Release Notes for Cisco Catalyst 9800 Series Wireless Controller, Cisco IOS XE Cupertino 17.9.x
Introduction to Cisco Catalyst 9800 Series Wireless Controllers
The Cisco Catalyst 9800 Series Wireless Controllers comprise next-generation wireless controllers (referred to as controller in this document) built for intent-based networking. The controllers use Cisco IOS XE software and integrate the radio frequency (RF) capabilities from Cisco Aironet with the intent-based networking capabilities of Cisco IOS XE to create a best-in-class wireless experience for your organization.
The controllers are enterprise ready to power your business-critical operations and transform end-customer experiences:
-
The controllers come with high availability and seamless software updates that are enabled by hot and cold patching. This keeps your clients and services up and running always, both during planned and unplanned events.
-
The controllers come with built-in security, including secure boot, run-time defenses, image signing, integrity verification, and hardware authenticity.
-
The controllers can be deployed anywhere to enable wireless connectivity, for example, on an on-premise device, on cloud (public or private), or embedded on a Cisco Catalyst switch (for SDA deployments) or a Cisco Catalyst access point (AP).
-
The controllers can be managed using Cisco Catalyst Center, programmability interfaces, for example, NETCONF and YANG,or web-based GUI or CLI.
-
The controllers are built on a modular operating system. Open and programmable APIs enable the automation of your day zero to day n network operations. Model-driven streaming telemetry provides deep insights into your network and client health.
The controllers are available in multiple form factors to cater to your deployment options:
-
Catalyst 9800 Series Wireless Controller Appliance
-
Catalyst 9800 Series Wireless Controller for Cloud
-
Catalyst 9800 Embedded Wireless Controller for a Cisco Switch
Note |
All the Cisco IOS XE programmability-related topics on the controllers are supported by DevNet, either through community-based support or through DevNet developer support. For more information, go to https://developer.cisco.com. |
What's New in Cisco IOS XE Cupertino 17.9.6
There are no new features in this release.
What's New in Cisco IOS XE Cupertino 17.9.5
Feature Name |
Description and Documentation Link |
---|---|
Cloud Monitoring for Catalyst Controllers |
The Cloud Monitoring for Catalyst Controllers feature helps to monitor Wireless Controllers using the Meraki dashboard. Currently, this feature is in a limited customer beta and is not supported by Cisco TAC. For more information on this feature, see Cloud Monitoring for Catalyst. For further help, contact the following mailerlist: c9800-dashboard-monitoring@external.cisco.com |
Modified Trustpoints for Secure Unique Device Identity (SUDI) Certificates |
From Cisco IOS XE 17.9.5 onwards, the following changes have been introduced for trustpoints:
|
What's New in Cisco IOS XE Cupertino 17.9.4a
There are no new features in this release. This release provides a fix for CSCwh87343: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability. For more information, see Security Advisory: cisco-sa-iosxe-webui-privesc-j22SaA4z.
What's New in Cisco IOS XE Cupertino 17.9.4
Feature Name |
Description and Documentation Link |
||
---|---|---|---|
ROW Support for UAE Country |
From this release, ROW domain country code United Arab Emirates (AE) is supported on Cisco Catalyst IW9167E Heavy Duty Access Points. |
||
Product Analytics |
This feature allows for the collection of non-personal usage device systems information for Cisco products, which helps in continuous product improvements. This feature is supported on the Cisco Catalyst 9800 Series Wireless Controllers (9800-80, 9800-40, 9800-L, and 9800-CL). You can use the the pae command to enable or disable this feature. The following commands are introduced as part of this feature:
Important: Cisco is constantly striving to advance our products and services. Knowing how you use our products is key to accomplishing this goal. To that end, Cisco will collect device and licensing Systems Information through Cisco Smart Software Manager (CSSM) for product and customer experience improvement, analytics, and adoption. Cisco processes your data in accordance with the General Terms and Conditions, the Cisco Privacy Statement and any other applicable agreement with Cisco. To modify your organization’s preferences for device and licensing systems information, use the paecommand. See Cisco Catalyst 9800 Series Wireless Controller Command Reference → pae. Additional information on this feature can be found here . |
What's New in Cisco IOS XE Cupertino 17.9.3
Feature Name |
Description and Documentation Link |
||
---|---|---|---|
Cisco Catalyst IW9167E Heavy Duty Access Point |
Cisco Catalyst IW9167E Heavy Duty Access Point is supported from this release and can operate as a Wi-Fi 6 AP or Cisco Ultra-Reliable Wireless Backhaul. |
||
Site Load Balancing |
This feature allows you to specify a site load for better load balancing. For more information, see the Chapter Enhanced Site Tag-Based Load Balancing. |
||
Support for KVM/SUSE version 15 SP3 with Cisco Catalyst 9800-CL in Private Cloud |
Limited support to SDA Wireless deployments for Cisco Catalyst 9800-CL running on KVM/SUSE version 15 SP3. |
||
Wave 1 Access Points |
Support for the following Wave 1 APs are reintroduced from this release.
For more information on support for Wave 1 APs, see the FAQ. |
What's New in Cisco IOS XE Cupertino 17.9.2
Feature Name |
Description and Documentation Link |
||
---|---|---|---|
AP Fallback to Controllers Using AP Priming Profile |
This feature helps to configure primary, secondary, and tertiary controllers for a group of APs matching regular expression (regex) or for an individual AP using priming profiles. The following commands are introduced:
For more information, see the Chapter AP Fallback to Controllers Using AP Priming Profile. |
||
Country Compliance Support for Cisco Catalyst 9136 Series Access Points and Cisco Catalyst 916x Series Access Points |
An additional 75 countries are supported in Cisco Catalyst 916x Series Access Points and Cisco Catalyst 9136 Series Access Points. For more information about the list of countries that are supported, see the Chapter Regulatory Compliance Domain. |
||
IPv6 Address Tracking for Wireless Clients |
Until Cisco IOS XE 17.9.1, the controller supported a maximum of eight IPv6 addresses per wireless client. After eight IPv6 addresses were learnt for a wireless client, the controller dropped that wireless client's data traffic coming with new IPv6 source addresses. However, in Cisco IOS XE 17.9.2, the controller allows data traffic of the wireless clients coming with new IPv6 source addresses even after eight addresses have been learnt for respective wireless clients. The controller continues to learn new IPv6 addresses of the wireless clients from the wireless clients' control traffic (IPv6 NS/NA and DHCPv6), but keeps track of only a maximum of eight addresses (the latest) per wireless client.
The following command is supported: wireless ipv6 nd ns-forward For more information, see the Chapter IPv6 Client IP Address Learning. |
||
Support for Cisco Catalyst 9162I Series Wi-Fi 6E Access Points |
From Cisco IOS XE Cupertino 17.9.2, Cisco Catalyst 9162I Series Wi-Fi 6E Access Points are supported. |
||
Support for Terminal Doppler Weather Radar Channels 120, 124, 128 for -E Regulatory Domain |
Terminal Doppler Weather Radar (TDWR) channels 120, 124, and 128 for the -E regulatory domain are supported in the following APs:
|
||
UNII-3 Band on ROW Regulatory Domain for UK Cisco Catalyst 9136I and Cisco Wireless 916xI Access Points |
From Cisco IOS XE Cupertino 17.9.2, UNII-3 channels are enabled for the country code GB under the -ROW domain on the Cisco Catalyst 9136I and Cisco Wireless 916xI access points. The maximum Tx power on these non-Dynamic Frequency Selection (DFS) channels is 23dBm. This feature is enabled automatically after you upgrade to Cisco IOS XE Cupertino 17.9.2. Use the show controllers dot11Radio command to verify the channel list information after the upgrade. |
||
Wi-Fi Protected Access 3 Simultaneous Authentication of Equals Hash-to-Element Support with Identity PSK |
From Cisco IOS XE Cupertino 17.9.2, the iPSK passphrase is supported for SAE H2E authentication in local mode. During client SAE authentication, the Identity Preshared Key (iPSK) passphrase configured in the client authorization policy in the RADIUS server replaces the one in WLAN profile. Hence, the use of unique preshared keys for individuals is considered as a more secure and granular authentication scheme than using a common key for all the users in WLAN. If iPSK passphrase is not configured in the authorization policy, SAE H2E falls back to the passphrase in the WLAN profile. For more information, see the Chapter Wi-Fi Protected Access 3. |
||
VMware vSphere vMotion Support |
VMware vSphere vMotion is supported on the Cisco Catalyst 9800 Wireless Controller for Cloud. For more information, see https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-wireless-controllers-cloud/218438-verify-support-vmware-vsphere-vmotion-wi.html#anc6 and https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-cl-wireless-controller-cloud/nb-06-cat9800-cl-wirel-cloud-dep-guide-cte-en.html. |
MIBs
The following MIB is newly added or modified:
-
CISCO-ENVMON-MIB
What's New in Cisco IOS XE Cupertino 17.9.1
Feature Name |
Description and Documentation Link |
||
---|---|---|---|
802.11r Fast Transition for SAE (FT-SAE) Authenticated Clients |
From this release, the Fast Transition supports SAE-based Fast Roaming along with PMK caching. The following command is introduced:
For more information, see the chapter 802.11r BSS Fast Transition. |
||
Access Points Survey Mode Support in Cisco Catalyst 9136 Series Access Points, Cisco Catalyst 9164 Series Wi-Fi 6E Access Points, and Cisco Catalyst 9166 Series Wi-Fi 6E Access Points |
In this release, you can use the ap-type survey command to switch the AP to the survey mode. The AP GUI is also enhanced to support the survey mode. This feature is supported on Cisco Catalyst 9136 Series APs, Cisco Catalyst 9164 Series Wi-Fi 6E APs, and Cisco Catalyst 9166 Series Wi-Fi 6E APs. For more information, see the chapter Access Points Survey Mode. |
||
Authentication and Accounting Support for Both Radius and TACACS+ Servers for Standby Unit in an SSO Pair |
From this release, Authentication and Accounting is supported on RADIUS and TACACS+ servers for standby HA unit using RMI interface:
For more information, see the chapter Redundancy Management Interface. |
||
BLE Concurrent Scanning and Beaconing |
From this release, BLE concurrent scanning and beaconing is supported on Cisco Catalyst Wi-Fi 6 APs in basic mode or Cisco IOx mode. The BLE radio on an AP can stop a scan for beacon transmission, and return to the scan after completing the beacon transmission. For more information, see the chapter Cisco Hyperlocation. |
||
Chargeable User Identity in RADIUS Accounting |
Chargeable User Identity (CUI) is a unique identifier for a client visiting a network. This attribute can be used as an alternative for the client’s username as part of the authentication process. The following command is introduced:
For more information, see the chapter RADIUS Accounting. |
||
Cisco AI-Enhanced RRM Supports Wi-Fi 6E |
From this release, the Cisco's AI-Enhanced RRM feature in Cisco DNA Center supports Wi-Fi 6E. For more information, see the chapter Radio Resource Management. |
||
CleanAir Pro Scanning Support in 2.4-GHz and 5-GHz Bands |
The CleanAir Pro Scanning feature monitors and reports the different categories of non-Wi-Fi interference in the 2.4-GHz and 5-GHz bands. The following commands are introduced:
For more information, see the chapter CleanAir. |
||
Concurrent Radio Support for Workgroup Bridge Wireless Clients on Cisco Catalyst Access Points |
From this release onwards, Workgroup Bridge supports one radio for uplink (backhaul) connectivity and another radio for serving wireless clients. This feature is supported on Cisco Catalyst 9105 APs, Cisco Catalyst 9115 APs, and Cisco Catalyst 9120 APs. The following commands are introduced on the AP console:
For more information, see the chapter Workgroup Bridges. |
||
Configuring mDNS Location-Based Filtering Using Location Group |
From this release, the AP grouping for mDNS is extended to include AP locations. The following commands are introduced:
For more information, see the chapter Multicast Domain Name System. |
||
Configuring the AP Console |
This feature allows you to configure the AP console from the controller. The following command is introduced:
For more information, see the chapter Configuring the AP Console. |
||
Flexible Radio Assignment Support in Cisco Catalyst 9166I Series Wi-Fi 6E Access Points |
From this release onwards, the dual-band radio in Cisco Catalyst 9166I Series Wi-Fi 6E Access Points offers the ability to serve either in 5-GHz or 6-GHz band, as monitor or sniffer on the same AP. The following commands are introduced:
For more information, see the chapter Cisco Flexible Radio Assignment. |
||
High Availability Deployment for Application Centric Infrastructure (ACI) Network |
This feature avoids interleaving traffic between the old and new active controller using the following functionalities:
The following commands are introduced:
For more information, see the chapter High Availability. |
||
Interim Accounting |
From this release, the no accounting-interim command is introduced under the policy profile to disable interim accounting. For more information, see the chapter Interim Accounting. |
||
Link Layer Discovery Protocol Support in Standby Controller |
From this release, the Link Layer Discovery Protocol (LLDP) process is supported in both active and standby controllers. The following commands are introduced:
For more information, see the chapter Link Layer Discovery Protocol. |
||
Logging Web UI-Based Configuration Changes in TACACS+ Server |
This feature logs all the configuration changes made in the controller's UI. For more information, see the chapter Web UI Configuration Command Accounting in TACACS+ Server. |
||
Management Mode Migration in Cisco Catalyst 916x Series Wi-Fi 6E Access Points (CW9164 and CW9166) |
From this release onwards, in Cisco Catalyst 916x APs (CW9164 and CW9166) you can migrate management modes between DNA Management Mode (controller based) and Meraki Management Mode, depending on the requirement. The following commands are introduced:
For more information, see the chapter Management Mode Migration in Cisco Catalyst 916x Series Wi-Fi 6E Access Points. |
||
Mesh Backhaul RRM Support |
From this release onwards, RRM DCA runs on mesh backhaul in auto mode, when you configure the wireless mesh backhaul rrm auto-dca command. For APs that do not have dedicated (RHL) radios, DCA is triggered by running commands in privileged EXEC mode. Mesh RRM DCA runs in the background for RHL radio enabled APs. The following commands are introduced:
For more information, see the chapter Mesh Access Points. |
||
Mutual Authentication for gRPC Telemetry |
A new gRPC TLS profile that contains a pair of trustpoints was added to the telemetry configuration so that a client ID certificate can be specified for mutual authentication. This new profile can be used instead of the trustpoint containing the server CA certificate when configuring the receiver profile. The trustpoint containing the server CA certificate is now configured as part of the gRPC TLS profile. For more information, see the Programmability Configuration Guide. |
||
Quality of Service Gaps and Fixes in Cisco Catalyst 9800 Series Wireless Controllers |
This feature addresses the gaps in the existing metal policy implementation with reference to RFC 8325. With this enhancement, the existing hard-coded policy-maps and class-maps associated with each metal policy is modified as per RFC 8325, so that upstream and downstream ceiling is achieved. For more information, see the chapter Quality of Service. |
||
Regulatory Domain Reduction |
From Cisco IOS XE Cupertino 17.9.1, more countries are added to the Rest of the World (RoW) domain. For more information, see the chapter Regulatory Compliance Domain. |
||
Rogue Detection Enhancements on Cisco Catalyst 9164 and 9166 Series Wi-Fi 6E Access Points |
In this release, the rogue detection and containment functionality is enhanced to handle dual 5-GHz configuration on Cisco Catalyst 9164 Series Wi-Fi 6E APs and Cisco Catalyst 9166 Series Wi-Fi 6E APs. |
||
Rogue Full Scale Quotas and Priorities |
The Rogue Full Scale Quotas and Priorities feature helps you to improve the scalability, performance, manageability, and serviceability of rogue APs. The following commands are introduced:
For more information, see the chapter Managing Rogue Devices. |
||
RUM Report Throttling |
For all topologies where the product instance initiates communication, the minimum reporting frequency is throttled to one day. This means the product instance does not send more than one RUM report a day. The affected topologies are: Connected Directly to CSSM, Connected to CSSM Through CSLU (product instance-initiated communication), CSLU Disconnected from CSSM (product instance-initiated communication), and SSM On-Prem Deployment (product instance-initiated communication). This resolves the problem of too many RUM reports being generated and sent for certain licenses. It also resolves the memory-related issues and system slow-down that was caused by an excessive generation of RUM reports. You can override the reporting frequency throttling, by entering the license smart sync command in privileged EXEC mode. This triggers an on-demand synchronization with CSSM or CSLU, or SSM On-Prem, to send and receive any pending data. RUM report throttling also applies to the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train, and Cisco IOS XE Bengaluru 17.6.4 and later releases of the 17.6.x train. From Cisco IOS XE Cupertino 17.9.1, RUM report throttling is applicable to all subsequent releases. |
||
Site-Based Rolling AP Upgrade in N+1 Networks |
The Site-Based Rolling AP Upgrade in an N+1 Network feature allows you to perform a staggered upgrade of APs in each site in an N+1 deployment. The following commands are introduced:
For more information, see the chapter Site-Based Rolling AP Upgrade in an N+1 Network. |
||
Site-Based Rolling AP Upgrade using Netconf/YANG Models |
From Cisco IOS XE Cupertino 17.9.1, you can use NETCONF/YANG models to configure site-based APSP and N+1 hitless software upgrade. For more information, see the Programmability Configuration Guide at: https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-17/products-installation-and-configuration-guides-list.html For more information on the YANG models, see the Cisco IOS XE Programmability Configuration Guide and YANG Data Models on Github at: https://github.com/YangModels/yang/tree/master/vendor/cisco/xe. You can contact the Developer Support Community for NETCONF/YANG features at: |
||
Support 6-GHz radio for Canada |
In this release, Canada (CA) is added to the list of countries supporting 802.11 6-GHz radio band. |
||
Support for Cisco Catalyst 9164I Series Wi-Fi 6E Access Points and Cisco Catalyst 9166I Series Wi-Fi 6E Access Points |
From this release onwards, Cisco Catalyst 9164I Series Wi-Fi 6E Access Points and Cisco Catalyst 9166I Series Wi-Fi 6E Access Points are supported. |
||
Support for RFC 5580 Location Attributes in the Controller |
This feature uses the RFC 5580 location attributes to convey location-related information for authentication and accounting exchanges. The following commands are introduced:
For more information, see the chapter Configuring RFC 5580 Location Attributes. |
||
VLAN Group to Support DHCP and Static IP Clients |
The VLAN Group to Support DHCP and Static IP Clients feature aims to handle the network access of clients whose static IP address is not a part of the VLAN's IP list. For more information, see the chapter VLAN Groups. |
||
Walkme for Usage and Troubleshooting |
The following new workflows have been implemented:
|
||
Wireless Rogue Channel Width Support |
In this release, the Wireless Rogue Channel Width feature is supported. Rogue channel width changes are implemented at the TDL level. Because the telemetry child table cannot be accessed by Cisco DNA Center because of the TDL limitation, all radio band information is now available in the top-level table. Telemetry data can be validated through the SSH Netconf console to check the correct radio band with channel width values. |
||
TrustSec Support in Cisco Catalyst Wi-Fi 6 Access Points |
From this release onwards, Cisco Catalyst Wi-Fi 6 Access Points support TrustSec feature with the controller.
