These caveats are open in controller software release 18.104.22.168.
- CSCsb57163—Controllers sometimes fail to boot using the backup image.
- CSCsb77595—When logging out from Telnet/SSH sessions, the session always prompts the user to save changes, even when no changes have been made.
Workaround: Ignore the prompt and exit as usual.
- CSCsd54928—The CPU ACL is unable to block LWAPP packets that are destined for the IP address of the dynamic interface.
- CSCsd77121—Only one CLI session is permitted from the router to the controller network module in a Cisco 28/37/38xx Series Integrated Services Router, even if multiple sessions are configured.
- CSCsd84706—Containment information for ad-hoc rogue access points is not shown on the controller GUI.
Workaround: Use the controller CLI.
- CSCsd95723—Some users might be confused when presented with the None and DHCP options for configuring the service port interface in the initial controller setup wizard. These options are available for a controller that has no configuration and the setup wizard is being used to configure it.
Workaround: Users can interpret the None option as Static and a logical alternative to DHCP.
- CSCse06202—When a controller’s IKE lifetime expires, a rekey is not offered.
- CSCse06206—The controller sends a DEL notification when the IKE lifetime expires, but it does not send the notice to the client.
- CSCse43488—The controller might not show the correct maximum output power configuration of a 1000 series access point 5-GHz radio in the -P domain.
- CSCse75417—A 1000 series access point might report an 802.11b client transmitting at 12 Mbps.
- CSCse87087—A controller with link aggregation (LAG) enabled fails Ethernet link redundancy. This problem occurs when the controller uses an Ethernet copper gigabit interface converter (GBIC) instead of a fiber GBIC and one of two Ethernet cables is pulled out of the GBIC.
Workaround: Clear the configuration on the controller. Then reconfigure the controller and perform the redundancy test.
- CSCsg04831—There are not enough debugs to determine the packet flow in the controller for guest access.
Workaround: Use a wireless sniffer trace.
- CSCsg32646—If link aggregation (LAG) is enabled on the controller and the port channel is configured on the infrastructure switch, the controller displays only a single entry for its neighbor when you enter the sh cdp neighbor CLI command. When you enter the same command on the switch, it displays two entries for the controller for two different ports that are part of LAG. The controller should display two entries when the command is entered on the controller because the switch sends the CDP message from two different ports that are part of the port channel.
- CSCsg39910—The 1000 series access points should support direct Telnet to the controller CLI.
- CSCsg39928—The 1000 series access points should support direct Secure Shell (SSH) to the controller CLI.
- CSCsg45938—Devshell commands do not work on SSH or Telnet sessions.
Workaround: Enter the devshell commands in a console session.
- CSCsg48089—If you lose your controller password and have not backed up the configuration, the recovery mechanism is to revert to the factory default settings.
- CSCsg66040—After a software upgrade, controllers might experience intermittent access to the management interface through HTTPS.
Workaround: Follow these steps to workaround the issue:
a. Make sure HTTPS is enabled on the controller’s management interface, reboot the controller from the CLI, and monitor the last service if error messages appear after the controller prompts you to enter a username and password to login.
b. Login with the relevant credentials and reconfigure the virtual interface with this CLI command:
config interface address virtual 22.214.171.124
c. Reboot the controller and make sure the Secure Web service shows up as OK.
d. Generate a certificate using this CLI command:
config certificate generate webauth
e. Click Yes when prompted and wait a few minutes for the certificate to generate.
f. Reboot the controller.
- CSCsg68046—The complete reason for a TFTP download failure needs to appear on the controller GUI. If the controller cannot find the software file on the TFTP server during a software upgrade, it reports that the transfer failed rather than that the file is not present.
Workaround: Make sure that the file and filename are entirely correct before upgrading, or upgrade using the CLI to receive a more accurate reason for the failure. Further details are available if you use the debug transfer all enable command prior to upgrade.
- CSCsg74578—If you change a controller’s management IP address, it is not sent to the access point unless the access point is reset. As a result, multicasting does not work until the change is made on the access point.
Workaround: Reset the access point so that it rejoins the controller and the controller updates the access point with the new configuration.
- CSCsg84209—The export foreign controller is not deleting the client device when it receives a HandoffEnd message.
- CSCsg87111—While editing a WLAN configured for WPA1+WPA2 with a conditional web redirect to 802.1X, the MIB browser shows a commit failure error.
Workaround: Do not directly change from WPA1+WPA2+conditional web redirect to 802.1X+conditional web redirect. Instead, follow these steps:
a. Remove conditional web redirect and save your change.
b. Change Layer2 to 802.1X and save your change.
c. Change Layer3 to conditional web redirect and save your change.
- CSCsg88704—When you use the default controller setting of 512 for the controller database size, the following problems may occur:
– If you attempt to add a MAC address to a very long MAC filter list, the following error message appears: “Error in creating MAC filter.”
– If you add a large number of users to the local database, some user entries might be silently ignored.
– If you add SSCs for the access points, at some point no more entries can be added, and the following error message appears: “Authorization entry does not exist in Controller’s AP Authorization List.”
Workaround: Configure a larger value for the controller database, such as 2048.
- CSCsh11086—If you press Ctrl-S and Ctrl-Q to pause and restart the output of a command such as debug dot1x event enable, the controller reboots.
Workaround: Do not stop the console using Ctrl-S.
- CSCsh15411—When an access point drops the IAPP packet from a CCX client just after association, the CCX Layer 2 roam history may not be available for CCX clients on the controller.
- CSCsh31104—The word channel is misspelled in the message log.
- CSCsh93279—The 1000 series access points do not consistently forward probe requests to the controller.
