Release Notes for Cisco Catalyst 9800 Series Wireless Controller, Cisco IOS XE Amsterdam 17.3.x
Introduction to Cisco Catalyst 9800 Series Wireless Controllers
The Cisco Catalyst 9800 Series Wireless Controllers comprise next-generation wireless controllers (referred to as controller in this document) built for intent-based networking. The Catalyst 9800 Series Wireless Controllers are Cisco IOS XE based and integrate the radio frequency (RF) capabilities from Cisco Aironet with the intent-based networking capabilities of Cisco IOS XE to create a best-in-class wireless experience for your organization.
The Catalyst 9800 controllers are enterprise ready to power your business-critical operations and transform end-customer experiences:
- The controllers come with high availability (HA) and seamless software updates that are enabled by hot and cold patching. This keeps your clients and services up and running always, both during planned and unplanned events.
- The controllers come with built-in security, including secure boot, run-time defenses, image signing, integrity verification, and hardware authenticity.
- The controllers can be deployed anywhere to enable wireless connectivity, for example, on an on-premise device, on cloud (public or private), or embedded on a Cisco Catalyst switch (for SDA deployments) or a Cisco Catalyst access point (AP).
- The controllers can be managed using Cisco Digital Network Architecture (DNA) Center, programmability interfaces, for example, NETCONF and YANG, or web-based GUI or CLI.
- The controllers are built on a modular operating system. Open and programmable APIs enable the automation of your day zero to day n network operations. Model-driven streaming telemetry provides deep insights into your network and client health.
The Catalyst 9800 Series controllers are available in multiple form factors to cater to your deployment options:
- Catalyst 9800 Series Wireless Controller Appliance
- Catalyst 9800 Series Wireless Controller for Cloud
- Catalyst 9800 Embedded Wireless Controller for a Cisco switch
Note: All the Cisco IOS-XE programmability-related topics on the Cisco Catalyst 9800 controllers are supported by DevNet, either through community-based support or through DevNet developer support. For more information, go to https://developer.cisco.com.
What's New in Cisco IOS XE Amsterdam 17.3.7
Feature Name | Description and Documentation Link |
---|---|
Secure Data Wipe | This feature allows you to securely erase files from the file system of the Cisco Access Points. For more information, see the chapter Secure Data Wipe. |
What's New in Cisco IOS XE Amsterdam 17.3.6
This release includes critical bug fixes relating to scale and stability improvements.
Feature Name | Description and Documentation Link |
---|---|
Mesh and Mesh + Flex Support for Cisco Catalyst 9124AXE Outdoor Access Points | The Mesh and Mesh + Flex features are supported on Cisco Catalyst 9124AXE outdoor Access Points. For more information, see the chapter Mesh Access Points. |
Mesh and Mesh + Flex Support for Cisco Catalyst 9124AXI/D Outdoor Access Points | The Mesh and Mesh + Flex features are supported on Cisco Catalyst 9124AXI/D outdoor Access Points. For more information, see the chapter Mesh Access Points. |
Important: Open issue: Slow TCP downloads and failing EAP-TLS are observed in Cisco IOS XE 17.3.6 - Cisco Aironet 2800, 3800, 4800, 1562, or Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Points (CSCwd37092). To fix this issue, we recommend that you download APSP2 (CSCwd40096) which includes the above fix along with fixes for CSCvz99036 and CSCwc78435 while upgrading to Cisco IOS XE Amsterdam 17.3.6.
What's New in Cisco IOS XE Amsterdam 17.3.5b
This release includes a few critical bug fixes from Cisco IOS XE Amsterdam 17.3.5a to improve stability.
What's New in Cisco IOS XE Amsterdam 17.3.5a
This release includes critical bug fixes relating to scale and stability improvements.