|
||
Zero Wait Dynamic Frequency Selection |
When an access point (AP) moves to Dynamic Frequency Selection (DFS) channel, a service outage can occur. This feature helps to avoid service outages in regulatory domains. As of now, the US and Europe are the only supported domains. For more information, see the chapter Dynamic Frequency Selection. |
Feature Name |
GUI Path |
---|---|
802.11r Fast Transition for SAE Authenticated Clients |
|
Additional Client Information on Client 360 View |
|
Configuring the AP Console |
|
Flexible Radio Assignment Support in Cisco Catalyst 9166I Series Wi-Fi 6E Access Points |
|
Management Mode Migration in Cisco Catalyst 916x Series Wi-Fi 6E Access Points (CW9164 and CW9166) |
|
Site-based Rolling AP Upgrade in N+1 Networks |
|
MIBs
The following MIBs are newly added or modified:
-
AIRESPACE-WIRELESS-MIB
-
CISCO-LWAPP-AP-MIB
-
CISCO-LWAPP-MOBILITY-MIB
-
CISCO-LWAPP-RF-MIB
-
CISCO-LWAPP-RRM-MIB
-
CISCO-LWAPP-SI-MIB
-
CISCO-LWAPP-TAGS-MIB
-
CISCO-LWAPP-WLAN-MIB
-
CISCO-LWAPP-WLAN-SECURITY-MIB
Behavior Changes
-
The Cisco Centralized Key Management (CCKM) feature is being deprecated from Cisco IOS XE Dublin 17.10.x.
-
The J2 country code is not supported for Japan. Use J4 as country code for Japan, instead of J2.
-
The following commands are effective only in service-peer mode:
For information on service-peer, see the Understanding Local Area Bonjour for Wireless FlexConnect Mode section in the chapter Configuring Local Area Bonjour for Wireless FlexConnect Mode.
-
query-response
-
sdg-agent
-
service-announcement-count
-
service-announcement-timer
-
service-mdns-query
-
service-query-count
-
service-query-timer
-
service-receiver-purge
-
active-response
-
-
If wireless multicast is disabled in service-peer mode, the mDNS packets are sent to each CAPWAP interface. If wireless multicast and multicast tunnel are enabled, the mDNS packets are sent over multicast tunnel.
-
The install commands cannot be executed if there is any unsaved configuration with or without the prompt-level option.
-
If location is not specified in the service policy, the location is considered from the global mDNS gateway. By default, the global mDNS gateway location is defined as lss .
-
When country is configured in the AP profile, you cannot override it using the per-AP country configuration.
-
You cannot see 802.1x passwords in cleartext from this release because they are encrypted. If you downgrade to an earlier image that doesn't support an encrypted password, the APs will get stuck and repeatedly fail the dot1x authentication due to wrong credentials. You will need to disable 802.1x on the AP switch port to allow the AP to join the controller before setting the cleartext password.
-
The output of the following show commands are updated:
-
show ap dot11 cleanair device type
-
show ap name dot11 cleanair device
-
show ap dot11 5ghz SI device type
-
show ap name dot11 SI device
-
-
The following commands are introduced:
-
ap name dot11 24ghz cleanair
-
ap name dot11 5ghz cleanair
-
ap name dot11 6ghz cleanair
The following commands are deprecated:
-
ap name dot11 24ghz slot cleanair
-
ap name dot11 5ghz slot cleanair
-
ap name dot11 dual-band cleanair band
-
ap name dot11 ap name dot11 dual-band slot cleanair band
-
ap name dot11 dual-band cleanair band
-
ap name dot11 ap name dot11 dual-band slot cleanair band
-
ap name dot11 ap name dot11 dual-band slot cleanair
-
ap name dot11 rx-dual-band slot cleanair band
-
ap name dot11 rx-dual-band slot cleanair
-
-
Information on FIPS is added to the output of the AP show security system state command.
-
Device analytics reports are cached for five minutes before they are made available through the show wireless client mac stats pc-analytics command.
-
TLS 1.3 is supported for HTTPS communication on web administration from this release onwards.
-
The following table describes the deprecated and replaced show commands:
Table 7. Deprecated and Replaced Show Commands Deprecated Commands
Replaced Commands
show ap persona meraki capability summary
show ap management-mode meraki capability summary show ap persona meraki change summary
show ap management-mode meraki change summary
show ap persona meraki failure summary
show ap management-mode meraki failure summary
-
The ap name <ap-name> persona meraki [force] [noprompt] command is deprecated and replaced with ap name <ap-name> management-mode meraki [force] [noprompt] command.
-
The USB port in the AP profile is disabled by default.
If you are using Cisco IOx application with USB dongles, re-configure the USB port in the AP profile on reload, to ensure that the USB port is enabled before the APs join.
For more information about the workaround, see the details in CSCvz07021.
-
Controller communicates with the dnaservices.com for Product Analytics and Automatic Frequency Coordination (AFC). Even when DNS is not configured in the controller, the controller uses the hardcoded DNS server. Even when Product Analytics is disabled for AFC, the controller still tries to reach the dnaservices.com.
Note
This applies from Cisco IOS XE Cupertino 17.9.4 release onwards.
-
From Cisco IOS XE Cupertino 17.9.5 release onwards, the Product Analytics is enabled by default.
For more information about Product Analytics, see Wireless Product Analytics FAQ.
-
From Cisco IOS XE Cupertino 17.9.5 release onwards, both internal and external APs in NAT deployments must use different AP join profiles when CAPWAP Discovery Private and Public are enabled separately. This is applicable to APs upgraded to Cisco IOS XE Dublin 17.12.x and later.
-
If you have configured CISCO_IDEVID_SUDI trustpoint in your configuration, you will need to replace it with CISCO_IDEVID_CMCA3_SUDI to avoid client connection and AP join issues. The reason for this change being the CISCO_IDEVID_SUDI changed from SW-SUDI certificate in previous releases to HW-SUDI certificate. The processing of HW-SUDI certificate is much slower than the SW-SUDI. Here, CISCO_IDEVID_CMCA3_SUDI is the new SW-SUDI certificate.
Note
This applies from Cisco IOS XE Cupertino 17.9.3 release onwards.
-
-
If Slot 0 is dual-band, execute the following command:
ap name <ap-name> dot11 dual-band shutdown
-
If Slot 0 is not dual-band, execute the following command:
ap name <ap-name> dot11 24ghz shutdown
-
Interactive Help
The Cisco Catalyst 9800 Series Wireless Controller GUI features an interactive help that walks you through the GUI and guides you through complex configurations.
You can start the interactive help in the following ways:
-
By hovering your cursor over the blue flap at the right-hand corner of a window in the GUI and clicking Interactive Help.
-
By clicking Walk-me Thru in the left pane of a window in the GUI.
-
By clicking Show me How displayed in the GUI. Clicking Show me How triggers a specific interactive help that is relevant to the context you are in.
For instance, Show me How in Configure > AAA walks you through the various steps for configuring a RADIUS server. Choose Configuration> Wireless Setup > Advanced and click Show me How to trigger the interactive help that walks you through the steps relating to various kinds of authentication.
The following features have an associated interactive help:
-
Configuring AAA
-
Configuring FlexConnect Authentication
-
Configuring 802.1X Authentication
-
Configuring Local Web Authentication
-
Configuring OpenRoaming
-
Configuring Mesh APs
Note |
If the WalkMe launcher is unavailable on Safari, modify the settings as follows:
|
Important Notes
-
To migrate public IP address from 16.12.x to 17.x. ensure that you configure the service internal command. If you do not configure the service internal command, the IP address does not carry forward.
-
The Cisco Aironet 2800 and 3800 APs do not reset an interface (to clear any Ethernet interface physical layer issues) if the Dynamic Host Configuration Protocol (DHCP) does not resolve the IP address within a certain duration.
Supported Hardware
The following table lists the supported virtual and hardware platforms. (See Supported PIDs and Ports for the list of supported modules.)
Platform |
Description |
---|---|
Cisco Catalyst 9800-80 Wireless Controller |
A modular wireless controller with up to 100-GE modular uplinks and seamless software updates. The controller occupies a 2-rack unit space and supports multiple module uplinks. |
Cisco Catalyst 9800-40 Wireless Controller |
A fixed wireless controller with seamless software updates for mid-size to large enterprises. The controller occupies a 1-rack unit space and provides four 1-GE or 10-GE uplink ports. |
Cisco Catalyst 9800-L Wireless Controller |
The Cisco Catalyst 9800-L Wireless Controller is the first low-end controller that provides a significant boost in performance and features. |
Cisco Catalyst 9800 Wireless Controller for Cloud |
A virtual form factor of the Catalyst 9800 Wireless Controller that can be deployed in a private cloud (supports VMware ESXi, Kernel-based Virtual Machine [KVM], Microsoft Hyper-V, and Cisco Enterprise NFV Infrastructure Software [NFVIS] on Enterprise Network Compute System [ENCS] hypervisors), or in the public cloud as Infrastructure as a Service (IaaS) in Amazon Web Services (AWS), Google Cloud Platform (GCP) marketplace, and Microsoft Azure. |
Cisco Catalyst 9800 Embedded Wireless Controller for Switch |
The Catalyst 9800 Wireless Controller software for the Cisco Catalyst 9000 switches brings the wired and wireless infrastructure together with consistent policy and management. This deployment model supports only Software Defined-Access (SDA), which is a highly secure solution for small campuses and distributed branches. |
The following table lists the host environments supported for private and public cloud.
Host Environment |
Software Version |
---|---|
VMware ESXi |
|
KVM |
|
AWS |
AWS EC2 platform |
NFVIS |
ENCS 3.8.1 and 3.9.1 |
GCP |
GCP marketplace |
Microsoft Hyper-V |
Windows Server 2019, and Windows Server 2016 (Version 1607) with Hyper-V Manager (Version 10.0.14393) |
Microsoft Azure |
Microsoft Azure |
The following table lists the supported Cisco Catalyst 9800 Series Wireless Controller hardware models.
The base PIDs are the model numbers of the controller.
The bundled PIDs indicate the orderable part numbers for the base PIDs that are bundled with a particular network module. Running the show version , show module , or show inventory command on such a controller (bundled PID) displays its base PID.
Note that unsupported SFPs will bring down a port. Only Cisco-supported SFPs (GLC-LH-SMD and GLC-SX-MMD) should be used on the route processor (RP) ports of C9800-80-K9 and C9800-40-K9.
Controller Model |
Description |
---|---|
C9800-CL-K9 |
Cisco Catalyst Wireless Controller as an infrastructure for cloud. |
C9800-80-K9 |
Eight 1/10-Gigabit Ethernet SFP or SFP+ ports and two power supply slots. |
C9800-40-K9 |
Four 1/10-Gigabit Ethernet SFP or SFP+ ports and two power supply slots. |
C9800-L-C-K9 |
|
C9800-L-F-K9 |
|
The following table lists the supported SFP models.
