Cisco Application Policy Infrastructure Controller Release Notes, Release 6.0(4)
Available Languages
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- US/Canada 800-553-2447
- Worldwide Support Phone Numbers
- All Tools
Feedback
Feedback
Introduction
The Cisco Application Centric Infrastructure (ACI) is an architecture that allows the application to define the networking requirements in a programmatic way. This architecture simplifies, optimizes, and accelerates the entire application deployment lifecycle. Cisco Application Policy Infrastructure Controller (APIC) is the software, or operating system, that acts as the controller.
This document describes the features, issues, and limitations for the Cisco APIC software. For the features, issues, and limitations for the Cisco NX-OS software for the Cisco Nexus 9000 series switches, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 16.0(4).
For more information about this product, see "Related Content."
| Date |
Description |
| September 30, 2024 |
In the Virtualization Compatibility Information section, added:
● support for VMware vSphere 8.0.
|
| May 1, 2024 |
In the Miscellaneous Compatibility Information section, added:
● 4.3.2.240009 CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3) and UCS C225 M6 (APIC-L4/M4)
|
| April 8, 2024 |
In the Miscellaneous Compatibility Information section, added:
● If you are using Cisco Nexus 9500 switches in the ACI-mode with the N9K-SUP-A or N9K-SUP-A+ supervisor, because of increased memory usage associated with scalability enhancements in the Cisco ACI 6.0(4c) release, do not install Cisco ACI 6.0(4c) in your Cisco ACI fabrics. We are working on an optimization in a near-future Cisco ACI 6.0 maintenance release that will allow the N9K-SUP-A and N9K-SUP-A+ supervisors to operate in a normal memory condition. Contact your Cisco account team for additional information.
|
| January 10, 2024 |
Release 6.0(4c) became available. |
| Product Impact |
Feature |
Description |
| Base functionality |
Support for associating a static VLAN pool to a VMM domain |
You can now associate a static or dynamic VLAN pool to a VMM domain. In earlier releases, only a dynamic VLAN pool was supported. For more information, see the "Cisco ACI Virtual Machine Networking" chapter of the Cisco ACI Virtualization Guide, Release 6.0(x). |
| Support for control plane MTU policy values smaller than 1,500 bytes |
You can now configure the control plane MTU policy to set the fabric and in-band management MTU of the APIC to the control plane MTU when the control plane MTU is configured for less than 1,500 bytes. For more information, see the "Basic Operations" chapter of the Cisco APIC System Management Configuration Guide, Release 6.0(x). |
|
| Cisco ACI Multi-Site support for vzAny PBR and L3Out-to-L3Out PBR use cases |
This release allows you to enable the following new use cases for policy-based redirect (PBR) Multi-Site:
● One-arm firewall insertion
● One-arm load balancer insertion
For more information, see the
Cisco Nexus Dashboard Orchestrator Configuration Guide for ACI Fabrics, Release 4.2(x).
|
|
| Supported for stretching a non-vPC L3Out SVI across remote leaf switches |
You can now stretch a non-vPC L3Out SVI across remote leaf switches. For more information, see the "Tenant Routed Multicast" chapter of the Cisco APIC Layer 3 Networking Configuration Guide, Release 6.0(x). |
|
| Ease of Use |
Streamlined navigation and editing of the stat collection threshold from a TCA fault |
When the Cisco APIC generates a threshold crossing alert (TCA) fault, the GUI now enables you easily to go to the screen for editing the stat collection threshold. |
| Security |
RSA key 307 and 4096 support on X.509 certificates |
Cisco APIC now supports RSA key 307 and 4096 on X.509 certificates. |
For the new hardware features, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 16.0(4).
Changes in Behavior
For the changes in behavior, see the Cisco ACI Releases Changes in Behavior document.
Feature Deprecation and End of Support Notice
The following features will no longer be supported starting with the Cisco ACI 6.0(6) release:
● CloudSec encryption
● Cisco ACI vRealize 8 plug-in
Open Issues
Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 6.0(4) releases in which the bug exists. A bug might also exist in releases other than the 6.0(4) releases.