Feature Name | Description and Documentation Link |
---|---|
Support for SGT Inline Tagging Over Port-Channel Uplink | SGT inline tagging over port-channel uplink is supported in Cisco IOS XE Amsterdam 17.3.5a for Cisco Catalyst 9800-L Wireless Controller, Cisco Catalyst 9800-40 Wireless Controller, and Cisco Catalyst 9800-80 Wireless Controller. For more information, see the Cisco TrustSec chapter. |
Cisco Catalyst 9124AXE Access Point | Cisco Catalyst 9124AXE Access Point is supported from this release. The supported regulatory domains are A, B, E, and Z. |
Important: Mesh features are not supported in Cisco Catalyst 9124 series APs, in Cisco IOS XE 17.3.5a and earlier releases.
Important: Known issue: APs are unable to join the controller because of an invalid path MTU in the AP join request (CSCwb13784). To fix this issue, apply the mandatory patch that has been released for all deployments having an MTU lower than 1500 bytes (for example, CAPWAP over WANs), regardless of the AP type. This recommendation could apply to local network scenarios. This hot patch does not require a controller reload. The following are the image names for the SMU update:
You can download the software from the software download home page at: https://software.cisco.com/download/home
The following products are supported:
For information about the SMU installation process, see:
What's New in Cisco IOS XE Amsterdam 17.3.4c
This release includes critical bug fixes found in 17.3.3 and 17.3.4 releases. Some of these fixes were previously released through Software Maintenance Upgrade (SMU) and AP Service Pack (APSP).
The supported regulatory domains for Cisco Catalyst 9124AXI/D Access Points are A, B, E, Q, Z, F, and R.
What's New in Cisco IOS XE Amsterdam 17.3.4
Feature Name | Description and Documentation Link |
---|---|
Cisco Catalyst 9124 Access Points | |
What's New in Cisco IOS XE Amsterdam 17.3.3
Feature Name | Description and Documentation Link |
---|---|
Overlapping Client IP Address in Flex Deployment | This feature offers overlapping IP addresses across various flex sites and provides all the functionalities that are supported in flex deployments. For more information, see the Overlapping Client IP Address in Flex Deployment chapter. |
Plug and Play Support for Cisco DNA Center Provisioning | From this release, the controller supports the PnP feature, which allows for automated provisioning on DNA Center (DNAC 2.1.2.x release and above). |
Smart Software Manager On-Prem (SSM On-Prem) Support for Smart Licensing Using Policy | SSM On-Prem is an asset manager, which works in conjunction with CSSM. It enables you to administer products and licenses on your premises instead of having to directly connect to CSSM. Here, a product instance is connected to SSM On-Prem, and SSM On-Prem becomes the single point of interface with CSSM. The product instance can be configured to push the required information to SSM On-Prem. Alternatively, SSM On-Prem can be set up to pull the required information from a product instance at a configurable frequency. After usage information is available in SSM On-Prem, you must synchronize the same with CSSM, to ensure that the product instance count, license count, and license usage information is the same on both CSSM and SSM On-Prem. Offline and online options are available for synchronization between CSSM and SSM On-Prem. Minimum Required SSM On-Prem Version: Version 8, Release 202102. Minimum Required Cisco IOS XE Version: Cisco IOS XE Amsterdam 17.3.3. For more information, see the Smart Licensing Using Policy chapter and the Command Reference guide. |
What's New in Cisco IOS XE Amsterdam 17.3.2a
Feature Name | Description and Documentation Link |
---|---|
Assurance and IoT Services Coexistence Without iCAP | From this release onwards, the controller supports deployment of both Cisco DNA Spaces IoT Services and Network Assurance on Cisco DNA Center. However, IoT Services and Intelligent Capture (iCAP) port configuration are still mutually exclusive. For more information, see the IoT Services Management chapter. |
AP Authorization Using Serial Number | From this release onwards, serial number authorization is applicable to all the access points. When serial-number authorization is enabled, the controller uses the top-assembly serial number for the authorization of the AP. For more information, see the Authorizing Access Points section in the Converting Autonomous Access Points to Lightweight Mode chapter. |