SFP Name |
C9800-80-K9 |
C9800-40-K9 |
C9800-L-C-K9 |
C9800-L-F-K9 |
---|---|---|---|---|
DWDM-SFP10G-30.33 |
Supported |
Supported |
— |
— |
DWDM-SFP10G-61.41 |
Supported |
Supported |
— |
— |
FINISAR-LR – FTLX1471D3BCL 1 |
Supported |
Supported |
— |
Supported |
FINISAR-SR – FTLX8574D3BCL |
Supported |
Supported |
— |
Supported |
GLC-BX-D |
Supported |
Supported |
Supported |
Supported |
GLC-BX-U |
Supported |
Supported |
Supported |
Supported |
GLC-EX-SMD |
Supported |
Supported |
— |
— |
GLC-LH-SMD |
Supported |
Supported |
Supported |
— |
GLC-SX-MMD |
Supported |
Supported |
Supported |
Supported |
GLC-T |
Supported |
— |
Supported |
— |
GLC-TE |
Supported |
Supported |
Supported |
Supported |
GLC-ZX-SMD |
Supported |
Supported |
Supported |
Supported |
QSFP-100G-LR4-S |
Supported |
— |
— |
— |
QSFP-100G-SR4-S |
Supported |
— |
— |
— |
QSFP-40G-BD-RX |
Supported |
— |
— |
— |
QSFP-40G-ER4 |
Supported |
— |
— |
— |
QSFP-40G-LR4 |
Supported |
— |
— |
— |
QSFP-40G-LR4-S |
Supported |
— |
— |
— |
QSFP-40G-SR4 |
Supported |
— |
— |
— |
QSFP-40G-SR4-S |
Supported |
— |
— |
— |
QSFP-40GE-LR4 |
Supported |
— |
— |
— |
SFP-10G-AOC10M |
Supported |
Supported |
— |
— |
SFP-10G-AOC1M |
Supported |
Supported |
— |
— |
SFP-10G-AOC2M |
Supported |
Supported |
— |
— |
SFP-10G-AOC3M |
Supported |
Supported |
— |
— |
SFP-10G-AOC5M |
Supported |
Supported |
— |
— |
SFP-10G-AOC7M |
Supported |
Supported |
— |
— |
SFP-10G-ER |
Supported |
Supported |
— |
— |
SFP-10G-LR |
Supported |
Supported |
— |
Supported |
SFP-10G-LR-S |
Supported |
Supported |
— |
Supported |
SFP-10G-LR-X |
Supported |
Supported |
— |
Supported |
SFP-10G-LRM |
Supported |
Supported |
— |
Supported |
SFP-10G-SR |
Supported |
Supported |
— |
Supported |
SFP-10G-SR-S |
Supported |
Supported |
— |
Supported |
SFP-10G-SR-X |
Supported |
Supported |
— |
Supported |
SFP-10G-ZR |
Supported |
Supported |
— |
— |
SFP-H10GB- ACU10M |
Supported |
Supported |
— |
Supported |
SFP-H10GB- ACU7M |
Supported |
Supported |
— |
Supported |
SFP-H10GB- CU1.5M |
Supported |
Supported |
— |
Supported |
SFP-H10GB-CU1M |
Supported |
Supported |
— |
Supported |
SFP-H10GB-CU2.5M |
Supported |
Supported |
— |
Supported |
SFP-H10GB-CU2M |
Supported |
Supported |
— |
Supported |
SFP-H10GB-CU3M |
Supported |
Supported |
— |
Supported |
SFP-H10GB-CU5M |
Supported |
Supported |
— |
Supported |
Optics Modules
The Cisco Catalyst 9800 Series Wireless Controller supports a wide range of optics. The list of supported optics is updated on a regular basis. See the tables at the following location for the latest transceiver module compatibility information:
https://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Network Protocols and Port Matrix
Source |
Destination |
Protocol |
Destination Port |
Source Port |
Description |
---|---|---|---|---|---|
Any |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
22 |
Any |
SSH |
Any |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
23 |
Any |
Telnet |
Any |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
80 |
Any |
HTTP |
Any |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
443 |
Any |
HTTPS |
Any |
Cisco Catalyst 9800 Series Wireless Controller |
UDP |
161 |
Any |
SNMP Agent |
Any |
Any |
UDP |
5353 |
5353 |
mDNS |
Any |
Cisco Catalyst 9800 Series Wireless Controller |
UDP |
69 |
69 |
TFTP |
Any |
DNS Server |
UDP |
53 |
Any |
DNS |
Any |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
830 |
Any |
NetConf |
Any |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
443 |
Any |
REST API |
Any |
WLC Protocol |
UDP |
1700 |
Any |
Receive CoA packets. |
AP |
Cisco Catalyst 9800 Series Wireless Controller |
UDP |
5246 |
Any |
CAPWAP Control |
AP |
Cisco Catalyst 9800 Series Wireless Controller |
UDP |
5247 |
Any |
CAPWAP Data |
AP |
Cisco Catalyst 9800 Series Wireless Controller |
UDP |
5248 |
Any |
CAPWAP MCAST |
AP |
Cisco Catalyst Center |
TCP |
32626 |
Any |
Intelligent capture and RF telemetry |
AP |
AP |
UDP |
16670 |
Any |
Client Policies (AP-AP) |
Cisco Catalyst 9800 Series Wireless Controller |
Cisco Catalyst 9800 Series Wireless Controller |
UDP |
16666 |
16666 |
Mobility Control |
Cisco Catalyst 9800 Series Wireless Controller |
SNMP |
UDP |
162 |
Any |
SNMP Trap |
Cisco Catalyst 9800 Series Wireless Controller |
RADIUS |
UDP |
1812/1645 |
Any |
RADIUS Auth |
Cisco Catalyst 9800 Series Wireless Controller |
RADIUS |
UDP |
1813/1646 |
Any |
RADIUS ACCT |
Cisco Catalyst 9800 Series Wireless Controller |
TACACS+ |
TCP |
49 |
Any |
TACACS+ |
Cisco Catalyst 9800 Series Wireless Controller |
Cisco Catalyst 9800 Series Wireless Controller |
UDP |
16667 |
16667 |
Mobility |
Cisco Catalyst 9800 Series Wireless Controller |
NTP Server |
UDP |
123 |
Any |
NTP |
Cisco Catalyst 9800 Series Wireless Controller |
Syslog Server |
UDP |
514 |
Any |
SYSLOG |
Cisco Catalyst 9800 Series Wireless Controller |
NetFlow Server |
UDP |
9996 |
Any |
NetFlow |
Cisco Catalyst 9800 Series Wireless Controller |
Cisco Connected Mobile Experiences (CMX) |
UDP |
16113 |
Any |
NMSP |
Cisco Catalyst Center |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
32222 |
Any |
Device Discovery |
Cisco Catalyst Center |
Cisco Catalyst 9800 Series Wireless Controller |
TCP |
25103 |
Any |
Telemetry Subscriptions |
Supported APs
The following Cisco APs are supported in this release.
Indoor Access Points
-
Cisco Catalyst 9105AXI Access Points
-
VID 04 or later - supported from 17.9.2
-
VID 03 or earlier - supported in all 17.9.x releases
-
-
Cisco Catalyst 9105AXW Access Points
-
VID 02 or later - supported from 17.9.2
-
VID 01 or earlier - supported in all 17.9.x releases
-
-
Cisco Catalyst 9115AX (I/E) Access Points
-
Cisco Catalyst 9117AXI Access Points
-
Cisco Catalyst 9120AX (I/E) Access Points
-
VID 07 or later - supported from 17.9.2
-
VID 06 or earlier - supported in all 17.9.x releases
-
-
Cisco Catalyst 9120AXP Access Points
-
Cisco Catalyst 9130AX (I/E) Access Points
-
VID 03 or later - supported from 17.9.2
-
VID 02 or earlier - supported in all 17.9.x releases
(For information about Cisco Catalyst 9105, 9120, or 9130 Access Points version support, see the Field Notice 72424.)
-
-
Cisco Catalyst 9136I Access Points
-
Cisco Catalyst 9162I Series Access Points - supported from 17.9.2
-
Cisco Catalyst 9164I Series Access Points
-
Cisco Catalyst 9166I Series Access Points
-
Cisco Aironet 1800I, 1815 (I/W), 1830 (I), 1840 (I), and 1850 (I/E) Access Points
-
Cisco Aironet 2800 (I/E) Series Access Points
-
Cisco Aironet 3800 (I/E/P) Series Access Points
-
Cisco Aironet 4800 Series Access Points
Support is reintroduced for the following APs from 17.9.3:
-
Cisco Aironet 1570 Series Access Points
-
Cisco Aironet 1700 Series Access Points
-
Cisco Aironet 2700 Series Access Points
-
Cisco Aironet 3700 Series Access Points
Outdoor Access Points
-
Cisco Aironet 1540 Series Access Points
-
Cisco Aironet 1560 Series Access Points
-
Cisco Industrial Wireless 3700 Series Access Points
-
Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point
-
Cisco 6300 Series Embedded Services Access Point
-
Cisco Catalyst 9124AX (I/D) Access Points
-
Cisco Catalyst IW9167 (E) Heavy Duty Access Point - supported from 17.9.3
Integrated Access Points
-
Integrated Access Point on Cisco 1100 ISR (ISR-AP1100AC-x, ISR-AP1101AC-x, and ISR-AP1101AX-x)
Network Sensor
-
Cisco Aironet 1800s Active Sensor
Pluggable Modules
-
Wi-Fi 6 Pluggable Module for Industrial Routers
Supported Access Point Channels and Maximum Power Settings
Supported access point channels and maximum power settings on Cisco APs are compliant with the regulatory specifications of channels, maximum power levels, and antenna gains of every country in which the access points are sold. For more information about the supported access point transmission values in Cisco IOS XE software releases, see the Detailed Channels and Maximum Power Settings document at https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-17/products-technical-reference-list.html.
For information about Cisco Wireless software releases that support specific Cisco AP modules, see the "Software Release Support for Specific Access Point Modules" section in the Cisco Wireless Solutions Software Compatibility Matrix document.
Compatibility Matrix
The following table provides software compatibility information. For more information, see Cisco Wireless Solutions Software Compatibility Matrix
Cisco Catalyst 9800 Series Wireless Controller Software |
Cisco Identity Services Engine |
Cisco Prime Infrastructure |
Cisco AireOS-IRCM Interoperability |
Cisco Catalyst Center |
Cisco CMX |
---|---|---|---|---|---|
Cupertino 17.9.6 |
3.3 3.2 3.1 3.0 2.7 2.6 2.4 |
3.10.2 |
8.10.196.0 8.10.190.0 8.10.183.0 8.10.182.0 8.10.181.0 8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.5.176.2 8.5.182.104 |
11.0 10.6.3 |
|
Cupertino 17.9.5 |
3.3 3.2 3.1 3.0 2.7 2.6 2.4 |
3.10.2 |
8.10.196.0 8.10.190.0 8.10.183.0 8.10.182.0 8.10.181.0 8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.5.176.2 8.5.182.104 |
11.0 10.6.3 |
|
Cupertino 17.9.4a |
3.3 3.2 3.1 3.0 2.7 2.6 2.4 |
3.10.2 |
8.10.196.0 8.10.190.0 8.10.185.0 8.10.183.0 8.10.182.0 8.10.181.0 8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.5.176.2 8.5.182.104 |
11.0 10.6.3 |
|
Cupertino 17.9.4 |
3.3 3.2 3.1 3.0 2.7 2.6 2.4 |
3.10.2 |
8.10.183.0 8.10.182.0 8.10.181.0 8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.5.176.2 8.5.182.104 |
11.0 10.6.3 |
|
Cupertino 17.9.3 |
3.3 3.0 2.7 2.6 2.4 |
3.10.2 |
8.10.183.0 8.10.182.0 8.10.181.0 8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.5.176.2 8.5.182.104 |
11.0 10.6.3 |
|
Cupertino 17.9.2 |
3.3 3.0 2.7 2.6 2.4 |
3.10.2 |
8.10.183.0 8.10.182.0 8.10.181.0 8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.5.176.2 8.5.182.104 |
11.0 10.6.3 |
|
Cupertino 17.9.1 |
3.3 3.0 2.7 2.6 2.4 |
3.10 MR1 |
8.10.181.0 8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.5.176.2 8.5.182.104 |
11.0 10.6.3 |
GUI System Requirements
The following subsections list the hardware and software required to access the Cisco Catalyst 9800 Controller GUI.
Processor Speed |
DRAM |
Number of Colors |
Resolution |
Font Size |
---|---|---|---|---|
233 MHz minimum2 |
512 MB3 |
256 |
1280 x 800 or higher |
Small |
Software Requirements
Operating Systems:
-
Windows 7 or later
-
Mac OS X 10.11 or later
Browsers:
-
Google Chrome: Version 59 or later (on Windows and Mac)
-
Microsoft Edge: Version 40 or later (on Windows)
-
Safari: Version 10 or later (on Mac)
-
Mozilla Firefox: Version 60 or later (on Windows and Mac)
Note |
Firefox Version 63.x is not supported. |
The controller GUI uses Virtual Terminal (VTY) lines for processing HTTP requests. At times, when multiple connections are open, the default number of VTY lines of 15 set by the device might get exhausted. Therefore, we recommend that you increase the number of VTY lines to 50.
To increase the VTY lines in a device, run the following commands in the following order:
-
device# configure terminal
-
device(config)# line vty 50
A best practice is to configure the service tcp-keepalives to monitor the TCP connection to the device.
-
device(config)# service tcp-keepalives-in
-
device(config)# service tcp-keepalives-out
Before You Upgrade
Ensure that you familiarize yourself with the following points before proceeding with the upgrade:
-
When you upgrade from Cisco IOS XE Dublin 17.12.3 to 17.12.4 or Cisco IOS XE 17.15.1, the Cisco Catalyst Wi-Fi 6 APs fail to upgrade the AP image.
Workaround:
-
Reboot the impacted APs through the power cycle.
-
APs running Cisco IOS XE 17.9.3 might encounter issues when attempting to upgrade their software due to insufficient space in the /tmp directory. When the /tmp space on the AP becomes full, it prevents the download of the new AP image. In such instances, we recommend that you reboot the AP.
Caution |
During controller upgrade or reboot, if route processor ports are connected to any Cisco switch, ensure that the route processor ports are not flapped (shut/no shut process). Otherwise, it may lead to a kernel crash. |
Note |
|
Cisco Wave 2 APs may get into a boot loop when upgrading software over a WAN link. For more information, see: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220443-how-to-avoid-boot-loop-due-to-corrupted.html.
The following Wave 1 APs are not supported from 17.4 to 17.9.2, 17.10.x, 17.11.x, 17.13.x, 17.14.x, and 17.15.x:
-
Cisco Aironet 1570 Series Access Point
-
Cisco Aironet 1700 Series Access Point
-
Cisco Aironet 2700 Series Access Point
-
Cisco Aironet 3700 Series Access Point
Note |
|
-
From Cisco IOS XE Dublin 17.10.x, Key Exchange and MAC algorithms like diffie-hellman-group14-sha1, hmac-sha1, hmac-sha2-256, and hmac-sha2-512 are not supported by default and it may impact some SSH clients that only support these algorithms. If required, you can add them manually. For information on manually adding these algorithms, see the SSH Algorithms for Common Criteria Certification document available at: https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-secure-shell-algorithm-ccc.html
-
If APs fail to detect the backup image after running the archive download-sw command, perform the following steps:
-
Upload the image using the no-reload option of the archive download-sw command:
Device# archive download-sw /no-reload tftp://<tftp_server_ip>/<image_name>
-
Restart the CAPWAP process using capwap ap restart command. This allows the AP to use the correct backup image after the restart (reload is not required.)
Device# capwap ap restart
Caution
The AP will lose connection to the controller during the join process. When the AP joins the new controller, it will see a new image in the backup partition. So, the AP will not download a new image from the controller.
-
-
You might observe a high Confd CPU when full synchronization occurs between NETCONF datastore and Cisco IOS configuration. This behavior is normal and is triggered by the line vty command.
-
From Cisco IOS XE Cupertino 17.7.1 onwards, for Cisco Catalyst 9800-CL Wireless Controller, ensure that you complete Resource Utilization Measurement (RUM) reporting and ensure that the ACK is made available on the product instance at least once. This is to ensure that correct and up-to-date usage information is reflected in the Cisco Smart Software Manager (CSSM).
-
From Cisco IOS XE Amsterdam 17.3.1 onwards, the Cisco Catalyst 9800-CL Wireless Controller requires 16 GB of disk space for new deployments.
If you are upgrading to Cisco IOS XE Amsterdam 17.3.x from a previous release, resizing of disk space is not supported. If the current disk space is lesser than 16 GB, you need to redeploy the VM to meet the new disk space requirements.
-
Fragmentation lower than 1500 is not supported for the RADIUS packets generated by wireless clients in the Gi0 (OOB) interface.
-
Cisco IOS XE allows you to encrypt all the passwords used on the device. This includes user passwords and SSID passwords (PSK). For more information, see the "Password Encryption" section of the Cisco Catalyst 9800 Series Configuration Best Practices document.
-
While upgrading to Cisco IOS XE 17.3.x and later releases, if the ip http active-session-modules none command is enabled, you will not be able to access the controller GUI using HTTPS. To access the GUI using HTTPS, run the following commands in the order specified below:
-
ip http session-module-list pkilist OPENRESTY_PKI
-
ip http active-session-modules pkilist
-
-
Cisco Aironet 1815T OfficeExtend Access Point will be in local mode when connected to the controller. However, when it functions as a standalone AP, it gets converted to FlexConnect mode.
-
The Cisco Catalyst 9800-L Wireless Controller may fail to respond to the BREAK signals received on its console port during boot time, preventing users from getting to the ROMMON. This problem is observed on the controllers manufactured until November 2019, with the default config-register setting of 0x2102. This problem can be avoided if you set config-register to 0x2002. This problem is fixed in the 16.12(3r) ROMMON for Cisco Catalyst 9800-L Wireless Controller. For information about how to upgrade the ROMMON, see the Upgrading ROMMON for Cisco Catalyst 9800-L Wireless Controllers section of the Upgrading Field Programmable Hardware Devices for Cisco Catalyst 9800 Series Wireless Controllers document.
-
By default, the controller uses a TFTP block size value of 512, which is the lowest possible value. This default setting is used to ensure interoperability with legacy TFTP servers. If required, you can change the block size value to 8192 to speed up the transfer process, using the ip tftp blocksize command in global configuration mode.
-
We recommend that you configure the password encryption aes and the key config-key password-encrypt key commands to encrypt your password.
-
If the following error message is displayed after a reboot or system crash, we recommend that you regenerate the trustpoint certificate:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Use the following commands in the order specified below to generate a new self-signed trustpoint certificate:
-
device# configure terminal
-
device(config)# no crypto pki trustpoint trustpoint_name
-
device(config)# no ip http server
-
device(config)# no ip http secure-server
-
device(config)# ip http server
-
device(config)# ip http secure-server
-
device(config)# ip http authentication local/aaa
-
-
Do not deploy OVA files directly to VMware ESXi 6.5. We recommend that you use an OVF tool to deploy the OVA files.
