Release Notes for Cisco Connected Mobile Experiences (CMX), Release 10.6.0 and Later

Release Notes for Cisco CMX Release 10.6.x

---

First Published: January 30, 2019
Last Modified: May 23, 2024

Introduction

Cisco Connected Mobile Experiences (Cisco CMX) Release 10.6.0 and later is a high-performing scalable software solution that addresses the mobility services requirements of high-density Wi-Fi deployments. Unless otherwise noted, Cisco Connected Mobile Experiences is referred to as Cisco CMX in this document.

This release is suitable for on-premise deployments where the following features are required:

• Detect and Locate
• Analytics
• Hyperlocation
• FastLocate
• Federal Information Processing Standard (FIPS) deployment
• Integration with Cisco Prime Infrastructure Release 3.4 or later
• Integration with Cisco Digital Network Architecture (DNA) Center Release 2.1 or later
• Single sign-on through Security Assertion Markup Language (SAML)

This release is not suitable for deployments where the following are required:

• Cisco Adaptive Wireless Intrusion Prevention System (aWIPS) feature

What’s New

What’s New in Cisco CMX Release 10.6.2-89

This is a mandatory security patch which addresses CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046 vulnerability issues in Apache log4j. This patch works for Cisco CMX Release 10.6.2-89.

You must download Cisco CMX Release 10.6.2-89 patch cmx-log4j-vulnerability-patch-10.6.2-2.cmxp available at Software Download page and copy the patch file to /home/cmxadmin directory.

---

Note If the cmx-log4j-vulnerability-patch-10.6.2-1.cmxp patch file is previously installed, ensure that you run the cmxos patch remove command to remove the patch before installing the new patch.

To apply this patch on Cisco CMX High Availability, you must break High Availability and rebuild it.

To install Cisco CMX Release 10.6.2-89 patch:

---

Step 1 Log in to Cisco Connected Mobile Experiences (Cisco CMX) through SSH.

Step 2 Enter the cmxos patch list command to check if a patch file is installed.

Step 3 Enter the cmxos patch remove command to remove any installed patch.

Run the command and provide the patch name that needs to be removed.

Step 4 Enter the cmxctl restart command to restart Cisco CMX services.

Step 5 Download Cisco CMX Release 10.6.2-89 patch cmx-log4j-vulnerability-patch-10.6.2-2.cmxp available at Software Download page.

Step 6 Copy the patch file to /home/cmxadmin directory.

Step 7 Enter the cmxos patch install command to install the patch.

Run the command and provide the patch name as cmx-log4j-vulnerability-patch-10.6.2-2.cmxp.

 

---

Note This patch restarts all Cisco CMX services and might take few minutes to complete. We recommend that you wait until the installation process is complete.

 

 

 

 

 

System Information

• Supported Hardware
• Software Requirements

License Information

 

• The Cisco CMX Evaluation License provides full functionality for a period of 120 days. The countdown starts when you start Cisco CMX and enable a service.

Two weeks before the evaluation license expires, you will receive a daily alert for obtaining a permanent license. If the evaluation license expires, you will not be able to access the Cisco CMX GUI or APIs. Cisco CMX will continue to run in the background and collect data until you add a permanent license and regain access to it.

• A Cisco DNA Spaces license (SEE or ACT/EXT) is required to connect Cisco CMX to a cloud. The cloud license includes the Cisco CMX license required to enable Cisco CMX.
• Cisco CMX now includes license changes that warn that the use of Cisco Hyperlocation capabilities requires the Cisco CMX Advanced License. If you have any questions about licensing, contact your Cisco account team.
• The High-Availability feature on Cisco CMX is part of the Cisco CMX Base license, which you should install on the primary HA server. The secondary HA server automatically receives a copy of the Cisco CMX license during synchronization. There is no HA-specific license to install.
• When a third-party certificate is installed in an HA setup, the certificate needs to be installed separately on both the primary and secondary Cisco CMX servers. For additional information and procedures, see the “Installing a CA-Signed Certificate for High Availability in Cisco CMX” section in the Cisco CMX Configuration Guide at
  https://www.cisco.com/c/en/us/td/docs/wireless/mse/10-6/cmx_config/b_cg_cmx106/getting_started_with_cisco_cmx.html#id_122557.

