Cisco Application Policy Infrastructure Controller Release Notes, Release 3.2(10)

Updated: February 28, 2021


Introduction

The Cisco Application Centric Infrastructure (ACI) is an architecture that allows the application to define the networking requirements in a programmatic way. This architecture simplifies, optimizes, and accelerates the entire application deployment lifecycle. Cisco Application Policy Infrastructure Controller (APIC) is the software, or operating system, that acts as the controller.

This document describes the features, issues, and limitations for the Cisco APIC software. For the features, issues, and limitations for the Cisco NX-OS software for the Cisco Nexus 9000 series switches, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10).

For more information about this product, see "Related Content."

Date

Description

May 1, 2024

In the Miscellaneous Compatibility Information section, removed the older CIMC releases to reduce the clutter.

August 1, 2022

In the Miscellaneous Compatibility Information section, added:

  4.2(2a) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)
  4.1(2k) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)

July 8, 2022

Release 3.2(10g) became available; there are no changes to this document for this release. See the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10) for the changes in this release.

April 4, 2022

In the Open Issues section, added bug CSCvy47145.

March 21, 2022

In the Miscellaneous Compatibility Information section, added:

  4.1(3f) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)

February 23, 2022

In the Miscellaneous Compatibility Information section, added:

  4.1(2g) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)

November 2, 2021

In the Miscellaneous Compatibility Information section, added:

  4.1(3d) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)

August 6, 2021

Release 3.2(10f) became available. Added a resolved issue for this release.

August 4, 2021

In the Open Issues section, added bug CSCvy30453.

July 26, 2021

In the Miscellaneous Compatibility Information section, the CIMC 4.1(3c) release is now recommended for UCS C220/C240 M5 (APIC-L3/M3).

March 11, 2021

In the Miscellaneous Compatibility Information section, for CIMC HUU ISO, added:

  4.1(3b) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)

Changed:

  4.1(2b) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2) and M5 (APIC-L3/M3)

To:

  4.1(2b) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)

February 27, 2021

Release 3.2(10e) became available.

New Software Features

Feature

Description

N/A

There are no new features in this release.

New Hardware Features

For the new hardware features, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10).

Changes in Behavior

For the changes in behavior, see the Cisco ACI Releases Changes in Behavior document.

Open Issues

Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 3.2(10) releases in which the bug exists. A bug might also exist in releases other than the 3.2(10) releases.

Bug ID                    

Description

Exists in          

CSCuu17314

CDP is not enabled on the management interfaces for the leaf switches and spine switches.

3.2(10e) and later

CSCvd43548

The stats for a given leaf switch rule cannot be viewed if a rule is double-clicked.

3.2(10e) and later

CSCvd66359

The Port ID LLDP Neighbors panel displays the port ID when the interface does not have a description (for example, Ethernet 1/5). However, if the interface has a description, the Port ID property shows the interface description instead of the port ID.

3.2(10e) and later

CSCve84297

A service cannot be reached by using the APIC out-of-band management that exists within the 172.17.0.0/16 subnet.

3.2(10e) and later

CSCvf70362

This enhancement is to change the name of "Limit IP Learning To Subnet" under the bridge domains to be more self-explanatory.

Original:

    Limit IP Learning To Subnet: [check box]

Suggestion:

    Limit Local IP Learning To BD/EPG Subnet(s): [check box]

3.2(10e) and later

CSCvg00627

A tenant's flows/packets information cannot be exported.

3.2(10e) and later

CSCvg35344

Requesting an enhancement to allow exporting a contract by right-clicking the contract itself and choosing "Export Contract" from the right-click context menu. The current implementation, which requires right-clicking the Contract folder hierarchy to export a contract, is not intuitive.

3.2(10e) and later

CSCvg70246

When configuring an L3Out under a user tenant that is associated with a VRF instance that is under the common tenant, a customized BGP timer policy that is attached to the VRF instance is not applied to the L3Out (BGP peer) in the user tenant.

3.2(10e) and later

CSCvg81020

For strict security requirements, customers require custom certificates that have RSA key lengths of 3072 and 4096.

3.2(10e) and later

CSCvh52046

This is an enhancement to allow for text-based banners for the Cisco APIC GUI login screen.

3.2(10e) and later

CSCvh54578

For a client (browser or ssh client) that is using IPv6, the Cisco APIC aaaSessionLR audit log shows "0.0.0.0" or some bogus value.

3.2(10e) and later

CSCvi20535

When a VRF table is configured to receive leaked external routes from multiple VRF tables, the Shared Route Control scope to specify the external routes to leak will be applied to all VRF tables. This results in an unintended external route leaking. This is an enhancement to ensure the Shared Route Control scope in each VRF table should be used to leak external routes only from the given VRF table.

