Release Notes for Cisco DNA Center, Release 2.2.2.x

This document describes the features, limitations, and bugs for Cisco DNA Center, Release 2.2.2.x.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History

Date | Change | Location
2022-06-17 | Added the Cloud Connectivity - Contextual Content package. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2022-06-06 | Added the list of packages in Cisco DNA Center 2.2.2.9. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2022-06-06 | Added the Resolved Bugs table for 2.2.2.9. | Resolved Bugs
2022-06-06 | Added the open bugs CSCwa51827 and CSCwb73232. | Open Bugs
2022-06-06 | Noted that Cisco DNA Center 2.2.2.9 contains fixes for the Spring4Shell vulnerability. | New and Changed Information
2022-06-06 | Added details about the AI cloud client certificate renewal. | New and Changed Information
2022-04-12 | Added information that beginning with release 2.2.2.x, Cisco DNA Assurance does not support sensor-driven tests using the legacy method. | New and Changed Information
2022-03-28 | Added the open bug CSCwa23879. | Open Bugs
2021-12-21 | Added the list of packages in Cisco DNA Center 2.2.2.8. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2021-12-21 | Added the Resolved Bugs table for 2.2.2.8. | Resolved Bugs
2021-12-21 | Noted that Cisco DNA Center 2.2.2.8 contains fixes for the Apache Log4j vulnerability. | New and Changed Information
2021-10-26 | Added the list of packages in Cisco DNA Center 2.2.2.6. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2021-10-26 | Added the Resolved Bugs table for 2.2.2.6. | Resolved Bugs
2021-10-06 | Added the open bug CSCvz76664. | Open Bugs
2021-09-24 | Added the list of packages in Cisco DNA Center 2.2.2.5. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2021-09-24 | Added the Resolved Bugs table for 2.2.2.5. | Resolved Bugs
2021-08-19 | Added the open bug CSCvy30606. | Open Bugs
2021-08-09 | Added the list of packages in Cisco DNA Center 2.2.2.4. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2021-08-09 | Added the Resolved Bugs table for 2.2.2.4. | Resolved Bugs
2021-06-22 | Explained how to replace a Cisco Catalyst 9800 HA device that fails in a fabric setup. | Limitations and Restrictions
2021-06-14 | Added the link to download Cisco DNA Center software. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2021-05-27 | Added the list of packages in Cisco DNA Center 2.2.2.3. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2021-05-27 | Added the Resolved Bugs table for 2.2.2.3. | Resolved Bugs
2021-05-07 | Added the list of packages in Cisco DNA Center 2.2.2.1. | Package Versions in Cisco DNA Center, Release 2.2.2.x
2021-05-07 | Added the Resolved Bugs table for 2.2.2.1. | Resolved Bugs
2021-04-23 | Initial release. |

Upgrade to the Latest Cisco DNA Center Release

For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.

Package Versions in Cisco DNA Center, Release 2.2.2.x

To download Cisco DNA Center software, go to https://software.cisco.com/download/home/286316341/type.

Table 2. Updated Packages and Versions in Cisco DNA Center 2.2.2.x

Package Name | Release 2.2.2.9 | Release 2.2.2.8 | Release 2.2.2.6 | Release 2.2.2.5 | Release 2.2.2.4 | Release 2.2.2.3 | Release 2.2.2.1 | Release 2.2.2.0

System Updates
System | 1.6.594 | 1.6.594 | 1.6.551 | 1.6.424 | 1.6.424 | 1.6.387 | 1.6.368 | 1.6.368
System Commons | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875

Package Updates
Access Control Application | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
AI Endpoint Analytics | 1.4.375 | 1.4.375 | 1.4.365 | 1.4.365 | 1.4.365 | 1.4.365 | 1.4.290 | 1.4.290
AI Network Analytics | 2.6.10.494 | 2.6.9.455 | 2.6.9.455 | 2.6.9.453 | 2.6.9.453 | 2.6.7.436 | 2.6.5.426 | 2.6.5.426
Application Hosting | 1.6.6.2201241723 | 1.6.6.2112161504 | 1.6.0.2109011512 | 1.6.0.2107090810 | 1.6.0.2107090810 | 1.6.0.2104291515 | 1.6.0.2104071147 | 1.6.0.2104071147
Application Policy | 2.1.369.170033 | 2.1.368.170003 | 2.1.366.170328 | 2.1.364.170201 | 2.1.364.170201 | 2.1.363.170112 | 2.1.360.117407 | 2.1.360.117403
Application Registry | 2.1.369.170033 | 2.1.368.170003 | 2.1.366.170328 | 2.1.364.170201 | 2.1.364.170201 | 2.1.363.170112 | 2.1.360.117407 | 2.1.360.117403
Application Visibility Service | 2.1.369.170033 | 2.1.368.170003 | 2.1.366.170328 | 2.1.364.170201 | 2.1.364.170201 | 2.1.363.170112 | 2.1.360.117407 | 2.1.360.117403
Assurance - Base | 2.2.2.485 | 2.2.2.485 | 2.2.2.450 | 2.2.2.411 | 2.2.2.411 | 2.2.2.357 | 2.2.2.305 | 2.2.2.305
Assurance - Sensor | 2.2.2.484 | 2.2.2.484 | 2.2.2.448 | 2.2.2.404 | 2.2.2.404 | 2.2.2.346 | 2.2.2.302 | 2.2.2.302
Automation - Base | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Automation - Intelligent Capture | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.364.62281 | 2.1.360.60878 | 2.1.360.60875
Automation - Sensor | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Cisco DNA Center Global Search | 1.5.0.466 | 1.5.0.466 | 1.5.0.362 | 1.5.0.362 | 1.5.0.362 | 1.5.0.362 | 1.5.0.5 | 1.5.0.5
Cisco DNA Center Platform | 1.5.1.182 | 1.5.1.180 | 1.5.1.171 | 1.5.1.137 | 1.5.1.137 | 1.5.1.120 | 1.5.1.64 | 1.5.1.62
Cisco DNA Center UI | 1.6.2.448 | 1.6.2.446 | 1.6.2.442 | 1.6.2.432 | 1.6.2.407 | 1.6.2.349 | 1.6.2.341 | 1.6.2.303
Cisco SD-Access | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Cisco Umbrella | 2.1.368.592066 | 2.1.368.592015 | 2.1.366.592043 | 2.1.364.592099 | 2.1.364.592099 | 2.1.363.590048 | 2.1.360.590210 | 2.1.360.590196
Cloud Connectivity - Contextual Content | 1.3.1.364 | 1.3.1.364 | 1.3.1.364 | 1.3.1.359 | 1.3.1.359 | 1.3.1.307 | |
Cloud Connectivity - Data Hub | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.380 | 1.6.0.263 | 1.6.0.263
Cloud Connectivity - Tethering | 2.12.1.2 | 2.12.1.2 | 2.12.1.2 | 2.12.1.2 | 2.12.1.2 | 2.1.1.43 | 2.1.1.41 | 2.1.1.41
Cloud Device Provisioning Application | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Command Runner | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Device Onboarding | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Disaster Recovery | 2.1.367.360196 | 2.1.367.360196 | 2.1.366.362051 | 2.1.364.362034 | 2.1.364.362034 | 2.1.363.360026 | 2.1.360.360163 | 2.1.360.360163
Group-Based Policy Analytics | 2.2.1.401 | 2.2.1.401 | 2.2.1.230 | 2.2.1.226 | 2.2.1.226 | 2.2.1.209 | 2.2.1.162 | 2.2.1.162
Image Management | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Machine Reasoning | 2.1.369.210024 | 2.1.368.210017 | 2.1.366.212047 | 2.1.364.212034 | 2.1.364.212034 | 2.1.363.210023 | 2.1.360.210102 | 2.1.360.210099
NCP - Base | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
NCP - Services | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Network Controller Platform | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Network Data Platform - Base Analytics | 1.6.1031 | 1.6.1028 | 1.6.1022 | 1.6.1019 | 1.6.1019 | 1.6.1016 | 1.6.1014 | 1.6.1014
Network Data Platform - Core | 1.6.596 | 1.6.596 | 1.6.589 | 1.6.579 | 1.6.579 | 1.6.576 | 1.6.574 | 1.6.574
Network Data Platform - Manager | 1.6.543 | 1.6.543 | 1.6.542 | 1.6.541 | 1.6.541 | 1.6.539 | 1.6.538 | 1.6.538
Network Experience Platform - Core | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
Path Trace | 2.1.369.60050 | 2.1.368.60015 | 2.1.366.62393 | 2.1.365.62360 | 2.1.364.62281 | 2.1.363.60202 | 2.1.360.60878 | 2.1.360.60875
RBAC Extensions | 2.1.369.1910003 | 2.1.368.1910001 | 2.1.365.1910005 | 2.1.364.1910003 | 2.1.364.1910003 | 2.1.363.1900001 | 2.1.360.1900009 | 2.1.360.1900009
Rogue and aWIPS | 2.2.0.51 | 2.2.0.51 | 2.2.0.51 | 2.2.0.45 | 2.2.0.45 | 2.2.0.42 | 2.2.0.37 | 2.2.0.37
Stealthwatch Security Analytics | 2.1.369.1091317 | 2.1.368.1091226 | 2.1.366.1091170 | 2.1.364.1091088 | 2.1.364.1091088 | 2.1.363.1090038 | 2.1.360.1090037 | 2.1.360.1090024
Wide Area Bonjour | 2.4.368.75006 | 2.4.368.75006 | 2.4.364.75035 | 2.4.363.75002 | 2.4.363.75002 | 2.4.363.75002 | 2.4.360.75032 | 2.4.360.75029

New and Changed Information

Important Updates in Cisco DNA Center 2.2.2.9

Feature Description

Fixes for the Spring4Shell Vulnerability

In March 2022, VMware disclosed the Spring4Shell vulnerability in the Spring Framework. Cisco is committed to transparency and we have published a security advisory to make sure our customers understand the issue and how to address it. Please refer to our advisory for the latest information:

Cisco Security Advisory: Vulnerability in Spring Framework Affecting Cisco Products: March 2022

Cisco DNA Center 2.2.2.9 contains fixes for the Spring4Shell vulnerability. This effort is being tracked as CSCwb43650 for the Cisco DNA Center product and contains the following fix:

  • CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+.

To help assess, identify, and reduce exposure to vulnerabilities, consider running a trusted vulnerability scanner. For example:

  • Rapid7

AI Cloud Client Certificate Renewal

The on-premises Cisco AI Analytics agent uses a client X.509 certificate that is issued during the tenant registration process to authenticate to the Cisco AI Cloud.

Before June 2021, the issued client certificates were valid for three years. As of June 2021, the issued client certificates are valid for one year.

The automatic certificate renewal process has been added to the Cisco AI Analytics agent starting with the following releases:

Cisco DNA Center Release | Cisco AI Network Analytics Release
2.2.2.9 | 2.6.10.494
2.2.3.4 | 2.7.14.582
2.3.2.3 | 2.8.15.455

To guarantee uninterrupted service, we recommend that you upgrade the Cisco AI Analytics agent to a release that supports automatic certificate renewal before the end of July 2022.

After the certificate has been automatically renewed (one month before it expires), a notification to back up the new configuration is shown on the Cisco AI Network Analytics window. This backup is mandatory to restore the services on a new appliance.

Important Updates in Cisco DNA Center 2.2.2.8

Feature Description

Fixes for the Apache Log4j Vulnerability

In December 2021, the Apache Software Foundation disclosed vulnerabilities in the open-source Log4j logging library. At this time, almost all affected Cisco products have either been remediated or have a software update scheduled for release. Cisco is committed to transparency and we have published a security advisory to make sure our customers understand the issue and how to address it. Please refer to our advisory for the latest information:

Cisco Security Advisory: Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021

Cisco DNA Center 2.2.2.8 contains fixes for the Apache Log4j vulnerability. This effort is being tracked as CSCwa47322 for the Cisco DNA Center product and contains the following fixes:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

  • CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

To help assess, identify, and reduce exposure to vulnerabilities, consider running a trusted vulnerability scanner. For example:

New and Changed Features—Cisco DNA Center 2.2.2.4

The following table summarizes the new and changed features in Release 2.2.2.4.

Table 3. New and Changed Features in Cisco Software-Defined Access
Feature Description

Multicast Support on Multisite Remote Border

You can enable multicast on a virtual network that is anchored to a Multisite Remote Border. Configuring multicast on an anchored virtual network configures multicast on the devices in the inherited virtual network too, provided the inherited virtual network already contains a segment. If the inherited virtual network does not have a segment, multicast is deployed only after the first segment is created.

Note
  • Multicast is deployed only if the type of multicast (headend replication or native multicast) is uniform across the virtual network and its inherited networks.

  • The edge devices of an inherited virtual network cannot be configured as a rendezvous point (RP).

Link Aggregation Control Protocol (LACP) Support

A port channel created on the fabric edge can use LACP to connect to the server or trunk ports.

Note that LACP cannot be used on a port channel that is connected to an extended node.

New and Changed Features—Cisco DNA Center 2.2.2.3

The following tables summarize the new and changed features in Release 2.2.2.3.

Table 4. New and Changed Features in Cisco DNA Center
Feature Description

Usage Insights Report

The Usage Insights report tracks key performance metrics for several Cisco DNA Center use cases and helps you translate KPIs into IT operational savings. The report translates in-product telemetry into end-user insights.

The Usage Insights report is a customized report that shows the productivity improvement of network operations with Cisco DNA Center and comparative return on investment (ROI) insights with a traditional NMS.

To view the report, click the Menu icon and choose Reports > Usage Insights.

Terminology Changes Related to Installation Wizards

As you install Cisco DNA Center 2.2.2.3 and configure the appliance, you will notice the following label changes:

  • The Express Configuration wizard has been renamed as the Install configuration wizard.

  • The Expert Configuration wizard has been renamed as the Advanced Install configuration wizard.

Table 5. New and Changed Features in Cisco Software-Defined Access
Feature Description

Support for APs on StackWise Virtual Edge Nodes

Fabric-mode APs can be connected to edge nodes deployed as a StackWise Virtual Pair.

Support for SD-Access Embedded Wireless on StackWise Virtual Fabric Nodes

The Cisco Catalyst 9800 Embedded Wireless Controller is supported on Catalyst 9400 and 9500 Series switches deployed as a StackWise Virtual Pair operating in a fabric role.

New and Changed Features—Cisco DNA Center 2.2.2.0

The following tables summarize the new and changed features in Release 2.2.2.0.

Table 6. New and Changed Features in Cisco DNA Center
Feature Description

Disaster Recovery

The following disaster recovery changes are new in this release:

  • Added support of three-node (1+1+1) setups. To view a table that lists which Cisco DNA Center appliances and releases support these setups, refer to the Cisco DNA Center Administrator Guide (see the "Prerequisites" topic in the "Implement Disaster Recovery" chapter).

  • Updated the GUI description with a screenshot of the new logical topology.

  • Added a description of the new Disaster Recovery System slide-in pane.

  • Updated the Supported Events table.

  • Updated the Disaster Recovery System Issues table.

  • The links that connect the main, recovery, and witness sites should have a maximum of 350 ms RTT latency (up from 250 ms in previous releases).

System Health

The following System Health changes are new in this release:

  • Listed the newly supported events that a user can subscribe to in order to receive notifications.

  • Documented the scale numbers that Cisco DNA Center appliances support for various network components.

  • Topology updates occur when a certificate is set to expire or the hardware configuration for a connected appliance or external system is not compliant.

  • System Health now provides hardware information for both a disaster recovery system's main and recovery sites. Previously, this information was only provided for a system's main site.

  • Listed the REST APIs that System Health supports and provided sample API output.

Deregister Faulty Device from Cisco SSM

The RMA workflow deregisters a faulty device from Cisco SSM and registers the replacement device with Cisco SSM.

Automatic Download Option for ThousandEyes Enterprise Agent Application

ThousandEyes Enterprise Agent is an application that gets automatically downloaded within several minutes of starting the App Hosting service. In the absence of an internet connection, you can set a proxy connection from the console to download the application.

Firepower Management Center

Cisco DNA Center supports the integration of Firepower Management Center (FMC). FMC provides complete and unified management over Firepower Threat Defense (FTD) devices for managing Cisco network security solutions.

Create Network Profiles for Firewall

Cisco DNA Center allows you to create network profiles for firewalls. You can create custom configurations to configure security devices like the Adaptive Security Appliance (ASA) family of devices. You can also create FTD configurations to configure FTD devices.

Retry Option in Workflows

Cisco DNA Center allows you to retry the workflow with the click of a single button in a normal workflow. In the RMA workflow, the retry button is operational only if it is hidden from state.

Preview Devices 2.0

The Preview Devices 2.0 toggle button is new in the top-right corner of the Provision > Inventory page. Click the Preview Devices 2.0 toggle button to view the devices, site profiles, software images, topology, RMA, PnP, templates, and PSIRTs in a new framework.

Explore Menu

The following features are moved from the Cisco DNA Center home page to the Explore menu:

  • Design

  • Policy

  • Provision

  • Assurance

  • Platform

Topology Support for New Devices

Topology support is provided for the following devices:

  • Cisco Catalyst IR8100 Heavy Duty Series Routers (IR8140H-K9 and IR8140H-P-K9)

  • Cisco Catalyst 9124AX Access Point (C9124AXI and C9124AXD)

Cisco Umbrella Configuration Support for New Devices

With this release, Cisco Umbrella configuration support is available for the following devices:

  • Cisco Catalyst 9200 Access Switch with Cisco IOS-XE software release 17.3.1 or later

  • Cisco Catalyst 9300 Access Switch with Cisco IOS-XE software release 17.3.1 or later

Cisco Umbrella: Review Internal Domains

You can add and delete the list of internal domains from Cisco Umbrella.

Config Drift Visibility

The Config Drift page displays configuration changes and allows you to pick any two versions of the same device and compare their running configuration data.

Note: With this release, the information under Previous Running vs Current Running has been moved to the Config Drift page.

Cisco Group-Based Policy Analytics

Access Contracts can now be created and modified directly from the Analytics tab.

Group-Based Access Control

You can now view the policy enforcement statistics data in the Policies listing window. The total number of policy permits and denies are displayed for the selected time period. Group-based access control policies can be created or updated based on the traffic flows for a given source and destination group pair.

You can also create custom views of the policy matrix to focus only on the policies that you are interested in.

Plug and Play Support for Cisco DNA Traffic Telemetry Appliance

You can claim a Cisco DNA Traffic Telemetry Appliance from the Plug and Play Devices list.

IPv6 Search

Cisco DNA Center allows you to search for devices using their IPv6 addresses. You can search for a device using its full IPv6 address, any abbreviated form, or the double colon in the IPv6 address combined with a prefix and postfix.

User-Defined Fields

User-defined fields are custom labels that you can create and assign to any device in Cisco DNA Center. By assigning labels to a device and adding values to them, you can show more details about the device in the Device Details page.

Inventory Insights

Cisco DNA Center provides insights about the devices in your network if there are any inconsistencies in the device configuration of two connected devices.

Persistence Across Inventory Views

The device selection and the number of devices shown in the inventory table persist across inventory views in Cisco DNA Center.

Separation of Golden Tagging and Download

With this release, you can separate the download and golden tagging of software images. Cisco DNA Center allows you to download software images without marking them as golden.

Export Cisco DNA Center PKI Certificate

Cisco DNA Center allows you to download the device certificates that are required to set up an external entity such as a AAA (pronounced "triple A") server or Cisco ISE server to authenticate the devices.

  1. Click the menu icon and choose System > Settings > Trust & Privacy > PKI Certificates.

  2. Click Download CA Certificate to export the device CA and add it as the trusted CA on the external entities.

Cisco AI Endpoint Analytics

  • AI Endpoint Spoofing Detection: Cisco AI Endpoint Analytics analyzes NetFlow telemetry data to detect spoofed endpoints. If an endpoint’s behavior is not in line with its profile, the Cisco AI Endpoint Analytics flags the anomaly, assigns a Trust Score to the endpoint, and lists it as a spoofed endpoint. You then review the details of the flagged endpoints and apply Adaptive Network Control (ANC) policies (created in Cisco ISE) from the Cisco AI Endpoint Analytics window.

  • Automatic Profiling Rule Updates: Cisco provides automatic system rule updates to enhance endpoint profiling accuracy. These updates could help you profile endpoints more granularly and help profile previously unknown endpoints. Review the profiling changes suggested in an update. Then, you can either apply these changes or ignore the update. Major and minor profiling changes to existing endpoint profiles are displayed for your review.

  • Cisco ISE MDM Attributes Support: Cisco AI Endpoint Analytics receives MDM attributes from Cisco ISE if Cisco ISE is integrated with an MDM server. These MDM attributes are available for creating endpoint profiles using custom rules.

  • Global Search Support: In the Cisco DNA Center global search, when you search for endpoints by their IP address or MAC address, a link to AI Endpoint Analytics is displayed along with available profiling details for the endpoint. The profiling details and other information about the endpoint are displayed in the search result.

View IP Address Pools

  • In the IPv4 and IPv6 columns, an i icon appears next to the corresponding used percentage of IPv4 and IPv6 for a given IP address pool. The tooltip displays the percentage of Free, Unassignable, Assigned, and Default Assigned IP addresses.

  • In the IP address pool slide-in pane, the Used area displays Assigned and Unassigned IP addresses to a network device.

  • Global and site IP address pool can have blocklisted IP addresses.

  • Subpools cannot have blocklisted IP addresses.

  • Cisco DNA Center rejects the IP address pool creation request of a CIDR address pool if it contains blocklisted IP addresses.

  • In the next free IP address pool request, Cisco DNA Center skips the blocklisted IP addresses to find the next free IP address pool.
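As an added example (not Cisco DNA Center code), the following Python models the two blocklist rules above: a CIDR pool request that contains a blocklisted address is rejected, and a next-free-pool search skips any candidate subpool that would contain one. The parent pool, existing subpools and blocklist are constructed for illustration, and the "does not overlap an existing subpool" condition is an assumption about how the next free pool is chosen.

```python
"""Blocklist-aware IP address pool checks (added example, not Cisco DNA Center code)."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence

# Constructed blocklist for the example; in practice this comes from the
# global or site IP address pool configuration.
BLOCKLIST = ["10.10.1.5", "10.10.1.130", "10.10.2.9"]


def blocklisted_in(net, blocklist: Sequence[str]) -> List[str]:
    """Return the blocklisted addresses that fall inside the network ``net``.
    Addresses of the other IP family never match and are simply ignored."""
    return [b for b in blocklist if ip_address(b) in net]


def validate_pool_request(cidr: str, blocklist: Sequence[str]) -> Optional[str]:
    """Return None if the CIDR pool may be created, otherwise the rejection reason.

    Mirrors the rule that a CIDR pool creation request is rejected when the
    CIDR contains blocklisted IP addresses.
    """
    try:
        net = ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return f"invalid CIDR {cidr!r}: {exc}"
    hits = blocklisted_in(net, blocklist)
    if hits:
        return f"pool {cidr} rejected: contains blocklisted addresses {', '.join(hits)}"
    return None


def next_free_pool(parent: str, prefixlen: int, in_use: Sequence[str],
                   blocklist: Sequence[str]) -> Optional[str]:
    """Return the first /prefixlen subpool of ``parent`` that neither overlaps an
    existing subpool (assumed condition) nor contains a blocklisted address.
    Returns None when the parent pool is exhausted."""
    parent_net = ip_network(parent, strict=True)
    used = [ip_network(u, strict=True) for u in in_use]
    for candidate in parent_net.subnets(new_prefix=prefixlen):
        if any(candidate.overlaps(u) for u in used):
            continue  # already allocated
        if blocklisted_in(candidate, blocklist):
            continue  # skip: this subpool would include a blocklisted IP
        return str(candidate)
    return None


if __name__ == "__main__":
    print(validate_pool_request("10.10.1.0/25", BLOCKLIST))
    print(validate_pool_request("10.10.3.0/24", BLOCKLIST))
    print(next_free_pool("10.10.0.0/22", 24, ["10.10.0.0/24"], BLOCKLIST))
```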

Table 7. New and Changed Features in Cisco DNA Automation
Feature Description

Support for a New AP

This release introduces support for Cisco Catalyst 9124AXE Series Access Points.

Multiple Ciphersuite Support

You can configure multiple DTLS (Datagram Transport Layer Security) Ciphersuites on Cisco Catalyst 9800 Series Wireless Controller, Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches, and Cisco Embedded Wireless Controller on Catalyst Access Points platforms running Release 17.5 or later.

Mobility Cipher Configuration

You can enable or disable the DTLS (Datagram Transport Layer Security) Cipher configuration for mobility on Cisco Catalyst 9800 Series Wireless Controller Release 17.5 or later.

AP RMA Retry

The AP RMA Retry feature allows you to retry a failed defective AP replacement.

AP Configuration Workflow

The AP Configuration workflow helps you to configure and deploy AP-level and radio-level parameters in Cisco DNA Center.

You can configure the following AP-level parameters:

  • AP location

  • AP admin status

  • AP mode

  • AP LED status

  • AP failover priority

  • High availability

You can configure the following radio-level parameters:

  • Radio admin status

  • Radio power settings

  • Radio channel settings

Support to Modify AP Names in Cisco DNA Center

You can edit AP names in bulk by using the AP Configuration workflow.

Support for Band Select or Radio Policy Selection for Guest SSID

You can configure wireless band preferences by selecting one of the following options:

  • Dual-band operation (2.4 GHz and 5 GHz)

  • Dual-band operation with band select

  • 5 GHz only

  • 2.5 GHz only

Enable ICMP Ping on APs in FlexConnect Mode

You can enable or disable the Internet Control Message Protocol (ICMP) ping on APs in FlexConnect mode from Cisco DNA Center.

Cisco DNA Center uses the ICMP to ping FlexConnect APs that are in unreachable state every 5 minutes to enhance reachability, and then updates the reachability status in the Inventory window.

Site Hierarchy Movement

You can change the site hierarchy for unprovisioned devices while preserving AP locations on sitemaps. Note, however, that you cannot move an existing floor to a different building.

Special Character Handling

The following changes are introduced in this release:

  • The SSID name can have leading spaces, but trailing spaces are not allowed.

  • The AP name can contain only letters, numbers, hyphens, and underscores.

  • All special characters except for " & ? ' / < > are allowed for a building name.

  • All special characters except for & < > ? " / [ ] are allowed for a floor name.

  • The tags and profile names cannot contain leading or trailing spaces.

Custom Rogue Rule Workflow

You can create custom rogue rules in Cisco DNA Center. Rogue rules are an easy way to segregate and manage rogues with different risk profiles. Rogue rules are easy to configure and are applied in order of priority. They reduce false positives, noise for sites with interferers, and the number of alerts. They provide the ability to adjust organizational risk profiles on a global and per-site basis.

Rogue Rule Profile Workflow

You can create a rule with specific conditions and then associate it to a rule profile in Cisco DNA Center.

Support for New aWIPS Signatures

The following aWIPS signatures are introduced in this release:

  • Deauthentication Flood

  • Fuzzed Beacon

  • Fuzzed Probe Request

  • Fuzzed Probe Response

  • PS Poll Flood

  • EAPOL Start V1 Flood

  • Reassociation Request Flood

  • Beacon Flood

  • Probe Response Flood

  • Block Ack Flood

  • Airdrop Session

  • Malformed Association Request

  • Authentication Failure Flood

  • Invalid MAC OUI Frame

  • Malformed Authentication

Table 8. New and Changed Features in Cisco DNA Assurance
Feature Description

Device 360 - Interface Utilization Graph

For interfaces, Tx and Rx Utilization chart values are populated in absolute values (Percentage and Rate).

Network Device Health Summary UI Enhancement - Unmonitored to No Health

The Network Device Health Summary - Total Devices section provides the total number of network devices and the count of Good Health, Fair Health, Poor Health, and No Health data.

Cisco SD-Access: Network Health Dashboard Enhancements

The Network Health Summary dashlet provides new KPIs for fabric domains:

  • Fabric CP Reachability

  • External Multicast RP for Fabric Border

  • AAA Server Status for Fabric Edge and Extended Node

In the Network Device dashlet, you can filter the network device table based on the fabric types, including Extended Node.

Cisco SD-Access: Device 360 Enhancements

In the Network Device 360 - Device detail area, below the timeline, you can view additional information about the device such as Fabric Role, Fabric Domain, and Fabric Site.

In the Detailed Information area under the Fabric tab, the new fabric KPIs that are included in device health are grouped under Fabric Infrastructure and VN Service.

Cisco SD-Access: Network Topology Enhancements

In the Physical Neighbor Topology for fabric domains, the fabric badge icons identify device fabric groups such as Border, Control Plane, Edge, Extended Node and Wireless.

Event Viewer Enhancements

In the Client 360 Dashboard, the Event Viewer detailed information area is enhanced to show:

  • Associate Start Event: The RSSI and SNR values throughout the session.

  • Delete Event: Detailed delete reasons for client disconnections.

WAN Link Utilization Dashlet

You can view the status of the WAN link utilization percentage only for the available WAN links in your network.

WAN Link Availability Dashlet

You can view the status of the available WAN links in your network.

Power Stack Visibility

In the Network Device 360 view, you can view the stack power connection details under the PoE tab.

Power over Ethernet Dashboard

The PoE dashboard is added to Assurance > Dashboards > PoE, which lets you monitor and view the operational state of the PoE-capable devices in your network.

The following dashlets are available: PoE Operational State Distribution, PoE Powered Device Distribution, Power Load Distribution, PoE Insights, and PoE Power Usage Dashlet.

Sensor Test - Proxy

With this release, proxy support is enabled for Sensor-Driven Tests. You can run the sensor test through proxy settings.

Application Experience Health Score Calculation Enhancements

You can add the Application Response Time KPI to the Application Experience health score calculation.

Application Health Score Customization

You can customize the health score calculation for applications by changing the KPI thresholds on a per-traffic class basis and specifying the KPIs that are included for the calculation.

Monitor Application Health Enhancements

Click the Managed Clients tab to view only the clients that are managed by Cisco DNA Center.

View and Manage Issues (Access Point Issues)

A poor RF issue triggers when APs have a poor wireless experience.

The poor RF issue instance second slide-in pane supports Problem Details, Impact Details, Troubleshooting, and Suggested Actions for poor RF issues.

Also, the poor RF issue instance second slide-in pane allows you to compare the health of AP radios across the floor in a building.

View and Manage Issues (Wireless Client Issues)

With this release, the Cisco DNA Center machine reasoning engine (MRE) supports root cause analysis (RCA) for AAA server issues. RCA allows you to analyze Cisco ISE syslog messages from various servers to derive the possible root causes that could have triggered the issue.

RCA support is extended for the following AAA server issues:

  • AAA wireless client failed to connect

  • AAA server timeout

  • AAA server rejected client

View and Manage Issues (Radio No Activity Issues)

The radio no activity issue instance identifies and raises an issue for AP radios that fail to serve clients for 60 to 240 minutes.

The radio no activity issue instance pane supports Problem Details, Relevant Issue, and Suggested Actions.

Monitor and Troubleshoot the Health of a Device

The Device 360 page now supports a Map and Comparison View that allows you to compare the last 5 minutes of health of AP radios across the floor in a building.

Baselines Dashboard

Cisco AI Network Analytics uses the most advanced machine learning techniques to define the baseline that is relevant to your specific network and sites.

MAC Randomization

With MAC randomization, client devices use a unique private MAC address, called a randomized and changing MAC address (RCM), when they connect to the Wi-Fi network.

Deprecated Feature: Sensor-Driven Tests Using the Legacy Method

You can no longer create and run sensor-driven tests using the legacy method. You need to create and run sensor-driven tests using templates.

Table 9. New and Changed Software Features in Cisco Software-Defined Access
Feature Description

Support for VLAN ID Customization

You can now assign a desired VLAN ID to a host pool VLAN and Layer 3 handoff VLAN. The VLAN IDs can be in the range of 1 to 4095.

This feature provides more flexibility in segment creation for the brownfield SD-Access deployments. Delete any existing overlapping or conflicting VLANs or SVIs or AAA configurations from the device and resynchronize the device in the inventory prior to adding it to the SD-Access fabric.

When you upgrade from an earlier release, the existing VLANs continue to work normally. After the upgrade, you must provide an external VLAN ID for new Layer 3 handoffs. The Layer 2 handoff VLAN is auto-populated from the VLAN ID assigned to the host pool; you can edit it to assign a different VLAN number.

To change the VLAN ID for an existing IP pool VLAN, delete the IP pool and create the IP pool again with the desired VLAN ID.

Consider the following guidelines before assigning a custom VLAN ID:

  • If you do not provide a custom VLAN ID, Cisco DNA Center generates a VLAN ID in the range of 1021 to 2020.

  • VLAN IDs 1, 1002-1005, 2046, 4095 are reserved and cannot be used.

  • Critical voice or pre-auth VLAN is assigned a VLAN ID of 2046 and cannot be changed.

  • Borders in the same site or in different sites can share the same Layer 3 handoff VLAN IDs.

Fabric Edge Node Scale

The number of local endpoints that an SD-Access fabric edge node supports has been increased. The limit depends on the capability of the platform that is configured as the fabric edge.

Use the show lisp platform command to check the platform limits.

See the Cisco DNA Center Data Sheet for specific scale numbers.

Table 10. New Features in Cisco Group-Based Policy Analytics
Feature Description

View and Modify Access Contracts

You can now view, create, edit, and delete access contracts directly from the Analytics tab.

Deprecated Features

Support for the SNMPv3 Data Encryption Standard (DES) privacy mode is deprecated in Cisco DNA Center 2.2.2. SNMPv3 DES is not supported in Cisco DNA Center 2.2.2 or any later release.

The SNMPv3 privacy protocol provides data confidentiality: the scoped PDU of an SNMP message is encrypted before the message is sent to the recipient. DES is no longer considered secure because its 56-bit key is short enough to be recovered by brute force. Advanced Encryption Standard (AES) is the recommended privacy mode, and SNMPv3 credentials that still use DES must be migrated to AES before you upgrade.
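To find devices whose SNMPv3 users still rely on DES privacy before the upgrade, the following Python script (an added example, not Cisco's code) parses the output of the IOS `show snmp user` command, lists every user whose privacy protocol is DES, and prints the IOS commands that remove and recreate each such user with AES. The `show snmp user` text is constructed in the usual IOS layout; the user and group names are invented and the passwords are placeholders that you supply.

```python
"""Audit `show snmp user` output for SNMPv3 users with DES privacy, which
Cisco DNA Center 2.2.2 and later no longer support, and emit the AES
replacement commands. Added example, not Cisco code. The sample text below
is constructed; names are invented and passwords are placeholders."""
import re

# Constructed `show snmp user` output from one IOS device.
SAMPLE_SHOW_SNMP_USER = """\
User name: dnac-ro
Engine ID: 800000090300001122334455
storage-type: nonvolatile\t active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: DNAC-GRP

User name: netflow-ro
Engine ID: 800000090300001122334455
storage-type: nonvolatile\t active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MON-GRP
"""

# "Key: value" lines; keys are words, spaces and hyphens (e.g. "Group-name").
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z -]+?):\s*(?P<value>.*)$")


def parse_show_snmp_user(text):
    """Split `show snmp user` output into one dict per user, keyed by the
    lower-cased field names ("user name", "privacy protocol", ...)."""
    users, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a field
        key, value = m.group("key").strip().lower(), m.group("value").strip()
        if key == "user name":  # a new user record starts here
            if current:
                users.append(current)
            current = {}
        current[key] = value
    if current:
        users.append(current)
    return users


def find_des_users(users):
    """Return the users whose privacy protocol is DES (unsupported in 2.2.2+)."""
    return [u for u in users if u.get("privacy protocol", "").upper() == "DES"]


def aes_replacement(user, auth_pw="<auth-password>", priv_pw="<priv-password>", bits=128):
    """IOS commands that recreate the user with AES privacy. An SNMPv3 user
    cannot be modified in place, so it is removed and re-added; the
    authentication protocol is kept and the passwords must be re-entered."""
    if bits not in (128, 192, 256):
        raise ValueError("AES key size must be 128, 192 or 256")
    name, group = user["user name"], user["group-name"]
    auth = user.get("authentication protocol", "sha").lower()
    return [
        f"no snmp-server user {name} {group} v3",
        f"snmp-server user {name} {group} v3 auth {auth} {auth_pw} priv aes {bits} {priv_pw}",
    ]


if __name__ == "__main__":
    des_users = find_des_users(parse_show_snmp_user(SAMPLE_SHOW_SNMP_USER))
    if not des_users:
        print("no SNMPv3 users with DES privacy")
    for user in des_users:
        print(f"DES privacy on user {user['user name']} (group {user['group-name']}):")
        for cmd in aes_replacement(user):
            print("  " + cmd)
```

Run the same check across the `show snmp user` output of every device Cisco DNA Center manages; the matching SNMPv3 credential stored in Cisco DNA Center must be changed to AES as well, since both sides must agree on the privacy protocol.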

Cisco DNA Center Compatibility Matrix

For information about devices, such as routers, switches, wireless APs, Cisco Enterprise NFV Infrastructure Software (NFVIS) platforms, and software releases supported by each application in Cisco DNA Center, see the Cisco DNA Center Compatibility Matrix.

Compatible Browsers

The Cisco DNA Center GUI is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later.

  • Mozilla Firefox: Version 65.0 or later.

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and Fully Qualified Domain Names" in the "Plan the Deployment" chapter of the Cisco DNA Center Installation Guide.

About Telemetry Collection

Telemetry data is collected by default in Cisco DNA Center 2.1.x and later, but you can opt out of some data collection. The data collection is designed to help the development of product features and address any operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data: Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco DNA Center Data Sheet for a more expansive list of data that we collect. To opt out of some data collection, contact your Cisco account representative and the Cisco TAC.

Supported Hardware Appliances

Cisco supplies Cisco DNA Center in the form of a rack-mountable, physical appliance. The following versions of the Cisco DNA Center appliance are available:

  • First generation

    • 44-core appliance: DN1-HW-APL

  • Second generation

    • 44-core appliance: DN2-HW-APL

    • 44-core promotional appliance: DN2-HW-APL-U

    • 56-core appliance: DN2-HW-APL-L

    • 56-core promotional appliance: DN2-HW-APL-L-U

    • 112-core appliance: DN2-HW-APL-XL

    • 112-core promotional appliance: DN2-HW-APL-XL-U

Supported Firmware

Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:

  • Cisco IMC Version 3.0(3f) for appliance model DN1-HW-APL

  • Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL

  • Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-L

  • Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-XL

The preceding versions are the minimum firmware versions. While some later versions are also supported, Cisco DNA Center is not compatible with all later versions.

Installing Cisco DNA Center

You install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.


Note

Certain applications, like Group-Based Policy Analytics, are optional applications that are not installed on Cisco DNA Center by default. If you need any of the optional applications, you must manually download and install the packages separately.

For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide.


Cisco DNA Center Platform Support

For information about the Cisco DNA Center platform, including information about new features, installation, upgrade, and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.

Support for Cisco Connected Mobile Experiences

Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) Release 10.6.2 or later. Earlier versions of Cisco CMX are not supported.


Note

While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password.


Plug and Play Considerations

Plug and Play Support

General Feature Support

Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)

Secure Unique Device Identifier Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software release 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software release 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

    • Cisco Catalyst IE3300 Series with software release 16.10.1e or later

    • Cisco Catalyst IE3400 Series with software release 16.11.1a or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: Cisco ISR 43xx, Cisco ISR 44xx, Cisco ASR1001-X/HX, and Cisco ASR1002-HX

  • Cisco switches: Cisco Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, and Catalyst 9400 Series


Management Interface VRF Support

Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Cisco Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configure Server Identity

To ensure that Cisco devices successfully discover Cisco DNA Center, the server certificate that Cisco DNA Center presents during the TLS (SSL) handshake must contain an appropriate Subject Alternative Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server certificate with the appropriate SAN values to Cisco DNA Center.

The SAN requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS XE Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.

  • For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a Network Address Translation (NAT) router, this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the Plug and Play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.
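As an added example (not Cisco's code), the following Python script checks a Cisco DNA Center server certificate's SAN entries against the discovery methods described above. It parses the SAN listing printed by `openssl x509 -noout -ext subjectAltName -in <cert.pem>`, builds the set of values the discovery methods in use require (the FQDN, pnpserver.<domain>, the enterprise IP address, and a NAT public address), and reports anything missing, plus a warning when an IP address is listed before the FQDN. The certificate text, hostnames, and addresses are constructed; in line with the note above, only the SAN extension is consulted, never the CN.

```python
"""Check a Cisco DNA Center server certificate's SAN values against the Plug
and Play discovery methods in use. Added example, not Cisco code; the
certificate text, hostnames and addresses below are constructed."""
import ipaddress

# Constructed sample of what `openssl x509 -noout -ext subjectAltName -in dnac.pem`
# prints for a certificate that lists the FQDN first, then the addresses.
SAMPLE_OPENSSL_SAN = """X509v3 Subject Alternative Name:
    DNS:dnac.example.com, DNS:pnpserver.example.com, IP Address:10.1.1.10, IP Address:203.0.113.10
"""


def parse_openssl_san(text):
    """Turn openssl's SAN listing into an ordered list of (kind, value)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue  # skip the extension header line
        for item in line.split(","):
            # partition at the first colon keeps IPv6 literals intact
            kind, _, value = item.strip().partition(":")
            if kind and value:
                entries.append((kind.strip(), value.strip()))
    return entries


def _norm(kind, value):
    """Normalise for comparison: hostnames case-insensitively, IPs canonically."""
    if kind == "IP Address":
        try:
            return kind, str(ipaddress.ip_address(value))
        except ValueError:
            return kind, value.strip()
    return kind, value.strip().lower().rstrip(".")


def required_san(fqdn=None, ip=None, nat_ip=None, dns_domain=None):
    """SAN values each discovery method needs: option 43/17 by hostname or the
    Plug and Play Connect profile by name -> FQDN; DNS discovery ->
    pnpserver.<domain>; option 43/17 or the profile by address -> IP;
    Cisco DNA Center behind NAT -> the public (NAT) address as well."""
    req = []
    if fqdn:
        req.append(("DNS", fqdn))
    if dns_domain:
        req.append(("DNS", f"pnpserver.{dns_domain}"))
    for addr in (ip, nat_ip):
        if addr:
            req.append(("IP Address", addr))
    return [_norm(k, v) for k, v in req]


def check_pnp_san(cert_san, required):
    """Return (missing, warnings). Only the SAN extension is consulted; the PnP
    IOS agent ignores the CN, so a matching CN is never a substitute."""
    have = {_norm(k, v) for k, v in cert_san}
    missing = [f"{k}:{v}" for k, v in required if (k, v) not in have]
    warnings = []
    kinds = [k for k, _ in cert_san]
    if "DNS" in kinds and "IP Address" in kinds and kinds.index("IP Address") < kinds.index("DNS"):
        warnings.append("IP Address SAN precedes the FQDN; recommended order is FQDN first")
    return missing, warnings


if __name__ == "__main__":
    san = parse_openssl_san(SAMPLE_OPENSSL_SAN)
    need = required_san(fqdn="dnac.example.com", ip="10.1.1.10",
                        nat_ip="203.0.113.10", dns_domain="example.com")
    missing, warnings = check_pnp_san(san, need)
    print("missing SAN values:", missing or "none")
    print("warnings:", warnings or "none")
```

Feed the script the SAN listing of the certificate actually installed on Cisco DNA Center and the discovery settings your DHCP, DNS, or Plug and Play Connect profile uses; every reported missing value is a device population that will fail the Plug and Play server-identity check. If an HTTP proxy sits between the devices and Cisco DNA Center, run the same check against the proxy's certificate.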


Bugs

Open Bugs

The following table lists the open bugs in Cisco DNA Center for this release.

Table 11. Open Bugs
Bug Identifier Headline

CSCvw61097

Under Policy > Group-Based Access Control > Manage Views, when you duplicate a custom view, the new (duplicate) is created with the string "_Copy" appended to the original view name. If you try to duplicate a given view (with a given name) more than once, and you didn't previously edit and rename the original duplicate, an error message appears. The message states that the new view cannot be created because the name already exists. Note that this is expected behavior, similar to what may be observed when creating new views.

CSCvx19662

The following behavior is seen on Cisco DNA Center 2.2.2 with the Cisco Wide Area Bonjour application and the Wide Area Bonjour patch:

  1. The running config for a switch that’s been added to the Inventory with Privilege 1 user credentials, NETCONF, and an enable password is visible in Cisco DNA Center. Because the user has Privilege 1 credentials in the switch, the running config should not be visible. However, it is visible.

  2. After the switch is added, even if you remove the enable password and update the switch in the Inventory, the behavior remains unchanged. You can still view the running configuration.

CSCvx90914

Image import fails with the following errors:

Unable to download the image from cisco.com.
The remote server presented an untrusted or expired certificate. Please verify the certificate.

CSCvx95166

For Cisco Catalyst 9000 switches, LAN automation coupled with SWIM deletes the current running software packages, as well as older packages, during a software image upgrade. In contrast, performing SWIM by itself does not delete the current software packages.

CSCvy08147

The route text box in the Maglev Configuration wizard is limited to 1024 characters. If the static routes exceed 1024 characters, the Maglev Configuration wizard crashes.

CSCvy21115

For the Cisco DNA Center Application Hosting service, when you update a newer application version on top of an existing application version, the application name on the new version must match the existing application name. If the application names (from the package descriptor file) don’t match, the Application Hosting service rejects the Update operation.

CSCvy23774

A user with a Super Admin role cannot see notifications from the Notification Center. Also, when a user with an Admin role makes changes, those changes are not retained.

CSCvy30606

A wireless LAN controller stops sending telemetry data to Cisco DNA Center platform, so Assurance stops plotting health.

This problem occurs exactly one year from the date that the wireless LAN controller is added to the site in Cisco DNA Center platform. The following syslog message confirms the problem:

Aug 18 02:19:05.640: %PKI-3-KEY_CMP_MISMATCH:
Key in the certificate and stored key does not match for Trustpoint-sdn-network-infra-iwan.

Do the following to reconfigure the certificate:

  1. In the Cisco DNA Center platform GUI, choose Provision > Network Devices > Inventory.

  2. Choose the device and from the Actions drop-down list, choose Telemetry > Update Telemetry Settings.

  3. In the Update Telemetry Settings window, do the following:

    1. Check the Force Configuration Push check box to push the configuration changes to the device.

    2. Click Next.

    3. Click the Now radio button.

    4. Click Apply.

CSCvz76664

Under System > Settings, both the CCO ID and Device EULA acceptance are not set with fresh installations in an air gap environment.

CSCwa19027

Cisco DNA Center pushes the command "automate-tester username dummy ignore-acct-port probe-on" as part of its standard Cisco SD-Access configuration. Cisco DNA Center pushes the "automate-tester" configuration so that the device sends periodic RADIUS requests to the RADIUS server. The server is marked as Up if the device receives a response; the server is marked as Down if the device doesn't receive a response.

It doesn't matter whether the user exists in Cisco ISE, because the device merely looks for a response from the RADIUS server, regardless of whether authentication succeeds or fails.

If the corresponding Cisco ISE authentication policy uses the "Drop" action instead of the default "Access-Reject" action when the user does not exist, the AAA server might get marked as Dead when Cisco ISE drops the packet (because the dummy user does not exist on Cisco ISE). This in turn could affect CTS operation, and the following log is generated every minute:

%CTS-3-AAA_NO_RADIUS_SERVER: No RADIUS servers available for CTS AAA request for CTS env-data SM

CSCwa23879

When configuring integration of Cisco ISE with Cisco DNA Center, RADIUS is enabled by default, and the pxGrid connection to Cisco ISE is enabled. TACACS+ is not enabled by default.

If you choose to enable TACACS+ and to also disable RADIUS, you must manually disable the pxGrid connection. Otherwise, the Cisco DNA Center System 360 window shows the pxGrid state as Unavailable.

CSCwa51827

The LISP key banner push fails for wireless devices in Cisco DNA Center 2.2.2.x.

CSCwb73232

The hostname of devices is not shown in the discovery results, even though the SNMP status is shown as Success.

Resolved Bugs

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.9.

Table 12. Resolved Bugs in Cisco DNA Center, Release 2.2.2.9
Bug Identifier Headline

CSCvx24461

After editing an SSID that was previously configured in Cisco DNA Center, provisioning the Cisco Wireless Controller with the new information may fail with the following NETCONF error in the network-programmer service logs:

Validation failed Process DBAL response failed

CSCvz33630

Cisco DNA Center 2.2.2.3: Clear port is successful from the GUI, but the configuration is still present on the device.

CSCvz73492

Explicit or implicit Cisco Wireless Controller provisioning may cause a WLAN outage.

CSCvz94163

Cisco DNA Center 2.2.2.3: Deployment of security fix fabric banner removes RADIUS PAC from extended nodes.

CSCvz99700

Cisco DNA Center 2.2.2.4: Unable to delete a segment from host onboarding.

CSCwa00085

Configuration preview shows NAC-RADIUS gets disabled as part of best practices.

CSCwa01031

Cisco DNA Center 2.2.2.x: Segment removal fails due to stale references in the device interface information.

CSCwa43532

User intent validation fails when provisioning Cisco Wireless Controllers.

CSCwa59366

Cisco DNA Center 2.2.2.x: The following error occurs when running LAN automation for an already reserved pool for the site where the device is being provisioned through LAN automation:

NCND01134: Invalid IP Pool.  IpPoolId  is not a valid LAN IP pool for site.

CSCwa78814

Renewal of the client certificate used by the AI Analytics agent to communicate with the cloud.

The on-premises Cisco AI Analytics agent uses a client X.509 certificate that is issued during the tenant registration process to authenticate to the Cisco AI Cloud. Before June 2021, the issued client certificates were valid for three years. As of June 2021, the issued client certificates are valid for one year.

Starting with Cisco DNA Center 2.2.2.9, the automatic certificate renewal process has been added to the Cisco AI Analytics agent.

CSCwa88686

In the Cisco DNA Center Settings for Integrity Verification, importing the latest KGV files from cisco.com fails with the following error messages:

Unknown Error: An unexpected condition was encountered. Please try after the system is restored.
NCIV10077: Error reaching host tools.cisco.com.
NCIV10047: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46).

CSCwa97774

Cisco Wireless Controller provisioning fails because the snapshot doesn't exist for the namespace.

CSCwb12871

When importing Ekahau project files, Cisco DNA Center may display different obstacle types and attenuation values than what is configured in the Ekahau project.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.8.

Table 13. Resolved Bugs in Cisco DNA Center, Release 2.2.2.8
Bug Identifier Headline

CSCvz56988

Cisco DNA Center's Stealthwatch Security Analytics (SSA) integration should address route lookup gaps for interface selection.

CSCvz87778

Cisco DNA Center's LAN automation may fail while reserving the link subnet, citing the error, "NCIP10288: There was a failure in the ipam-service: NCIP10024: An ip pool named <UUID>_pool_dummy_31 already exists" when there are already more than 31 dummy /27 IP address pools (and more than 900 IP addresses used) from the LAN automation pool for loopbacks and L3 link configuration.

CSCwa01977

LAN automation must align to the Cisco DNA Center Security Best Practices Guide.

CSCwa21789

EVENT_BASED_WIRED_WIRELESS_SYNC causes an internal error for the protocol endpoint.

CSCwa21979

Device discovery tasks remain stuck in RUNNING state for a long time, clogging up the inventory service, which in turn prevents global credentials from being displayed.

Because the global credentials don't load, new discovery tasks cannot start. The inventory service logs contain the following error logs:

ERROR | covery-Pingsweep-Thread-0 | | com.cisco.nm.discovery | 
ERROR: [Failed to process status of ping request]. | mid=10001, 
MSGNAME=ERROR, ch=com.cisco.nm.discovery, sev=error

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.6.

Table 14. Resolved Bugs in Cisco DNA Center, Release 2.2.2.6
Bug Identifier Headline

CSCvx10782

Upgrading Cisco DNA Center's application packages fails because the table "lispmssiteeidprefix" violates a foreign key constraint.

CSCvx52786

Cisco DNA Center may not display an IP address pool or subnet when a user tries to create a segment, citing the error, "NCIP10071: pool name can contain only alphanumeric characters, underscores and hyphens."

CSCvy05782

In stacked devices, the TrustSec ID and password are set to primary/active serial numbers only.

CSCvy56987

An upgrade to Cisco DNA Center 2.1.2.x fails with the PSQLException, "ERROR: could not create unique index mdfproductfamily_pkey."

CSCvy63436

The Scheduler service restarts due to an out of memory (OOM) error.

CSCvy63818

Cisco DNA Center fails to generate a PKCS12 certificate due to the error, "Failed to find internal Trustpoint."

CSCvy66833

Cisco DNA Center cannot assign some Meraki APs to a site.

CSCvy69934

After a 2.1.2.6 upgrade, Cisco DNA Center doesn't configure policy-tags for modified wireless controllers and policies.

CSCvy72921

Restore inheritance breaks for AAA and Cisco ISE settings.

CSCvy77016

Reserved child pools for L3 handoff are not released after a failed fabric provision.

CSCvy85887

Cisco DNA Center's Application Experience feature may attempt to configure application experience commands on an interface that isn't available, but passes through an interface that is part of a port group.

CSCvy91546

Provisioning fails after segment deletion and site rename while a device is offline.

CSCvy98355

LAN automation may not configure the L3 link between the peer seed and the PnP agent.

CSCvz07929

NetFlow table updates are too aggressive for large-scale deployments.

CSCvz14636

Cisco DNA Center Application Visibility Control (AVC) needs to restrict pushing the NBAR configuration to only the access switch port.

CSCvz18219

Cisco DNA Center may fail to provision a wireless LAN controller that had previously been removed from a fabric, and inventory, citing a null pointer exception during the updateApN1HAConfig process.

CSCvz18421

The Network Access Control (NAC) RADIUS configuration on a WLAN profile is lost when the wireless controller reloads.

CSCvz24855

Fabric provisioning fails when a border device is removed.

CSCvz26522

Cisco DNA Center 2.1.2.7 doesn't add an internal border to a fabric site when a guest border exists.

CSCvz27424

The inventory overwrites the switched virtual interface (SVI) description to null.

CSCvz30929

Cannot start LAN automation due to the error, "NCND00050: An internal error occurred while processing the request."

CSCvz36352

Cisco DNA Center 2.1.2.6 LAN automation doesn't release the DHCP subnet while LAN auto start fails.

CSCvz43500

Cisco DNA Center may disable the wireless controllers on a foreign wireless controller if the anchor wireless controller is provisioned.

CSCvz43887

The Cisco DNA Center system upgrades to the desired version, but the Wide Area Bonjour applications fail to upgrade. This results in the application upgrade failing and the device hanging at a standstill.

CSCvz55757

The wrong L2 instance is pushed to the anchoring site if a different VLAN name is used.

CSCvz55914

Fabric-level provisioning fails and a subsequent fabric reconfigure device doesn't work.

CSCvz58650

Cisco DNA Center's Report and Compliance Tool may fail to transfer a report when Cisco DNA Center's certificate contains fully qualified domain names (FQDNs), but the transfer tries to use an IP address.

CSCvz59187

Create or update floormaps API documentation does not include the payload request schema.

CSCvz59447

Cisco DNA Center may fail to provision a managed device if the Loopback0 interface's IP address is not available.

CSCvz62216

All wireless controllers are disabled when enabling application telemetry for AireOS wireless controllers.

CSCvz62986

External Webauth and external Webpassthrough may not push all resolved IP addresses for portals. Cisco DNA Center may change the ACL IP address during the provisioning activity.

CSCvz66778

Cisco DNA Center does not configure BGP for the L3 handoff in border devices.

CSCvz69786

The AAA configuration is removed from the wireless controller while adding a new edge node to the fabric.

CSCvz70085

Cisco DNA Center may show that a device is in the managed state for Assurance, but the Inventory page may show that there has been an internal error while collecting inventory from the device.

CSCvz70561

After adding an edge switch to the fabric, the wireless controller device login AAA settings change from TACACS to RADIUS.

CSCvz71423

Cisco DNA Center's /dna/intent/api/v1/network-device REST API may return no more than 500 results. This impacts installations that have more than 500 managed devices.

CSCvz82009

Anchor controller provisioning fails.

CSCvz89312

When using an interface drop-down menu to select interfaces for configuration, regardless of the items selected, the interface deployed is GigabitEthernet0.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.5.

Table 15. Resolved Bugs in Cisco DNA Center, Release 2.2.2.5
Bug Identifier Headline

CSCvy97313

Cisco DNA Center might fail to collect the inventory from a switch that was upgraded from running Cisco IOS-XE 17.3.3 to 17.5.1, because internal database entries are missing.

CSCvz15536

Recovery API to recreate missing GRT entries.

CSCvz48575

After an upgrade to Cisco DNA Center to 2.2.2.4, you might not be able to log in to network devices. In Cisco ISE, the TACACS configuration (key) information on the Administration > Network Resources > Network Devices window shows that the TACACS configuration is unchecked and the key is removed.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.4.

Table 16. Resolved Bugs in Cisco DNA Center, Release 2.2.2.4
Bug Identifier Headline

CSCvw70570

The Cisco DNA Center maglev-system microservice might degrade into a crash loop. The pod status is marked as "False," even though the pod is in "Running" state.

CSCvx41364

The large MongoDB database size causes a MongoDB clustering failure.

CSCvx56010

Virtual Routing and Forwarding (VRF)-specific name servers are removed by Cisco DNA Center.

CSCvx62887

Cisco DNA Center doesn't configure "bandwidth remaining percentage" correctly on switches.

CSCvy06455

Cisco DNA Center might fail to provision a Nexus 7710 if there is an octothorpe "#" character in the device login banner.

CSCvy16664

Device provisioning fails with a AAA update.

CSCvy27260

Cisco DNA Center might fail to synchronize a Cisco Catalyst 9000 series switch that is configured with an access list associated to the netconf-yang configuration.

CSCvy29574

When the appliance is configured for the first time using the express mode (install mode) of the browser-based wizard, the enterprise IP address, virtual IP address, hostname, and pnpserver.domain details are missing from the SAN field in the Cisco DNA Center certificate.

CSCvy31186

You cannot add a second node to a Cisco DNA Center cluster installed with express mode.

CSCvy37982

Cisco DNA Center pushes a different Anycast Gateway MAC address to some fabric edge nodes.

CSCvy42676

After a successful upgrade from Cisco DNA Center 2.1.2.3 to 2.2.2.1, all users except the user with the Admin role receive the following error on the Software Updates window:

Connectivity check failed. Unable to locate new system updates.
An error occurred while checking connectivity.
Cannot locate new updates. Retry.

With the Admin login, there is no error. The window accurately shows "Your system package is up to date."

CSCvy43861

The Cisco DNA Center Config Archive might try to capture the startup configs and VLAN databases from unreachable devices.

CSCvy48594

The Assurance event notifications device parameter returns the device UUID, not the device IP address.

CSCvy55791

An upgrade failure occurs due to an expired Docker CA certificate.

CSCvy59061

Trend charts are empty in the Assurance Overview, Assurance Network Summary, and Assurance Client Summary windows.

CSCvy60496

Cisco DNA Center might fail to provision a device. The following error is generated:

Unable to push CLI 'timeout 0' to device x.x.x.x.

CSCvy63523

Cisco DNA Center Compliance flags configurations that are originally pushed by Cisco DNA Center but overridden by user templates. Cisco DNA Center Compliance also flags configurations that are pushed by Cisco DNA Center that are not overridden by user templates.

CSCvy65690

Reserved child pools for Layer 3 handoff are not released after a failed fabric provision.

CSCvy72487

Cisco DNA Center might be unable to deploy Stealthwatch Security Analytics (SSA) on a device that has more than 1000 entries in its routing table.

CSCvy73302

Cisco DNA Center might not generate a heatmap for the 2.4-GHz band of 9120 APs, even though the heatmap is generated for 5 GHz as expected.

CSCvy80252

Cisco ISE integration fails when FQDN x doesn't match the common name contained in the system certificate.

CSCvy88667

After upgrading to Cisco DNA Center 2.1.2.7, inventory collection from an existing Cisco Catalyst 9500 switch fails with the following error:

ERROR: update or delete on table 'protocolendpoint' violates foreign key constraint 
'fkad4b72e9a8fce39d' on table 'vxlannvesettings'.

CSCvy93346

Cisco DNA Center might be unable to remove a managed device from a fabric-in-a-box installation, citing the following error in the network programmer service's logs:

ERROR: update or delete on table "lisprtrlocatorset" violates foreign key constraint 
"fk9d5ac9b056ea3464" on table "lisprtrlocatorsetentry".

CSCvz10208

Cisco DNA Center might create a duplicate site tag with the default-flex-profile linked to it when an existing wireless LAN controller is reprovisioned.

CSCvx26054

A vulnerability in Cisco DNA Center's Command Runner application could allow an authenticated, local attacker to gain access to sensitive information on an affected device.

CSCvx80673

Cisco DNA Center 2.1.2.5: IPDT configs are not considered for IP Phone-connected interfaces.

CSCvx82358

The User 360 Events and Health graph shows combined events for all devices on each device window.

CSCvx91402

IPDT Policy config is pushed to a Cisco Catalyst 9300 switch unexpectedly.

CSCvx96481

In Cisco DNA Center's Template Editor tool, the bind to source options might not return expected outputs for the interfaceCount, lineCardCount, lineCardId, or tagCount variables.

CSCvx96823

Anomaly Intelligent Capture does not enable on all capable APs.

CSCvx98227

In Cisco DNA Center, when attempting to run CLI commands using magctl or maglev, the command might fail with the following error:

You must be logged in to the server (Unauthorized).

CSCvy09367

In Cisco DNA Center's SWIM window, entries for the Catalyst 9800 Series Wireless Controller might show "undefined" as the only option for "Device Series" when defining custom checks.

CSCvy10934

Cisco DNA Center's Stealthwatch integration might be unable to connect due to the OCSP responder missing from the Stealthwatch Management Console's (SMC) certificate.

CSCvy14023

Rediscovering a device fails when logged into a non-English UI.

CSCvy18066

Unable to import a composite template with deviceTypes error.

CSCvy19747

Path trace fails with the following error:

Failed to obtain complete L2 path between source and the destination.

CSCvy21198

The IPAM system health check fails for a generic implementation.

CSCvy23264

Cisco DNA Center might fail to collect inventory from a Cisco Catalyst 9000 switch. The following error is generated:

ERROR: duplicate key value violates unique constraint "bgpprocesssettings_bk".

CSCvy24024

The Inventory report fails to generate. The BAPI API does not work as expected.

CSCvy24834

Cisco ISE and Cisco DNA Center integration: The pxGrid connection goes down due to an invalid certificate chain presented by Cisco ISE.

CSCvy30387

An imported Ekahau project heatmap shows a weak wireless signal.

CSCvy35642

Provisioning a composite day-n template after deleting and reonboarding a device to Cisco DNA Center might fail.

CSCvy41070

An Ekahau import fails when the area name is System Campus.

CSCvy42587

Cisco DNA Center shows an SSID for a client that is no longer present on the wireless controller.

CSCvy46835

Cisco DNA Center 2.1.2.6: LAN automation doesn't determine whether the PnP happened via LAN A or startup VLAN.

CSCvy50435

Cisco DNA Center 2.1.2.6: A failure occurs while adding a device to Cisco ISE as a network device for TACACS/RADIUS.

CSCvy50695

Values are not returned for Velocity template variables.

CSCvy60761

Device list in Application Visibility: The Site Device window does not populate with all devices.

CSCvy61436

Cisco DNA Center wireless guest portal window scalability issue.

CSCvy62873

Issue while learning 40-MHz profiles with channels that aren't in pairs from Catalyst 9800 Series Wireless Controller.

CSCvy65758

An extended node becomes unreachable after an expected reboot.

CSCvy65915

When changing the length of a floor from feet to meters, the following error is generated:

Value entered invalid, range is not accepted.

CSCvy69896

Cannot import .csv files from a Windows PC to Cisco DNA Center 2.2.2.3.

CSCvy71772

Proxy configuration fails when etcd is missing the key /maglev/config/cluster/service_addressing_mode.

CSCvy78537

Cisco DNA Center 2.2.2.3: An unactionable error message occurs when making site hierarchy changes.

CSCvy81569

Cisco DNA Center 2.2.2.3: Rogue event match does not work per applied rogue profile and rules.

CSCvy86301

Exporting the details of a particular Assurance issue does not work.

CSCvx64371

The System Health dashboard shows stale node information after restoring a backup.

CSCvx94618

Cisco DNA Center's RCA bundle is missing process information, and should include the output of the top command. This will help with diagnosing situations where the server is under a high load.

CSCvy13554

Cisco DNA Center's root user's history should be included in an RCA bundle with the timestamps and commands run by the root user.

CSCvy38976

Cisco DNA Center might fail to synchronize SGTs with Cisco ISE when RT_SYNC_THREAD is not running in aca-controller.

CSCvy58793

Cisco DNA Center's AI Analytics settings window might show a "cloud unreachable" status.

CSCvy66973

Associated clients display label does not work on floor map.

CSCvy28145

Remove username/password fields from Email configuration.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.3.

Table 17. Resolved Bugs in Cisco DNA Center, Release 2.2.2.3
Bug Identifier Headline

CSCvx43231

Wireless controller partial collection failure occurs if proxy mobile IP Network Access controller (PMIP NAI) is longer than 32 characters.

CSCvx62172

Cisco DNA Center does not support the AP Location field which many customers use to track the physical location of the AP inside the floor and building where it is installed. When migrating from Prime Infrastructure to Cisco DNA Center, the AP will have this value overwritten by Cisco DNA Center upon the first AP provisioning.

CSCvx64681

Cisco DNA Center can't provision the ISR transit control plane after provisioning with a routing template.

CSCvx73110

A managed access point might not show its operational details on the Cisco DNA Center Assurance Device 360 window. Additionally, clients on the WLC that this AP is joined to show a blank device location.

CSCvx74221

Provisioning fails when adding an AAA server using a port number greater than 32767 to Cisco DNA Center.

CSCvx86351

The Cisco DNA Center Provision window might show all device provisioning hanging in "In-Progress" on the Activity window when the Cisco ISE integration is broken and the pxGrid service is not available, causing a queue to fill.

CSCvx88137

Heatmaps for the 5-GHz band are not generated for a Cisco Catalyst 9800 Series Wireless Controller.

CSCvx88587

Image distribution servers won't allow a valid IP address.

CSCvx89052

When attempting to add an edge device to a fabric, Cisco DNA Center might return the following error:

Provisioning failed due to invalid parameter.
The interface does not exist in the device, select a valid interface.

CSCvx99908

Unable to open a virtual network in L2 Handoff settings or click the Save button after an upgrade to Cisco DNA Center 2.1.2.6.

CSCvy00986

For Cisco Catalyst 9800 Series Wireless Controller, the Remote Procedure Call (RPC) rfdca-removed-channel operation fails with a data missing error tag.

CSCvy10747

For Cisco DNA Center 1.3.3.7, messages in the "dna.lan.common.service" queue are blocking subsequent LAN automation.

CSCvy12915

In Cisco DNA Center, when you import an Ekahau .esx file from a project, the antenna azimuth might be reported incorrectly by 90 degrees for wall and ceiling mounted access points.

CSCvy20557

When looking in Cisco DNA Center for details about a wireless sensor, the sensor 5 GHz links are missing.

CSCvy26789

When attempting to set up the integration between Cisco DNA Center and Cisco DNA Spaces, the integration might fail with the following error:

Unable to export hierarchy to the CMX DNA Spaces for one or more domains. 
An internal failure occurred while pushing an archive to the CMX.

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.1.

Table 18. Resolved Bugs in Cisco DNA Center, Release 2.2.2.1
Bug Identifier Headline

CSCvx89202

In the External Authentication window > AAA Server(s) area, the Shared Secret field is missing text or string information.

In Cisco DNA Center 1.3.3.9, the Shared Secret field shows descriptive text for the required value. If the value is empty, additional text is displayed under the "Shared secret must not be empty" line.

However, in Cisco DNA Center 2.2.2.0, the following problems occur:

  • The shared secret is not displayed when empty, so it's unclear what the field is used for.

  • When the Shared Secret field contains a value, nothing is displayed. In earlier releases, a string such as " ****** " was displayed to show that a value was configured.

  • When you click Show to see if there is a value configured, nothing is displayed. If a value is already configured, there is no indicator.

CSCvx92936

Under the My Profile and Settings window, a change to the first name does not take effect.

CSCvx97127

When the Notification Center is enabled for License notification, Assurance issue notifications are reported along with the license notifications. While there is no functional impact, notifications become a bit noisy based on the amount of network issues that Cisco DNA Center detects. Also, the Assurance issues don't provide any details when you click the notifications.

This problem occurs when you enable notifications for licensing issues (Notification Center > Settings > Notification Preferences > Know Your Network > Devices).

CSCvx99671

In the Workflows GUI, when the text in an "In Progress" tile is long or impedes other elements in the tile, the text should be truncated or abbreviated.

For example, the title of the following in-progress workflow is too long and should be truncated:

"Enable Apps on Switches (thousandeyes/enterprise-agent:Global/North America/North Carolina - 
Research Triangle Park/<conference-room>)"

The following table lists the resolved bugs in Cisco DNA Center, Release 2.2.2.0.

Table 19. Resolved Bugs in Cisco DNA Center, Release 2.2.2.0
Bug Identifier Headline

CSCvm82680

The Cisco DNA Center 1.1.6 GUI might become unavailable.

CSCvo40217

Cisco DNA Center interactive wireless template is not applied to the wireless controller.

CSCvq74218

When attempting to use Cisco DNA Center to provision a wireless LAN controller, the following error might be returned:

NCWL 10001: Site Profile is not present for site.

CSCvs21955

Cisco DNA Center might fail to collect inventory from a wireless controller that has unassociated APs that are not deleted or moved to another wireless controller.

CSCvs50772

The Cisco DNA Center threadmanagermonitor table should be pruned periodically to keep the size of the database from growing too large.

CSCvs69086

Cisco DNA Center should not allow provisioning until the Fabric Authentication Key Security fix is applied.

CSCvs86093

For the Template Editor, integer input types need a way to check for null.

CSCvu25442

The sdn-network-infra-iwan certificate expires on the device.

CSCvu39101

Cisco DNA Center fabric provisioning takes a long time when multiple sites are connected to the transit.

CSCvv08806

In Cisco DNA Center, extended nodes must be configured on distinct edge ports.

CSCvv17779

In Cisco DNA Center, the dna-event-runtime pod crashes while accessing the Audit Logs window.

CSCvv39538

The Cisco DNA Center Image Repository displays "Failed to load data" after adding a Meraki dashboard to Cisco DNA Center.

CSCvv58048

Cisco DNA Center might be unable to provision a managed device after an initial provision failure, instead citing the following error:

NCSP10237: Provisioning failed during workflow step spf.cfsTranslatorTaskAdapter due to null.

CSCvv58971

Cisco ISE integration fails when the Cisco DNA Center PPAN certificate contains an unreachable CDP.

CSCvv60854

A Cisco Catalyst 9800 Series Wireless Controller in HA fails inventory collection.

CSCvv63265

The Cisco DNA Center Public Key Infrastructure (PKI) service might use a cached certificate, instead of a refreshed certificate, even after the cached certificate's expiration date.

CSCvv64614

Cisco DNA Center might not push the IP Device Tracking (IPDT) configuration to switch ports that are in access mode, in switches whose role is defined as access switches.

CSCvv67156

Cisco DNA Center is unable to start LAN automation if the primary seed device was deleted before stopping a previous LAN automation session. This causes subsequent LAN automation sessions to fail.

CSCvv70086

Cisco DNA Center pushes conflicting configurations to the extended node interfaces during PnP.

CSCvv74034

MongoDB-2 goes into crashloop after upgrading to Cisco DNA Center 2.1.2.x.

CSCvv81218

Cisco DNA Center might fail to provision a wireless access point if the wireless LAN controller it is joined to has a name longer than 31 characters, including the domain name.

CSCvv84323

Wireless controller provisioning fails because a guest SSID is created during Cisco DNA Center 1.2.x with Fast Transition.

CSCvv88978

The network license count for Cisco Catalyst 9300 switches is incorrect.

CSCvv91822

In Cisco DNA Center, the IPDT configuration is rejected by the Bluetooth interface during provisioning.

CSCvv94215

Cisco DNA Center cannot start LAN automation because a discovered site is deleted from the system.

CSCvv95170

Device-tracking configuration push fails when the Catalyst 9407 device role changes to ACCESS.

CSCvv95313

Software image activation fails on Cisco DNA Center with the error "NCSW10244: The task is hung and is auto-aborted."

CSCvw03683

Cisco DNA Center might be unable to start new LAN automation sessions, citing the following error:

NCND05022: New LAN Automation cannot start as previous session is still in-progress.

CSCvw09106

Cisco DNA Center might configure the default-flex-profile of a wireless controller with an external webauth SSID that has "central-webauth" enabled.

CSCvw14715

Cisco DNA Center does not push the default-site-tag-fabric configuration to the Cisco Catalyst 9800 Series Wireless Controller after upgrade.

CSCvw16983

Adding a Cisco Catalyst 9800 Series Wireless Controller to the fabric fails if the fabric contains Layer 3 only IP address pool segments.

CSCvw20926

After a successful system upgrade to Cisco DNA Center 2.1.2.X, the bulk application upgrade downloads from the GUI fails with the warning, "Downloading packages ended with an error."

CSCvw24685

Cisco DNA Center-to-ServiceNow Configuration Management Database (CMDB) sync fails because the inventory includes AP sensors.

CSCvw30297

The RMA process fails when a faulty device is in NETWORK-READINESS-FAILED status.

CSCvw31167

The Cisco DNA Center GUI and CLI become very slow after upgrading from 1.3.3.x to 2.1.2.3.

CSCvw31619

Elasticsearch cluster formation fails in an XL appliance cluster with 12 instances.

CSCvw34578

Cisco DNA Center doesn't have an option to mark a golden image for Cisco Catalyst 9400 Supervisor Engine-1XL-Y.

CSCvw37064

Cisco DNA Center might incorrectly configure ACL_WEBAUTH_REDIRECT on multiple devices at the same site.

CSCvw37462

An AP map loads very slowly after upgrading to Cisco DNA Center 2.1.2.3.

CSCvw43696

The Cisco Catalyst 9800 Series Wireless Controller inventory collection fails when the AAA authorization method length is greater than 31 characters.

CSCvw45329

Cisco DNA Center doesn't provision the NetFlow collector settings from the Design window.

CSCvw47447

It is possible to delete a custom-provisioned RF profile.

CSCvw49445

Wireless controller provisioning is blocked when the RF profile is deleted from the Design window but not cleaned from the database.

CSCvw49759

When executed manually from Tools > Network Reasoner > CPU Utilization workflow, the Cnsr-reasoner service restarts every time and there is no issue report.

CSCvw53139

The Cisco DNA Center Task window doesn't load any data.

CSCvw58651

In the Cisco DNA Center Policy, QoS does not push outbound configurations.

CSCvw59092

In Cisco DNA Center, the Pkcs12 configuration fails due to internal errors after discovering Cisco Catalyst 9800 Series Wireless Controllers in a cluster.

CSCvw62170

There is a mismatch in the unassigned device count and what is seen in inventory after removal of the GPS marker.

CSCvw62379

Cisco DNA Center-to-Service Now integration fails with a rate limit exceeded error.

CSCvw67029

Application upgrade fails due to the RabbitMQ maximum message size.

CSCvw67480

Duplicate Flex Profiles are found in wireless controllers after an upgrade.

CSCvw72645

RBAC prevents network hierarchy maps from loading; "Error 11015" is displayed.

CSCvw73184

After fixing an authorization failure, AAA users are able to log in but cannot perform certain operations.

CSCvw74679

A suboptimal closed authorization configuration is pushed when a critical VLAN/IP address pool is not explicitly defined.

CSCvw76030

Cisco DNA Center is unable to perform RMA because a field value exceeds the integer range.

CSCvw76745

Cisco Catalyst 9800 Series Wireless Controller provisioning doesn't work because changes to FlexProfilePolicyAclConfig are not picked up.

CSCvw95827

The Cisco DNA Center default application policy configuration does not handle the IS-IS protocol correctly.

CSCvx02345

Cisco DNA Center might become unable to start a new LAN automation session, citing the following error:

NCND00006: The input payload contains an invalid key.

CSCvx02368

Cisco DNA Center might become unable to start a new LAN automation session after a LAN-automated fabric-in-a-box device is deleted from the system and readded via Discovery and Inventory. The following error is returned:

Failed to start Network Orchestration Session: null.

CSCvx08471

Restoring a backup to Cisco DNA Center 2.1.2.5 might appear to hang, but it fails with the error "SoftTimeLimitExceeded()" for the component "RESTORE.MONITOR_SERVICES_RESTART".

CSCvx09990

Cisco DNA Center pushes additional flex profiles to a managed wireless LAN controller after upgrading to 2.1.2.x, and those profiles have incorrect VLAN-name and VLAN-id mapping in the site tags.

CSCvx10390

Upgrading the Cisco DNA Center application packages fails due to a constraint violation on the lispcomponent table.

CSCvx12639

The Inventory status of a managed device in Cisco DNA Center might change to "Internal Error" when a value returned by the device that should be an IP address is null. The logs show the error "Null value was assigned to a property of primitive type setter of com.cisco.xmp.model.foundation.connectivity.ip.IpV4Properties.directedBroadcast."

CSCvx12949

When Cisco DNA Center is used to enable application telemetry on a network device by tagging the desired LAN interfaces with the "lan" keyword in the interface description, Tunnel and Port-Channel interfaces do not get enabled.

CSCvx14538

Router provisioning fails with the error "NCSP10250: Error During persistence (provision) of CFS."

CSCvx16385

Restoring a backup might fail the 7200 second timeout for pg_restore.

CSCvx21215

A Guest SSID with the Fast Transition value configured as Adaptive in an earlier release of Cisco DNA Center causes wireless controller provisioning issues in Cisco DNA Center 2.1.2.5.

CSCvx21853

Cisco DNA Center discovery fails to retrieve global credentials while trying to create a new task.

CSCvx25703

Cisco DNA Center 2.1.2.4: An incorrect policy profile is linked with new wireless controllers pushed by Cisco DNA Center while provisioning.

CSCvx27169

The Cisco DNA Center Inventory service might crash if the managed devices send many syslogs.

CSCvx34837

Cisco DNA Center provisioning AAA configurations to a Cisco Catalyst 9800 Series Wireless Controller might fail due to an invalid command in the configuration model that includes "$timeout".

CSCvx41602

When the Cisco DNA Center Licensing Tool tries to configure a SLR reservation for stacked switches, it might become stuck at Generating Authorization code.

CSCvx43441

In the Cisco DNA Center Inventory, in the PnP area, wireless sensors hang at "Certificate install is in progress. Device is ready to be claimed."

CSCvx47878

An incorrect web auth configuration might be pushed when a PSK (personal) SSID is added. This causes a conflict in the actual configuration push to the device through Cisco DNA Center provisioning.

CSCvx47887

After a failed wireless controller provisioning attempt, Cisco DNA Center might not roll back the configuration from the wireless controller, which might cause a network outage.

CSCvx50896

Devices that are already registered for Smart Licensing in an existing installation of CSSM On-Prem will be deregistered when On-Prem is integrated with Cisco DNA Center. While this is documented in the Cisco DNA Center Administrator Guide, the warning should be more pronounced.

CSCvx56103

When the kubelet certificate expires and is refreshed, the kubelet goes down and all services go down.

CSCvx56258

The Cisco DNA Center Inventory resync results in an internal error.

CSCvx68948

Reconfigure device provision might not determine configuration changes for the Dot1x Auth Template.

CSCvx75231

After upgrading to Cisco DNA Center 2.1.2.4 and later, the following error is displayed after modifying IP address pools for a virtual network on the fabric Host Onboarding window:

NCWL10004: L3 Only pools are not supported.
Please delete and recreate the segment.

CSCvx76405

During an upgrade of Cisco DNA Center application packages, the upgrade might appear to be stuck for hours at 20% with no obvious movement forward. The migration logs show a deadlock on the Postgres executionevent table. This issue stems from a large database table upon which database update queries pile up, causing a deadlock.

Limitations and Restrictions

Upgrade Limitation

If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:

  • Cisco ISE is already configured in Cisco DNA Center.

  • The version of Cisco ISE is not 2.6 patch 1 or 2.4 patch 7 or later.

  • Cisco DNA Center contains an existing fabric site.

  • The number of DNS servers must not exceed three.

Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.

To work around this problem, upgrade Cisco ISE to 2.6 patch 1 or 2.4 patch 7 or later, and retry the Cisco DNA Center upgrade.

Backup and Restore Limitations

  • You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose System Settings > Settings > Authentication and Policy Servers. Choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial-collection after restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

Cisco ISE Integration Limitations

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, or in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC 5280, section 4.2.1.9).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

  • The Cisco ISE internal certificate authority must issue the pxGrid certificate for Cisco DNA Center.

License Limitation

The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support Smart License registration of the Cisco 5500 Series AireOS Wireless Controller when the connection mode is smart-proxy.

Fabric Limitations

  • Cisco DNA Center supports up to a maximum of 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, and so on.

    Physical ports cannot exceed 480,000 ports on a 112-core appliance.

  • IP address pools reserved at the area level are shown as inherited at the building level on the Design > Network Settings > IP Address Pools window; however, these IP address pools are not listed on the Host Onboarding window if the fabric site is defined at the building level. If the fabric site is defined at the building level, you must reserve the IP address pools at the building level; if the fabric site is defined at the area level, you must reserve the IP address pools at the area level.

    To work around this issue, release and reserve the IP address pool at the same level (area or building) as the fabric site, or reconfigure the fabric site at the same level as the reserved IP address pool.

  • Cisco DNA Center does not support multicast across multiple fabric sites that are connected by an SDA transit network.

  • In a fabric setup with Cisco Catalyst 9800 HA devices, if one of the HA devices goes down, you must complete the following steps to replace it:

    1. From the Cisco DNA Center Inventory window, resynchronize the HA device that failed. Cisco DNA Center shows the device as standalone; the standby has failed and has been removed.

    2. Set the priority for the devices. If you want the existing device to return as the active device after forming HA with the new device, ensure that the HA priority of the existing device is set to 2 (or the highest available priority value). You configure the device priority from the web UI, under Administration > Device > Redundancy. Alternatively, you can enter the following CLI command to configure the device priority:

      chassis <chassis_number> priority 2

      To view the chassis number and the current priority value, enter the show chassis EXEC command.

      If the priority is set to the default value of 1 on both devices, the device with the lower MAC address becomes the active device.

    3. Configure the chassis redundancy command on the new device using the same local and remote IP addresses that were used on the failed device. You configure the chassis redundancy in either the web UI or the CLI.

    4. Reboot both devices to form the HA pair.

    5. After HA is up, resynchronize the devices in Cisco DNA Center. The Inventory window shows the new HA pair. Verify the serial numbers in the Serial Number column. For an HA pair, both the active and standby serial numbers are shown.

Brownfield Feature-Related Limitations

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only the AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • The Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based only on the SSID name, and does not consider other attributes.

Wireless Policy Limitation

If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, "Policy Deployment failed" is displayed.

AP Limitations

  • AP as a sensor is not supported in this release of Cisco DNA Center.

  • Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.

    After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.

  • Provisioning of 100 APs takes longer in this release as compared to 3 minutes in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.

Inter-Release Controller Mobility (IRCM) Limitation

The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.

IP Device Tracking on Trunk Port Limitation

Rogue-on-wire detection is impacted: Cisco DNA Center does not show all clients connected to a switch through an access point in bridge mode. The trunk port is used to exchange all VLAN information, so when IP device tracking is enabled on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch, and rogue-on-wire is not detected while IP device tracking is enabled on the trunk port. As a best practice, disable IP device tracking on the trunk port. See Disabling IP Device Tracking for more information.

IP Address Manager Limitations

  • Cisco DNA Center supports integration with an external IPAM server that has trusted certificates. In the Cisco DNA Center GUI, under System > Settings > External Services > IP Address Manager, you might see the following error:

    NCIP10282: Unable to find the valid certification path to the requested target.

    To correct this error for a self-signed certificate:

    1. Using OpenSSL, enter one of the following commands to download the self-signed certificate, depending on your IPAM type. (You can specify the FQDN [domain name] or IP address in the command.)

      openssl s_client -showcerts -connect Infoblox-FQDN:443
      openssl s_client -showcerts -connect Bluecat-FQDN:443

    2. From the output, use the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) to create a new .pem file.

    3. Go to System > Settings > Trust & Privacy > Trustpool, click Import, and upload the certificate (.pem file).

    4. Go to System > Settings > External Services > IP Address Manager and configure the external IPAM server. (If the IPAM server is already configured, skip this step.)

    To correct this error for a CA-signed certificate, install the root certificate and any intermediate certificates of the CA that is installed on the IPAM into the Cisco DNA Center trustpool (System > Settings > Trust & Privacy > Trustpool).

  • You might see the following error if a CA-signed certificate is revoked by the certificate authority:

    NCIP10286: The remote server presented with a revoked certificate. Please verify the certificate.

    To correct this, obtain a new certificate from the certificate authority and upload it to System > Settings > Trust & Privacy > Trustpool.

  • You might see the following error after configuring the external IPAM details:

    IPAM external sync failed:
    NCIP10264: Non Empty DNAC parent pool <CIDR> exists in external ipam.

    To correct this, log in to the external IPAM server (such as BlueCat). Confirm that the parent pool CIDR exists in the external IPAM server, and remove all the child pools that are configured under that parent pool. Then, return to the Cisco DNA Center GUI and reconfigure the IPAM server under System > Settings > External Services > IP Address Manager.

  • You might see the following error while using IP Address Manager to configure an external IPAM:

    NCIP10114: I/O error on GET request for "https://<IP>/wapi/v1.2/":
    Host name '<IP>' does not match the certificate subject provided by the peer
    (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US);
    nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name '<IP>'
    does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering,
    O=Infoblox, L=Sunnyvale, ST=California, C=US) |

    To correct this, log in to the external IPAM server (such as Infoblox) and regenerate your external IPAM certificate with the common name (CN) value as the valid hostname or IP address. In the preceding example, the CN value is www.infoblox.com, which is not the valid hostname or IP address of the external IPAM.

    After you regenerate the certificate with a valid CN value, go to System > Settings > Trust & Privacy > Trustpool. Click Import and upload the new certificate (.pem file).

    Then, go to System > Settings > External Services > IP Address Manager and configure the external IPAM server with the server URL as the valid hostname or IP address (as listed as the CN value in the certificate).
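The following script is an added example, not part of the Cisco release note or Cisco DNA Center itself. It parses the `openssl s_client -showcerts` output from step 1, splits out the PEM blocks for the trustpool import, and applies the CN-versus-hostname check behind the NCIP10114 error; the s_client output, the PEM body and the IP 192.0.2.10 used in the assertions are constructed samples.

```python
import re

# Constructed sample of "openssl s_client -showcerts -connect <host>:443" output (OpenSSL
# 1.1.1 subject/issuer layout). The PEM body is a placeholder, not a real certificate.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:CN = www.infoblox.com, OU = Engineering, O = Infoblox, L = Sunnyvale, ST = California, C = US
   i:CN = www.infoblox.com, OU = Engineering, O = Infoblox, L = Sunnyvale, ST = California, C = US
-----BEGIN CERTIFICATE-----
PLACEHOLDERPEMBODYNOTAREALCERTIFICATE
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
SUBJECT_LINE = re.compile(r"^\s*\d+\s+s:(.*)$", re.M)   # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s+i:(.*)$", re.M)           # "   i:CN = ..."

def parse_chain(output: str) -> list:
    """One entry per certificate, in the order s_client printed them (leaf first)."""
    chain = []
    for pem, s, i in zip(PEM_BLOCK.findall(output), SUBJECT_LINE.findall(output),
                         ISSUER_LINE.findall(output)):
        s, i = s.strip(), i.strip()
        chain.append({"pem": pem + "\n", "subject": s, "issuer": i, "self_signed": s == i})
    return chain

def subject_cn(subject: str) -> str:
    """Pull the CN out of either the 'CN = x, O = y' or the older '/CN=x/O=y' layout."""
    m = re.search(r"CN\s*=\s*([^,/]+)", subject)
    return m.group(1).strip() if m else ""

def cn_matches_host(cn: str, host: str) -> bool:
    """Exact (case-insensitive) or one-label wildcard match of the CN against the
    hostname/IP configured in Cisco DNA Center; real verifiers check SAN entries first."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == cn[2:]
    return cn == host

def check_ipam_cert(output: str, configured_host: str) -> dict:
    """Hostname-vs-CN check (NCIP10114) plus the PEMs to import into the trustpool:
    the leaf when self-signed, else the issuers the server sent (CA root may be missing)."""
    chain = parse_chain(output)
    leaf = chain[0]
    cn = subject_cn(leaf["subject"])
    to_import = [leaf["pem"]] if leaf["self_signed"] else [c["pem"] for c in chain[1:]]
    return {"leaf_cn": cn, "hostname_ok": cn_matches_host(cn, configured_host),
            "import_to_trustpool": to_import}
```

Each string in import_to_trustpool can be written to its own .pem file and uploaded under System > Settings > Trust & Privacy > Trustpool; when the server did not send its CA root, obtain that root from the CA separately.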

IPv6 Limitations

If you choose to run Cisco DNA Center in IPv6 mode:

  • Access Control Application, Group-Based Policy Analytics, and Cisco AI Endpoint Analytics packages are disabled and cannot be downloaded or installed.

  • Communication through Cisco ISE pxGrid is disabled, because Cisco ISE pxGrid does not support IPv6.

Cisco Plug and Play Limitations

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:

    pnp startup-vlan <vlan_number>

Cisco Group-Based Policy Analytics Limitations

  • Cisco Group-Based Policy Analytics supports up to five concurrent requests based on realistic customer data. While it is desirable for GUI operations to respond within 5 seconds or less, for extreme cases based on realistic data, it can take up to 20 seconds. There is no mechanism to prevent more than five simultaneous requests at a time, but if it does happen, it might cause some GUI operations to fail. Operations that take longer than 1 minute will time out.

  • Data aggregation occurs at hourly offsets from UTC in Cisco Group-Based Policy Analytics. However, some time zones are at a 30-minute or 45-minute offset from UTC. If the Cisco DNA Center server is located in a time zone with a 30-minute or 45-minute offset from UTC and the client is located in a time zone with an hourly offset from UTC, or vice versa, the time ranges for data aggregation in Cisco Group-Based Policy Analytics are incorrect for the client.

    For example, assume that the Cisco DNA Center server is located in California PDT (UTC-7), where data aggregations occur at hourly offsets (8:00 a.m., 9:00 a.m., 10:00 a.m., and so on). When a client located in India IST (UTC+5:30) wants to see the data between 10:00 and 11:00 p.m. IST, which corresponds to the time range 9:30 to 10:30 a.m. PDT in California, no aggregations are seen.

  • Group changes that occur within an hour are not captured. When an endpoint changes from one scalable group to another, Cisco Group-Based Policy Analytics is unaware of this change until the next hour.

  • You cannot sort the Scalable Group and Stealthwatch Host Group columns in the Search Results window.

  • You might see discrepancies in the information related to Network Access Device (including location) between Cisco DNA Assurance and Cisco Group-Based Policy Analytics.

Application Telemetry Limitation

When configuring application telemetry on a device, Cisco DNA Center might choose the wrong interface as the source for NetFlow data.

To force Cisco DNA Center to choose a specific interface, add netflow-source to the interface description. You can use a special character followed by a space after netflow-source, but not before it. For example, the following syntax is valid:

netflow-source
MANAGEMENT netflow-source
MANAGEMENTnetflow-source
netflow-source MANAGEMENT
netflow-sourceMANAGEMENT
netflow-source & MANAGEMENT
netflow-source |MANAGEMENT

The following syntax is invalid:

MANAGEMENT | netflow-source
* netflow-source
netflow-source|MANAGEMENT
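As an added example (not Cisco's matching code), the following script encodes the description rule inferred from the valid and invalid examples above and scans a running-config excerpt for the interfaces that would be honoured as the NetFlow source. The interface names and descriptions in SAMPLE_CONFIG are constructed, and the rule is an assumption derived only from the listed examples.

```python
import re

KEYWORD = "netflow-source"

# Constructed running-config excerpt; interface names and descriptions are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description MANAGEMENT | netflow-source
interface GigabitEthernet1/0/2
 description netflow-source|UPLINK
interface Loopback0
 description MGMT netflow-source
"""

def is_netflow_source(description: str) -> bool:
    """True if the description would select the interface as the NetFlow source.
    Rule inferred from the release-note examples: the text before the keyword
    (ignoring trailing spaces) must be empty or end in a letter/digit, and the
    character right after the keyword must be absent, a space, or a letter/digit,
    so a special character is accepted only when a space separates it."""
    for m in re.finditer(re.escape(KEYWORD), description):
        before = description[:m.start()].rstrip()
        after = description[m.end():m.end() + 1]
        before_ok = before == "" or before[-1].isalnum()
        after_ok = after == "" or after == " " or after.isalnum()
        if before_ok and after_ok:
            return True
    return False

def netflow_source_candidates(config: str) -> list:
    """Interface names whose description line passes is_netflow_source(); an empty
    list or more than one entry means the source selection is not pinned down."""
    chosen, current = [], None
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and stripped.startswith("description "):
            if is_netflow_source(stripped[len("description "):]):
                chosen.append(current)
    return chosen
```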

Get Assistance from the Cisco TAC

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.

Documentation Feedback

To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.

Related Documentation

We recommend that you read the following documents relating to Cisco DNA Center.

For This Type of Information...    See This Document...

Release information, including new features, limitations, and open and resolved bugs.
    Cisco DNA Center Release Notes

Installation and configuration of Cisco DNA Center, including postinstallation tasks.
    Cisco DNA Center Installation Guide

Upgrade information for your current release of Cisco DNA Center.
    Cisco DNA Center Upgrade Guide

Use of the Cisco DNA Center GUI and its applications.
    Cisco DNA Center User Guide

Configuration of user accounts, security certificates, authentication and password policies, and backup and restore.
    Cisco DNA Center Administrator Guide

Security features, hardening, and best practices to ensure a secure deployment.
    Cisco DNA Center Security Best Practices Guide

Supported devices, such as routers, switches, wireless APs, and software releases.
    Cisco DNA Center Compatibility Matrix

Hardware and software support for Cisco SD-Access.
    Cisco SD-Access Compatibility Matrix

Use of the Cisco DNA Assurance GUI.
    Cisco DNA Assurance User Guide

Use of the Cisco DNA Center platform GUI and its applications.
    Cisco DNA Center Platform User Guide

Cisco DNA Center platform release information, including new features, deployment, and bugs.
    Cisco DNA Center Platform Release Notes

Use of the Cisco Wide Area Bonjour Application GUI.
    Cisco Wide Area Bonjour Application User Guide

Use of the Stealthwatch Security Analytics Service on Cisco DNA Center.
    Cisco Stealthwatch Analytics Service User Guide

Use of Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center GUI.
    Cisco DNA Center Rogue Management Application Quick Start Guide