- CSCsi13399—The Expiration Timeout for Rogue AP Entries parameter on the Rogue Policies page applies to both rogue access point entries and rogue client entries. The parameter name should be changed to reflect both types of entries.
Workaround: None. This is a cosmetic issue.
- CSCsi17242—If a controller starts a timer (such as reauthentication or keylife time) after running for approximately 52 days, the timer might take a long time to fire (up to another 52 days).
Workaround: Clean up the timers. If the problem is related to the client, deauthenticate the client to clean the timer. If the problem is related to the WLAN, such as a broadcast key update, disable and then re-enable the WLAN.
- CSCsi26248—You might lose connectivity when adding or recovering a second link aggregation (LAG) link.
Workaround: Recover the LAG link when service is not in use. You might also want to consider not using this type of configuration.
- CSCsi27596—The controller lacks a supported way to configure the broadcast key rotation interval. Instead, it is hardcoded to a group key rotation interval of 3600 seconds (1 hour).
Workaround: On the console, configure the hidden command devshell dot1xUpdateBroadcastRekeyTimer ( seconds). This command does not work in an SSH or Telnet session and does not survive a reboot.
(Cisco Controller) >devshell dot1xUpdateBroadcastRekeyTimer(86400)
- CSCsi30541—Loss of connectivity to the management interface occurs when you add a new dynamic interface and the configured DHCP server on all other interfaces is in the new dynamic interface subnet and the new interface has a shorter mask than the other interfaces.
Workaround: Configure a 10/24 interface or a different 10/16 subnet such that the new dynamic interface does not contain the DHCP server IP address currently defined on all interfaces.
- CSCsi40354—Traffic stream metrics (TSM) information is not sorted chronologically on the controller GUI.
- CSCsi54588—Some 802.1X error messages have inadequate descriptions or incorrect severity levels. For example, the following messages, which can be caused by an incorrectly configured client, have a severity level of 1 when they should have a severity level of 3. As a result, they are logged even when the logging level is set to Critical.
Workaround: Make sure that clients are correctly configured to minimize error logging.
- CSCsi62915—Static IP wireless devices are not shown on the controller until they send a packet. The IP address information should appear on the MAC Filtering > Details page of the controller GUI and in the output of the show run-config CLI command.
Workaround: To see static IP wireless devices in the controller's local MAC filter list, enter a CLI command similar to the following:
config macfilter add 00:01:02:03:04:05 3 200 "test prt" 192.168.200.10
- CSCsi72324—A service port with IP address 0.0.0.0 responds to an ARP for the AP-manager interface.
Workaround: Unplug the service port and reconfigure it on the correct subnet.
- CSCsi72767—A script runs each time you generate a dependency file, which makes the build very slow.
- CSCsj03124—RLDP behavior is inconsistent when initiated from a Cisco 1250 series access point.
Workaround: Use access points other than the 1250 when RLDP needs to be used.
- CSCsj06245—Portions of the output of the show tech-support CLI command might be formatted incorrectly, making the information difficult to read.
- CSCsj14255—Sometimes the multicast stream to wireless clients stops, and the upstream router does not receive IGMP reports. This problem occurs when there are multiple IGMP requests on the same VLAN and the controller responds only to the last query or when simultaneous IGMP queries are sent from more than five VLANs and the controller responds to only the first five.
- CSCsj14304—With IGMP snooping enabled, MGIDs are assigned to reserved multicast addresses.
Workaround: Use an upstream ACL if packets with reserved multicast addresses need to be blocked.
- CSCsj17054—A misleading message appears on the controller GUI when you upload software or certificates.
Workaround: Ignore the message and choose the correct options to upload files on the controller.
- CSCsj29501—When the session slot or telnet command times out on the supervisor on the Cisco WiSM and you try to log in again, any character that you enter is duplicated.
Workaround: Use a direct console connection to the Cisco WiSM.
- CSCsj44861—An access point might transmit neighbor messages when it is not connected to a controller.
- CSCsj54064—The downstream throughput is low when using a long packet size with ACLs on the 4400 series controller and the Catalyst 3750G Wireless LAN Controller Switch.
- CSCsj59237—The traffic stream metric (TSM) packet count is not reported correctly.
- CSCsj59441—Channel information for a rogue access point does not appear on the rogue access point report.
Workaround: Enable the rogue access point trap for the registered controllers or view the channel information on the controller.
- CSCsj61649—Whenever a log analysis report is generated on a CCXv5 client using WCS, the DHCP and AAA logs are swapped.
Workaround: Use the controller CLI to view this information.
- CSCsj67447—When you use the controller GUI to modify an existing (or newly created) guest LAN and you choose an ingress interface that is already in use, no error appears. The error that appears on the CLI should also appear on the GUI: “ Ingress interface is in use by some other guest lan.”
- CSCsj85329—The controller GUI should explain how the password changes with RADIUS compatibility mode. The RADIUS server names help users match to their type of RADIUS server, but the server types should be explained:
– Cisco ACS—In the RADIUS access-request packet, the username is the client MAC address, and the password is the client MAC address.
– Free RADIUS—In the RADIUS access-request packet, the username is the client MAC address, and the password is the controller’s shared secret with the RADIUS server.
– Other—In the RADIUS access-request packet, the username is the client MAC address, and the password is not sent in the RADIUS access-request packet.
- CSCsj87925—The controller GUI netmask for an ACL accepts arbitrary values.
Workaround: Enter a valid netmask.
- CSCsj88889—WGB and wired WGB clients are shown using different radios.
- CSCsj88990—Rogue access point client information shown for the access point does not match the client information from the Rogue Client Details link.
Workaround: View the current rogue client information from the controller.
- CSCsj96589—Using the MAC address from the label on an 1131 or 1242 access point in the debug mac addr command produces limited debug output.