3.2(10e) and later

CSCvi82903

When authenticating with the Cisco APIC using ISE (TACACS), all logins over 31 characters fail.

3.2(10e) and later

CSCvi95657

On modifying a service parameter, the Cisco APIC sends 2 posts to the backend. The first post deletes all of the folders and parameters. The second post adds all of the remaining modified folders and parameters to the backend. These 2 posts will disrupt the running traffic.

3.2(10e) and later

CSCvj09453

The actrlRule has the wrong destination.

3.2(10e) and later

CSCvj56726

The connectivity filter configuration of an access policy group is deprecated and should be removed from GUI.

3.2(10e) and later

CSCvk04072

There is no record of who acknowledged a fault in the Cisco APIC, nor when the acknowledgement occurred.

3.2(10e) and later

CSCvk18014

The action named 'Launch SSH' is disabled when a user with read-only access logs into the Cisco APIC.

3.2(10e) and later

CSCvm56946

Support for local user (admin) maximum tries and login delay configuration.

3.2(10e) and later

CSCvm83669

There is a VLAN overlapping scenario. After configuring new static ports and a physical domain under an existing EPG, there is a Layer 2 loop. This issue is due to an FD VLAN encapsulation mismatch on two leaf switches.

3.2(10e) and later

CSCvn07827

Permanent License Reservation (PLR) fails after upgrading to a Cisco APIC 4.0 release.

3.2(10e) and later

CSCvo24284

Fault delegates are raised on the Cisco APIC, but the original fault instance is already gone because the affected node has been removed from the fabric.

3.2(10e) and later

CSCvp01778

Access policy resolutions reveal unexpected results due to the existence of connectivity filters that are hidden from the UI. Depending on the VLANs tied to the AEPs/domains, this can result in unexpected outages as VLANs are pulled and 'invalid path' faults are flagged.

3.2(10e) and later

CSCvp24142

The Nginx process generates cores on the switches and the process will restart automatically. The core file from the switches gets collected and moved to the APIC, which drains the memory. You might need to remove the collected core files manually from the APIC to free up space.

3.2(10e) and later

CSCvp26694

A leaf switch gets upgraded when a previously-configured maintenance policy is triggered.

3.2(10e) and later

CSCvp62048

New port groups in VMware vCenter may be delayed when pushed from the Cisco APIC.

3.2(10e) and later

CSCvq39922

Specific operating system and browser version combinations cannot be used to log in to the APIC GUI.

Some browsers that are known to have this issue include (but might not be limited to) Google Chrome version 75.0.3770.90 and Apple Safari version 12.0.3 (13606.4.5.3.1).

3.2(10e) and later

CSCvq57942

In a Red Hat OpenStack platform deployment running the Cisco ACI Unified Neutron ML2 Plugin and with the CompHosts running OVS in VLAN mode, when toggling the resolution immediacy on the EPG<->VMM domain association (fvRsDomAtt.resImedcy) from Pre-Provision to On-Demand, the encap VLANs (vlanCktEp MOs) are not programmed on the leaf switches.

This problem surfaces sporadically, meaning that it might take several resImedcy toggles between PreProv and OnDemand to reproduce the issue.

3.2(10e) and later

CSCvq63415

Disabling dataplane learning is only required to support a policy-based redirect (PBR) use case on pre-"EX" leaf switches. There are few other reasons why dataplane learning should be disabled. There currently is no confirmation or warning of the potential impact that can be caused by disabling dataplane learning.

3.2(10e) and later

CSCvq74727

When making a configuration change to an L3Out (such as contract removal or addition), the BGP peer flaps or the bgpPeerP object is deleted from the leaf switch.  In the leaf switch policy-element traces, 'isClassic = 0, wasClassic =1' is set post-update from the Cisco APIC.

3.2(10e) and later

CSCvq80820

Previously working traffic is policy dropped after the subject is modified to have the "no stats" directive.

3.2(10e) and later

CSCvq88632

This is an enhancement request for allowing DVS MTU to be configured from a VMM domain policy and be independent of fabricMTU.

3.2(10e) and later

CSCvr19693

When configuring local SPAN in access mode using the GUI or CLI and then running the "show running-config monitor access session<session>" command, the output does not include all source span interfaces.

3.2(10e) and later

CSCvr30815

vmmPLInf objects are created with epgKeys and DNs that have truncated EPG names (truncated at ".").

3.2(10e) and later

CSCvr36851

The Descending option does not work for the Static Ports table. Even when the user clicks descending, the sort defaults to ascending.