| Bug ID |
Description |
Exists in |
| A SPAN session with the source type set to "Routed-Outside" goes down. The SPAN configuration is pushed to the anchor or non-anchor nodes, but the interfaces are not pushed due to the following fault: "Failed to configure SPAN with source SpanFL3out due to Source fvIfConn not available". |
6.0(4c) and later |
|
| Traffic from an endpoint under a remote leaf switch to an external node and its attached external networks is dropped. This occurs if the external node is attached to an L3Out with a vPC and there is a redistribution configuration on the L3Out to advertise the reachability of the external nodes as direct-attached hosts. |
6.0(4c) and later |
|
| - Traffic gets disrupted across a vPC pair on a given encapsulation. OR - EPG flood in encapsulation gets blackholed on a given encapsulation. OR - STP packets received on an encapsulation on a given port are not forwarded on all the leaf switches where the same EPG/same encapsulation is deployed. |
6.0(4c) and later |
|
| This is added functionality for upgrade show command. 1. acidiag show postupgrade -service <dme> -> This gives details for dmes and which shard still have pending postUpgradeCb. 2.acidiag show postupgrade -service <dme> -shard <shard_id> -> This gives the details of log path for the dmes and shard for which postUpgradeCb has been completed. |
6.0(4c) and later |
|
| There is general slowness when an application contacts the Cisco APIC cluster through the REST API. The same slowness is experienced when accessing using the Cisco APIC GUI. |
6.0(4c) and later |
|
| When using two different host profiles (for example UCS C-Series and UCS B-Series) to deploy NSX, the uplink policy will be different for the host profiles. In this case, using one uplink profile with two policies might cause traffic disruption for a non-default teaming policy. |
6.0(4c) and later |
|
| 1. Go to Tenant > Application Profile > Topology. 2. Drag and drop a contract. Problem 1: No pop up displays. Drag and drop an EPG icon, then cancel the create view. Problem 2: The pop up remains open. |
6.0(4c) and later |
|
| A GOLF spine switch advertises the bridge domain prefixes to a GOLF peer in multiple VRF instances. |
6.0(4c) and later |
|
| During upgrade "deserialization error" is seen on APIC 1 PD. |
6.0(4c) and later |
|
| Deleting and re-adding RedirectDest with a different IP address, but the same MAC address, generates the following error: "Same virtual MAC is provided for different RedirectDest". |
6.0(4c) and later |
|
| Enhancement - show apic upgrade complete only after postUpgradeCb is done |
6.0(4c) and later |
|
| When viewing a Post Update Delta Analysis, one of the outputs is a searchable Audit Log. Normally this log should be populated with any user driven adds, changes or delete actions in the time between pre and post analysis. The audit log is rendered but only shows entries that are used by whatever credentials NDI uses to access a given APIC cluster (i.e those credentials used when you first add a site to NDI and need to authenticate to that site's APIC for the very first time). |
6.0(4c) and later |
|
| Audit logs under System > History > Audit Logs are limited to the current logged in user. Only the user with the username admin can see the audit logs from all users, but other users despite having admin privileges cannot see the audit logs from other users. The audit logs under Tenants are visible to every user. |
6.0(4c) and later |
|
| After rebooting all Cisco APICs at the same time, none of the apps are running and fault F3254 displays in the system. Nomad status output shows "no servers". |
6.0(4c) and later |
|
| When using the OpenStack integration, the Cisco APIC VMM Manager process may consume more memory than is available and then end. |
6.0(4c) and later |
|
| Cisco APIC apps container processes gets restarted on a vAPIC platform due to OOM during some triggers on a scale setup. Note: This does not affect DMEs or any core APIC functionality. |
6.0(4c) and later |
|
| APIC apps container processes get restarted on a vAPIC platform due to OOM during some triggers on a scale setup. This does not affect DMEs or any core APIC functionality. |
6.0(4c) and later |
|
| Starting from a Cisco ACI fabric running release 4.2(7w) or earlier with UCSM integration configured and functional, upgrading to a release after 5.2 and re-enabling the UCSM integration application triggers the inventory sync and the VLANs that were programmed are removed. |
6.0(4c) and later |
|
| Additional entries of svcredirRsBackupDestAttMo and svcredirRsDestAttMo are created in a leaf switch. This can impact the traffic hash and can lead to traffic drop. |
6.0(4c) and later |
|
| None of the apps run in a Cisco APIC cluster. The F1419 fault (Service consul failed) displays in the system and the consul service does not run. |
6.0(4c) and later |
|
| Cluster formation fails after cleaning up cleanActiveApicList on APIC1 and clean rebooting the APIC after doing an RMA of APIC1. |
6.0(4c) and later |
|
| The fault F3227 "ACI failed processing an already accepted configuration change" continuously gets raised |
6.0(4c) and later |
|
| A Cisco ACI switch can spend hours to complete the bootstrap process. At the worst, the expected completion time should be about 90 minutes. |
6.0(4c) and later |
|
| An upgraded Cisco APIC may attempt the second upgrade to same version and assume itself as APIC 1, which can cause all Cisco APICs to stop the postUpgradeCb process, which stops the upgrade. |
6.0(4c) and later |
|
| After upgrading, the Cisco APIC cluster is diverged and policymgr is down and repeatedly crashing on one Cisco APIC. |