- CSCsj97900—The call admission control (CAC) TSPEC is not traffic shaping and allows a new call setup when the physical data rate is higher than one single data rate configured on the controller.
Workaround: Follow the instructions in the VoWLAN deployment guide to enable a realistic higher data rate for the Cisco 7921 phone and turn on the supported rate as recommended.
- CSCsk01633—The EAPOL key message is truncated with an invalid replay counter.
- CSCsk08401—The formatting for the config paging ? CLI command needs to be corrected.
- CSCsk08707—The 1250 series access points receive console error messages indicating that the primary discover decode failed.
- CSCsk12420—Sometimes a 1000 series access point does not accept the DHCP offer from a Catalyst 3750 switch.
- CSCsk17001—When a guest LAN with a blank ingress interface name is added to the controller, the application fails with an SNMP exception message.
Workaround: Use the controller CLI to configure a guest LAN. You might need to delete a previous guest LAN if it has a blank ingress interface configured on it and then recreate it. By default, the ingress interface is blank.
- CSCsk22861—An MGID entry is not cleared from the access point when IGMP snooping is disabled.
- CSCsk49157—When you change the session timeout of a WLAN that is using a backend RADIUS authentication server, any existing client that is using that WLAN shows its reauthentication timeout as infinite, even though there is a finite time after which reauthentication occurs.
- CSCsk49200—The hybrid-REAP local switching option should be removed for wired guest LANs.
- CSCsk49282—The guest LAN and WLAN are not clearly differentiated.
- CSCsk50477—The BCAST_Q_ADD_FAILED message contains typographical errors.
- CSCsk60655—The default frequency value in the intrusion detection system (IDS) file should be equal to or greater than the maximum deauthentication packets sent by an access point.
- CSCsk63047—Dynamic transmit power control (DTPC) does not work on Cisco1240 series access points in WGB mode.
- CSCsk68117—U-APSD state changes on a client device are not updated on the controller.
Workaround: Reboot the access point, or disassociate the client from the controller and then reassociate it.
- CSCsk74050— If you configure an ACL name with 32 characters, the ACL override fails during roaming.
Workaround: Use ACL names with up to 31 characters.
- CSCsk78264—A change in the RF domain name takes effect only after a reboot.
Workaround: Reboot the controller after changing the RF domain name.
- CSCsk79382—CCXv4 and CCXv5 clients receive an Adjacent Access Point Report from the controller even though this report should be sent only to CCXv2 and CCXv3 clients.
- CSCsk83426—A hybrid-REAP access point does not reauthenticate after entering standalone mode.
- CSCsk85091—If Rogue Location Detection Protocol (RLDP) is enabled on the controller, you may see radio reset messages on the access point console. There may also be a brief interruption in client traffic flow.
Workaround: Disable RLDP.
- CSCsk86536—The wrong error message appears when you change country channels with the 802.11a radio enabled.
- CSCsl01005—Sometimes bandwidth contracts do not take effect. If a user who has bandwidth restrictions logs in and logs out and then another user who does not have bandwidth restrictions logs in, the bandwidth restrictions are not removed immediately.
Workaround: Reassociate the user between logout of the old user and login of the new user.
- CSCsl03097—When a hybrid-REAP access point in standalone mode is on the DFS channel, the access point’s radio goes down if a radar event occurs on its operating channel.
Workaround: Wait until the access point’s connectivity to the controller recovers, or reboot the access point.
- CSCsl04281—The show run-config command might truncate access point neighbor information in a large environment.
Workaround: To reduce the occurrence of this issue, disable paging using the config paging disable command.
- CSCsl11352—The console output in software release 4.2 does not indicate which controller an access point joins when you add it to your network.
Workaround: On the access point console, right after you see the “ Press Return to get started” message, enter enable mode (the default password is Cisco), and enter this debug command:
debug ip udp
The output shows all UDP packets sent and received by the access point.
- CSCsl16445—When an access point radio status is down due to lack of CDP response from a neighboring switch, the controller reports Cause=Unknown. However, it should report Cause=Waiting for CDP response.
Workaround: None; this issue is cosmetic.
- CSCsl24600—The 1000 series access points might experience multiple “Watch Exception” errors.
- CSCsl40018—The hybrid-REAP design and deployment guide incorrectly implies that you can configure NAT on both the hybrid-REAP and controller sides of the network link. In reality, NAT is supported only on the access point side of the network link. The hybrid-REAP design and deployment guide is available at this URL:
- CSCsl41764—An access point should send a neighbor list to its clients as soon as it accepts the association.
- CSCsl42328—The controller should not allow you to use the IP address of the gateway as the interface address.
Workaround: Make sure that the interface IP address and gateway IP address are different.
- CSCsl47720—The link test report for a CCX client generated using the controller GUI does not provide enough information.
Workaround: Use the controller CLI. It always provides the correct link test report, except in cases of a CCX client connected to a hybrid-HREAP access point broadcasting a centrally switched WLAN.
- CSCsl48639—An IP address can be configured on a dynamic interface on a controller when that IP address has already been assigned to another device on the network.
Workaround: Check the ARP table on the switch to see if the IP address is bound to a MAC address on the network that is not the controller MAC address.
- CSCsl48776—Controllers sometimes incorrectly forward SSC authentication requests to a RADIUS server.
- CSCsl52445—The internal web authentication page on the controller accepts up to 2,047 characters, but the internal web authentication page in WCS accepts only 130 characters.
Workaround: If you need to enter more than 130 characters on the internal web authentication page, use the controller interface instead of WCS.
- CSCsl67177—The Catalyst Express 500 (CE500) might lose connectivity to a 4400 series controller when one port of the portchannel is shut down.