3.2(10e) and later

CSCvr38278

When using AVE with Cisco APIC, fault F0214 gets raised, but there is no noticeable impact on AVE operation:

descr: Fault delegate: Operational issues detected for OpFlex device: ..., error: [Inventory not available on the node at this time]

3.2(10e) and later

CSCvr85515

When trying to track an AVE endpoint IP address, running the "show endpoint ip x.x.x.x" command in the Cisco APIC CLI to see the IP address and checking the IP address on the EP endpoint in the GUI shows incorrect or multiple VPC names.

3.2(10e) and later

CSCvr94614

There is a minor memory leak in svc_ifc_policydist when performing various tenant configuration removals and additions.

3.2(10e) and later

CSCvr96785

Configuring a static endpoint through the Cisco APIC CLI fails with the following error:

Error: Unable to process the query, result dataset is too big

Command execution failed.

3.2(10e) and later

CSCvr98638

When migrating an AVS VMM domain to Cisco ACI Virtual Edge, the Cisco ACI Virtual Edge that gets deployed is configured in VLAN mode rather than VXLAN mode. Because of this, you will see faults for the EPGs with the following error message:

"No valid encapsulation identifier allocated for the epg"

3.2(10e) and later

CSCvs03055

While configuring a logical node profile in any L3Out, the static routes do not have a description.

3.2(10e) and later

CSCvs10076

An error is raised while building an ACI container image because of a conflict with the /opt/ciscoaci-tripleo-heat-templates/tools/build_openstack_aci_containers.py package.

3.2(10e) and later

CSCvs16565

An endpoint is unreachable from the leaf node because the static pervasive route (toward the remote bridge domain subnet) is missing.

3.2(10e) and later

CSCvs21834

Randomly, the Cisco APIC GUI alert list shows an incorrect license expiry time. Sometimes it is correct, while at other times it is incorrect.

3.2(10e) and later

CSCvs29366

For a DVS with a controller, if another controller is created in that DVS using the same host name, the following fault gets generated: "hostname or IP address conflicts same controller creating controller with same name DVS".

3.2(10e) and later

CSCvs29556

When logging into the Cisco APIC using "apic#fallback\\user", the "Error: list index out of range" log message displays and the lastlogin command fails. There is no operational impact.

3.2(10e) and later

CSCvs32589

In Cisco ACI Virtual Edge, there are faults related to VMNICs. On the Cisco ACI Virtual Edge domain, there are faults related to the HpNic, such as "Fault F2843 reported for AVE | Uplink portgroup marked as invalid".

3.2(10e) and later

CSCvs47757

The plgnhandler process crashes on the Cisco APIC, which causes the cluster to enter a data layer partially diverged state.

3.2(10e) and later

CSCvs48552

When physical domains and external routed domains are attached to a security domain, these domains are mapped as associated tenants instead of associated objects under Admin > AAA > security management > Security domains.

3.2(10e) and later

CSCvs55753

A Cisco ACI leaf switch does not have MP-BGP route reflector peers in the output of "show bgp session vrf overlay-1". As a result, the switch is not able to install dynamic routes that are normally advertised by MP-BGP route reflectors. However, the spine switch route reflectors are configured in the affected leaf switch's pod, and pod policies have been correctly defined to deploy the route reflectors to the leaf switch. Additionally, the bgpPeer managed objects are missing from the leaf switch's local MIT.

3.2(10e) and later

CSCvs57061

In a GOLF configuration, when an L3Out is deleted, the bridge domains stop getting advertised to the GOLF router even though another L3Out is still active.

3.2(10e) and later

CSCvs66244

The CLI command "show interface x/x switchport" shows VLANs configured and allowed through a port. However, when going to the GUI under Fabric > Inventory > node_name > Interfaces > Physical Interfaces > Interface x/x > VLANs, the VLANs do not show.

3.2(10e) and later

CSCvs76244

The tmpfs file system that is mounted on /data/log becomes 100% utilized.

3.2(10e) and later

CSCvs78996

The policy manager (PM) may crash when testapi is used to delete an MO from the policymgr database.

3.2(10e) and later

CSCvs81881

The Cisco APIC PSU voltage and amperage values are zero.

3.2(10e) and later

CSCvs81907

SNMP does not respond to GETs or send traps on one or more Cisco APICs despite previously working properly.

3.2(10e) and later

CSCvt00796

The policymgr DME process can crash because of an OOM issue, and there are many pcons.DelRef managed objects in the DB.

3.2(10e) and later

CSCvt07565

The eventmgr database size may grow to be very large (up to 7GB). With that size, the Cisco APIC upgrade will take 1 hour for the Cisco APIC node that contains the eventmgr database.