6.0(4c) and later |
|
| There are packet drops between the pods. |
6.0(4c) and later |
|
| When running release version 6.0(3e), the policymgr service can crash after pushing an Ansible configuration. Multiple core files get generated on APIC 2, which prevents the deployment any configuration, including a single L3Out push from the GUI. Fault F4367 and 576 configurations transactions get queued in transaction for more than 2 minutes.Rebooting APIC 2 and APIC 3 results in APIC 1 generating a core 3 times with policymgr as well while APIC 2 is shutdown. |
6.0(4c) and later |
|
| After a reboot is triggered, any of the Cisco APICs take around 1 hour to reach the cluster fully fit status and the affected DME is ifc_observer. During the issue, there is non-optimal leader for some shards for the service ifc_observer, which it clears after 30 minutes. |
6.0(4c) and later |
|
| "External Control Peering" and "External Intersite Control Peering" are not displayed in "Node Association" in the infra tenant L3Out when using only eBGP as the IPN underlay protocol. Users can check the options in this location: Tenants > infra > Networking > L3Outs > (L3Out that is used in IPN) > Logical Node Profiles > (Logical Node Profile of node-XXXX) > Configured Nodes > topology/pod-Y/node-XXXX. The node ID is XXXX and the pod ID is Y. |
6.0(4c) and later |
|
| ACI switches show in maintenance with the CLI command "acidiag fnvread" on Cisco APIC, but they show "normal" in vsh and even top. System also shows In service. - Switches do not show up in the GUI nor API for configurations, as APIC vectors it as in maintenance. This severely impacts the ability to make changes. - Switches may continue to work normally even though no new configurations can be made on them. |
6.0(4c) and later |
|
| The Cisco APIC bootmgr or appliance director allows an incorrect attribute/value update to be received in LLDP TLV due to miscabling. |
6.0(4c) and later |
|
| Changing in the name of the remote-destination group stops the sending of syslog messages to the remote destination. Changing the port number or forwarding facility does not affect the sending of the messages. Only when the name is changed does the leaf switch stop sending the syslog messages. Enabling and disabling the policy does not resume the sending of the messages. |
6.0(4c) and later |
|
| After creating a SAML provider on the Cisco APIC and a login domain, then choosing option to Validate SAML Metadata, the following error is shown: Oops! Something went wrong Please try and reload the page.If the problem persists, contact Cisco TAC for assistance in resolving the issue and provide the following error report |
6.0(4c) and later |
|
| A user can only see the tenant and access policies assigned to nodes. This user can also configure an application profile in the tenant with "create application profile", but cannot see the application profile after configuring it. The user was created by following the procedure in the following document: |
6.0(4c) and later |
|
| Tech support did not include manifest.json. Due to the difference in the name of device as per the "topsystem" and "hostname" commands, the code that is responsible for generating manifest file tracebacked and failed. This is an issue in tech support component. |
6.0(4c) and later |
|
| log_bin_decode crashes on distinguished name decoding failures. |
6.0(4c) and later |
|
| REST API can be used to configure static ports for nodes that are restricted in by a node rule. |
6.0(4c) and later |
|
| Altering the IP SLA policy for an IP SLA track member led to the crashing of switches. |
6.0(4c) and later |
|
| A16GB fixed spine switch has high memory usage and is running 64-bit switch image. |
6.0(4c) and later |
|
| Fault F4144 will not clear from the Cisco APIC even with matching dhcpPool and Fabric Node Vector information. |
6.0(4c) and later |
|
| The F0413 PSU fault is not reported by SMART callhome. The tcpdump command on the leaf switch does not show SMTP messages being sent for this fault for which the PSU was removed. |
6.0(4c) and later |
|
| The entity ID set within the SAML provider in the APIC GUI is not the same as the SAML request sent through to IDP. |
6.0(4c) and later |
|
| SAML authentication fails when using the HTTPS Proxy 5.2 image. |
6.0(4c) and later |
|
| The physical domain is removed from an EPG when the CLI is used to remove all static path configurations from the EPG. |
6.0(4c) and later |
|
| The Cisco APIC bootstrap gets stuck on the "A start job is running for oob-network" job startup after configuring the OOB IP address. |
6.0(4c) and later |
|
| The way sam.config is generated after upgrading is different in the 6.0(2) release and later. In the 6.0(2) release and later, ACI only updates the necessary fields in the sam.config [main] section and keeps the remainder of the property as it is. The kafkaInternalTopic field is not updated, which causes the moss and KSM container to fail to start. |
6.0(4c) and later |
|
| Cannot delete a static node's management address. |
6.0(4c) and later |
|
| There are stale hvExtPl objects due to the hvsExtPol managed object not being cleaned up when an EPG is deleted. Fault F1606 is raised, but has no operational impact: desc :Fault delegate: Operational issues detected on portgroup error: Cannot find an EPG policy in the domain for the port group. |
6.0(4c) and later |
Resolved Issues
Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Fixed In" column of the table specifies the 6.0(4) release in which the bug was first fixed.
| Bug ID |
Description |