-
Ensure that you remove the controller from Cisco Prime Infrastructure before disabling or enabling Netconf-YANG. Otherwise, the system may reload unexpectedly.
-
Unidirectional Link Detection (UDLD) protocol is not supported.
-
SIP media session snooping is not supported on FlexConnect local switching deployments.
-
The Cisco Catalyst 9800 Series Wireless Controllers (C9800-CL, C9800-L, C9800-40, and C9800-80) support a maximum of 14,000 leases with internal DHCP scope.
-
Configuring the mobility MAC address using the wireless mobility mac-address command is mandatory for both HA and 802.11r.
-
If you have Cisco Catalyst 9120 (E/I/P) and Cisco Catalyst 9130 (E) APs in your network and you want to downgrade, use only Cisco IOS XE Gibraltar 16.12.1t. Do not downgrade to Cisco IOS XE Gibraltar 16.12.1s.
-
The following SNMP variables are not supported:
-
CISCO-LWAPP-WLAN-MIB: cLWlanMdnsMode
-
CISCO-LWAPP-AP-MIB.my: cLApDot11IfRptncPresent, cLApDot11IfDartPresent
-
-
If you are upgrading from Cisco IOS XE Gibraltar 16.11.x or an earlier release, ensure that you unconfigure the advipservices boot-level licenses on both the active and standby controllers using the no license boot level advipservices command before the upgrade. Note that the license boot level advipservices command is not available in Cisco IOS XE Gibraltar 16.12.1s and 16.12.2s.
-
The Cisco Catalyst 9800 Series Wireless Controller has a service port that is referred to as GigabitEthernet 0 port.
The following protocols and features are supported through this port:
-
Cisco Catalyst Center
-
Cisco Smart Software Manager
-
Cisco Prime Infrastructure
-
Telnet
-
Controller GUI
-
DNS
-
File transfer
-
GNMI
-
HTTP
-
HTTPS
-
LDAP
-
Licensing for Smart Licensing feature to communicate with CSSM
-
Netconf
-
NetFlow
-
NTP
-
RADIUS (including CoA)
-
Restconf
-
SNMP
-
SSH
-
SYSLOG
-
TACACS+
-
-
During device upgrade using GUI, if a switchover occurs, the session expires and the upgrade process gets terminated. As a result, the GUI cannot display the upgrade state or status.
-
From Cisco IOS XE Bengaluru 17.4.1 onwards, the telemetry solution provides a name for the receiver address instead of the IP address for telemetry data. This is an additional option. During the controller downgrade and subsequent upgrade, there is likely to be an issue—the upgrade version uses the newly named receivers, and these are not recognized in the downgrade. The new configuration gets rejected and fails in the subsequent upgrade. Configuration loss can be avoided when the upgrade or downgrade is performed from Cisco Catalyst Center.
-
From Cisco IOS XE Bengaluru 17.4.1 onwards, session timeout under the policy profile is supported.
-
Communication between Cisco Catalyst 9800 Series Wireless Controller and Cisco Prime Infrastructure uses different ports:
-
All the configurations and templates available in Cisco Prime Infrastructure are pushed through SNMP and CLI, using UDP port 161.
-
Operational data for controller is obtained over SNMP, using UDP port 162.
-
AP and client operational data leverage streaming telemetry:
-
Cisco Prime Infrastructure to controller: TCP port 830 is used by Cisco Prime Infrastructure to push the telemetry configuration to the controller (using NETCONF).
-
Controller to Cisco Prime Infrastructure: TCP port 20828 is used for Cisco IOS XE 16.10.x and 16.11.x, and TCP port 20830 is used for Cisco IOS XE 16.12.x, 17.1.x and later releases.
-
-
-
To migrate public IP address from 16.12.x to 17.x. ensure that you configure the service internal command. If you do not configure the service internal command, the IP address does not get carried forward.
-
RLAN support with Virtual Routing and Forwarding (VRF) is not available.
-
When you encounter the SNMP error SNMP_ERRORSTATUS_NOACCESS 6, it means that the specified SNMP variable is not accessible.
-
We recommend that you perform a controller reload whenever there is a change in the controller's clock time to reflect an earlier time.
Note |
Before upgrading the Cisco Catalyst 9800-40 Series Wireless Controller image to Cisco IOS XE Cupertino 17.9.x using bundle mode, you must ensure that the ROMMON version is 17.7(3r) or later. For other platforms, such as Cisco Catalyst 9800-80 Series Wireless Controllers, you should upgrade to 17.3(3r) and for Cisco Catalyst 9800-L Series Wireless Controllers, we recommend that you upgrade the ROMMON version to 16.12(3r) or later. After the upgrade, you cannot downgrade to older ROMMON versions. |
Note |
The DTLS version (DTLSv1.0) is deprecated for Cisco Aironet 1800 based on latest security policies. Therefore, any new out-of-box deployments of Cisco Aironet 1800 APs will fail to join the controller and you will get the following error message:
To onboard new Cisco Aironet 1800 APs and to establish a CAPWAP connection, explicitly set the DTLS version to 1.0 in the controller using the following configuration:
Note that setting the DTLS version to 1.0 affects all the existing AP CAPWAP connections. We recommend that you apply the configuration only during a maintenance window. After the APs download the new image and join the controller, ensure that you remove the configuration. |
To upgrade the field programmable hardware devices for Cisco Catalyst 9800 Series Wireless Controllers, see Upgrading Field Programmable Hardware Devices for Cisco Catalyst 9800 Series Wireless Controllers.
Important |
Before you begin a downgrade process, you must manually remove the configurations which are applicable in the current version but not in older version. Otherwise, you might encounter an unexpected behavior. |
-
When you downgrade an AP from a higher version to Cisco IOS XE Amsterdam 17.3.x, the AP will not be accessible through SSH or the console due to the denial of the enable password, when the AP has not yet joined a controller. If the AP joins a controller, then the AP becomes accessible without any password denial.
Upgrade Path to Cisco IOS XE Cupertino 17.9.x
Current Software |
Upgrade Path for Deployments with 9130 or 9124 |
Upgrade Path for Deployments Without 9130 or 9124 |
---|---|---|
16.10.x |
—4 |
Upgrade first to 16.12.5 or 17.3.x and then to 17.9.x. |
16.11.x |
— |
Upgrade first to 16.12.5 or 17.3.x and then to 17.9.x. |
16.12.x |
Upgrade first to 17.3.5 or later or 17.6.x or later, and then to 17.9.x. |
Upgrade first to 17.3.5 or later or 17.6.x or later, and then to 17.9.x. |
17.1.x |
Upgrade first to 17.3.5 or later and then to 17.9.x. |
Upgrade first to 17.3.5 or later and then to 17.9.x. |
17.2.x |
Upgrade first to 17.3.5 or later and then to 17.9.x. |
Upgrade first to 17.3.5 or later and then to 17.9.x. |
17.3.1 to 17.3.4 |
Upgrade first to 17.3.5 or later or 17.6.x or later, and then to 17.9.x. |
Upgrade directly to 17.9.x. |
17.3.4c or later |
Upgrade directly to 17.9.x. |
Upgrade directly to 17.9.x. |
17.4.x |
Upgrade first to 17.6.x and then to 17.9.x. |
Upgrade directly to 17.9.x. |
17.5.x |
Upgrade first to 17.6.x and then to 17.9.x. |
Upgrade directly to 17.9.x. |
17.6.x |
Upgrade directly to 17.9.x. |
Upgrade directly to 17.9.x. |
17.7.x |
Upgrade directly to 17.9.x. |
Upgrade directly to 17.9.x. |
17.8.x |
Upgrade directly to 17.9.x. |
Upgrade directly to 17.9.x. |
8.9.x or any 8.10.x version prior to 8.10.171.0 |
Upgrade first to 8.10.171.0 or later, 17.3.5 or later, or 17.6.x or later, and then to 17.9.x. |
Upgrade directly to 17.9.x. |
8.10.171.0 and above |
Upgrade directly to 17.9.x. |
Upgrade directly to 17.9.x. |
Upgrading the Controller Software
This section describes the various aspects of upgrading the controller software.
For information on the upgrade process and the methods to upgrade the Cisco Catalyst 9800 Series Wireless Controller software, see the "Upgrading the Cisco Catalyst 9800 Wireless Controller Software" chapter of the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.
Finding the Software Version
The package files for the Cisco IOS XE software are stored in the system board flash device (flash:).
Use the show version privileged EXEC command to see the software version that is running on your controller.
Note |
Although the show version output always shows the software image running on the controller, the model name shown at the end of the output is the factory configuration, and does not change if you upgrade the software license. |
Use the show install summary privileged EXEC command to see the information about the active package.
Use the dir filesystem: privileged EXEC command to see the directory names of other software images that you have stored in flash memory.
Software Images
-
Release: Cisco IOS XE Cupertino 17.9.x
-
Image Names (9800-80, 9800-40, and 9800-L):
-
C9800-80-universalk9_wlc.17.09.x.SPA.bin
-
C9800-40-universalk9_wlc.17.09.x.SPA.bin
-
C9800-L-universalk9_wlc.17.09.x.SPA.bin
-
-
Image Names (9800-CL):
-
Cloud: C9800-CL-universalk9.17.09.x.SPA.bin
-
Hyper-V/ESXi/KVM: C9800-CL-universalk9.17.09.x.iso, C9800-CL-universalk9.17.09.x.ova
-
KVM: C9800-CL-universalk9.17.09.x.qcow2
-
NFVIS: C9800-CL-universalk9.17.09.x.tar.gz
-
Software Installation Commands
Cisco IOS XE, Cupertino, 17.9.x |
|||
---|---|---|---|
To install and activate a specified file, and to commit changes to be persistent across reloads, run the following command: device# install add file filename [activate |commit] To separately install, activate, commit, end, or remove the installation file, run the following command: device# install ?
|
|||
add file tftp: filename |
Copies the install file package from a remote location to a device, and performs a compatibility check for the platform and image versions. |
||
activateauto-abort-timer] |
Activates the file and reloads the device. The auto-abort-timer keyword automatically rolls back image activation. |
||
commit |
Makes changes that are persistent over reloads. |
||
rollback to committed |
Rolls back the update to the last committed version. |
||
abort |
Cancels file activation, and rolls back to the version that was running before the current installation procedure started. |
||
remove |
Deletes all unused and inactive software installation files. |
Licensing
The Smart Licensing Using Policy feature is automatically enabled on the controller. This is also the case when you upgrade to this release. By default, your Smart Account and Virtual Account in Cisco Smart Software Manager (CSSM) are enabled for Smart Licensing Using Policy. For more information, see the "Smart Licensing Using Policy" chapter in the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.
For a more detailed overview on Cisco Licensing, see cisco.com/go/licensingguide.
Interoperability with Clients
This section describes the interoperability of the controller software with client devices.
The following table lists the configurations used for testing client devices.
Hardware or Software Parameter |
Hardware or Software Type |
---|---|
Release |
Cisco IOS XE, Cupertino, 17.9.x |
Cisco Wireless Controller |
See Supported Hardware. |
Access Points |
See Supported APs. |
Radio |
|
Security |
Open, PSK (WPA2-AES), 802.1X (WPA2-AES) (EAP-FAST, EAP-TLS) WPA3 AKM 802.11ax |
RADIUS |
See Compatibility Matrix. |
Types of tests |
Connectivity, traffic (ICMP), and roaming between two APs |
The following table lists the client types on which the tests were conducted. Client types included laptops, hand-held devices, phones, and printers.
Client Type and Name |
Driver or Software Version |
||
---|---|---|---|
Laptops |
|||
Acer Aspire E 15 E5-573-3870 (Qualcomm Atheros QCA9377) | Windows 10 Pro (12.0.0.832) | ||
Apple Macbook Air 11 inch | OS Sierra 10.12.6 | ||
Apple Macbook Air 13 inch | OS High Sierra 10.13.4 | ||
Macbook Pro Retina | OS Catalina | ||
Macbook Pro Retina 13 inch early 2015 | OS Mojave 10.14.3 | ||
Macbook Pro OS X | OS X 10.8.5 | ||
Macbook Air | OS Sierra v10.12.2 | ||
Macbook Air 11 inch | OS X Yosemite 10.10.5 | ||
MacBook M1 Chip | OS Catalina | ||
Dell Inspiron 2020 Chromebook |
Chrome OS 75.0.3770.129 |
||
Google Pixelbook Go |
Chrome OS 97.0.4692.27 |
||
HP chromebook 11a |
Chrome OS 76.0.3809.136 |
||
Samsung Chromebook 4+ |
Chrome OS 77.0.3865.105 |
||
Dell Latitude (Intel AX210) | Windows 11 (22.110.x.x) | ||
Dell Latitude 3480 (Qualcomm DELL wireless 1820) | Win 10 Pro (12.0.0.242) | ||
Dell Inspiron 15-7569 (Intel Dual Band Wireless-AC 3165) | Windows 10 Home (21.40.0) | ||
Dell Latitude E5540 (Intel Dual Band Wireless AC7260) | Windows 7 Professional (21.10.1) | ||
Dell Latitude E5430 (Intel Centrino Advanced-N 6205) | Windows 7 Professional (15.18.0.1) | ||
Dell Latitude E6840 (Broadcom Dell Wireless 1540 802.11 a/g/n) | Windows 7 Professional (6.30.223.215) | ||
Dell XPS 12 v9250 (Intel Dual Band Wireless AC 8260 ) | Windows 10 Home (21.40.0) | ||
Dell Latitude 5491 (Intel AX200) | Windows 10 Pro (21.20.1.1) | ||
Dell XPS Latitude12 9250 (Intel Dual Band Wireless AC 8260) | Windows 10 Home | ||
Dell Inspiron 13-5368 Signature Edition | Windows 10 Home (18.40.0.12) | ||
FUJITSU Lifebook E556 Intel 8260 (Intel Dual Band Wireless-AC 8260 (802.11n)) | Windows 8 (19.50.1.6) | ||
Lenovo Yoga C630 Snapdragon 850 (Qualcomm AC 2x2 Svc) |
Windows 10 Home | ||
Lenovo Thinkpad Yoga 460 (Intel Dual Band Wireless-AC 9260) | Windows 10 Pro (21.40.0) | ||
|
|||
Tablets |
|||
Apple iPad 2021 | iOS 15.0 | ||
Apple iPad 7the Gen 2019 | iOS 14.0 | ||
Apple iPad MD328LL/A | iOS 9.3.5 | ||
Apple iPad 2 MC979LL/A | iOS 11.4.1 | ||
Apple iPad Air MD785LL/A | iOS 11.4.1 | ||
Apple iPad Air2 MGLW2LL/A | iOS 10.2.1 | ||
Apple iPad Mini 4 9.0.1 MK872LL/A | iOS 11.4.1 | ||
Apple iPad Mini 2 ME279LL/A | iOS 11.4.1 | ||
Apple iPad Mini 4 9.0.1 MK872LL/A | iOS 11.4.1 | ||
Microsoft Surface Pro 3 13 inch (Intel AX201) | Windows 10 (21.40.1.3) | ||
Microsoft Surface Pro 3 15 inch (Qualcomm Atheros QCA61x4A) | Windows 10 | ||
Microsoft Surface Pro 7 (Intel AX201) | Windows 10 | ||
Microsoft Surface Pro 6 (Marvell Wi-Fi chipset 11ac) | Windows 10 | ||
Microsoft Surface Pro X (WCN3998 Wi-Fi Chip) | Windows | ||
Mobile Phones |
|||
Apple iPhone 5 | iOS 12.4.1 | ||
Apple iPhone 6s | iOS 13.5 | ||
Apple iPhone 7 MN8J2LL/A | iOS 11.2.5 | ||
Apple iPhone 8 | iOS 13.5 | ||
Apple iPhone 8 Plus | iOS 14.1 | ||
Apple iPhone 8 Plus MQ8D2LL/A | iOS 12.4.1 | ||
Apple iPhone X MQA52LL/A | iOS 13.1 | ||
Apple iPhone 11 | iOS 15.1 | ||
Apple iPhone 12 | iOS 15.1 | ||
Apple iPhone 12 Pro | iOS 15.1 | ||
Apple iPhone 13 | iOS 15.1 | ||
Apple iPhone 13 Mini | iOS 15.1 | ||
Apple iPhone 13 Pro | iOS 15.1 | ||
Apple iPhone 14 | iOS 16 | ||
Apple iPhone 15 | iOS17 | ||
Apple iPhone SE MLY12LL/A | iOS 11.3 | ||
Apple iPhone SE | iOS 15.1 | ||
ASCOM i63 | Build v 3.0.0 | ||
ASCOM Myco 3 | Android 9 | ||
Cisco IP Phone 8821 |
11.0.6 SR1 |
||
Drager Delta | VG9.0.2 | ||
Drager M300.3 | VG2.4 | ||
Drager M300.4 | VG2.4 | ||
Drager M540 | DG6.0.2 (1.2.6) | ||
Google Pixel 3a |
Android 11 |
||
Google Pixel 4 |
Android 11 |
||
Google Pixel 5 |
Android 11 |
||
Google Pixel 6 |
Android 11 |
||
Huawei Mate 20 pro | Android 9.0 | ||
Huawei P20 Pro |
Android 10 |
||
Huawei P40 |
Android 10 |
||
LG v40 ThinQ | Android 9.0 | ||
One Plus 8 |
Android 11 |
||
Oppo Find X2 |
Android 10 |
||
Redmi K20 Pro |
Android 10 |
||
Samsung Galaxy S9+ - G965U1 |
Android 10.0 |
||
Samsung Galaxy S10 Plus |
Android 11.0 |
||
Samsung S10 (SM-G973U1) |
Android 11.0 |
||
Samsung S10e (SM-G970U1) |
Android 11.0 |
||
Samsung S20 Ultra |
Android 10.0 |
||
Samsung S21 Ultra 5G |
Android 11.0 | ||
Samsung Fold 2 |
Android 10.0 | ||
Samsung Note20 |
Android 10.0 |
||
Samsung G Note 10 Plus |
Android 11.0 |
||
Samsung Galaxy A01 |
Android 11.0 |
||
Samsung Galaxy A21 |
Android 10.0 |
||
Sony Experia 1 ii |
Android 11 |
||
Sony Experia |
Android 11 |
||
Xiaomi Mi 9T |
Android 9 |
||
Xiaomi Mi 10 |
Android 11 |
||
Spectralink 84 Series | 7.5.0.x257 | ||
Spectralink 87 Series | Android 5.1.1 | ||
Spectralink Versity Phones 92/95/96 Series | Android 10.0 | ||
Vocera Badges B3000n | 4.3.3.18 | ||
Vocera Smart Badges V5000 | 5.0.6.35 | ||
Zebra MC40 | Android 4.4.4 | ||
Zebra MC40N0 | Android 4.1.1 | ||
Zebra MC92N0 | Android 4.4.4 | ||
Zebra MC9090 | Windows Mobile 6.1 | ||
Zebra MC55A | Windows 6.5 | ||
Zebra MC75A | OEM ver 02.37.0001 | ||
Zebra TC51 | Android 6.0.1 | ||
Zebra TC52 | Android 10.0 | ||
Zebra TC55 | Android 8.1.0 | ||
Zebra TC57 | Android 10.0 | ||
Zebra TC70 | Android 6.1 | ||
Zebra TC75 | Android 10.0 | ||
Zebra TC8000 | Android 4.4.3 | ||
Printers | |||
Zebra QLn320 Mobile Printer | LINK OS 5.2 | ||
Zebra ZT230 IndustrialPrinter | LINK OS 6.4 | ||
Zebra ZQ310 Mobile Printer | LINK OS 6.4 | ||
Zebra ZD410 Industrial Printer | LINK OS 6.4 | ||
Zebra ZT410 Desktop Printer | LINK OS 6.4 | ||
Zebra ZQ610 Industrial Printer | LINK OS 6.4 | ||
Zebra ZQ620 Mobile Printer | LINK OS 6.4 | ||
Wireless Module |
|||
Intel 11ax 200 |
Driver v22.20.0 | ||
Intel AC 9260 |
Driver v21.40.0 | ||
Intel Dual Band Wireless AC 8260 |
Driver v19.50.1.6 |
||
Intel AX 210 |
Driver v22.110.x.x (or above) |
||
Samsung S21 Ultra |
Driver v20.80.80 |
||
QCA WCN6855 |
Driver v1.0.0.901 |
||
PhoenixContact FL WLAN 2010 |
Firmware version: 2.71 |
Issues
Issues describe unexpected behavior in Cisco IOS releases in a product. Issues that are listed as Open in a prior release are carried forward to the next release as either Open or Resolved.