In rare cases, this could lead to a failed upgrade process, as it times out while working on the large database file of the specified controller.

3.2(10e) and later

CSCvt13978

vPC protection created prior to the 2.2(2e) release may not recover the original virtual IP address after fabric ID recovery. Instead, some of the vPC groups get a new vIP allocated, which does not get pushed to the leaf switch. The impact to the dataplane does not occur until the leaf switch has a clean reboot/upgrade, because the rebooted leaf switch gets a new virtual IP that is not matched with a vPC peer. As a result, both sides bring down the virtual port channels, and the hosts behind the vPC become unreachable.

3.2(10e) and later

CSCvt19061

Updating the interface policy group breaks LACP if eLACP is enabled on a VMM domain. If eLACP was enabled on the domain, creating, updating, or removing an interface policy group with the VMM AEP deletes the basic LACP that is used by the domain.

3.2(10e) and later

CSCvt37066

When an EPG is migrated from one VRF table to a new VRF table and the EPG keeps the contract relation with other EPGs in the original VRF table, some bridge domain subnets in the original VRF table get leaked to the new VRF table due to the contract relation, even though the contract does not have the global scope and the bridge domain subnet is not configured as shared between VRF tables. The leaked static route is not deleted even if the contract relation is removed.

3.2(10e) and later

CSCvt40736

The login history of local users is not updated in Admin > AAA > Users > (double click on local user) Operational > Session.

3.2(10e) and later

CSCvt55566

In the Cisco APIC GUI, after removing the Fabric Policy Group from "System > Controllers > Controller Policies > show usage", the option to select the policy disappears, and there is no way in the GUI to re-add the policy.

3.2(10e) and later

CSCvt87506

The SSD lifetime can be exhausted prematurely if an unused Standby slot exists.

3.2(10e) and later

CSCvt93482

The per-feature container for techsupport "objectstore_debug_info" fails to collect on spine switches due to an invalid filepath.

Given filepath: more /debug/leaf/nginx/objstore*/mo | cat

Correct filepath: more /debug/spine/nginx/objstore*/mo | cat

TAC uses this file/data to collect information about excessive DME writes.

3.2(10e) and later

CSCvu01452

The MD5 checksum for the downloaded Cisco APIC images is not verified before adding it to the image repository.

3.2(10e) and later

CSCvu12092

AVE is not getting the VTEP IP address from the Cisco APIC. The logs show a "pending pool" and "no free leases".

3.2(10e) and later

CSCvu21530

Protocol information is not shown in the GUI when a VRF table from the common tenant is being used in any user tenant.

3.2(10e) and later

CSCvu39569

The following error is encountered when accessing the Infrastructure page in the ACI vCenter plugin after inputting vCenter credentials:

"The Automation SDK is not authenticated"

The VMware vCenter plug-in is installed using PowerCLI. The following log entry is also seen in vsphere_client_virgo.log on the VMware vCenter:

/var/log/vmware/vsphere-client/log/vsphere_client_virgo.log

 [ERROR] http-bio-9090-exec-3314       com.cisco.aciPluginServices.core.Operation                        

sun.security.validator.ValidatorException: PKIX path validation failed:

java.security.cert.CertPathValidatorException: signature check failed

3.2(10e) and later

CSCvu49644

A tunnel endpoint doesn't receive a DHCP lease. This occurs with a newly deployed or upgraded Cisco ACI Virtual Edge.

3.2(10e) and later

CSCvu50088

When trying to assign a description to a FEX downlink/host port using the Config tab in the Cisco APIC GUI, the description will get applied to the GUI, but it will not propagate to the actual interface when queried using the CLI or GUI.

3.2(10e) and later

CSCvu62465

For an EPG containing a static leaf node configuration, the Cisco APIC GUI returns the following error when clicking the health of Fabric Location:

Invalid DN topology/pod-X/node-Y/local/svc-policyelem-id-0/ObservedEthIf, wrong rn prefix ObservedEthIf at position 63

3.2(10e) and later

CSCvu74566

There is a BootMgr memory leak on a standby Cisco APIC. If the BootMgr process crashes due to being out of memory, it continues to crash, but the system will not be rebooted. After the standby Cisco APIC is rebooted by hand, such as by power cycling the host using CIMC, the login prompt of the Cisco APIC will be changed to localhost and you will not be able to log into the standby Cisco APIC.

3.2(10e) and later

CSCvv25475

After a delete/add of a Cisco ACI-managed DVS, dynamic paths are not programmed on the leaf switch and the compRsDlPol managed object has a missing target. The tDn property references the old DVS OID instead of the latest value.