Fixed in |
| For strict security requirements, customers require custom certificates that have RSA key lengths of 3072 and 4096. |
6.0(4c) |
|
| Support for local user (admin) maximum tries and login delay configuration. |
6.0(4c) |
|
| The GIPo address is only visible on APIC 1 when using the command "cat /data/data_admin/sam_exported.config". The command output from the other APICs outputs do not show the GIPo address. |
6.0(4c) |
|
| When deploying a service graph, the dialog does not list all bridge domains for the provider connector. This issue is observed when you enter or edit the bridge domain name in the consumer connector field. After this, the provider connector will only list the bridge domain that is selected by the consumer connector field. |
6.0(4c) |
|
| A Cisco APIC that was previously part of the Cisco APIC cluster will not rejoin the cluster after the reload, decommission, and commission process. |
6.0(4c) |
|
| Initially, a switch node upgrade fails with the error "The requested URL returned error: 404 Not Found." After a few minutes, the switch downloads the image from the Cisco APIC. |
6.0(4c) |
|
| The NICC app image fails to load. |
6.0(4c) |
|
| An ACI deployment using an fvnsVlanInstP with allocMode="static" couldn't be used in a vmmDomP, because is blocked via validation. This can lead to the need to create a alternate fvnsVlanInstP of type dynamic covering the same vlans as the static pool, and then reference the vmmDomP and the physDomP in the EPG, leading to overlapping vlan domains. ACI has well known limitations connected to overlapping vlan domains, notably CSCwa90084. |
6.0(4c) |
|
| After configuring syslog using TCP on port 59500, the logit was sent out normally and netstat showed that it was established. However, after aborting the connection from the syslog server side, the TCP connection went from ESTABLISHED to CLOSE_WAIT and disappeared from the APIC side. |
6.0(4c) |
|
| The system time does not reflect the daylight saving time adjustments done in Egypt for releases prior to 5.3(1) and 6.0(4). |
6.0(4c) |
|
| There is a delay in the download and programming of policies on a node. |
6.0(4c) |
|
| When using the "add controllers" API with 3 or more nodes in the payload, the API can timeout in some cases. |
6.0(4c) |
|
| Fault code F1414 is triggered and cleared manually. After certain time, the fault is triggered again. This issue occurs when using the syslog server FQDN. |
6.0(4c) |
|
| When attempting to authenticate using the CLI or HTTPS to an APIC running release 6.0(2h), any of the APICs in the cluster will randomly fail authentication one out of three times, and sometimes two out of three times. The CLI or GUI presents an "access denied" error, causing the user to believe a password may have been entered incorrectly. However, when this error occurs, a packet capture reveals that the APIC never sources an authentication request to the TACACS server. |
6.0(4c) |
|
| Ingress and egress packet statistics can be viewed for VM and host in a Nutanix domain. For certain time stamps, the "MAX" packet count for the ingress and egress packet is shown incorrectly. |
6.0(4c) |
|
| Disabling resilient hashing removes the backup PBR policy selection drop-down list. Upon clicking the Submit button, the following error displays: "Error: 400 - RsBackupPol can be created only if resilient hash is enabled" |
6.0(4c) |
|
| The override vPC interface policy does not consistently take precedence over a the regular vPC interface policy. Upon a leaf switch reload, its random which policy takes precedence, and accordingly the VLANs get programmed. If the override or regular AEP is missing the relevant domain association/VLANs, then those VLANs are not programmed, which causes outages. |
6.0(4c) |
|
| Even after logging out from the Cisco APIC, the JSON Web Token (JWT) remains valid for about 10 minutes. |
6.0(4c) |
|
| An outage occurred because traffic coming from the TEPs was dropped by the receiving leaf switches with INFRA_ENCAP_SRC_TEP_MISS. |
6.0(4c) |
|
| The "panic: runtime error: invalid memory address or nil pointer dereference." Error occurred and then F1419 (Service kron failed on apic) was raised. |
6.0(4c) |
|
| Inter-pod/Inter-site BGP peer is incorrectly marked as "manual,wan" under the BGP for the peer managed object of a spine switch. |
6.0(4c) |
|
| SMU switch image download can get stuck. |
6.0(4c) |
|
| The "show running config" command does not work in the APIC CLI and generates the following errors: Error while processing mode: interface Error while processing mode: leaf Error while processing mode: configure Error: ERROR occurred: <class 'xml.etree.ElementTree.ParseError'>, not well-formed (invalid token): line 1, column 51242, File "/mgmt/opt/controller/yaci/yaci/_cfg.py", line 18, in _execute_func subCmd.runningConfig(ctx, **kwargs) |
6.0(4c) |
|
| When upgrading an APIC, the "from" version is displayed as "to" version in the event record. |
6.0(4c) |
|
| With the current GUI flow it is difficult to identify which monitoring policy is causing a fault and how to adjust its threshold when monitoring an object. |
6.0(4c) |
|
| When a non-default OOB management EPG is configured and a default one is removed from the configuration, the default EPG will be recreated automatically after a fabric upgrade. This is causes fault F0523 "Configuration failed for EPG default due to Not Associated With Management Zone". |
6.0(4c) |
|
| The ACI VMM Tags tab returns "the server returned unintelligible response" message even though the tag is retrievable using the CLI. |
6.0(4c) |
|
