Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 7.5.102.0
Controller and Access Point Platforms
Controller Platforms Supported
Access Point Platforms Supported
Controller Platforms Not Supported
Software Release Support for Access Points
Upgrading to Controller Software Release 7.5.102.0
Upgrading to Controller Software Release 7.5.102.0 (GUI)
Special Notes for Licensed Data Payload Encryption on Cisco Wireless LAN Controllers
Downloading and Installing a DTLS License for an LDPE Controller
Upgrading from an LDPE to a Non-LDPE Controller
Interoperability With Other Clients in 7.5.102.0
Features Not Supported on Controller Platforms
Features Not Supported on Cisco 2500 Series Controllers
Features Not Supported on WiSM2 and Cisco 5500 Series Controllers
Features Not Supported on Cisco Flex 7500 Controllers
Features Not Supported on Cisco 8500 Controllers
Features Not Supported on Cisco Virtual Wireless Controllers
Features Not Supported on Mesh Networks
FCC Safety Compliance Statement
Obtaining Documentation and Submitting a Service Request
These release notes describe what is new in this release, instructions to upgrade to this release, and open and resolved caveats for this release. Unless otherwise noted, all of the Cisco Wireless LAN controllers are referred to as controllers, and all of the Cisco lightweight access points are referred to as access points or Cisco APs.
For more information about compatibility with the other wireless products and their releases, see:
http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
These release notes contain the following sections:
The section contains the following subsections:
The following controller platforms are supported in this release:
The following access point platforms are supported in this release:
http://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78_461543.html
http://www.cisco.com/c/en/us/products/collateral/routers/887-integrated-services-router-isr/data_sheet_c78_459542.html
http://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-613481.html
http://www.cisco.com/c/en/us/products/collateral/routers/880-3g-integrated-services-router-isr/data_sheet_c78_498096.html
http://www.cisco.com/c/en/us/products/collateral/routers/880g-integrated-services-router-isr/data_sheet_c78-682548.html
http://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-519930.html
Note The AP802 is an integrated access point on the Next Generation Cisco 880 Series ISRs.
Note Before you use an AP802 series lightweight access point with controller software release 7.5.102.0, you must upgrade the software in the Next Generation Cisco 880 Series ISRs to Cisco IOS 151-4.M or later releases.
The following controller platforms are not supported:
This section provides a brief description of what is new in Release 7.5. For instructions on how to configure these features, see the Cisco Wireless LAN Controller Configuration Guide, Release 7.5 (hereafter referred to as the configuration guide) at
http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-installation-and-configuration-guides-list.html
Some important points to note:
– If you downgrade from Release 7.5.102.0 to an earlier controller software release and you connect the Cisco AP3600 with the 802.11ac module to the controller, the Cisco AP3600 works as expected, but the 802.11ac is not visible. When you upgrade to Release 7.5.102.0 again, all the 802.11ac parameters are set to default values.
– When FlexConnect APs switch to standalone mode (WAN link down), the 802.11ac clients move to the 802.11n radio and the 802.11ac module is disabled. When the WAN link comes up, the 802.11ac module is enabled and the 802.11ac clients move back to the 802.11ac radio.
– The LED scheme for Cisco AP3600 has changed to reflect the presence of the 802.11ac module. When you enter a command to locate an AP, the AP LEDs now flash the red and green lights as opposed to the blue light previously.
For more information about the 802.11ac module on Cisco AP3600, see:
http://www.cisco.com/c/en/us/products/wireless/aironet-3600-series/relevant-interfaces-and-modules.html
For more information about configuring the 802.11ac parameters, see the “Configuring 802.11ac Parameters” section in the configuration guide.
The UNII-2 Extended channels in 5470-5725 (excluding 5600 to 5650) are supported.
The following are the complete set of channels in the 5-GHz bandwidth with –Z:
– 5470 to 5725 (excluding 5600 to 5650)
For more information, see the Declaration of Conformity at:
http://www.cisco.com/web/dofc/1087946.pdf
http://www.cisco.com/c/en/us/support/wireless/aironet-700-series/tsd-products-support-series-home.html
The Cisco SFP-10G-LR module supports a link length of 10 kilometers (6.2 miles) on a standard single-mode fiber (SMF, G.652).
A new submenu, DNS, has been added to the Security > AAA > RADIUS and the Security > AAA > TACACS+ menus, which you can use to get RADIUS or TACACS+ IP information from the DNS server.
Note DNS is disabled by default.
For more information about configuring DNS, see the “Configuring RADIUS” and “Configuring TACACS+” sections in the configuration guide.
– Get the interface details by entering this command:
– Ping from an interface of your choice by entering this command:
– On the controller CLI, enter the show ap summary command.
– On the controller GUI, choose Wireless > All APs.
You can view the IP address of the AP when you see the client summary:
– On the controller CLI, enter the show client summary command.
– On the controller GUI, choose Monitor > Clients.
Output that is similar to the following is displayed:
Similarly, you can exclude the lines that match a given string by entering the grep exclude command.
The search string is case sensitive. Use single-quotes (‘ ’) if your string contains spaces.
The search string cannot contain only wild cards (*, ?, and so on). However, you can include wild cards along with the search string that contains other text. For example, if you want to see all the information that starts with the string ‘Sys’ in the output of the show sysinfo command, enter this command:
Note The search match counts all lines of the output of the command. Use the grep command to print only the lines that match a pattern. This is useful when the output of certain show commands is lengthy and you have to scroll multiple times to get to the information that you need.
1. On the controller GUI, choose WLANs.
2. On the WLANs page that is displayed, click Change Filter.
3. In the Search WLANs dialog box that is displayed, select the Profile Name check box and enter wlan* in the adjacent text box.
The wildcard option is available for all menus that have the Change Filter option:
– Monitor > Access Points > Radios > 802.11a/n/ac | 802.11b/g/n | Dual-Band Radios
– Monitor > Cisco CleanAir > 802.11a/n/ac | 802.11b/g/n > Interference Devices
– Monitor > Cisco CleanAir > 802.11a/n/ac | 802.11b/g/n > Air Quality Report
– Wireless > Access Points > All APs
(MAC Address, AP Name, AP Model)
– Wireless > Access Points > Radios > 802.11a/n/ac | 802.11b/g/n
In this release, the mesh APs can ping and be pinged even before they are associated with the controller.
Deauthenticate a client by entering this command:
Note It is not possible to configure this enhancement on the controller GUI.
In the earlier releases, you could configure Telnet only for all local management users at the global level. By default, all the local management users were allowed to use Telnet to connect to the controller.
Now, the Telnet Authority Management feature is enabled only after you enable Telnet globally. By default, all Telnet user capability is in an enabled state.
Also, the SSH connection behavior is not affected by the Telnet Authority Management feature.
For more information, see the “Configuring Telnet Privileges for Selected Management Users” section in the configuration guide.
The licensing information overrides the configured value if the configured number of APs is greater than what the license allows.
You must reboot the controller after you change the configured number of APs supported.
For more information, see the “Configuring the Maximum Number of Access Points Supported” section in the configuration guide.
The Cisco 2500 Series, Cisco 5500 Series, Cisco WiSM2, or the Cisco 5760 Wireless LAN Controller functions as a mobility controller with the Cisco Catalyst 3850 switch. The mobility controller is part of a hierarchical architecture that consists of a mobility agent and a mobility oracle.
For more information, see the “Configuring New Mobility” chapter in the configuration guide.
Note The epings are not available in Cisco 5500 Series WLC when New Mobility is enabled.
– Redundancy ports can operate over a Layer 2 connection (multiple intermediate switches or routers). Therefore, a direct connection is not required.
– A client stateful switchover (SSO) across geographical locations is supported. Clients that are not in Run state are removed after the switchover. During a stateful switchover of a client (client SSO), the information of the client is synchronized with the standby controller when the client associates with the controller, or is configured. Clients that are fully authenticated, that is, clients that are in the Run state, are synchronized with the peer controller. The data structures of clients are synchronized based on the client state. Clients that are in a transient state are dissociated after a switchover.
For more information, see the “Configuring Local Policies” section in the configuration guide.
The Application Visibility and Control Protocol Pack (AVC Protocol Pack) is a compressed file that contains multiple Protocol Description Language (PDL) files and a manifest file. A set of required protocols can be loaded, which helps AVC to recognize additional protocols for classification on your wireless network. The manifest file gives information about the protocol pack, such as the protocol pack name, version, and information about the available PDLs in the protocol pack.
http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-installation-and-configuration-guides-list.html
– The processing of Multicast DNS (mDNS) service advertisements and mDNS query packets is enhanced to support Location Specific Services (LSS). All valid mDNS service advertisements that are received by the controller are tagged with the MAC address of the AP that is associated with the service advertisement from the service provider while inserting the new entry into the service provider database. The response formulation to the client query filters the wireless entries in the service provider database using the MAC address of the AP associated with the querying client.
LSS applies only to wireless service provider database entries. There is no location awareness for wired service provider devices.
– In Release 7.4, a configured service was learned from wired or wireless devices and there was no option to restrict the learning to only wired devices or only wireless devices or both types of devices. In this release, you can configure a service to filter inbound traffic that is based on its origin and is either wired or wireless. All the services that are learned from the mDNS AP are treated as wired. When the learn origin is wired, the LSS cannot be enabled for the service because LSS applies only to wireless services.
– In Release 7.4, there was a limit of 100 service providers per service type. In this release, this restriction is removed. However, there is a global service provider limit per controller model as shown in this table:
– You can configure up to 50 MAC addresses per service; these MAC addresses are the service provider MAC addresses that require priority. This guarantees that any service advertisements originating from these MAC addresses for the configured services are learned even if the service provider database is full by deleting the last nonpriority service provider from the service that has the highest number of service providers. When you configure the priority MAC address for a service, there is an optional parameter called ap-group, which allows only wired service providers to associate a sense of location to the wired service provider devices. When a client mDNS query originates from the ap-group, the wired entries with priority MAC and ap-group are looked up and those entries are listed first in the aggregated response.
– In Release 7.4, the controller could learn the mDNS services that are visible only on the network. In this release, the mDNS AP feature allows the controller to have visibility of wired service providers, which are on VLANs that are not visible to the controller. You can configure any AP as an mDNS AP to allow the AP to forward mDNS packets to the controller. VLAN visibility at the controller is achieved by APs that forward the mDNS advertisements to the controller. The mDNS packets between the AP and the controller are forwarded through a CAPWAP data tunnel that is similar to mDNS packets from a wireless client. Only CAPWAP v4 tunnels are supported. APs can be in either access port or the trunk port to learn the mDNS packets from the wired side and forward them to the controller.
– Multicast DNS stateful switchover (mDNS SSO) is part of the Client SSO where mDNS configuration on an active controller is synchronized with the standby controller. Synchronization of mDNS AP information is not required.
For more information, see the “Configuring Multicast DNS” section in the configuration guide.
Cisco Virtual Wireless Controller on Cisco Service-Ready Engine (SRE) or UCS-E
For more information, see the “Configuring Authentication for Sleeping Clients” section in the configuration guide.
– In the earlier releases, you had to configure security policies manually. In this release, you can choose a security level that is defined in the system for your rogue policy. The available options are: Low, High, Critical, and Custom (default).
– In the earlier releases, the unicast deauthentication messages were sent at broadcast rates. The lowest supported rate was 1 Mbps on a 2.4-GHz band and 6 Mbps on a 5-GHz band. In this release, you can choose to optimize the rate to use the best rate for the target rogue. The AP selects the best rate based on rogue RSSI.
– In the earlier releases, you could validate rogue clients against AAA. This required you to statically enter each valid client MAC address into AAA. In this release, you can validate the rogue clients against the Cisco Mobility Services Engine.
– In the earlier releases, access points in the local mode and the monitor mode, and FlexConnect access points in the connected mode could be used to contain rogues. However, FlexConnect access points that moved to the standalone mode stopped containing rogues. In this release, FlexConnect access points that move to the standalone mode continue to contain rogues. They also apply the policy that is received from the controller.
– In the earlier releases, you had to manually define how many APs must be used to contain rogues. This depended on the time and location. In this release, you can configure the controller to automatically assign the number of APs to contain rogues. For each rogue to be contained, the controller calculates the available number of APs based on rogue RSSI and the AP utilization level and channel, and then dynamically selects the number of APs to use.
– In the earlier releases, you could create rogue policy rules based on SSID, but the SSID had to be an exact match. In this release, you can create rogue policy rules based on wildcard SSID, where the rule is enforced by any SSID that contains the wildcard SSID string. You can configure up to 25 wildcard rules per rogue rule.
– In the earlier releases, if a rogue was already classified by a rule, the rogue was not classified again. In this release, this behavior is enhanced to allow reclassification of rogues based on the priority of the rogue rule. The priority is determined by using the rogue report that is received by the controller.
– In the earlier releases, when you configure rogue policy rules, you could set the state to Alert, Internal, or External. In this release, you can also set the state to Delete. If a rogue device matches a rule, the alarm is silently deleted from the controller database. No trap is sent to Cisco Prime Infrastructure. This helps you to delete unwanted AP or ad hoc entries in the controller, which you do not want to be alerted about, thus avoiding the unnecessary action of adding the MAC address to a friendly or ignore list.
For more information about the rogue policy enhancements, see the “Managing Rogue Devices and Classifying Rogue Access Points” sections in the configuration guide.
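The following is an added example, not controller code or Cisco's implementation: a small model of the wildcard SSID match, priority-based reclassification and Delete state described above, with a check that lists SSIDs whose rogues would be dropped without an alarm. The rule names, SSIDs and MAC addresses are constructed, and the priority ordering (lower number wins) and case-sensitive matching are assumptions.

```python
from dataclasses import dataclass

MAX_WILDCARDS = 25                      # per rogue rule, from the release note
STATES = ("Alert", "Internal", "External", "Delete")


@dataclass(frozen=True)
class RogueRule:
    name: str
    priority: int                       # assumption: lower number = higher priority
    wildcards: tuple                    # wildcard SSID strings
    state: str

    def __post_init__(self):
        if self.state not in STATES:
            raise ValueError(f"unknown state {self.state!r}")
        if not 1 <= len(self.wildcards) <= MAX_WILDCARDS:
            raise ValueError("a rule takes 1 to 25 wildcard SSID strings")

    def matches(self, ssid: str) -> bool:
        # The rule applies to any SSID that contains a wildcard string.
        # Case-sensitive comparison is an assumption of this model.
        return any(w in ssid for w in self.wildcards)


def first_match(rules, ssid):
    """Return the highest-priority rule that matches ssid, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ssid):
            return rule
    return None


def process_reports(rules, reports, reclassify=True):
    """Replay (mac, ssid) rogue reports and return (database, traps).

    reclassify=False models the earlier behaviour (a classified rogue is
    never classified again); True lets a higher-priority rule take over.
    """
    db, traps = {}, []
    for mac, ssid in reports:
        rule = first_match(rules, ssid)
        if rule is None:
            continue                    # unmatched rogues are outside this model
        current = db.get(mac)
        if current is not None:
            if not reclassify or rule.priority >= current.priority:
                continue
        if rule.state == "Delete":
            db.pop(mac, None)           # entry removed and no trap is sent
            continue
        db[mac] = rule
        traps.append((mac, rule.name, rule.state))
    return db, traps


def silently_deleted(rules, ssids):
    """Return {ssid: rule name} for SSIDs whose first matching rule is Delete."""
    hits = {}
    for ssid in ssids:
        rule = first_match(rules, ssid)
        if rule is not None and rule.state == "Delete":
            hits[ssid] = rule.name
    return hits


# Constructed rule set and reports (MACs from the documentation range).
RULES = (
    RogueRule("corp-spoof", 1, ("CorpWiFi",), "Alert"),
    RogueRule("neighbours", 2, ("Cafe", "Guest"), "Delete"),
    RogueRule("printers", 3, ("DIRECT-",), "External"),
)
REPORTS = [
    ("00:00:5e:00:53:01", "DIRECT-printer"),
    ("00:00:5e:00:53:01", "CorpWiFi"),      # same radio, new SSID
    ("00:00:5e:00:53:02", "Cafe-Free"),
]

if __name__ == "__main__":
    print(silently_deleted(RULES, ("CorpWiFi", "CorpWiFi-Guest", "Corp-Guest")))
    print(process_reports(RULES, REPORTS)[1])
```

In this constructed rule set, "Corp-Guest" contains the wildcard "Guest" of a Delete rule and matches no higher-priority rule, so a rogue advertising it would leave neither an entry nor a trap.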
– In the earlier releases, CAPWAP control was encrypted by default and CAPWAP data was encapsulated, but not encrypted by default. In the virtual controllers, the option to encrypt data traffic for specific APs was not present. In this release, DTLS data encryption between APs and virtual controller is supported. Without Data DTLS, the average virtual controller throughput is about 200 Mbps. With all the APs using Data DTLS, the average virtual controller throughput is about 100 Mbps.
For Cisco 600 Series OEAP to associate with Cisco Virtual Wireless LAN Controller, follow these steps: First, configure the OEAP to associate with a physical controller that is using Release 7.5 and download the corresponding AP image. Next, configure the OEAP so that the OEAP does not associate with the physical controller again; for example, you can implement an ACL in the network to block CAPWAP between the OEAP and the physical controller. Next, configure the OEAP to associate with the Cisco Virtual Wireless LAN Controller.
– You can now assign rate limiting to client traffic. You can configure rate limiting at the QoS profile level or the WLAN level. The WLAN configuration overrides the QoS profile-level configuration.
Rate limiting is enforced at the AP level. It is not possible to enforce rate limiting at the virtual controller level because per client downstream rate limiting is not supported for central switching WLANs when traffic is terminated at the virtual controller.
Per client downstream rate limiting is supported if the virtual controller is a foreign controller tunneling traffic to another controller platform, for example, a Cisco 5500 Series Wireless LAN Controller.
– In the earlier releases, you could use the FlexConnect AP for local authentication using LEAP and EAP-FAST. In this release, you can also use EAP-TLS and PEAP.
EAP-TLS and PEAP are supported in the FlexConnect APs that are in the standalone mode and when local authentication is enabled on a WLAN.
FlexConnect APs perform 802.1X authentication on the AP itself using the local RADIUS server.
When EAP-TLS and PEAP are enabled, regardless of the authentication method, up to 100 clients per radio are supported.
– In the earlier releases, you could configure WLAN-to-VLAN mapping for FlexConnect APs. However, it was not possible to apply WLAN-to-VLAN mapping to several FlexConnect APs that belonged to a FlexConnect group. In this release, you can configure a WLAN-to-VLAN mapping to a FlexConnect group, thereby configuring the mapping for all the APs in the FlexConnect group.
The individual AP settings have precedence over the FlexConnect group and global WLAN settings. The FlexConnect group settings have precedence over global WLAN settings.
The AP-level configuration is stored in Flash; WLAN and FlexConnect group configurations are stored in RAM.
When an AP moves from one controller to another, the AP can keep its individual VLAN mappings. However, the FlexConnect group and global mappings will be from the new controller.
– In the earlier releases, you could have a per client access control list (ACL) for centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.
In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
– In Release 7.4, AAA could override individual client bandwidth contract, in the downstream direction, for the APs in the local mode and the FlexConnect APs with central switching. AAA override allows for configuration of per client rate limiting for downstream traffic for UDP (real-time) and TCP (data) traffic. Both the average rate and the burst rate can be configured. In this release, this feature is enhanced to support FlexConnect APs with local switching.
– In Release 7.4, the 802.11w standard for Management Frame Protection was introduced and supported on all the 802.11n-capable APs. In this release, this feature has been enhanced to support FlexConnect APs. The following scenarios are supported: central authentication and local authentication; local switching and central switching; key is maintained when the AP switches from the connected to the standalone mode and then back to the connected mode if there is no change on the WLAN in the controller; key is maintained when HA SSO becomes effective. Besides these, both flat and new mobility are supported.
This feature is supported on all controller platforms including Cisco Virtual Wireless LAN Controller and Cisco Flex 7500 Series Wireless LAN Controller.
Note This feature is not supported on Cisco AP1130 and Cisco AP1240.
– The point-to-point protocol over the Ethernet (PPPoE) submode on FlexConnect access points, which was supported until Release 7.4, is not supported in this release.
– With this release, the FlexConnect access points support client load balancing.
– Central external web authentication is supported.
– You are not required to force the mobility type as PMIPv6 on a WLAN. Instead, you can enable AAA override, and the AAA server can send the PMIPv6 attributes to the client.
Configure the framed IPv6 AAA attributes for RADIUS accounting request packets by entering this command:
config wlan radius_server acct framed-ipv6 { address | prefix | both } wlan-id
Note At present, the IPv6-framed-address attribute value is encoded with a dummy attribute number of 190 because the Internet Engineering Task Force (IETF) is yet to define a value.
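The following is an added example, not Cisco code: a parser that pulls the framed IPv6 values out of a RADIUS Accounting-Request so that accounting records can be tied to a client's IPv6 address. Attribute 97 is Framed-IPv6-Prefix as defined in RFC 3162; the value layout of attribute 190 (a bare 16-byte address) is an assumption, and the sample packet is constructed.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4        # RADIUS packet code, RFC 2866
FRAMED_IPV6_PREFIX = 97       # RFC 3162
FRAMED_IPV6_ADDRESS = 190     # dummy attribute number given in the note above


def iter_attributes(packet: bytes):
    """Yield (type, value) for every attribute in an Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("header length does not fit the captured bytes")
    pos = 20                                  # skip header and authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length {a_len} on attribute {a_type}")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len


def decode_prefix(value: bytes) -> ipaddress.IPv6Network:
    """Framed-IPv6-Prefix: reserved(1), prefix-length(1), prefix(0..16)."""
    if not 2 <= len(value) <= 18 or value[1] > 128:
        raise ValueError("malformed Framed-IPv6-Prefix")
    packed = value[2:].ljust(16, b"\x00")     # short prefixes are zero padded
    return ipaddress.IPv6Network((packed, value[1]), strict=False)


def decode_address(value: bytes) -> ipaddress.IPv6Address:
    """Assumed layout for attribute 190: a bare 16-byte IPv6 address."""
    if len(value) != 16:
        raise ValueError("attribute 190 is not 16 bytes long")
    return ipaddress.IPv6Address(value)


def framed_ipv6(packet: bytes) -> dict:
    """Collect the framed IPv6 addresses and prefixes from one packet."""
    found = {"addresses": [], "prefixes": []}
    for a_type, value in iter_attributes(packet):
        if a_type == FRAMED_IPV6_ADDRESS:
            found["addresses"].append(decode_address(value))
        elif a_type == FRAMED_IPV6_PREFIX:
            found["prefixes"].append(decode_prefix(value))
    return found


def _attr(a_type: int, value: bytes) -> bytes:
    # Build one type-length-value attribute for the constructed sample.
    return bytes([a_type, len(value) + 2]) + value


def sample_packet() -> bytes:
    """Constructed Accounting-Request (Start) carrying both attributes."""
    attrs = (
        _attr(1, b"alice")                                    # User-Name
        + _attr(40, struct.pack("!I", 1))                     # Acct-Status-Type
        + _attr(FRAMED_IPV6_ADDRESS,
                ipaddress.IPv6Address("2001:db8::10").packed)
        + _attr(FRAMED_IPV6_PREFIX,
                b"\x00\x40" + ipaddress.IPv6Address("2001:db8::").packed[:8])
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs))
    return header + bytes(16) + attrs         # zeroed authenticator


if __name__ == "__main__":
    print(framed_ipv6(sample_packet()))
```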
If your network contained various Cisco-licensed devices, you could use the Cisco License Manager (CLM) to manage all of the licenses using a single application. CLM was a secure client/server application that managed Cisco software licenses network wide.
The license agent was an interface module that ran on the controller and mediated between CLM and the controller’s licensing infrastructure. CLM could communicate with the controller using various channels, such as HTTP, Telnet, and so on.
Note If, after an upgrade to Release 7.5.102.0, you prefer to retain the previous tag values, you must disable the networks and configure the tag values manually.
Table 4 lists the controller software releases that support specific Cisco access points. The First Support column lists the earliest controller software release that supports the access point. For access points that are not supported in ongoing releases, the Last Support column lists the last release that supports the access point.
Note Third-party antennas are not supported with Cisco indoor access points.
Note The Cisco 3600 Access Point was introduced in 7.1.91.0. If your network deployment uses Cisco 3600 Access Points with release 7.1.91.0, we highly recommend that you upgrade to 7.2.103.0 or a later release.
-A and N: 4.1.190.1 or 5.2 or later
This issue occurs when HA is enabled and when you try to upgrade from Release 7.3.x to Release 7.5.102.0.
b. Upgrade the individual controllers to Release 7.5.102.0.
c. Pair up the controllers after they are upgraded.
This issue will not occur in future releases as the new images have the bug fixes and design changes, which will avoid this issue.
a. Enter the following commands:
b. After the reboot, press Esc on the console, and use the boot menu to select Release 7.5.
c. After booting on Release 7.5, set back the primary boot, and save the configuration by entering the following command:
In Release 7.5.102.0, when the WLAN is locally switched, you must use the config wlan flexconnect learn-ipaddr wlan-id { enable | disable } command. When the WLAN is centrally switched, you must use the config wlan learn-ipaddr-cswlan wlan-id { enable | disable } command.
Note Bootloader upgrade is not required if FIPS is disabled.
– Ensure that your TFTP server supports files that are larger than the size of the controller software release 7.5.102.0. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within the Prime Infrastructure. If you attempt to download the 7.5.102.0 controller software and your TFTP server does not support files of this size, the following error message appears: “TFTP failure while storing in flash.”
– If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.
Bootloader Menu for 5500 Series Controllers:
Bootloader Menu for Other Controller Platforms:
Enter 1 to run the current software, enter 2 to run the previous software, enter 4 (on a 5500 series controller), or enter 5 (on another controller platform) to run the current software and set the controller configuration to factory defaults. Do not choose the other options unless directed to do so.
Note See the Installation Guide or the Quick Start Guide for your controller for more details on running the bootup script and power-on self-test.
With the backup image stored before rebooting, be sure to choose Option 2: Run Backup Image from the boot menu to boot from the backup image. Then, upgrade with a known working image and reboot the controller.
config network ap-discovery nat-ip-only { enable | disable }
– enable — Enables use of NAT IP only in a discovery response. This is the default. Use this command if all APs are outside of the NAT gateway.
– disable — Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside of the NAT gateway; for example, Local Mode and OfficeExtend APs are on the same controller.
Note To avoid stranding APs, you must disable AP link latency (if enabled) before you use the disable option for the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.
– You can predownload the AP image.
– For FlexConnect access points, use the FlexConnect AP upgrade feature to reduce traffic between the controller and the AP (main site and the branch). For more information about the FlexConnect AP upgrade feature, see the Cisco Wireless LAN Controller FlexConnect Configuration Guide.
Note Predownloading a 7.5.102.0 version on a Cisco Aironet 1240 access point is not supported when upgrading from a previous controller release. If predownloading is attempted to a Cisco Aironet 1240 access point, an AP disconnect will occur momentarily.
– Delete all WLANs that are mapped to interface groups and create new ones.
– Ensure that all WLANs are mapped to interfaces rather than interface groups.
– Enable or disable link aggregation (LAG)
– Enable a feature that is dependent on certificates (such as HTTPS and web authentication)
– Add a new license or modify an existing license
– Increase the priority for a license
– Install vendor device certificate
– Install Web Authentication certificate
Step 1 Upload your controller configuration files to a server to back them up.
Note We highly recommend that you back up your controller’s configuration files prior to upgrading the controller software.
Step 2 Follow these steps to obtain the 7.5.102.0 controller software:
a. Click this URL to go to the Software Center:
https://software.cisco.com/download/navigator.html
b. Choose Wireless from the center selection window.
c. Click Wireless LAN Controllers.
The following options are available:
– Integrated Controllers and Controller Modules
d. Depending on your controller platform, click one of the above options.
e. Click the controller model number or name. The Download Software page is displayed.
f. Click a controller software release. The software releases are labeled as follows to help you determine which release to download:
g. Click a software release number.
h. Click the filename (filename.aes).
j. Read Cisco’s End User Software License Agreement and then click Agree.
k. Save the file to your hard drive.
l. Repeat steps a. through k. to download the remaining file.
Step 3 Copy the controller software file (filename.aes) to the default directory on your TFTP, FTP, or SFTP server.
Step 4 (Optional) Disable the controller 802.11a/n and 802.11b/g/n networks.
Note For busy networks, controllers on high utilization, or small controller platforms, we recommend that you disable the 802.11a/n and 802.11b/g/n networks as a precautionary measure.
Step 5 Disable any WLANs on the controller.
Step 6 Choose Commands > Download File to open the Download File to Controller page.
Step 7 From the File Type drop-down list, choose Code.
Step 8 From the Transfer Mode drop-down list, choose TFTP, FTP, or SFTP.
Step 9 In the IP Address text box, enter the IP address of the TFTP, FTP, or SFTP server.
Step 10 If you are using a TFTP server, the default values of 10 retries for the Maximum Retries text field, and 6 seconds for the Timeout text field should work correctly without any adjustment. However, you can change these values if desired. To do so, enter the maximum number of times that the TFTP server attempts to download the software in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the software in the Timeout text box.
Step 11 In the File Path text box, enter the directory path of the software.
Step 12 In the File Name text box, enter the name of the software file (filename.aes).
Step 13 If you are using an FTP server, follow these steps:
a. In the Server Login Username text box, enter the username to log on to the FTP server.
b. In the Server Login Password text box, enter the password to log on to the FTP server.
c. In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.
Step 14 Click Download to download the software to the controller. A message appears indicating the status of the download.
Step 15 After the download is complete, click Reboot.
Step 16 If prompted to save your changes, click Save and Reboot.
Step 17 Click OK to confirm your decision to reboot the controller.
Step 19 For Cisco WiSM2 on the Catalyst switch, check the port channel and reenable the port channel if necessary.
Step 20 If you have disabled the 802.11a/n and 802.11b/g/n networks in Step 4, reenable them.
Step 21 To verify that the 7.5.102.0 controller software is installed on your controller, click Monitor on the controller GUI and look at the Software Version field under Controller Summary.
Datagram Transport Layer Security (DTLS) is required for all Cisco 600 Series OfficeExtend Access Point deployments to encrypt data plane traffic between the APs and the controller. You can purchase Cisco Wireless LAN Controllers with either DTLS that is enabled (non-LDPE) or disabled (LDPE). If DTLS is disabled, you must install a DTLS license to enable DTLS encryption. The DTLS license is available for download on Cisco.com.
Important Note for Customers in Russia
If you plan to install a Cisco Wireless LAN Controller in Russia, you must get a Paper PAK, and not download the license from Cisco.com. The DTLS Paper PAK license is for customers who purchase a controller with DTLS that is disabled due to import restrictions but have authorization from local regulators to add DTLS support after the initial purchase. Consult your local government regulations to ensure that DTLS encryption is permitted.
Note Paper PAKs and electronic licenses available are outlined in the respective controller datasheets.
Step 1 Download the Cisco DTLS license.
a. Go to the Cisco Software Center at this URL:
https://tools.cisco.com/SWIFT/LicensingUI/Home
b. On the Product License Registration page, choose Get New > IPS, Crypto, Other Licenses.
c. Under Wireless, choose Cisco Wireless Controllers (2500/5500/7500/8500/WiSM2) DTLS License.
d. Complete the remaining steps to generate the license file. The license file information will be sent to you in an e-mail.
Step 2 Copy the license file to your TFTP server.
Step 3 Install the DTLS license. You can install the license either by using the controller web GUI interface or the CLI:
Using the GUI: Management > Software Activation > Commands > Action: Install License
Using the CLI: license install tftp://ipaddress/path/extracted-file
After the installation of the DTLS license, reboot the system. Ensure that the DTLS license that is installed is active.
Step 1 Download the non-LDPE software release:
a. Go to the Cisco Software Center at this URL:
http://www.cisco.com/cisco/software/navigator.html?mdfid=282585015&i=rm
b. Choose the controller model from the right selection box.
c. Click Wireless LAN Controller Software.
d. From the left navigation pane, click the software release number for which you want to install the non-LDPE software.
e. Choose the non-LDPE software release: AIR-X-K9-X-X.X.aes
g. Read Cisco’s End User Software License Agreement and then click Agree.
h. Save the file to your hard drive.
Step 2 Copy the controller software file (filename.aes) to the default directory on your TFTP or FTP server.
Step 3 Upgrade the controller with this version by following the instructions in the “Upgrading to Controller Software Release 7.5.102.0” section, from the step “Copy the controller software file (filename.aes) to the default directory on your TFTP, FTP, or SFTP server” through the step “To verify that the 7.5.102.0 controller software is installed on your controller, click Monitor on the controller GUI and look at the Software Version field under Controller Summary.”
This section describes the interoperability of the version of controller software with other client devices.
Table 6 describes the configuration used for testing the clients.
Open, WEP, PSK (WPA and WPA2), 802.1X (WPA-TKIP and WPA2-AES) (LEAP, PEAP, EAP-FAST, EAP-TLS) |
|
Connectivity, traffic, and roaming between two access points |
Table 7 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.
This section lists the features that are not supported in the following platforms:
Note The features that are not supported on Cisco WiSM2 and Cisco 5500 Series Controllers are also not supported on Cisco 2500 Series Controllers.
Note Directly connected APs are supported only in Local mode.
Note You can replicate this functionality on a 5500 series controller by creating an open WLAN using an ACL.
Note For Cisco 7500 Series controllers, it is not necessary to configure an AP-manager interface. The management interface acts like an AP-manager interface by default, and the access points can join on this interface.
Note IPv6 client bridging and Router Advertisement Guard are supported.
Note An AP associated with the controller in local mode should be converted to FlexConnect mode or Monitor mode, either manually or by enabling the autoconvert feature. On the Flex 7500 controller CLI, enable the autoconvert feature by entering the config ap autoconvert enable command.
Note FlexConnect local switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic that is based on IGMP or MLD snooping.
Note Outdoor AP in FlexConnect mode is supported.
The following sections list Open Caveats and Resolved Caveats for Cisco controllers and lightweight access points for version 7.5.102.0. For your convenience in locating caveats in Cisco’s Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation might be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
https://tools.cisco.com/bugsearch/
To become a registered cisco.com user, go to the following website:
https://tools.cisco.com/IDREG/guestRegistration.do?locale=en_US
Table 8 lists the open caveats in the 7.5.102.0 controller software release.
Symptom : Platinum 802.1p tagging changed to 5. Condition : Platinum 802.1p is tagged at 6 and an upgrade was performed to Release 7.5.102.0. Workaround : Disable the networks and change the Platinum 802.1p tagging back to 6. |
|
Symptom : When upgrading from Release 7.3.x to Release 7.5.102.0, the primary controller gets upgraded while the secondary controller does not get upgraded because of an error of application timeout while transferring the image from the primary controller to the secondary controller. This causes the controllers to go to maintenance mode when rebooting after upgrade because of image mismatch. Conditions : This issue occurs when HA is enabled and when you try to upgrade from Release 7.3.x to Release 7.5.102.0. 2. Upgrade the individual controllers to Release 7.5.102.0. 3. Pair up the controllers after they are upgraded. Further Problem Description : This issue will not occur in future releases as the new images have the bug fixes and design changes, which will avoid this issue. |
|
Symptom : Controller using Release 7.3.112.0, configured for new mobility, reverted to old mobility after upgrading to Release 7.5, even though Release 7.5 supports new mobility.
1. Enter the following commands: 2. After the reboot, press Esc on the console, and use the boot menu to select Release 7.5. 3. After booting on Release 7.5, revert to the primary boot, and save the configuration by entering the following command: |
|
Symptom: With the maximum of 64 IPv4 or IPv6 rules configured on the controller, and no Layer 2 ACL rules configured, web authentication clients are passing traffic in Web-auth required state. The issue is not seen with 63 rules configured. This issue occurs only when there is no ACL rule match. 1. Only with maximum (64) IPv4 or IPv6 rules 2. No Layer 2 ACL rules configured on the client or WLAN 3. Web authentication clients in Web-auth required state |
|
Symptom : While doing SSH to controller, it is sometimes denied with “Sorry, telnet is not allowed on this port.” If a retry is attempted immediately, the SSH connection is accepted. No changes are seen in between. Condition : SSH connection is done from a different Layer 3 network. |
|
Symptom : An 802.11n AP does not downshift rates for retries when Low Latency MAC is enabled. The AP sends 3 retransmissions, but the data rate for the retransmissions is the same data rate at which the initial packet was sent. Condition : Using an 802.11n AP with Low Latency MAC enabled. Workaround : Do not enable Low Latency MAC. Update : The Low Latency MAC feature has been removed, for 802.11n APs, through CSCtc73527. |
|
Symptom: FlexConnect: Reached the limit on the association ID for AP. 1. Client 1 is associated to the controller with AID = 1 on SSID x. 2. Client 1 sends 802.11 Auth frame on SSID y; at this point AID = 1 is freed at the AP. Auth frames are not honored at the controller, and the controller is not informed. 3. No association frame arrives from client 1 at SSID 2. 4. Client 2 associates with the AP and gets AID = 1. 5. AP updates the controller about client 2 and AID = 1; now, the controller adds duplicate entries and increments the count (controller already has client 1 AID = 1). The counter gets incremented, eventually reaching 256. It is due to the network conditions at the customer site in which the 802.11 authentication frames are sent (sometimes on different WLAN), but are not followed by association frames. |
|
Symptom : When a port in a LAG goes down and then comes back up, the controller does not send a UP trap via SNMP. Condition : Distribution ports are configured in a LAG, and an SNMP trap receiver is configured. Workaround : Look in the traplog on the controller (using the show traplog command on the controller CLI) for the UP trap. Further Problem Description : An attempt was made to fix this bug through CSCto58101, by delaying the transmission of the UP trap by 40 seconds. This attempted fix was implemented in Release 7.0.220.0; however, it caused the side effect that a dead port is not removed from the LAG (CSCtw56190, CSCtu13807), and therefore the CSCto58101 fix was rolled back in Release 7.0.230.0. |
|
Symptom : Specific to Cisco Flex 7500 and 8500 Series Wireless LAN Controllers: While booting up, the following error message is displayed on the attached monitor or on serial console:
"All the disks from your previous configuration are gone. If this is an unexpected message, then please power off your system and check your system and check your cables to ensure all disks are present.
When the Space Bar is pressed, the system could not boot from the disk. Condition: Cisco Flex 7500 and 8500 Series Wireless LAN Controllers. This system went through an accidental power interruption; that is, the power plug was pulled while the system was operational. After a reboot, the RAID card could not find its configuration in the Flash memory and therefore it could not boot. Workaround: When this situation is encountered, you must enter the RAID management tool: WebBIOS. There are two versions of this tool: one that uses extensive menus and requires an attached monitor, and another that is based on the command lines (CLI). The CLI version of the tool can be accessed from the serial console. A prompt for this is visible on a serial console right after the error message is displayed. 1. Enter the CLI version of the WebBIOS utility by pressing CTRL+Y and then enter the following command: Further Problem Description: When the Space Bar is pressed, the system could not boot from the disk. During the boot process, the LSI WebBIOS loads as expected and shows two physical disks, but no virtual disks. It appears that it lost the RAID configuration that was present in the system. The system went through an accidental power interruption; that is, the power plug was pulled while the system was operational. After reboot, the RAID card could not find its configuration in the Flash memory and therefore it could not boot. The Flash configuration was affected due to the power interruption. The RAID card keeps a backup of the configuration on the hard drives. However, when the card loses the configuration information that is present in the Flash, it does not automatically pick up the backup configuration information from the hard drives. The information on the hard drives is considered a “foreign configuration” that requires user intervention. At this time, the system waits for you to take action. Note that all the data on the hard drives is still intact. |
|
Symptom : After upgrading to Release 7.2, SSH connection to a controller sometimes fails randomly; a prompt for username is displayed, and then SSH is closed from the controller side. After several attempts in a row, the SSH connection is successful. |
|
Symptom: Web Authentication on MAC Filter Failure authentication might sporadically fail. Condition: Controller using Release 7.0.116.0 or Release 7.0.230.0. Free RADIUS Server authentication for MAC authentication configured with default 1-second access-reject. Clients might fail to get redirected to the web authentication splash page for authentication attempt, and remain in the ‘DHCP Required’ state. Workaround: Configure Free RADIUS access-reject response timer to zero. |
|
Symptom : If you use the clear ap config or the clear all config command on the controller CLI, under Set to Factory Defaults in the controller GUI, on an indoor AP that has been configured for the mesh (Bridge) mode, the AP remains in the Bridge mode. Condition : An indoor AP (such as an AIR-LAP1042) that has been configured for mesh. 1. Remove the IOS_STATIC_AP_MODE environmental variable from the AP. This can be done on the console by reloading the AP, escaping into the boot loader, and entering the bootloader command Copy flash:env_vars from the AP to a TFTP server and edit the file to remove the IOS_STATIC_AP_MODE line, and copy the file back. 2. Clear the AP configuration. When the AP reboots, it should be back to factory defaults. |
|
Symptom: The change (enable/disable) in admin mode of the ports on Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN Controllers is not updated on the upstream switch. Condition: Disable/enable admin mode of the ports on Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN Controllers. Workaround: Instead of enabling or disabling port admin from the controller, use shut/no shut on the upstream switch. |
|
Symptom : Inter-SPG roam failures when MC (Cisco 2500 Series Wireless LAN Controller) goes down and comes back. Condition : Negative test case. MC is down and then comes back. |
|
Symptom : Cisco 5508 Wireless LAN Controller fails to boot. SYS LED - Blinking Amber and ALM LED = OFF. Condition : Console logging set to debugging and high rate of console logs are generated while you reboot the controller. Workaround : Do not set console logging to debugging and reboot the controller at the same time, or send the debug output to an SSH/Telnet session, which is also a lower impact to the CPU. |
|
Symptom : A wireless web authentication client might be unable to authenticate to the network. When the client opens a browser, the window is blank. With the debug web-auth redirect command in effect, messages similar to the following might be displayed:
*webauthRedirect: Oct 10 16:36:30.715: %EMWEB-3-PARSE_ERROR: parse error after reading. bytes parsed = 0 and bytes read = 189
Condition : The HTTP GET from the client comes at the controller in multiple TCP segments. Workaround : Reconfigure your network and the TCP/IP stack of the client to ensure that the HTTP GET comes in a single segment. One example of client software that is known to introduce TCP segmentation behavior that triggers this bug is AnyConnect Web Security 3.0.3054. |
|
Symptom : Cisco WiSM2 is unreachable, unable to ping. All APs drop from the controller, and unable to ping the Management interface's gateway (via console) at the time of failure. Failure condition recovers on its own typically within minutes. Condition : Cisco WiSM2 using Release 7.3.101.0. Buffer pool leak messages are printed in the message log around the time of the failure as follows:
*broffu_SocketReceive: Oct 20 07:31:15.291: #BROFFU-0-DP_BUFFER_POOL_LOW_DETECTED: broffu_fp_dapi_cmd.c:5060 Warning: DP Early PacketBuffer low detected. DP1 PacketBuffer=26105(<?26200) WQE=102318(<?26200)
*broffu_SocketReceive: Oct 20 07:31:15.291: #BROFFU-0-DP_BUFFER_POOL_LOW_DETECTED: broffu_fp_dapi_cmd.c:5060 Warning: DP Early PacketBuffer low detected. DP0 PacketBuffer=26025(<?26200) WQE=102322(<?26200)
|
|
Symptom: Cisco AP3600 remains in the ‘ap:’ mode when there is a power outage, requiring manual boot. Condition: After a power outage, the AP might remain in the boot mode. Workaround: On the AP console, enter the flash_init and boot commands to get the AP working again. |
|
Symptom : Access points are assigned to channels with lower maximum powers. Condition : Varying power levels in different channels of the new access points. The controller detects more neighbors with high RSSIs on channels with higher power. |
|
Symptom: The system stopped working on management user form post manipulation. Condition: Field content/count is modified. Further Information: Form needs administrative access rights to be accessed. Management from wireless is disabled by default and has to be explicitly enabled. This can minimize exposure on the wireless side. |
|
Symptom: In a VMware ESX cluster, when migrating a virtual controller from one host to another via vMotion, the virtual controller management might become unreachable for 15 to 30 seconds, which may cause APs to transition to the standalone mode temporarily and prevent centrally switched WLANs from communicating. Condition: The management interface of a virtual controller is configured with an 802.1q VLAN tag and communicates through a virtual switch network configured with VLAN (4095 ALL) in promiscuous mode, per the virtual controller deployment guide. The VMware network can be configured to “Notify Switches,” which causes RARP to be sent on the VM's tagged interface so that neighbors update their CAM tables seamlessly during the vMotion transition. This is transparent to the VM. In the virtual controller deployment, hosts cannot know the virtual controller’s management or other interface 802.1q tags; therefore, RARP is delivered untagged. This prevents CAM tables from learning the MAC update on the proper VLAN ID, which results in a loss of communication to the virtual controller. Workaround: Communication is established as soon as the virtual controller “generates or egresses” traffic through the new host after a vMotion event. No known workaround. |
|
Symptom : Client entry is seen on multiple controllers even when not anchored to the controller or part of its mobility group. Condition : Foreign to Foreign Roaming might cause it in the scenario when the 2 (Export) Foreigns are mobility peers of each other, but (Export) Anchor is mobility peer of only the first (Export) Foreign. |
|
1. In Cisco 5508 Wireless LAN Controller, use MAC Filtering authentication. 2. On the controller GUI, choose Security > AAA > RADIUS > Authentication, and define more than 1 RADIUS server. 3. Choose Security > AAA > MAC Filtering and set RADIUS Compatibility Mode as Free RADIUS. 4. In the WLAN settings, check MAC Filtering, select the authentication server, which is defined in Step 1 and also has index number 1. 5. Choose Security > AAA > RADIUS > Authentication and delete the RADIUS server, which has index number 1. In the WLAN settings, select the authentication server, which has an index number other than 1. In this scenario, client authentication fails. Workaround : Choose Security > AAA > RADIUS > Authentication and define a dummy RADIUS server, which has the index as 1. |
|
Symptom : A controller functioning as a DHCP server with large DHCP scopes might stop servicing DHCP client requests. |
|
Symptom: Controller sends a message after 90 days of an AP associating with the controller, that the APs should be moved to a primary controller. Condition: A HA-SKU controller is used as a secondary controller in an N+1 configuration and an AP has associated with the controller. |
|
Symptom : Controller stops communicating with CAM with SNMPv3. 2. Add controller to CAM with SNMPv3 (should have authorization and authentication passwords). |
|
Symptom : The controller software was downgraded from Release 7.5 to Release 7.0.240.0 using SFTP, configuration was saved, and controller was rebooted. Immediately after rebooting the controller, the transfer download start command was entered. The controller stopped working. Condition : This is a defect in Release 7.0.x. This is specific to SFTP downgrade procedure, and it does not apply to other mechanisms. Workaround : If the mode is changed to TFTP or FTP upon reboot, then the controller works as expected. |
|
Symptom : Controller stops working intermittently. Condition : Web pass through clients anchored from foreign controller to anchor controller. Controller became unresponsive randomly. |
|
Symptom : First client that connects to an incorrect interface without an available subnet to assign will not work as expected. Condition : Multiple interfaces as part of an interface group with a client attempting to use an interface that has run out of available IP addresses in the relevant subnet to assign to this client. Workaround : Manually deauthenticate the client so that it can associate on a different interface to be assigned an IP address. |
|
Symptom : When AP fails over from the primary controller to the secondary controller, the client protocol displays 802.11b, which was originally 802.11g. Condition : AP is in FlexConnect local switching mode. Controller using Release 7.3.112.0. |
|
Symptom : Clients are not able to associate. Condition : Release 7.3, Cisco 5500 Series Wireless LAN Controller with FlexConnect and NAT/PAT AP IP. |
|
Symptom : The FT and LT detection time for an alarm is ahead or later than the AP clock. This is causing a delay in Cisco NCS to detect the alarm.
LCAVIAX014-2AD1#show capwap am alarm 54
capwap_am_show_alarm = 54
<A id='139266813'>
<AT>54</AT>
<FT>2013/03/12 23:37:44</FT>
<LT>2013/03/12 23:38:07</LT>
<DT>2013/03/01 21:59:47</DT>
<SM>D0:57:4C:08:FB:B2-g</SM>
<SNT>1</SNT>
<CH>1</CH>
<FID>0</FID>
pAlarm.bPendingUpload = 0
LCAVIAX014-2AD1#
LCAVIAX014-2AD1#show clock
*21:59:18.983 UTC Tue Mar 12 2013
In NCS we will not see the alarm until the actual AP time matches the time reported in the FT.
Condition : Cisco 5500 Series Wireless LAN Controller using Release 7.0.235.3; Cisco AP3500 wIPS ELM mode; Cisco MSE 3350 using Release 7.0.201.204. |
|
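The timestamp comparison in the caveat above can be automated when checking many APs. The following is an added example, not Cisco code: it parses the `show capwap am alarm` and `show clock` output quoted in the caveat and reports how far each alarm timestamp lies ahead of the AP clock. It assumes that the alarm timestamps and the AP clock are in the same time zone; the function names and the 5-second tolerance are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Output copied from the caveat text above.
ALARM_OUTPUT = """\
capwap_am_show_alarm = 54
<A id='139266813'>
<AT>54</AT>
<FT>2013/03/12 23:37:44</FT>
<LT>2013/03/12 23:38:07</LT>
<DT>2013/03/01 21:59:47</DT>
<SM>D0:57:4C:08:FB:B2-g</SM>
pAlarm.bPendingUpload = 0
"""
CLOCK_OUTPUT = "*21:59:18.983 UTC Tue Mar 12 2013"

# FT, LT and DT are the three timestamp fields shown in the alarm record.
TAG_RX = re.compile(r"<(FT|LT|DT)>(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})</\1>")
# "show clock" format: optional '*' or '.', time, zone, weekday, month, day, year.
CLOCK_RX = re.compile(
    r"[*.]?(\d{2}:\d{2}:\d{2}(?:\.\d+)?) \w+ \w{3} (\w{3}) (\d{1,2}) (\d{4})")


def parse_alarm_times(text):
    """Return {tag: datetime} for every FT/LT/DT field found in the alarm record."""
    return {tag: datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
            for tag, ts in TAG_RX.findall(text)}


def parse_show_clock(text):
    """Parse a 'show clock' line into a naive datetime (time zone label ignored)."""
    m = CLOCK_RX.search(text)
    if m is None:
        raise ValueError("unrecognised show clock output: %r" % text)
    hms, month, day, year = m.groups()
    time_fmt = "%H:%M:%S.%f" if "." in hms else "%H:%M:%S"
    return datetime.strptime(f"{hms} {month} {day} {year}", time_fmt + " %b %d %Y")


def future_dated_fields(alarm_text, clock_text, tolerance=timedelta(seconds=5)):
    """Return {tag: seconds ahead of the AP clock} for fields beyond the tolerance.

    A positive value for FT is the time the alarm stays invisible in NCS,
    because NCS shows it only once the AP clock reaches FT.
    """
    now = parse_show_clock(clock_text)
    return {tag: (ts - now).total_seconds()
            for tag, ts in parse_alarm_times(alarm_text).items()
            if ts - now > tolerance}


if __name__ == "__main__":
    for tag, ahead in future_dated_fields(ALARM_OUTPUT, CLOCK_OUTPUT).items():
        print(f"{tag} is {ahead / 60:.1f} minutes ahead of the AP clock")
```
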
Symptom : At times, Cisco AP3500 causes issues such as wireless client being unable to associate with the AP, unable to use telnet to connect to the AP, show command output being very slow. It seems to be a memory leak issue. |
|
1. Load the virtual controller with Release 7.4 or Release 7.5. 2. Reset the system and press the Esc key. 3. In the boot options, select Change Active Boot Image. Issue: Virtual controller is loading with the older active image, but it should load with the new or changed active image. Condition: Bootloader image change. Workaround: Use config boot commands to change the image order. |
|
1. Create a normal ACL with the name ‘pre-webauth’. 3. Create a webauth WLAN and map the ‘pre-webauth’ ACL name to the WLAN webauth preauth ACL. 4. Create a FlexConnect ACL with the name ‘pre-webauth’. 6. Controller does not allow the operation and displays an error message as follows: “Error! ACL is in use.” Condition: ACL and FlexConnect ACL with the same name. Workaround: Delete the ACL and create it again with a different name. |
|
Symptom : Cisco WiSM2 stops working at Reaper Reset: Task “BootP” missed software watchdog. |
|
Symptom : The config flexconnect group flex-group multicast overridden-interface enable command is needed to enable multicast on AAA overridden interfaces. The command works if there are no spaces in the FlexConnect group name and then you do not have to use quotes in the command. When you have a FlexConnect group name that has spaces in it, then the command needs to use quotes to enclose the group name. The command does not work when quotes are used, thereby rendering this command unusable for FlexConnect group names with spaces in them. |
|
Symptom : Clients on 802.11n rates might experience disconnection or data transfer issues when certain segment number orders are used. Condition : 802.11n, when client leading segment number is lower than the window (lower order). Workaround : For Apple devices, disable AQM in the Apple wireless driver. Disable A-MPDU. Further Information : A workaround is being implemented through CSCug65693. |
|
Symptom : Wireless clients are not reachable when set with static IP and with the VLAN pooling feature. Condition : Initially, the wireless client is allowed to get IP through DHCP and it got IP from one of the subnets (any one VLAN from the interface group) for instance subnet A. If the static IP is set from the same subnet (subnet A) that is used previously to get IP through DHCP, the client reaches the controller very well with static IP. But, when static IP is set with other subnets (other than A), it does not reach the controller. Workaround : In Release 7.2, we can disable and enable the WLAN once and the client entry is deleted. Now, set the static IP from any other subnet among the interfaces in the group and the controller will be reachable. This workaround will not work in Release 7.3 and later releases. |
|
Symptom : Apple devices such as iPads running Apple iOS 6.1.2 and 6.1.3 stop working for 5 seconds every 30 seconds. Client does not get disconnected from the wireless network or roam to another AP. Condition : Cisco 5508 Wireless LAN Controller using Release 7.3.112.0; guest anchoring set up with ISE WPA2/AES/802.1x. |
|
Symptom: When an AP stops working, the log file is not sent to the controller because the CAPWAP queue is full. It seems like the incoming data rate is more than what the CAPWAP queue can handle.
RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Queue already full.
RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Failed to send data transfer request.
RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Queue already full.
RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Failed to send data transfer request.
RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Queue already full.
RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Failed to send data transfer request.
RA045W02ALT430: *Apr 13 00:34:33.979: %CAPWAP-3-ERRORLOG: Queue already full.
RA045W02ALT430: *Apr 13 00:34:33.979: %CAPWAP-3-ERRORLOG: Failed to send data transfer request.
|
|
Symptom : Memory leak in EAP. Radio request process.
–Traceback = 195A30z 2758E0z 27BB40z 27BD90z 28A360z 275570z 27D78Cz C35128z 456530z 40734Cz 7B72
CAPWAP CLIENT -Traceback= 195A30z 2758E0z 27BB40z 27BD90z 28A360z 275570z 27D78Cz C35128z 8089D8z 8162F0z 806C58z 7DDC
%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x28A35C, alignment 0
CAPWAP CLIENT -Traceback= 195A30z 2758E0z 27BB40z 27BD90z 28A360z 275570z 27D78Cz C35128z 8089D8z 8162F0z 806C58z 7DDC
%SYS-2-MALLOCFAIL: Memory allocation of 6000 bytes failed from 0x30D6AC, alignment 0
CAPWAP CLIENT -Traceback= 195A30z 2758E0z 27C964z 30D6B0z 301314z 2AF628z 4C5634z 4DBCA4z 4DBE64z EEAFCz F52DCz F5AA8z
CAPWAP CLIENT -Traceback= 195A30z 2AF8D8z 4C5634z 4DBCA4z 4DBE64z EEAFCz F52DCz F5AA8z 8169D0z 7FF130z 805088z 8065CCz
%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x28A35C, alignment 0
|
|
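Several caveats above quote a log message that identifies the problem: the web authentication parse error, the data plane PacketBuffer warning, the CAPWAP queue errors, and the EAP memory allocation failures. The following is an added example, not Cisco code, that scans collected controller and AP logs for those four messages and extracts the values needed to triage each one. The signature labels and function names are choices made for this example, and the `(<?N)` suffix in the PacketBuffer message is read here as the low-water threshold, which is an assumption.

```python
import re
from collections import Counter

# Regular expressions built from the log excerpts quoted in the caveats above.
SIGNATURES = {
    "webauth_parse_error": re.compile(
        r"%EMWEB-3-PARSE_ERROR: parse error after reading\. "
        r"bytes parsed = (?P<parsed>\d+) and bytes read = (?P<read>\d+)"),
    "dp_buffer_low": re.compile(
        r"#BROFFU-0-DP_BUFFER_POOL_LOW_DETECTED: .*?"
        r"(?P<dp>DP\d+) PacketBuffer=(?P<free>\d+)\(<\?(?P<limit>\d+)\)"),
    "capwap_queue_full": re.compile(r"%CAPWAP-3-ERRORLOG: Queue already full\."),
    "malloc_fail": re.compile(
        r"%SYS-2-MALLOCFAIL: Memory allocation of (?P<size>\d+) bytes failed "
        r"from (?P<caller>0x[0-9A-Fa-f]+)"),
}

# Sample input: lines copied from the excerpts on this page, plus one
# constructed, unrelated line (the last one) that must not match.
SAMPLE_LINES = [
    "*webauthRedirect: Oct 10 16:36:30.715: %EMWEB-3-PARSE_ERROR: parse error after reading. bytes parsed = 0 and bytes read = 189",
    "*broffu_SocketReceive: Oct 20 07:31:15.291: #BROFFU-0-DP_BUFFER_POOL_LOW_DETECTED: broffu_fp_dapi_cmd.c:5060 Warning: DP Early PacketBuffer low detected. DP1 PacketBuffer=26105(<?26200) WQE=102318(<?26200)",
    "*broffu_SocketReceive: Oct 20 07:31:15.291: #BROFFU-0-DP_BUFFER_POOL_LOW_DETECTED: broffu_fp_dapi_cmd.c:5060 Warning: DP Early PacketBuffer low detected. DP0 PacketBuffer=26025(<?26200) WQE=102322(<?26200)",
    "RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Queue already full.",
    "RA045W02ALT430: *Apr 13 00:34:33.975: %CAPWAP-3-ERRORLOG: Failed to send data transfer request.",
    "RA045W02ALT430: *Apr 13 00:34:33.979: %CAPWAP-3-ERRORLOG: Queue already full.",
    "%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x28A35C, alignment 0",
    "%SYS-2-MALLOCFAIL: Memory allocation of 6000 bytes failed from 0x30D6AC, alignment 0",
    "%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x28A35C, alignment 0",
    "*Apr 13 00:35:01.000: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up",
]


def triage(lines):
    """Return (hits, counts): parsed fields for each matching line, and per-signature totals."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for label, rx in SIGNATURES.items():
            m = rx.search(line)
            if m:
                fields = {k: int(v) if v.isdigit() else v
                          for k, v in m.groupdict().items()}
                hits.append({"line": lineno, "signature": label, **fields})
                break
    return hits, Counter(h["signature"] for h in hits)


def segmented_get_suspects(hits):
    """Line numbers where data was read but nothing parsed, as in the web-auth caveat."""
    return [h["line"] for h in hits
            if h["signature"] == "webauth_parse_error"
            and h["parsed"] == 0 and h["read"] > 0]


def low_buffer_deficits(hits):
    """Per data plane: how far the free PacketBuffer count is below the threshold."""
    return {h["dp"]: h["limit"] - h["free"] for h in hits
            if h["signature"] == "dp_buffer_low" and h["free"] < h["limit"]}


def malloc_failures_by_caller(hits):
    """Total failed bytes per caller address; a repeating caller points at one allocation site."""
    totals = Counter()
    for h in hits:
        if h["signature"] == "malloc_fail":
            totals[h["caller"]] += h["size"]
    return dict(totals)


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LINES)
    print(dict(counts))
    print("segmented GET suspects:", segmented_get_suspects(found))
    print("PacketBuffer deficits:", low_buffer_deficits(found))
    print("malloc failures by caller:", malloc_failures_by_caller(found))
```
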
Symptom : Controller sends keep active alive message as a wired packet instead of wireless. Condition : When the controller sends the keep alive as a wired packet, the ISE drops it because of license issues. |
|
Symptom : Cisco WiSM2 stops working and then reboots (bcastReceiveTask 1332). |
|
Symptom : Disabled SSID is being broadcast by a 2.4-GHz radio. Condition : SSID was created and disabled previously; this is a very rare occurrence, and only seen once; never reproduced in lab. |
|
Symptom: A Cisco AP might stop transmitting traffic after several days with a switchport speed/duplex misconfiguration. Condition: Cisco AP2610 associated with a controller using Release 7.3.112.0. The default Ethernet interface of Cisco AP2600 is set to auto/auto; switchport: duplex full/speed 100. Workaround: Correct the speed/duplex misconfiguration (should match on the AP and switchport). |
|
Symptom : Status LED on Cisco AP1552 in the local mode is blinking green when working in normal operation. |
|
Symptom: After reenabling HA, post HA disable, the secondary unit rebooted with Reason: Standby timeout. Three attempts were made to reproduce the same issue, but without success. Condition: HA is disabled through GUI and no additional configuration changes were attempted. The secondary unit rebooted and came up as active. After resetting both the primary and the secondary controller, the controllers pair up. Workaround: Low frequency/impact issue. Controllers will pair up and work after a reboot. |
|
Symptom : AP rebooted, log information was provided. |
|
Symptom : Release 7.3 introduced subinterface on the local mode APs. Condition : Customer requests a method to disable this on all APs because it is generating errors in the scripts. |
|
Symptom: Ascom phone stops receiving voice packets. Condition: 802.11n in use; Voice traffic QoS markings are lost on downstream direction. |
|
Symptom: Cisco AP702 is seen as an Impersonator. Condition: Cisco AP702 is seen as an Impersonator in controller trap logs. |
|
Symptom: Clients are unable to connect to SNMP NAC SSID with an error message as follows:
“Unable to process out-of-band login request from MAC and IP Addr [device-filter]. Cause: OOB clientMAC and IP Addr not found.”
|
|
Symptom: Push a profile for autocontaining a device. If this fails for any reason, the mitigation status on Cisco Prime Infrastructure displays the following message:
Failed to start containment on device '34:a8:4e:d3:f7:a0'. Action failed due to 'Unable to contain the device.
This message should instead indicate the failure reason for auto containment. |
|
Symptom: As per the data sheet, the Cisco AP1600 should have 17 dBm of Tx power on 1 antenna and up to 22 with 3 antennas (see http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1600-series/data_sheet_c78-715702.html). In reality, the Tx power is lower. The show controllers output shows that power level 1 is 13 dBm on 3 antennas (8 dBm per antenna). Comparing the show controllers output with that of a Cisco AP3600e clearly shows that Cisco AP1600 has less Tx Power. Field tests also show that it has a much smaller coverage area. This is on 2.4 GHz. On 5 GHz, the power meets expectations. This was noted in the -E reg domain. Also, modifying the antenna gain has no effect at all on the Tx power. Condition: Controller using Release 7.4.100.0 with European regulatory domain in countries where the expected power level is 17. |
|
Symptom: It is specific to 'read-only' and 'lobby admin' users. If these users are prevented from accessing the controller due to successive failed attempts, the same users are able to logon to the controller through HTTP and, but cannot do any changes. However, it works as expected through SSH or Telnet; such users are not allowed to logon. |
|
Symptom: CleanAir sensor stops working and requires a reboot. |
|
Symptom : Client does not get IP address even if it permits all Layer 2 ACLs that are mapped to the WLAN. This occurs only with CS WLAN; LS works as expected. Condition : Cisco Virtual Wireless LAN Controller with central switching and Layer 2 ACL applied. |
|
Symptom: Controller reports a large number of stale client entries. Condition: Cisco Flex 7510 Wireless LAN Controller using Release 7.3.103.x with numerous clients. |
|
Symptom: Web authentication redirect fails when local switching is enabled on the WLAN. Manual redirect works. Redirect works when central switching is performed. Condition: Local switching enabled on the WLAN. Workaround: Add a dummy interface on the controller with an IP address assigned from the same VLAN as the locally switched data VLAN for the client. The VLAN identifier does not need to be the same, but the IP address has to be. Also, it does not need to be trunked to the controller. |
|
Symptom: On the controller, CleanAir status is “N/A” even if AP supports and enables CleanAir. Condition: There are two controllers and many APs (more than 30), non-HA configuration. Each AP is configured as Primary or Secondary WLC. The symptom may happen when changing the joining WLC due to power down or network problem, for example, when Primary goes down and all APs are joined to Secondary WLC or vice versa. Workaround: Disable and re-enable radio on that AP to recover CleanAir status on the controller. |
|
Symptom: FlexConnect AP does not delete Layer 2 ACL. Condition: When the AP moves from one controller to another controller, with the same WLAN on both the controllers but different Layer 2 ACL. |
|
Symptom: Controller might send accounting update with different framed IP address information. |
|
Symptom: In the controller default configuration, the RADIUS failover occurs when the controller sends RADIUS request packets with the same ID to the RADIUS server 6 times with no response from the server. However, sometimes RADIUS failover occurs even if the number of requests is less than 6. |
|
Symptom: During a WGB roaming test on a FlexConnect local switching AP on Release 7.4.100.0, the following message is often observed on the AP CLI (debug capwap client mgmt):
*May 22 11:24:34.559: capwap_ap_mgmt: delete mn 0d0d.0d0d.0d0d
*May 22 11:24:34.559: capwap_ap_mgmt: Deleting PMK for 0d0d.0d0d.0d0d
The station MAC address is not present in the network, either as a WLAN client or as a wired WGB client.
Condition: Roaming test on FlexConnect local switching Cisco AP on Release 7.4.100.0. Debugging using the debug capwap client mgmt command. |
|
Symptom: Consecutive SNMP set commands for the same MIB variable on the controller fail. Condition: When a MIB object is set on the controller using the SNMP set command, it works at the first attempt. However, if the command is entered repeatedly, the following message is displayed: |
|
Symptom: In an Export Anchor-Foreign scenario, in both Foreign to Foreign as well as fresh association to a Foreign, if packets are not reaching the Export Anchor due to network issues, then after three retries, there will not be any further exchange. The request will go to the Export Anchor and the client will stay in that state until it moves out. Condition: Network issues between mobility peers. Workaround: None. Instead, fix the underlying connectivity issues. |
|
Symptom: After disabling the radio of a Cisco AP2600, it might become enabled after a reboot of the device. Condition: Cisco AP2600; controller using Release 7.4.100.0. |
|
Symptom: Client gets IPv6 address from a different VLAN. Condition: This is a combination of the following factors: 2. Client sending traffic from either static IP or previously allocated IP. 3. Client traffic is not matching the assigned VLAN received initially. This message shows when this occurs: Overriding interface of client from 'vlan20' to 'vlan30' within interface group 'vlan20-30'. |
|
Symptom: Client with static IP loses connectivity on session timeout. Condition: This occurs only if the following set of conditions are met: 1. Interface that the client gets from the interface group does not match the interface corresponding to the static IP. 2. Client gets VLAN overridden with the following message:
apfReceiveTask: May 28 12:48:28.066: 00:1a:70:a5:2f:bd Overriding interface of client from 'vlan20' to 'vlan30' within interface group 'vlan20-30'
*apfReceiveTask: May 28 12:48:28.066: 00:1a:70:a5:2f:bd Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 20
This overriding is lost when PMK expires, and a new authentication takes place. This occurs even if the client is continuously sending traffic. Workaround: Either disable interface groups or set to DHCP required state. |
|
Symptom: Cisco AP loses FlexConnect interface configuration when the AP is rebooted from the standalone mode. Condition: Cisco AP moves to standalone mode and is power cycled. Workaround: Wait for the Cisco AP to associate with the controller. After the Cisco AP has reassociated with the controller, the Cisco AP pulls the configuration from the controller. |
|
Symptom: Using New Mobility, if the anchor controller for a client is lost, the traffic for the client might be locally terminated. Condition: Only on New Mobility (Cisco 5760 Wireless LAN Controller and Cisco Catalyst 3850 compatibility mode). This is not applicable to legacy mobility. Workaround: None for New Mobility; not present on legacy mobility scenarios. |
|
Symptom: WLAN FlexConnect local switching is disabled on the active secondary controller after an HA failover. It causes WLAN-VLAN mapping to be changed on AP. |
|
Symptom: When using Internet Explorer 10 as the browser to access the GUI of the controller, it is not possible to use any filter options for clients and APs. The filter pop-up box is not displayed. |
|
Symptom: Cisco 5508 Wireless LAN Controller stopped working on Reaper Reset: Task “LDAP DB Task 2” missed software watchdog. Condition: Reaper Reset: Task “LDAP DB Task 2” missed software watchdog. |
|
Symptom: With HA enabled Cisco 5508 Wireless LAN Controller set up with 430 real APs, the predownload was started on the 430 APs. Predownload was completed, but could not reset the system even after that. A message is displayed that says that the AP software upgrade is in progress, but remains unresponsive. Condition: High AP count, failed predownload. Workaround: Reboot the controller with the reset system forced command. |
|
Symptom: The output of the show redundancy summary command shows the following line regardless of its real SKU. Condition: Used the show redundancy summary command on: 1. Secondary system which is converted from the Primary system. |
|
Symptom: AP stopped working once and the log was found on the controller and TFTP server. Workaround: None. The AP will reset on its own. This was a one-time event and is still under investigation. |
|
Symptom: LEAP authentication fails for FlexConnect mode local authentication and local switching. Condition: Primary and secondary servers are added in a FlexConnect group and they are not reachable. Workaround: Delete the primary and secondary servers. The client then authenticates with the local AP database right away. This caveat has been tested in controller software version 7.4.100.60 and customer version 7.4.100.0. |
|
Symptom: AP radio may reset during FlexConnect state change. |
|
Symptom: AP stops working on low memory condition. This is a request to implement WDT crash trigger mechanism in a low memory scenario, before reaching a breaking point. |
|
Symptom: AP rebooted with log information provided. |
|
Symptom: Controller using Release 7.3 or Release 7.4 fails to authenticate One Time Password (OTP) users when there is an attempt to authenticate to the controller using TACACS+. The following debug output is displayed when the debug aaa tacacs enable command was entered on the controller CLI.
TPLUS_AUTHEN_STATUS_GETPASS
auth_cont get_pass reply: pkt_length=25
processTplusAuthResponse: Continue auth transaction
No auth response from: SERVER IP, retrying with next server
Preparing message for retransmit. Decrypting first
Forwarding request to SERVER IP port=4900
AUTH Socket closed underneath
No auth response from: SERVER IP, retrying with next server
Preparing message for retransmit. Decrypting first
Forwarding request to SERVER IP port=4900
AUTH Socket closed underneath
Exhausted all available servers for Auth/Author packet.
Condition: Controller using Release 7.3 or Release 7.4; TACACS+ used for Management User Authentication; OTP used for TACACS+; static passwords are not impacted. Workaround: Extend the TACACS+ Management Server Timeout value by entering these commands: 1. config tacacs auth disable server-index |
|
Symptom: Topology: 5500 (MC/GC) MA1 MA2. To reproduce the issue, perform the following tasks: 1. Bring mobility up between all devices and make the Cisco 5500 Series Wireless LAN Controller the GA. 2. Try to connect a client to MA1. The client gets an IP address, and the anchor-foreign relationship is formed. 3. Roam the client to MA2. It is observed that it goes to the IP learn state. Condition: Roaming between two mobility agents with Cisco 5508 Wireless LAN Controller as MC/GC. |
|
Symptom: When there is a duplex mismatch between the Cisco AP1142 port and upper layer switch port, both the switch and the Cisco AP display a warning message that is similar to the following: The warning message is logged to the controller. However, when the controller is upgraded to Release 7.4.100.0, the warning message is not logged to the controller. Condition: This issue occurs only with Release 7.4.100.0, and not with Release 6.0.202.0. |
|
Symptom: Controller sends incorrect information for Rogue AP detection through traps. |
|
Symptom: Cisco 8510 Wireless LAN Controller does not show the config line after disabling DHCP proxy. The config dhcp proxy disable bootp-broadcast disable command using Release 7.4.100.60. Condition: This issue occurs only with the Cisco 8510 Wireless LAN Controller using Release 7.4.100.60. Workaround: Enter the line in the configuration file or modify the configuration directly on the controller through the CLI or GUI. |
|
Symptom: Cisco 5508 Wireless LAN Controller in HA configuration with two AAA servers in configuration sends TACACS+ authentication and authorization requests to different AAA servers. After some time, a user logging on through a TACACS+ account to the controller is unable to log on because the controller sends the authentication request to one AAA server, while at the same time and for the same user, the Authorization/Accounting request is sent to the second AAA server in the Authentication/Authorization servers list configuration on the controller. Condition: Controller with HA configuration. User logging on through a TACACS+ account to the controller. Two or more AAA servers defined under the controller TACACS+ authentication/authorization server list. |
|
Symptom: Cisco AP displays the %CAPWAP-3-ERRORLOG messages when the AP associates with the controller as follows:
%CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
%CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
%CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
%CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 172.22.170.1
|
|
Symptom: A wired device that scales behind a third-party bridge device fails to get an IP address. Condition: Third-party bridge is associating with an AP in H-REAP (FlexConnect) local switching mode and the controller is using a release that is later than the 7.0.116.0 release. |
|
Symptom: Beacon loss in Cisco AP1130. Condition: Random beacon drops are observed with Cisco AP1130 in FlexConnect mode. |
|
Symptom: The mesh topology is: RAP - MAP1 - MAP2 (all APs are 1522s, using 5-GHz backhaul). When MAP1 does not have an Ethernet bridge client, MAP2 connects to MAP1 and associates with the controller. However, when MAP1 has an Ethernet bridge client, MAP2 fails to connect to MAP1 in order to associate with the controller. The authentication process between MAP2 and MAP1 is never completed in this case. The problem also appears regardless of the radio used for backhaul; that is, with both 5-GHz backhaul and 2-GHz backhaul. Condition: Applies to Cisco AP1520. Not applicable to Cisco AP1550. |
|
Symptom: Cisco WiSM2 stops working and then reboots. Condition: Cisco WiSM2 stops working when TPCv2 is in an enabled state. |
|
Symptom: On an HA pair, when the standby unit is active, it might display the evaluation license window showing the remaining time. Workaround: None needed. The HA unit will continue to work because the local licenses are not used for AP join validation. |
|
Symptom: False DFS detections related to client activity. Condition: Clients triggering DFS detections due to spurious emissions. Workaround: Use non-DFS channels. This bug is to track additional filtering for pulses generated by client activity. |
|
Symptom: SNMP query to Cisco Wireless LAN Controllers returns noSuchName during a device sync operation done from Cisco NCS. Condition: Random event while Telnet is enabled. Only seen at two sites. |
|
Symptom: WPAv1 with AES and WPAv2 with TKIP are not supported in the FlexConnect standalone mode, local authentication in the connected mode, and CCKM fast-roaming in the connected mode. This limitation is documented only in the Wireless LAN Controller 7.0 configuration guide (see http://www.cisco.com/en/US/partner/docs/wireless/controller/7.0/configuration/guide/c70hreap.html). For Wi-Fi Protected Access version 2 (WPA2) in H-REAP standalone mode or local authentication in the connected mode or CCKM fast-roaming in the connected mode, only Advanced Encryption Standard (AES) is supported. For Wi-Fi Protected Access (WPA) in H-REAP standalone mode or local authentication in the connected mode or CCKM fast-roaming in the connected mode, only Temporal Key Integrity Protocol (TKIP) is supported. WPA2 with TKIP and WPA with AES are not supported in the standalone mode, local authentication in the connected mode, and CCKM fast-roaming in the connected mode. This is true for Release 7.2 and later releases. |
|
Symptom : AIR-CT5508-K9 reboots unexpectedly using Release 7.4.100.0 and as a result the “apfMsConnTask_5” task gets suspended. Condition: This issue occurs under normal conditions without any hardware or software configuration changes or network topology changes. |
|
Symptom : There are no debugs or logs to troubleshoot 10-GB interface issues on Cisco 8500 or 7500 Series Wireless LAN Controllers. Unable to determine the issues between switches and the controller. Condition: Cisco 8500 or 7500 Series Wireless LAN Controllers with 10-GB uplinks SFP. |
|
Symptom: When the client tries to connect to a snooped domain (such as google.com), the debug message on the access point incorrectly references the use of the Virtual IP. Condition: Using DNS snooping ACLs with Release 7.3.x; enable DNS snooping on one of the ACLs for any domain (such as google.com). Enter the debug dot11 profiler events command on the AP and connect to a client that is assigned with that ACL. |
|
Symptom : With RF profile created, certain clients (for example, Blackberry devices) are not able to associate with the AP, and the controller rejects the association indicating invalid client data rates. Condition: Create an RF profile for the AP group, disable standard rates in the profile, and map the profile to an AP group. |
|
Symptom: Controller puts the client in the Run state while the client is not actually authenticated by the RSA/RADIUS server using web authentication – PAP. Condition: This issue occurs when you use two-factor authentication. Workaround: Do not use two-factor authentication for web authentication because it is not supported on controllers. |
|
Symptom : Stale client entries are seen when the show dot11 associations command is entered on the Cisco Autonomous Access Points. Condition: This issue occurs when a client connects and passes by or when the client gets disconnected and the entry still remains on the AP. 1. Clear a particular client using the clear dot11 client client-MAC-addr command. |
|
Symptom : Default interface takes precedence over foreign VLAN mapping with AAA override. Condition: Configure a guest anchor solution. Enable foreign controller-interface mapping in the anchor. Enable AAA override in the WLAN. If the AAA server does not send any interface details, the anchor controller uses the default interface configuration for the WLAN to assign an IP address to the client. The precedence should fall to the foreign controller-interface mapping and then to the default interface in the WLAN. |
|
Symptom : MAP becomes unreachable through ICMP and displays memory allocation failures. Condition: This issue occurs in Cisco AP1552UE MAP with an IP camera connected. |
|
Symptom : Controller assigns an interface within a group to an invalid list even though a response was received by the DHCP server. Condition: This occurs when some clients insist on requesting an IP outside their connected interface range in a DHCP flood. For each request, the DHCP server responds with DHCP NAK, and the DHCP NAK is received by the controller and forwarded to the clients. |
|
Symptom : The client communication fails after a controller failover. Condition: A system consists of two controllers and a Cisco AP, where the Cisco AP is in FlexConnect Local Switching mode with VLAN support disabled. This issue occurs when the Cisco AP fails over from controller1 to controller2 and then fails over back from controller2 to controller1. |
|
Symptom : A Cisco 3500 Series access point stops responding under severe radio load. Condition: This issue occurs when several thousand clients attempt to use the access point at the same time, and when the affected Cisco APs are running an affected version of the software. This occurs due to an interrupt timing issue that is inherent to the CPU utilized in the Cisco APs. |
|
Symptom : Cisco AP3600 stops responding. Condition: This issue occurs when the Cisco AP is in FlexConnect mode and has continuous association and reassociation with clients having flapping WAN connection. |
|
Symptom : Cisco AP3500 experiences false radar detection. |
|
Symptom : Cisco NCS displays the “Table too large, possible agent loop” SNMP error message for bsnMeshNeighsTable. The controller sends too many rows to Cisco NCS due to which Cisco NCS SNMP polling stops responding. Condition: This issue occurs during an SNMP walk on bsnMeshNeighsTable for a controller using Release 6.0.199.4. |
|
Symptom : Cisco AP responds to an authentication request for a disabled BSSID. Condition: This issue occurs when the Cisco AP receives an authentication request from a client whose database is about to be deleted. |
|
Symptom : Image upgrade fails occasionally in an HA system. Even though the standby system is operational and in Standby Hot state, it does not show any activity when the image is downloaded, thereby causing failure in image transfer. Condition: This issue occurs in a Cisco 5508 Wireless LAN Controller and Cisco WiSM2 HA system. |
|
Symptom : The “WLAN with duplicate SSID and L2 security policy found.” error message is displayed during a change of WLAN configuration. Condition: This issue occurs when an attempt is made to change configuration of two similar WLANs that use the same Layer 2 and Layer 3 security, that is QoS, Bandselect. 1. Disable both WLANs from the controller GUI. 2. Make all WLAN configuration changes using the controller CLI and then enable the WLANs. 3. Delete and re-create the other WLAN from the controller GUI. |
|
Symptom : When enabling the mDNS profile on an interface group, the “Active WLAN using interface group. Disable WLAN first.” error message is displayed, if the interface group has already been mapped to a WLAN or an AP group. Condition: Using mDNS gateway on the interface group. 1. Remove the interface group and then add the group again. 2. Enable the mDNS profile on the interface group before using it. |
|
Symptom : FlexConnect Local Switching clients are unable to connect to some VLANs and get DHCP. Condition: After upgrading a Cisco Flex7510 Wireless LAN Controller to Release 7.4.100.60, clients associated to Cisco AP1242 are unable to connect to a FlexConnect Local Switching WLAN that is mapped to certain VLANs (301 is noted) in the AP's FlexConnect configuration. |
|
Symptom : Controller incompatibility behavior is observed on Change Of Authentication for RFC 3576 implementation. Condition: The attributes sent by the RADIUS server for the user session disconnect request are not acknowledged, when the RADIUS server sends a Change Of Authentication disconnect request. Workaround : The disconnect request is accepted when the following three AVP pair attributes are sent: 1. Calling-Station-ID MAC address of the device (lower case works) 3. Called-Station-ID (upper case MAC of AP SSID separated by colons). |
|
Symptom : A client’s first attempt to associate is unsuccessful; the second attempt is successful. Condition: Maximum number of clients per AP radio is configured on each Cisco AP1142. |
|
Symptom : Cisco Prime Infrastructure, Release 1.3, displays the “SNMP operation to Device failed Table too large, possible agent loop” error message when monitoring a Cisco AP or a client associated with the Cisco AP. Condition: This occurs when the SSID is set to FlexConnect Local Switching and the Cisco AP is set to Local AP Mode. |
|
Symptom : LDPE and non-LDPE controllers are allowed to form an HA pair. Cisco 600 Series OEAP fails to connect if the failover occurs from the LDPE to the non-LDPE controller. Condition: This issue occurs in an HA setup that has LDPE and non-LDPE controllers. |
|
Symptom: Intermittently, after a period of operation, clients are unable to associate with the radio of a Cisco AP. The Cisco AP continues to beacon, but when the client sends an 802.11 authentication frame, the Cisco AP fails to respond with an authentication response because the transmit queues of the radio are filled up. Condition: When the current use of the transmit queues is equal to the limit, the radio is unable to transmit. For example, in Cisco AP1242, enter the following command: 1. Write a script that monitors the usage of the radio transmit queues in each access point. If a radio is found whose transmit queue usage is nearing its limit, enter the following command: |
|
Symptom : The Cisco AP arranges its own bandwidth for SIP Phone, though it is not on the phone. |
|
Symptom : Cisco 5508 Wireless LAN Controller stops responding when a client is moved from a PMIPv6-enabled controller to a non-PMIPv6 enabled controller. |
|
Symptom : Client exclusion feature does not become effective. Condition: This issue occurs due to repeated 802.1x authentication failures. |
|
Symptom : Controller stops responding when AAA server pushes Cisco AV pair of url-redirect-acl longer than 32 characters. Condition: This issue occurs when the url-redirect-acl name is very long or when you put the URL in this Cisco-av-pair instead of the ACL name. Workaround : Use url-redirect-acl names which have less than 32 characters. |
|
Symptom : After adding WLAN to the AP group, it cannot be edited on the AP VLAN mapping page (FlexConnect mode). Condition: This issue occurs when you disable WLAN before adding it to the AP group. |
|
Symptom : DCA assigns radar frequencies or channels that are not supported by AP's radio, but present in the DCA list. Condition: This occurs when DCA is enabled in the 40-MHz mode or running on an AP set on 40 MHz. Workaround : Use 20 MHz and remove unsupported channels from the list. |
|
Symptom : Voice client fluctuates while passing voice traffic. Condition: Create an open SSID in a Cisco AP702 and add it to the d0 radio interface. Try to associate two voice clients and then initiate a call from one to another. |
|
Symptom : Location calibration fails indicating no data points were collected. Same setup works if you use other Cisco AP models (1140). Condition: This occurs if you do a location calibration, linear or by data points, in an area covered by Cisco AP2600 models. |
|
Symptom: Broadcast queue becomes full. Condition: This issue occurs when the wireless clients send an IGMP report as soon as the query is sent by the controller. Workaround: Increase the IGMP query interval and timeout value. If the queue is full and the IGMP query is not processed on the first try, the stream will not be affected until no report is received over the timeout value. |
|
Symptom : Controller using Release 7.4.x stops responding. |
|
Symptom : HA upgrade fails with the following error message displayed: Condition: This issue occurs in an HA setup where the primary controller has a non-LDPE image and the secondary WLC has an LDPE image. Both the controllers have 7.4.100.0 software. |
|
Symptom : Controller stops responding. Condition: This issue occurs after you use the ap packet-dump feature. |
|
Symptom: RAP loses static channel on 5 GHz, and the 2.4-GHz channel gets set to static when configured for Auto. Condition: This issue occurs when you have the following settings: RAP-1: Set to Channel 100; 2.4 GHz = Auto. RAP-2: Set to Channel 161; 2.4 GHz = Auto. Both are initially joined with a wired connection to the controller. When the RAP-1 Ethernet link is lost or goes down, it joins over wireless backhaul through RAP-2. When the Ethernet connection is available again, RAP-1 joins over Ethernet and gets set to channel 161 (it remembers the previous parent's channel information) and 2.4 GHz gets set to static channel 11. Workaround: Ensure that the RAP Ethernet connection is never lost. If the Ethernet connection is lost, the RAP should not join another RAP. |
|
Symptom : During client authentication for a FlexConnect AP in the standalone mode, you will see that the Called-Station-ID attributes do not have the SSID information. Condition: This issue occurs in an AP that is configured for local RADIUS support. |
|
Symptom : FlexConnect Local Switching Local web authentication fails. Condition: This issue occurs when the controller using Release 7.4.100.0 performs local switching in a FlexConnect group. |
|
Symptom : Fast Transition roam fails between FlexConnect APs. Condition: This issue occurs when a client tries to roam using 802.11r Fast Transition between two FlexConnect APs. |
|
Symptom : When performing an SNMP walk to the controller, there is no response from the device. Condition: This issue occurs in FlexConnect controllers with a particular configuration. |
|
Symptom : This issue occurs only when MN devices send unicast ARP and the Cisco WLC does not respond to unicast ARP. Condition: This is applicable only to MN devices, which are sending unicast ARP. Workaround : As Apple Client unicast ARP, enter the following command to disable unicast ARP: |
|
Symptom : Wireless clients cannot receive broadcast packets after broadcast key rotation. Conditions : Dynamic WEP; Release 7.0.235.0, 7.2.110.0, and 7.3.101.0. Workaround : Enter the config advanced eap bcast-key-interval 86400 command in the middle of the night and then change security setting to WPA2. |
Table 9 lists the caveats that are resolved in the 7.5.102.0 controller software release.
This section contains important information to keep in mind when installing controllers and access points.
Warning: This warning means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071
Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
Warning: Do not locate the antenna near overhead power lines or other electric light or power circuits, or where it can come into contact with such circuits. When installing the antenna, take extreme care not to come into contact with such circuits, as they may cause serious injury or death. For proper installation and grounding of the antenna, please refer to national and local codes (e.g. U.S.: NFPA 70, National Electrical Code, Article 810, Canada: Canadian Electrical Code, Section 54). Statement 280
Warning: This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductors (all current-carrying conductors). Statement 13
Warning: This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground connector. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024
Warning: Read the installation instructions before you connect the system to its power source. Statement 10
Warning: Do not work on the system or connect or disconnect any cables (Ethernet, cable, or power) during periods of lightning activity. The possibility of serious physical injury exists if lightning should strike and travel through those cables. In addition, the equipment could be damaged by the higher levels of static electricity present in the atmosphere. Statement 276
Warning: Do not operate the unit near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use. Statement 364
Warning: In order to comply with radio frequency (RF) exposure limits, the antennas for this product should be positioned no less than 6.56 ft. (2 m) from your body or nearby persons. Statement 339
Warning: This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. Statement 1017
Follow the guidelines in this section to ensure proper operation and safe use of the controllers and access points.
The FCC, with its action in ET Docket 96-8, has adopted a safety standard for human exposure to RF electromagnetic energy emitted by FCC-certified equipment. When used with approved Cisco Aironet antennas, Cisco Aironet products meet the uncontrolled environmental limits found in OET-65 and ANSI C95.1, 1991. Proper operation of this radio device according to the instructions in this publication results in user exposure substantially below the FCC recommended limits.
For your safety, and to help you achieve a good installation, read and follow these safety precautions. They might save your life!
1. If you are installing an antenna for the first time, for your own safety as well as others, seek professional assistance. Your Cisco sales representative can explain which mounting method to use for the size and type of antenna you are about to install.
2. Select your installation site with safety as well as performance in mind. Electric power lines and phone lines look alike. For your safety, assume that any overhead line can kill you.
3. Call your electric power company. Tell them your plans and ask them to come look at your proposed installation. This is a small inconvenience considering your life is at stake.
4. Plan your installation carefully and completely before you begin. Successfully raising a mast or tower is largely a matter of coordination. Each person should be assigned to a specific task and should know what to do and when to do it. One person should be in charge of the operation to issue instructions and watch for signs of trouble.
5. When installing an antenna, remember:
b. Do not work on a wet or windy day.
c. Do dress properly—shoes with rubber soles and heels, rubber gloves, long-sleeved shirt or jacket.
6. If the assembly starts to drop, get away from it and let it fall. Remember that the antenna, mast, cable, and metal guy wires are all excellent conductors of electrical current. Even the slightest touch of any of these parts to a power line completes an electrical path through the antenna and the installer: you!
7. If any part of an antenna system should come in contact with a power line, do not touch it or try to remove it yourself. Call your local power company. They will remove it safely.
8. If an accident should occur with the power lines, call for qualified emergency help immediately.
See the appropriate quick start guide or hardware installation guide for instructions on installing controllers and access points.
Note: To meet regulatory restrictions, all external antenna configurations must be installed by experts.
Personnel installing the controllers and access points must understand wireless techniques and grounding methods. Access points with internal antennas can be installed by an experienced IT professional.
The controller must be installed by a network administrator or qualified IT professional, and the proper country code must be selected. Following installation, access to the controller should be password protected by the installer to maintain compliance with regulatory requirements and ensure proper unit functionality.
If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:
https://tools.cisco.com/bugsearch/
(If you request a defect that cannot be displayed, the defect number might not exist, the defect might not yet have a customer-visible description, or the defect might be marked Cisco Confidential.)
For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:
http://www.cisco.com/c/en/us/support/index.html
Click Product Support > Wireless. Then choose your product and Troubleshooting to find information on the problem you are experiencing.
For more information about the Cisco controllers, lightweight access points, and mesh access points, see these documents:
You can access these documents at this URL: http://www.cisco.com/c/en/us/support/index.html
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at:
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.