Workaround: Unplug and then plug in both Etherchannel links on the CE500 or the controller. Plug in or unplug any device on the CE500.
- CSCsl70043—When a client device connects to a secure EAP WLAN and immediately switches to an open WLAN, the access point sends a status 12 association response (which is normal) but sends it from the wrong MAC address and BSSID.
Workaround: On the controller CLI, enter config network fast-ssid-change to allow the client devices to connect without incident.
- CSCsl79765—When connected to a controller, 1230 series access points containing AIR-MP31G radios sometimes disable the radios and report that no channel is available.
Workaround: Contact Cisco TAC for more information. A Cisco internal-only procedure can be used to update missing environment variables and burn them into a cookie.
- CSCsl19319—If you create a local user profile on the GUI of a 2106 controller with the WLAN profile "any WLAN" and then edit the profile, the following error message appears: "Error in setting WLAN ID for user." However, your change is applied.
Workaround: Delete the local user profile and create a new one with the updated password or description or define a WLAN profile for the user.
- CSCsl95615—When a master controller exists on the network, an access point that is joined to a secondary or tertiary controller keeps going back to discovery.
Workaround: Disable the master controller mode.
- CSCsm03461—A command is needed to show the ER image or bootloader version that is currently running as well as the one that will be installed on the next bootup. Currently, the bootloader is used to verify if an ER image or bootloader upgrade is successful. However, not all controllers include the bootloader in the ER image.
Workaround: Install the Cisco Unified Wireless Network Controller Boot Software 126.96.36.199 ER.aes file, which contains a new bootloader. A successful transfer and upgrade of the ER file indicates that the ER file has been updated properly.
- CSCsm08623—If the config paging disabled CLI command is entered on the controller, the output of the show msglog command is periodically interrupted with the “Would you like to display the next 15 entries?” prompt.
- CSCsm25943—The meaning of the following error message on the controller is not clear. This message does not necessarily imply that any actual “ARP poisoning” is occurring. Rather, this message appears when a WLAN is configured for DHCP Required and a client (after associating to this WLAN) transmits an ARP message without first using DHCP. The client is unable to send or receive any data traffic until it performs DHCP through the controller.
DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received with invalid SPA 192.168.1.152/TPA 192.168.0.206
Workaround: Perform the following steps:
a. Determine whether you want to force your wireless clients to perform DHCP first, after associating, before they can send IP packets.
- If you do, then disable DHCP Required, and you will not encounter this problem.
- If you do not, then configure all clients to use DHCP.
b. If the client is configured for DHCP but sometimes still sends IP packets after associating without performing DHCP, then perform the following:
- Verify that the client eventually does perform DHCP without undergoing an unacceptable outage. If the outage before performing DHCP is acceptable, then you can ignore this message.
- If the client never does perform DHCP after associating, then it can never pass Layer 3 traffic. In this case, either determine how to change the client’s behavior so that it always performs DHCP after associating, or simply accept that this client does not work in this application or reconsider your decision to use DHCP Required.
- CSCsm32845—The Guest LAN parameter on the Interfaces > Edit page of the controller GUI might cause confusion for users because the guest LAN is used for interfaces involved in wired guest LANs, not for wireless guest WLANs.
- CSCsm40870—The following error message should be reworded:
Jan 24 15:20:55.374 apf_80211.c:2552 APF-4-ASSOCREQ_PROC_FAILED: Failed to process an association request from00:13:ce:37:8b:ff. WLAN:2, SSID:TMDInternal-WPA. mobile in exclusion list or marked for deletion
The message should read as follows:
ASSOCREQ_PROC_FAILED: Failed to process an association request from 00:13:ce:37:8b:ff. WLAN:2, SSID:TMDInternal-WPA. Mobile excluded or marked for deletion.
- CSCsm40903—Additional information is needed for the following message: “claspam_lrad.c:1626 LWAPP-6-PORTMAP_ERR: Failed to obtain multicast port map for interface 4, using default index (50).”
- CSCsm40906—The following message appears on the 2106 controller when multicast is disabled: “claspam_lrad.c:1626 LWAPP-6-PORTMAP_ERR: Failed to obtain multicast port map for interface 4, using default index (50).” No multicast messages should appear when multicast is disabled.
- CSCsm65043—1240 series access points might stop accepting new clients. In this case, the show controller d1 command shows the following:
Beacon Flags: 0; Beacons are disabled; Probes are disabled
Workaround: Reboot the access point.
- CSCsm71573—When the following message appears, it fills up the entire message log:
mm_listen.c:5078 MM-3-INVALID_PKT_RECVD: Received an invalid packet from 10.0.x.x. Source member:0.0.0.0. source member unknown.
- CSCsm79901—Wired clients attached to a workgroup bridge (WGB) are retaining the previous IP address after the WGB obtains a new IP address. As a result, the wired client stops sending traffic to the infrastructure network.
Workaround: Release and renew the DHCP IP address manually on the WGB wired client.
- CSCsm80423—The controller cannot block Layer2 multicast traffic.
- CSCsm82725—Clients are able to connect to the Internet without authenticating when using web authentication and port 53 on a proxy server.
- CSCsm84952—When you configure wired and wireless guest WLANs on two controllers, a wired guest user obtains an IP address but does not always receive the web authentication page or cannot login properly. Additionally, a reattempt by the wired client might result in obtaining an IP address from the other controller, causing the client to appear to have been handed an IP address from each controller.
Workaround: Disable the wired guest WLAN on one of the controllers and enable it as needed. Using an external DHCP server might resolve this issue as well.
- CSCsm88913—Removing a mobile client on Anchor WLC GUI causes ARP look-up failure if the client associates with a dynamic interface.
- CSCsm89253—The controller should log a message if it sends “Telnet is not allowed on this port” to Telnet clients.