# moquery -c compRsDlPol

3.2(10e) and later

CSCvv62861

A leaf switch reloads due to an out-of-memory condition after changing the contract scope to global.

3.2(10e) and later

CSCvy30453

For a Cisco ACI fabric that is configured with fabricId=1, if APIC3 is replaced from scratch with an incorrect fabricId of "2," APIC3's DHCPd will set the nodeRole property to "0" (unsupported) for all dhcpClient managed objects. This will be propagated to the appliance director process for all of the Cisco APICs. The process then stops sending the AV/FNV update for any unknown switch types (switches that are neither spine nor leaf switches). In this scenario, commissioning/decommissioning of the Cisco APICs will not be propagated to the switches, which causes new Cisco APICs to be blocked out of the fabric.
Another symptom is that the "acidag fnvread" command's output has a value of "unknown" in the role column.

3.2(10e) and later

CSCvy47145

A leaf switch experiences an SDKHAL crash when a summary route is added that is a host IP address in the subnet instead of the actual subnet boundary. Example: 10.10.10.1/24 summary address is entered instead of 10.10.10.0/24.

This summary route is added after a policy prefix for the actual subnet (10.10.10.0/24) is created.

The SDKHAL crash will also result in other DME/process crashes for ipfib, epmc, aclqos, and eltmc.

A Cisco ACI leaf switch will install the subnet IP address as shown below, but it will not advertise this to the peer. A proper subnet is advertised to the peer router.

10.10.10.1/24, ubest/mbest: 1/0

    *via , null0, [220/0], 00:02:38, ospf-default, discard, tag 4294967295

3.2(10e) and later

CSCvy68494

Installation fails with releases earlier than 3.2(10) if the SSD is larger than 490G.

3.2(10e) and later

Resolved Issues

Bug ID                    

Description

Fixed in          

CSCvy68494

Installation fails with releases earlier than 3.2(10) if the SSD is larger than 490G.

3.2(10f)

CSCvf65506

Deleting a vPC does not clean up the allocated IP address from DHCPD DME.

3.2(10e)

CSCvp26599

When the VTEP IP address is changed on Cisco ACI Virtual Edge, a new ODev object gets created, but the old ODev is not deleted and the old ODev becomes stale. Due to this, the endpoints are still shown under the stale ODev. As a result, the traffic is impacted for those endpoints that are under the stale ODev.

Also, if a new Cisco ACI Virtual Edge comes up and happens to have the same VTEP IP address as the old ODev, the traffic will also be impacted behind the new Cisco ACI Virtual Edge. This is because the stale VTEP entry still exists on the leaf switch, and the leaf switch will reject the traffic saying "tunnel IP already exists" (bounce entry).

3.2(10e)

CSCvr96785

Configuring a static endpoint through the Cisco APIC CLI fails with the following error:

Error: Unable to process the query, result dataset is too big

Command execution failed.

3.2(10e)

CSCvr98399

The Cisco APIC cluster gets diverged.

3.2(10e)

CSCvs47757

The plgnhandler process crashes on the Cisco APIC, which causes the cluster to enter a data layer partially diverged state.

3.2(10e)

CSCvt15235

When the SSD file system (used by the Cisco APIC database) becomes read-only, the upgrade utility should catch such issues and abort the upgrade. This would allow the user to see the upgrade failure and triage the issue. Currently, the upgrade utility continues the data conversion and eventually reboots, which causes all configurations to be lost.

3.2(10e)

CSCvt31814

The VMM endpoint data plane verification function does not work well when a blade switch is in the middle. This might cause an unexpected DVS detach, or the VMM EPG VLAN might be removed on the leaf switch interface.

3.2(10e)

CSCvv08969

After a Cisco APIC upgrade from a pre-4.0 release to a post-4.0 release, connectivity issues occur for devices behind Cisco Application Virtual Edge Switches running on VMware.

3.2(10e)

CSCvv21218

There is a potential traffic loss for a virtual machine that is migrated using the Encrypted vMotion functionality.

3.2(10e)

Known Issues

Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 3.2(10) releases in which the bug exists. A bug might also exist in releases other than the 3.2(10) releases.

Bug ID                    

Description

Exists in          

CSCuo52668

The Cisco APIC does not validate duplicate IP addresses that are assigned to two device clusters. The communication to devices or the configuration of service devices might be affected.

3.2(10e) and later

CSCuo79243

In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30.

3.2(10e) and later

CSCuo79250

The node ID policy can be replicated from an old appliance that is decommissioned when it joins a cluster.