For information about procuring Cisco CMX licenses, see the Cisco Connected Mobile Experiences (CMX) Version 10 Ordering and Licensing Guide for this release at: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/connected-mobile-experiences/guide-c07-734430.html.

For information about adding and deleting licenses, see the “Managing Licenses” section in the Cisco CMX Configuration Guide for this release at: https://www.cisco.com/c/en/us/support/wireless/connected-mobile-experiences/products-installation-and-configuration-guides-list.html.

Installation and Upgrade Information

• ( CSCvp04706) Use the CLI, not the GUI, to upgrade to Cisco CMX Release 10.6.1 or later.
• You cannot upgrade to Cisco CMX Release 10.6.x or later from Cisco CMX Release 10.4.x or earlier until you install and deploy the latest Cisco CMX OVA or ISO file on your system.
• Before installing and deploying the Cisco CMX OVA or ISO file, back up your existing system to a safe location. After OVA or ISO deployment, you can restore your data to your system running Cisco CMX Release 10.5.x or later.

For complete information about the relevant procedures, see the Cisco Mobility Services Engine Virtual Appliance Installation Guide for this release at: https://www.cisco.com/c/en/us/support/wireless/connected-mobile-experiences/products-installation-guides-list.html.

• Downgrading from any Cisco CMX release is not supported.
• Inline upgrade from Cisco CMX Release 10.5.x to Cisco CMX Release 10.6.x is supported.
• We recommend that you run Cisco CMX Release 10.5.x or later in parallel with the existing Cisco MSE appliance Release 8.0 or earlier, and utilize the evaluation license for 120 days. After the evaluation period, the earlier Cisco MSE appliance release can be decommissioned.
• No database migration or inline upgrade is supported from Cisco MSE appliance Release 8.0 or earlier to Cisco CMX Release 10.5.x or later.
• ( CSCvn98931) The Cisco 3375 appliance supports Cisco CMX Release 10.5.1 and later. Do not upgrade the Cisco Integrated Management Controller (CIMC) software.

For information about upgrading from an earlier Cisco CMX release to this release, see the Chapter “Upgrading” in the Cisco Mobility Services Engine Virtual Appliance Installation Guide for Cisco CMX for this release at: https://www.cisco.com/c/en/us/support/wireless/connected-mobile-experiences/products-installation-guides-list.html.

For information about upgrading from Cisco MSE appliance Release 8.x to Cisco CMX Release 10.x, see the applicable Release Notes for Cisco Mobility Services Engine, Release 8.0.x at: https://www.cisco.com/c/en/us/support/wireless/mobility-services-engine/products-release-notes-list.html.

Limitations, Restrictions, and Important Notes

Tip To clean up long queues and long-running processes, we recommend that you schedule a full restart of Cisco CMX once a month during a low activity time, such as late at night or early in the morning. The restart takes approximately 5 minutes to complete.

To restart Cisco CMX services, follow these steps:

1. Enter the cmxctl stop -a command.

2. Enter the cmxctl start -a command.

---

Note Contact Cisco Customer Support (https://www.cisco.com/c/en/us/support/index.html) for the patch file.

 

---

Note If a Cisco CMX CLI or GUI user account is inactive for 60 days or more, the account is locked. A Cisco CMX admin user (cmxadmin) can unlock the account and use the applicable command:

• cmxctl users unlock gui < userID > command to unlock the user’s Cisco CMX GUI account.
• cmxctl users unlock cli < userID > command to unlock the user’s Cisco CMX CLI account.

If the Cisco CMX admin user account is locked out, the admin user must connect directly to the console and use the applicable command: cmxctl users unlock gui < userID > or cmxctl users unlock cli < userID >.

 

• You can use the cmxctl config auth settings command to set the expiration period for the password. The default expiration period is 9999 days.
• ( CSCvo95518) Cisco CMX Release 10.6.2 and later with FIPS mode enabled can establish a Network Mobility Services Protocol (NMSP) connection with Cisco Catalyst 9800 wireless controllers running Release 16.12, with FIPS and CC mode enabled.