OEAP Personal SSID Support | From this release onwards, the Cisco OfficeExtend Access Point (OEAP) supports personal SSID. This enables a local home client to use the same OEAP for local networking and internet connectivity. For more information, see the OEAP Personal SSID section in the FlexConnect chapter. |
Smart Licensing Using Policy | An enhanced version of Smart Licensing, with the overarching objective of providing a licensing solution that does not interrupt the operations of your network, rather, one that enables a compliance relationship to account for the hardware and software licenses you purchase and use. With this licensing model, you do not have to complete any licensing-specific operations, such as registering or generating keys before you start using the software and the licenses that are tied to it. Only export-controlled and enforced licenses require Cisco authorization before use. License usage is recorded on your device with timestamps and the required workflows can be completed at a later date. Multiple options are available for license usage reporting; this depends on the topology you implement. You can use the Cisco Smart Licensing Utility (CSLU) Windows application, or report usage information directly to CSSM. A provision for offline reporting for air-gapped networks, where you download usage information and upload to CSSM, is also available. Starting with this release, Smart Licensing Using Policy is automatically enabled on the device. This is also the case when you upgrade to this release. By default, your Smart Account and Virtual Account in CSSM are enabled for Smart Licensing Using Policy. For more information, see the Smart Licensing Using Policy chapter. |
Cisco DNA Center Support for Smart Licensing Using Policy | Cisco DNA Center supports Smart Licensing Using Policy functionality starting with Cisco DNA Center Release 2.2.2. The corresponding minimum required Cisco IOS XE Release for this platform is Cisco IOS XE Amsterdam 17.3.2a. Implement the “Connected to CSSM Through a Controller” topology to have Cisco DNA Center manage a product instance. When you do, the product instance records license usage, but it is the Cisco DNA Center that initiates communication with the product instance to retrieve and report usage to Cisco Smart Software Manager (CSSM), and returns the acknowledgement (RUM ACK). In order to meet reporting requirements, Cisco DNA Center provides ad hoc or on-demand reporting, as well as scheduled reporting options. For more information, see the Smart Licensing Using Policy chapter. |
What's New in Cisco IOS XE Amsterdam 17.3.1
Feature Name | Description and Documentation Link |
---|---|
Access Point Audit Configuration | In this release, the AP Audit Configuration feature helps to detect wireless service synchronization issues between the controller and AP. Two methods are implemented to support the AP audit configuration. The following commands were introduced: For more information, see the AP Audit Configuration chapter. |
Access Point Image Download Time Enhancement | This feature adds support for multiple sliding windows for control packets going from the controller to the AP. The following commands were introduced: For more information, see the AP Image Download Time Enhancement chapter. |
Access Point Support Bundle | You can now retrieve the support bundle information of an AP and export it to the controller or an external server. The AP support bundle contains core files, crash files, show run-configuration, configuration commands, msglog, and traplog. Until Cisco IOS XE 17.2.1 Release, you had to log in to the AP console to retrieve the AP support-bundle information. The following commands were introduced: For more information about Access Point Support Bundle, see the AP Support Bundle chapter. |
Application Visibility and Control support | From this release onwards, AVC is supported on Cisco Industrial Wireless 3702 Access Point. |
BLE Management in the Controller | From this release onwards, you can enable the BLE radio configuration globally, manually configure the gRPC token on the controller, and manually enable gRPC in the AP profile. The following commands were introduced: For more information about BLE management in the controller, see the BLE Management in the Controller chapter. |
Cisco DNA Center Assurance Wi-Fi 6 | The Cisco DNA Center Assurance Wi-Fi 6 dashboard provides a visual representation of the wireless network. In this release, commands to troubleshoot this network are introduced. For more information, see the Cisco DNA Center Assurance Wi-Fi 6 Dashboard chapter. |
Client Roaming Across Policy Profile | The controller allows seamless roaming between the same WLAN associated with different policy profiles. For more information, see The following command was introduced: |