3.2(10e) and later

CSCup47703

The DSCP value specified on an external endpoint group does not take effect on the filter rules on the leaf switch.

3.2(10e) and later

CSCup79002

The hostname resolution of the syslog server fails on leaf and spine switches over in-band connectivity.

3.2(10e) and later

CSCuq21360

Following a FEX or switch reload, configured interface tags are no longer configured correctly.

3.2(10e) and later

CSCur39124

Switches can be downgraded to a 1.0(1) version if the imported configuration consists of a firmware policy with a desired version set to 1.0(1).

3.2(10e) and later

CSCur71082

If the Cisco APIC is rebooted using the CIMC power reboot, the system enters into fsck due to a corrupted disk.

3.2(10e) and later

CSCus15627

The Cisco APIC Service (ApicVMMService) shows as stopped in the Microsoft Service Manager (services.msc in control panel > admin tools > services). This happens when a domain account does not have the correct privilege in the domain to restart the service automatically.

3.2(10e) and later

CSCut51929

The traffic destined to a shared service provider endpoint group picks an incorrect class ID (PcTag) and gets dropped.

3.2(10e) and later

CSCuu09236

Traffic from an external Layer 3 network is allowed when configured as part of a vzAny (a collection of endpoint groups within a context) consumer.

3.2(10e) and later

CSCuu61998

Newly added microsegment EPG configurations must be removed before downgrading to a software release that does not support it.

3.2(10e) and later

CSCuu64219

Downgrading the fabric starting with the leaf switch will cause faults such as policy-deployment-failed with fault code F1371.

3.2(10e) and later

CSCva32534

Creating or deleting a fabricSetupP policy results in an inconsistent state.

3.2(10e) and later

CSCva60439

After a pod is created and nodes are added in the pod, deleting the pod results in stale entries from the pod that are active in the fabric. This occurs because the Cisco APIC uses open source DHCP, which creates some resources that the Cisco APIC cannot delete when a pod is deleted.

3.2(10e) and later

CSCva86794

When a Cisco APIC cluster is upgrading, the Cisco APIC cluster might enter the minority status if there are any connectivity issues. In this case, user logins can fail until the majority of the Cisco APICs finish the upgrade and the cluster comes out of minority.

3.2(10e) and later

CSCva97082

When downgrading to a 2.0(1) release, the spine switches and their interfaces must be moved from infra L3out2 to infra L3out1. After infra L3out1 comes up, delete L3out2 and its related configuration, and then downgrade to a 2.0(1) release.

3.2(10e) and later

CSCvb39702

No fault gets raised upon using the same encapsulation VLAN in a copy device in tenant common, even though a fault should get raised.

3.2(10e) and later

CSCvg41711

In the leaf mode, the command "template route group <group-name> tenant <tenant-name>" fails, declaring that the tenant passed is invalid.

3.2(10e) and later

CSCvg79127

When First hop security is enabled on a bridge domain, traffic is disrupted.

3.2(10e) and later

CSCvg81856

Cisco ACI Multi-Site Orchestrator BGP peers are down and a fault is raised for a conflicting rtrId on the fvRtdEpP managed object during L3extOut configuration.

3.2(10e) and later

CSCvh76076

The PSU SPROM details might not be shown in the CLI upon removal and insertion from the switch.

3.2(10e) and later

CSCvh93612

If two intra-EPG deny rules are programmed—one with the class-eq-deny priority and one with the class-eq-filter priority—changing the action of the second rule to "deny" causes the second rule to be redundant and have no effect. The traffic still gets denied, as expected.

3.2(10e) and later

CSCvj90385

With a uniform distribution of EPs and traffic flows, a fabric module in slot 25 sometimes reports far less than 50% of the traffic compared to the traffic on fabric modules in non-FM25 slots.

3.2(10e) and later

CSCvq39764

When you click Restart for the Microsoft System Center Virtual Machine Manager (SCVMM) agent on a scaled-out setup, the service may stop. You can restart the agent by clicking Start.

3.2(10e) and later

CSCvr57103

The CiscoAVS_4.10-5.2.1.SV3.4.10-pkg package has signature issues during installation.

3.2(10e) and later

N/A

In a multipod configuration, before you make any changes to a spine switch, ensure that there is at least one operationally "up" external link that is participating in the multipod topology. Failure to do so could bring down the multipod connectivity. For more information about multipod, see the Cisco Application Centric Infrastructure Fundamentals document and the Cisco APIC Getting Started Guide.