- CSCsm94702—When the controller is configured through the service port, the VLAN ID and port information do not appear in the output of the show int summary CLI command.
- CSCsm96105—The controller does not pass traffic to a client device with a MAC address beginning with 00:00:00:00. This issue occurs with both WGB and wireless clients.
- CSCsm98659—The clcCdpGlobalEnable SNMP variable cannot be set on the controller unless there is at least one access point present on the controller. This creates problems when trying to add a new controller to WCS. When you create a new controller template on WCS and set the Global CDP on APs value to false, the template cannot be pushed out to any controller that does not have an access point associated to it.
Workaround: Add an access point to the controller. Then you can add the controller to WCS or change the CDP parameter.
- CSCso02340—The controller might report a different power level than is actually used by the access point if you change the channel from one supporting one transmit power to another supporting a different transmit power.
Workaround: Reapply the power configuration.
- CSCso07457—When the controller downloads a file using FTP, WCS shows the previous transfer state as the intermediate state, which is different from the final transfer state.
- CSCso10678—On rare occasions, a 4400 series controller might hang when you upgrade the software to a later release.
Workaround: Reboot the controller or wait some time to clear this condition.
- CSCso28323—Clients might fail to associate to an 1130 series access point configured for WPA1 AES-CCMP and optional MFP.
- CSCso31067—Some clients might experience failures during upstream-only prioritized traffic on 802.11a, despite radio resource management (RRM) features being disabled.
- CSCso31640—When you downgrade a 2100 series controller from software release 5.1 to software release 188.8.131.52, any hybrid-REAP groups configured on the controller are lost after the downgrade.
Workaround: None. You must reconfigure the hybrid-REAP groups.
- CSCso38808—When a CCXv5 client associates to a WLAN that has Aironet IE extensions enabled, the client information table contains no information.
- CSCso60597—If a 1250 series access point is configured for 20-MHz channel width and is then placed into sniffer mode, you cannot change the channel width to Above 40 MHz or Below 40 MHz. If the access point is configured for Above 40 MHz or Below 40 MHz before it is placed into sniffer mode, you can change the channel width to 20 MHz but not to a 40-MHz setting.
Workaround: Return the access point to local mode in order to modify the channel width settings. Then return it to sniffer mode. This process requires a minimum of two reboots of the access point.
- CSCso69011—After config paging disable is entered to disable page scrolling, the show interface summary command still shows a "paging" prompt, which could break customer scripts.
- CSCso69016—After config paging disable is entered to disable page scrolling, the show traplog command still shows a "paging" prompt, which could break customer scripts.
- CSCso79135—After an initial reboot of the Cisco WiSM or after the online insertion and removal (OIR) of the Cisco WiSM line card, the output of the show wism status CLI command on the Catalyst 6500 series switch shows that the service port is down, even if it is pingable. Wireless functionality is not impacted.
Workaround: Follow these steps:
a. Enter this CLI command on the Cisco WiSM to remove the service VLAN: no wism service-vlan vlan_id.
b. Enter this command to OIR the Cisco WiSM: hw-module module slot reset.
c. Enter this CLI command to add the service VLAN again: wism service-vlan vlan_id.
- CScsq06451—If you configure a guest LAN and map the ingress interface to a guest LAN interface, you cannot change the mapping to None using the controller GUI.
Workaround: Use this CLI command to change the mapping to None: config guest-lan ingress-interface 1 none.
- CSCsq09590—The client details on the controller GUI and CLI show a session timeout of 0 and a reauthentication timeout of infinite when you connect. However, after the client roams to another access point on the controller, the session timeout remains at 0, but the reauthentication timeout shows 1800 regardless of the timeout configured on the controller. This issue occurs when the controller is configured for WPA2+802.1X with no AAA override.
Workaround: Use the show pmk-cache mac_address CLI command to see the timeout.
- CSCsq11933—The controller GUI should show additional client counters, such as device type, rates, current, supported rates, power save, connection-related statistics, and APSD-related information.
- CSCsq13610—WCS allows special characters in the primary, secondary, and tertiary controller names and access point names, but the controller does not, making the overall behavior inconsistent.
Workaround: Do not use special characters in the primary, secondary, and tertiary controller names and access point names when you configure them on the controller.
- CSCsq14310—If the Allow AAA Override option is enabled for a WLAN, the guest role might not be applied for the local net user.
Workaround: Disable the Allow AAA Override option.
- CSCsq14326—A 4400 series controller using a Cisco ACS as a TACACS+ server does not log these CLI commands into the ACS:
– config hreap group name add
– config hreap group name ap add 00:1c:58:34:40:cc
– config hreap group name ap add 00:1a:a1:3f:07:08
– config hreap group name delete
- CSCsq14833—When using VLSM, if the fourth octet of the management IP address is the same as the fourth octet of the broadcast address of another interface on the controller, the controller does not respond to access point discoveries.
Workaround: Change the IP address of the management interface.
- CSCsq19324—If you enter a long value for the access control list (ACL) name on the Access Control Lists page of the controller GUI and click Apply, the value appears in HTML text below the ACL Name field.
- CSCsq19472—Cisco Compatible Extensions RM measurements are inaccurate if beacon, channel load, frame, and noise histograms are triggered together.
Workaround: Trigger the RM measurements one at a time.
- CSCsq21956—An error occurs when you create a guest user and then try to edit the guest user’s parameters such as lifetime, role, and so on through the controller GUI.
Workaround: Use the controller CLI to edit the guest user’s parameters.
- CSCsq23594—When a CCXv5 request is manually sent to a CCXv5 client, an emergency log message is written to the log and sent to any configured syslog servers.
- CSCsq25129—A controller software upgrade might fail with a Nessus scan running.