Note |
All incremental releases contain fixes from the current release. |
Cisco Bug Search Tool
The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of an issue, click the corresponding identifier.
Open Caveats for Cisco IOS XE Cupertino 17.9.6
Caveat ID |
Description |
---|---|
Cisco Catalyst 9120 AP experiences radio crash in wlc_bmac_suspend_mac |
|
Interface VRRP Mac flaps between Active and Standby EWC |
|
EWC rogue syslogs are missing |
|
Split tunneling does not work in Cisco IOS XE 17.9.5 |
|
Controller sends multicast packets with previous WMI |
|
%EVENTLIB-3-CPUHOG is observed in Cisco IOS XE 17.12.2 |
|
Controller ends abnormally during an ISSU upgrade from Cisco IOS XE 17.3 to 17.12 |
|
Stale clients are observed in device-tracking database IP and MAC for webauth clients in FlexConnect central switching |
|
Cisco Aironet 2802 AP fails to send reassociation response or association request |
|
Device stops responding constantly when running specific UDN related commands |
|
Cisco Catalyst 9124 APs do not assign correct channels in 2.4-GHz |
|
FRA sets slot 2 to 6-GHz in Cisco Catalyst 9166 AP even when 6-GHz network is disabled |
|
Clients fail authentication due to 4-way handshake failure and IGTK error in M3 |
|
Local switching clients is assigned to Zone ID 0 when ip overlap is configured and FlexConnect VLAN central switching |
|
Client VLAN is retained after changing SSIDs if vlan-persistent is enabled |
|
The downstream multicast traffic is blocked for WGB wired client when WGB is associated with the controller |
|
Cisco Catalyst 9120AXI-S AP does not detect the RFIDs in Monitor mode |
|
Cisco Catalyst 9166D APs are unable to transmit NDP packets over the air |
|
Controller experiences unexpected reload with high wncd_x memory |
|
Controller running Cisco IOS XE 17.9.3 sends IGMP queries without controller IP address and MAC address |
|
Cisco Catalyst 9120 experiences memory leak in Cisco IOS XE 17.9.5 |
|
AP does not failover to the RADIUS server in Flexconnect Local Switching Local Authentication |
|
Standby controller is reloaded with reason EHSA standby down |
|
Controller sustained high CPU usage in wncd process |
|
Wireless clients are unable to receive the splash page and gets stuck due to webuth requirement |
|
Monitor - Client page is stuck in loading with a blue progress bar |
|
Controller as Foreign and 8540 as Anchor: Controller ends abnormally pointing to client_orch |
|
Controller experiences 4-way handshake failure with missing M1 packet |
|
Cisco Catalyst 91xx AP does not rotate awipsd.log causing an upgrade issue "tar: write error: No space left on device" |
|
Controller AP join issues are observed due to CPP stale entries caused by qos-template-bind childless objects |
Open Caveats for Cisco IOS XE Cupertino 17.9.5
Identifier |
Headline |
---|---|
FlexConnect setup fails to renew 4-way handshake when Pairwise Master Key (PMK) ID does not match. |
|
Controller reboots when handling Cisco Network Mobility Services Protocol (NMSP) Transport Layer Security (TLS) connection. |
|
Controller loses SUDI MIC trustpoint when upgrading from Cisco IOS-XE 17.6.4 to 17.9.4a via SDA. |
|
Controller with Cisco IOS-XE 17.9.3 sends Internet Group Management Protocol (IGMP) queries with a non-WLC IP address and MAC address. |
|
The load balancer server holds an incorrect AP IP address, and stale AP entries are observed. |
|
Security Group Tag (SGT) is not applied to wireless client in Software Defined-Access (SDA) fabric. |
|
Controller reloads unexpectedly due to Keymgmt: Failed to eapol key m1 retransmit failure. Max retries for M1 over . |
|
A client with a static IP is assigned to the wrong VLAN (vlan group) during roaming. |
|
Encrypted mesh pre-shared key changes each time the password encryption aes is applied. |
|
Cisco Catalyst 9120 AP drops the large frame downstream towards the wireless client. |
|
Controller experiences an unexpected reboot in DBM during the Flex VLAN list retrieval. |
|
Cisco Catalyst 9130 AP reloads unexpectedly due to kernel panic. |
|
Wired clients learn MAC address from the Cisco Catalyst 9124 MAP port. |
|
The MAC Authentication Bypass (MAB) is not initiated unless the controller deauthenticates the device. |
|
Cisco Catalyst 9115 APs join and disjoin repeatedly with traceback. |
|
Cisco Catalyst 9130 AP reloads unexpectedly resulting in kernel panic crash. |
|
Media stream feature does not work. |
|
Cisco Catalyst 9800-40 Wireless Controller reloads unexpectedly when Cisco IOS-XE 17.9.3 WNCD is down. |
|
APs connected to the same controller classify each other as rogue and generate an "AP Impersonation" threat warning. |
Open Caveats for Cisco IOS XE Cupertino 17.9.4a
From this release, the list of caveats is displayed using BST tool. When you click the BST link, it opens a separate window and lists the bugs sorted by severity. You can filter it further using the options in the tool.
Identifier |
Headline |
---|---|
Lobby admin page does not load in the controller. |
Click on the following link to view the other Open Caveats: BST Link
Open Caveats for Cisco IOS XE Cupertino 17.9.4
From this release, the list of caveats is displayed using BST tool. When you click the BST link, it opens a separate window and lists the bugs sorted by severity. You can filter it further using the options in the tool.
Click on the following link to view the Open Caveats: BST Link
Open Caveats for Cisco IOS XE Cupertino 17.9.3
Identifier |
Headline |
---|---|
Cisco Catalyst 9800 Series Controller/AireOS parity: Rejects clients with wrong PMKID when changing AKM from FT to dot1x to FT again. |
|
Mesh APs cannot associate to Root AP after disabling 'Backhaul Client Access' on IW9167EH Root AP. |
|
Client download to DP failed and floods the sytandby console with Traceback @cpp_wlclient_create. |
|
Flex WLAN provisioning is failing on C9800-CL hosted on Azure. |
|
EAP-TLS is failing for the wired clients behind MAP for Cisco 2800, 3800, 4800, 1562, 6300 series APs. |
|
Controller is not providing RSSI location data for some of the RFID tags in database. |
|
Controller is tracking stale entry due to anchored client getting IPv4 and IPv6 in different VLANs. |
|
Load average warning is displayed even when Cisco Catalyst 9800-80 Series Controller is healthy. |
|
Cisco Catalyst 9120AX AP kernel crash - PC is at rhb_del_interface+0xc. |
|
COS-APs are not encrypting EAP_ID_REQ after M1-M4 and not updating PMKID for dot1x OKC. |
|
Controller reloads unexpectedly after generating "wncd" core files. |
|
Controller reloads after failing to match the interface ID in the anchor message. |
|
Cisco Catalyst 9120 AP fails to forward traffic to wireless client for about 60 seconds. |
|
Cisco APs such as 2800, 3800, 4800, and 1562 are dropping upstream EAP packets. |
|
Cisco Catalyst 9164 and 9166 APs running Cisco IOS-XE 17.9.2 is facing DFS detections in all channels. |
|
Cisco Catalyst AX Series APs are decoding EAP request ID incorrectly. |
|
Controller reloads due to memory corruption when processing DHCP Reply Option82. |
|
Traceback and reload occurs after detecting a bad magic number in chunk header. |
|
Standby controller crashes while saving tbl QoS table. |
|
AID leak is observed in Flex COS APs. |
|
Unexpected reboot due WNCD. |
|
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_REMOTE_MOBILITY_DELETE - Mobility Local. |
|
Radio firmware crash is observed due to a frozen rc queue. |
|
Cisco Catalyst 9105AXW AP is crashing. |
|
Clients stop passing traffic when there is a missing bandwidth limit AAA attribute on the controller. |
|
Cisco Catalyst 9130 AP: Packet loss is observed on Digital Signage device. |
|
Controller is re-marking SIP packets from CS3 to CS0 in upstream/downstream when voice cac is configured. |
|
Traceback is observed after provisioning controller from Cisco DNA Center. |
|
EWC time offset is not updated on GUI. |
|
IRCM Mobility client is deleted silently after a profile name mismatch. |
|
Cisco Catalyst 9105AXW AP and Cisco Aironet 1815W Flex RLAN AP does not apply VLAN in the ethernet port after AAA vlan override. |
|
AP crash is observed due to kernel panic (PC is at vfp_reload_hw+0x30/0x44). |
|
Cisco Catalyst 9105AX AP: Kernel panic crash is observed. |
|
Cisco Catalyst 9120 AP: Sending Msg:2 in mode:2 to hostapd failed. |
|
AP are not forwarding IGMPv3 query to wireless clients. |
|
APs are stuck in UBOOT. |
|
Controller is not sending GTK M5 packet to 8821 after FT roaming between wncds. |
|
Cisco Catalyst 9136 AP Kernel Panic: Unexpected reload csd_lock_wait+0x10/0x18. |
|
Cisco Catalyst 9120AX AP: Clients are continuously disconnecting if more than 10 clients are using MS TEAMS. |
|
Pubd crash is seen while performing ISSU upgrade from 17.3.7 to 17.9.3. |
Open Caveats for Cisco IOS XE Cupertino 17.9.2
Caveat ID |
Description |
---|---|
Cisco Aironet 3800 Access Point ends abnormally due to kernel panic. |
|
Cisco Aironet 1852 Access Point experiences radio firmware crash. |
|
Timeout during Direct Memory Access (DMA) transaction causes kernel panic in Access Point. |
|
Cisco Aironet 4800 Access Point experiences firmware radio crash in Cisco IOS-XE 17.3.5b release. |
|
Kernel panic crash observed when gRPC server process is executed. |
|
Cisco Catalyst 9124 Access Point AXI RSSI is 7 dBm to 8 dBm weaker at a distance compared to other Access Point models. |
|
Cisco Aironet 1815W Access Point crashes due to OOM when wcpd process hogs the memory. |
|
Cisco Catalyst 9130 Access Point displays different beacon data-rates for different Basic Service Set Identifiers (BSSIDs). |
|
Apple iOS devices are deleted due to IP Learn timeout. |
|
The N+1 High Availability setup for FlexConnect access points is not working. |
|
Cisco Catalyst 9120 Access Point crashes and reloads due to kernel panic. |
|
Kernel panic crash is observed when PC is at "cpuidle_not_available". |
|
Double bit ECC error causes the standby controller to reload. |
|
Cisco Catalyst 9105 Access Point experiences communication gaps when working as a workgroup bridge (WGB). |
|
Cisco Catalyst 9120 Access Point randomly displays high noise level in 5-GHz radio. |
|
Cisco Aironet 1815I Access Point reboots when PC is at edma_poll or LR is at dma_cache_maint_page. |
|
Wireless peers are unable to reach each other when passive client is enabled. |
|
Cisco Catalyst 9120 Access Point experiences CleanAir sensor crash. |
|
Access Points fail to view the backup image after using the "archive download-sw" command. |
|
Wireless client does not receive IPv6 RA from wired FlexConnect local Dynamic Host Configuration Protocol (DHCP). |
|
Cisco Catalyst 9130 Access Point experiences high latency or packet drops during TFTP. |
|
Cisco Catalyst 9120 Access Point drops M4 during four-way handshake. |
|
Dynamic Channel Allocation (DCA) debug in the controller does not display Slot 2 when nearby Access Point uses channel 36. |
|
Controller does not regularly send license sync report to Cisco Smart Software Manager (CSSM). |
|
Re-association request processing is delayed between the driver and wcp. |
Open Caveats for Cisco IOS XE Cupertino 17.9.1
Caveat ID |
Description |
---|---|
WPA TKIP client is unable to join due to mic error from client. |
|
Cisco Catalyst 9136 AP: Auto-RF on the controller is reporting lower interference when rogue is using 40/80 MHz bandwidth. |
|
Wireless AAA dynamic VLAN assignment: Clients cannot reach each other. |
|
Cisco Catalyst 9800-L: Multicast traffic is not forwarded from wireless system to wireless clients. |
|
Cisco AireOS 3800 series AP is crashing due to kernel panic. |
|
Cisco Catalyst 9136 AP: Traffic running on AP itself is seen as interference on adjacent channels. |
|
Cisco AireOS 3800 series AP: Radio crashes on Slot 0. |
|
Cisco AireOS 4800 series AP is sending upstream DHCP packets in CAPWAP when in FlexConnect local switching local DHCP. |
|
Stale entries in device-tracking database is causing false IP theft for IPv6 addresses. |
|
Cisco AireOS 1852 AP: Radio firmware crash is observed. |
|
Controller is deleting clients due to IP theft detection. |
|
Cisco Wireless 9164 AP crashes @ PC is at cnss_wait_for_fw_ready+0xd4/0x118. |
|
Cisco Catalyst 9105 AP: Crash is observed due to kernel panic. |
|
Cisco Catalyst 9800-L: Crash is observed with reason critical process wncd fault on rp_0_0 (rc=134). |
|
The AAA dashboard of Cisco DNA Centre does not display any AAA transaction data after the software upgrade. |
|
Cisco Catalyst 9136 AP does not receive the 6e SSID |
Resolved Caveats for Cisco IOS XE Cupertino 17.9.6
Caveat ID |
Description |
---|---|
SCB Mismatch - radio core is generated during longevity test with Cisco Catalyst 9105 AP |
|
CAPWAP session manager ends abnormally - config update fails when AP is in delete pending state |
|
Controller ends abnormally and signature displays a segmentation fault with IGMP snooping process |
|
Controller UI needs support for Webauth banner title or text delimiter input |
|
Cisco Catalyst 9130 AP experiences traffic loss and delays due to perceived channel utilization and interference |
|
Cisco Aironet 1852 or Cisco Catalyst 9115 AP ends abnormally due to Systemd critical process |
|
The 6-GHz radios from Cisco Catalyst 9136 AP report RF neighbors at very low levels |
|
Cisco Catalyst 9162 AP in FlexConnect mode constantly disjoins the controller in Cisco IOS XE Dublin 17.12.2 |
|
Cisco Catalyst 9130 and 9166 APs display high channel utilization with one single client connected |
|
Controller experiences memory leak in scale network when telemetry sends client events to Cisco DNA Center |
|
Cisco Catalyst 9124AXI AP ends abnormally when channel 36 is not supported in Jordan regulatory domain |
|
Controller uses incorrect username for show platform command when logging in to the GUI |
|
Kernel ends abnormally on multiple Cisco Catalyst 9130 AP in Cisco IOS XE 17.9.5 CCO image |
|
Authenticated APs support only EAP-TLS certificate renewal after the certificate validity has fully lapsed |
|
Enabling SRG OBSS PD on controller crashes only Cisco Catalyst 9166 series AP |
|
Transmission stuck issue is observed when radar is detected in Cisco Catalyst 9120 AP |
|
Multiple Cisco Catalyst 9166 APs reload with reload reason as Kernel Panic |
|
Not able to onboard Cisco Catalyst 9800-CL on Cisco DNA Spaces |
|
Cisco Aironet 1815 AP ends abnormally due to capwapd process |
|
AP to check DELETE_VAP_PAYLOAD CAPWAP payload sanity before blindly deleting |
|
Video traffic issue is observed in best-effort only for WGB wired clients |
|
Controller experiences multiple NMSP security protocol problems |
|
AP with SKC roam causes client deletion with reason INVALID_PMKID |
|
AX APs running IoT Application do not reset BLE interface after 100 attempts |
|
