Release Notes for Cisco DNA Center, Release 2.3.3.x
This document describes the features, limitations, and bugs for Cisco DNA Center, Release 2.3.3.x.
For links to all of the guides in this release, see Cisco DNA Center 2.3.3 Documentation.
Change History
The following table lists changes to this document since its initial release.
Date | Change | Location |
---|---|---|
2024-02-22 | Added the open bug CSCwh06255. | |
2024-02-06 | Noted that in 2.3.3.0, Cisco TrustSec (CTS) role-based enforcement is now the same for SD-Access edge nodes and border nodes. In earlier releases, CTS role-based enforcement is configured globally on SD-Access edge nodes only. | |
2023-11-01 | Added the Resolved Bugs table for the 2.3.3.7-72328-HF5 hot fix. | |
2023-11-01 | Updated the list of packages for 2.3.3.7-72328-HF5. | |
2023-10-20 | Added a limitation about the site hierarchy for a Rogue and aWIPS report. | |
2023-10-12 | Added the Resolved Bugs table for the 2.3.3.7-72328-HF4 hot fix, which includes CSCwe15923 with a modified fix for explicit restart of etcd containers. This hook explicitly restarts the etcd container if it’s still using the old etcd certificate that was renewed before an upgrade to 2.3.3.7. | |
2023-09-29 | Added the open bug CSCwh58183 for 2.3.3.7. | |
2023-09-27 | Updated the list of packages in 2.3.3.7. | |
2023-09-27 | Added the open bugs CSCwe28523 and CSCwe42201. | |
2023-09-22 | Added the resolved bug CSCwe15923, which is fixed as a hook for 2.3.3.7. If you renewed your etcd certificate after upgrading to 2.3.3.7, the fix installed by the hook handles the certificate renewal for 2.3.3.7. | |
2023-08-18 | Added a limitation about custom applications. | |
2023-08-03 | Added the open bug CSCwh15353. | |
2023-08-01 | Previously, the Cisco DNA Center Release Notes and the Cisco DNA Center Platform Release Notes were separate. Now, they are combined into a single release note; the Cisco DNA Center platform content has been consolidated into this document. | — |
2023-07-06 | Noted that if you run Cisco DNA Center in IPv6 mode, wireless controller provisioning is not supported. | |
2023-06-26 | Added the open bug CSCwf73998. | |
2023-06-07 | Noted that if you run Cisco DNA Center in IPv6 mode, LAN automation is not supported. | |
2023-04-19 | Added the list of packages in the latest version of Cisco DNA Center 2.3.3.7. | |
2023-04-19 | Added the resolved bug CSCwe44726, which is resolved when you install the latest 2.3.3.7 package version for the Automation – Base package. | |
2023-03-09 | Added the list of packages in Cisco DNA Center 2.3.3.7. | |
2023-03-09 | Added the Resolved Bugs table for 2.3.3.7. | |
2023-03-09 | Added the open bugs CSCwb66336, CSCwc74941, CSCwe27538, CSCwe36755, CSCwe42329, and CSCwe47539. | |
2023-03-09 | Added a limitation about In-Service Software Upgrade (ISSU). | |
2022-12-20 | Added the list of packages in Cisco DNA Center 2.3.3.6. | |
2022-12-20 | Added the Resolved Bugs table for 2.3.3.6. | |
2022-12-20 | Added the open bugs CSCwc37682 and CSCwd92491. | |
2022-11-08 | Added CSCvy63072 to the Resolved Bugs table for 2.3.3.0. | |
2022-09-30 | Added the list of packages in Cisco DNA Center 2.3.3.5. | |
2022-09-30 | Added the Resolved Bugs table for 2.3.3.5. | |
2022-09-30 | Added the open bugs CSCwc85038 and CSCwd12685. | |
2022-08-03 | Added the list of packages in Cisco DNA Center 2.3.3.4. | |
2022-08-03 | Added the Resolved Bugs table for 2.3.3.4. | |
2022-07-06 | Added the list of packages in Cisco DNA Center 2.3.3.3. | |
2022-07-06 | Added the Resolved Bugs table for 2.3.3.3. | |
2022-07-06 | Added the open bug CSCwc34451. | |
2022-06-03 | Added a link to the new features in Cisco DNA Center 2.3.2, which is a Commercial Availability release. The features in 2.3.2.x are rolled up to 2.3.3.x. | |
2022-06-01 | Added the list of packages in Cisco DNA Center 2.3.3.1. | |
2022-06-01 | Added the Resolved Bugs table for 2.3.3.1. | |
2022-04-26 | Initial release. | — |
Upgrade to the Latest Cisco DNA Center Release
For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.
Before you upgrade, run the Audit & Upgrade Readiness Analyzer (AURA) precheck. AURA is a command-line tool that performs health, scale, and upgrade readiness checks for Cisco DNA Center and the fabric network. For more information, see Enhanced Visibility into Cisco DNA Center Using AURA.
Package Versions in Cisco DNA Center, Release 2.3.3.x
To download Cisco DNA Center software, go to https://software.cisco.com/download/home/286316341/type.
Package Name | Release 2.3.3.7 | Release 2.3.3.6 | Release 2.3.3.5 | Release 2.3.3.4 | Release 2.3.3.3 | Release 2.3.3.1 | Release 2.3.3.0 | |||
---|---|---|---|---|---|---|---|---|---|---|
Release Build Version |
||||||||||
Release Version |
2.3.3.7-72328-HF5 |
2.3.3.7-72328-HF4 |
2.3.3.7.72328 |
2.3.3.7.72323 |
2.3.3.6.70045 |
2.3.3.5.70134 |
2.3.3.4.72142 |
2.3.3.3.72139 |
2.3.3.1.72077 |
2.3.3.0.70399 |
System Updates | ||||||||||
System |
1.7.858 |
1.7.828 |
1.7.769 |
1.7.717 |
1.7.717 |
1.7.639 |
1.7.620 |
|||
System Commons |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
Package Updates |
||||||||||
Access Control Application |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
AI Endpoint Analytics |
1.7.702 |
1.7.702 |
1.7.702 |
1.7.658 |
1.7.658 |
1.7.658 |
1.7.626 |
|||
AI Network Analytics |
2.9.28.422 |
2.9.27.414 |
2.9.24.406 |
2.9.21.398 |
2.9.21.398 |
2.9.21.398 |
2.9.18.376 |
|||
Application Hosting |
1.9.02309170357 |
1.9.02212150812 |
1.9.02210071514 |
1.9.02209020733 |
1.9.02205130731 |
1.9.02205130731 |
1.9.02205130731 |
1.9.02204011423 |
||
Application Policy |
2.1.518.170095 |
2.1.518.170077 |
2.1.517.117025 |
2.1.515.117391 |
2.1.512.170103 |
2.1.512.170103 |
2.1.511.170079 |
2.1.510.117310 |
||
Application Registry |
2.1.518.170095 |
2.1.518.170077 |
2.1.517.117025 |
2.1.515.117391 |
2.1.512.170103 |
2.1.512.170103 |
2.1.511.170079 |
2.1.510.117310 |
||
Application Visibility Service |
2.1.518.170095 |
2.1.518.170077 |
2.1.517.117025 |
2.1.515.117391 |
2.1.512.170103 |
2.1.512.170103 |
2.1.511.170079 |
2.1.510.117310 |
||
Assurance - Base |
2.3.3.591 |
2.3.3.586 |
2.3.3.584 |
2.3.3.529 |
2.3.3.463 |
2.3.3.382 |
2.3.3.382 |
2.3.3.380 |
2.3.3.307 |
|
Assurance - Sensor |
2.3.3.581 |
2.3.3.526 |
2.3.3.375 |
2.3.3.375 |
2.3.3.375 |
2.3.3.375 |
2.3.3.289 |
|||
Automation - Base |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60889 |
Automation - Intelligent Capture |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
Automation - Sensor |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
Cisco DNA Center Global Search |
1.8.1.10 |
1.8.1.10 |
1.8.1.10 |
1.8.1.10 |
1.8.1.10 |
1.8.1.10 |
1.8.1.8 |
|||
Cisco DNA Center Platform |
1.8.1.159 |
1.8.1.158 |
1.8.1.147 |
1.8.1.137 |
1.8.1.120 |
1.8.1.120 |
1.8.1.110 |
1.8.1.96 |
||
Cisco DNA Center UI |
1.7.1.349 |
1.7.1.341 |
1.7.1.339 |
1.7.1.326 |
1.7.1.326 |
1.7.1.303 |
1.7.1.289 |
|||
Cisco Identity Services Engine Bridge |
2.1.518.1015 |
2.1.517.1015 |
2.1.515.450 |
2.1.512.417 |
2.1.512.417 |
2.1.511.416 |
2.1.510.408 |
|||
Cisco Umbrella |
2.1.518.592104 |
2.1.517.590035 |
2.1.515.590102 |
2.1.514.592341 |
2.1.512.592304 |
2.1.511.592265 |
2.1.510.590230 |
|||
Cloud Connectivity - Contextual Content |
2.4.1.338 |
2.4.1.338 |
2.4.1.338 |
2.4.1.322 |
2.4.1.322 |
2.4.1.322 |
2.4.1.308 |
|||
Cloud Connectivity - Data Hub |
1.8.43 |
1.8.43 |
1.8.43 |
1.8.33 |
1.8.33 |
1.8.27 |
1.8.25 |
|||
Cloud Connectivity - Tethering |
2.30.1.72 |
2.30.1.72 |
2.30.1.72 |
2.30.1.71 |
2.30.1.71 |
2.30.1.71 |
2.30.1.66 |
|||
Cloud Device Provisioning Application |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
||
Command Runner |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
||
Device Onboarding |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
Disaster Recovery |
2.1.518.360011 |
2.1.517.360009 |
2.1.515.360031 |
2.1.514.360024 |
2.1.512.360019 |
2.1.511.360013 |
2.1.510.36055 |
|||
Disaster Recovery—Witness Site |
2.1.518.370008 |
2.1.517.37002 |
2.1.515.37015 |
2.1.512.370012 |
2.1.512.370012 |
2.1.511.370006 |
2.1.510.37026 |
|||
Group-Based Policy Analytics |
2.3.3.35 |
2.3.3.35 |
2.3.3.35 |
2.3.3.32 |
2.3.3.32 |
2.3.3.32 |
2.3.3.29 |
|||
Image Management |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
Machine Reasoning |
2.1.518.212109 |
2.1.517.210046 |
2.1.515.210125 |
2.1.514.212433 |
2.1.512.212427 |
2.1.511.212382 |
2.1.510.210344 |
|||
NCP - Base |
2.1.518.62248 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
|
NCP - Services |
2.1.518.62248 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
|
Network Controller Platform |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
Network Data Platform - Base Analytics |
1.8.503 |
1.8.339 |
1.8.339 |
1.8.239 |
1.8.239 |
1.8.239 |
1.8.239 |
1.8.229 |
||
Network Data Platform - Core |
1.8.513 |
1.8.447 |
1.8.447 |
1.8.396 |
1.8.326 |
1.8.326 |
1.8.290 |
1.8.256 |
||
Network Data Platform - Manager |
1.8.244 |
1.8.244 |
1.8.244 |
1.8.244 |
1.8.244 |
1.8.217 |
1.8.189 |
|||
Network Experience Platform - Core |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
||
Path Trace |
2.1.518.62248 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
|
RBAC Extensions |
2.1.518.1920001 |
2.1.517.1900001 |
2.1.515.1900002 |
2.1.512.1920014 |
2.1.512.1920014 |
2.1.511.1920010 |
2.1.510.1900009 |
|||
Rogue and aWIPS |
2.5.0.28 |
2.5.0.20 |
2.5.0.20 |
2.5.0.20 |
2.5.0.20 |
2.5.0.20 |
2.5.0.20 |
|||
SD-Access |
2.1.518.62248 |
2.1.518.62240 |
2.1.518.62181 |
2.1.518.62180 |
2.1.517.60110 |
2.1.515.60238 |
2.1.514.62231 |
2.1.512.62187 |
2.1.511.62139 |
2.1.510.60908 |
Stealthwatch Security Analytics |
2.1.518.1092102 |
2.1.517.1090044 |
2.1.515.1090110 |
2.1.514.1092349 |
2.1.512.1092334 |
2.1.511.1092294 |
2.1.510.1090258 |
|||
Support Services |
2.1.518.880004 |
2.1.517.880012 |
2.1.510.880029 |
2.1.510.880029 |
2.1.510.880029 |
2.1.510.880029 |
2.1.510.880029 |
|||
System Remediation |
1.0.2 |
— |
— |
— |
— |
— |
— |
— |
||
Wide Area Bonjour |
2.4.514.75204 |
2.4.514.75204 |
2.4.511.75063 |
2.4.511.75063 |
2.4.511.75063 |
2.4.511.75063 |
2.4.510.75231 |
New and Changed Information
New and Changed Features in Cisco DNA Center
Feature | Description | ||
---|---|---|---|
Dynamic Channel Assignment (DCA) Validation |
DCA channel support is based on the regulatory domain of the device. During AP provisioning with an RF profile selected, only the DCA channels configured on the RF profile that the country code supports are considered; unsupported channels are ignored. You can view the list of unsupported channels in the AP preprovision summary window. |
||
Enhancements to AP Location Configuration |
During AP provisioning and AP Plug and Play (PnP) onboarding, Cisco DNA Center doesn't configure the assigned site as the AP location. You can configure the AP location using the Configure Access Points workflow. |
||
Enhancements to Authentication using AAA Server for Wireless Networks |
Effective with this release, you must configure an AAA server for an SSID to push the authentication configuration for the SSID. If an AAA server is not configured for the SSID, Cisco DNA Center pushes the aaa authentication dot1x default local command to the wireless controller and the default method list that points to local authentication is mapped to the SSID. |
||
Enhancements to Default Configuration of Fast Transition Over Distributed Systems for SSIDs |
Effective with this release, fast transition over a distributed system (Over the DS check box) is disabled by default for SSIDs for guest and enterprise wireless networks. |
||
Enhancements to Editing RF Profiles |
Effective with this release, when you update an RF profile that is already provisioned on a wireless controller and AP, you can reprovision either the wireless controller or AP. Wireless controller reprovisioning also pushes the RF profile updates to the devices, so AP reprovisioning is not necessary. If you don't need the RF profile updates during the wireless controller reprovisioning, you can check the Skip AP Provision check box. |
||
Enhancements to RF Profiles |
Effective with this release, for Cisco Catalyst 9800 Series Wireless Controllers, disabling a radio band on the RF profile doesn't disable the Admin status of the respective radios on all APs that use the RF profile. Instead, Cisco DNA Center disables the Admin status of the corresponding RF profile.
|
||
Enhancements to Site Tags, Policy Tags, and AP Zone Provisioning |
Site tags, policy tags, and AP zone provisioning have the following enhancements:
|
Feature | Description | ||
---|---|---|---|
2D Wireless Maps Enhancements |
|
||
3D Wireless Maps Enhancements |
|
||
AP Configuration Workflow Enhancements |
You can configure an AP even if it is not assigned to a site. You can configure the following AP parameters:
You can configure the following radio parameters:
|
||
Application Hosting Enhancements |
You can validate the HTTPS credentials provided for the device during the device readiness check. |
||
AP Provisioning Change for XOR Radio Role |
With Cisco DNA Center 2.3.3.0 or later, when you provision any AP that has an XOR radio (for example, Cisco 2800, 3800, and so on) with an RF profile that has 2.4 GHz disabled, Cisco DNA Center changes the XOR radio role to 5 GHz manual.
|
||
AP Refresh Across Cisco Wireless Controllers |
You can perform an AP refresh when the old AP and new AP are connected to different Cisco Wireless Controllers. You can perform an AP refresh even if the old AP is not provisioned. |
||
AP Zones |
You can add AP zones to a network profile for wireless devices. You can use AP zones to associate different SSIDs and RF profiles for a set of APs on the same site. |
||
Assign Device Roles and Tags to Software Images |
You can assign device roles and tags to a software image to indicate that the software image is marked as golden. When both the device tags and device roles are assigned to a software image, the device tags take precedence. |
||
Central Web Authentication Using Third-Party AAA Server for Guest Wireless Networks |
You can now configure Central Web Authentication (CWA) using a third-party AAA server while creating SSIDs for guest wireless networks. |
||
Cisco Device Hardware, Software, and Module End of Life (EoX) Status |
Cisco DNA Center shows alerts for the devices that are scanned for EoX alerts. The EoX Status column in the Inventory table shows the number of EoX alerts. |
||
Cisco DNA Center Insights |
You can subscribe to Cisco DNA Center Insights, which contains product announcements, network highlights, information about your network performance, and more. The Cisco DNA Center Insights publication is sent in PDF format to the email address that you specify. |
||
Control Endpoint Spoofing |
The Control Endpoint Spoofing feature provides granular policy control by providing network information other than just the MAC address of an endpoint. |
||
Create Port Group |
You can group device ports based on an attribute or rule. |
||
Credential Status |
The Credential Status column in the Inventory table shows the device credential status for devices that are configured. Click See Details to view details about the credentials. |
||
Custom Policy Tags |
You can configure policy tags for Cisco Catalyst 9800 Series Wireless Controllers using the advanced settings while creating network profiles for wireless devices. |
||
Custom Template for Day 0 Onboarding Without Site Selection |
If you have not assigned the device to a site, you must choose a template to claim the device. |
||
Design the Network Hierarchy |
You can now search the network hierarchy using the Site Name and Site Type filter criteria. |
||
FIPS 140-2 Support |
Software images are compliant with the Federal Information Processing Standard (FIPS). If FIPS mode is enabled in Cisco DNA Center, you cannot import images from a URL. Import images from your computer or cisco.com. |
||
FIPS mode is supported only in a new installation of Cisco DNA Center. If you are upgrading from an earlier release, FIPS mode is not supported. |
|||
In a FIPS deployment, you cannot enable external authentication. |
|||
FIPS mode is not supported for the Cisco Wide Area Bonjour application. In a FIPS deployment, you cannot install the Cisco Wide Area Bonjour application from the Cisco DNA Center GUI or CLI. |
|||
FIPS mode has the following impact on the export and import of map archives. If FIPS mode is enabled:
If FIPS mode is disabled:
|
|||
FIPS Support for Endpoint Analytics |
When FIPS mode is enabled in Cisco DNA Center, some of the functions related to Endpoint Analytics are unavailable in the Cisco DNA Center GUI. |
||
Generate Compliance Audit Report |
You can get a consolidated compliance report that shows the compliance status of the devices in your network. |
||
Integrate Cisco AI Endpoint Analytics with Talos Intelligence |
Talos Intelligence is a comprehensive threat-detection network. Talos detects and correlates threats in real time. By integrating Cisco AI Endpoint Analytics with Talos, you can flag endpoints in your network that are connecting to malicious IP addresses. |
||
Manage System Beacon |
You can highlight switches in the Cisco DNA Center inventory by using a system beacon. System beacon supports the following devices:
|
||
Manage Your Inventory |
In the Inventory window, if you choose the Default view from the Focus drop-down list, the Inventory table displays only the Device Name, IP Address, Device Family, and MAC Address of listed devices. |
||
NAS ID Configuration |
You can configure network access server identifiers (NAS IDs) for SSIDs for enterprise and guest wireless networks. |
||
QoS Settings for Wireless Networks |
You can choose one of the following QoS settings for the primary traffic while creating SSIDs for enterprise and guest wireless networks:
|
||
Return Material Authorization (RMA) Support for New Devices |
RMA Workflow support is extended for the following:
|
||
RMA Support |
Zero-touch onboarding of replacement device through PnP is supported for fabric and LAN automation devices. |
||
Schedule Group-Based Access Control Policy Updates |
You can save policy changes immediately or schedule an update at a specific time. You can view the status of the scheduled tasks in . If the Cisco DNA Center Automation Events for ITSM (ServiceNow) bundle is enabled, the Save Now option is disabled, and only the Schedule Later option is enabled for Group-Based Access Control policy changes. Note that the scheduled task must be approved in IT Service Management (ITSM) before the scheduled time. |
||
Schedule Recurring Events for APs |
You can schedule recurring events for AP and radio parameters in the AP configuration workflow. |
||
Sync Updates for Software Images |
You can synchronize the information of software images from cisco.com for all the managed devices in Cisco DNA Center. |
||
Troubleshoot Unmonitored Devices |
Using the MRE workflow, you can troubleshoot unmonitored devices or the devices that do not show Assurance data. |
||
Troubleshoot Wireless Client Issues |
Using the MRE workflow, you can troubleshoot wireless client issues. |
||
URL-Based Access Control List |
You can create IP-based and URL-based postauthentication access control lists (ACLs) for your network. |
||
View All Discoveries |
The new Discoveries table in Cisco DNA Center shows details of all the discovery jobs and provides options to rediscover and delete discovery jobs. |
||
View Image Update Workflow |
You can view the progress of software image update tasks. Cisco DNA Center shows the status of each task that is associated with the Distribution and Activation operations and the amount of time taken to complete each operation. |
New and Changed Features in Cisco DNA Assurance
Feature | Description |
---|---|
RF Simulator |
Using the AI RF Simulator, you can simulate changes to the current RF profile configurations and visualize the projected outcome against the enhanced RRM dashlets on the Enhanced RRM dashboard. |
Trend View Enhancement for Wireless Clients in Client Dashboard |
In the Client Health Summary, the trend view of wireless clients is enhanced. The radial bar chart provides the distribution of clients that failed to onboard, and the reason for the onboarding failure. |
Feature | Description |
---|---|
Additional AP Radio Channel Utilization Metrics Added to the AP Radio Comparison View |
In the Device 360 window, you can compare AP radios by the following additional KPIs:
|
AP Mesh: Information Added to Device 360 Window |
In the Device 360 window, you can view mesh AP information in the Mesh tab. |
Cisco AI Network Analytics: 6-GHz Radio Support |
Cisco AI Network Analytics supports 6-GHz RF for the following functionalities:
|
Cisco AI Network Analytics: Peer Comparison KPIs |
The Peer Comparison supports the following KPIs:
|
Cisco AI Network Analytics: Roaming KPIs in Network Heatmaps |
The Network Heatmaps supports the following roaming KPIs:
|
Cisco SD-Access: LISP and Pub/Sub Session |
SD-Access Health supports LISP and Pub/Sub session monitoring in the fabric sites. These KPIs are part of Fabric Site, SD-Access Transit, Transit Control Plane, and Device health calculations. |
Cisco SD-Access: Transits and Peer Networks |
You can monitor the health of the Transits and Peer Networks in the SD-Access Health dashboard. |
Client Dashboard Enhancements |
In the Assurance Client dashboard, the Client Devices dashlet includes Tracked Client, which allows you to track clients and notify them when they are detected in the network. |
Device Events |
Before this release, events were shown only in the Device window. Now, the Events dashboard provides a more contextual view of device events. Instead of having to search for events triggered by devices that are connected to other devices involved in an event, Assurance provides these details for you. |
Intel Analytics Support |
In the Client 360 window, under Detail Information, the Intel Connectivity Analytics tab is newly added. This tab is only available for devices supported by Intel wireless adapters. |
New AP Radio Down Issue |
A new Radio Down issue is added to the AP issues. The Radio Down issue is triggered when a radio goes down. Supported radio frequencies are 2 GHz, 5 GHz, and 6 GHz. |
New AP Radio Traffic Utilization Chart |
In the AP 360 window, under Detail Information in the RF tab, you can view a new chart called Traffic Utilization. This chart includes receive (Rx) and transmit (Tx) traffic utilization information. In addition, Rx and Tx traffic utilization information has been added to the Channel Utilization chart. |
Path Trace Enhancements |
Path trace results include the average processing delay of ACLs, tunneling, and queues, and the reason for a packet drop decision. |
Application Health |
Starting in 2.3.3.0, in the Assurance Application Health dashboard, most of the dashlets display the application health data only for the Business Relevant Applications. Some of the dashlets display the Business Irrelevant and Default applications. |
New and Changed Features in Cisco DNA Center Platform
Feature | Description | ||||||
---|---|---|---|---|---|---|---|
New API Features |
|||||||
Cisco DNA Center System API |
The Cisco DNA Center platform supports the following System API to authorize one or more devices:
To access the new System API, click the menu icon and choose . Expand the Cisco DNA Center System drop-down list. |
||||||
Cisco SD-Access API |
This Cisco DNA Center platform release supports new options in the SDA API to get, add, and delete the list of Cisco SD-Access devices:
To access the new SDA API, click the menu icon and choose . Expand the Connectivity drop-down list and choose SDA. |
||||||
Devices API |
The Cisco DNA Center platform Devices API support is extended for voice VLAN to perform device operations:
The Cisco DNA Center platform Devices API also supports the following rogue and aWIPS APIs:
To access the new Devices API, click the menu icon and choose . Expand the Know Your Network drop-down list and choose Devices. |
||||||
New ITSM Integration Features |
|||||||
Cisco Software-Defined Access Integration with ITSM (ServiceNow) |
With this release, the Cisco Software-Defined Access integration with ServiceNow monitors and publishes fabric events that require fabric role updates for security or other operational triggers to an ITSM (ServiceNow) system. It also allows you to trigger or schedule a synchronization between Cisco DNA Center devices and the ServiceNow CMDB system. For more information, see Configure the Cisco SD-Access Integration with ITSM (ServiceNow) in the Cisco DNA Center ITSM Integration Guide. |
||||||
New Reports |
|||||||
End-of-Life Data Report |
This release supports a new End of Life (EoX) report category and EoX Data report. The EoX Data report provides detailed information about network devices and the end of life alerts that were detected on them from the previous scan.
To access the EoX Data report, click the menu icon and choose . In the Report window, choose EoX Data. For more information about EoX Data, see the Cisco DNA Center Platform User Guide. |
||||||
License Historical Usage Report |
This release supports a new License Historical Usage report that provides detailed information about historical license usage.
|
||||||
Network Device Compliance Report |
This release supports a new Compliance report category and Network Device Compliance report. The Network Device Compliance report provides the compliance status of individual network devices. With this report, you can get complete visibility of your network.
To access the Network Device Compliance report, click the menu icon and choose . In the Report window, choose Network Device Compliance. For more information about Network Device Compliance report, see the Cisco DNA Center Platform User Guide. |
||||||
Unique Client and User Summary Report |
This release supports a new Unique Client and User Summary report that provides detailed information about Unique Clients, Unique Users, Unique AP, Average Client per AP, Breakdown by Protocol, Breakdown by Vendor, SSID, and VLAN.
|
||||||
Worst Interferer Report |
This release supports a new Worst Interferers report that provides detailed information about interferers detected by AP radios.
|
||||||
New Reports Features |
|||||||
New Reports GUI Features |
The Cisco DNA Center platform support is extended for the following enhancements in the AP Radio report:
For more information about creating reports, see the Cisco DNA Center Platform User Guide. |
New and Changed Features in Cisco DNA Automation
Feature | Description |
---|---|
Certificate Signing Request (CSR) Enhancement |
You can do the following in the Certificate Signing window:
|
Compliance Audit for Network Devices |
You can see if your network device contains a specific configuration. If that configuration is missing, Cisco DNA Center alerts you and then remediates the compliance problem. The workflow is as follows:
|
Configure AAA VLAN Name Override for FlexConnect Deployments on Cisco AireOS Controller |
For the AAA VLAN override settings, you can configure VLAN ID and VLAN name mapping for a specific FlexConnect profile on the window. |
Configure System Settings |
In this release, Cisco DNA Center supports the following enhancements in the System Configuration:
Cisco DNA Center also allows you to retain or delete the licensed smart account users and their associated historical data. |
Learning of AAA VLAN Override from Cisco AireOS Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller with Pre-existing Infrastructure |
Using the Learn Device Configuration workflow, you can learn about VLAN configurations from Cisco AireOS Wireless Controllers and Cisco Catalyst 9800 Series Wireless Controllers with pre-existing infrastructure. |
Learning of Mesh Configurations from Cisco Wireless Controller with Pre-existing Infrastructure |
Using the Learn Device Configuration workflow, you can learn mesh configurations from Cisco Wireless Controllers with pre-existing infrastructure and map them back to the Cisco DNA Center wireless design. |
Manage Licenses |
You can view the historical trends for all purchased and consumed licenses in CSSM on a daily, weekly, and monthly basis. CSSM stores the historical information up to one year. |
Support for 300 APs per FlexConnect Site Tag |
You can create and provision 300 APs per FlexConnect site tag on the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Series Switches release 17.8 or later. |
Support for 6-GHz Radio Parameters on APs |
Using the Configure Access Points workflow, you can configure 6-GHz radio parameters on APs. |
Support for Cisco OEAP Configuration on Existing Infrastructure |
You can configure Cisco Office Extend Access Point (OEAP) settings along with AP authorization lists on the existing infrastructure. |
Support for Dual-Band (XOR) Radio Parameters |
You can configure dual-band (XOR) radio parameters on the following APs from Cisco DNA Center:
|
New and Changed Features in Cisco Software-Defined Access
Feature | Description | ||
---|---|---|---|
Bridge-Network Virtual Machine Policy Enforcement |
In the bridge mode, all virtual machines are connected by a bridge and each virtual machine (VM) is assigned a unique IP address. Every bridge-network virtual machine is individually authenticated and authorized by the Cisco SD-Access network. In addition, this release of Cisco DNA Center supports segmentation, profiling, and Assurance of wireless bridge-network virtual machines. For information on enabling Bridge Mode VM for a wireless IP pool, see the Cisco DNA Center User Guide.
|
||
Daisy Chaining Support on the Cisco Catalyst 9000 Series Switches that are configured as Extended Nodes |
Cisco Catalyst 9200, 9200CX, 9200L, 9300, 9300L, 9400, 9500, and 9500H Series switches that operate Cisco IOS XE 17.8.1 (or later releases) can be configured in a daisy chain of Extended Nodes, Policy Extended Nodes, and Supplicant-based Extended Nodes. Consider the following when you deploy the Cisco Catalyst 9000 Series switches in a daisy chain topology:
|
||
Support for Mixed Type Extended Nodes in a Daisy Chain |
You can now connect the Cisco Industrial Ethernet (IE) switches as a mix of extended node and policy extended node in a daisy chain. Consider the following guidelines before connecting the policy extended node-capable IE devices in a daisy chain:
|
Feature | Description | ||
---|---|---|---|
Advertise LAN Automation Summary Route to BGP |
In this release of Cisco DNA Center, if you choose to, LAN Automation can advertise the summary route for the IP pool into BGP on the primary and peer devices. A new entry in the LAN Automation Status > Summary window of the Cisco DNA Center GUI displays whether the route advertisement is enabled. |
||
Border Node Preference Option in Fabric Site |
Cisco DNA Center now provides you with an option to select a border node for your network traffic. If you have more than one border node in your fabric site, you can set a priority value for each border node. Traffic is routed through the border node that has the highest priority. Priority values range from 1 to 10 (1 is the highest priority and 10 is the lowest). By default (if you do not set the priority value), the border node is assigned a priority value of 10. If you do not set a border node priority value, traffic is load balanced across the border nodes. The priority value set for a border node applies to all the virtual networks that are handed off from that border node. Border priority is supported for both unicast and multicast traffic. If an SD-Access Transit interconnects the fabric sites, the external border node with the highest priority is chosen to send traffic to external networks. Border node priority is supported on both LISP/BGP-based and LISP Pub/Sub-based fabric sites. |
||
Cisco Catalyst 9000 Series Switches with Cisco DNA Essentials License Configured as an Extended Node |
Cisco DNA Center can now onboard a Cisco Catalyst 9000 Series switch with a Cisco DNA Essentials license as an SD-Access Extended Node. A factory-default Cisco Catalyst 9200, 9200CX, 9200L, 9300, 9300L, 9400, 9500, and 9500H Series switch that operates Cisco IOS XE 17.8.1 (or later releases) with a Cisco DNA Essentials license is configured as an extended node if it is connected to a fabric edge node. If you upgrade the license level to Cisco DNA Advantage, the Cisco DNA Center GUI gives you an option to configure the device as a policy extended node. See “Upgrade an Extended Node to Policy Extended Node” in the Cisco DNA Center User Guide. Consider the following license combinations on the Cisco Catalyst 9000 series devices:
|
||
Cisco Industrial Ethernet (IE) Switches with Cisco DNA Essentials License Configured as Extended Node |
Cisco Catalyst IE3200, IE3300, IE3400, IE3400H, and IE9300 Series switches, and the IE4000, IE4010, and IE5000 Series switches, with a Cisco DNA Essentials license, are onboarded as SD-Access extended nodes. When you connect any of these factory-default switches with the Cisco DNA Essentials license to an edge node, SD-Access automation configures the switch as an extended node. If you upgrade the license level of a switch to Cisco DNA Advantage, the Cisco DNA Center GUI gives you an option to convert the switch to a policy extended node. See “Upgrade an Extended Node to Policy Extended Node” in the Cisco DNA Center User Guide. Consider the following license combinations on the IE devices:
|
||
Cisco SD-Access and Cisco ACI Integration |
In this release, Cisco DNA Center adds support for integration of Cisco SD-Access and Cisco ACI. This integration securely connects the campus network with the data center network to provide end-to-end visibility and policy integration. This integration is under limited availability. For more information, see Cisco SD-Access and Cisco ACI Integration. |
||
Cisco SD-Access and ITSM Integration |
In this release, Cisco DNA Center enables you to control and manage the operations of the Cisco SD-Access application through ITSM (ServiceNow). Cisco SD-Access and ITSM integration primarily monitors and manages the role assignment for a device in a fabric, thus ensuring that a wrong device is not added to or removed from the fabric. The following Cisco SD-Access workflows are managed through ServiceNow:
To configure Cisco SD-Access integration with ITSM, see the Cisco DNA Center ITSM Integration Guide, Release 2.3.3. |
||
Cisco SD-Access User Interface Enhancements |
|
||
Create a Layer 2 Virtual Network |
You can now create a Layer 2 virtual network without associating a Layer 3 virtual network. Traffic within the same VLAN is handled by the Layer 2 virtual network. The Cisco DNA Center GUI provides an option to hand off only a Layer 2 virtual network. This release of Cisco DNA Center supports the creation of a Layer 2 virtual network only in an SD-Access wired deployment. |
||
Overlapping IP Pools Across Virtual Networks |
Cisco DNA Center allows you to choose overlapping IP pools across virtual networks for a fabric site.
|
||
SD-Access-as-code |
This release introduces APIs that help in developing customized workflows for fabric operations. Such workflows reduce the overall time to create, change, and delete fabric sites and deliver consistent outcomes for each fabric-configuration step. SD-Access-as-code enhances the fabric operations, including the essential Day-0 and Day-N tasks in creating a fabric site and enabling multicast within a site. |
||
Streamlined Cisco TrustSec Workflows for Edges and Borders |
Effective with this release, CTS role-based enforcement is now the same for SD-Access edge nodes and border nodes. In earlier releases, CTS role-based enforcement is configured globally on SD-Access edge nodes only. In earlier releases, for SD-Access border nodes:
In this release, for SD-Access border nodes:
|
||
View REP Ring Status |
The Cisco DNA Center GUI now has a view option to check the status of a REP ring. This option displays the status of the devices in the REP ring and also warns if it detects a segment failure. For information on how to check the REP ring status, see the "View REP Ring Status" procedure in the Cisco DNA Center User Guide. |
Device Role | Product Family | Part Number | Description |
---|---|---|---|
Border Node, Control Plane Node, Edge Node, Supplicant-Based Extended Node | Cisco Catalyst 9300 Series switches | C9300LM-48UX-4Y, C9300LM-48U-4Y, C9300LM-48T-4Y, C9300LM-24U-4Y | You can provision the Cisco Catalyst 9300 Series switch as a border node, control plane node, and edge node. It is onboarded as an extended node when it is in factory-default state and connected to an edge node. |
Edge Node, Extended Node, Policy Extended Node | Cisco Catalyst Industrial Ethernet 9300 Rugged Series switches (IE9300) | IE-9310-26S2C, IE-9320-26S2C | You can provision an IE9300 device as an edge node. When configured as an edge node, IE9300 can scale up to 32 virtual networks. You can configure an IE9300 device as an extended node or a policy extended node by connecting it to an edge node. When connected to an edge node, an IE9300 device is assigned a role based on its license level. If the device is at the Cisco DNA Essentials license level, it is onboarded as an extended node. If the device is at the Cisco DNA Advantage license level, it is onboarded as a policy extended node. |
Edge Node, Extended Node, Policy Extended Node, Supplicant-Based Extended Node | Cisco Catalyst 9200 Series switches | 9200CX-8P-2X2G | You can provision the Cisco Catalyst 9200 Series switch as an edge node. It is onboarded as an extended node when it is in factory-default state and connected to an edge node. |
Extended Node | Cisco Catalyst Industrial Ethernet 3200 Rugged Series switches (IE3200) | IE-3200-8T2S-E, IE-3200-8P2S-E | IE3200 is onboarded as an extended node when it is in factory-default state and connected to an edge node. |
New and Changed Features in Interactive Help
Feature | Description |
---|---|
New Walkthroughs |
Added the following walkthroughs:
|
New Features in the Previous Release
To learn about the new features in the previous release, Cisco DNA Center 2.3.2, see New and Changed Information. Cisco DNA Center 2.3.2 is a Commercial Availability release. The features in 2.3.2.x are rolled up to 2.3.3.x.
Deprecated Features
Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) provisioning use cases are deprecated. The option to provision an NFV profile has been removed from the Cisco DNA Center GUI. However, image upgrade of NFV is still supported. Also, you can still manage NFVIS devices in Cisco DNA Center by adding them manually or through Plug and Play.
Cisco DNA Center Compatibility Matrix
For information about devices, such as routers, switches, wireless APs, NFVIS platforms, and software releases supported by each application in Cisco DNA Center, see the Cisco DNA Center Compatibility Matrix.
Cisco SD-Access Compatibility Matrix
For information about Cisco SD-Access hardware and software support for Cisco DNA Center, see the Cisco Software-Defined Access Compatibility Matrix. This information is helpful for deploying Cisco SD-Access.
Compatible Browsers
The Cisco DNA Center GUI is compatible with the following HTTPS-enabled browsers:
- Google Chrome: Version 93 or later.
- Mozilla Firefox: Version 92 or later.
We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.
Note |
For an upgrade to Cisco DNA Center 2.3.3, we recommend that you use Chrome, not Firefox. |
Supported Firmware
Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated only against the following firmware:
- Cisco IMC Version 3.0(3f) and 4.1(2g) for appliance model DN1-HW-APL
- Cisco IMC Version 4.1(3d) for appliance model DN2-HW-APL
- Cisco IMC Version 4.1(3d) for appliance model DN2-HW-APL-L
- Cisco IMC Version 4.1(3d) for appliance model DN2-HW-APL-XL
Cisco DNA Center Scale
For Cisco DNA Center scale numbers, see the Cisco DNA Center Data Sheet.
IP Address and FQDN Firewall Requirements
To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through an existing network firewall, see "Required Internet URLs and Fully Qualified Domain Names" in the "Plan the Deployment" chapter of the Cisco DNA Center Installation Guide.
About Telemetry Collection
Telemetry data is collected by default in Cisco DNA Center, but you can opt out of some data collection. The data collection is designed to help the development of product features and address any operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data—Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco DNA Center Data Sheet for a more expansive list of data that we collect. To opt out of some of the data collection, contact your Cisco account representative and the Cisco TAC.
Supported Hardware Appliances
Cisco delivers Cisco DNA Center in the form of a rack-mountable, physical appliance. The following versions of the Cisco DNA Center appliance are available:
- First generation
  - 44-core appliance: DN1-HW-APL
- Second generation
  - 44-core appliance: DN2-HW-APL
  - 44-core promotional appliance: DN2-HW-APL-U
  - 56-core appliance: DN2-HW-APL-L
  - 56-core promotional appliance: DN2-HW-APL-L-U
  - 112-core appliance: DN2-HW-APL-XL
  - 112-core promotional appliance: DN2-HW-APL-XL-U
Installing Cisco DNA Center
You can install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.
Note |
Certain applications, such as Group-Based Policy Analytics, are optional applications that are not installed on Cisco DNA Center by default. If you need any of the optional applications, you must manually download and install the packages separately. For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide. |
Support for Cisco Connected Mobile Experiences
Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) Release 10.6.2 or later. Earlier versions of Cisco CMX are not supported.
Caution |
While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password. |
Plug and Play Considerations
The following sections provide details of plug and play support.
General Feature Support
Plug and Play supports the following features, depending on the Cisco IOS software release on the device:
- AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains the aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.
- Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)
Secure Unique Device Identifier Support
The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:
- Cisco routers:
  - Cisco Catalyst IR 1800 Series with software release Cisco IOS XE 17.5.1 and later
  - Cisco ISR 1100 Series with software release Cisco IOS XE 16.6.2
  - Cisco ISR 4000 Series with software release Cisco IOS XE 3.16.1 or later, except for the ISR 4221, which requires release Cisco IOS XE 16.4.1 or later
  - Cisco ASR 1000 Series (except for the ASR 1002-x) with software release Cisco IOS XE 16.6.1
- Cisco switches:
  - Cisco Catalyst 3850 Series with software release Cisco IOS XE 3.6.3E or Cisco IOS XE 16.1.2E or later
  - Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, Cisco IOS XE 3.7.3E, or Cisco IOS XE 16.1.2E or later
  - Cisco Catalyst 4500 Series with Supervisor 8L-E with software release Cisco IOS XE 3.8.1E or later
  - Cisco Catalyst 4500 Series with Supervisor 9-E with software release Cisco IOS XE 3.10.0E or later
  - Cisco Catalyst 9300 Series with software release Cisco IOS XE 16.6.1 or later
  - Cisco Catalyst 9400 Series with software release Cisco IOS XE 16.6.1 or later
  - Cisco Catalyst 9500 Series with software release Cisco IOS XE 16.6.1 or later
  - Cisco Catalyst IE3300 Series with software release Cisco IOS XE 16.10.1e or later
  - Cisco Catalyst IE3400 Series with software release Cisco IOS XE 16.11.1a or later
- NFVIS platforms:
  - Cisco ENCS 5400 Series with software release 3.7.1 or later
  - Cisco ENCS 5104 with software release 3.7.1 or later
Note |
Devices that support SUDI have two serial numbers—the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:
|
Management Interface VRF Support
Plug and Play operates over the device management interface on the following platforms:
- Cisco routers:
  - Cisco ASR 1000 Series with software release Cisco IOS XE 16.3.2 or later
  - Cisco ISR 4000 Series with software release Cisco IOS XE 16.3.2 or later
- Cisco switches:
  - Cisco Catalyst 3650 Series and 3850 Series with software release Cisco IOS XE 16.6.1 or later
  - Cisco Catalyst 9300 Series with software release Cisco IOS XE 16.6.1 or later
  - Cisco Catalyst 9400 Series with software release Cisco IOS XE 16.6.1 or later
  - Cisco Catalyst 9500 Series with software release Cisco IOS XE 16.6.1 or later
4G Interface Support
Plug and Play operates over a 4G network interface module on the following Cisco routers:
- Cisco 1100 Series ISR with software release Cisco IOS XE 16.6.2 or later
- Cisco Catalyst IR 1800 Series
Configure Server Identity
To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternate Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center. You can generate a new certificate signing request (CSR) from . For more information, see "Update the Cisco DNA Center Server Certificate" in the Cisco DNA Center Administrator Guide.
The SAN requirement applies to devices running the following Cisco IOS releases:
- Cisco IOS Release 15.2(6)E2 and later
- Cisco IOS Release 15.6(3)M4 and later
- Cisco IOS Release 15.7(3)M2 and later
- Cisco IOS XE Denali 16.3.6 and later
- Cisco IOS XE Everest 16.5.3 and later
- Cisco IOS Everest 16.6.3 and later
- All Cisco IOS releases from 16.7.1 and later
The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:
- For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.
- For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.
- For DNS discovery, set the SAN field to the Plug and Play hostname, in the format pnpserver.domain.
- For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.
If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a Network Address Translation (NAT) router, this public IP address must be included in the SAN field of the server certificate.
If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.
We recommend that you include multiple SAN values in the certificate, if discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you include both, set the FQDN as the first SAN value, followed by the IP address.
If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the Plug and Play process.
Note |
The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field. |
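The SAN rules in this section can be checked before a certificate is uploaded. The following is an added example, not Cisco code: it parses the subjectAltName text as printed by openssl x509 -noout -ext subjectAltName and reports which discovery targets the certificate does not cover. The method labels, function names, and sample names and addresses are assumptions made for the example, and entries are matched exactly (no wildcard handling).

```python
import ipaddress

# Labels for the discovery methods listed above (the label strings are this example's own).
DHCP_ADDRESS = "dhcp-address"    # DHCP option-43/option-17 with an explicit IPv4 or IPv6 address
DHCP_HOSTNAME = "dhcp-hostname"  # DHCP option-43/option-17 with a hostname
DNS = "dns"                      # DNS discovery of pnpserver.domain
PNP_CONNECT = "pnp-connect"      # Plug and Play Connect profile (IP address or FQDN)


def identity(target):
    """Normalize a discovery target to ("ip", address) or ("dns", name)."""
    try:
        return ("ip", ipaddress.ip_address(target.strip()))
    except ValueError:
        return ("dns", target.strip().lower().rstrip("."))


def parse_san(text):
    """Return the ordered SAN entries from openssl's subjectAltName text.

    Only DNS and IP Address entries are kept, each under the type the
    certificate declares. The certificate CN is deliberately not an input,
    because the agent checks only the SAN field.
    """
    entries = []
    for line in text.splitlines():
        for item in line.split(","):
            kind, sep, value = item.strip().partition(":")
            if not sep:
                continue
            kind = kind.strip().lower()
            if kind == "dns":
                entries.append(("dns", value.strip().lower().rstrip(".")))
            elif kind == "ip address":
                # openssl prints IPv6 uncompressed; ipaddress normalizes it.
                entries.append(("ip", ipaddress.ip_address(value.strip())))
    return entries


def check_san(san_text, discoveries):
    """Return a list of findings; an empty list means every target is covered.

    discoveries is a list of (method, target) pairs, where target is the
    address or hostname that devices are given for that discovery method.
    """
    entries = parse_san(san_text)
    findings = []
    for method, target in discoveries:
        wanted = identity(target)
        kind, value = wanted
        if method == DHCP_ADDRESS and kind != "ip":
            findings.append(f"{method}: {target} is not an IP address")
        elif method == DHCP_HOSTNAME and kind != "dns":
            findings.append(f"{method}: {target} is not a hostname")
        elif method == DNS and not (kind == "dns" and value.startswith("pnpserver.")):
            findings.append(f"{method}: {target} is not in the pnpserver.domain format")
        elif wanted not in entries:
            findings.append(f"{method}: SAN has no entry for {target}")
    # Recommended ordering when both kinds are present: FQDN first, then IP.
    kinds = [kind for kind, _ in entries]
    if "dns" in kinds and "ip" in kinds and kinds[0] != "dns":
        findings.append("order: list the FQDN before the IP address in the SAN")
    return findings


# Constructed sample data (documentation address ranges and example.com names).
SAN_GOOD = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:dnac.example.com, DNS:pnpserver.example.com, IP Address:192.0.2.10, "
    "IP Address:203.0.113.7, IP Address:2001:DB8:0:0:0:0:0:10"
)
SAN_BAD = "IP Address:192.0.2.10, DNS:dnac.example.com"
DEPLOYMENT = [
    (DHCP_ADDRESS, "192.0.2.10"),
    (DHCP_ADDRESS, "2001:db8::10"),
    (DHCP_HOSTNAME, "dnac.example.com"),
    (DNS, "pnpserver.example.com"),
    (PNP_CONNECT, "203.0.113.7"),   # public address assigned by a NAT router
]

if __name__ == "__main__":
    for label, san in (("good", SAN_GOOD), ("bad", SAN_BAD)):
        print(label, check_san(san, DEPLOYMENT) or "SAN covers every discovery target")
```

If an HTTP proxy sits between the devices and Cisco DNA Center, run the same check against the proxy certificate.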
Bugs
Open Bugs
The following table lists the open bugs in Cisco DNA Center for this release.
Bug Identifier | Headline |
---|---|
Cisco DNA Center pushes the command "automate-tester username dummy ignore-acct-port probe-on" as part of its standard Cisco SD-Access configuration. Cisco DNA Center pushes the "automate-tester" configuration so that the device sends periodic RADIUS requests to the RADIUS server. The server is marked as Up if the device receives a response; the server is marked as Down if the device doesn't receive a response. It doesn't matter whether the user exists in Cisco ISE, because the device merely looks for a response from the RADIUS server, regardless of whether authentication succeeds or fails. If the corresponding Cisco ISE authentication policy uses the "Drop" action instead of the default "Access-Reject" action when the user does not exist, the AAA server might get marked as Dead when Cisco ISE drops the packet (because the dummy user does not exist on Cisco ISE). This in turn could affect CTS operation, and the following log is generated every minute:
|
|
In the Web UI, there is no option to enable FIPS. |
|
For extended nodes, a resync after reload returns a NETCONF connection failure error. |
|
In a day-N deployment, a tunnel does not come up in some data center locations. The Cisco Catalyst 9300x supports a unique source and destination over the tunnel. Bringing up multiple tunnels with the same data center is not supported. To work around this problem, bring up only one tunnel per data center. |
|
AP zone configuration and custom policy tag configuration on the APs are lost when AI-enhanced RRM is enabled on buildings from Cisco DNA Center. APs get configured with the Cisco DNA Center auto-generated policy tags. |
|
When you unsubscribe from an event, the Cisco DNA Center platform displays the "Subscription already exists" error. |
|
After Cisco DNA Center is deregistered from the cloud, Talos IP Reputation cannot be disabled. |
|
A maglev-registry failure occurs due to a TLS issue; unable to load the private key. The Maglev registry hangs in CrashLoopBackOff state. Because the maglev-registry pod is in a crash loop, other pods don't start, because they can't retrieve their container image. An orange banner appears on the Cisco DNA Center GUI with the message, "Assurance services have been temporarily disrupted. The system is working to restore this functionality." The following error is generated:
|
|
In a non-SDA environment, the CTS authorization list is not configured on the Cisco Catalyst 9800-CL. The show environment-data command returns blank output. |
|
Applications are unable to receive messages from RabbitMQ. When you log in to the RabbitMQ management GUI and open the respective exchange, queue bindings are shown intermittently; otherwise, the display is empty. |
|
Cisco DNA Center inventory reports generated for recurring are assigned with the incorrect time. |
|
Cisco DNA Center does not push the audit log because the audit logs subscription shows only syslog servers when using the webhook destination server. |
|
The health score for the border router goes down on the Assurance Device 360 window. The border router cannot register an EID to the local map server. |
|
Assurance data is missing in the dashboard after a disaster recovery (DR) failover due to stack overflow. |
|
In a DR deployment, the IPsec tunnel fails to establish after you upgrade to Cisco DNA Center 2.3.3 from an earlier release like 2.2.2.x or 2.2.3.x. The problem is due to missing kernel modules. |
|
After upgrading from Cisco DNA Center 2.2.3.5 to 2.3.3.4, sensor SSID (CiscoSensorProvisioning) provisioning fails with the following error:
There is no impact to other SSIDs. |
|
Upgrading from Cisco DNA Center 2.3.3.3-72139 to 2.3.3.4-72142 fails with the following error:
|
|
While using Mozilla Firefox, when you click 'Choose a file', files with the .cer and .pem extensions are grayed out and cannot be uploaded, even though they are acceptable file formats. To work around this problem, use Google Chrome instead of Mozilla Firefox to upload the PKI certificate. Another workaround in Firefox is to drag and drop the file into the upload box instead of browsing for it through the GUI. |
|
When you generate a security advisory report for the global location, Cisco DNA Center generates a report with no data. |
|
DR failover fails with |
|
Wired client path trace fails with the error |
|
|
|
Destination email top-level domain cannot exceed 6 characters. |
|
When you integrate Cisco DNA Center and ServiceNow, the API call to ServiceNow in Integration Slow Summary fails. |
|
After upgrading to version 2.3.3.5, event notification emails are not being sent from Cisco DNA Center and the event runtime logs display the following error message:
|
|
LLDP packets aren’t forwarded to clients on Layer 2 flooding-enabled VLAN ports. |
|
In a Cisco DNA Center disaster recovery setup, the MongoDB replication may fail with a conflict error. The log from the dr-mongodb-replicator service displays an error similar to the following:
Other data (such as wireless maps and SWIM images) is missing after the failover. |
|
After upgrading from Cisco DNA Center 2.3.3.5 to 2.3.3.7, existing AP site tag failures occur before reprovisioning embedded wireless controllers and APs. |
|
After upgrading to Cisco DNA Center 2.3.3.7 in a three-node cluster, collector-snmp goes to crashloop. |
|
After upgrading Cisco DNA Center from 2.3.3.5 to 2.3.3.6, the appliance goes into a constant reboot loop. The key_manager.service indicates that TPM is in lockout mode. |
|
After upgrading from Cisco DNA Center 2.2.2.9 to 2.3.3.7 on a fabric in a box (FIAB) site, an empty fabric SAVE pushes a number of unwanted CLIs to the box. |
|
When you search for client details using the client user name, the result is visible in the log but is not reflected in the user interface. |
|
Application upgrade from Cisco DNA Center 2.2.3 to 2.3.3 fails with the following error:
|
|
After powering down a node in a Cisco DNA Center High Availability environment, the node's CLI inaccurately displays some services in the |
|
AP name mismatch between the wireless controller and the connected Cisco Catalyst 9300 Series switch. |
|
After updating the AAA settings of an AAA server in Cisco DNA Center, the NAD entries update in Cisco ISE for the managed network devices. |
|
When you update the protocol pack to version 67 in Cisco DNA Center, the update fails. |
Resolved Bugs
Cisco DNA Center 2.3.3.7-72328-HF5 Hot Fix
The following table lists the resolved bugs in the Cisco DNA Center 2.3.3.7-72328-HF5 hot fix.
Note |
|
Bug Identifier | Headline |
---|---|
Event notification is not working correctly in the site selection. Related bug: CSCwf28290. |
|
The DHCP pool isn't created in the neighboring device after marking it for replacement in the fabric. |
|
The topology service crashes due to running out of memory, and there is a delay in loading fabric devices. |
|
When configuring a new event notification in Cisco DNA Center, the Try It feature for the subscribed event may return the following error:
|
|
The Device 360 windows for the wireless controller and APs connected to a site may display blank windows. |
|
After successfully completing the Return Material Authorization (RMA) workflow for an extended node—3560CX—the device hostname and device ID do not update in Cisco ISE. |
|
After adding a fabric in a box (FIAB) to a fabric, no other configuration preview operation is successful, such as the virtual network operations or removal from the fabric, due to the following error:
|
|
When attempting to install ThousandEyes Enterprise Agent onto devices using the Enable Apps on Switches workflow, no devices load when you select some sites. |
|
On the Inventory window, the topology view doesn't display connection links for the Meraki MR52 and MR53 cloud-managed APs due to no response from the Meraki dashboard application programming interface (API) v0. |
|
When you configure a webhook destination and REST channel, Cisco DNA Center allows you to configure only one event notification. The following error message displays when you try to create another event notification:
|
|
Auto resync may not work for SNMPv3 trap events because of the missing SNMPv3 engine ID; however, manual sync does work. |
|
On the Application Visibility window, devices aren't displaying for a site and the following error is displayed:
|
|
Software image data for some Meraki devices is missing in the Inventory window where Focus is set to Software Images. |
|
When adding a Layer 2-only pool to the fabric, the following error message may display:
|
|
When provisioning a wireless controller, it may fail with the following error message:
|
|
The Cisco DNA Center SWIM updates may become stuck in the "In Progress" state. The ongoing SWIM upgrade cannot be stopped or retriggered while it's in this state. |
|
The distribution of the ROM Monitor (ROMMON) package to an ISR4300 router is not successful even though the GUI displays it as being successful. |
|
The PKI configurations that are triggered during the Kong certificate change fail. |
|
After a template is added to a network profile and a device is provisioned to use the assigned template, Cisco DNA Center reports the device as out of compliance and incorrectly highlights the CLI deviations in red as an open violation. |
|
Wireless endpoints in an anchored virtual network don't register to the anchor, multisite remote border, or guest control plane with the AireOS wireless controller, causing client connectivity issues including but not limited to DHCP and ICMP. |
|
Cisco DNA Center may incorrectly show disk failure issues on the System Health window when there are no issues. |
|
Provisioned devices are deleted if you try to delete the same set of devices again. |
|
For Cisco DNA Center 2.3.3.7, when two network profiles have multiple VLAN ID mappings on the same VLAN name, Cisco DNA Center displays the following error when provisioning a wireless controller:
|
|
The Enable Application Telemetry feature fails after upgrading to Cisco DNA Center 2.3.3.7-72328-HF4. |
Cisco DNA Center 2.3.3.7-72328-HF4 Hot Fix
The following table lists the resolved bugs in the Cisco DNA Center 2.3.3.7-72328-HF4 hot fix.
Note |
|
Bug Identifier | Headline |
---|---|
After running the Cisco DNA Center cleanup test, an ECA device cannot be removed from Cisco DNA Center. The following error is displayed:
|
|
The CPU and memory utilization should be in line with Grafana. The System Health Intent API (/diagnostics/system/performance) should show the correct data. |
|
During a power down of a network device on Cisco DNA Center, the DEVICE_UNREACHABLE issue is not populated until a resync occurs, either manually or by scheduled interval. |
|
If you have locations in United Kingdom islands, such as Isle of Man, Jersey, and Guernsey, and you create a site with that address and try to provision the wireless controller, the following error is displayed:
|
|
Cisco DNA Center SPF services may crash while previewing the configuration of a wireless controller provisioning. |
|
Under some conditions, a newly installed, autogenerated etcd certificate in Cisco DNA Center does not get activated. When the etcd certificate does not get activated, the system might become unresponsive and inaccessible through the GUI, ultimately discarding network telemetry and losing the management capability of Cisco DNA Center. This bug affects all 2.3.3.x releases but is resolved in the 2.3.3.7-72328-HF4 hot fix. For 2.3.3.6 and earlier, we recommend that you upgrade to 2.3.5.4 or 2.3.3.7 to take advantage of the fix. |
|
Executive Summary reports fail with the following error:
|
|
Device provisioning hangs at the Provision Device window. |
|
When onboarding new devices via LAN automation, Cisco DNA Center fails to automatically create Network Access Device (NAD) entries in Cisco ISE. |
|
Fabric provisioning may fail with an error that states that an IP address pool has intrasubnet routing enabled. This problem occurs when onboarding a new switch to an existing fabric, and a Layer 3-only IP address pool was created previously. |
|
Unsupported images are listed under the Cisco Catalyst 9200 Series Switches, which causes devices to go into ROMMON mode. |
|
In a scale setup with 16 real switches, 3000 Sapro switches, and 10,000 APs, the compliance state hangs in In Progress status. The GUI doesn't let you retrigger the compliance flow. |
|
You cannot save an RF profile in a Cisco DNA Center cluster that has been upgraded through a specific path (2.2.2.x > 2.3.3.x > 2.3.3.7 or 2.3.5.3). This problem occurs if an RF band was disabled in an RF profile in 2.2.2.x or earlier, and no operation happened on it in 2.3.3.x. The following error is displayed:
|
|
The reachability polling schedule from the database is removed if the refresh message is not processed. As a result, Cisco DNA Center doesn't poll for the reachability status of devices in the inventory. |
|
When trying to view the configuration preview in the Work Items window, the following message may appear:
Related bug ID: CSCwd75644. |
|
Cisco DNA Center blocks the ability for valid IP transit handoffs to be configured for any site, signaling the following error message:
This problem occurs with 2.3.3.7 or 2.3.5.3 if you are using a four-byte autonomous system number (ASN) and only under certain scenarios, as described below. Steps to reproduce: This problem occurs if you are on 2.3.3.7 or 2.3.5.3 and you attempt to create a new fabric border with an ASN that is greater than 65535. The following error message is logged:
This problem also occurs if:
|
|
The AP Claim workflow may leave APs configured with default site tags and location parameters. |
|
The GUI must allow you to enable the AP location configuration during the PnP process. |
|
LAN automation may fail for a Catalyst 9407R Sup1XL with a 40G port running IOS-XE 17.3.4. The 40G port connected to the seed device may go into an Inactive state when stopping LAN automation, causing a loss of connectivity. |
|
Cisco DNA Center's aca-controller-service may degrade into a CrashLoopBackOff state after a node reboot. |
|
During the PnP claim process, the AP location is shown as disabled, even though it is already enabled under the System Settings window. |
Cisco DNA Center 2.3.3.7
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.3.7.
Bug Identifier | Headline | ||
---|---|---|---|
Fragmented SNMP Get Bulk response, causing Inventory collection to fail. |
|||
Cisco DNA Center custom portal builder settings are not saved. |
|||
The wireless controller drops CoA packets sourced from PAN instead of PSN. |
|||
The Cisco DNA Center Smart Licensing window may not load as expected. The following error is shown:
The Cisco DNA Center License Manager service logs show the following error:
|
|||
Provisioning device fails with the following error:
|
|||
Device domain name check must be relaxed when comparing hostname with ThousandEyes Enterprise Agent portal. |
|||
After provisioning a Cisco Catalyst 9500 Series switch stack and fabric configuration, the state changes to "Managed Internal error" state. |
|||
After a new site is added to the primary controller, and then an AP is provisioned, the AP is down in the primary, and secondary controller provisioning is done. Then AP tags are not pushed to the secondary controller, and a tag mismatch occurs between the primary and secondary controllers. To work around this problem, reprovision the mismatched APs. |
|||
Unable to subscribe with Syslog to Assurance Event Id NETWORK-DEVICES-2-106. |
|||
New stack member not getting the closed auth config pushed down to its switchports. |
|||
When you configure ServiceNow for the first time, Configuring Basic ITSM (ServiceNow) CMDB Synchronization fails to initiate RestClient processing. |
|||
Third Party Device reported as Cisco Catalyst 9800-CL Wireless Controller for Cloud (C9800-CL-K9). |
|||
End clients cannot communicate outside, because |
|||
The AP refresh workflow fails with the following error:
|
|||
Wireless controller fails compliance with mismatch in "WLAN policy profile name" - PP uniqueness. |
|||
Provisioning task fails in the Cisco Catalyst 9000 Switch due to Cisco DNA Center trying to provision IOx interface TenGigabitEthernet4/0/48. |
|||
Unconfigured SSIDs seen in Assurance. |
|||
Service Entitlement check fails during image upgrade readiness check for devices in Inventory. |
|||
Telemetry provisioning failure occurs. |
|||
Layer 2 Handoff-configured VLANs are not persistent in the web interface. |
|||
Event notifications using Webex, REST, and email stop working after an upgrade. The user receives test email but not event emails. To work around this problem, do the following:
|
|||
AP provisioning fails because Cisco DNA Center pushes duplicate commands sequentially. |
|||
The device count is out of sync unless you toggle a role change to rerun the grouping hook. |
|||
Cisco DNA Center does not archive the device configuration after device provisioning or out-of-band changes. Configuration changes are not captured in the config drift timeline graph, as Cisco DNA Center is not notified about the configuration changes by syslog. |
|||
Static port assignment from fabric host onboarding page fails with the following error:
To work around this problem, do the following:
|
|||
Disabling a band on RF profile should disable the admin status on corresponding RF profile on Cisco Catalyst 9800 Series Wireless Controller. |
|||
In Cisco DNA Center, while creating a new Layer 3 virtual network, the VN comes up with an instance ID that is already in use. When trying to add the VN to the fabric, the following error is shown:
|
|||
Incorrect TLD length check for Cisco ISE FQDN. |
|||
Mozilla Firefox browser has issues displaying more than six SGTs in Cisco DNA Center GUI when changing views. |
|||
The GUI does not show the correct status for the OS Update status. As a result, the user cannot upgrade network devices with a Golden Image assigned using the Device-tag. |
|||
Removing an IP address segment from a site that already has fabric configured causes the fabric site to report the following error:
|
|||
After installing ThousandEyes on a switch, the following error is seen on the Cisco DNA Center GUI:
|
|||
Cannot upload the new KGV file integrity verification. |
|||
The file system shows 100% utilization. Postgres is over 230 GB in size. |
|||
AuditResource table in Postgres consuming 37G contributing to database size increase. |
|||
Scheduled report is not working for Catalyst 9000 Series devices through Cisco DNA Center. |
|||
Fabric provisioning of Cisco Catalyst 9200CX Series switches fails due to maximum supported VRFs reported as four. |
|||
AP group-related configurations are not pushed in implicit provisioning, which causes a wireless outage while resetting AAA inheritance. To work around this problem, review the configuration preview before clicking the Deploy button. |
|||
Addition of an IP address pool to a fabric zone fails at validation of device intent and shows the following error:
|
|||
An attempt to add a building in country "Democratic Republic of the Congo" fails with error message:
|
|||
Reprovision BAPI fails with the following error:
|
|||
Cisco DNA Center orchestrated app hosting gets disabled on the AP when the primary wireless controller is changed. |
|||
Cisco DNA Center shows slot 2 radio on Cisco Aironet 2800 Series Access Points. |
|||
Wired workstation client connected behind IP Phone shows up as IP_Phone in Client 360 view. |
|||
In a three-node cluster, device provisioning fails during port assignment in a Cisco SD-Access environment, during inventory provisioning, and when running a compliance check. The following error is shown:
|
|||
The kafka pod is unable to handle data and slows down with gaps in Assurance. |
|||
Performing Fabric RMA leads to Task stuck in "In Progress". |
|||
Flexconnect ACL getting repushed on every wireless controller provisioning with same entries. |
|||
After fabric port assignment on setups with port channel created on Cisco DNA Center 2.2.2.x or earlier without selecting the connected device type, the host onboarding provisioning fails. |
|||
Cannot upload a sensor certificate to Cisco DNA Center 2.3.3.4. |
|||
After configuring an external SNMP collector, Cisco DNA Center sends the SNMP trap payload field and SNMP trap address with the external SNMP collector IP. |
|||
Cisco AireOS Wireless Controller shows internal error after upgrade and inventory logs refer to PolicyDeviceType. |
|||
Time range setting is not persistent with refresh. |
|||
After a SWIM upgrade of a Cisco Catalyst 3850 two-stacked switch from INSTALL mode, only one member switch comes up after reboot in BUNDLE mode. From the Cisco DNA Center audit logs, it was observed that incorrect commands were pushed for INSTALL mode upgrade, causing this issue. |
|||
Under notifications in , one can see different sites when switching between viewing the notification configuration and the editing of the same configuration. |
|||
No preprovisioned tags or custom tags (Flex, PolicyTag, or SiteTag) are configured on the wireless LAN controller without an AP being part of that custom tag site. If there are any preprovisioned tags or custom tags without an AP (configured before upgrade) and upgraded to Cisco DNA Center 2.3.3.7, reprovisioning the wireless LAN controller then deletes those orphan custom tags. |
|||
Cisco AireOS controller HA switchover is not reported as an issue in the Assurance dashboard Device UI. |
|||
Unable to create a non-flex AP group if at least one flex-SSID is configured. |
|||
Add wireless controller through API call fails when the control plane in the fabric site is configured with Pub/Sub. |
|||
Cisco DNA Center doesn't recognize the variable in the template and hence disregards the input on every alternate attempt to provision the composite template. |
|||
After upgrade to Cisco DNA Center 2.3.3.5, Cisco Wireless Controller provisioning fails with the following error:
|
|||
After removing and re-adding the sensors to Cisco DNA Center through PnP, the Network Hierarchy window does not show the filter option to add sensors on a map floor. |
|||
Provisioning a Catalyst 9800 controller fails with the following error:
|
|||
Need to disallow user provisioning nonfabric WLAN (locally switched) on fabric wireless controller. |
|||
Assign device to site for multiple devices/sites takes long time to update inventory page. |
|||
Cisco DNA Center is sending OOB AAA details during any change in AAA server. |
|||
Cisco DNA Center sends telemetry data to the cloud for all devices, instead of just the device configured for AI-Enhanced RRM. This problem occurs if the scale of devices on Cisco DNA Center is very large, and the compute resources run out on the cloud side. |
|||
Wireless provisioning creating tasks with incorrect task hierarchy. |
|||
When provisioning an OverExtend AP as a remote telework device, Cisco DNA Center is provisioning the AP with the private IP address of the wireless controller instead of NAT IP address of the wireless controller. |
|||
On a Cisco Catalyst 9800 wireless LAN controller, the CLI command show telemetry ietf subscription all detail shows many subscriptions as invalid with the following error:
The Cisco Catalyst 9800 Series Wireless Controller has a limit of 100 subscriptions, and Cisco Prime Infrastructure uses 90 of those 100 subscriptions. To work around this problem, remove the Prime Infrastructure subscriptions from the Cisco Catalyst 9800 Series Wireless Controller and repush the telemetry from Cisco DNA Center. |
|||
Device tracking will not be pushed down to new stack-member/module interfaces. |
|||
Cisco DNA Center removes all the VLANs from all the VLAN groups and re-adds them, which results in a WLAN flap. |
|||
Inventory reports fail with the following error:
|
|||
When attempting to learn the config from a Cisco Catalyst 9800 Series Wireless Controller, user may receive the following error:
|
|||
Cisco DNA Center fails to enable application telemetry on wireless LAN controllers. The network-design service logs show the following error:
|
|||
Running LAN Automation for an Edge node connected to an Edge node does not reset the seed port. |
|||
After upgrading Cisco DNA Center and attempting to provision fabric or wireless controller, the operation fails with the following error:
|
|||
Wireless controller provisioning failed with dbm:wireless:Same WLAN ID 22 is already present in database. |
|||
After enabling features in fabric IP pools, provisioning failure occurs on fabric devices with the following error:
To work around this problem, enable the new fabric view, revert the change, and attempt to re-enable the desired feature. |
|||
Cisco DNA Center fails to add GPS Marker in the floor if units are in meters. |
|||
Adding a node on Cisco DNA Center 2.3.3.5 fails on an upgraded cluster. |
|||
After upgrading to Cisco DNA Center 2.3.3.5, the sticky-scheduler service is down on the Web UI. |
|||
Moving wireless functionality from one device to another requires GUI refresh even after successful provisioning. |
|||
SWIM internal calls get stuck during distribution or when triggering the image update workflow. The calls get stuck as they reach out to the external proxy configured, which causes a |
|||
Unable to provision an AP on a single node. The following error is shown:
|
|||
Cisco DNA Center applies the wrong policy tags to APs on the Catalyst 9800 Series Wireless Controller. |
|||
Cisco Catalyst 9800 Series Wireless Controller provisioning fails with an NCSP11108 error after intra upgrade. |
|||
Guest policy update fails with an error from Cisco ISE. |
|||
Unable to mark a device for replacement in case of Class B or Class A networks. |
|||
Configuration preview fails for "Closed Authentication Mode Template Update" critical fix on the fabric page. |
|||
Old SMUs are not cleared when new golden image is selected in "Get software image details" API call. |
|||
When bulk sites are selected to create fabric zones, the wrong context is set for multiple devices, which causes multicast IP lookup to fail. As a result, provisioning fails for that device. To work around this problem, select one site at a time to create fabric zones. |
|||
Secondary controller flex profile is not detected for template automation. |
|||
Upon clicking the image family name in the Image Repository window, it is redirecting to . The image family name is displayed in the title, but no image is displayed under the image family window. It shows "No Image Found." |
|||
In a Cisco Catalyst 3850 Series Switch running in install mode, the base image gets deleted before the SMU is copied to the switch. |
|||
Provisioning a wireless controller may fail with the following error:
|
|||
When you try to onboard a switch to Cisco DNA Center via Plug and Play, onboarding fails with the following error:
|
Cisco DNA Center 2.3.3.6
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.3.6.
Bug Identifier | Headline |
---|---|
When adding a new device through Plug and Play, the process completes, and the State and Onboarding Progress show Provisioned. However, the following error message is displayed, and the device is not in the inventory:
To work around this problem, delete and re-enter all the global credentials (not just CLI, but also HTTP, SNMP, and so on). Then, retry the Plug and Play process. |
|
Software Image Management - Flash Cleanup causes |
|
1800S sensor may not be onboarded in Cisco DNA Center. During claim process, the following error is displayed:
|
|
Cannot delete the device key used in the subscriberparametermapaction table. |
|
During the software upgrade, the upgrade phase checks certificate validity. The certificate validity checks need a synchronized time source to configure the NTP server. The code which checks for higher jitter or offset values fails and results in upgrade failure. |
|
Due to container subnet overlap with the internal pods' default route, communication from a pod to other pods, services, or the host does not work. This results in continuous pod restarts. |
|
Cisco DNA Center assigning different site tags to APs in the same site. |
|
Provisioning a wireless controller may fail with Cisco DNA Center's network-programmer service running out of its allocated Java heap. |
|
Devices showing internal error due to |
|
Cisco DNA Center pushes QoS policy for incorrect SSID. |
|
If the system update fails at the post hook install phase, and the release upgrade is retried after the failure, the release upgrade proceeds directly to the application packages before installing the post system hooks completely. |
|
AP and wireless controller provisioning failing due to |
|
Cannot provision or delete wireless controller due to |
|
CoreDNS fails to resolve reverse lookups. |
|
Cisco DNA Center may fail to provision a wireless LAN controller if a compliance operation starts around the same time as the provisioning. This appears to cause the SPF service to exhaust its memory allocation. |
|
All the logs are not exporting to the syslog server. |
|
The golden image is not properly updated when more than one device type is selected in the same device family. |
|
While provisioning or updating telemetry settings on Cisco Catalyst 2960-Plus Series switches, Cisco DNA Center returns an error regarding configuring netflow, when netflow is not supported for the device. |
|
In policy extended nodes, the web interface under Fabric > Host Onboarding > Port Assignment has no option to assign SGT value to specific ports. |
|
Client global issue trigger does not work as expected in Cisco DNA Center. |
|
The wireless client is not deleted, which causes a huge client count stored in ES. |
|
Upgrading Cisco DNA Center from version 1.6.718 to 1.7.717 fails. The system shows the following error:
|
|
The device list does not match the device count. |
|
Cisco DNA Center incorrectly shows C1000-8P-2G-L as supported. |
|
While provisioning a wireless controller with an open SSID or an SSID without assigning AAA servers, Cisco DNA Center pushes the default accounting list. To work around this problem, remove the default accounting list configuration manually until the next Cisco DNA Center provisioning. |
|
After uploading a wireless floor map to Cisco DNA Center, the map does not populate within CMX. This is due to Cisco DNA Center sending an XML file rather than a JPG to CMX to display. |
|
The "Apply CLI credentials for site Global" task fails. |
|
Cisco DNA Center configures AP tags with default values, rather than the site tags configured in the Network Profile. |
|
Cisco Secure Firewall Management Center (FMC) and Firepower Threat Defense (FTD) devices show an internal error after adding FMC in inventory. |
|
Arbitrary file overwrite vulnerability. |
|
After upgrading Cisco DNA Center to 2.3.3.4, the AP count fluctuates in the Assurance dashboard. The kafka service restarts continuously. |
|
After a power outage, the DR witness loses the configuration and restarts continuously. |
Cisco DNA Center 2.3.3.5
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.3.5.
Bug Identifier | Headline |
---|---|
After initiating an image upgrade for the Cisco Catalyst 9300 Series switch, the switch boots with the following error:
The Cisco Catalyst 9300 Series switch cannot be recovered. |
|
Provisioning single RF profile causes all the access points in the site to disjoin or join. |
|
Cisco DNA Center devices fail to sync with the following error:
|
|
Cisco DNA Center deleted some of the switch running image packages during image distribution from Splunk tool. |
|
Unable to provision an AP, as Postgres is unable to find a large object. |
|
Provisioning Cisco Wireless Controller fails due to |
|
Mismatch in AAA Key configuration, resulting in provision failure after existing deployment learn and provision. |
|
Cisco Catalyst 9300 Series stacked switch re-sync fails with "Internal Error" due to arpDetails_feature failure. |
|
Provisioning fails on Cisco Catalyst 9800 Series Wireless Controller due to Mobility configuration. |
|
Tri-radio mode gets enabled during AP provisioning on Cisco Wireless Controllers, which have APs that support Tri-radio mode. |
|
Disaster Recovery: File service does not delete the purged files from mongo. |
|
Some floors in Cisco DNA Center may not display a wireless heatmap, citing a |
|
Prime Data Migration tool with Cisco DNA Center: Maps migration failure for non-system campus with AP mapped to a floor. |
|
Disaster Recovery: Re-join operation fails when witness VM tries to reconnect to disaster recovery configuration after software upgrade. |
|
Device deletion from Cisco DNA Center's inventory fails, citing a foreign key constraint violation between vrf and ntpserverassociation. |
|
Cisco DNA Center may set an L3 VNID to zero for infrastructure segments when a wireless device is provisioned, which results in APs disassociating from the fabric network. |
|
Cisco DNA Center 2.3.3.3 assigns different site tags to APs in the same site. |
|
The wireless fabric control plane IP address gets removed from the Cisco Wireless Controller following implicit provisioning. |
|
Cisco DNA Center's Inventory service is unstable, causing the inventory web page to load slowly or device synchronizations to take longer to run. |
|
Cisco DNA Center GUI shows error messages when accessing network profile advanced settings and creating custom tags. |
Cisco DNA Center 2.3.3.4
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.3.4.
Bug Identifier | Headline |
---|---|
On Cisco DNA Center appliances with Disaster Recovery enabled, the Monitoring tab in the Disaster Recovery window displays mostly empty boxes for the Main, Recovery, and Witness sites, without the usual icons and connecting lines. Because of this, the status of the DR sites and connections is not visible by default on this window. |
|
After upgrading to Cisco DNA Center 2.3.3.3, provisioning a Cisco Wireless Controller with wireless fabric-enabled APs causes the fabric wireless to go down. This is due to the Cisco Wireless Controller disabling the SSIDs as a fabric-enabled SSID and then disabling the APs for fabric mode. The IP pools associated to the fabric SSIDs are also cleared from host onboarding. |
Cisco DNA Center 2.3.3.3
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.3.3.
Bug Identifier | Headline |
---|---|
After editing an SSID previously configured in Cisco DNA Center, provisioning the Cisco Wireless Controller with the new information may fail with the following NETCONF error:
|
|
An error occurs while using the Cisco DNA Center business API connector on ServiceNow. |
|
The Switch 360 window shows incorrect interfaces from other devices. |
|
Unable to see any devices in the ThousandEyes App Hosting workflow window. The Manage tab shows already-installed devices, but no devices are displayed in the Install tab. |
|
Cisco DNA Center may fail to provision a Cisco Catalyst 9800 Series Wireless Controller. The following error is displayed:
|
|
Cisco DNA Center has issues with displaying scalable groups on the window. When you choose Assign SGT, the following message is displayed, and no SGTs are shown:
|
|
The Meraki dashboard and Firepower Management Center (FMC) show an internal error. |
|
Multiple devices display an internal error after upgrading Cisco DNA Center to 2.2.3.4. |
|
Port assignment in Host Onboarding does not work correctly for Cisco DNA Center 2.2.3.4. |
|
After upgrading to Cisco DNA Center 2.2.3.4, the provisioning service receives DEVICE_LINE_CARD_ADDITION events for nonfabric devices and provisions those devices automatically. The auto provisioning request message in the spf-service-manager log contains the following parameter:
Auto provisioning due to a DEVICE_LINE_CARD_ADDITION event is applicable for Cisco SD-Access deployments to automatically push dot1x security configurations to the ports added to fabric devices. |
|
Template provisioning of SNMP commands may fail due to special characters. |
|
After a Cisco DNA Center upgrade, the GBP record is missing in the service manager enablement. |
|
Vulnerabilities for Cisco DNA Center 2.2.2.8. |
|
Cisco Wireless Controller provisioning fails because the snapshot doesn't exist for the namespace. |
|
When importing Ekahau project files, Cisco DNA Center may display the obstacle types and attenuation values differently from what is configured in the Ekahau project. |
|
Unable to start LAN automation. The following error is displayed:
|
|
Cisco DNA Center reports in PDF format show Coordinated Universal Time (UTC) irrespective of the selected time zone. |
|
Device provisioning on IE3x00 platforms fails with the following error:
|
|
Cisco 1800S sensors become unreachable and fail to auto register with Cisco DNA Center through the PnP flow. |
|
BPDU configurations keep pushing to the XTR switches even after the configurations are removed manually. |
|
The wirelessgrouping entry can't be deleted, which causes Cisco Wireless Controller provisioning failure. |
|
Software image management (SWIM) does not show an activation task even after successful image transfer. |
|
Switch provisioning fails with the following error:
|
|
Evaluation for Spring4Shell vulnerability (CVE-2022-22965). |
|
A few IP address pools in the virtual network may be removed from the LISP configuration of edge switches. |
|
Cisco DNA Center generates false DHCP issues for wireless clients connecting to an anchor cloud SSID. |
|
Application Hosting turns the interface value into date format. |
|
Unable to delete the multiple devices table snmpgroupversionsettings. |
|
Cisco DNA Center may reuse already assigned IP addresses during LAN automation. |
|
Disaster recovery failover hangs after you click the Pause button. |
Cisco DNA Center 2.3.3.1
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.3.1.
Bug Identifier | Headline |
---|---|
For wireless endpoints connected as guest hosts via bridged VM, guest host IPs are not updated and guest hosts don't show as two separate endpoints with IP addresses. |
|
For Wide Area Bonjour, restoring a NIC-bonded cluster link in three-node HA sometimes causes Service Discovery Gateway (SDG) agents to remain in inactive status. In an operational three-node cluster running the Cisco Wide Area Bonjour application, when the cluster becomes operational with only two nodes after a node is lost from the cluster or a previously lost third node becomes operational due to manual administrative actions or network malfunction, the following issue may be seen sometimes for the Wide Area Bonjour service: The status of some SDG agents in the window may remain inactive, even if they were active before the incident. This issue is also reflected in the Wide Area Bonjour SDG dashlet, where the state of the affected SDG agents is Reachable, but Down. Wide Area Bonjour shows the status of the services learned from these affected SDG agents as inactive and doesn't process queries from these SDG agents. Running the show mdns controller summary command on any affected SDG agent switch shows the connection state as negotiating (although a ping to the controller IP from the interface is successful). This issue doesn’t affect the operation of any other service on Cisco DNA Center. |
|
Unable to delete any pool from an anchored virtual network that was created on an earlier release and then upgraded to Cisco DNA Center 2.2.3.4. |
|
When you try to add an anycast gateway to the inherited site, the following error message is generated:
This problem occurs only if the anycast gateway at the parent site is created in Cisco DNA Center 2.2.2 and then the same anycast gateway is added to the inherited site in Cisco DNA Center 2.3.3. In Cisco DNA Center 2.2.2, the anycast gateway at the parent site is created with common pool = true. When the same anycast gateway is added to the inherited site in Cisco DNA Center 2.3.3, it is created with common pool = false. If the anycast gateway at the parent site is created in Cisco DNA Center 2.3.3, the problem does not occur when adding the anycast gateway to the inherited site. |
|
L2VN border config removes cts enforcements for other VLANs. The condition is triggered when you have existing gateways present in the fabric and you then add one of the following:
|
|
CSCwb81079 |
A Cisco DNA Center upgrade from 2.2.3.5 to 2.3.3.0 hangs at 73%. |
Cisco DNA Center 2.3.3.0
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.3.0.
Bug Identifier | Headline |
---|---|
Cisco DNA Center may not display an IP address pool or subnet when you try to create a segment. The following errors are displayed:
|
|
After a disaster recovery (DR) failover, when you perform a trust re-establishment operation within 15 to 20 minutes, Cisco ISE cannot reconnect the Reader role to Cisco DNA Center. This problem applies only to Cisco DNA Center being brought back to a Reader role. |
|
When Cisco DNA Center attempts to configure Application Visibility and Control (AVC) to an eight-member stack of Catalyst 9000 switches, the process may fail with the following error:
|
|
Cisco DNA Center Inventory reports an internal error for Cisco Catalyst 9300 switches. |
|
While adding additional edge switches to an existing fabric, Cisco DNA Center may alter the AAA configuration of an existing Cisco Wireless Controller from TACACS to RADIUS. |
|
LAN automation fails with the following error when there are 31+ dummy pools:
|
|
All wireless controllers are implicitly configured when IP pools are assigned or removed from fabric WLANs on the Host Onboarding window. |
|
Adding and removing a fabric edge provisions wireless controllers randomly with different configurations. |
|
Unable to delete a segment from host onboarding. |
|
IP pools are not displayed in the host onboarding under a virtual network. |
|
A Cisco ISE node PSN added as a AAA server in Cisco DNA Center cannot be removed, even if no WLAN is using the node as AAA. |
|
Inconsistent results are shown for the site health API. |
|
CSCwa16652 |
Manually generated reports in Cisco DNA Center result in blank pages. |
Ekahau file import fails with the following API error:
|
|
Unable to start LAN automation due to the following error:
|
|
Supplicant-based extended node fails to onboard via Plug and Play when using the Cisco DNA Center-based onboarding flow. This behavior is seen when referencing the default ACL == AEN_MAB_ACL for use during onboarding. |
|
Device Discovery task gets stuck in RUNNING for a long time, clogging up the inventory service, which in turn disrupts loading of global credentials. |
|
When configuring integration of Cisco ISE with Cisco DNA Center, RADIUS is enabled by default, and the pxGrid connection to Cisco ISE is enabled. TACACS+ is not enabled by default. If you choose to enable TACACS+ and to also disable RADIUS, you must manually disable the pxGrid connection. Otherwise, the Cisco DNA Center System 360 window shows the pxGrid state as Unavailable. |
|
Supplicant-based extended nodes toggle between inbuilt templates, resulting in error disabled. |
|
CTS credentials of the device are not in sync with the Cisco ISE NAD entry. |
|
Assurance Dashboard: Rogue on Wire reports with rogue clients with broadcast addresses (all F's) should be ignored while calculating rogue on wire. |
|
AP provisioning fails when AAA VLANs are defined and AP re-provisioning is attempted. |
|
User intent validation failure occurs when provisioning a wireless controller. |
|
Cisco DNA Center 2.2.2.8 displays the interface speed of 10+ Gbps interfaces on Catalyst devices as 4,294,967,295. The interfaces on the device themselves display the correct speed. This is due to a limitation with the SNMP OID being used. Cisco DNA Center is using the ifSpeed OID (1.3.6.1.2.1.2.2.1.5). This OID has a limitation: If the bandwidth of the interface is greater than the maximum value reportable by this object, this object should report its maximum value (4,294,967,295) and ifHighSpeed must be used to report the interface's speed. |
|
NAC is not enabled via advanced SSID Model config when pushing to two Cisco Wireless Controllers at the same time. |
|
Cisco DNA Center may fail to create a trust-point when the system certificate contains ".local" or ".com.corp" in the common name. |
|
The LISP key banner push fails for wireless devices in Cisco DNA Center 2.2.2.x. |
|
A null pointer exception occurs while you try to access Show Task from the Image Repository window. |
|
The spf-service-manager-service does not start after an upgrade to Cisco DNA Center 2.1.2.7. |
|
Assurance Client Health window does not load when Client Data Rate dashlets are deleted. |
|
Cisco DNA Center provisioning fails with "NCSP10246 Internal error while attempting to transform". |
|
Template content only returns a specific value instead of the entire content. |
|
Download of latest KGV files fails due to a certificate change on tools.cisco.com. |
|
A Cisco Wireless Controller provisioning failure occurs due to an invalid $apMac configuration element. |
|
System Health displays stale pxGrid information after updating the FQDN information. |
|
Wireless controller provisioning fails with the following error:
|
|
Fabric edge provisioning fails if you use a single-digit VLAN ID with sgt during pool addition in a virtual network. |
|
During an attempt to activate the Cisco DNA Center Disaster Recovery system after registration, the DR activation workflow never completes. On the Main cluster, the "Configure active" flow completes properly, and the Main site moves to a "Waiting Standby Configuration" state. But on the "Configure standby" flow, the Configure replication step doesn't complete, leaving the Recovery site in the "Configuring Standby" state indefinitely. |
Guidelines and Limitations
Cloud Connectivity Through SSL Intercept Guidelines
Some Cisco DNA Center applications, such as the Cisco AI Network Analytics agent on the Cisco DNA Center appliance, require establishing a secure communication to the cloud, with mutual authentication using X.509 certificates.
In addition to direct connectivity, use of a proxy is also supported, as long as the SSL communication is terminated directly at the agent and cloud endpoint, without any SSL interception device in between.
Cloud connection through an SSL intercept device is not supported and might result in connectivity failures.
Backup and Restore Guidelines
-
You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.
-
After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose . From the Actions column, choose Edit corresponding to the server. Enter your Cisco ISE password to update.
-
After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands that are pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. See the individual network device documentation for information about the CLI commands to enter.
-
Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial collection after the restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.
-
Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.
-
You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.
Cisco ISE Integration Guidelines
-
ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access or in the certificates in Cisco DNA Center and Cisco ISE.
-
Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.
-
Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC5280 section-4.2.19).
-
The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.
-
If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.
-
The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.
-
Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.
-
Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.
Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.
Device Onboarding Guidelines
For IE-3200-8P2S-E/A, IE-3200-8T2S-E/A, IE-3300-8P2S-E/A, and IE-3300-8T2S-E/A devices with Cisco IOS XE 17.8.1 or later, we recommend that you boot the devices in install mode before onboarding them.
If you upgrade an onboarded IE3200 or IE3300 device to Cisco IOS XE 17.8.1 or later, ensure that the device is in install boot mode before upgrading.
Upgrade Limitation
-
If you are upgrading to Cisco DNA Center and all the following conditions apply, the upgrade never starts:
-
Cisco ISE is already configured in Cisco DNA Center.
-
The version of Cisco ISE is not 2.6 patch 1, 2.4 patch 7, or later.
-
Cisco DNA Center contains an existing fabric site.
-
The number of DNS servers must not exceed three.
Although the GUI does not indicate that the upgrade failed to start, the logs contain messages that are related to the upgrade failure.
To work around this problem, upgrade Cisco ISE to 2.6 patch 1, 2.4 patch 7, or later, and retry the Cisco DNA Center upgrade.
-
In-Service Software Upgrade (ISSU) is not supported in Cisco SD-Access deployments.
License Limitations
-
The Cisco DNA Center License Manager supports Smart Licensing only for wireless controller models that run Cisco IOS XE. The License Manager does not support Smart License registration of the Cisco 5500 Series AireOS Wireless Controller when the connection mode is smart proxy.
-
The Cisco DNA Center License Manager does not support the following operations under for Cisco IOS 17.3.2 and later:
-
Enable License Reservation
-
Update License Reservation
-
Cancel/Return License Reservation
-
Factory License Reservation
Fabric Limitations
-
IP address pools that are reserved at the area level are shown as Inherited at the building level in the window. However, these IP address pools are not listed in the Host Onboarding window if the fabric site is defined at the building level. If the fabric site is defined at the building level, you must reserve the IP address pools at the building level. If the fabric site is defined at the area level, you must reserve the IP address pools at the area level.
To work around this issue, release and reserve the IP address pool at the same level (area or building) as the fabric site, or reconfigure the fabric site at the same level as the reserved IP address pool.
-
Cisco DNA Center does not support multicast across multiple fabric sites that are connected by an SD-Access transit network.
-
The IP-Directed Broadcast feature is supported over SD-Access transit only for unknown unicast traffic destined to silent hosts (that is, hosts present on the remote SD-Access site but not registered to the control plane). IP-Directed Broadcast over SD-Access transit does not support broadcast packets.
Existing Feature-Related Limitations
-
Cisco DNA Center cannot learn device credentials.
-
You must enter the preshared key (PSK) or shared secret for the AAA server as a part of the import flow.
-
Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.
-
Cisco DNA Center can learn the device configuration only one time per controller.
-
Cisco DNA Center can learn only one wireless controller at a time.
-
For site profile creation, only the AP groups with AP and SSID entries are considered.
-
Automatic site assignment is not possible.
-
SSIDs with an unsupported security type and radio policy are discarded.
-
For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.
-
The Cisco ISE server (AAA) configuration cannot be learned through existing device provisioning.
-
The authentication and accounting servers must have the same IP addresses for them to be learned through existing device provisioning.
-
When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.
-
A wireless conflict is based only on the SSID name and does not consider other attributes.
Wireless Limitations
-
If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP location before deploying the policy. Otherwise, the "Policy Deployment failed" message is displayed.
-
During wireless provisioning, Cisco DNA Center deletes any rules with an index from 1 to 99 that are configured out-of-the box or through a template. Cisco DNA Center retains rules with an index of 100 or higher. If you want to use any out-of-the-box rules, use index 100 or higher.
AP Limitations
-
AP as a sensor is not supported in this release of Cisco DNA Center.
-
Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.
After provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.
-
Provisioning of 100 APs takes longer in this release as compared to 3 minutes in earlier releases. The amount of time varies depending on the wr mem time of the Cisco Catalyst 9800 Series Wireless Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.
-
In Cisco DNA Center 2.3.3.7, when you export the Inventory, the export file excludes APs. In earlier Cisco DNA Center releases, all devices in the Inventory are included in the export file.
-
When a wireless controller is in maintenance mode, all the associated APs are automatically placed in maintenance mode. However, you can't place the APs in maintenance mode individually if the associated wireless controller is not in maintenance mode.
Inter-Release Controller Mobility (IRCM) Limitation
The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.
IP Device Tracking on Trunk Port Limitation
Rogue-on-wire detection is impacted; Cisco DNA Center does not show all the clients connected to a switch through an access point in bridge mode. The trunk port is used to exchange all the VLAN information. When you enable IP device tracking on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable the IP device tracking on the trunk port. Rogue-on-wire is not detected if IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.
Encryption Limitation with SNMPv3
AES192 and AES256 encryption is not fully supported for SNMPv3 configuration. If you add devices with AES192 or AES256 encryption to Cisco DNA Center, Assurance data is not collected for those devices.
As a workaround, to collect Assurance data, add a device with AES128 encryption. Cisco DNA Center supports AES128 and gathers Assurance data for devices with AES128 encryption.
IPv6 Limitations
If you choose to run Cisco DNA Center in IPv6 mode:
-
Access Control Application, Group-Based Policy Analytics, SD-Access, and Cisco AI Endpoint Analytics packages are disabled and cannot be downloaded or installed.
-
Communication through Cisco ISE pxGrid is disabled because Cisco ISE pxGrid does not support IPv6.
-
LAN automation is not supported.
-
Wireless controller provisioning is not supported.
Cisco Plug and Play Limitations
-
Virtual Switching System (VSS) is not supported.
-
The Cisco Plug and Play mobile app is not supported with Plug and Play in Cisco DNA Center.
-
The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.
-
The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:
pnp startup-vlan <vlan_number>
Cisco Group-Based Policy Analytics Limitations
-
Cisco Group-Based Policy Analytics supports up to five concurrent requests based on realistic customer data. While it is desirable for GUI operations to respond within 5 seconds or less, for extreme cases based on realistic data, it can take up to 20 seconds. There is no mechanism to prevent more than five simultaneous requests at a time, but if it does happen, it might cause some GUI operations to fail. Operations that take longer than 1 minute time out.
-
Data aggregation occurs at hourly offsets from UTC in Cisco Group-Based Policy Analytics. However, some time zones are at a 30-minute or 45-minute offset from UTC. If the Cisco DNA Center server is located in a time zone with a 30-minute or 45-minute offset from UTC, and the client is located in a time zone with an hourly offset from UTC, or vice versa, the time ranges for data aggregation in Cisco Group-Based Policy Analytics are incorrect for the client.
For example, assume that the Cisco DNA Center server is located in California PDT (UTC-7) where data aggregations occur at hourly offsets (8:00 a.m., 9:00 a.m., 10:00 a.m., and so on). When a client located in India IST (UTC+5:30) wants to see the data between 10:00 and 11:00 p.m. IST, which corresponds to the time range 9:30 to 10:30 a.m. PDT in California, no aggregations are seen.
-
Group changes that occur within an hour are not captured. When an endpoint changes from one security group to another, Cisco Group-Based Policy Analytics is unaware of this change until the next hour.
-
You cannot sort the Security Group and Stealthwatch Host Group columns in the Search Results window.
-
You might see discrepancies in the information related to Network Access Device (including location) between Assurance and Cisco Group-Based Policy Analytics.
Application Telemetry Limitation
When configuring application telemetry on a device, Cisco DNA Center might choose the wrong interface as the source for NetFlow data.
To force Cisco DNA Center to choose a specific interface, add netflow-source in the description of the interface. You can use a special character followed by a space after netflow-source, but not before it. For example, the following syntax is valid:
netflow-source
MANAGEMENT netflow-source
MANAGEMENTnetflow-source
netflow-source MANAGEMENT
netflow-sourceMANAGEMENT
netflow-source & MANAGEMENT
netflow-source |MANAGEMENT
The following syntax is invalid:
MANAGEMENT | netflow-source
* netflow-source
netflow-source|MANAGEMENT
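The following shell functions are an added example, not Cisco DNA Center code. They audit interface descriptions in an IOS-style configuration for the netflow-source marker, using a pattern inferred only from the valid and invalid descriptions listed above. The function names, the NETFLOW_RE pattern, and the sample configuration are assumptions made for the example.

```shell
#!/bin/sh
# Added example. NETFLOW_RE is inferred from the valid and invalid
# descriptions listed above; it is not Cisco DNA Center's own matching code.
#   before "netflow-source": only letters, digits, or spaces
#   right after it:          end of text, a letter, a digit, or a space
NETFLOW_RE='^[A-Za-z0-9 ]*netflow-source([A-Za-z0-9 ].*)?$'

# netflow_marker_ok DESCRIPTION -> exit status 0 if the marker form is accepted
netflow_marker_ok() {
    printf '%s\n' "$1" | grep -Eq "$NETFLOW_RE"
}

# audit_netflow_source: reads IOS-style configuration on stdin and prints
# "<interface> ok|malformed|none" for every interface stanza.
audit_netflow_source() {
    awk -v re="$NETFLOW_RE" '
        function emit() { if (ifname != "") print ifname, status }
        /^interface / { emit(); ifname = $2; status = "none"; next }
        /^[^ ]/       { emit(); ifname = ""; next }   # other top-level line ends the stanza
        ifname != "" && /^ description / {
            desc = $0
            sub(/^ description /, "", desc)
            if (desc ~ /netflow-source/)
                status = (desc ~ re) ? "ok" : "malformed"
        }
        END { emit() }
    '
}

# Constructed sample configuration (addresses from the documentation range).
sample_config() {
    cat <<'EOF'
interface GigabitEthernet1/0/1
 description MANAGEMENT netflow-source
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/0/2
 description MANAGEMENT | netflow-source
!
interface GigabitEthernet1/0/3
 description uplink to core
!
interface Vlan10
 description netflow-source|MANAGEMENT
EOF
}

sample_config | audit_netflow_source
```

An interface reported as malformed carries the marker in a form the page lists as invalid, so it is not a reliable way to pin the NetFlow source.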
IP Address Manager Limitations and Workaround
-
Infoblox:
-
Infoblox does not expose a name attribute; therefore, the comment field in Infoblox is populated by the IP pool name during a sync.
-
For a pool import, the first 50 characters of the comment field are used. If there are spaces in the comments, they are replaced by underscores.
-
If an IP pool name is updated for an imported pool, the comments are overwritten and the new name is reflected.
-
BlueCat: There are no limitations identified with BlueCat integration at this time.
-
You might see the following error when editing an existing IPAM integration or when adding a new IPAM manager.
NCIP10283: The remote server presented a certificate with an incorrect CN of the owner
To correct this, regenerate a new certificate for IPAM and verify that any one of the following conditions is met:
-
No values are configured in the SAN field of the certificate.
-
If a value is configured, the value and type (IP address or FQDN) must match the configured URL in the window.
-
Cisco DNA Center supports integration with an external IPAM server that has trusted certificates. In the Cisco DNA Center GUI, under , you might see the following message:
NCIP10282: Unable to find the valid certification path to the requested target.
To correct this error for a self-signed certificate:
-
Using OpenSSL, enter one of the following commands to download the self-signed certificate, depending on your IPAM type. (You can specify the FQDN [domain name] or IP address in the command.)
openssl s_client -showcerts -connect Infoblox-FQDN:443
openssl s_client -showcerts -connect Bluecat-FQDN:443
-
From the output, use the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- to create a new .pem file.
-
Go to , click Import, and upload the certificate (.pem file).
-
Go to and configure the external IPAM server. (If the IPAM server is already configured, skip this step.)
To correct this error for a CA-signed certificate, install the root certificate and intermediate certificates of the CA that is installed on the IPAM, into the Cisco DNA Center trustpool ( ).
-
You might see the following error if a CA-signed certificate is revoked by the certificate authority:
NCIP10286: The remote server presented with a revoked certificate. Please verify the certificate.
To correct this, obtain a new certificate from the certificate authority and upload it to .
-
You might see the following error after configuring the external IPAM details:
IPAM external sync failed: NCIP10264: Non Empty DNAC parent pool <CIDR> exists in external ipam.
To correct this, do the following:
-
Log in to the external IPAM server (such as BlueCat).
-
Confirm that the parent pool CIDR exists in the external IPAM server, and remove all the child pools that are configured under that parent pool.
-
Return to the Cisco DNA Center GUI and reconfigure the IPAM server under .
-
You might see the following error while using IP Address Manager to configure an external IPAM:
NCIP10114: I/O error on GET request for "https://<IP>/wapi/v1.2/": Host name '<IP>' does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name '<IP>' does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US)
To correct this, do the following:
-
Log in to the external IPAM server (such as Infoblox).
-
Regenerate your external IPAM certificate with the common name (CN) value as the valid hostname or IP address. In the preceding example, the CN value is www.infoblox.com, which is not the valid hostname or IP address of the external IPAM.
-
After you regenerate the certificate with a valid CN value, go to .
-
Click Import and upload the new certificate (.pem file).
-
Go to and configure the external IPAM server with the server URL as the valid hostname or IP address (as listed as the CN value in the certificate).
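For the NCIP10282 procedure above, the following shell function is an added example, not part of the Cisco documentation. It splits the output of openssl s_client -showcerts into one .pem file per certificate and refuses truncated or malformed blocks, so a cut-off capture is not uploaded. The function names, output file names, and the sample output (with a placeholder body in place of a real certificate) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: split `openssl s_client -showcerts` output into PEM files.
# Typical use (the page's command, with stdin closed so s_client exits):
#   openssl s_client -showcerts -connect Infoblox-FQDN:443 </dev/null \
#       | extract_pem_certs ./ipam-certs

# extract_pem_certs OUTDIR
# Reads s_client output on stdin and writes OUTDIR/cert-0.pem, cert-1.pem, ...
# in the order the server sent them (cert-0 is the server's own certificate).
# Prints the number of certificates. Returns non-zero when no certificate is
# found or a block is truncated, so a cut-off paste is never imported.
extract_pem_certs() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        BEGIN { n = 0; inside = 0; bad = 0 }
        { sub(/\r$/, "") }                      # tolerate CRLF captures
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { bad = 1; exit }       # previous block never ended
            inside = 1
            file = dir "/cert-" n ".pem"
            print > file
            next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside) { bad = 1; exit }      # END without BEGIN
            print > file
            close(file)
            inside = 0
            n++
            next
        }
        inside {
            # Only base64 lines may appear between the markers.
            if ($0 !~ "^[A-Za-z0-9+/=]+$") { bad = 1; exit }
            print > file
        }
        END {
            if (bad || inside || n == 0) exit 1
            print n
        }
    '
}

# Constructed sample of s_client output; the base64 body is a placeholder,
# not a real certificate.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ipam.example.test
   i:CN = ipam.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURTQU1QTEU=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ipam.example.test
EOF
}

demo_dir=$(mktemp -d)
count=$(sample_s_client_output | extract_pem_certs "$demo_dir")
echo "certificates extracted: $count"
rm -rf "$demo_dir"
```

A count of 1 is what a self-signed IPAM certificate produces; a higher count means the server sent a chain, which is the CA-signed case described above.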
Reports Limitations
-
Reports with significant data can sometimes fail to generate in the Cisco DNA Center platform. If this occurs, we recommend that you use filters to reduce the report size to prevent such failures.
-
To generate a Rogue and aWIPS report, you must choose a site hierarchy that contains a maximum of 254 floors. If you choose a site hierarchy that contains 255 floors or more, the Rogue and aWIPS report fails to generate.
Custom Application Limitation
If a custom application is configured as a part of the default bucket, Cisco DNA Center doesn't push the configuration to the managed devices.
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
Related Documentation
We recommend that you read the following documents relating to Cisco DNA Center.
For This Type of Information... | See This Document... |
---|---|
Release information, including new features, limitations, and open and resolved bugs. |
|
Installation and configuration of Cisco DNA Center, including postinstallation tasks. |
|
Upgrade information for your current release of Cisco DNA Center. |
|
Use of the Cisco DNA Center GUI and its applications. |
|
Configuration of user accounts, security certificates, authentication and password policies, and backup and restore. |
|
Security features, hardening, and best practices to ensure a secure deployment. |
|
Supported devices, such as routers, switches, wireless APs, and software releases. |
|
Hardware and software support for Cisco SD-Access. |
|
Technical references and validated solutions. |
|
Use of the Assurance GUI. |
|
Use of the Cisco DNA Center platform GUI and its applications. |
|
Cisco DNA Center ITSM integration and support. |
|
Use of the Cisco Wide Area Bonjour Application GUI. |
|
Use of the Stealthwatch Security Analytics Service on Cisco DNA Center. |
|
Use of Rogue and aWIPS functionality to monitor threats in Cisco DNA Center. |
Cisco DNA Center Rogue Management and aWIPS Application Quick Start Guide |