3.2(10e) and later

N/A

With a non-English SCVMM 2012 R2 or SCVMM 2016 setup where the virtual machine names are specified in non-English characters, if the host is removed and re-added to the host group, the GUID for all the virtual machines under that host changes. Therefore, if a user has created a microsegmentation endpoint group using the "VM name" attribute specifying the GUID of the respective virtual machine, that microsegmentation endpoint group will not work if the host (hosting the virtual machines) is removed and re-added to the host group, because the GUID for all the virtual machines will have changed. This does not happen if the virtual machine name is specified in all English characters.

3.2(10e) and later

N/A

A query of a configurable policy that does not have a subscription goes to the policy distributor. However, a query of a configurable policy that has a subscription goes to the policy manager. As a result, if the policy propagation from the policy distributor to the policy manager takes a prolonged amount of time, the query with the subscription might not return the policy because it has not yet reached the policy manager.

3.2(10e) and later

N/A

Cisco ACI vCenter Plug-in: Uninstall is not working; remains present in the GUI. After you uninstall the Cisco ACI vCenter Plug-in, it remains visible in the VMware vCenter UI. Restart the VMware vCenter Server to update the UI.

3.2(10e) and later

N/A

When there are silent hosts across sites, ARP glean messages might not be forwarded to remote sites if a 1st generation ToR switch (switch models without -EX or -FX in the name) happens to be in the transit path and the VRF is deployed on that ToR switch. In that case, the switch does not forward the ARP glean packet back into the fabric to reach the remote site. This issue is specific to 1st generation transit ToR switches and does not affect 2nd generation ToR switches (switch models with -EX or -FX in the name). This issue breaks the capability of discovering silent hosts.

3.2(10e) and later

Virtualization Compatibility Information

This section lists virtualization compatibility information for the Cisco APIC software.

·         For a table that shows the supported virtualization products, see the ACI Virtualization Compatibility Matrix.

·         For information about Cisco APIC compatibility with Cisco UCS Director, see the appropriate Cisco UCS Director Compatibility Matrix document.

·         If you use Microsoft vSwitch and want to downgrade to Cisco APIC Release 2.3(1) from a later release, you first must delete any microsegment EPGs configured with the Match All filter.

·         This release supports the following additional virtualization products:

| Product | Supported Release | Information Location |
|---|---|---|
| Microsoft Hyper-V | 2016 Update Rollup 1, 2, 2.1, and 3 | N/A |
| VMM Integration and VMware Distributed Virtual Switch (DVS) | 6.5 and 6.7 | Cisco ACI Virtualization Guide, Release 3.2(x) |

Hardware Compatibility Information

This release supports the following Cisco APIC servers:

| Product ID | Description |
|---|---|
| APIC-L1 | Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-L2 | Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-L3 | Cisco APIC with large CPU, hard drive, and memory configurations (more than 1200 edge ports) |
| APIC-M1 | Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
| APIC-M2 | Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
| APIC-M3 | Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1200 edge ports) |

 

The following list includes general hardware compatibility information:

·         For the supported hardware, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10).

·         Contracts using matchDscp filters are only supported on switches with "EX" on the end of the switch name. For example, N9K-93108TC-EX.

·         When the fabric node switch (spine or leaf) is out-of-fabric, the environmental sensor values, such as Current Temperature, Power Draw, and Power Consumption, might be reported as "N/A." A status might be reported as "Normal" even when the Current Temperature is "N/A."

·         Switches without -EX or a later designation in the product ID do not support Contract filters with match type "IPv4" or "IPv6." Only match type "IP" is supported. Because of this, a contract will match both IPv4 and IPv6 traffic when the match type of "IP" is used.

The following table provides compatibility information for specific hardware:

Product ID

Description

N2348UPQ

To connect the N2348UPQ to Cisco ACI leaf switches, the following options are available:

·         Directly connect the 40G FEX ports on the N2348UPQ to the 40G switch ports on the Cisco ACI leaf switches

·         Break out the 40G FEX ports on the N2348UPQ to 4x10G ports and connect to the 10G ports on all other Cisco ACI leaf switches.

Note: A fabric uplink port cannot be used as a FEX fabric port.

N9K-C9348GC-FXP

This switch does not read SPROM information if the PSU is in a shut state. You might see an empty string in the Cisco APIC output.

N9K-C9364C-FX

Ports 49-64 do not support 1G SFPs with QSA.

N9K-C9508-FM-E

The Cisco N9K-C9508-FM-E2 and N9K-C9508-FM-E fabric modules in the mixed mode configuration are not supported on the same spine switch.

N9K-C9508-FM-E2

The Cisco N9K-C9508-FM-E2 and N9K-C9508-FM-E fabric modules in the mixed mode configuration are not supported on the same spine switch.