AP ends abnormally on dump mutx command |
|
Cisco Catalyst 9130 AP expereinces Kernel Panic with PC at _raw_spin_locK/LR wlan_objmgr_peer_try_get_ref |
|
AP traps are not updated to Cisco DNA Center when AP joins the controller with a misconfigured state |
|
Cisco Catalyst 91xx APs experience slow speeds after modifying WLAN configuration |
|
Controller local password policy does not take effect as expected for GUI login |
|
Controller experiences unexpected reset in wncmgrd with a scaled setup and managed by the Meraki Dashboard |
|
Cisco Catalyst 9120 AP|| Sending Msg:2 in mode:2 to hostapd failed |
|
Cisco Catalyst 9120 AP experiences Kernel Panic when PC is at wlc_bmac_suspend_mac_and_wait+0x3c/0x488 |
|
Controller experiences unexpected wncd process reboot due to assertion failure with invalid BSSID |
|
FlexConnect local switching APs do not work with Per client rate limit |
|
Cisco Catalyst 9120 CAPWAP restarts with radio crash on wlc_bmac_suspend_mac |
|
Cisco Catalyst 9120 APs crash and reload due to PSM microcode watchdog |
|
Cisco Catalyst 9115 AP ends abnormally on process capwapd |
|
RRM message mismatch is observed between controller and PI report. |
|
Controller does not send ADD mobile to AP after CoA is received and client is in ip learn state for dot1x SSID |
|
Active controller becomes ActiveRecovery when RP link is down in Cisco IOS XE 17.9 |
|
Cisco Catalyst 9120 AP experiences Kernel panic when PC is at wlc_bmac_suspend_mac_and_wait+0x3c/0x488 |
|
GTK is not plumbed to driver with a GTK rekey |
|
Controller accepts reserved IPv6 multicast address to be configured as Mobility Multicast IPv6 address |
|
Unexpected reboot occurs in the controller while collecting wireless client statistics |
|
Posturing flow does not work in the controller while PMF is optional |
|
AP does not delete the stale client entry and never responds back to the client dot11 authentication |
|
Cisco Catalyst 9800-40 Series Wireless Controller running Cisco IOS-XE 17.12.2 starts failing frequently |
|
AP ends abnormally due to kernel panic when PC is at wlc_txhinfo2bandunit |
|
Cisco Aironet 2800 AP is unable to set channels (52, 120, 124, 128) in AP2800-T domain |
|
Controller GUI displays incorrect number of clients attached in AP |
|
Cisco Catalyst 9124 or 9130 AP experiences Kernel crash due to mlme_vdev_subst_start_restart_progress_event |
|
New out-of-box Cisco Catalyst 9130, 9136, or 916x APs reboots continuously with 9300H upoe+ switch |
|
Controller ends abnormally due to CPU hog and watchdog timeout by IGMPSN process |
|
Controller ends abnormally due to Keymgmt: Failed to eapol key M1 retransmit failure. Maxium retries for M1 is over |
|
AP does not plumb keys after session timeout reauthentication |
|
Controller reboots due to high ODM memory consumption |
|
L3 Multicast packets are sent in native VLAN if VLAN ID is 1 in policy profile with AAA override Flex local switching |
|
Cisco Catalyst 9136 and 9164 APs OOM stops responding multiple times |
|
AP experiences load balancer server holding wrong IP address and stale AP entries |
|
APs not applying MGID for broadcast or multicast traffic AAA override for clients behind WGB |
|
RLAN configuration using Controller GUI sets 802.1x Timeout to invalid values |
|
Comtroller changes - Per client rate limit with flex connect local switching APs does not work |
|
An RSA keypair is configured in the trustpoint configuration when a EC keypair is selected while creating a trustpoint in the controller |
|
Cisco Catalyst 91xx APs Country for Radio Slot 0 or 2 displays Blank or NA |
|
False radar detection is observed in Cisco Catalyst 9105 and 9115 APs |
|
EWC image upgrade fails in Cisco Catalyst 9124 AP |
|
Syslogs timestamps does not match the internal clock of AP |
|
Cisco Catalyst 9105 AP experiences Kernel panic crash when PC is at wlc_ampdu_dotxstatus+0x5c/0x5cc |
|
Cisco Catalyst 9120 AP experiences Kernel Panic crash in PSM watchdog CS00012342194 |
|
The MAB cannot be initiated unless the device is deauthenticated |
|
Controller voice CAC bandwidth is not cleared |
|
Inventory displays 'Internal Error' for Controller in Catalyst Center |
|
Updating of IPv6 routes in AP when AP moves from one VLAN to another |
|
Cisco Catalyst 9120 AP experiences kernel panic when PC is at pci_generic_config_read + 0x34/0x20 |
|
Cisco Catalyst 9130AX APs in FlexConnect mode stops responding due to kernel panic. |
|
Cisco IOx application starts after reboot but never reaches RUNNING state |
|
APs disjoin the controller repeatedly with traceback |
|
The MAC address of wired clients are learnt from the Cisco Catalyst 9124 MAP port |
|
APs continue to use IP addresses after sending the DHCP release |
|
Controller reloads unexpectedly due to Cisco QuantumFlow Processor (QFP) ucode while updating the drop statistics |
|
Controller does not send RADIUS account message when client sends subsequent association request before client is moved to RUN |
|
Incorrect selection of APs in load balancing |
|
Pop-ups are not displayed correctly in dark mode in the controller |
|
URL filter allows only letters as the first character |
|
Controller reboots unexpectedly due to invalid QoS parameters |
|
AP stops responding due to wlc_bmac_tx_fifo_sync |
|
Controller does not send M1 packet when client reconnects after an EAP_TIMEOUT |
|
SNMP query with bsnAPIfTable OID fails for Cisco Catalyst 9166D APs |
|
LSC provisioning fails depending on the Subject Name Parameter values |
|
Controller displays tech X empty if previous sh tech X term length stop did not complete before SSH closed |
|
Kernel panic crash is observed in Cisco Catalyst 916x or 9130 APs |
|
AP does not update the MTU value for PMTU probe causing disconnection |
|
Cisco Catalyst 9115 APs intermittently stops transmitting the multicast traffic downstream |
|
Enables slow recovery by default instead of fast recovery for beacon stuck issue. |
|
FlexConnect AP with Client QoS policy changes WLAN-VLAN mapping without manual configuration change |
|
TI AP - BLE resets, connect or disconnect times out sometimes |
|
Native mode and Cisco IOx app both use IoT uart interface leading to continuous IoT chip resets |
|
The show ap summary output takes more than 6+ minutes to complete |
|
Cisco IOS XE 17.12.3 Fast transition-over-DS Re-association response fails with reason Unspecified Failure |
|
NBAR prints error logs in AP console or syslog server |
|
OIDs bsnAPIfStationCountOnRSSI and bsnAPIfStationCountOnSNR reports incorrect values in the controller |
|
Enhanced URL missing after Flex AP CAPWAP flap |
|
After assigning new WebAdmin cert, ewlc_cert_mgr, SafeC Validation: strncpy_s: does not have enough space |
|
Cisco Aironet 2800 AP experiences kernel panic crash when PC is at dumpFwLogs+0x438/0x540 |
|
MAP reflects back client unicast traffic in the wired port |
|
Cisco Aironet 1562 MAP does not join through the RAP using EAP and flex-bridge site tag |
|
Controller supports -E domain access points in Gabon |
|
Cisco Catalyst 9115 APs intermittently stops transmitting multicast traffic downstream |
|
Syntax errors in CISCO-LWAPP-DOT11-MIB |
|
AP capwapd.service fails due to watchdog timeout |
|
Redundancy details are not populated in GUI for EWC. |
|
Cisco Catalyst 9130AX AP experiences BLE 2.7.22 Advertising 0dBm TxPower and chip sync issue during firmware upgrade |
|
Controller might reload unexpectedly due to wncmgrd process fault |
|
Controller manual flow record parameters cause flow monitor to fail and unable to remove it |
|
Cisco Aironet 1815s AP reports high channel utilization in 5-GHz |
|
Controller reboots when handling NMSP TLS connection |
|
URL filter is not applied after an invalid configuration |
|
Standby does not take the active role after reloading the active controller with reload slot X |
|
Controller stops responding due to critical software exception |
|
APs in the same controller classify each other as Rogue and alert as a threat AP Impersonation |
|
Controller sends an invalid XML character (Unicode: 0x4) found in RPC response for ap-model |
|
Cisco Catalyst 91xx AP in FlexConnect does not advertise SAE H2E in beacons or probe response causing REASON_KEY_XCHNG_TIMEOUT |
|
AP needs to check the DELETE_VAP_PAYLOAD Capwap payload sanity before blindly deleting |
|
Cisco Catalyst 9300LM switch is not compatible with Cisco Aironet 1815 WAP + 7945G IP phone connected together in a port |
|
Loadbalancer server holds wrong AP IP address resulting in stale AP entries |
|
Cisco IOS XE 17.13: Cisco Catalyst 9120 AP experiences radio crash during Longevity run 17.13.0.101 |
|
Cisco Catalyst 9800-80 Wireless Controller is reloaded with reason "Critical process wncmgrd fault on rp_0_0 (rc=134)" |
|
Controller reboots due to RRM process fault |
|
Controller marked AAA Server Down after a switchover when using key 6 password encryption |
|
During controller switchover, a client using a static IP is assigned to the wrong VLAN. |
Resolved Caveats for Cisco IOS XE Cupertino 17.9.5
Identifier |
Headline |
---|---|
CSCwf92148 |
The Cisco Catalyst 9120 AP dual 5-GHz radio does not disable High Efficiency (HE) in slot 0, when 11AX and slot 1 HE are disabled in all the configured WLANs. |
Wireless AAA dynamic VLAN assignment - The wireless clients are unable to reach each other. |
|
Cisco Catalyst 9136I APs manufactured between April 2023 and September 2023 display incorrect temperature readings. |
|
Wireless clients fail to roam in FlexConnect central authentication with Pairwise Master Key ID (PMKID) mismatch. |
|
Cisco Catalyst 9120 AP radio 1 reloads unexpectedly. |
|
IP Theft is observed when zone ID is 0x00000000. |
|
WNCD reloads unexpectedly in the controller when modifying the RF tag mapping for a RLAN slot. |
|
Cisco Catalyst 9130AXI APs reload unexpectedly due to radio failure. |
|
Cisco Aironet 1562 MAP is unable to join the RAP using Extensible Authentication Protocol (EAP) and flex-bridge site tag. |
|
Cisco Catalyst 9130 APs calculate the management frame count differently across AP chipsets. |
|
Cisco Aironet 3800 AP experiences radio firmware crash. |
|
Cisco Catalyst 9800-CL Wireless Controller reloads unexpectedly. |
|
Cisco Catalyst 9105 AP experiences radio crash during longevity test. |
|
Apple iPhone SE third edition experiences roaming failure. |
|
Cisco Catalyst 9130 APs experience kernel panic after an upgrade to Cisco IOS-XE 17.6.6. |
|
Cisco Catalyst 9130 AXI-E AP does not join the controller with TZ country code. |
|
Controller does not forward the broadcast Address Resolution Protocol (ARP) request to the wireless client. |
|
Cisco Catalyst 1815 AP ends abnormally due to kernel panic in Cisco IOS-XE Cupertino 17.9.2. |
|
Controller does not send the LLC or XID spoofed frames after a mobility event. |
|
Cisco Catalyst 9130 or 9136 APs transmit data frames to a client in power save mode. |
|
AP experiences kernic panic when SCB is in delete pending state. |
|
Cisco Catalyst 9130 APs do not send DHCP offer and acknowledgement over radio interface to the client. |
|
Controller ends abnormally when the reload reason is Critical process radio resource management (RRM). |
|
Controller GUI does not allow modifying quality of service (QoS) policies when QoS SSID policy is not set in the policy profile. |
|
Wired clients behind Cisco Catalyst 9105 AP does not pass traffic. |
|
Cisco Aironet 1852 AP reloads unexpectedly due to radio failure. |
|
Cisco Aironet 2800, or 3800, or 4800, or 1560, or Cisco Catalyst 6300 APs do not send QoS data frames downstream. |
|
Antenna-a does not function properly when ab-Antenna is included in the configuration for Cisco Catalyst 9105, 9115, or 9120 APs. |
|
Cisco Wave 1 APs improve PMTU Discovery mechanism to honor the ICMP unreachable MTU value. |
|
Controller MIB file to include all coded integer values for cRFStatusLastSwactReasonCode object. |
|
Radio firmware ends abnormally in Cisco Catalyst 9162 and 9164 APs. |
|
Dataplane issue between the controller and AP causes the association request drop. |
|
Clients join using Pairwise Master Key (PMK) cache after Change of Authorization (CoA) and Access-Reject. |
|
Cisco Catalyst Center does not display the associated APs. |
|
Cisco Catalyst 9120 AP radio firmware and CAPWAP ends abnormally during scale longevitiy. |
|
Cisco Catalyst Center users view "No radios in the selected band" message in the floor map. |
|
Cisco Catalyst 9120 APs fail to onboard new client associations. |
|
Controller does not display the SNMP OID for AP location tag. |
|
Controller ends abnormally with wncd fault on rp_0_0. |
|
Mobile devices cannot prompt incorrect password in Cisco Catalyst 9130 AP after a change in Private Shared Key (PSK) SSID password. |
|
Cisco Catalyst 9120 AP ends abnormally due to kernel panic. |
|
Redundancy Management Interface (RMI) flaps with Closed transport communication channel message. |
|
Clients are unable to roam successfully and pass traffic in SDA environment. |
|
Controller ends abnormally while collecting wireless client statistics. |
|
Client loses network access after inter-WNCD roam. |
|
Cisco Catalyst 9800-L Wireless Controller GUI is stuck while loading the Monitoring > Wireless > AP Statistics > General page for a specific Cisco Aironet 3800 AP. |
|
Wireless client is deauthenticated after an idle timeout. |
|
Cisco Catalyst 9120 AP sends authentication response failures for a specific client MAC address. |
|
CAPWAP messages are queued for more than x seconds when client throttling is turned ON. |
|
Fabric AP and VXLAN tunnel are not updated after the switch virtual interface (SVI) MAC change. |
|
Controller running Cisco IOS-XE 17.9.3 sends IGMP queries without controller IP and MAC addresses. |
|
AP in FlexConnect mode as mDNS gateway does not respond correctly when Location Specific Services (LSS) filter is enabled in 5-GHz band. |
|
Controller ends abnormally during a database abort in WNCD process. |
|
Cisco Aironet 2800 AP in FlexConnect mode does not process the EAP-TLS fragmented packets beyond a delay of 50milliseconds. |
|
Radio 0 workgroup bridge (WGB) configuration is not backed up correctly during a TFTP backup configuration. |
|
Cisco Aironet 1832 AP with Cisco IOS-XE Cupertino 17.9.2 version ends abnormally due to kernel panic. |
|
Controller allows client reconnection after client deletion and Change of Authorization (CoA) termination. |
|
The show interface status command displays maximum link speed in the auto-negotiation port. |
|
Controller does not send 802.11r mobility payload when changing the wireless mobility group name. |
|
FastLocate feature is disabled automatically when Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is enabled. |
|
Controller GUI experiences privilege escalation vulnerability. |
|