| In scale setups, when there are more than the usual number of objects and if the user tries to load the Capacity Dashboard page, the page times out. A few queries that are hit from the browser and the page become stuck for few seconds. |
6.0(4c) |
|
| The API call /mqapi2/deployment.query.json?mode=getvmmCapInfo that is done against the Cisco APICs by an external management system takes too long to process. |
6.0(4c) |
|
| When the Cisco APICs use Direct Connect to CSSM, running the "show license usage" command on APIC 1, 2, or 3 shows ACI_LEAF_ESS_10G 6 in use. When APICs 2 and 3 are restarted, this output is unchanged. When APIC 1 is restarted, the output becomes "No Licenses in use" on APICs 1, 2, and 3. The "Registering for Smart Licensing with Direct Connect to CSSM Using the GUI" process has to be done again. |
6.0(4c) |
|
| After issuing the APIC CLI "replace-controller reset x" commands, the failover status of the active controller does not change to default when checking using the 'show controller' commands. |
6.0(4c) |
|
| The GUI does not display maxSpeed and direction information in the equipment view. |
6.0(4c) |
|
| The property tDn (Target Dn) of class ID, such as infraRsHPathAtt and fabricRsOosPath, does not have any validation in place. A user can enter by mistake the wrong target Dn, for example because of a typo, and the APIC accepts the configuration without any warnings. |
6.0(4c) |
|
| F1419 gets raised for the kron service. |
6.0(4c) |
|
| ACI pushes the VLANs from the old VLAN pool after changing the vNIC template in the UCSM. |
6.0(4c) |
|
| Decommission an APIC causes the message "the node configuration will be wiped out from controller" to display even though the controllers still retain the user configuration. |
6.0(4c) |
|
| 1. A spine switch consumes a ACI_LEAF_ESS_XF2 license, which results in the user having a negative count. However, a spine switch does not need license if the user bought it before 01/2024. 2. There is a discrepancy in the number of consumed licenses and the actual number of spine switches in a fabric. |
6.0(4c) |
|
| Following the RMA workflow for replacing an APIC results in the APIC always having ID 1. A user should instead use the Add node workflow from the existing cluster to add the RMAed node. |
6.0(4c) |
|
| If the CIMC is not available, out-of-band management cannot be used for BootX workflows for cluster bringup. The CIMC field should be optional so that if only OOB is configured, cluster bringup will still work. |
6.0(4c) |
|
| OpFlex OOM crashes in leaf switches. |
6.0(4c) |
|
| The SNMPD service failed on all Cisco APICs after configuring SNMPv3. |
6.0(4c) |
|
| The system resets due to a policyelem high availability policy reset. |
6.0(4c) |
|
| Flow telemetry information is not displayed for some nodes, and telemetry records are getting dropped in the NDI collector because the exporter ID does not match the value for the managed object collector ID. |
6.0(4c) |
|
| A Cisco APIC cannot be added to the cluster because the GUI rejects the ID if is not within the range of 1-7. The Initial Setup Configuration states that the fabric ID valid range is 1-128. |
6.0(4c) |
|
| An edmManagedNic or compManagedNic object may be mapped to the wrong server (compHv). |
6.0(4c) |
|
| Search Filters in Endpoint - Operational - Client Endpoints do not show up in the endpoint learning filter. |
6.0(4c) |
|
| Fault "F4142" is raised when there is inconsistency in FNV and the idmgr database. Even though the addrAssigner in FNV is set to 0 and the corresponding "identContextElement" managed object is missing from the idmgr database, the fault gets raised. |
6.0(4c) |
|
| When running "show running-config" from API CLI, the command takes several minutes to complete. Several thousand API requests are seen in access.log querying ptpRsProfile on every static path. |
6.0(4c) |
|
| In the following topology: Tenant 1: VRF 1 > EPG A, EPG B. There is an any-to-any Intra VRF instance contract and EPG A and B are providers for an inter-VRF instance contract. VRF 2 > L3Out or EPG. The VRF instance consumes the inter-VRF instance contract. Traffic will unexpectedly get sent to the wrong rule when inter-VRF instance traffic is flowing. |
6.0(4c) |
|
| Recent upgraded versions of SCP servers do not support some of the old ciphers or host key algorithms causing SCP to/from APIC to break. |
6.0(4c) |
|
| Navigating to FABRIC -> Inventory -> Pod1 -> Operational -> Routes -> IPv6 learned routes results in the following error message: Value is not specified for the argument 'undefined' |
6.0(4c) |
|
| In a mini ACI fabric, the physical APIC does not join the cluster after power cycling the entire setup. |
6.0(4c) |
|
| After upgrade to ACI 5.2(8), the custom SSL certificate is not installed in the Cisco APICs and the default self-signed SSL certificate is used instead. |
6.0(4c) |
|
| The Tech Support 2of3 was not getting collected for vAPIC properly which is the reason you see the size difference for 2of3 bw APIC and vAPIC. The other TS 1of3 and 3of3 are properly collected for vAPIC. |
6.0(4c) |
|
| The port channel connected to the APIC-hosted ESXi will be in a "FAIL" state, and the cluster will become diverged and the fault F0467 will be raised. |
6.0(4c) |
|
| In a remote leaf switch, when the initial policy download happens, nginx generates a core. The process recovers by itself after a restart. This issue does not have any major functionality impact. |
6.0(4c) |
Known Issues
Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 6.0(4) releases in which the bug exists. A bug might also exist in releases other than the 6.0(4) releases.