In contrast, Cisco CMX Release 10.6.2 and later with FIPS mode enabled cannot establish an NMSP connection with Cisco WLCs running Release 8.x.

---

Note Before enabling FIPS mode on Cisco CMX, remove all the non-FIPS compliant controllers from Cisco CMX. Otherwise, establishing NMSP connectivity after restarting Cisco CMX services will require an extensive amount of time.

• For support in using APIs, including the GitHub version of API Version 3, contact the Cisco DevNet Community at: https://developer.cisco.com/site/cmx-mobility-services/.
• Cisco CMX supports the Cisco Mobility Express wireless network solution.
• The Cisco FlexConnect feature does not support DNS ACL, and as such, you cannot use DNS ACLs when configuring Cisco CMX Connect and Engage.
• ( CSCve28851) The following error message is displayed because MATLAB only counts heavy walls for location calculation, while Java counts all the obstacles on the floor map. Ignore this message because the heat maps are now correctly generated and stored:

• ( CSCve37513) Cisco CMX detects the same sources of interferences as the Cisco CleanAir system. For more information, see the “Configuring Cisco CleanAir on the Cisco Wireless LAN Controller (GUI)” section in the Chapter “Wireless Quality of Service” of the Cisco Wireless Controller Configuration Guide, Release 8.4 at: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-4/config-guide/b_cg84/wireless_quality_of_service.html#ID51.

The sources of interference are:

– Bluetooth Paging Inquiry: A Bluetooth discovery (802.11b/g/n only)

– Bluetooth Sco Acl: A Bluetooth link (802.11b/g/n only)

– Generic DECT: A digital, enhanced cordless communication-compatible phone

– Generic TDD: A time division duplex (TDD) transmitter

– Generic Waveform: A continuous transmitter

– Jammer: A jamming device

– Microwave: A microwave oven (802.11b/g/n only)

– Canopy: A canopy bridge device

– Spectrum 802.11 FH: An 802.11 frequency-hopping device (802.11b/g/n only)

– Spectrum 802.11 inverted: A device using spectrally inverted Wi-Fi signals

– Spectrum 802.11 non std channel: A device using nonstandard Wi-Fi channels

– Spectrum 802.11 SuperG: An 802.11 SuperAG device

– Spectrum 802.15.4vAn 802.15.4 device (802.11b/g/n only)

– Video Camera: An analog video camera

– WiMAX Fixed: A WiMAX fixed device (802.11a/n/ac only)

– WiMAX Mobile: A WiMAX mobile device (802.11a/n/ac only)

– XBox: A Microsoft Xbox (802.11b/g/n only)

• ( CSCve56353) End users using Android devices are unable to open the Cisco CMX landing page URL configured from the Connect & Engage > Connect Experiences window. In addition, the Guest Portal might also close after an end user registers. This is a known “Redirection to Success Page” Android bug from Google. For more information, see: https://support.cmxcisco.com/hc/en-us/articles/115007357987
• ( CSCve73287) The default setting of Cisco CMX Connect allows for a maximum of approximately two clients per second continuously. A higher number can be achieved at peak, for example, 4,000 HTTP connections can be made during a 5-minute window. In addition, special configuration changes can be made to increase this rate. Contact Cisco Technical Support for more information on these recommendations.
• ( CSCvg10317) Cisco MSE virtual machine (VM) appliance running Cisco CMX might not function properly after being powered on after a power outage. If this occurs:

1. Use the cmxos date command to make sure that the Cisco CMX system date matches the current date. If the dates do not match, use the NTP server to synchronize the dates.