APs do not join the controller when CBAR is enabled. |
|
Controller experiences unexpected reload with "Critical process wncd fault on rp_0_0 (rc=134)". |
|
Cisco Catalyst 9120 AP in XOR mode is not updated in radio_oper_data database. |
|
Apple client does not connect to Flex WPA2+WPA3 SSID when Simultaneous Authentication of Equals (SAE) is enabled and Opportunistic Key Caching (OKC) is disabled. |
|
Controller does not send Gratuitous ARP (GARP) in IPv4 or Neighbor Advertisement (NA) in IPv6 for wireless client in RUN state after switchover. |
|
Cisco Catalyst 9105, 9115, and 9120 APs set the maximum transmit power level to -128dBm in Country IE. |
|
Wave1 APs in FlexConnect mode do not allow clients to connect and sends association-response failure after changing country code. |
|
Cisco Aironet 1830 or 1850 APs report false high channel utilization causing performance issues across 5-GHz band. |
|
Cisco Catalyst 9130AXI AP slot 1 does not announce HT(802.11an), VHT(802.11ax) and HE(802.11ax) capabilities when dual-radio is enabled. |
|
Cisco Aironet 1852 AP ends abnormally during throughput testing. |
|
Cisco Aironet 3800 AP experiences kernel panic with PC at skb_unlink+0x40/0x54. |
|
AP power profile status displays unexpected "Insufficient De-rating". |
|
Coverage Hole Detection reduces the transmission power in Slot 0 and 1 of AP. |
|
Controller sends incomplete Scalable Group Tag (SGT) information to Cisco ISE. |
|
Controller ends abnormally due to unexpected reload in the Wireless Network Controller Daemon (WNCd) process. |
|
The show wireless wps rogue ap detail command does not show the rogue client containment details. |
|
Cisco Catalyst 9115AX AP does not forward a part of the CAPWAP data packets to the uplink direction. |
|
2.4-GHz or 5-GHz radios stream both 2x2 when Cisco Catalyst 9120 AP is in critical condition. |
|
Controller GUI displays blank page after the User Login page. |
|
Controller supports -A domain access points in Guatemala (GT) country. |
|
The show wireless stats ap loadbalance summary command displays a negative value for joined or discovered APs. |
|
Cisco Catalyst 9130 AP experiences inconsistent transmission power levels advertised in Country information of beacon frames. |
|
AP reloads unexpectedly due to kernel panic when multicast DNS (mDNS) is enabled. |
|
Cisco Aironet 3800 AP reloads unexpectedly due to FIQ or NMI reset. |
|
Controller reloads unexpectedly when WNCd ends abnormally while processing the supported AP channels. |
|
Cisco Catalyst 9120 and 9115 APs unexpectedly disjoins from the controller and does not establish DTLS again. |
|
Cisco Catalyst 9120 AP ends abnormally due to kernel panic. |
|
Cisco Catalyst 9136 AP ends abnormally in Cisco IOS-XE Cupertino 17.9.4. |
|
New SSID arp0v0 is broadcasted only after a Cisco IOS-XE Cupertino 17.9.3 wireless upgrade. |
|
Apple devices are not deleted after sending Extensible Authentication Protocol (EAP) logoff messages. |
|
Controller reloads due to critical process WNCd fault. |
|
Controller IOSd ends abnormally in span_db_port_bl_to_port_list with an ERSPAN source update. |
|
Controller fails to create a Flex WLAN using the Basic Wireless Setup in public cloud. |
|
Cisco Catalyst 9130 AP does not honor the Unscheduled automatic power save delivery (U-APSD) trigger frame causing real-time protocol (RTP) stream disruption. |
|
Cisco Catalyst 9120 APs end abnormally due to kernel panic when PC is at _raw_spin_unlock. |
|
The change-of-authorization (CoA) server key appears blank in the controller GUI. |
|
Cisco Catalyst 9130 AP displays excessive CleanAir syslogs. |
|
Cisco Catalyst 9115 AP ends abnormally due to kernel panic. |
|
New clients fail to join when IO IDs are exhausted due to high volume of clients in webauth pending state. |
|
Disabling dynamic channel allocation (DCA) aggressive in 5-GHz does not take effect. |
|
Controller ends abnormally when it provisions multiple APs. |
|
Policy tag description are automatically deleted when deleting a WLAN from a location. |
|
Inconsistent transmission power levels advertised in Country information of beacon frame causes client-side issue. |
|
Clients fail to authenticate via 802.1x using EAP-TLS. |
|
Cisco Catalyst 9136 AP does not support Power over Ethernet (PoE) negotiations on both the ports. |
|
RADIUS server with fully qualified domain name (FQDN) does not update properly during Domain Name Service (DNS) periodic update. |
|
Cisco Aironet 1815 AP leaks RLAN VLAN traffic with looped port. |
|
URL filter is not applied after an invalid configuration. |
|
Cisco Catalyst 9124 AP sends incorrect duplex information through CDP. |
|
Clients performing inter-WNCD roaming using 802.11r fails due to invalid Pairwise Master Key (PMK) ID. |
|
Controller ends abnormally when performing an In-Service Software Upgrade (ISSU) upgrade. |
|
Cisco Catalyst 9130 AP fails to join the controller and sets Fast Transition data in BSSID after modifying the site tag. |
|
Cisco Wave 2 APs reboot repeatedly with Systemd critical process crash. |
|
Client gets stuck in authentication loop after an N+1 High Availability switchover. |
|
Controller reloads unexpectedly when CAPWAP window size is set to 0. |
|
Cisco Catalyst 9800-80 Wireless Controller ends abnormally after receiving analytics from AP. |
|
Controller GUI does not load the Lobby Admin page. |
|
WNCD process ends abnormally. |
|
Controller ends abnormally generating a system report with two core files (cpp_cp_svr and cpp-mcplo-ucode). |
|
Controller reloads unexpectedly due to segmentation fault in WNCd process. |
|
Cisco Aironet 2800 and Cisco Catalyst 9120 APs as supplicant cannot initiate the Extensible Authentication Protocol (EAP) process without a static IP address. |
|
Cisco Catalyst 9800-40 Wireless Controller ends abnormally after In-Service Software Upgrade (ISSU) upgrade to Cisco IOS-XE 17.9.x. |
|
Client traffic fails with N+1 when AP sends CLIENT_DEL_STOP_REASSOC. |
Resolved Caveats for Cisco IOS XE Cupertino 17.9.4a
Identifier |
Headline |
---|---|
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability For more information, see Security Advisory: cisco-sa-iosxe-webui-privesc-j22SaA4z. |
Resolved Caveats for Cisco IOS XE Cupertino 17.9.4
Identifier |
Headline |
---|---|
Cisco Catalyst 9105AXW APs do not recover after an upgrade. |
|
Controller remarks SIP packets from CS3 to CS0 in upstream or downstream when voice Channel Availability Check (CAC) is configured. |
|
Cisco Aironet 3800 AP reloads unexpectedly due to FIQ or NMI reset. |
|
Cisco Wave 2 APs: EAP-TLS fails for wired clients behind MAP. |
|
When Samsung device (Galaxy Tab S6 Lite - P610K) tries to associate with a Cisco AP, AP sends association rejected with status code 40. |
|
Device tracking stale entries are observed when FlexConnect and foreign anchor SSIDs use two different VLANs. |
|
Cisco Catalyst 9136I-ROW AP ends abnormally due to kernel panic. |
|
Client connected to flexconnect APs with profile policy is assigned to VLAN 1 instead of native VLAN. |
|
Cisco Catalyst 9115 AP stops sending traffic to the root AP after 60 seconds from its initial connection. |
|
The Cisco Catalyst 9120AXI 5-GHz radio AP remains operationally down when -A domain AP joins the controller for country Panama (PA). |
|
AP reloads unexpectedly due to CALLBACK FULL reset radio. |
|
Cisco Aironet 3800 AP radio reloads unexpectedly when the beacon is stuck. |
|
Controller reboots unexpectedly due to wncd process. |
|
Controller clears PMK ID when it fails to ressurect client entry upon N+1 AP failover. |
|
Controller might reboot due to memory corruption when processing DHCP Reply option 82. |
|
Cisco Wave 2 AP fails to forward traffic to wireless client for about 60 seconds in SDA fabric WLANs. |
|
Cisco Catalyst 9130 AP crashes due to radio recovery failure. |
|
Cisco Wave 2 AP Radio firmware reloads unexpectedly when RC queue is stuck. |
|
Controller does not send GTK M5 packet to Cisco IP Phone 8821 after fast transition roaming between wncds. |
|
Cisco Catalyst 9136 AP experiences mac-flap notification when interface speed is set to 1000. |
|
Cisco Catalyst 9115AX AP is unable to send beacons in 5-GHz radio. |
|
DHCP Option 82 is not added in WLAN with EoGRE tunnel when SVI interface is down. |
|
Cisco Catalyst 9164 and 9166 APs running Cisco IOS-XE 17.9.2 experiences DFS detections in all channels. |
|
CAWAP DATA tunnel is not formed between OEAP and controller after changing the public IP. |
|
Cisco Wave 2 AP do not encrypt EAP_ID_REQ after M1-M4 and update PMKID for dot1x Opportunistic Key Caching (OKC). |
|
Transmit Power Control (TPC) does not work as expected in the secondary radio operating in 5-GHz band. |
|
RRM crash is observed during bootup in the controller. |
|
Cisco Catalyst 9800-80 Wireless Controller - Syslog configuration does not reflect in the AP. |
|
Cisco Catalyst 9120 AP: Firmware crashed is observed when multicast and longevity is run with 80+ clients after 12 hours. |
|
Cisco Catalyst 9136 AP does not register with M2 response from client. |
|
Cisco Catalyst 9120 AP randomly crashes due to kernel panic. |
|
Cisco Catalyst 9162I AP radios experiences operational status down when AP is operating in 802.3af (default mode). |
|
Cisco Wave 2 APs drop upstream Extensible Authentication Protocol (EAP) packets. |
|
wncd reloads when creating an RRM client coverage in a large scale setup. |
|
Cisco Wave 2 APs do not send the DELETE reason to the controller resulting in stale entries. |
|
Crash is observed in standby controller while saving the QOS table to standby. |
|
Cisco Catalyst 9105AXW AP and Cisco Aironet 1815W Flex RLAN AP does not apply VLAN in the ethernet port after AAA VLAN override. |
|
Dynamic Channel Assignment (DCA) assigns wrong channels after Dynamic Frequency Selection (DFS) events. |
|
AP radio reloads unexpectedly when the beacon is stuck. |
|
wncd goes into infinite loop in customer network with 382 APs. |
|
Aeroscout T15e tags do not report the temp data due to extra bytes. |
|
Need an option to prioritize KeepAlives in the redundancy port for High Availability SSO deployment. |
|
The username is randomly missing for wireless 802.1x clients in the controller GUI or console. |
|
Cisco Catalyst 9105AXW AP detects large number of bad blocks. |
|
RRM process crashes while running Dynamic Channel Assignment (DCA) algorithm. |
|
WNCd reloads unexpectedly when accessing the Crimson database. |
|
Kernel panic is observed in Cisco Catalyst 9120 AP during Longevity test. |
|
Cisco Wave 2 APs in Flexconnect standalone mode disconnects clients on DHCP renewal every 18 minutes. |
|
Cisco Aironet 3802 AP experiences buffering when UP6 or voice traffic is less than 500ms after Spectralink phone roam causes audio issues. |
|
Controller does not respond to keepalive from AP after an AP disconnect. |
|
Wireless clients are unable to connect to Cisco Aironet 1830 AP after input or output error message. |
|
High channel utilization on 5-GHz radio when channel bonding is set to 40 MHz. |
|
Controller reloads unexpectedly. |
|
Cisco Catalyst 9800-L Series Wireless Controller displays last reload reason as 'reload' instead of "Critical process wncd fault". |
|
Controller deletes client. This could be triggered by CSCwd91054 fix. |
|
Client traffic fails after AP N+1 failover and policy update. |
|
Cisco Catalyst 9115 AP stops transmitting multicast traffic downstream. |
|
Active controller reboots when RP link comes up. |
|
Controller is sending high volume of messages matching 'brain: +(awk|sed)'. |
|
Controller is not providing Received Signal Strength (RSSI) location data for some of the RFID tags in database. |
|
Cisco Catalyst 9120 AP: Standardize calculation of management frame count across AP chipsets. |
|
VLAN group supports static IP clients when dot1x SSID have Security Group Tag (SGT) via AAA override. |
|
Cisco Catalyst 9105 AP reloads unexpectedly. |
|
Cisco Catalyst 9120 AP: Tx is stuck and AP does not respond to client's probe or authentication. |
|
Cisco Catalyst 9120 AP reloads unexpectedly due to radio firmware crash. |
|
Channel 165 is not allowed on Cisco Aironet 2800, 3800, 4800 APs. |
|
Client Data Rate chart is skewed by management rate rather than data rate. |
|
Cisco Catalyst 9800-L Series Wireless Controller crashes with last reload reason: Critical process wNCD fault on rp_0_0 (rc=139). |
|
Cisco Catalyst 9124AXI AP is not forwarding Remote LAN (RLAN) traffic to the upstream network. |
|
The controller undergoes a reload when the interface ID in the anchor message does not match. |
|
macOS Setup Assistant: Guest issue is observed. |
|
Cisco Wave 2 AP in flex N+1 failover mode doesn't transmit first CAPWAP data keepalive. |
|
The Cisco 2800, 3800, 4800, 1560, IW6300 series APs may not detect radar in the required levels after the CAC time. |
|
AP prevents a Protected Management Frame (PMF) Wi-Fi Protected Access Version 3 (WPA3) client from associating after the client initiates self-deauthentication. |
|
Cisco Wave 2 AP is leaking Network Address Translation (NAT) IP from iOX app. |
|
Cisco Catalyst 9130 AP fails to start CAPWAP as interface is reset every 52s during DHCP process. |
|
Cisco Catalyst 9120 AP: Root AP deauthenticates workgroup bridge (WGB) continuously after a roam. |
|
Controller is providing incorrect data for certain APs in response to the SNMP query bsnAPIfDot11BSSID. |
|
CAPWAP Maximum Transmission Unit (MTU) discovery issue is reported on APs. |
|
AP reloads unexpectedly when PC is at get_partial_node.isra. |
|
Rogue containment LRAD is not shown in the output of the show wireless wps rogue ap detail command. |
|
Cisco Catalyst 9130 AP advertises incorrect local power constraint value in management frames. |
|
Cisco Catalyst 9124 AP is not forwarding traffic to workgroup bridge (WGB) after a session timeout. |
|
Controller web UI menu displays cryptic feature names after upgrade. |
|
Controller crashes when running AP packet capture. |
|
The show wireless client summary detail command output is not showing all IPv6 addresses. |
|
The AP manager experiences a crash while performing an ISSU upgrade to version 17.9.3, leading to the controller entering a boot loop. |
|
Access points intermittently stop sending Internet Group Management Protocol (IGMP) membership report. |
|
AP LED flash is automatically turning on after a reboot. |
|
Enabling Application Visibility and Control (AVC) on wireless policy profiles containing special characters results in the web UI entering a hung state. |
|
The Inter-Release Controller Mobility (IRCM) client is deleted silently after a profile name mismatch. |
|
Revise the error message displayed during one-shot AP Service Pack (APSP) installation to enhance clarity. |
|