Workaround: Stop the Nessus scan and reboot the controller.
- CSCsq26051—When a Cisco terminal server connects to the controller but the user is not logged in through the console, the controller might hang after a reboot.
Workaround: Remove the console connection cable from the Cisco terminal server.
- CSCsq26491—The show ap uptime CLI command might contain some bogus values.
- CSCsq29243—When you configure the 802.11h channel switch mode, you should be able to enter only 0 or 1, but you can enter any value.
- CSCsq30821—When a WLAN is configured on two controllers using web authentication and the WLAN is on a different VLAN on each controller, web authentication can be bypassed if a client roams from one controller to another controller and then back to the first controller.
Workaround: Make sure that any WLAN spanning two controllers using web authentication is on the same VLAN on both controllers.
- CSCsq31622— An SNMP error occurs when you enable voice and video parameters on the controller using WCS.
Workaround: Disable all WMM-enabled WLANs and enable voice and video parameters.
- CSCsq32038—The config interface CLI command allows up to 31 characters to be entered for the interface name. It should allow up to 32 characters.
- CSCsq34262—A traceback might occur if you include three controllers in the same mobility group and enable a dynamic interface on all of them.
Workaround: Reset the controller.
- CSCsq35402—After you upgrade the controller to software release 184.108.40.206, the following error message appears on the console of the Cisco WiSM controllers: “Mon May 19 12:56:44 2008: dtlARPProtoRecv: Invalid ARP packet!”
- CSCsq35574—The Authorityid and the server key do not accept a value of 17 or greater.
- CSCsq35590—If you change a 1240 series access point’s country of operation from Spain to the U.S., tracebacks might occur while the access point joins the controller.
Workaround: None; you can safely ignore the tracebacks.
- CSCsq37810—If you add a controller to WCS and later reboot the controller, WCS does not receive the trap for a cold start, which prevents it from pushing the configuration back to the controller.
Workaround: Manually push the configuration from WCS.
- CSCsq38075—If you change a 1240 series access point’s country of operation to Spain, tracebacks might appear on the access point console.
Workaround: None; you can safely ignore the tracebacks.
- CSCsq38700—If you change the power level on an access point radio while clients are associated to the access point, the controller might display DOWN for the operational status of that radio. However, clients continue to pass traffic and function properly.
- CSCsq47493—The cLReapApVlanId is not being updated on the controller, and the API is not throwing any exception to indicate that it has not been set.
Workaround: First change the native VLAN ID. Then change the cLReapApVlanId.
- CSCsq55045—The IAPP-3-MSGTAG015 and other controller IAPP messages are not documented or documented inadequately.
Workaround: None. The CAPWAP packet message format is documented in the IETF draft.
- CSCsq65895—If a DHCP server is not configured on a WLAN or interface, the config dhcp proxy enable CLI command returns the following message, even if all WLANs do not require DHCP: “Some WLAN configurations are inconsistent with the new configuration of the DHCP Proxy. Please check the message log ('show msglog') for details.”
Workaround: Configure a valid (or dummy) DHCP address on the WLAN or interface.
- CSCsq74144—The controller does not show the channel on which an access point in sniffer mode is sniffing. It shows only the last channel on which the access point was broadcasting in local mode.
- CSCsq78560—You can configure port mirroring on 4400 series controllers although this feature is not supported on those controllers.
Workaround: Do not use port mirroring on 4400 series controllers.
- CSCsq83787—The port mirroring feature is not implemented on 4400 series controllers and should be removed. This is a legacy feature on 4000 series controllers and is no longer supported.
- CSCsq83810—STP commands should be removed from the controller GUI and CLI. They are no longer supported and might cause undesired effects when interacting with PSVT.
- CSCsr02316—Some SNMPSet operations show a successful status even though the controller is truncating the string.
Workaround: Set a shorter value for the string.
- CSCsr44439—The web authentication page does not load on the browser when the client connects through a wired guest VLAN on a controller running software release 220.127.116.11.
- CSCsr45163—When IPv6 clients move from an access point group or VLAN to a new access point group or VLAN, they lose connectivity because all traffic is forwarded to the old VLAN.
Workaround: Configure the clients with a static IPv6 address.
- CSCsr53764—When workgroup bridges (WGBs) are installed on a train and clients joined to the WGBs are running some type of application, the WGBs roam very quickly between access points, and some wired clients might become stuck at a specific access point.
Workaround: Reset the WGBs, enter the clear bridge command on the WGBs, or wait for the WGBs to roam back to the access point where the client is stuck.
- CSCsr58532—The following error message might appear on 2106 controllers: “sim_config.c:194 SIM-3-INTFGET_GIG_ETH_FAIL: Failed to get the interface number of the Gigabit Ethernet Port.”
- CSCsr63100—The controller’s message log sometimes fills with “sysapi.c:160 SYSTEM-3-SYSAPI_ERR” messages after dump-low-level debugs are run.
- CSCsr72091—The radio resource management (RRM) feature in controller software release 18.104.22.168 is not providing consistent results from coverage hole events and channel assignments.
- CSCsr89694—On Cisco WiSM controllers running software release 22.214.171.124, trap logs are generated indicating that the control path between two random mobility members is down. About 10 to 20 minutes later the control path comes back up.
- CSCsu03464—The input radio statistics are incorrect on a 1250 series access point running software release 126.96.36.199.
- CSCsu04143—The radio resource management (RRM) process on the controller can start allocating all available timers, until the controller is unable to register new timers for other processes.
Workaround: Reset the controller.
- CSCsu07730—When you try to configure a network address for the AP-manager on a 4400 series controller, an “Invalid IP” error message sometimes appears.
- CSCsu09424—A 2100 series controller might reboot when you attempt to upgrade the software from a 4.2 release to a 5.2 release.