The locator LED enable/disable feature is supported in the GUI and not supported in the Cisco ACI NX-OS switch CLI.

N9K-C9508-FM-E2

This fabric module must be physically removed before downgrading to releases earlier than Cisco APIC 3.0(1).

N9K-X9736C-FX

The locator LED enable/disable feature is supported in the GUI and not supported in the Cisco ACI NX-OS Switch CLI.

N9K-X9736C-FX

Ports 29 to 36 do not support 1G SFPs with QSA.

Adaptive Security Appliance (ASA) Compatibility Information

This section lists ASA compatibility information for the Cisco APIC software.

·         This release supports Adaptive Security Appliance (ASA) device package version 1.2.5.5 or later.

·         If you are running a Cisco Adaptive Security Virtual Appliance (ASA) version that is prior to version 9.3(2), you must configure SSL encryption as follows:

(config)# ssl encryption aes128-sha1

Miscellaneous Compatibility Information

This release supports the following products:

Product

Supported Release

Cisco NX-OS

13.2(10)

Cisco AVS

5.2(1)SV3(3.31)

For more information about the supported AVS releases, see the AVS software compatibility information in the Cisco Application Virtual Switch Release Notes, Release 5.2(1)SV3(3.31).

Cisco UCS Manager

2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter.

CIMC HUU ISO

  4.2(3e) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)
  4.2(3b) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
  4.2(2a) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
  4.1(3m) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
  4.1(3f) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
  4.1(3d) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
  4.1(3c) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
  4.1(2m) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)
  4.1(2k) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
  4.1(2g) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
  4.1(2b) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
  4.1(1g) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2) and M5 (APIC-L3/M3)
  4.1(1f) CIMC HUU ISO for UCS C220 M4 (APIC-L2/M2) (deferred release)
  4.1(1d) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
  4.1(1c) CIMC HUU ISO for UCS C220 M4 (APIC-L2/M2)
  4.0(4e) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
  4.0(2g) CIMC HUU ISO for UCS C220/C240 M4 and M5 (APIC-L2/M2 and APIC-L3/M3)
  4.0(1a) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
  3.0(4d) CIMC HUU ISO for UCS C220/C240 M3 and M4 (APIC-L2/M2)
  3.0(3f) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
  2.0(13i) CIMC HUU ISO
  2.0(9c) CIMC HUU ISO
  2.0(3i) CIMC HUU ISO

Network Insights Base, Network Insights Advisor, and Network Insights for Resources

For the release information, documentation, and download links, see the Cisco Network Insights for Data Center page.

For the supported releases, see the Cisco Data Center Networking Applications Compatibility Matrix.

 

·         This release supports the partner packages specified in the L4-L7 Compatibility List Solution Overview document.

·         A known issue exists with the Safari browser and unsigned certificates, which applies when connecting to the Cisco APIC GUI. For more information, see the Cisco APIC Getting Started Guide, Release 3.x.

·         For compatibility with Day-2 Operations apps, see the Cisco Data Center Networking Applications Compatibility Matrix.

Related Content

See the Cisco Application Policy Infrastructure Controller (APIC) page for the documentation.

The documentation includes installation, upgrade, configuration, programming, and troubleshooting guides, technical references, release notes, and knowledge base (KB) articles, as well as other documentation. KB articles provide information about a specific use case or a specific topic.

By using the "Choose a topic" and "Choose a document type" fields of the APIC documentation website, you can narrow down the displayed documentation list to make it easier to find the desired document.

You can watch videos that demonstrate how to perform specific tasks in the Cisco APIC on the Cisco Data Center Networking YouTube channel.

Temporary licenses with an expiry date are available for evaluation and lab use purposes. They are strictly not allowed to be used in production. Use a permanent or subscription license that has been purchased through Cisco for production purposes. For more information, go to Cisco Data Center Networking Software Subscriptions.

The following table provides links to the release notes, verified scalability documentation, and new documentation:

Document

Description

Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10)

The release notes for Cisco NX-OS for Cisco Nexus 9000 Series ACI-Mode Switches.

Verified Scalability Guide for Cisco APIC, Release 3.2(9), Multi-Site, Release 1.2(5), and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.2(9)

This guide contains the maximum verified scalability limits for Cisco Application Centric Infrastructure (ACI) parameters for Cisco APIC, Cisco ACI Multi-Site, and Cisco Nexus 9000 Series ACI-Mode Switches.

Documentation Feedback

To provide technical feedback on this document, or to report an error or omission, send your comments to apic-docfeedback@cisco.com. We appreciate your feedback.

Legal Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2021-2024 Cisco Systems, Inc. All rights reserved.