Load average warning is displayed even when Cisco Catalyst 9800-80 Series Wireless Controller is healthy. |
|
Day 0 factory image for new out of the box Cisco Catalyst 9130 AP (VID03) does not contain iox.tar.gz. |
|
Controller is not plumbing IPv4 address in IP Source Guard (IPSG) datapath on Central Web Authentication (CWA) SSIDs for clients having single IPv4 address. |
|
Cisco Aironet 1815W AP crashes due to Out of Memory (OOM); WCPD is causing Out of Memory in 8.10.171.0 (MR7). |
|
The LEDs on the APs are sporadically changing to a white color. |
Resolved Caveats for Cisco IOS XE Cupertino 17.9.3
Identifier |
Headline |
---|---|
COS-APs are stuck in bootloop due to image checksum verification failure. |
|
FlexConnect client is intermittently unable to reconnect to an AP. |
|
Regular ASR support field is disabled for supporting clients. |
|
Cisco Aironet 3800 series AP crashes due to kernel panic (PC is at vfp_reload_hw+0x30/0x44). |
|
Cisco Catalyst AP 1852: Radio firmware crash is observed. |
|
Controller HA dual active scenario is observed when standby controller is reconnecting to HA pair. |
|
Cisco Catalyst 9124 MAP fails to connect to Cisco Aironet 1562 RAP after first reload of MAP. |
|
Cisco Aironet 4800 AP: Firmware radio crash is observed. |
|
Cisco Catalyst 9166I AP: Multiple cores are reported after image upgrade. |
|
Flash file system corruption is observed on AIR-CAP2702E-K-K9. |
|
Cisco Catalyst 9120 AP shows very high noise level on 5-GHz radio. |
|
Controller crash is observed on libewlc_client_dpath_svc.so. |
|
Cisco Catalyst 9166 AP: Radio-2 firmware crash is observed - Thread ID: 0x00000014 Thread name: WLAN_SCHED0;PC: 0x015dc73c. |
|
Cisco Catalyst 9300 Series Switch is not flushing remote MAC address after roaming to a local AP. |
|
Cisco Catalyst 9166 AP: XoR radio (slot-2); switching between 5-Ghz and 6-Ghz causes kernel panic. |
|
Cisco Aironet 1815I AP reboot: PC is at edma_poll / LR is at dma_cache_maint_page. |
|
PI 3.10.1: Associated APs with controller is showing interface "Half duplex". |
|
Memory leak is observed in wncd process when under load. |
|
Linux iosd crash on standby controller during reload of the Cisco Catalyst 9800-L Wireless Controller. |
|
802.11r re-auth failed due to invalid Pairwise Master Key ID (PMKID) while doing inter-WNCD roaming. |
|
AP Join issues reported due to stale client entries. |
|
Timer is not running state client not deleted by controller. |
|
Cisco Catalyst 9130 AP: Beacon with incorrect datarates - different rates for same slot on different BSSIDs. |
|
Inject path crash is observed on controller switch on IPv6_qos. |
|
CAPWAP wireless traffic is getting the same Security Group Tag (SGT) as the corresponding incoming wired traffic. |
|
Cisco Catalyst 9120 AP cannot operate in mGig when EEE is enabled on switchport. |
|
Cisco Catalyst 9120 AP: CleanAir sensor is crashing. |
|
Controller fails to update AP config with error "% Error: no ap_name exists". |
|
N+1 HA for FlexConnect is not working. |
|
Cisco Catalyst 9136 AP in sniffer mode suffers capwapd crash followed by join/disjoin loop. |
|
Cisco Catalyst 9120 AP: Kernel panic crash is observed. |
|
Cisco Aironet 2700 AP: Ignore CAPWAP_PAYLOAD: AP_LAN_CONFIG payload having invalid RLAN port enable value. |
|
Clients are getting deauth immediately after getting IP address in LWA+LocalSW+CentralAuth. |
|
Controller is not following the Dynamic Channel Assignment (DCA) sensitivity threshold. |
|
Wireless load balancing affinity incorrectly shows AP site tag as default-site. |
|
Redundancy fails during double bit ECC error |
|
Cisco Catalyst 9117 AP reloads unexpectedly due to kernel panic at console_unlock+0x320/0x3ac. |
|
AP reloads due to kernel panic - not syncing: softlockup: hung tasks. |
|
Cisco Catalyst 9130AXE AP with Dart connectors are stuck at channel 36. |
|
Cisco Catalyst 9105AXI AP is requesting 30 watts instead of 15.4 watts. |
|
IP Theft occurs due to stale client entries in the ODM database. |
|
License: Remove reporting interval (fixed 8 hours) and change Sync report to a user action. |
|
Controller is failing to update dynamic channel assignment (DCA) channels in radio resource management (RRM) are stuck. |
|
Cisco Aironet 3800 AP is consistently reporting high QoS Basic Set Service (QBSS) load. |
|
AIRESPACE-WIRELESS-MIB: bsnAPIfType OID documentation incomplete. |
|
AP is not initiating gRPC connection to Cisco DNA Center correctly after token expiry. |
|
Cisco Aironet 3802 AP: Kernel crash is observed. |
|
Wired clients behind workgroup bridge (WGB) are not getting IP address in anchor WLAN. |
|
Wave 2 APs: Systemd critical process crash - dnsmasq-host.service failed. |
|
Controller GUI logging buffer size display is incorrect. |
|
Cisco Catalyst 9130 AP is dropping EAP-TLS frames. |
|
Cisco Catalyst 9120 AP: Kernel panic is observed with PC is at pci_generic_config_read+0x34/0xa8. |
|
Cisco Catalyst 9136I AP: GRPC crash is observed. |
|
Cisco Catalyst 9120 AP fails EAP-TLS port authentication after Plug and Play (PnP) configuration is pushed. |
|
Cisco Catalyst 9800-80 Series Wireless Controller shows high CPU utilization in wncd with 200 APS due to WSA. |
|
SIGSEGV crash is observed when incrementing roaming statistics. |
|
Controller crashes due to netflow watchdog and observed CPU HOG in wncmgrd due to scale netflow. |
|
Cisco Catalyst 9136 AP: AP radios are going down if country code is set to RO. |
|
Cisco Catalyst 9105 OEAP: Personal SSID is not advertising HE IE in beacon. |
|
Wcpd crashes after reusing freed packets. |
|
Profile mismatch counter is not increasing. |
|
Cisco Aironet 3802 AP: Broadcasts different power values in beacon country IE. |
|
Cisco Catalyst 9130 AP: Radio firmware crash is observed. |
|
Cisco Aironet 1840 OEAP: Crash is observed due to radio failure. |
|
Wireless client are unable to communicate after session timeout when AP dropped once during the session. |
|
IOS AP image validation certificate failed/expired, causing AP join issues. |
|
Cisco Catalyst 9130 AP is not sending EAP_ID_RESP next assoc-req after PMF client tx deauth in middle of EAP handshake. |
|
Cisco Aironet 1830 AP: Wireless clients are unable to connect - "writing to fd 27 failed!". |
|
EWC: AP is not sending packets from wired interface to subnet 192.168.129.0/24. |
|
Adding static IP MAC binding to device tracking fails. |
|
Cisco Catalyst 9164 AP: Crash is observed on Radio 1. |
|
Cisco Catalyst 9115 AP: Crash is observed on Radio 1. |
|
Controller should not enable 2nd 5Ghz radio for 9124E with PoE+ (30W). |
|
Unable to login to controller GUI or CLI with the user created by Day 0 Wizard. |
|
The snmp-server host command is not filtering characters properly (Fails when name is e.g.TEST\). |
|
Poor reassociation behavior is observed between Spectralink 84xx series phones and Cisco Catalyst 9136 APs. |
|
Controller GUI cannot configure HA/SSO if wireless mgmt interface is not configured. |
|
EWC: Mesh ap factory reset mode cannot be set to EWC after converting it to CAPWAP and factory-reset. |
|
Crash is seen on "Critical process rrm fault on rp_0_0 (rc=139)". |
|
QoS Page is not loading when access control list (ACL) has double quote special character in the name. |
|
AP filter error in the controller GUI when add operation follows edit/view. |
|
Console Flood- check_dot1x_feature_status: config change or tams_init_not_done. |
|
Certificate failures observed when joining APs to Cisco Catalyst 9800 controller using CMCA III. |
|
Cisco Catalyst 9162 AP crashes due to radio failure. |
|
Cisco Catalyst 9166 APs are stuck in CAPWAP state. |
Resolved Caveats for Cisco IOS XE Cupertino 17.9.2
Caveat ID |
Description |
---|---|
Cisco Catalyst 9130 Access Point drops packets on-air for Phoenix WinNonlin application. |
|
Cisco Aironet 2802 and 3802 Access Points experience kernel panic crash when 8.10.151.0 image is executed. |
|
Cisco Catalyst 9120 Access Points send Authentication response frames to clients after long delays. |
|
Default credential does not work after factory reset in Cisco Aironet 1815 and 1832 Access Points. |
|
Conversion of Mobility Express Access Points from ME to CAPWAP mode using DHCP option 43 does not work. |
|
Cisco Catalyst 9130 Access Point sends incorrect channel list in out-of-band DFS event causing client connectivity issues. |
|
Cisco Aironet 2802 Access Point reloads unexpectedly on 8.10.171 release version. |
|
Cisco Catalyst 9120, 9115, and 9105 Access Points experience radio firmware crash with Cisco IOS-XE 17.3 or later releases. |
|
Cisco Aironet 3800 Access Points experience WCPd crash when running 17.3.1 image. |
|
An access point fails to forward packets when using 10.128.128.127 or 10.128.128.128 addresses. |
|
EAP-TLS clients behind the Mesh Access Point (MAP) experience authentication failure. |
|
Cisco Catalyst 9105AXW Access Point introduces latency when clients use RLAN ports. |
|
Cisco Wave 2 Access Points: CAPWAP MTU flapping occurs due to asymmetric MTU between Access Point to controller and vice-versa. |
|
CleanAir statistics are not visible in Cisco Catalyst 9130 Access Points when joined to EWC. |
|
Cisco Wave 2 Access Points in Local mode sends Address Resolution Protocol (ARP) requests to wireless clients from 10.128.128.128 IP address. |
|
Changing an Access Point site or policy tag to a Flex local switching set intermittently causes client connectivity failure to local web auth WLANs. |
|
Cisco Catalyst 9117 Access Point reloads unexpectedly due to kernel panic with "dp_print_host_stats" logs. |
|
Workgroup Bridge (WGB) with static IP loses IP address after multiple roams. |
|
CAPWAP flapping is observed when VRRPv3 is present in the network. |
|
Backslash "\" in the end of the RADIUS servers' shared secret is not allowed for FlexConnect groups configuration. |
|
Cisco Catalyst 9130 Access Point experiences kernel panic crash in Local mode when full data packet capture is enabled. |
|
Cisco Aironet 1832 Access Point crashes due to radio failure. |
|
Controller running Cisco IOS-XE 17.3.5a with Cisco Aironet 3800 Access Point in Flex local switching does not forward IP fragmented packets received with DF. |
|
Access Point stops transmitting UBPR in 6-GHz when it is active in 2.4-GHz or 5-GHz band. |
|
Wireless clients cannot reach each other as ARP resolution fails when performing dynamic VLAN assignment using AAA with SSID. |
|
Continuous wncmgrd CPUHOG traceback with scale Flexible NetFlow (FNF) mapping to policy profile results in 100% wncd utilization. |
|
Multicast data is not sent to clients and few Access Points are unable to join the controller. |
|
Client traffic fails when client roams between access points with a transition between dot11r and dot11i. |
|
High Availability split brain is observed due to multiple secondary addresses in the interface. |
|
Client fails to connect when protocol based Quality of Service (QoS) is configured. |
|
Controller experiences an unexpected reset resulting in a system report containing a wncd core file. |
|
Cisco Catalyst 9800-80 Wireless Controller crashes when using WLAN profile with 32 characters and disabled voice Channel Availability Check (CAC). |
|
Cisco Catalyst 9800 Wireless Controller - Link down due to local fault. |
|
Controller does not update Radio Frequency Identification (RFID) location properly. |
|
The AAA VLAN override is not considered with iPSK authentication and anchor WLAN. |
|
Few OIDs in CISCO-ENHANCED-MEMPOOL-MIB display "No instance after switchover" in Cisco IOS-XE 17.6.1. |
|
Controller does not send LLC or XID spoofed frames after a mobility event. |
|
Controller crashes intermittently due to wncd critical process failure. |
|
Radio Resource Management (RRM) startup mode gets triggered on every reboot as the controller does not keep track of the last state. |
|
Controller MAC filtering: WLAN profile column displays the WLAN name and description. |
|
Syslog "LISP RELIABLE REGISTRATION" needs to be enhanced. |
|
Restore configuration by HTTP mode does not work in EWC. |
|
Controller does not send LLC or XID spoofed frames after a mobility event. |
|
Cisco Catalyst 9300 switch interface generates RUM reports every 8 hours when AIR controller licenses are handled incorrectly. |
|
Access Points operate in disabled RF profile channels in Cisco IOS-XE 17.6.2 release version. |
|
Need to increase the 8 IP address limit in the controller datapath. |
|
Switch Integrated Security Features (SISF) crash is observed when handling the DHCP messages. |
|
Active chassis gets stuck during SSO failover in Cisco IOS-XE 17.9 release version. |
Resolved Caveats for Cisco IOS XE Cupertino 17.9.1
Caveat ID |
Description |
---|---|
Fast Transition capable Apple and Android clients are unable to authenticate with IPSK profile. |
|
High latency and packet drops are observed when associated to Cisco Catalyst 9130 AP. |
|
Cisco Aironet 1815T AP: OEAP kernel panic crash is observed. |
|
Cisco Aironet 3800 AP: Slot0 BSSID beacon frames are received on slot1 radio. |
|
Secondary controller crash is observed during redundancy switchover. |
|
6 GHz RRM: Channel-aware TPC is always on for 6 GHz TPC. |
|
Cisco Wireless 9166 AP crashed at ieee80211_mbssid_del_profile upon flapping WLAN. |
|
AP sends empty FlexConnect client cache payload to controller after successful client FT-SAE roam. |
|
Cisco Wave 2 AP: Able to do SSH to AP when AP SSH global config is disabled. |
|
Cisco Aironet 1832 AP reloads due to radio failure - Beacons are stuck on radio. |
|
Observed a crash while joining AP with name that already exists on controller. |
|
APP hosting segmentation doesnt work on Cisco Catalyst 9100 AP connected to a controller running 17.6.3. |
|
6 GHz radio: Frequent channel changes are observed due to high utilization. |
|
Memory leak is observed while deleting and adding mDNS rules. |
|
WGB ping gateway failed after wgb associate to ap in 2.4 GHz and trigger wgbwiredclient get ipv4. |
|
Cisco Aironet 3800 AP: Crash is observed due to led_core on ap. |
|
6 GHz: Beacon stuck + QBSS 100%; no recovery ap. |
|
Transmission power is not getting applied to Slot 1 on AP. |
|
Not able to login AP CLI with credentials in site survey mode. |
|
Unable to add AP location name on web UI with a space. |
|
Cisco Aironet 1815 and 1832 APs: Default credentials are not working after the factory reset. |
|
Controller does not accept Cisco Catalyst C91xx Series Access Points as TrustSec capable platform. |
Troubleshooting
For the most up-to-date, detailed troubleshooting information, see Troubleshooting TechNotes.
Related Documentation
-
MIB Locator to locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business results you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco DevNet.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.