| Bug ID |
Description |
Exists in |
| The "show run leaf|spine <nodeId>" command might produce an error for scaled up configurations. |
6.0(4c) and later |
|
| License manager occasionally cores after image upgrade. |
6.0(4c) and later |
|
| With a uniform distribution of EPs and traffic flows, a fabric module in slot 25 sometimes reports far less than 50% of the traffic compared to the traffic on fabric modules in non-FM25 slots. |
6.0(4c) and later |
|
| When you click Restart for the Microsoft System Center Virtual Machine Manager (SCVMM) agent on a scaled-out setup, the service may stop. You can restart the agent by clicking Start. |
6.0(4c) and later |
|
| One of the following symptoms occurs: App installation/enable/disable takes a long time and does not complete. Nomad leadership is lost. The output of the acidiag scheduler logs members command contains the following error: Error querying node status: Unexpected response code: 500 (rpc error: No cluster leader) |
6.0(4c) and later |
|
| The CRC and stomped CRC error values do not match when seen from the APIC CLI compared to the APIC GUI. This is expected behavior. The GUI values are from the history data, whereas the CLI values are from the current data. |
6.0(4c) and later |
|
| Upgrading Cisco APIC from a 3.x release to a 4.x release causes Smart Licensing to lose its registration. Registering Smart Licensing again will clear the fault. |
6.0(4c) and later |
|
| In the 4.x and later releases, if a firmware policy is created with different name than the maintenance policy, the firmware policy will be deleted and a new firmware policy gets created with the same name, which causes the upgrade process to fail. |
6.0(4c) and later |
|
| svcredirDestmon objects get programmed in all of the leaf switches where the service L3Out is deployed, even though the service node may not be connected to some of the leaf switch. There is no impact to traffic. |
6.0(4c) and later |
|
| A remote leaf switch has momentary traffic loss for flushed endpoints as the traffic goes through the tglean path and does not directly go through the spine switch proxy path. |
6.0(4c) and later |
|
| xR IP flush for all endpoints under the bridge domain subnets of the EPG being migrated to ESG. This will lead to a temporary traffic loss on remote leaf switch for all EPGs in the bridge domain. Traffic is expected to recover. |
6.0(4c) and later |
|
| With the floating L3Out multipath recursive feature, if a static route with multipath is configured, not all paths are installed at the non-border leaf switch/non-anchor nodes. |
6.0(4c) and later |
|
| Starting with the 6.0(4) release, the following apps built with the following non-compliant Docker versions cannot be installed nor run:
● ConnectivityCompliance 1.2
● SevOneAciMonitor 1.0
|
6.0(4c) and later |
|
| The file size mentioned in the status managed object for techsupport "dbgexpTechSupStatus" is wrong if the file size is larger than 4GB. |
6.0(4c) and later |
|
| In the "Visibility and Troubleshooting Wizard," ERSPAN support for IPv6 traffic is not available. |
6.0(4c) and later |
|
| While navigating to the last records in the various History sub tabs, it is possible to not see any results. The first, previous, next, and last buttons will then stop working too. |
6.0(4c) and later |
|
| VMMmgr process experiences a very high load for an extended period of time that impacts other operations that involve it. The process may consume excessive amount of memory and get aborted. This can be confirmed with the command "dmesg -T | grep oom_reaper" if messages such as the following are reported: oom_reaper: reaped process 5578 (svc_ifc_vmmmgr.) |
6.0(4c) and later |
|
| When the "BGP" branch is expanded in the Fabric > Inventory > POD 1 > Leaf > Protocols > BGP navigation path, the GUI freezes and you cannot navigate to any other page. This occurs because the APIC gets large set of data in response, which cannot be handled by the browser for parts of the GUI that do not have the pagination. |
6.0(4c) and later |
|
| The logical switch created for the EPG remains in the NSX-T manager after the EPG is disassociated from the domain, or the logical switch does not get created when the EPG is associated with the domain. |
6.0(4c) and later |
|
| Multiple duplicate subnets are created on Nutanix for the same EPG. |
6.0(4c) and later |
|
| With the addressing of CSCwe64407, a release that integrates that bug fix can the reference of a static VLAN pool in a VMM domain, which before was not possible. However, if the VMM domain is used by Layer 4 to Layer 7 virtual services and the VMM domain is referencing a static VLAN pool, the services do not work and a fault is raised. |
6.0(4c) and later |
|
| After upgrading a Cisco APIC from a release before 5.2(8) to release 6.0(4) or later, there is a loss of out-of-band management connectivity over IPv6 if the APIC has dual stack out-of-band management. However, IPv4 connectivity remains intact. This issue does not occur if the out-of-band management is only IPv4 or only IPv6. |
6.0(4c) and later |
|
| N/A |
Beginning in Cisco APIC release 4.1(1), the IP SLA monitor policy validates the IP SLA port value. Because of the validation, when TCP is configured as the IP SLA type, Cisco APIC no longer accepts an IP SLA port value of 0, which was allowed in previous releases. An IP SLA monitor policy from a previous release that has an IP SLA port value of 0 becomes invalid if the Cisco APIC is upgraded to release 4.1(1) or later. This results in a failure for the configuration import or snapshot rollback. The workaround is to configure a non-zero IP SLA port value before upgrading the Cisco APIC, and use the snapshot and configuration export that was taken after the IP SLA port change. |
6.0(4c) and later |
| N/A |
If you use the REST API to upgrade an app, you must create a new firmware.OSource to be able to download a new app image. |
6.0(4c) and later |
| N/A |
In a multipod configuration, before you make any changes to a spine switch, ensure that there is at least one operationally "up" external link that is participating in the multipod topology. Failure to do so could bring down the multipod connectivity. For more information about multipod, see the Cisco Application Centric Infrastructure Fundamentals document and the Cisco APIC Getting Started Guide. |
6.0(4c) and later |
| N/A |
With a non-english SCVMM 2012 R2 or SCVMM 2016 setup and where the virtual machine names are specified in non-english characters, if the host is removed and re-added to the host group, the GUID for all the virtual machines under that host changes. Therefore, if a user has created a micro segmentation endpoint group using "VM name" attribute specifying the GUID of respective virtual machine, then that micro segmentation endpoint group will not work if the host (hosting the virtual machines) is removed and re-added to the host group, as the GUID for all the virtual machines would have changed. This does not happen if the virtual name has name specified in all english characters. |
6.0(4c) and later |
| N/A |
A query of a configurable policy that does not have a subscription goes to the policy distributor. However, a query of a configurable policy that has a subscription goes to the policy manager. As a result, if the policy propagation from the policy distributor to the policy manager takes a prolonged amount of time, then in such cases the query with the subscription might not return the policy simply because it has not reached policy manager yet. |
6.0(4c) and later |
| N/A |
When there are silent hosts across sites, ARP glean messages might not be forwarded to remote sites if a leaf switch without -EX or a later designation in the product ID happens to be in the transit path and the VRF is deployed on that leaf switch, the switch does not forward the ARP glean packet back into the fabric to reach the remote site. This issue is specific to transit leaf switches without -EX or a later designation in the product ID and does not affect leaf switches that have -EX or a later designation in the product ID. This issue breaks the capability of discovering silent hosts. |
6.0(4c) and later |
| N/A |
Typically, faults are generally raised based on the presence of the BGP route target profile under the VRF table. However, if a BGP route target profile is configured without actual route targets (that is, the profile has empty policies), a fault will not be raised in this situation. |
6.0(4c) and later |
| N/A |
MPLS interface statistics shown in a switch's CLI get cleared after an admin or operational down event. |
6.0(4c) and later |
| N/A |
MPLS interface statistics in a switch's CLI are reported every 10 seconds. If, for example, an interface goes down 3 seconds after the collection of the statistics, the CLI reports only 3 seconds of the statistics and clears all of the other statistics. |
6.0(4c) and later |
Virtualization Compatibility Information
This section lists virtualization compatibility information for the Cisco APIC software.
