The Cisco DNA Center platform supports the following new License Manager APIs.
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
PnP APIs |
This Cisco DNA Center platform release supports a new option in the PnP claim API that indicates if user authorization is needed for the claim to complete:
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
Reports API |
The Cisco DNA Center platform supports the following new Reports APIs. The following GET methods are supported:
The following POST method is supported:
The following DELETE method is supported:
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . From the Operational Tasks drop-down list, choose Reports. |
||
Supervisor and Line Card API Detail |
This release supports updated APIs that provide additional information about Cisco supervisor and line cards. The following new methods have been added to the Network Device API:
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
SWIM Automation API |
This release supports a new SWIM Automation API. This new API provides the following:
To access the new APIs in the Cisco DNA Center GUI, click the menu icon and choose . |
||
New Event Features |
|||
Event Notifications for Assurance Issues |
Event notification support has been added to the following Assurance issues:
For information about events and setting up a notification for an event, see Chapter 8, Developer Toolkit GUI in the Cisco DNA Center Platform User Guide. |
||
Event Notifications for SDA Assurance Fabric Issues |
Event notification support has been added to the following SDA Assurance issues:
For information about events and setting up a notification for an event, see Developer Toolkit GUI in the Cisco DNA Center Platform User Guide. |
||
Event Security Advisory Update |
This release supports a new event security advisory update event. When a security advisory update becomes available, Cisco DNA Center will recommend that you perform a network scan. For information about events and setting up a notification for an event, see Developer Toolkit GUI in the Cisco DNA Center Platform User Guide. |
||
Removal of Client Global Onboarding Time Issue Event Notification |
This release removes the event notification for the client global onboarding time issue by site baseline. This Assurance issue will no longer display in the Events window (accessible by clicking . |
||
SDA Event Subscription Updates |
This release supports the following SDA event subscription updates:
For information about events and subscribing to an event, see Developer Toolkit GUI in the Cisco DNA Center Platform User Guide. |
||
System Notification Events |
This release supports the following new System Notification events:
To view the new events, click the menu icon and choose . |
||
New Reports Features |
|||
Port Capacity |
This release supports a new Port Capacity report that provides the port capacity per device and reports on the following:
No time period is selected, but you can choose any particular date and time for the past 90 days. You can run the report once or run it on a recurring basis. The supported report file types are CSV and TDE. For detailed information about the new Port Capacity report, see Reports in the Cisco DNA Center Platform User Guide. |
||
VLAN |
This release supports a new VLAN report that supports the following features:
The supported report file types are CSV and TDE. For detailed information about the new VLAN report, see Reports in the Cisco DNA Center Platform User Guide. |
||
New Support Features |
|||
PagerDuty Integration Support |
For this release, there is support for Cisco DNA Center integration with PagerDuty.
You configure integration between Cisco DNA Center and PagerDuty using events. To configure an event using the Cisco DNA Center GUI, click the menu icon and choose . Click an individual event to configure its integration with PagerDuty. For detailed information about the Cisco DNA Center-to-PagerDuty integration, see the Cisco DNA Center ITSM Integration Guide. |
Feature | Description |
---|---|
View and Modify Access Contracts |
You can now view, create, edit, and delete access contracts directly from the Analytics tab. |
Deprecated Features
SNMPv3 Data Encryption Standard (DES) Privacy Mode support is deprecated in Cisco DNA Center 2.2.2. SNMPv3 DES is no longer supported in Cisco DNA Center 2.2.2 or any later releases.
SNMPv3 DES is used to ensure data confidentiality: the designated portion of an SNMP message is encrypted and included as part of the message sent to the recipient. DES is no longer considered secure because its key length is too short and it has proven ineffective against brute-force attacks. Advanced Encryption Standard (AES) is the recommended privacy mode.
Cisco SD-Access Compatibility Matrix
For information about Cisco SD-Access hardware and software support for Cisco DNA Center, see the Cisco Software-Defined Access Compatibility Matrix. This information is helpful for deploying Cisco SD-Access.
Cisco DNA Center Compatibility Matrix
For information about devices, such as routers, switches, wireless APs, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see the Cisco DNA Center Compatibility Matrix.
Compatible Browsers
The Cisco DNA Center GUI is compatible with the following HTTPS-enabled browsers:
- Google Chrome: Version 73.0 or later.
- Mozilla Firefox: Version 65.0 or later.
We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.
Cisco DNA Center Scale
For Cisco DNA Center scale numbers, see the Cisco DNA Center Data Sheet.
IP Address and FQDN Firewall Requirements
To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through an existing network firewall, see "Required Internet URLs and Fully Qualified Domain Names" in the "Plan the Deployment" chapter of the Cisco DNA Center Installation Guide.
About Telemetry Collection
Telemetry data is collected by default in Cisco DNA Center 2.1.x and later, but you can opt out of some data collection. The data collection is designed to help the development of product features and address any operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data: Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco DNA Center Data Sheet for a more expansive list of data that we collect. To opt out of some of the data collection, contact your Cisco account representative and the Cisco TAC.
Supported Hardware Appliances
Cisco supplies Cisco DNA Center in the form of a rack-mountable, physical appliance. The following versions of the Cisco DNA Center appliance are available:
- First generation
  - 44-core appliance: DN1-HW-APL
- Second generation
  - 44-core appliance: DN2-HW-APL
  - 44-core promotional appliance: DN2-HW-APL-U
  - 56-core appliance: DN2-HW-APL-L
  - 56-core promotional appliance: DN2-HW-APL-L-U
  - 112-core appliance: DN2-HW-APL-XL
  - 112-core promotional appliance: DN2-HW-APL-XL-U
Supported Firmware
Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:
- Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL
- Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL
- Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-L
- Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-XL
The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with all later versions.
Installing Cisco DNA Center
You install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.
Note |
Certain applications, like Group-Based Policy Analytics, are optional applications that are not installed on Cisco DNA Center by default. If you need any of the optional applications, you must manually download and install the packages separately. For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide. |
Support for Cisco Connected Mobile Experiences
Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) Release 10.6.2 or later. Earlier versions of Cisco CMX are not supported.
Caution |
While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password. |
Plug and Play Considerations
Plug and Play Support
General Feature Support
Plug and Play supports the following features, depending on the Cisco IOS software release on the device:
- AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.
- Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)
Secure Unique Device Identifier Support
The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:
- Cisco routers:
  - Cisco ISR 1100 Series with software release 16.6.2
  - Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later
  - Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1
- Cisco switches:
  - Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later
  - Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later
  - Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later
  - Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later
  - Cisco Catalyst 9300 Series with software release 16.6.1 or later
  - Cisco Catalyst 9400 Series with software release 16.6.1 or later
  - Cisco Catalyst 9500 Series with software release 16.6.1 or later
  - Cisco Catalyst IE3300 Series with software release 16.10.1e or later
  - Cisco Catalyst IE3400 Series with software release 16.11.1a or later
- NFVIS platforms:
  - Cisco ENCS 5400 Series with software release 3.7.1 or later
  - Cisco ENCS 5104 with software release 3.7.1 or later
Note |
Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:
|
Management Interface VRF Support
Plug and Play operates over the device management interface on the following platforms:
- Cisco routers:
  - Cisco ASR 1000 Series with software release 16.3.2 or later
  - Cisco ISR 4000 Series with software release 16.3.2 or later
- Cisco switches:
  - Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later
  - Cisco Catalyst 9300 Series with software release 16.6.1 or later
  - Cisco Catalyst 9400 Series with software release 16.6.1 or later
  - Cisco Catalyst 9500 Series with software release 16.6.1 or later
4G Interface Support
Plug and Play operates over a 4G network interface module on the following Cisco routers:
- Cisco 1100 Series ISR with software release 16.6.2 or later
Configure Server Identity
To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternative Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.
The SAN requirement applies to devices running the following Cisco IOS releases:
- Cisco IOS Release 15.2(6)E2 and later
- Cisco IOS Release 15.6(3)M4 and later
- Cisco IOS Release 15.7(3)M2 and later
- Cisco IOS XE Denali 16.3.6 and later
- Cisco IOS XE Everest 16.5.3 and later
- Cisco IOS Everest 16.6.3 and later
- All Cisco IOS releases from 16.7.1 and later
The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:
- For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.
- For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.
- For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.
- For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.
If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a Network Address Translation (NAT) router, this public IP address must be included in the SAN field of the server certificate.
If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.
We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.
If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the Plug and Play process.
Note |
The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field. |
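The SAN rules in this section can be checked before a certificate is uploaded. The following Python sketch is an added example, not Cisco code: it takes a certificate in the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`, reads only the SAN entries (never the CN), and reports which identities required by the discovery methods in use are missing. The method labels (`dns`, `dhcp`, `cloud`, `nat`), the function names, the exact-match comparison, and all host names and addresses are assumptions of the example.

```python
import ipaddress


def san_entries(cert):
    """Ordered SAN entries of a getpeercert()-style dict as (kind, value).

    Only subjectAltName is read; the subject CN is deliberately ignored,
    matching the note that the PnP agent does not check the CN field.
    """
    entries = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            entries.append(("dns", value.rstrip(".").lower()))
        elif kind == "IP Address":
            # ip_address() normalizes case and zero compression for IPv6.
            entries.append(("ip", ipaddress.ip_address(value.strip())))
    return entries


def expected_identity(method, target=None, domain=None):
    """Identity a device will look for, per discovery method.

    method is a label chosen for this example (assumption):
      "dns"   -> pnpserver.<domain>
      "dhcp"  -> IP address or hostname carried in option 43 / option 17
      "cloud" -> IP address or hostname in the Plug and Play Connect profile
      "nat"   -> public IP address assigned by the NAT router
    """
    if method == "dns":
        if not domain:
            raise ValueError("DNS discovery needs the device's domain")
        return ("dns", f"pnpserver.{domain}".rstrip(".").lower())
    if method not in ("dhcp", "cloud", "nat"):
        raise ValueError(f"unknown discovery method: {method}")
    if not target:
        raise ValueError(f"{method} discovery needs an address or hostname")
    try:
        return ("ip", ipaddress.ip_address(target))
    except ValueError:
        return ("dns", target.rstrip(".").lower())


def check_pnp_san(cert, identities):
    """Compare the certificate's SAN entries with the required identities."""
    entries = san_entries(cert)
    missing = [str(value) for kind, value in identities
               if (kind, value) not in entries]
    warnings = []
    has_dns = any(kind == "dns" for kind, _ in entries)
    # Recommendation from the text: FQDN first, then the IP address.
    if entries and entries[0][0] == "ip" and has_dns:
        warnings.append(
            "FQDN should be the first SAN value, followed by the IP address")
    return {"ok": not missing, "missing": missing, "warnings": warnings}


# Constructed sample certificates (getpeercert() layout); all values made up.
CERT_MULTI_SAN = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("DNS", "dnac.example.com"),
        ("DNS", "pnpserver.example.com"),
        ("IP Address", "10.10.10.5"),
        ("IP Address", "2001:DB8:0:0:0:0:0:5"),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "dnac.example.com"),),)}
CERT_IP_FIRST = {
    "subject": ((("commonName", "dnac.example.com"),),),
    "subjectAltName": (
        ("IP Address", "10.10.10.5"),
        ("DNS", "dnac.example.com"),
    ),
}

if __name__ == "__main__":
    needed = [
        expected_identity("dns", domain="example.com"),
        expected_identity("dhcp", "10.10.10.5"),
        expected_identity("cloud", "dnac.example.com"),
        expected_identity("nat", "203.0.113.10"),
    ]
    for name, cert in [("multi-SAN", CERT_MULTI_SAN),
                       ("CN only", CERT_CN_ONLY),
                       ("IP first", CERT_IP_FIRST)]:
        print(name, check_pnp_san(cert, needed))
```

If an HTTP proxy sits between the devices and Cisco DNA Center, run the same check against the proxy certificate.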
Bugs
Open Bugs
The following table lists the open bugs in Cisco DNA Center for this release.
Bug Identifier | Headline |
---|---|
Under , when you duplicate a custom view, the new (duplicate) is created with the string "_Copy" appended to the original view name. If you try to duplicate a given view (with a given name) more than once, and you didn't previously edit and rename the original duplicate, an error message appears. The message states that the new view cannot be created because the name already exists. Note that this is expected behavior, similar to what may be observed when creating new views. |
|
The following behavior is seen on Cisco DNA Center 2.2.2 with the Cisco Wide Area Bonjour application and the Wide Area Bonjour patch:
|
|
Image import fails with the following errors:
|
|
For Cisco Catalyst 9000 switches, LAN automation coupled with SWIM deletes the current running software packages, as well as older packages, during a software image upgrade. In contrast, performing SWIM by itself does not delete the current software packages. |
|
The route text box in the Maglev Configuration wizard has a limitation of 1024 characters. If the static routes exceed 1024 characters, the Maglev Configuration wizard will crash. |
|
For the Cisco DNA Center Application Hosting service, when you update a newer application version on top of an existing application version, the application name on the new version must match the existing application name. If the application names (from the package descriptor file) don’t match, the Application Hosting service rejects the Update operation. |
|
A user with a Super Admin role cannot see notifications from the Notification Center. Also, when a user with an Admin role makes changes, those changes are not retained. |
|
After successfully starting a report in Cisco DNA Center the report may display the following error: Sorry, data collection failed - this report failed because the operation timed out or the server not responding. Please try again later or create a new report. |
|
A wireless LAN controller stops sending telemetry data to Cisco DNA Center platform, so Assurance stops plotting health. This problem occurs exactly one year from the date that the wireless LAN controller is added to the site in Cisco DNA Center platform. The following syslog message confirms the problem:
Do the following to reconfigure the certificate:
|
|
Under , both the CCO ID and Device EULA acceptance are not set with fresh installations in an air gap environment. |
|
Cisco DNA Center pushes the command "automate-tester username dummy ignore-acct-port probe-on" as part of its standard Cisco SD-Access configuration. Cisco DNA Center pushes the "automate-tester" configuration so that the device sends periodic RADIUS requests to the RADIUS server. The server is marked as Up if the device receives a response; the server is marked as Down if the device doesn't receive a response. It doesn't matter whether the user exists in Cisco ISE, because the device merely looks for a response from the RADIUS server, regardless of whether authentication succeeds or fails. If the corresponding Cisco ISE authentication policy uses the "Drop" action instead of the default "Access-Reject" action when the user does not exist, the AAA server might get marked as Dead when Cisco ISE drops the packet (because the dummy user does not exist on Cisco ISE). This in turn could affect CTS operation, and the following log is generated every minute:
|
|
When configuring integration of Cisco ISE with Cisco DNA Center, RADIUS is enabled by default, and the pxGrid connection to Cisco ISE is enabled. TACACS+ is not enabled by default. If you choose to enable TACACS+ and to also disable RADIUS, you must manually disable the pxGrid connection. Otherwise, the Cisco DNA Center System 360 window shows the pxGrid state as Unavailable. |
|
The LISP key banner push fails for wireless devices in Cisco DNA Center 2.2.2.x. |
|
The hostname of devices is not shown in the discovery results, even though the SNMP status is shown as Success. |
Resolved Bugs
Cisco DNA Center 2.2.2.9
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.9.
Bug Identifier | Headline |
---|---|
After editing an SSID that was previously configured in Cisco DNA Center, provisioning the Cisco Wireless Controller with the new information may fail with the following NETCONF error in the network-programmer service logs:
|
|
Cisco DNA Center 2.2.2.3: Clear port is successful from the GUI, but the configuration is still present on the device. |
|
Explicit or implicit Cisco Wireless Controller provisioning may cause a WLAN outage. |
|
Cisco DNA Center 2.2.2.3: Deployment of security fix fabric banner removes RADIUS PAC from extended nodes. |
|
CSCvz99700 |
Cisco DNA Center 2.2.2.4: Unable to delete a segment from host onboarding. |
Configuration preview shows NAC-RADIUS gets disabled as part of best practices. |
|
Cisco DNA Center 2.2.2.x: Segment removal fails due to stale references in the device interface information. |
|
User intent validation fails when provisioning Cisco Wireless Controllers. |
|
Cisco DNA Center 2.2.2.x: The following error occurs when running LAN automation for an already reserved pool for the site where the device is being provisioned through LAN automation:
|
|
Renewal of the client certificate used by the AI Analytics agent to communicate with the cloud. The on-premises Cisco AI Analytics agent uses a client X.509 certificate that is issued during the tenant registration process to authenticate to the Cisco AI Cloud. Before June 2021, the issued client certificates were valid for three years. As of June 2021, the issued client certificates are valid for one year. Starting with Cisco DNA Center 2.2.2.9, the automatic certificate renewal process has been added to the Cisco AI Analytics agent. |
|
CSCwa88686 |
In the Cisco DNA Center Settings for Integrity Verification, importing the latest KGV files from cisco.com fails with the following error messages:
|
Cisco Wireless Controller provisioning fails because the snapshot doesn't exist for the namespace. |
|
When importing Ekahau project files, Cisco DNA Center may display different obstacle types and attenuation values than what is configured in the Ekahau project. |
Cisco DNA Center 2.2.2.8
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.8.
Bug Identifier | Headline |
---|---|
Cisco DNA Center's Stealthwatch Security Analytics (SSA) integration should address route lookup gaps for interface selection. |
|
Cisco DNA Center's LAN automation may fail while reserving the link subnet, citing the error, "NCIP10288: There was a failure in the ipam-service: NCIP10024: An ip pool named <UUID>_pool_dummy_31 already exists" when there are already more than 31 dummy /27 IP address pools (and more than 900 IP addresses used) from the LAN automation pool for loopbacks and L3 link configuration. |
|
LAN automation must align to the Cisco DNA Center Security Best Practices Guide. |
|
EVENT_BASED_WIRED_WIRELESS_SYNC causes an internal error for the protocol endpoint. |
|
Device discovery tasks remain stuck in RUNNING state for a long time, clogging up the inventory service, which in turn prevents global credentials from being displayed. Because the global credentials don't load, new discovery tasks cannot start. The inventory service logs contain the following error logs:
|
Cisco DNA Center 2.2.2.6
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.6.
Bug Identifier | Headline |
---|---|
Upgrading Cisco DNA Center's application packages fails because the table "lispmssiteeidprefix" violates a foreign key constraint. |
|
Cisco DNA Center may not display an IP address pool or subnet when a user tries to create a segment, citing the error, "NCIP10071: pool name can contain only alphanumeric characters, underscores and hyphens." |
|
In stacked devices, the TrustSec ID and password are set to primary/active serial numbers only. |
|
An upgrade to Cisco DNA Center 2.1.2.x fails with the PSQLException, "ERROR: could not create unique index mdfproductfamily_pkey." |
|
The Scheduler service restarts due to an out of memory (OOM) error. |
|
Cisco DNA Center fails to generate a PKCS12 certificate due to the error, "Failed to find internal Trustpoint." |
|
Cisco DNA Center cannot assign some Meraki APs to a site. |
|
After a 2.1.2.6 upgrade, Cisco DNA Center doesn't configure policy-tags for modified wireless controllers and policies. |
|
Restore inheritance breaks for AAA and Cisco ISE settings. |
|
Reserved child pools for L3 handoff are not released after a failed fabric provision. |
|
Cisco DNA Center's Application Experience feature may attempt to configure application experience commands on an interface that isn't available, but passes through an interface that is part of a port group. |
|
Provisioning fails after segment deletion and site rename while a device is offline. |
|
LAN automation may not configure the L3 link between the peer seed and the PnP agent. |
|
NetFlow table updates are too aggressive for large-scale deployments. |
|
Cisco DNA Center Application Visibility Control (AVC) needs to restrict pushing the NBAR configuration to only the access switch port. |
|
Cisco DNA Center may fail to provision a wireless LAN controller that had previously been removed from a fabric, and inventory, citing a null pointer exception during the updateApN1HAConfig process. |
|
The Network Access Control (NAC) RADIUS configuration on a WLAN profile is lost when the wireless controller reloads. |
|
Fabric provisioning fails when a border device is removed. |
|
Cisco DNA Center 2.1.2.7 doesn't add an internal border to a fabric site when a guest border exists. |
|
The inventory overwrites the switched virtual interface (SVI) description to null. |
|
Cannot start LAN automation due to the error, "NCND00050: An internal error occurred while processing the request." |
|
Cisco DNA Center 2.1.2.6 LAN automation doesn't release the DHCP subnet while LAN auto start fails. |
|
Cisco DNA Center may disable the wireless controllers on a foreign wireless controller if the anchor wireless controller is provisioned. |
|
The Cisco DNA Center system upgrades to the desired version, but the Wide Area Bonjour applications fail to upgrade. This results in the application upgrade failing and the device hanging at a standstill. |
|
The wrong L2 instance is pushed to the anchoring site if a different VLAN name is used. |
|
Fabric-level provisioning fails and a subsequent fabric reconfigure device doesn't work. |
|
Cisco DNA Center's Report and Compliance Tool may fail to transfer a report when Cisco DNA Center's certificate contains fully qualified domain names (FQDNs), but the transfer tries to use an IP address. |
|
Create or update floormaps API documentation does not include the payload request schema. |
|
Cisco DNA Center may fail to provision a managed device if the Loopback0 interface's IP address is not available. |
|
Cisco DNA Center supports email notification for events and reports. Cisco DNA Center saves the first configuration entry; however, it may fail if you change the parameters. When you click the save button, Cisco DNA Center reports the updated configuration is saved successfully; however, Cisco DNA Center shows the previous configuration. |
|
All wireless controllers are disabled when enabling application telemetry for AireOS wireless controllers. |
|
External Webauth and external Webpassthrough may not push all resolved IP addresses for portals. Cisco DNA Center may change the ACL IP address during the provisioning activity. |
|
Cisco DNA Center does not configure BGP for the L3 handoff in border devices. |
|
The AAA configuration is removed from the wireless controller while adding a new edge node to the fabric. |
|
Cisco DNA Center may show that a device is in the managed state for Assurance, but the Inventory page may show that there has been an internal error while collecting inventory from the device. |
|
After adding an edge switch to the fabric, the wireless controller device login AAA settings change from TACACS to RADIUS. |
|
Cisco DNA Center's /dna/intent/api/v1/network-device REST API may return no more than 500 results. This impacts installations that have more than 500 managed devices. |
|
Anchor controller provisioning fails. |
|
When using an interface drop-down menu to select interfaces for configuration, regardless of the items selected, the interface deployed is GigabitEthernet0. |
Cisco DNA Center 2.2.2.5
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.5.
Bug Identifier | Headline |
---|---|
Cisco DNA Center might fail to collect the inventory from a switch that was upgraded from running Cisco IOS-XE 17.3.3 to 17.5.1, because internal database entries are missing. |
|
Recovery API to recreate missing GRT entries. |
|
After an upgrade of Cisco DNA Center to 2.2.2.4, you might not be able to log in to network devices. In Cisco ISE, the TACACS configuration (key) information on the window shows that the TACACS configuration is unchecked and the key is removed. |
Cisco DNA Center 2.2.2.4
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.4.
Bug Identifier | Headline |
---|---|
The Cisco DNA Center maglev-system microservice might degrade into a crash loop. The pod status is marked as "False," even though the pod is in "Running" state. |
|
Cisco DNA Center MongoDB instance hosts the following:
This results in an increased size of the MongoDB store. The observed impacts of the larger store are:
|
|
Cisco DNA Center fails to send test email using NTLM for encryption and authentication. This causes confusion with the customer if they accidentally use an incorrect username or password, because the test email button sends an email without using the username or password. |
|
Virtual Routing and Forwarding (VRF)-specific name servers are removed by Cisco DNA Center. |
|
Cisco DNA Center doesn't configure "bandwidth remaining percentage" correctly on switches. |
|
In Cisco DNA Center, the Client Detail, Client Session, and AP Radio reports may fail to run, time out, or return no data when the report's time frame is set for one month. These reports run as expected with shorter time frames. The Client Summary with data collection report may fail because of a connection timeout. |
|
In Cisco DNA Center, when you enable the email notifications for event subscriptions, the email notifications may stop being sent. In Cisco DNA Center, the Try It feature generates an error message stating Invalid email configuration. This error message occurs even if the email integration test succeeds. |
|
When you generate a report, schedule a report, and choose a web-hook notification, Cisco DNA Center fails to display all the webhook destinations in the subscription profile. |
|
Cisco DNA Center might fail to provision a Nexus 7710 if there is an octothorpe "#" character in the device login banner. |
|
In the Cisco DNA Assurance events, email notifications may not work after an upgrade to release version 2.1.2.6. |
|
Device provisioning fails with a AAA update. |
|
Cisco DNA Center might fail to synchronize a Cisco Catalyst 9000 series switch that is configured with an access list associated to the netconfig-yang configuration. |
|
When the appliance is configured for the first time using the express mode (install mode) of the browser-based wizard, the enterprise IP address, virtual IP address, hostname, and pnpserver.domain details are missing from the SAN field in the Cisco DNA Center certificate. |
|
You cannot add a second node to a Cisco DNA Center cluster installed with express mode. |
|
Cisco DNA Center pushes a different Anycast Gateway MAC address to some fabric edge nodes. |
|
After a successful upgrade from Cisco DNA Center 2.1.2.3 to 2.2.2.1, all users except the user with the Admin role receive the following error on the Software Updates window:
With the Admin login, there is no error. The window accurately shows "Your system package is up to date." |
|
The Cisco DNA Center Config Archive might try to capture the startup configs and VLAN databases from unreachable devices. |
|
The Assurance event notifications device parameter returns the device UUID, not the device IP address. |
|
An upgrade failure occurs due to an expired Docker CA certificate. |
|
Trend charts are empty in the Assurance Overview, Assurance Network Summary, and Assurance Client Summary windows. |
|
Cisco DNA Center might fail to provision a device. The following error is generated:
|
|
Cisco DNA Center Compliance flags configurations that are originally pushed by Cisco DNA Center but overridden by user templates. Cisco DNA Center Compliance also flags configurations that are pushed by Cisco DNA Center that are not overridden by user templates. |
|
Reserved child pools for Layer 3 handoff are not released after a failed fabric provision. |
|
Cisco DNA Center might be unable to deploy Stealthwatch Security Analytics (SSA) on a device that has more than 1000 entries in its routing table. |
|
Cisco DNA Center might not generate a heatmap for the 2.4-GHz band of 9120 APs, even though the heatmap is generated for 5 GHz as expected. |
|
Cisco ISE integration fails when FQDN x doesn't match the common name contained in the system certificate. |
|
Cisco DNA Center either displays the changed audit log messages or fails to display the audit log messages. |
|
After upgrading to Cisco DNA Center 2.1.2.7, inventory collection from an existing Cisco Catalyst 9500 switch fails with the following error:
|
|
Cisco DNA Center might be unable to remove a managed device from a fabric-in-a-box installation, citing the following error in the network programmer service's logs:
|
|
Cisco DNA Center might create a duplicate site tag with the default-flex-profile linked to it when an existing wireless LAN controller is reprovisioned. |
|
A vulnerability in Cisco DNA Center's Command Runner application could allow an authenticated, local attacker to gain access to sensitive information on an affected device. |
|
Cisco DNA Center 2.1.2.5: IPDT configs are not considered for IP Phone-connected interfaces. |
|
The User 360 Events and Health graph shows combined events for all devices on each device window. |
|
IPDT Policy config is pushed to a Cisco Catalyst 9300 switch unexpectedly. |
|
In Cisco DNA Center's Template Editor tool, the bind to source options might not return expected outputs for the interfaceCount, lineCardCount, lineCardId, or tagCount variables. |
|
Anomaly Intelligent Capture does not enable on all capable APs. |
|
In Cisco DNA Center, when attempting to run CLI commands using magctl or maglev, the command might fail with the following error:
|
|
In Cisco DNA Center's SWIM window, entries for the Catalyst 9800 Series Wireless Controller might show "undefined" as the only option for "Device Series" when defining custom checks. |
|
Cisco DNA Center's Stealthwatch integration might be unable to connect due to the OCSP responder missing from the Stealthwatch Management Console's (SMC) certificate. |
|
Rediscovering a device fails when logged into a non-English UI. |
|
Unable to import a composite template with deviceTypes error. |
|
Path trace fails with the following error:
|
|
The IPAM system health check fails for a generic implementation. |
|
Cisco DNA Center might fail to collect inventory from a Cisco Catalyst 9000 switch. The following error is generated:
|
|
The Inventory report fails to generate. The BAPI API does not work as expected. |
|
Cisco ISE and Cisco DNA Center integration: The pxGrid connection goes down due to an invalid certificate chain presented by Cisco ISE. |
|
An imported Ekahau project heatmap shows a weak wireless signal. |
|
Provisioning a composite day-n template after deleting and reonboarding a device to Cisco DNA Center might fail. |
|
An Ekahau import fails when the area name is System Campus. |
|
Cisco DNA Center shows an SSID for a client that is no longer present on the wireless controller. |
|
Cisco DNA Center 2.1.2.6: LAN automation doesn't determine whether the PnP happened via LAN A or startup VLAN. |
|
Cisco DNA Center 2.1.2.6: A failure occurs while adding a device to Cisco ISE as a network device for TACACS/RADIUS. |
|
Values are not returned for Velocity template variables. |
|
Device list in Application Visibility: The Site Device window does not populate with all devices. |
|
Cisco DNA Center wireless guest portal window scalability issue. |
|
Issue while learning 40-MHz profiles with channels that aren't in pairs from Catalyst 9800 Series Wireless Controller. |
|
An extended node becomes unreachable after an expected reboot. |
|
When changing the length of a floor from feet to meters, the following error is generated:
|
|
Cannot import .csv files from a Windows PC to Cisco DNA Center 2.2.2.3. |
|
Proxy configuration fails when etcd is missing the key /maglev/config/cluster/service_addressing_mode. |
|
Cisco DNA Center 2.2.2.3: An unactionable error message occurs when making site hierarchy changes. |
|
Cisco DNA Center 2.2.2.3: Rogue event match does not work per applied rogue profile and rules. |
|
Exporting the details of a particular Assurance issue does not work. |
|
The System Health dashboard shows stale node information after restoring a backup. |
|
Cisco DNA Center's RCA bundle is missing process information, and should include the output of the top command. This will help with diagnosing situations where the server is under a high load. |
|
Cisco DNA Center's root user's history should be included in an RCA bundle with the timestamps and commands run by the root user. |
|
Cisco DNA Center might fail to synchronize SGTs with Cisco ISE when RT_SYNC_THREAD is not running in aca-controller. |
|
Cisco DNA Center's AI Analytics settings window might show a "cloud unreachable" status. |
|
Associated clients display label does not work on floor map. |
|
Remove username/password fields from Email configuration. |
Cisco DNA Center 2.2.2.3
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.3.
Bug Identifier | Headline |
---|---|
Wireless controller partial collection failure occurs if proxy mobile IP Network Access controller (PMIP NAI) is longer than 32 characters. |
|
Cisco DNA Center does not support the AP Location field which many customers use to track the physical location of the AP inside the floor and building where it is installed. When migrating from Prime Infrastructure to Cisco DNA Center, the AP will have this value overwritten by Cisco DNA Center upon the first AP provisioning. |
|
CSCvx64681 |
Cisco DNA Center can't provision the ISR transit control plane after provisioning with a routing template. |
|
A managed access point might not show its operational details on the Cisco DNA Center Assurance Device 360 window. Additionally, clients on the WLC, where this AP is joined, show a blank device location. |
|
Provisioning fails when adding an AAA server using a port number greater than 32767 to Cisco DNA Center. |
|
The Cisco DNA Center Provision window might show all device provisioning hangs in "In-Progress" on the Activity window when Cisco ISE integration is broken, and the PxGrid service is not available, causing a queue to fill. |
|
Heatmaps for the 5-GHz band are not generated for a Cisco Catalyst 9800 Series Wireless Controller. |
|
Image distribution servers won't allow a valid IP address. |
|
When attempting to add an edge device to a fabric, Cisco DNA Center might return the following error:
|
|
Unable to open a virtual network in L2 Handoff settings or click the Save button after an upgrade to Cisco DNA Center 2.1.2.6. |
|
For Cisco Catalyst 9800 Series Wireless Controller, the Remote Procedure Call (RPC) rfdca-removed-channel operation fails with a data missing error tag. |
|
For Cisco DNA Center 1.3.3.7, messages in the "dna.lan.common.service" queue are blocking subsequent LAN automation. |
|
In Cisco DNA Center, when you import an Ekahau .esx file from a project, the antenna azimuth might be reported incorrectly by 90 degrees for wall and ceiling mounted access points. |
|
When looking in Cisco DNA Center for details about a wireless sensor, the sensor 5 GHz links are missing. |
|
When attempting to set up the integration between Cisco DNA Center and Cisco DNA Spaces, the integration might fail with the following error:
|
Cisco DNA Center 2.2.2.1
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.1.
Bug Identifier | Headline |
---|---|
In the External Authentication window > AAA Server(s) area, the Shared Secret field is missing text or string information. In Cisco DNA Center 1.3.3.9, the Shared Secret field shows descriptive text for the required value. If the value is empty, additional text is displayed under the "Shared secret must not be empty" line. However, in Cisco DNA Center 2.2.2.0, the following problems occur:
|
|
Under the My Profile and Settings window, a change to the first name does not take effect. |
|
When the Notification Center is enabled for License notification, Assurance issue notifications are reported along with the license notifications. While there is no functional impact, notifications become a bit noisy based on the amount of network issues that Cisco DNA Center detects. Also, the Assurance issues don't provide any details when you click the notifications. This problem occurs when you enable notifications for licensing issues ( ). |
|
In the Workflows GUI, when the text in an "In Progress" tile is long or impedes other elements in the tile, the text should be truncated or abbreviated. For example, the title of the following in-progress workflow is too long and should be truncated:
|
Cisco DNA Center 2.2.2.0
The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.0.
Bug Identifier | Headline |
---|---|
The Cisco DNA Center 1.1.6 GUI might become unavailable. |
|
Cisco DNA Center interactive wireless template is not applied to the wireless controller. |
|
When attempting to use Cisco DNA Center to provision a wireless LAN controller, the following error might be returned:
|
|
Cisco DNA Center might fail to collect inventory from a wireless controller that has unassociated APs that are not deleted or moved to another wireless controller. |
|
The Cisco DNA Center threadmanagermonitor table should be pruned periodically to keep the size of the database from growing too large. |
|
Cisco DNA Center should not allow provisioning until the Fabric Authentication Key Security fix is applied. |
|
For the Template Editor, integer input types need a way to check for null. |
|
The sdn-network-infra-iwan certificate expires on the device. |
|
Cisco DNA Center fabric provisioning takes a long time when multiple sites are connected to the transit. |
|
In Cisco DNA Center, extended nodes must be configured on distinct edge ports. |
|
In Cisco DNA Center, the dna-event-runtime pod crashes while accessing the Audit Logs window. |
|
The URL in the notification email is not working. |
|
The Cisco DNA Center Image Repository displays "Failed to load data" after adding a Meraki dashboard to Cisco DNA Center. |
|
Cisco DNA Center might be unable to provision a managed device after an initial provision failure, instead citing the following error:
|
|
Cisco ISE integration fails when the Cisco DNA Center PPAN certificate contains an unreachable CDP. |
|
A Cisco Catalyst 9800 Series Wireless Controller in HA fails inventory collection. |
|
The Cisco DNA Center Public Key Infrastructure (PKI) service might use a cached certificate, instead of a refreshed certificate, even after the cached certificate's expiration date. |
|
Cisco DNA Center might not push the IP Device Tracking (IPDT) configuration to switch ports that are in access mode, in switches whose role is defined as access switches. |
|
CSCvv67156 |
Cisco DNA Center is unable to start LAN automation if the primary seed device was deleted before stopping a previous LAN automation session. This causes subsequent LAN automation sessions to fail. |
|
Cisco DNA Center pushes conflicting configurations to the extended node interfaces during PnP. |
|
MongoDB-2 goes into crashloop after upgrading to Cisco DNA Center 2.1.2.x. |
|
Cisco DNA Center might fail to provision a wireless access point if the wireless LAN controller it is joined to has a name longer than 31 characters, including the domain name. |
|
Wireless controller provisioning fails because a guest SSID is created during Cisco DNA Center 1.2.x with Fast Transition. |
|
The network license count for Cisco Catalyst 9300 switches is incorrect. |
|
In Cisco DNA Center, the IPDT configuration is rejected by the Bluetooth interface during provisioning. |
|
Cisco DNA Center cannot start LAN automation because a discovered site is deleted from the system. |
|
Device-tracking configuration push fails when the Catalyst 9407 device role changes to ACCESS. |
|
Software image activation fails on Cisco DNA Center with the error "NCSW10244: The task is hung and is auto-aborted." |
|
Cisco DNA Center might be unable to start new LAN automation sessions, citing the following error:
|
|
Cisco DNA Center might configure the default-flex-profile of a wireless controller with an external webauth SSID that has "central-webauth" enabled. |
|
Cisco DNA Center does not push the default-site-tag-fabric configuration to the Cisco Catalyst 9800 Series Wireless Controller after upgrade. |
|
Adding a Cisco Catalyst 9800 Series Wireless Controller to the fabric fails if the fabric contains Layer 3 only IP address pool segments. |
|
After a successful system upgrade to Cisco DNA Center 2.1.2.X, the bulk application upgrade download from the GUI fails with the warning, "Downloading packages ended with an error." |
|
Cisco DNA Center-to-ServiceNow Configuration Management Database (CMDB) sync fails because the inventory includes AP sensors. |
|
The RMA process fails when a faulty device is in NETWORK-READINESS-FAILED status. |
|
The Cisco DNA Center GUI and CLI become very slow after upgrading from 1.3.3.x to 2.1.2.3. |
|
Elasticsearch cluster formation fails in an XL appliance cluster with 12 instances. |
|
Cisco DNA Center doesn't have an option to mark a golden image for Cisco Catalyst 9400 Supervisor Engine-1XL-Y. |
|
Cisco DNA Center might incorrectly configure ACL_WEBAUTH_REDIRECT on multiple devices at the same site. |
|
An AP map loads very slowly after upgrading to Cisco DNA Center 2.1.2.3. |
|
The Cisco Catalyst 9800 Series Wireless Controller inventory collection fails when the AAA authorization method length is greater than 31 characters. |
|
Cisco DNA Center doesn't provision the NetFlow collector settings from the Design window. |
|
It is possible to delete a custom-provisioned RF profile. |
|
Wireless controller provisioning is blocked when the RF profile is deleted from the Design window but not cleaned from the database. |
|
When executed manually from , the Cnsr-reasoner service restarts every time and there is no issue report. |
|
The Cisco DNA Center Task window doesn't load any data. |
|
In the Cisco DNA Center Policy, QoS does not push outbound configurations. |
|
In Cisco DNA Center, the Pkcs12 configuration fails due to internal errors after discovering Cisco Catalyst 9800 Series Wireless Controllers in a cluster. |
|
There is a mismatch in the unassigned device count and what is seen in inventory after removal of the GPS marker. |
|
Cisco DNA Center-to-Service Now integration fails with a rate limit exceeded error. |
|
Application upgrade fails due to the RabbitMQ maximum message size. |
|
Duplicate Flex Profiles are found in wireless controllers after an upgrade. |
|
RBAC prevents network hierarchy maps from loading; "Error 11015" is displayed. |
|
After fixing an authorization failure, AAA users are able to log in but cannot perform certain operations. |
|
A suboptimal closed authorization configuration is pushed when a critical VLAN/IP address pool is not explicitly defined. |
|
Cisco DNA Center is unable to perform RMA because a field value exceeds the integer range. |
|
Cisco Catalyst 9800 Series Wireless Controller provisioning doesn't work because changes to FlexProfilePolicyAclConfig are not picked up. |
|
CSCvw95827 |
The Cisco DNA Center default application policy configuration does not handle the IS-IS protocol correctly. |
CSCvx02345 |
Cisco DNA Center might become unable to start a new LAN automation session, citing the following error:
|
CSCvx02368 |
Cisco DNA Center might become unable to start a new LAN automation session after a LAN-automated fabric-in-a-box device is deleted from the system and readded via Discovery and Inventory. The following error is returned:
|
|
Restoring a backup to Cisco DNA Center 2.1.2.5 might appear to hang, but it fails with the error "SoftTimeLimitExceeded()" for the component "RESTORE.MONITOR_SERVICES_RESTART". |
|
CSCvx09990 |
Cisco DNA Center pushes additional flex profiles to a managed wireless LAN controller after upgrading to 2.1.2.x, and those profiles have incorrect VLAN-name and VLAN-id mapping in the site tags. |
|
Upgrading the Cisco DNA Center application packages fails due to a constraint violation on the lispcomponent table. |
|
The Inventory status of a managed device in Cisco DNA Center might change to "Internal Error" when a value returned by the device that should be an IP address is null. The logs show the error "Null value was assigned to a property of primitive type setter of com.cisco.xmp.model.foundation.connectivity.ip.IpV4Properties.directedBroadcast." |
|
When Cisco DNA Center is used to enable application telemetry on a network device by tagging the desired LAN interfaces with the "lan" keyword in the interface description, Tunnel and Port-Channel interfaces do not get enabled. |
|
Router provisioning fails with the error "NCSP10250: Error During persistence (provision) of CFS." |
|
Restoring a backup might fail the 7200 second timeout for pg_restore. |
|
A Guest SSID with the Fast Transition value configured as Adaptive in an earlier release of Cisco DNA Center causes wireless controller provisioning issues in Cisco DNA Center 2.1.2.5. |
|
Cisco DNA Center discovery fails to retrieve global credentials while trying to create a new task. |
|
Cisco DNA Center 2.1.2.4: An incorrect policy profile is linked with new wireless controllers pushed by Cisco DNA Center while provisioning. |
|
The Cisco DNA Center Inventory service might crash if the managed devices send many syslogs. |
|
Cisco DNA Center provisioning AAA configurations to a Cisco Catalyst 9800 Series Wireless Controller might fail due to an invalid command in the configuration model that includes "$timeout". |
|
CSCvx41602 |
When the Cisco DNA Center Licensing Tool tries to configure a SLR reservation for stacked switches, it might become stuck at Generating Authorization code. |
CSCvx43441 |
In the Cisco DNA Center Inventory, in the PnP area, wireless sensors hang at "Certificate install is in progress. Device is ready to be claimed." |
|
An incorrect web auth configuration might be pushed when a PSK (personal) SSID is added. This causes a conflict in the actual configuration push to the device through Cisco DNA Center provisioning. |
|
After a failed wireless controller provisioning attempt, Cisco DNA Center might not roll back the configuration from the wireless controller, which might cause a network outage. |
|
Devices that are already registered for Smart Licensing in an existing installation of CSSM On-Prem will be deregistered when On-Prem is integrated with Cisco DNA Center. While this is documented in the Cisco DNA Center Administrator Guide, the warning should be more pronounced. |
|
When the kubelet certificate expires and is refreshed, the kubelet goes down and all services go down. |
|
The Cisco DNA Center Inventory resync results in an internal error. |
|
Reconfigure device provision might not determine configuration changes for the Dot1x Auth Template. |
|
After upgrading to Cisco DNA Center 2.1.2.4 and later, the following error is displayed after modifying IP address pools for a virtual network on the fabric Host Onboarding window:
|
|
During an upgrade of Cisco DNA Center application packages, the upgrade might appear to be stuck for hours at 20% with no obvious movement forward. The migration logs show a deadlock on the Postgres executionevent table. This issue stems from a large database table upon which database update queries pile up, causing a deadlock. |
Limitations and Restrictions
Upgrade Limitation
If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:
-
Cisco ISE is already configured in Cisco DNA Center.
-
The version of Cisco ISE is not 2.6 patch 1 or 2.4 patch 7 or later.
-
Cisco DNA Center contains an existing fabric site.
-
The number of DNS servers must not exceed three.
Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.
To work around this problem, upgrade Cisco ISE to 2.6 patch 1 or 2.4 patch 7 or later, and retry the Cisco DNA Center upgrade.
Backup and Restore Limitations
-
You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.
-
After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose . Choose Edit for the server. Enter your Cisco ISE password to update.
-
After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.
-
Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.
-
Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.
-
You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.
Cisco ISE Integration Limitations
-
ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.
-
Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.
-
Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC 5280, Section 4.2.1.9).
-
The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.
-
If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.
-
The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.
-
Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.
-
Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.
Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.
-
The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.
License Limitation
The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support Smart License registration of the Cisco 5500 Series AireOS Wireless Controller when the connection mode is smart-proxy.
Fabric Limitations
-
Cisco DNA Center supports up to a maximum of 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, and so on.
Physical ports cannot exceed 480,000 ports on a 112-core appliance.
-
IP address pools reserved at the area level are shown as inherited at the building level on the Host Onboarding window if the fabric site is defined at the building level. If the fabric site is defined at the building level, you must reserve the IP address pools at the building level; if the fabric site is defined at the area level, you must reserve the IP address pools at the area level.
window; however, these IP address pools are not listed on the
To work around this issue, release and reserve the IP address pool at the same level (area or building) as the fabric site, or reconfigure the fabric site at the same level as the reserved IP address pool.
-
Cisco DNA Center does not support multicast across multiple fabric sites that are connected by an SDA transit network.
-
In a fabric setup with Cisco Catalyst 9800 HA devices, if one of the HA devices goes down, you must complete the following steps to replace it:
-
From the Cisco DNA Center Inventory window, resynchronize the HA device that failed. Cisco DNA Center shows the device as standalone; the standby has failed and has been removed.
-
Set the priority for the devices. If you want the existing device to return as the active device after forming HA with the new device, ensure that the HA priority of the existing device is set to 2 (or the highest available priority value). You configure the device priority from the web UI, under . Alternatively, you can enter the following CLI command to configure the device priority:
chassis <chassis_number> priority 2
To view the chassis number and the current priority value, enter the show chassis EXEC command.
If the priority is set to the default value of 1 on both devices, the device with the lower MAC address becomes the active device.
-
Configure the chassis redundancy command on the new device using the same local and remote IP addresses that were used on the failed device. You configure the chassis redundancy in either the web UI or the CLI.
-
Reboot both devices to form the HA pair.
-
After HA is up, resynchronize the devices in Cisco DNA Center. The Inventory window shows the new HA pair. Verify the serial numbers in the Serial Number column. For an HA pair, both the active and standby serial numbers are shown.
-
Brownfield Feature-Related Limitations
-
Cisco DNA Center cannot learn device credentials.
-
You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.
-
Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.
-
Cisco DNA Center can learn only one wireless controller at a time.
-
For site profile creation, only the AP groups with AP and SSID entries are considered.
-
Automatic site assignment is not possible.
-
SSIDs with an unsupported security type and radio policy are discarded.
-
For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.
-
The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.
-
The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.
-
When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.
-
A wireless conflict is based only on the SSID name, and does not consider other attributes.
Wireless Policy Limitation
If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, Policy Deployment failed is displayed.
AP Limitations
-
AP as a sensor is not supported in this release of Cisco DNA Center.
-
Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.
After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.
-
Provisioning of 100 APs takes longer in this release as compared to 3 minutes in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.
Inter-Release Controller Mobility (IRCM) Limitation
The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.
IP Device Tracking on Trunk Port Limitation
Rogue-on-wire detection is impacted; Cisco DNA Center does not show all clients connected to a switch via an access point in bridge mode. The trunk port is used to exchange all VLAN information. When you enable IP device tracking on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable IP device tracking on the trunk port. The rogue-on-wire is not detected if the IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.
IP Address Manager Limitations
-
Infoblox limitations:
-
Infoblox does not expose a name attribute; therefore, the comment field in Infoblox is populated by the IP pool name during a sync.
-
For a pool import, the first 50 characters of the comment field are used. If there are spaces in the comments, they are replaced by underscores.
-
If an IP pool name is updated for an imported pool, the comments are overwritten and the new name is reflected.
-
-
BlueCat: There are no limitations identified with BlueCat integration at this time.
-
Cisco DNA Center supports integration with an external IPAM server that has trusted certificates. In the Cisco DNA Center GUI, under , you might see the following error:
NCIP10282: Unable to find the valid certification path to the requested target.
To correct this error for a self-signed certificate:
-
Using OpenSSL, enter one of the following commands to download the self-signed certificate, depending on your IPAM type. (You can specify the FQDN [domain name] or IP address in the command.)
openssl s_client -showcerts -connect Infoblox-FQDN:443
openssl s_client -showcerts -connect Bluecat-FQDN:443
-
From the output, use the content from ---BEGIN CERTIFICATE--- to ---END CERTIFICATE--- to create a new .pem file.
-
Go to , click Import, and upload the certificate (.pem file).
-
Go to and configure the external IPAM server. (If the IPAM server is already configured, skip this step.)
To correct this error for a CA-signed certificate, install the root certificate and any intermediate certificates of the CA that is installed on the IPAM into the Cisco DNA Center trustpool ( ).
-
-
You might see the following error if a CA-signed certificate is revoked by the certificate authority:
NCIP10286: The remote server presented with a revoked certificate. Please verify the certificate.
To correct this, obtain a new certificate from the certificate authority and upload it to .
-
You might see the following error after configuring the external IPAM details:
IPAM external sync failed: NCIP10264: Non Empty DNAC parent pool <CIDR> exists in external ipam.
To correct this, log in to the external IPAM server (such as BlueCat). Confirm that the parent pool CIDR exists in the external IPAM server, and remove all the child pools that are configured under that parent pool. Then, return to the Cisco DNA Center GUI and reconfigure the IPAM server under .
-
You might see the following error while using IP Address Manager to configure an external IPAM:
NCIP10114: I/O error on GET request for "https://<IP>/wapi/v1.2/": Host name '<IP>' does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name '<IP>' does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US)
To correct this, log in to the external IPAM server (such as Infoblox) and regenerate your external IPAM certificate with the common name (CN) value as the valid hostname or IP address. In the preceding example, the CN value is www.infoblox.com, which is not the valid hostname or IP address of the external IPAM.
After you regenerate the certificate with a valid CN value, go to . Click Import and upload the new certificate (.pem file).
Then, go to and configure the external IPAM server with the server URL as the valid hostname or IP address (as listed as the CN value in the certificate).
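The self-signed certificate steps for error NCIP10282 above copy the certificate out of `openssl s_client -showcerts` output by hand. The following added example (not Cisco code) does that extraction, rejects truncated or edited captures, and compares the certificate's SHA-256 fingerprint with a value obtained out of band before the file is imported as trusted. The function names, output directory, and sample capture are assumptions, and the sample's base64 bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not Cisco code). Function names, paths and the sample
# capture are constructed for illustration.

# split_showcerts OUTDIR
#   stdin : text captured from `openssl s_client -showcerts -connect HOST:443`
#   stdout: number of certificates written; cert-1.pem is the one the server
#           presented for itself, later files are the rest of its chain
#   exit  : 0 ok, 1 no certificate in the input, 2 malformed or truncated block
split_showcerts() {
    outdir=$1
    mkdir -p "$outdir" || return 2
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { bad = 1; exit }       # BEGIN inside an open block
            inside = 1; n++
            file = dir "/cert-" n ".pem"
            print > file
            next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside) { bad = 1; exit }      # END without a BEGIN
            print > file
            close(file)
            inside = 0
            next
        }
        inside {
            # Body lines must be base64 only. Anything else means the capture
            # was cut, edited, or mixed with other output.
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) { bad = 1; exit }
            print > file
        }
        END {
            if (bad || inside) exit 2
            if (n == 0) exit 1
            print n
        }
    ' || {
        status=$?
        rm -f "$outdir"/cert-*.pem    # leave no partial trust material behind
        return "$status"
    }
}

# fingerprint_matches PEMFILE EXPECTED_SHA256
#   True when the certificate's SHA-256 fingerprint equals a value obtained
#   out of band (for example, read from the IPAM server's own console).
#   Colons and letter case are ignored. Requires the openssl CLI.
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    actual=$(printf '%s' "${actual#*=}" | tr -d ':' | tr 'A-F' 'a-f')
    wanted=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$wanted" ] && [ "$actual" = "$wanted" ]
}

# Constructed sample of s_client output. The base64 bodies are placeholders,
# not real certificates.
sample_showcerts() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ipam.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSVNTVUVSLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ipam.example.test
issuer=CN = Example Issuing CA
---
EOF
}

# Live use (needs network access to the IPAM server):
#   openssl s_client -showcerts -connect Infoblox-FQDN:443 </dev/null 2>/dev/null \
#       | split_showcerts ./ipam-certs
#   fingerprint_matches ./ipam-certs/cert-1.pem "<fingerprint from the IPAM admin>"

# Offline demonstration on the constructed sample.
demo_dir=$(mktemp -d)
echo "certificates written: $(sample_showcerts | split_showcerts "$demo_dir")"
rm -rf "$demo_dir"
```

Import a file only after `fingerprint_matches` succeeds, because `s_client` returns whatever certificate the network path delivered.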
IPv6 Limitations
If you choose to run Cisco DNA Center in IPv6 mode:
-
Access Control Application, Group-Based Policy Analytics, and Cisco AI Endpoint Analytics packages are disabled and cannot be downloaded or installed.
-
Communication through Cisco ISE pxGrid is disabled, because Cisco ISE pxGrid does not support IPv6.
Cisco Plug and Play Limitations
-
Virtual Switching System (VSS) is not supported.
-
The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.
-
The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.
-
The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:
pnp startup-vlan <vlan_number>
Cisco Group-Based Policy Analytics Limitations
- Cisco Group-Based Policy Analytics supports up to five concurrent requests based on realistic customer data. While it is desirable for GUI operations to respond within 5 seconds or less, for extreme cases based on realistic data, it can take up to 20 seconds. There is no mechanism to prevent more than five simultaneous requests, but if that happens, some GUI operations might fail. Operations that take longer than 1 minute will time out.
- Data aggregation occurs at hourly offsets from UTC in Cisco Group-Based Policy Analytics. However, some time zones are at a 30-minute or 45-minute offset from UTC. If the Cisco DNA Center server is located in a time zone with a 30-minute or 45-minute offset from UTC and the client is located in a time zone with an hourly offset from UTC, or vice versa, the time ranges for data aggregation in Cisco Group-Based Policy Analytics are incorrect for the client.
  For example, assume that the Cisco DNA Center server is located in California PDT (UTC-7) where data aggregations occur at hourly offsets (8:00 a.m., 9:00 a.m., 10:00 a.m., and so on). When a client located in India IST (UTC+5.30) wants to see the data between 10:00 - 11:00 p.m. IST, which corresponds to the time range 9:30 - 10:30 a.m. PDT in California, no aggregations are seen.
- Group changes that occur within an hour are not captured. When an endpoint changes from one scalable group to another, Cisco Group-Based Policy Analytics is unaware of this change until the next hour.
- You cannot sort the Scalable Group and Stealthwatch Host Group columns in the Search Results window.
- You might see discrepancies in the information related to Network Access Device (including location) between Cisco DNA Assurance and Cisco Group-Based Policy Analytics.
Application Telemetry Limitation
When configuring application telemetry on a device, Cisco DNA Center might choose the wrong interface as the source for NetFlow data.
To force Cisco DNA Center to choose a specific interface, add netflow-source in the description of the interface. You can use a special character followed by a space after netflow-source, but not before it. For example, the following syntax is valid:
netflow-source
MANAGEMENT netflow-source
MANAGEMENTnetflow-source
netflow-source MANAGEMENT
netflow-sourceMANAGEMENT
netflow-source & MANAGEMENT
netflow-source |MANAGEMENT
The following syntax is invalid:
MANAGEMENT | netflow-source
* netflow-source
netflow-source|MANAGEMENT
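A pre-deployment check for the description rule above, as an added example that is not Cisco's code. The matching rule is inferred from the ten valid and invalid descriptions listed here (no special character anywhere before netflow-source, none directly after it); the definition of "special character", the function names, and the sample configuration are assumptions.

```python
KEYWORD = "netflow-source"

def is_special(ch):
    # Assumption: "special character" = anything that is not a letter, digit or whitespace.
    return not (ch.isalnum() or ch.isspace())

def check_description(desc):
    """Return (ok, reason) for one interface description."""
    idx = desc.find(KEYWORD)
    if idx == -1:
        return False, "keyword missing"
    before, after = desc[:idx], desc[idx + len(KEYWORD):]
    if any(is_special(c) for c in before):
        return False, "special character before keyword"
    if after and is_special(after[0]):
        return False, "special character directly after keyword"
    return True, "ok"

def lint_config(config_text):
    """Check every interface description in an IOS-style config that mentions the keyword."""
    findings, iface = [], None
    for line in config_text.splitlines():
        words = line.strip().split(None, 1)
        if len(words) < 2:
            continue
        if words[0] == "interface":
            iface = words[1]
        elif words[0] == "description" and iface and KEYWORD in words[1]:
            findings.append((iface, *check_description(words[1])))
    return findings

# Constructed sample configuration (interface names are made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 description MANAGEMENT netflow-source
interface GigabitEthernet0/0/2
 description MANAGEMENT | netflow-source
interface Loopback0
 description netflow-source|MANAGEMENT
interface Vlan10
 description user access
"""

if __name__ == "__main__":
    for iface, ok, reason in lint_config(SAMPLE_CONFIG):
        print(f"{iface}: {'OK' if ok else 'REVIEW'} ({reason})")
```

An interface flagged REVIEW may not be picked as the NetFlow source, so telemetry could be exported from an interface you did not intend.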
Reports Limitation
Reports with significant data can sometimes fail to generate in the Cisco DNA Center platform. If this occurs, we recommend that you use filters to reduce the report size to prevent such failures.
Communications, Services, and Additional Information
- To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
- To obtain general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
Related Documentation
We recommend that you read the following documents relating to Cisco DNA Center.
For This Type of Information... | See This Document... |
---|---|
Release information, including new features, limitations, and open and resolved bugs. | |
Installation and configuration of Cisco DNA Center, including postinstallation tasks. | |
Upgrade information for your current release of Cisco DNA Center. | |
Use of the Cisco DNA Center GUI and its applications. | |
Configuration of user accounts, security certificates, authentication and password policies, and backup and restore. | |
Security features, hardening, and best practices to ensure a secure deployment. | |
Supported devices, such as routers, switches, wireless APs, and software releases. | |
Hardware and software support for Cisco SD-Access. | |
Use of the Cisco DNA Assurance GUI. | |
Use of the Cisco DNA Center platform GUI and its applications. | |
Cisco DNA Center ITSM integration and Cisco DNA Center ITSM support. | |
Use of the Cisco Wide Area Bonjour Application GUI. | |
Use of the Stealthwatch Security Analytics Service on Cisco DNA Center. | |
Use of Rogue and aWIPS functionality to monitor threats in Cisco DNA Center. | Cisco DNA Center Rogue Management and aWIPS Application Quick Start Guide |