2. Enter the cmxctl stop –a command to shut down Cisco CMX services.

3. Enter the cmxctl start command to restart the services.

• ( CSCvg28274) If NMSP tunnel flapping occurs, ping an external address to check if the DNS resolution is slow. If it is slow, delete all the external DNS server entries in the /etc/resolv.conf file, except for the entry that maps to the localhost.
• ( CSCvg79749) In Cisco CMX Release 10.4.0, the v3 client API was introduced, and the v2 client API was deprecated. We recommend that you use the v3 API instead of the v2 API. High CPU usage by the Cisco CMX Location service occurs when the v2 API is used for a long duration. Restart the Cisco CMX Location service to correct the condition.
• ( CSCvh13119) (On Apple MacBook Pro laptops) After accepting the terms and conditions and clicking Submit, the Cisco CMX portal page with the Facebook icon keeps redisplaying and does not connect to the Internet. Opening a separate browser session results in connecting to the Internet, but bypasses portal authentication.

(On Apple iPads) The custom portal page appears twice before authentication is successful.

• ( CSCvi07385) With VMware vSphere ESXi 6.5 Update 2, you can successfully deploy the Cisco CMX OVA file. Update 2 displays the deployment options (Low-end, Standard, and High-end). Minor erroneous text such as [object Object] is also displayed.

With VMware vSphere ESXi 6.5 and VMware vSphere ESXi 6.5 Update 1, the deployment options are not displayed.

• ( CSCvi84935) High CPU usage of the Cisco CMX Analytics and Location services might occur during initial HA synchronization, causing the synchronization to not complete. If this occurs, remove the Cisco WLC from the system to decrease the CPU usage of the Cisco CMX Analytics service. This provides enough memory for the initial HA synchronization to complete.
• ( CSCvj52515) There is significant overhead in maintaining the compact history, which allows you to query the unique clients seen on a floor or zone per day. This does not affect the regular clients history that is stored in the Cassandra database.

---

Note From Cisco CMX Release 10.4.1-15, the Feature Flags setting is disabled by default. If your system is running an earlier release of Cisco CMX, we recommend that you disable the Feature Flags setting.

To disable the Feature Flags setting, enter these commands:

a. cmxctl config featureflags location.compactlocationhistory false

b. cmxctl agent restart

c. cmxctl location stop

d. cmxctl location start

• ( CSCvn33059) When you click the Client movement history playback icon on the Detect & Location > Activity Map window, you can select a day—up to 30 days from the current date—to track the history of a client. This window of 30 days is independent of the Data Retention - Client History Pruning Interval.
• ( CSCvn98927) We recommend that you assign an IP address to a single interface (ens32). Assigning IP addresses to two interfaces allows data to go to both the interfaces, which causes Cisco CMX to drop packets, and creates issues related to client tracking.
• ( CSCvo14248) Generating scheduled reports in PDF format is not supported on Cisco CMX Release 10.5.0 and later. Use the PrtSc option instead. This feature set will be removed from the product.
• ( CSCvo60319) On Cisco CMX, using OAuth with Instagram might not always display the Log In portal. If the portal is not displayed, refresh your browser.
• ( CSCvp00432) As of Cisco CMX Release 10.6.0, Cisco CMX no longer supports the Historylite (/api/location/v1/historylite) API. The API requires collecting compact location history, which causes performance issues.
• ( CSCvp11685) If FIPS mode is enabled on Cisco CMX, the Maps online sync (Import from Cisco Prime Infrastructure) fails for Cisco Prime Infrastructure Release 3.5.

To import maps from Cisco Prime Infrastructure Release 3.5 to Cisco CMX with FIPS mode enabled, you must download the tar file of Cisco Prime Infrastructure, and then upload the tar file to Cisco CMX, as described in the “Importing Maps” section in the Cisco CMX Configuration Guide at: https://www.cisco.com/c/en/us/support/wireless/connected-mobile-experiences/products-installation-and-configuration-guides-list.htm.

• (CSCvp19413) If you need to use round brackets (such as parentheses) in a Cisco CMX API regex expression, use a backslash (\) to escape the next character. For example, instead of this string:

use this string:

• ( CSCvp31400) Cisco CMX in FIPS mode does not support the aes128-ctr and aes256-ctr ciphers (while Cisco CMX in non-FIPS mode supports them). If a Cisco Catalyst 9800 wireless controller is using either of these ciphers, it will not be able to communicate with Cisco CMX in FIPS mode.