● For a table that shows the supported virtualization products, see the ACI Virtualization Compatibility Matrix.
● For information about Cisco APIC compatibility with Cisco UCS Director, see the appropriate Cisco UCS Director Compatibility Matrix document.
● This release supports the following additional virtualization products:
| Product |
Supported Release |
Information Location |
| Microsoft Hyper-V |
● SCVMM 2019 RTM (Build 10.19.1013.0) or newer
● SCVMM 2016 RTM (Build 4.0.1662.0) or newer
● SCVMM 2012 R2 with Update Rollup 9 (Build 3.2.8145.0) or newer
|
N/A |
| VMM Integration and VMware Distributed Virtual Switch (DVS) |
6.5, 6.7, 7.0 and 8.0. Note: vSphere 8.0 does not support the vCenter Plug-in and Cisco ACI Virtual Edge (AVE). If you need to continue to use the vCenter Plug-in and Cisco AVE, use vSphere 7.0. |
Hardware Compatibility Information
This release supports the following Cisco APIC servers:
| Product ID |
Description |
| APIC-L2 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-L3 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1200 edge ports) |
| APIC-L4 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1200 edge ports) |
| APIC-M2 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
| APIC-M3 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1200 edge ports) |
| APIC-M4 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1200 edge ports) |
The following list includes general hardware compatibility information:
● For the supported hardware, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 16.0(4).
● Contracts using matchDscp filters are only supported on switches with "EX" on the end of the switch name. For example, N9K-93108TC-EX.
● When the fabric node switch (spine or leaf) is out-of-fabric, the environmental sensor values, such as Current Temperature, Power Draw, and Power Consumption, might be reported as "N/A." A status might be reported as "Normal" even when the Current Temperature is "N/A."
● First generation switches (switches without -EX, -FX, -GX, or a later suffix in the product ID) do not support Contract filters with match type "IPv4" or "IPv6." Only match type "IP" is supported. Because of this, a contract will match both IPv4 and IPv6 traffic when the match type of "IP" is used.
The following table provides compatibility information for specific hardware:
| Product ID |
Description |
| Cisco UCS M4-based Cisco APIC |
The Cisco UCS M4-based Cisco APIC and previous versions support only the 10G interface. Connecting the Cisco APIC to the Cisco ACI fabric requires a same speed interface on the Cisco ACI leaf switch. You cannot connect the Cisco APIC directly to the Cisco N9332PQ ACI leaf switch, unless you use a 40G to 10G converter (part number CVR-QSFP-SFP10G), in which case the port on the Cisco N9332PQ switch auto-negotiates to 10G without requiring any manual configuration. |
| Cisco UCS M5-based Cisco APIC |
The Cisco UCS M5-based Cisco APIC supports dual speed 10G and 25G interfaces. Connecting the Cisco APIC to the Cisco ACI fabric requires a same speed interface on the Cisco ACI leaf switch. You cannot connect the Cisco APIC directly to the Cisco N9332PQ ACI leaf switch, unless you use a 40G to 10G converter (part number CVR-QSFP-SFP10G), in which case the port on the Cisco N9332PQ switch auto-negotiates to 10G without requiring any manual configuration. |
| N2348UPQ |
To connect the N2348UPQ to Cisco ACI leaf switches, the following options are available: Directly connect the 40G FEX ports on the N2348UPQ to the 40G switch ports on the Cisco ACI leaf switches Break out the 40G FEX ports on the N2348UPQ to 4x10G ports and connect to the 10G ports on all other Cisco ACI leaf switches. Note: A fabric uplink port cannot be used as a FEX fabric port. |
| N9K-C9348GC-FXP |
This switch does not read SPROM information if the PSU is in a shut state. You might see an empty string in the Cisco APIC output. |
| N9K-C9364C-FX |
Ports 49-64 do not support 1G SFPs with QSA. |
| N9K-C9508-FM-E |
The Cisco N9K-C9508-FM-E2 and N9K-C9508-FM-E fabric modules in the mixed mode configuration are not supported on the same spine switch. |
| N9K-C9508-FM-E2 |
The Cisco N9K-C9508-FM-E2 and N9K-C9508-FM-E fabric modules in the mixed mode configuration are not supported on the same spine switch. The locator LED enable/disable feature is supported in the GUI and not supported in the Cisco ACI NX-OS switch CLI. |
| N9K-C9508-FM-E2 |
This fabric module must be physically removed before downgrading to releases earlier than Cisco APIC 3.0(1). |
| N9K-X9736C-FX |
The locator LED enable/disable feature is supported in the GUI and not supported in the Cisco ACI NX-OS Switch CLI. |
| N9K-X9736C-FX |
Ports 29 to 36 do not support 1G SFPs with QSA. |
Miscellaneous Compatibility Information
This release supports the following products:
| Product |
Supported Release |
| Cisco NX-OS |
16.0(4) |
| Cisco UCS Manager |
2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter. |
| CIMC HUU ISO |
● 4.3.2.240009 CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3) and UCS C225 M6 (APIC-L4/M4)
● 4.3.2.230207 CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3) and UCS C225 M6 (APIC-L4/M4)