- CSCsu24197—Users need the ability to limit the number of associations per access point or WLAN on the controller.
- CSCsu31680—The AIRESPACE-SWITCHING-MIB contains a missing entry for 188.8.131.52.4.1.14184.108.40.206.5.
- CSCsu40636—The access point sometimes violates the CTS duration when receiving a U-APSD trigger frame. Instead of waiting for a few milliseconds to protect an upcoming link exchange, it simply transmits the trigger frame.
Workaround: Configure the client to carry through medium reservation time in subsequent frames.
- CSCsu40720—The following message might appear on the controller console without further explanation:
Thu Sep 4 20:58:24 2008: mmMfpRequestedState: *** FIXME: Need to update BSSID state distributed to APs for 00:1E:4A:E0:00:A0 radio 1
- CSCsu44722—The following invalid error message appears when you enable IPv6 for a mobility-anchor-enabled WLAN: “Cannot enable IPv6-bridging when DHCP Address Assignment is enabled for WLAN.” You can safely ignore these messages.
- CSCsu47888—The crash file or controller console should show whether a core dump was generated following a crash and successfully uploaded to a TFTP server.
- CSCsu50080—When you enable web authentication pass-through with email input selected, the controller allows any text to be entered rather than verifying that the email address has been entered in a valid address format.
- CSCsu52837—Preauthenticated clients cannot reach web-authenticated clients on the same WLAN.
- CSCsu72717—The name is corrupted in the interrupt session of the Cisco WiSM controller’s crash file.
- CSCsu76295—If you try to manage a controller without web authentication by configuring the pre-authentication ACL to allow traffic in both directions, you cannot reach the management interface. You can access the management interface only after web authentication.
- CSCsu80604—The memory monitor configuration returns to default values after the controller reboots.
- CSCsu84498—The transmit diversity for multicast-broadcast packets is not alternating on the 1240 series access point’s antenna ports.
- CSCsu84629—The 1250 series access points change from maximum uniform transmit power back to maximum transmit power on neighbor discovery packets.
- CSCsu86627—The controller currently issues commands to transmit single neighbor discovery packets. However, the controller should issue bursts of neighbor discovery packets to access point radios in order to force radio transmit power control loops to settle at new power settings.
- CSCsu89905—The following error message might appear on a controller running software release 220.127.116.11 during boot-up:
dtl_cfg.c:714 DTL-3-CALLBACK_PROC_FAILED: Callback for command:26 failed for user port: 0/0/x
- CSCsu90052—The following error message might appear on 4400 series controllers: “sim_config.c:194 SIM-3-INTFGET_GIG_ETH_FAIL: Failed to get the Interface number of the Gigabit Ethernet Port.”
Workaround: Clear the configuration and reconfigure the controller.
- CSCsu90074—The following error message might appear on the controller at boot-up: “sim.c:272 SIM-3-INVALID_PORT: Using invalid port number. Port out of range. Port # 0.”
- CSCsu90097—The following error message might appear on the controller: “spam.c:449 LWAPP-2-SEM_CREATE_ERR: Could not create semaphore for notifying AP registration.”
- CSCsu90112—The following error message appears on the controller at boot-up, even though symmetric mobility tunneling is disabled: “dtl_ds.c:428 DTL-3-DSNET_CONF_FAILED: Unable to set symmetric mobility tunneling to enabled on Distribution Service interface.”
Workaround: Clear the controller configuration and reconfigure the controller.
- CSCsu98641—The core-dump configuration does not show in the running configuration on the Cisco WiSM.
- CSCsv18730—Controllers sometimes unicast an ARP check to the default gateway every 5 to 7 seconds rather than using the configured ARP timeout interval.
- CSCsv76513—On a 2100 series controller, the WLANs for the 802.11a and 802.11b/g access point radios might show the same BSSID while the same access point on a 4400 series controller shows the correct BSSIDs.
- CSCsv79885—If you initially enter an incorrect mobility group name, the Edit All feature does not save the new mobility group name.
Workaround: Delete the mobility member and re-enter it with the correct name.
- CSCsw25810—When you use the GUI to configure a RADIUS server for a wired guest LAN on a controller running software release 18.104.22.168, a browser error might occur.
Workaround: Use the controller CLI to configure the RADIUS server.
- CSCsw45913—The wrong access control list (ACL) might be applied when the AAA override option is enabled.
Workaround: Disable the AAA override option.
- CSCsw53035—When a controller running software release 22.214.171.124 (with hybrid-REAP local switching and hybrid-REAP VLAN mode enabled) sends a ping reply to a wireless client, the destination MAC address is the client MAC address. As a result, the Layer 3 switch cannot transfer the ping reply packet.
- CSCsw93671—Packets sourced from the service port are sent from the controller even when the service port is not connected to the network.
- CSCsx05502—A guest-access anchor controller stops forwarding traffic to the wired clients.
Workaround: Reset the PC card on the client.
- CSCsx07443—WCS traffic stream metrics reports sometimes show the packet loss ratio (PLR) at 100000%. It should be less than or equal to 100%.
- CSCsx41062—Controllers sometimes reject valid NTP packets and label them spurious.
Workaround: Use a Cisco router as your NTP server.
- CSCsx50408—LWAP DOS Attack trap messages sometimes fail to record the source MAC address.
- CSCsx51635—On controllers, DHCP proxy is enabled by default, but it should be disabled by default.
Workaround: Use the config dhcp proxy disabled command to disbale DHCP proxy on the controller.
- CSCsx53685—Output of the show run-config p config CLI command always displays default values for Power Type/Mode.
- CSCsx60265—802.11b clients might experience poor performance with 1130 and 1240 series access points.