Cisco CMX in FIPS mode supports only the aes128-cbc, aes256-cbc, aes128-gcm@openssh.com, and aes256-gcm@openssh.com ciphers.

• ( CSCvp25049) The Repeat Devices API does not provide all the required information because it requires information from history location data, which is managed by the compacthistory feature flag. The feature flag causes performance issues and is disabled by default.
• ( CSCvp92688) Cisco CMX might not be able to process a large amount of history data from the Cassandra database if the duration between locatedAfterTime and locatedBeforeTime for the All Client History API is either 1 hour or 20 minutes. We recommend that you use the Cassandra export tool to extract history data.
• ( CSCvq81962) When the Cisco CMX session idle timeout period is reached, users are logged out of their Cisco CMX UI session whether the session is idle or is actively being used. Users must then log in to Cisco CMX again.

Use the cmxctl config auth settings command to configure the Session idle timeout in minutes setting. The time range is 1 to 720 minutes. The default value is 30 minutes.

This timeout period does not apply to Cisco CMX CLI sessions.

• ( CSCvq82147) Cisco CMX supports VMware Snapshot.
• ( CSCvq82305) Location data is poor when too few Angle of Arrival (AoA) measurements are reported in a network, with both hyperlocation and nonhyperlocation access points.
• ( CSCvr16016) The issue of the Cisco CMX Analytics Service not processing data is now fixed in Cisco CMX Release 10.6.2-72 but for the fix to come into effect, you must reboot Cisco CMX.
• ( CSCvr26395 and CSCvr26398) The Cisco CMX Troubleshooting Tool supports only Cisco Hyperlocation-capable access points.
• ( CSCvs57713) With Cisco CMX Release 10.5 and later and Cisco WLC Release 8.7 and later, the Cisco CMX Group Subscription feature allows one Cisco Hyperlocation-enabled wireless controller to connect to multiple Cisco CMX servers.
• ( CSCvs68618) When collecting client data from the Cisco CMX v3 Location API, the last seen time stamp is different from the time stamp displayed on the Cisco CMX GUI.
• In Cisco CMX Release 10.6.2-89, the floorRefId component is replaced with floorId.
• ( CSCvs89951) If your network has a Cisco Catalyst 9800 wireless controller, do not check the Exclude Probing Only Clients check box located in the Settings > Filtering section on the System > Dashboard window on Cisco CMX. Checking the Exclude Probing Only Clients check box causes all the clients (probing and associated clients) to be excluded from the controller, and hence will not be displayed on Cisco CMX.
• ( CSCvt83715) We recommend that you disable the Cisco CMX Analytics service if you are not using the service.

– If you are running Cisco CMX Release 10.6.2-72 or earlier, install the cmx-disableanalytics-patch-10.6.2-1.cmxp patch file. Contact Cisco Customer Support ( https://www.cisco.com/c/en/us/support/index.html) for the patch file.

– If you are running Cisco CMX Release 10.6.2-89 or later, use the cmxctl disable analytics command.

---

Note The cmxctl disable analytics command is supported only on Cisco CMX Release 10.6.2-89 and later.

• ( CSCvt83902) Cisco CMX displays an authentication error during SSO login if the SAML response from the IDP does not include the User.email, User.FirstName, and User.LastName attributes.
• ( CSCvu18413) Due to FIPS/CC/UCAPL compliance, root access is no longer available as of Cisco CMX Release 10.6.0. Only Cisco Customer Support has access to a root patch for troubleshooting. Contact Cisco Customer Support ( https://www.cisco.com/c/en/us/support/index.html) for assistance.

Caveats

• Cisco Bug Search Tool
• Open Caveats
• Resolved Caveats in Cisco CMX Release 10.6.2-89
• Resolved Caveats in Cisco CMX Release 10.6.2-72
• Resolved Caveats in Cisco CMX Release 10.6.2
• Resolved Caveats in Cisco CMX Release 10.6.1
• Resolved Caveats in Cisco CMX Release 10.6.0

Documentation and Support

• Related Documentation
• Cisco Support Community
• Communications, Services, and Additional Information