● 4.2(3e) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3) and UCS C225 M6 (APIC-L4/M4)
● 4.2(3b) CIMC HUU ISO for UCS C225 M6 (APIC-L4/M4)
● 4.2(3b) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.2(2a) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3m) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3f) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3d) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3c) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(2m) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(2k) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(2g) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(2b) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(1g) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2) and M5 (APIC-L3/M3)
● 4.1(1f) CIMC HUU ISO for UCS C220 M4 (APIC-L2/M2) (deferred release)
● 4.1(1d) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
● 4.1(1c) CIMC HUU ISO for UCS C220 M4 (APIC-L2/M2)
● 4.0(4e) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
● 4.0(2g) CIMC HUU ISO for UCS C220/C240 M4 and M5 (APIC-L2/M2 and APIC-L3/M3)
● 4.0(1a) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
● 3.0(4d) CIMC HUU ISO for UCS C220/C240 M3 and M4 (APIC-L2/M2)
● 3.0(3f) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 2.0(13i) CIMC HUU ISO
● 2.0(9c) CIMC HUU ISO
● 2.0(3i) CIMC HUU ISO
|
| Network Insights Base, Network Insights Advisor, and Network Insights for Resources |
For the release information, documentation, and download links, see the Cisco Network Insights for Data Center page. For the supported releases, see the Cisco Data Center Networking Applications Compatibility Matrix. |
● This release supports the partner packages specified in the L4-L7 Compatibility List Solution Overview document.
● A known issue exists with the Safari browser and unsigned certificates, which applies when connecting to the Cisco APIC GUI. For more information, see the Cisco APIC Getting Started Guide, Release 6.0(x).
● For compatibility with Day-2 Operations apps, see the Cisco Data Center Networking Applications Compatibility Matrix.
● Cisco Nexus Dashboard Insights creates a user in Cisco APIC called cisco_SN_NI. This user is used when Nexus Dashboard Insights needs to make any changes or query any information from the Cisco APIC. In the Cisco APIC, navigate to the Audit Logs tab of the System > History page. The cisco_SN_NI user is displayed in the User column.
● If you are using Cisco Nexus 9500 switches in the ACI-mode with the N9K-SUP-A or N9K-SUP-A+ supervisor, because of increased memory usage associated with scalability enhancements in the Cisco ACI 6.0(4c) release, do not install Cisco ACI 6.0(4c) in your Cisco ACI fabrics. We are working on an optimization in a near-future Cisco ACI 6.0 maintenance release that will allow the N9K-SUP-A and N9K-SUP-A+ supervisors to operate in a normal memory condition. Contact your Cisco account team for additional information.
Related Content
See the Cisco Application Policy Infrastructure Controller (APIC) page for the documentation.
The documentation includes installation, upgrade, configuration, programming, and troubleshooting guides, technical references, release notes, and knowledge base (KB) articles, as well as other documentation. KB articles provide information about a specific use case or a specific topic.
By using the "Choose a topic" and "Choose a document type" fields of the APIC documentation website, you can narrow down the displayed documentation list to make it easier to find the desired document.
You can watch videos that demonstrate how to perform specific tasks in the Cisco APIC on the Cisco Cloud Networking YouTube channel.
Temporary licenses with an expiry date are available for evaluation and lab use purposes. They are strictly not allowed to be used in production. Use a permanent or subscription license that has been purchased through Cisco for production purposes. For more information, go to Cisco Data Center Networking Software Subscriptions.
The following table provides links to the release notes, verified scalability documentation, and new documentation:
| Document |
Description |
| Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 16.0(4) |
The release notes for Cisco NX-OS for Cisco Nexus 9000 Series ACI-Mode Switches. |
| This guide contains the maximum verified scalability limits for Cisco Application Centric Infrastructure (ACI) parameters for Cisco APIC and Cisco Nexus 9000 Series ACI-Mode Switches. |
|
| This document resides on developer.cisco.com and provides information about and procedures for using the Cisco APIC REST APIs. The new REST API procedures for this release reside only here and not in the configuration guides. However, older REST API procedures are still in the relevant configuration guides. |
Documentation Feedback
To provide technical feedback on this document, or to report an error or omission, send your comments to apic-docfeedback@cisco.com. We appreciate your feedback.
Legal Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2024 Cisco Systems, Inc. All rights reserved.