Release Notes for Cisco DNA Center, Release 2.2.2.x

This document describes the features, limitations, and bugs for Cisco DNA Center, Release 2.2.2.x.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History

  • Explained how to replace a Cisco Catalyst 9800 HA device that fails in a fabric setup. (Location: Limitations and Restrictions)

  • Added the link to download Cisco DNA Center software. (Location: New and Changed Information)

  • Added the list of packages in Cisco DNA Center (Location: New and Changed Information)

  • Added the Resolved Bugs table for (Location: Resolved Bugs)

  • Added the list of packages in Cisco DNA Center (Location: New and Changed Information)

  • Added the Resolved Bugs table for (Location: Resolved Bugs)

  • Initial release.

Upgrade to the Latest Cisco DNA Center Release

For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.

New and Changed Information

To download Cisco DNA Center software, go to

Table 2. Updated Packages and Versions in Cisco DNA Center Release 2.2.2.x

System Updates

  • System Commons

Package Updates

  • Access Control Application

  • AI Endpoint Analytics

  • AI Network Analytics

  • Application Hosting

  • Application Policy

  • Application Registry

  • Application Visibility Service

  • Assurance - Base

  • Assurance - Sensor

  • Automation - Base

  • Automation - Intelligent Capture

  • Automation - Sensor

  • Cisco DNA Center Global Search

  • Cisco DNA Center Platform

  • Cisco DNA Center UI

  • Cisco SD-Access

  • Cisco Umbrella

  • Cloud Connectivity - Data Hub

  • Cloud Connectivity - Tethering

  • Cloud Device Provisioning Application

  • Command Runner

  • Device Onboarding

  • Disaster Recovery

  • Group-Based Policy Analytics

  • Image Management

  • Machine Reasoning

  • NCP - Base

  • NCP - Services

  • Network Controller Platform

  • Network Data Platform - Base Analytics

  • Network Data Platform - Core

  • Network Data Platform - Manager

  • Network Experience Platform - Core

  • Path Trace

  • RBAC Extensions

  • Rogue and aWIPS

  • Stealthwatch Security Analytics

  • Wide Area Bonjour
New and Changed Features—

The following tables summarize the new and changed features in Release

Table 3. New and Changed Features in Cisco DNA Center
Feature Description

Usage Insights report

The Usage Insights report tracks key performance metrics for several Cisco DNA Center use cases and helps you translate KPIs into IT operational savings. The report translates in-product telemetry into end-user insights.

The Usage Insights report is a customized report that shows the productivity improvement of network operations with Cisco DNA Center and comparative return on investment (ROI) insights with a traditional NMS.

To view the report, click the Menu icon and choose Reports > Usage Insights.

Terminology changes related to installation wizards

As you install Cisco DNA Center and configure the appliance, you will notice the following label changes:

  • The Express Configuration wizard has been renamed as the Install configuration wizard.

  • The Expert Configuration wizard has been renamed as the Advanced Install configuration wizard.

Table 4. New and Changed Features in Cisco Software-Defined Access
Feature Description

Support for wireless endpoints on fabric edge devices that are in StackWise Virtual mode

Cisco Catalyst 9000 Series fabric edge devices that are connected in StackWise Virtual (SVL) mode support wireless endpoints.

SVL support for embedded wireless deployment on Cisco Catalyst 9400 Series and Cisco Catalyst 9500 Series switches

StackWise Virtual link is supported when a Cisco Catalyst 9800 Series Wireless Controller is configured on Cisco Catalyst 9400 Series and Cisco Catalyst 9500 Series switches.

New and Changed Features—

The following tables summarize the new and changed features in Release

Table 5. New and Changed Features in Cisco DNA Center
Feature Description

Disaster recovery

The following disaster recovery changes are new in this release:

  • Added support of three-node (1+1+1) setups. To view a table that lists which Cisco DNA Center appliances and versions support these setups, refer to the Cisco DNA Center Administrator Guide (see the "Prerequisites" topic in the "Implement Disaster Recovery" chapter).

  • Updated the GUI description with a screenshot of the new logical topology.

  • Added a description of the new Disaster Recovery System slide-in pane.

  • Updated the Supported Events table.

  • Updated the Disaster Recovery System Issues table.

  • The links that connect the main, recovery, and witness sites should have a maximum of 350 ms RTT latency (up from 250 ms in previous releases).

System Health

The following System Health changes are new in this release:

  • Listed the newly supported events that a user can subscribe to in order to receive notifications.

  • Documented the scale numbers that Cisco DNA Center appliances support for various network components.

  • Topology updates occur when a certificate is set to expire or the hardware configuration for a connected appliance or external system is not compliant.

  • System Health now provides hardware information for both a disaster recovery system's main and recovery sites. Previously, this information was only provided for a system's main site.

  • Listed the REST APIs that System Health supports and provided sample API output.

Deregister faulty device from Cisco SSM

The RMA workflow deregisters a faulty device from Cisco SSM and registers the replacement device with Cisco SSM.

Automatic download option for ThousandEyes Enterprise Agent application

ThousandEyes Enterprise Agent is an application that gets automatically downloaded within several minutes of starting the App Hosting service. In the absence of an internet connection, you can set a proxy connection from the console to download the application.

Firepower Management Center

Cisco DNA Center supports the integration of Firepower Management Center (FMC). FMC provides complete and unified management over Firepower Threat Defense (FTD) devices for managing Cisco network security solutions.

Create Network Profiles for Firewall

Cisco DNA Center allows you to create network profiles for firewalls. You can create custom configurations to configure security devices like the Adaptive Security Appliance (ASA) family of devices. You can also create FTD configurations to configure FTD devices.

Retry option in workflows

Cisco DNA Center allows you to retry the workflow with the click of a single button in a normal workflow. In the RMA workflow, the retry button is operational only if it is hidden from state.

Preview Devices 2.0

The Preview Devices 2.0 toggle button is new in the top-right corner of the Provision > Inventory page. Click the Preview Devices 2.0 toggle button to view the devices, site profiles, software images, topology, RMA, PnP, templates, and PSIRTs in a new framework.

Explore Menu

The following features have moved from the Cisco DNA Center home page to the Explore menu:

  • Design

  • Policy

  • Provision

  • Assurance

  • Platform

Topology support for new devices

Topology support is provided for the following devices:

  • Cisco Catalyst IR8100 Heavy Duty Series Routers (IR8140H-K9 and IR8140H-P-K9)

  • Cisco Catalyst 9124AX Access Point (C9124AXI and C9124AXD)

Cisco Umbrella configuration support for new devices

With this release, Cisco Umbrella configuration support is available for the following devices:

  • Cisco Catalyst 9200 Access Switch with Cisco IOS-XE software version 17.3.1 or later

  • Cisco Catalyst 9300 Access Switch with Cisco IOS-XE software version 17.3.1 or later

Cisco Umbrella: Review Internal Domains

You can add domains to, and delete domains from, the list of internal domains in Cisco Umbrella.

Config Drift Visibility

The Config Drift page displays configuration changes and allows you to pick any two versions of the same device and compare their running configuration data.


With this release, the information under Previous Running vs Current Running has been moved to the Config Drift page.

Cisco Group-Based Policy Analytics

Access Contracts can now be created and modified directly from the Analytics tab.

Group-Based Access Control

You can now view the policy enforcement statistics data in the Policies listing window. The total number of policy permits and denies are displayed for the selected time period. Group-based access control policies can be created or updated based on the traffic flows for a given source and destination group pair.

You can also create custom views of the policy matrix to focus only on the policies that you are interested in.

Plug and Play support for Cisco DNA Traffic Telemetry Appliance

You can claim a Cisco DNA Traffic Telemetry Appliance from the Plug and Play Devices list.

IPv6 search

Cisco DNA Center allows you to search for devices using their IPv6 addresses. You can search for a device using its full IPv6 address, any abbreviated form, or the double colon (::) in the IPv6 address with prefix and postfix combinations.

User-defined fields

User-defined fields are custom labels that you can create and assign to any device in Cisco DNA Center. By assigning labels to a device and adding values to them, you can show more details about the device in the Device Details page.

Inventory Insights

Cisco DNA Center provides insights about the devices in your network when the configurations of two connected devices are inconsistent with each other.

Persistence across inventory views

The device selection and the number of devices shown in the inventory table persist across inventory views in Cisco DNA Center.

Separation of golden tagging and download

With this release, you can separate the download and golden tagging of software images. Cisco DNA Center allows you to download software images without marking them as golden.

Export Cisco DNA Center PKI Certificate

Cisco DNA Center allows you to download the device certificates that are required to set up an external entity such as a AAA (pronounced "triple A") server or Cisco ISE server to authenticate the devices.

  1. In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > Trust & Privacy > PKI Certificates.

  2. Click Download CA Certificate to export the device CA and add it as the trusted CA on the external entities.

Cisco AI Endpoint Analytics

  1. AI Endpoint Spoofing Detection: Cisco AI Endpoint Analytics analyzes NetFlow telemetry data to detect spoofed endpoints. If an endpoint’s behavior is not in line with its profile, the Cisco AI Endpoint Analytics flags the anomaly, assigns a Trust Score to the endpoint, and lists it as a spoofed endpoint. You then review the details of the flagged endpoints and apply Adaptive Network Control (ANC) policies (created in Cisco ISE) from the Cisco AI Endpoint Analytics window.

  2. Automatic Profiling Rule Updates: Cisco provides automatic system rule updates to enhance endpoint profiling accuracy. These updates could help you profile endpoints more granularly and help profile previously unknown endpoints. Review the profiling changes suggested in an update. Then, you can either apply these changes or ignore the update. Major and minor profiling changes to existing endpoint profiles are displayed for your review.

  3. Cisco ISE MDM Attributes Support: Cisco AI Endpoint Analytics receives MDM attributes from Cisco ISE if Cisco ISE is integrated with an MDM server. These MDM attributes are available for creating endpoint profiles using custom rules.

  4. Global Search Support: In the Cisco DNA Center global search, when you search for endpoints by their IP address or MAC address, a link to AI Endpoint Analytics is displayed along with available profiling details for the endpoint. The profiling details and other information about the endpoint are displayed in the search result.

View IP Address Pools

  • In the IPv4 and IPv6 columns, an i icon appears next to the corresponding used percentage of IPv4 and IPv6 for a given IP address pool. The tooltip displays the percentage of Free, Unassignable, Assigned, and Default Assigned IP addresses.

  • In the IP address pool slide-in pane, the Used area displays Assigned and Unassigned IP addresses to a network device.

  • Global and site IP address pool can have blocklisted IP addresses.

  • Subpools cannot have blocklisted IP addresses.

  • Cisco DNA Center rejects the IP address pool creation request of a CIDR address pool if it contains blocklisted IP addresses.

  • In the next free IP address pool request, Cisco DNA Center skips the blocklisted IP addresses to find the next free IP address pool.
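The pool rules above (a CIDR pool that contains a blocklisted address is rejected; a next-free-pool request skips blocklisted addresses) are easy to get wrong in automation that wraps the IP address pool API. The following is an added example, not code from Cisco DNA Center or the release notes, that implements both checks with the Python standard library's ipaddress module. The global pool, blocklist and already-allocated subpools are constructed sample data, and the "in_use" allocation bookkeeping is an assumption of the example; the release notes do not describe how Cisco DNA Center tracks allocations.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample data (not from the release notes): a global pool, two
# blocklisted addresses inside it, and one subpool that is already handed out.
GLOBAL_POOL = "10.10.0.0/16"
BLOCKLIST = ["10.10.0.5", "10.10.1.200"]
IN_USE_SUBPOOLS = ["10.10.2.0/24"]


def _parse_blocklist(blocklist: Iterable[str]) -> List[Address]:
    return [ipaddress.ip_address(a) for a in blocklist]


def blocklisted_in(cidr: str, blocklist: Iterable[str]) -> List[Address]:
    """Blocklisted addresses that fall inside cidr (same IP version only)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [a for a in _parse_blocklist(blocklist)
            if a.version == net.version and a in net]


def pool_creation_allowed(cidr: str, blocklist: Iterable[str]) -> Tuple[bool, List[Address]]:
    """A CIDR pool that contains any blocklisted address is rejected.

    Returns (allowed, offending_addresses) so the caller can report why.
    """
    hits = blocklisted_in(cidr, blocklist)
    return (not hits, hits)


def next_free_subpool(parent_cidr: str, new_prefix: int, blocklist: Iterable[str],
                      in_use: Iterable[str]) -> Optional[Network]:
    """First /new_prefix subpool of parent_cidr that is not already allocated and
    holds no blocklisted address; None if the parent is exhausted.

    The in_use list is this example's own allocation bookkeeping (assumption).
    """
    parent = ipaddress.ip_network(parent_cidr, strict=True)
    used = [ipaddress.ip_network(n, strict=True) for n in in_use]
    blocked = [a for a in _parse_blocklist(blocklist) if a.version == parent.version]
    for candidate in parent.subnets(new_prefix=new_prefix):
        if any(candidate.overlaps(u) for u in used if u.version == candidate.version):
            continue  # already allocated
        if any(a in candidate for a in blocked):
            continue  # skip subpools that would contain a blocklisted address
        return candidate
    return None


if __name__ == "__main__":
    allowed, hits = pool_creation_allowed("10.10.0.0/24", BLOCKLIST)
    print("create 10.10.0.0/24:", "allowed" if allowed else f"rejected, blocklisted {hits}")
    print("next free /24:", next_free_subpool(GLOBAL_POOL, 24, BLOCKLIST, IN_USE_SUBPOOLS))
```

With the sample data, 10.10.0.0/24 is rejected because it contains 10.10.0.5, and the next free /24 is 10.10.3.0/24: 10.10.0.0/24 and 10.10.1.0/24 are skipped for blocklisted addresses and 10.10.2.0/24 is already allocated.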

Table 6. New and Changed Features in Cisco DNA Automation
Feature Description

Support for a new AP

This release introduces support for Cisco Catalyst 9124AXE Series Access Points.

Multiple Ciphersuite support

You can configure multiple DTLS (Datagram Transport Layer Security) ciphersuites on Cisco Catalyst 9800 Series Wireless Controller, Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches, and Cisco Embedded Wireless Controller on Catalyst Access Points platforms running Release 17.5 or later.

Mobility Cipher configuration

You can enable or disable the DTLS (Datagram Transport Layer Security) cipher configuration for mobility on Cisco Catalyst 9800 Series Wireless Controller Release 17.5 or later.

AP RMA Retry

The AP RMA Retry feature allows you to retry a defective-AP replacement that failed.

AP Configuration workflow

The AP Configuration workflow helps you to configure and deploy AP-level and radio-level parameters in Cisco DNA Center.

You can configure the following AP-level parameters:

  • AP location

  • AP admin status

  • AP mode

  • AP LED status

  • AP failover priority

  • High availability

You can configure the following radio-level parameters:

  • Radio admin status

  • Radio power settings

  • Radio channel settings

Support to modify AP names in Cisco DNA Center

You can bulk edit AP names in Cisco DNA Center using the AP Configuration workflow.

Support for band select or radio policy selection for Guest SSID

You can configure wireless band preferences by selecting one of the options:

  • Dual band operation (2.4 GHz and 5 GHz)

  • Dual band operation with band select

  • 5 GHz only

  • 2.5 GHz only

Enable ICMP ping on APs in FlexConnect mode

You can enable or disable the Internet Control Message Protocol (ICMP) Ping on APs in FlexConnect mode from Cisco DNA Center.

Cisco DNA Center uses the ICMP to ping FlexConnect APs that are in unreachable state every 5 minutes to enhance reachability and then updates the reachability status in the Inventory window.

Site hierarchy movement

You can change the site hierarchy for non-provisioned devices while preserving AP locations on site maps.

These are the allowed site hierarchy movements:

  • You can move a building under a new area that is empty (has no site hierarchy under it).

  • You can move an area under a new area that is empty (has no site hierarchy under it).

  • You cannot move an existing floor to a different building.

Special character handling

The following changes are introduced in this release:

  • The SSID name can have leading spaces, but trailing spaces are not allowed.

  • The AP name can contain only letters, numbers, hyphen, and underscore.

  • All special characters except for " & ? ' / < > are allowed for a building name.

  • All special characters except for & < > ? " / [ ] are allowed for a floor name.

  • The tags and profile names cannot contain leading and trailing spaces.

Custom Rogue Rule workflow

The rogue rule creation lets you create custom rogue rules using Workflows in Cisco DNA Center. Rogue rules are an easy way to segregate and manage rogues with different risk profiles. Rogue rules are easy to configure and they are applied in order of priority. They reduce false positives, noise for sites with interferers, and number of alerts. They provide the ability to adjust organizational risk profiles on a global and site basis.

Rogue Rule Profile workflow

You can create a rule with specific conditions and then associate it to a rule profile using a workflow in Cisco DNA Center.

Support for new aWIPS signatures

The following aWIPS signatures are introduced in this release:

  • Deauthentication Flood

  • Fuzzed Beacon

  • Fuzzed Probe Request

  • Fuzzed Probe Response

  • PS Poll Flood

  • EAPOL Start V1 Flood

  • Reassociation Request Flood

  • Beacon Flood

  • Probe Response Flood

  • Block Ack Flood

  • Airdrop Session

  • Malformed Association Request

  • Authentication Failure Flood

  • Invalid MAC OUI Frame

  • Malformed Authentication

Table 7. New and Changed Features in Cisco DNA Assurance
Feature Description

Device 360 - Interface Utilization Graph

For interfaces, Tx and Rx Utilization chart values are populated in absolute values (Percentage and Rate).

Network Device Health Summary UI Enhancement - Unmonitored to No Health

The Network Device Health Summary - Total Devices section provides the total number of network devices and the count of Good Health, Fair Health, Poor Health, and No Health data.

Cisco SD-Access: Network Health Dashboard Enhancements

The Network Health Summary dashlet provides new KPIs for fabric domains:

  • Fabric CP Reachability

  • External Multicast RP for Fabric Border

  • AAA Server Status for Fabric Edge and Extended Node

In the Network Device dashlet, you can filter the network device table based on the fabric types, including Extended Node.

Cisco SD-Access: Device 360 Enhancements

In the Network Device 360 - Device detail area, below the timeline, you can view additional information about the device such as Fabric Role, Fabric Domain, and Fabric Site.

In the Detailed Information area under the Fabric tab, the new fabric KPIs that are included in device health are grouped under Fabric Infrastructure and VN Service.

Cisco SD-Access: Network Topology Enhancements

In the Physical Neighbor Topology for fabric domains, the fabric badge icons identify device fabric groups such as Border, Control Plane, Edge, Extended Node and Wireless.

Event Viewer Enhancements

In the Client 360 Dashboard, the Event Viewer detailed information area is enhanced to show:

  • Associate Start Event: The RSSI and SNR values throughout the session.

  • Delete Event: Detailed delete reasons for client disconnections.

WAN Link Utilization Dashlet

You can view the status of the WAN link utilization percentage only for the available WAN links in your network.

WAN Link Availability Dashlet

You can view the status of the available WAN links in your network.

Power Stack Visibility

In the Network Device 360 view, you can view the stack power connection details under the PoE tab.

Power over Ethernet Dashboard

The PoE dashboard is added to Assurance > Dashboards > PoE, which lets you monitor and view the operational state of the PoE-capable devices in your network.

The following dashlets are available: PoE Operational State Distribution, PoE Powered Device Distribution, Power Load Distribution, PoE Insights, and PoE Power Usage Dashlet.

Sensor Test - Proxy

With this release, proxy support is enabled for Sensor-Driven Tests. You can run the sensor test through proxy settings.

Application Experience Health Score Calculation Enhancements

You can add the Application Response Time KPI to the Application Experience health score calculation.

Application Health Score Customization

You can customize the health score calculation for applications by changing the KPI thresholds on a per-traffic class basis and specifying the KPIs that are included for the calculation.

Monitor Application Health Enhancements

Click the Managed Clients tab to view only the clients that are managed by Cisco DNA Center.

View and Manage Issues (Access Point Issues)

A poor RF issue triggers when APs have a poor wireless experience.

The poor RF issue instance second slide-in pane supports Problem Details, Impact Details, Troubleshooting, and Suggested Actions for poor RF issues.

Also, the poor RF issue instance second slide-in pane allows you to compare the health of AP radios across the floor in a building.

View and Manage Issues (Wireless Client Issues)

With this release, the Cisco DNA Center machine reasoning engine (MRE) supports root cause analysis (RCA) for AAA server issues. RCA allows you to analyze Cisco ISE syslog messages from various servers to derive the possible root causes that could have triggered the issue.

RCA support is extended for the following AAA server issues:

  • AAA wireless client failed to connect

  • AAA server timeout

  • AAA server rejected client

View and Manage Issues (Radio No Activity Issues)

The radio no activity issue instance identifies and raises an issue for AP radios that fail to serve clients for 60 to 240 minutes.

The radio no activity issue instance pane supports Problem Details, Relevant Issue, and Suggested Actions.

Monitor and Troubleshoot the Health of a Device

The Device 360 page now supports a Map and Comparison View that allows you to compare the last 5 minutes of health of AP radios across the floor in a building.

Baselines Dashboard

Cisco AI Network Analytics uses the most advanced machine learning techniques to define the baseline that is relevant to your specific network and sites.

MAC Randomization

With MAC randomization, client devices use a unique private MAC address (RCM, a Randomized and Changing MAC address) when connecting to the Wi-Fi network.

Table 8. New and Changed Software Features in Cisco Software-Defined Access
Feature Description

Support for VLAN ID customization

You can now assign a desired VLAN ID to a host pool VLAN and Layer 3 handoff VLAN. The VLAN IDs can be in the range of 1 to 4095.

This feature provides more flexibility in segment creation for brownfield SD-Access deployments. Delete any existing overlapping or conflicting VLAN, SVI, or AAA configurations from the device and resynchronize the device in the inventory before adding it to the SD-Access fabric.

When you upgrade from an earlier release, the existing VLANs continue to work normally. After the upgrade, you must provide an external VLAN ID for new Layer 3 handoffs. The Layer 2 handoff VLAN is autopopulated based on the VLAN ID assigned to the host pool. You can edit the Layer 2 handoff VLAN ID to assign a different VLAN number.

To change the VLAN ID for an existing IP pool VLAN, delete the IP pool and create the IP pool again with the desired VLAN ID.

Consider the following guidelines before assigning a custom VLAN ID:

  • If you do not provide a custom VLAN ID, Cisco DNA Center generates a VLAN ID in the range of 1021 to 2020.

  • VLAN IDs 1, 1002-1005, 2046, 4095 are reserved and cannot be used.

  • Critical voice or pre-auth VLAN is assigned a VLAN ID of 2046 and cannot be changed.

  • Borders in the same site or in different sites can share the same Layer 3 handoff VLAN IDs.

Fabric edge node scale

The number of local endpoints that an SD-Access fabric edge node supports has been increased. The supported number is limited by the capability of the platform that is configured as the fabric edge.

Use the show lisp platform command to check the platform limits.

See the Cisco DNA Center Data Sheet for specific scale numbers.

Table 9. New Features in Cisco Group-Based Policy Analytics
Feature Description

View and Modify Access Contracts

Access Contracts can now be created and modified directly from the Analytics tab. You can view, create, edit, and delete access contracts from the Analytics tab directly.

Deprecated Features

SNMPv3 Data Encryption Standard (DES) Privacy Mode support is deprecated in Cisco DNA Center 2.2.2. SNMPv3 DES is no longer supported in Cisco DNA Center 2.2.2 or any later releases.

SNMPv3 DES is used to ensure data confidentiality: the designated portion of an SNMP message is encrypted and included as part of the message sent to the recipient. DES is no longer considered secure because its key length is too short, which has been shown to leave it vulnerable to brute-force attacks. Advanced Encryption Standard (AES) is the recommended privacy mode.
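Before upgrading, it is worth finding every SNMPv3 user that still uses DES privacy, since Cisco DNA Center 2.2.2 will no longer be able to poll those devices with that credential. The following is an added example, not code from Cisco DNA Center or the release notes, that audits IOS-style "snmp-server user" command lines and reports each SNMPv3 user's privacy protocol. The sample lines are constructed for the example; the command syntax it matches is the standard IOS form "snmp-server user <name> <group> v3 ... priv {des|3des|aes {128|192|256}} <password>". Note that IOS does not echo "snmp-server user" lines in the running configuration, so feed it the lines from your configuration templates or the commands as entered.

```python
import re
from typing import Dict, List

# Constructed sample of IOS-style "snmp-server user" command lines (not from the
# release notes): one DES user, one AES user, one 3DES user, one v3 user with no
# privacy, and one SNMPv2c user that the audit should ignore.
SAMPLE_SNMP_LINES = """\
hostname edge-sw-01
snmp-server group NETOPS v3 priv
snmp-server user legacy-poller NETOPS v3 auth sha Secret1 priv des Secret2
snmp-server user ro-poller NETOPS v3 auth sha Secret3 priv aes 128 Secret4
snmp-server user weak-priv NETOPS v3 auth md5 Secret5 priv 3des Secret6
snmp-server user noauth-user NETOPS v3
snmp-server user v2c-user NETOPS v2c
"""

# Matches the IOS syntax:
#   snmp-server user <name> <group> v3 [encrypted] [auth {md5|sha} <pw>]
#                    [priv {des|3des|aes {128|192|256}} <pw>]
USER_V3_RE = re.compile(r"^snmp-server user (?P<user>\S+) (?P<group>\S+) v3\b(?P<rest>.*)$")
PRIV_RE = re.compile(r"\bpriv (?P<proto>des|3des|aes)(?: (?P<bits>128|192|256))?\b")


def classify_privacy(proto) -> str:
    """Map a privacy protocol to an audit status.

    'deprecated' : DES, no longer supported from Cisco DNA Center 2.2.2 onward
    'ok'         : AES, the recommended privacy mode
    'review'     : anything else (for example 3DES), which the release notes do not address
    'no-priv'    : SNMPv3 user configured without any privacy protocol
    """
    if proto is None:
        return "no-priv"
    if proto == "des":
        return "deprecated"
    if proto == "aes":
        return "ok"
    return "review"


def audit_snmpv3_privacy(config_text: str) -> List[Dict[str, str]]:
    """Return one finding per SNMPv3 user line found in config_text."""
    findings = []
    for line in config_text.splitlines():
        m = USER_V3_RE.match(line.strip())
        if not m:
            continue  # not an SNMPv3 user line (groups, v2c users, other config)
        priv = PRIV_RE.search(m.group("rest"))
        proto = priv.group("proto") if priv else None
        bits = priv.group("bits") if priv else None
        findings.append({
            "user": m.group("user"),
            "group": m.group("group"),
            "priv": f"{proto} {bits or ''}".strip() if proto else "none",
            "status": classify_privacy(proto),
        })
    return findings


def users_needing_migration(config_text: str) -> List[str]:
    """Users whose privacy protocol is DES and must be moved to AES before upgrading."""
    return [f["user"] for f in audit_snmpv3_privacy(config_text)
            if f["status"] == "deprecated"]


if __name__ == "__main__":
    for finding in audit_snmpv3_privacy(SAMPLE_SNMP_LINES):
        print(f"{finding['user']:<15} priv={finding['priv']:<8} status={finding['status']}")
    print("migrate to AES:", users_needing_migration(SAMPLE_SNMP_LINES))
```

The audit deliberately reports v3 users with no privacy protocol as a separate status, because a credential that never used DES is not affected by the deprecation but is also sending management traffic in the clear.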

Cisco DNA Center-Supported Devices

For information about devices such as routers, switches, wireless access points, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see Supported Devices.

Compatible Browsers

The Cisco DNA Center GUI is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later.

  • Mozilla Firefox: Version 65.0 or later.

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco DNA Center Installation Guide.

About Telemetry Collection

As first implemented in Cisco DNA Center 2.1.1.x, telemetry is mandatory; Cisco DNA Center 2.2.2.x follows the same practice. The telemetry is designed to help the development of features that you use. Cisco collects your ID, system telemetry, feature usage telemetry, network device inventory, and license entitlement. Telemetry is not application or feature specific; the disclosure of telemetry is for all of Cisco DNA Center. See the Cisco DNA Center Data Sheet for a more expansive list of data that we collect.

Supported Hardware Appliances

Cisco supplies Cisco DNA Center in the form of a rack-mountable, physical appliance. The following versions of the Cisco DNA Center appliance are available:

  • First generation

    • 44-core appliance: DN1-HW-APL

  • Second generation

    • 44-core appliance: DN2-HW-APL

    • 44-core promotional appliance: DN2-HW-APL-U

    • 56-core appliance: DN2-HW-APL-L

    • 56-core promotional appliance: DN2-HW-APL-L-U

    • 112-core appliance: DN2-HW-APL-XL

    • 112-core promotional appliance: DN2-HW-APL-XL-U

Supported Firmware

Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL

  • Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-L

  • Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-XL

The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with all later versions.

Installing Cisco DNA Center

You install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.


Certain applications, like Group-Based Policy Analytics, are optional applications that are not installed on Cisco DNA Center by default. If you need any of the optional applications, you must manually download and install the packages separately.

For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide.

Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) 10.6.2. Earlier versions of CMX are not supported.


While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.

Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series

Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternative Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.
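The following Python is an added example, not Cisco code: given the SAN entries of the Cisco DNA Center server certificate (in the shape Python's ssl getpeercert() returns them) and the discovery method the devices use, it reports which required SAN value is missing and flags the FQDN-first ordering and no-CN-fallback caveats described above. The method labels, function names and sample values are assumptions.

```python
"""Check a Cisco DNA Center server certificate's SAN entries against the Plug and
Play discovery method in use.  Added example; the function and method names are
assumptions, not Cisco APIs."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# One SAN entry, in the shape ssl.SSLSocket.getpeercert()["subjectAltName"] uses:
# ("DNS", "dnac.example.com") or ("IP Address", "10.1.1.10").
SanEntry = Tuple[str, str]

# Discovery methods from the release notes (labels are assumptions).
DHCP_IP = "dhcp-ip"              # option-43 / option-17 with an explicit IPv4/IPv6 address
DHCP_HOSTNAME = "dhcp-hostname"  # option-43 / option-17 carrying a hostname
DNS = "dns"                      # pnpserver.<domain> lookup
PNP_CONNECT = "pnp-connect"      # Cisco Plug and Play Connect cloud portal


def _norm_ip(value: str) -> Optional[str]:
    """Canonical text form of an IPv4/IPv6 address, or None if value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def _norm_name(value: str) -> str:
    """Case-insensitive, trailing-dot-insensitive DNS name comparison key."""
    return value.strip().lower().rstrip(".")


def required_san_values(method: str, *, controller_fqdn: str = "",
                        controller_ip: str = "", domain: str = "",
                        nat_ip: str = "", pnp_connect_uses_ip: bool = False) -> List[str]:
    """Return the value(s) the PnP IOS Agent must find in the SAN for this method."""
    if method == DHCP_IP:
        required = [controller_ip]
    elif method == DHCP_HOSTNAME:
        required = [controller_fqdn]
    elif method == DNS:
        required = [f"pnpserver.{domain}" if domain else ""]
    elif method == PNP_CONNECT:
        required = [controller_ip if pnp_connect_uses_ip else controller_fqdn]
    else:
        raise ValueError(f"unknown discovery method: {method}")
    if not required[0]:
        raise ValueError(f"missing controller parameter for method {method}")
    # A public address assigned by a NAT router must also appear in the SAN.
    if nat_ip:
        required.append(nat_ip)
    return required


def check_san(san: Sequence[SanEntry], required: Sequence[str]) -> Dict[str, object]:
    """Report required values missing from the SAN plus the caveats from the notes.

    Returns {"ok": bool, "missing": [values], "warnings": [messages]}.
    """
    dns_names = {_norm_name(v) for t, v in san if t == "DNS"}
    ip_addrs = {_norm_ip(v) for t, v in san if t == "IP Address"}
    missing: List[str] = []
    for value in required:
        ip = _norm_ip(value)
        present = ip in ip_addrs if ip is not None else _norm_name(value) in dns_names
        if not present:
            missing.append(value)

    warnings: List[str] = []
    if not san:
        # The agent never falls back to the CN, so a SAN-less certificate always fails.
        warnings.append("certificate has no SAN entries; the PnP agent ignores the CN")
    kinds = [t for t, _ in san]
    if "DNS" in kinds and "IP Address" in kinds and kinds.index("IP Address") < kinds.index("DNS"):
        warnings.append("list the FQDN as the first SAN value, followed by the IP address")
    return {"ok": not missing, "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a certificate carrying the controller FQDN and its IP address.
    cert_san = [("DNS", "dnac.example.com"), ("IP Address", "10.1.1.10")]
    for method, kwargs in [
        (DHCP_IP, {"controller_ip": "10.1.1.10"}),
        (DNS, {"domain": "example.com"}),
        (PNP_CONNECT, {"controller_ip": "10.1.1.10", "nat_ip": "203.0.113.7",
                       "pnp_connect_uses_ip": True}),
    ]:
        print(method, check_san(cert_san, required_san_values(method, **kwargs)))
```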


Use the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.


Step 1

Enter the following URL in your browser:

Step 2

In the Log In window, enter your registered username and password and click Log In.

The Bug Search window opens.

If you do not have a username and password, register at

Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Open Bugs

The following table lists the open bugs in Cisco DNA Center for this release.

Table 10. Open Bugs
Bug Identifier Headline


Under Policy > Group-Based Access Control > Manage Views, when you duplicate a custom view, the new (duplicate) is created with the string "_Copy" appended to the original view name. If you then try to duplicate a given view (with a given name) more than once, and you didn't previously edit and rename the original duplicate, an error message states that the new view cannot be created because the name already exists. Note that this is expected behavior, similar to what may be observed when creating new views.


The following behavior is seen on Cisco DNA Center 2.2.2 with the Cisco Wide Area Bonjour application and the Wide Area Bonjour patch:

  1. The switch running config is visible in Cisco DNA Center for a switch added to Inventory with Priv 1 user and NETCONF if that switch was also added with the enable password. Because the user has Privilege 1 credentials in the switch, the running config should not be visible. However, it is visible.

  2. After the switch is added, even if you remove the enable password and update the switch in the Inventory, the behavior remains unchanged; you can still view the running configuration.


Searching for a specific rule in Endpoint Analytics rules pages might take longer than 10 seconds.


In a Cisco DNA Center environment with large numbers of endpoints (around 200,000), if you try to perform a Global search for MAC/IP address and go to Endpoint Analytics, it might take around 10 seconds to see the Endpoint Details page.


The disaster recovery system status is stuck in Registering, and the recovery site is stuck in Connecting to Main Site, during registration.


The SD-AVC classification is rejected for endpoints that change during an upgrade.


Image import fails with the following errors:

Unable to download the image from
The remote server presented an untrusted or expired certificate. Please verify the certificate.


For Cisco Catalyst 9000 switches, LAN automation coupled with SWIM deletes the current running software packages, as well as older packages, during a software image upgrade. In contrast, performing SWIM by itself does not delete the current software packages.


The route text box in the config wizard is limited to 1024 characters. If the static routes exceed that number of characters, the config wizard crashes.


Cisco Wide Area Bonjour: On powering up from Cisco IMC, a single-node cluster does not come up after several hours. While coming up, several pods go into Error State while waiting for the GlusterFS mount point. Remedyctl starts to recover, but fails because the maglevserver pod is down.


For the Cisco DNA Center Application Hosting service, when you update a newer application version on top of an existing application version, the application name on the new version must match the existing application name. If the application names (from the package descriptor file) don’t match, the Application Hosting service rejects the Update operation.


A user with a Super Admin role cannot see notifications from the Notification Center. Also, changes made by a user with an Admin role don't persist.


After a successful upgrade from Cisco DNA Center to, all users other than the Admin user see the following error on the Software Updates page:

Connectivity check failed. Unable to locate new system updates. An error occurred while checking connectivity.
Cannot locate new updates. Retry.

With the Admin login, there is no error. The page accurately shows "Your system package is up to date."


An IPv6 traffic drop is observed because the map-cache ::/0 map-request is missing under the service IPv6 of the instance-id of the remote anchor VN (the inherited VN).

Resolved Bugs

The following table lists the resolved bugs in Cisco DNA Center, Release

Table 11. Resolved Bugs in Cisco DNA Center, Release
Bug Identifier Headline


Wireless controller partial collection failure occurs if proxy mobile IP Network Access controller (PMIP NAI) is longer than 32 characters.


Cisco DNA Center support for the AP Location field.


Cisco DNA Center can't provision the ISR transit control plane after provisioning with a routing template.


A managed access point may not show its operational details on the Assurance Device 360 page.


Provisioning fails when adding an AAA server with a port number greater than 32767 to Cisco DNA Center.


Cisco DNA Center's Provision page may show all device provisioning tasks hung as "In-Progress" on the Activity page when the Cisco ISE integration is broken and the pxGrid service is unavailable, causing a queue to fill.


Heatmaps for the 5-GHz band are not generated for a Cisco Catalyst 9800 Series Wireless Controller.


Image distribution servers won't allow a valid IP address.


When attempting to add an edge device to a fabric, Cisco DNA Center may return the error "Provisioning failed due to invalid parameter. The interface does not exist in the device, select a valid interface."


Unable to open a virtual network in the L2 Handoff settings or click the Save button after an upgrade to Cisco DNA Center


Cisco Catalyst 9800 Series Wireless Controller: The Remote Procedure Call (RPC) rfdca-removed-channel operation fails with a data missing error tag.


Cisco DNA Center: Messages in the "dna.lan.common.service" queue block subsequent LAN automation.


When importing an esx file from an Ekahau project, the azimuth is always off by 90 degrees.


The sensor link is missing for the 5-GHz view.


When attempting to set up the integration between Cisco DNA Center and Cisco DNA Spaces, the integration may fail with the error message "Unable to export hierarchy to the CMX DNA Spaces for one or more domains. An internal failure occurred while pushing an archive to the CMX."

The following table lists the resolved bugs in Cisco DNA Center, Release

Table 12. Resolved Bugs in Cisco DNA Center, Release
Bug Identifier Headline


In the External Authentication page > AAA Server(s) area, the Shared Secret field is missing text or string information.

In Cisco DNA Center, the Shared Secret field shows descriptive text for the required value. If the value is empty, additional text is displayed under the "Shared secret must not be empty" line.

However, in Cisco DNA Center, the following problems occur:

  • The shared secret is not displayed when empty, so it's unclear what the field is used for.

  • When the Shared Secret field contains a value, nothing is displayed. In earlier releases, a string such as " ****** " was displayed to show that a value was configured.

  • When you click Show to see if there is a value configured, nothing is displayed. If a value is already configured, there is no indicator.


Under the My Profile and Settings page, a change to the first name does not take effect.


When the Notification Center is enabled for License notification, Assurance issue notifications are reported along with the license notifications. While there is no functional impact, notifications become a bit noisy based on the amount of network issues that Cisco DNA Center detects. Also, the Assurance issues don't provide any details when you click the notifications.

This problem occurs when you enable notifications for licensing issues (Notification Center > Settings > Notification Preferences > Know Your Network > Devices).


In the Workflows GUI, when text in an "In Progress" tile is long or impedes other elements in the tile, the text should be truncated or abbreviated.

For example, the title of the following in-progress workflow is too long and should be truncated:

"Enable Apps on Switches (thousandeyes/enterprise-agent:Global/North America/North Carolina - 
Research Triangle Park/<conference-room>)"

The following table lists the resolved bugs in Cisco DNA Center, Release

Table 13. Resolved Bugs in Cisco DNA Center, Release
Bug Identifier Headline


The Cisco DNA Center 1.1.6 GUI may become unavailable.


Cisco DNA Center interactive wireless template is not applied to the wireless controller.


Reprovisioning a wireless controller fails after site floor deletion.


Cisco DNA Center may fail to collect inventory from a wireless controller that has unassociated APs that are not deleted or moved to another wireless controller.


Cisco DNA Center's threadmanagermonitor table should be pruned periodically, to keep the size of the database from growing too large.


Cisco DNA Center should not allow provisioning until the Fabric Authentication Key Security fix is applied.


Template Editor: Integer input types need a way to check for null.


The sdn-network-infra-iwan certificate expires on the device.


Cisco DNA Center fabric provisioning takes a long time when multiple sites are connected to the transit.


Cisco DNA Center: Extended nodes must be configured on distinct edge ports.


Cisco DNA Center: Dna-event-runtime pod crashes while accessing the Audit Logs page.


Image repository displays "Failed to load data" after adding a Meraki dashboard to Cisco DNA Center.


Unable to provision again if provisioning fails the first time.


Cisco ISE integration fails when the Cisco DNA Center PPAN certificate contains an unreachable CDP.


A Cisco Catalyst 9800 Series Wireless Controller in HA fails inventory collection.


Cisco DNA Center's PKI service may use a cached certificate, instead of a refreshed certificate, even after the cached certificate's expiration date.


Cisco DNA Center may not push the IP Device Tracking (IPDT) configuration to switch ports that are in access mode, in switches whose role is defined as access switches.


Cisco DNA Center is unable to start LAN automation if the primary seed device was deleted before stopping a previous LAN automation session. This causes subsequent LAN automation sessions to fail.


Cisco DNA Center pushes conflicting configurations to the extended node interfaces during PnP.


MongoDB-2 goes into crashloop after upgrading to Cisco DNA Center 2.1.2.x.


AP provisioning fails when the hostname of the wireless controller is longer than 31 characters.


Wireless controller provisioning fails because a guest SSID is created during Cisco DNA Center 1.2.x with Fast Transition.


The network license count for Cisco Catalyst 9300 switches is incorrect.


Cisco DNA Center: The IPDT configuration is rejected by the Bluetooth interface during provisioning.


Cannot start LAN automation because a discovered site is deleted from the system.


Device-tracking configuration push fails when the Catalyst 9407 device role changes to ACCESS.


Software image activation fails on Cisco DNA Center with the error "NCSW10244: The task is hung and is auto-aborted."


Cisco DNA Center may be unable to start new LAN automation sessions, citing the error "NCND05022: New LAN Automation cannot start as previous session is still in-progress."


Cisco DNA Center may configure the default-flex-profile of a wireless controller with an external webauth SSID that has "central-webauth" enabled.


Cisco DNA Center does not push the default-site-tag-fabric configuration to the Cisco Catalyst 9800 Series Wireless Controller after upgrade.


Adding a Cisco Catalyst 9800 Series Wireless Controller to the fabric fails if the fabric contains L3-only IP address pool segments.


After upgrading to Cisco DNA Center, download of application upgrades fails.


Cisco DNA Center-to-ServiceNow Configuration Management Database (CMDB) sync fails because the inventory includes AP sensors.


The RMA process fails when a faulty device is in NETWORK-READINESS-FAILED status.


Cisco DNA Center becomes very slow after upgrading from 1.3.3.x to


Elasticsearch cluster formation fails in an XL appliance cluster with 12 instances.


Cisco DNA Center doesn't have an option to mark a golden image for Cisco Catalyst 9400 Supervisor Engine-1XL-Y.


ACL_WEBAUTH_REDIRECT is not configured correctly.


An AP map page loads very slowly after upgrading to Cisco DNA Center


Cisco Catalyst 9800 Series Wireless Controller inventory collection fails when the AAA authorization method length is greater than 31 characters.


Cisco DNA Center doesn't provision NetFlow collector settings from the Design page.


It is possible to delete a custom-provisioned RF profile.


Wireless controller provisioning is blocked when the RF profile is deleted from the Design page but not cleaned from the database.


When executed manually from Tools > Network Reasoner > CPU Utilization workflow, the Cnsr-reasoner service restarts every time and there is no issue report.


Cisco DNA Center's Task page doesn't load any data.


Policy: QoS does not push outbound configurations.


Cisco DNA Center: Pkcs12 configuration fails due to internal errors after discovering Cisco Catalyst 9800 Series Wireless Controllers in a cluster.


There is a mismatch in the unassigned device count and what is seen in inventory after removal of the GPS marker.


Cisco DNA Center-to-ServiceNow integration fails with a rate limit exceeded error.


Application upgrade fails due to the RabbitMQ maximum message size.


Duplicate Flex Profiles are found in wireless controllers after upgrade.


RBAC prevents network hierarchy maps from loading; "Error 11015" is displayed.


After fixing an authorization failure, AAA users are able to log in but cannot perform certain operations.


Suboptimal closed authorization configuration is pushed when a critical VLAN/IP address pool is not explicitly defined.


Unable to perform RMA because a field value exceeds the integer range.


Cisco Catalyst 9800 Series Wireless Controller provisioning doesn't work because changes to FlexProfilePolicyAclConfig are not picked up.


Default application policy configuration does not handle the IS-IS protocol correctly.


Cisco DNA Center may become unable to start a new LAN automation session, citing the error "NCND00006: The input payload contains an invalid key."


Cisco DNA Center may become unable to start a new LAN automation session, citing the error "Failed to start Network Orchestration Session: null," following a LAN-automated Fabric-In-A-Box device being deleted from the system, then readded by discovery and inventory.


Restore to Cisco DNA Center fails with the error "SoftTimeLimitExceeded()."


Cisco DNA Center pushes additional flex profiles with an incorrect VLAN-name and VLAN-id mapping.


App upgrade fails due to a constraint violation on the lispcomponent table.


A managed device's inventory status in Cisco DNA Center may change to "Internal Error" when a value returned by the device that should be an IP address is null. The logs show the error "Null value was assigned to a property of primitive type setter of"


Supporting port-channel and tunnel interfaces for tagging-based Application telemetry.


Router provisioning fails with the error "NCSP10250: Error During persistence (provision) of CFS."


Restore may fail due to the 7200-second timeout for pg_restore.


A Guest SSID with the Fast Transition value configured as Adaptive in an earlier release of Cisco DNA Center causes wireless controller provisioning issues in Cisco DNA Center


Cisco DNA Center discovery fails to retrieve global credentials while trying to create a new task.


Cisco DNA Center: An incorrect policy profile is linked with new wireless controllers pushed by Cisco DNA Center during provisioning.


Cisco DNA Center's Inventory service may crash if the managed devices send lots of syslogs.


Cisco DNA Center provisioning AAA configurations to a Cisco Catalyst 9800 Series Wireless Controller may fail due to an invalid command in the configuration model that includes "$timeout".


SLR reservation for stacked switches is stuck at Generating Authorization code.


In the PnP section of the Inventory GUI, wireless sensors hang at "Certificate install is in progress. Device is ready to be claimed."


An incorrect web auth configuration may be pushed when a PSK (personal) SSID is added. This causes a conflict in the actual configuration push to the device through Cisco DNA Center provisioning.


After a failed wireless controller provisioning attempt, Cisco DNA Center may not roll back the configuration from the wireless controller, which may cause a network outage.


More pronounced warning for "Deregister" in SSM On-Prem Integration in Cisco DNA Center documentation.


Cisco DNA Center inventory resync results in an internal error.


Reprovisioning a device may not detect configuration changes to the Dot1x Auth Template.


After upgrading to Cisco DNA Center and later, the following error is displayed after modifications of IP address pools for a virtual network on the fabric Host Onboarding page:

NCWL10004: L3 Only pools are not supported.
Please delete and recreate the segment.


During an upgrade of Cisco DNA Center's application packages, the upgrade may appear to be stuck for hours at 20% with no obvious movement forward. The migration logs show a deadlock on the Postgres executionevent table. This issue stems from a large database table upon which database update queries pile up, causing a deadlock.

Limitations and Restrictions

Upgrade Limitation

If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:

  • Cisco ISE is already configured in Cisco DNA Center.

  • The version of Cisco ISE is not 2.6 patch 1 or 2.4 patch 7 or later.

  • Cisco DNA Center contains an existing fabric site.

  • The number of DNS servers must not exceed three.

Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.

To work around this problem, upgrade Cisco ISE to 2.6 patch 1 or 2.4 patch 7 or later, and retry the Cisco DNA Center upgrade.

Backup and Restore Limitations

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

Cisco ISE Integration Limitations

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC 5280, section 4.2.1.9).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.

License Limitation

The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support wireless LAN controller models that run Cisco AireOS.

Fabric Limitations

  • Cisco DNA Center supports up to a maximum of 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, and so on.

    Physical ports cannot exceed 480,000 ports on a 112-core appliance.

  • IP address pools reserved at the area level are shown as inherited at the building level on the Design > Network Settings > IP Address Pools window; however, these IP address pools are not listed on the Host Onboarding window if the fabric site is defined at the building level. If the fabric site is defined at the building level, you must reserve the IP address pools at the building level; if the fabric site is defined at the area level, you must reserve the IP address pools at the area level.

    To work around this issue, release and reserve the IP address pool at the same level (area or building) as the fabric site, or reconfigure the fabric site at the same level as the reserved IP address pool.

  • Cisco DNA Center does not support multicast across multiple fabric sites that are connected by an SDA transit network.

  • In a fabric setup with Cisco Catalyst 9800 HA devices, if one of the HA devices goes down, you must complete the following steps to replace it:

    1. From the Cisco DNA Center Inventory window, resynchronize the HA device that failed. Cisco DNA Center shows the device as standalone; the standby has failed and has been removed.

    2. Set the priority for the devices. If you want the existing device to return as the active device after forming HA with the new device, ensure that the HA priority of the existing device is set to 2 (or the highest available priority value). You configure the device priority from the web UI, under Administration > Device > Redundancy. Alternatively, you can enter the following CLI command to configure the device priority:

      chassis <chassis_number> priority 2

      To view the chassis number and the current priority value, enter the show chassis EXEC command.

      If the priority is set to the default value of 1 on both devices, the device with the lower MAC address becomes the active device.

    3. Configure the chassis redundancy command on the new device using the same local and remote IP addresses that were used on the failed device. You configure the chassis redundancy in either the web UI or the CLI.

    4. Reboot both devices to form the HA pair.

    5. After HA is up, resynchronize the devices in Cisco DNA Center. The Inventory window shows the new HA pair. Verify the serial numbers in the Serial Number column. For an HA pair, both the active and standby serial numbers are shown.

Brownfield Feature-Related Limitations

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point it to an appropriate AP location before deploying the policy. Otherwise, the message "Policy Deployment failed" is displayed.

AP Limitations

  • AP as a sensor is not supported in this release of Cisco DNA Center.

  • Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.

    After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.

  • Provisioning of 100 APs takes longer in this release as compared to 3 minutes in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.

Inter-Release Controller Mobility (IRCM) Limitation

The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.

IP Device Tracking on Trunk Port Limitation

Rogue-on-wire detection is affected: Cisco DNA Center does not show all clients connected to a switch through an access point in bridge mode. The trunk port is used to exchange all VLAN information, so when you enable IP device tracking on the trunk port, clients connected to the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable IP device tracking on the trunk port; rogue-on-wire is not detected if IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.

IP Address Manager Limitations

  • Cisco DNA Center supports integration with an external IPAM server that has trusted certificates. In the Cisco DNA Center GUI, under System > Settings > External Services > IP Address Manager, you might see the following error:

    NCIP10282: Unable to find the valid certification path to the requested target.

    To correct this error for a self-signed certificate:

    1. Using OpenSSL, enter one of the following commands to download the self-signed certificate, depending on your IPAM type. (You can specify the FQDN [domain name] or IP address in the command.)

      openssl s_client -showcerts -connect Infoblox-FQDN:443
      openssl s_client -showcerts -connect Bluecat-FQDN:443

    2. From the output, use the content from ---BEGIN CERTIFICATE--- to ---END CERTIFICATE--- to create a new .pem file.

    3. Go to System > Settings > Trust & Privacy > Trustpool, click Import, and upload the certificate (.pem file).

    4. Go to System > Settings > External Services > IP Address Manager and configure the external IPAM server. (If the IPAM server is already configured, skip this step.)

    To correct this error for a CA-signed certificate, install the root certificate and any intermediate certificates of the CA that is installed on the IPAM into the Cisco DNA Center trustpool (System > Settings > Trust & Privacy > Trustpool).

  • You might see the following error if a CA-signed certificate is revoked by the certificate authority:

    NCIP10286: The remote server presented with a revoked certificate. Please verify the certificate.

    To correct this, obtain a new certificate from the certificate authority and upload it to System > Settings > Trust & Privacy > Trustpool.

  • You might see the following error after configuring the external IPAM details:

    IPAM external sync failed:
    NCIP10264: Non Empty DNAC parent pool <CIDR> exists in external ipam.

    To correct this, log in to the external IPAM server (such as BlueCat). Confirm that the parent pool CIDR exists in the external IPAM server, and remove all the child pools that are configured under that parent pool. Then, return to the Cisco DNA Center GUI and reconfigure the IPAM server under System > Settings > External Services > IP Address Manager.

  • You might see the following error while using IP Address Manager to configure an external IPAM:

    NCIP10114: I/O error on GET request for "https://<IP>/wapi/v1.2/":
    Host name '<IP>' does not match the certificate subject provided by the peer
    (, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US);
    nested exception is Host name '<IP>'
    does not match the certificate subject provided by the peer (, OU=Engineering,
    O=Infoblox, L=Sunnyvale, ST=California, C=US) |

    To correct this, log in to the external IPAM server (such as Infoblox) and regenerate your external IPAM certificate with the common name (CN) value as the valid hostname or IP address. In the preceding example, the CN value is, which is not the valid hostname or IP address of the external IPAM.

    After you regenerate the certificate with a valid CN value, go to System > Settings > Trust & Privacy > Trustpool. Click Import and upload the new certificate (.pem file).

    Then, go to System > Settings > External Services > IP Address Manager and configure the external IPAM server with the server URL as the valid hostname or IP address (as listed as the CN value in the certificate).
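    The following added example is not part of the Cisco release notes. It automates step 2 of the self-signed certificate procedure above (extracting the PEM block from the openssl s_client output) and checks for the hostname mismatch reported by NCIP10114 before you configure the IPAM URL. It assumes POSIX sh, awk and grep; the embedded s_client output and certificate body are constructed, not real.

```shell
#!/bin/sh
# Added example, not from the Cisco release notes: turns `openssl s_client`
# output into the .pem file the trustpool import expects and checks that the
# certificate CN matches the IPAM host you will enter (the NCIP10114 mismatch).

# Constructed s_client output standing in for a real IPAM (not a real certificate).
SAMPLE='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificateBody==
-----END CERTIFICATE-----
subject=CN = ipam.example.net, OU = Engineering, O = Infoblox, L = Sunnyvale, ST = California, C = US
issuer=CN = ipam.example.net, OU = Engineering, O = Infoblox'

# Copy every -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block from
# s_client output on stdin; with -showcerts that is the leaf followed by its chain.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }'
}

# Number of certificates in a PEM stream on stdin.
count_certs() {
    grep -c '^-----END CERTIFICATE-----$'
}

# CN from the "subject=" line s_client prints, for both the "subject=CN = host, O = x"
# (OpenSSL 1.1+) and "subject=/CN=host/O=x" (OpenSSL 1.0) layouts; prints an empty
# string when the subject carries no CN at all, as in the NCIP10114 message.
subject_cn() {
    awk '/^subject=/ {
            cn = ""
            if (match($0, "CN *= *[^,/]+")) {
                cn = substr($0, RSTART, RLENGTH)
                sub(/^CN *= */, "", cn)
            }
            print cn; exit
         }'
}

# Succeeds only when the CN equals the hostname or IP you will enter as the IPAM URL.
cn_matches() {    # $1 = expected host, stdin = s_client output
    [ -n "$1" ] && [ "$(subject_cn)" = "$1" ]
}

# Live use (Infoblox-FQDN is the placeholder from the procedure):
#   openssl s_client -showcerts -connect Infoblox-FQDN:443 </dev/null 2>/dev/null > ipam.txt
#   extract_pem < ipam.txt > ipam.pem && cn_matches Infoblox-FQDN < ipam.txt && echo "CN ok"
```

If cn_matches fails, regenerate the IPAM certificate with the CN set to the hostname or IP you will configure, as the NCIP10114 remedy above describes, before importing it.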

IPv6 Limitations

If you choose to run Cisco DNA Center in IPv6 mode:

  • Access Control Application, Group-Based Policy Analytics, and Cisco AI Endpoint Analytics packages are disabled and cannot be downloaded or installed.

  • Communication through Cisco ISE pxGrid is disabled, because Cisco ISE pxGrid does not support IPv6.

Cisco Plug and Play Limitations

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

Cisco Group-Based Policy Analytics Limitations

  • Cisco Group-Based Policy Analytics supports up to five concurrent requests based on realistic customer data. While it is desirable for GUI operations to respond within 5 seconds or less, for extreme cases based on realistic data, it can take up to 20 seconds. There is no mechanism to prevent more than five simultaneous requests at a time, but if it does happen, it might cause some GUI operations to fail. Operations that take longer than 1 minute will time out.

  • Data aggregation occurs at hourly offsets from UTC in Cisco Group-Based Policy Analytics. However, some time zones are at a 30-minute or 45-minute offset from UTC. If the Cisco DNA Center server is located in a time zone with a 30-minute or 45-minute offset from UTC and the client is located in a time zone with an hourly offset from UTC, or vice versa, the time ranges for data aggregation in Cisco Group-Based Policy Analytics are incorrect for the client.

    For example, assume that the Cisco DNA Center server is located in California PDT (UTC-7), where data aggregations occur at hourly offsets (8:00 a.m., 9:00 a.m., 10:00 a.m., and so on). When a client located in India IST (UTC+5:30) wants to see the data between 10:00 and 11:00 p.m. IST, which corresponds to the time range 9:30 to 10:30 a.m. PDT in California, no aggregations are seen.

  • Group changes that occur within an hour are not captured. When an endpoint changes from one scalable group to another, Cisco Group-Based Policy Analytics is unaware of this change until the next hour.

  • You cannot sort the Scalable Group and Stealthwatch Host Group columns in the Search Results window.

  • You might see discrepancies in the information related to Network Access Device (including location) between Cisco DNA Assurance and Cisco Group-Based Policy Analytics.

Application Telemetry Limitation

When configuring application telemetry on a device, Cisco DNA Center might choose the wrong interface as the source for NetFlow data.

To force Cisco DNA Center to choose a specific interface, add netflow-source to the description of the interface. You can use a special character followed by a space after netflow-source, but not before it. For example, the following syntax is valid:

MANAGEMENT netflow-source
netflow-source MANAGEMENT
netflow-source & MANAGEMENT
netflow-source |MANAGEMENT

The following syntax is invalid:

MANAGEMENT | netflow-source
* netflow-source

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center.


The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.

  • Cisco DNA Center Release Notes: Release information, including new features, limitations, and open and resolved bugs.

  • Cisco DNA Center Installation Guide: Installation and configuration of Cisco DNA Center, including postinstallation tasks.

  • Cisco DNA Center Upgrade Guide: Upgrade information for your current release of Cisco DNA Center.

  • Cisco DNA Center User Guide: Use of the Cisco DNA Center GUI and its applications.

  • Cisco DNA Center Administrator Guide: Configuration of user accounts, security certificates, authentication and password policies, and backup and restore.

  • Cisco DNA Center Security Best Practices Guide: Security features, hardening, and best practices to ensure a secure deployment.

  • Supported Devices: Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases.

  • Cisco SD-Access Hardware and Software Compatibility Matrix: Hardware and software support for Cisco SD-Access.

  • Cisco DNA Assurance User Guide: Use of the Cisco DNA Assurance GUI.

  • Cisco DNA Center Platform User Guide: Use of the Cisco DNA Center platform GUI and its applications.

  • Cisco DNA Center Platform Release Notes: Cisco DNA Center platform release information, including new features, deployment, and bugs.

  • Cisco Wide Area Bonjour Application User Guide: Use of the Cisco Wide Area Bonjour Application GUI.

  • Cisco Stealthwatch Analytics Service User Guide: Use of the Stealthwatch Security Analytics Service on Cisco DNA Center.

  • Cisco DNA Center Rogue Management Application Quick Start Guide: Use of Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center GUI.