- CSCsx64115—If you clear the configuration for a 4400 series controller and then reset the controller without saving the configuration, the following error log appears on the controller console: “dtlArpRequest: Cannot send an ARP reply to 00:0B:85:32:58:C0.”
- CSCsx67133—The 4.2 controller software includes some mesh configuration options in the GUI and CLI even though the 4.2 software does not support mesh access points.
Workaround: Ignore the mesh options in 4.2.x software releases, or upgrade the controller software if you require mesh support.
- CSCsx70686—When you enable RLDP on the controller, the radio interfaces on 1250 series access points are sometimes disabled, and the radios stop sending beacons and probes.
Workaround: Disable RLDP and reset the access point.
- CSCsx73649—1140 series access points join the controller, drop off, and then join again repeatedly, and appear on the controller GUI.
- CSCsx75375—Controllers sometimes fail to display an error message when you save a configuration without entering a name for the configuration.
- CSCsx75442—2106 controllers sometimes display this message during software upgrade:
Routine system resource notification.
You can safely ignore these messages.
- CSCsx75726—When DHCP proxy is enabled, controllers sometimes change the value in the siaddr field in the DHCP offer that is forwarded from the external DHCP server to the wireless client. Controllers change the value from the IP address of the external DHCP server to the virtual IP address of the controller. This change causes a delay when clients disassociate and then reassociate.
Workaround: Use the config dhcp proxy disabled command to disbale DHCP proxy on the controller.
- CSCsx75745—When you enter show route ummary on the controller CLI, the controller displays Genmask instead of subnetmask.
Workaround: On the controller GUI, click Controller > Network Routes to see the network route with subnetmask.
- CSCsx75872—When a client device connected to a workgroup bridge deauthenticates and then reauthenticates, it fails to receive an IP address through DHCP.
Workaround: Force the workgroup bridge to reauthenticate to the wireless LAN; the client devices connected to the workgroup bridge then successfully receive IP addresses.
- CSCsx96204—Controllers fail to mark disabled client devices as excluded.
- CSCsy03762—Local-Eap authentication fails the controller’s issuer check when the controller and client certificates are from the same SubCA.
Workaround: Disable these three controller settings:
– Check against CA certificates
– Verify certificate CN identity
– Check certificate date validity
- CSCsy15449—When you enable Validate Rogue Clients against AAA and you configure multiple RADIUS servers on the controller, the controller uses the second RADIUS server to validate the rogues.
- CSCsy15897—Off-channel scanning sometimes fails on 1232 series access points.
- CSCsy19477—When a guest user is logged in and logged out using web auth, inccorrect messages appear on the controller console.
- CSCsy30696—Wism controllers sometimes fail to receive an initial Service IP address through DHCP.
Workaround: Toggle the wism service-vlan [ vlan_id ] command.
- CSCsy31678—When you use the controller CLI to enter a fingerprint SHA value for the CIDS sensor, the fingerprint value does not appear on the controller GUI.
- CSCsy31942—4404 controllers add the incorrect 802.1p tag on uplink traffic sent with a bronze QoS profile.
- CSCsy32145—You can only configure HTTP/HTTPS globally on the controller.
- CSCsy37499—Controllers sometimes reboot unexpectedly at software task 0x10bb4ccc.
- CSCsy50470—The show wlan summary command is case-sensitive, but it should not be.
Workaround: Enter show wlan summary in lower-case letters on the CLI.
- CSCsy62007—Controllers sometimes drop the DHCP inform packet when a client device is in DHCP required state.
Workaround: Use the config dhcp proxy disabled command to disbale DHCP proxy on the controller.
- CSCsy71541—Controllers sometimes fail to clear TSPEC statistics when phones are associated to 1010 series access points.
- CSCsy79782—Controllers sometimes reset the uptime counter to zero when the uptime count reaches 497 days. When the counter resets to zero, client devices are disconnected.
Workaround: Reset the controller.
- CSCsy82585—2106 controllers fail to detect that a rogue access point is connected to the wired infrastructure.
- CSCsy83568—DHCP debug output does not contain mobility state information.
- CSCsy87329—When you enable WPA1 on the controller GUI, WPA2 is also sometimes enabled.
- CSCsy92080—External Webauth pages sometimes do not appear if the URL for the external page contains more than 64 characters.
Workaround: Use the controller CLI to configure Webauth and verify the configuration.
- CSCsy94826—The controller GUI limits your ability to change channel width on 1250 series access points. You must put Channel and Transmit Power into Custom mode, and the GUI allows you to change the channel width setting only to 40 MHz.
- CSCsy94911—When you try to delete a guest WLAN, the controller sometimes displays this message: “Anchors configured on WLAN - unable to delete WLAN entry,” even when no anchors are configured.
Workaround: Add an anchor to the guest WLAN and then delete the anchor; you can then delete the WLAN.
- CSCsy96551—When a PC tries to renew an IP address it had before (for example from home network), the controller’s internal DHCP server does not send an NAK frame. Instead the controller sends a DHCP ignore message and does not assign an IP address to the machine.
Workaround: Manually release and renew the IP address on the PC.
- CSCsy99807—RLDP sometimes fails to detect that Linksys 802.11n access points are wired to the infrastructure.
- CSCsy99905—RLDP consistently finds wired threats only when you use it manually.
- CSCsz03162—When a controller is configured to allow only 802.11g traffic, 802.11b client devices are able to successfully associate to an access point but cannot pass traffic.
Workaround: When you configure the controller for 802.11g traffic only, disable any channels (such as channel 14 in Japan) that allow associations from 802.11b client devices.
- CSCsz09498—When client devices trigger the auto-immune code on a controller, it can be difficult to determine how exactly the client device violated the auto-immune rules.