Support for Spectrum Intelligence in Cisco Catalyst 9115 AP | From this release, the Spectrum Intelligence feature is supported on Cisco Catalyst 9115 Access Points. For more information, see the Spectrum Intelligence chapter. |
Embedded Wireless on Cisco Catalyst 9000 Series Switches for Single Secure Site Deployment (Non-SDA) | The Cisco Integrated Wireless on Cisco Catalyst 9000 Series Switches is the next-generation Wi-Fi solution, combining the most advanced features of the Cisco Catalyst 9800 Series Wireless controller with the Catalyst 9000 series switches, creating a best-in-class wireless experience that provides enterprise-class resiliency, security, and IT simplicity for single site deployments. For more information, see the Embedded Wireless on Cisco Catalyst 9000 Series Switches for Single Secure Site Deployment (Non-SDA) chapter. |
Enable/Disable IW3702 Heaters | Cisco Industrial Wireless 3702 Access Point has two heaters that are enabled by default and will start to work when the environment temperature is under -20°C. If you determine that the environment temperature where the AP is deployed will never be under -20°C, you can turn off the heaters, which allows the APs to request less power from the device when the AP is powered by PoE+. To display the AP temperature, status, and the heater operational status, you can use the following command. |
Enhanced Certificate Management Through GUI | The Public Key Infrastructure (PKI) Management page now displays the following tabs: Trustpoints tab: Used to add, create, or enroll a new trustpoint. This also displays the current trustpoints configured on the controller and other details of the trustpoint. You can also see if the trustpoint is in use for any of the features. CA Server tab: Used to enable or disable the Certificate Authority (CA) server functionality on the controller. The CA server functionality should be enabled for the controller to generate a Self-Signed Certificate (SSC). Key Pair Generation tab: Used to generate key pairs. Certificate Management tab: Used to generate and manage certificates, and perform all certificate-related operations, on the controller. For more information about certificate management, see the Certificate Management chapter. |
Enhanced Mesh Convergence | Mesh convergence allows MAPs to reestablish connection with the controller when they lose the backhaul connection with the current parent. |
Ethernet Daisy Chain on Cisco Industrial Wireless 3702 | The Cisco Industrial Wireless 3702 Access Points have the capability to daisy chain APs when they function as MAPs. The daisy chained MAPs can either operate the APs as a serial backhaul, allowing different channels for uplink and downlink access, thus improving backhaul bandwidth, or extend universal access. The following command was introduced: |
External Modules | The external module enables traffic to flow in and out from the Cisco Aironet Developer Platform module, when an AP is in both local and flex connect mode. In this release, the following command was introduced: For more information on configuring external modules, see the RLAN External Module chapter. |
Flexible Antenna Port Configuration for Cisco Industrial Wireless 3702 | The presence of multiple antennas on the transmitters and the receivers of APs results in better performance and reliability of the APs. The following commands were introduced: For more details, see the Cisco Flexible Antenna Port chapter. |
gNMI Configuration Persistence | The gNMI Configuration Persistence feature ensures that all successful configuration changes made through gNMI SET persist in the configuration after a device restart. |
Hotspot 2.0 Updates | The Hotspot 2.0 R3 has added options such as new ANQP elements, Terms & Conditions, and integration of OSEN security and WPA2 security on the same SSID. The following commands were introduced: For more information on the Hotspot 2.0 feature enhancements, see the Hotspot 2.0 chapter. |
HTTP and HTTPS Requests for Web Authentication | From Cisco IOS XE Amsterdam 17.3.1 onwards, to control the HTTP and HTTPS requests sent to the web authentication module, new commands that are listed below are introduced under the global parameter map parameters. The following commands were introduced: For more information, see the Configuring HTTP and HTTPS Requests for Web Authentication section. |
IoT Module Management in the Controller | The IoT Module Management solution uses the USB interface on the Cisco Catalyst 9105AXI, 9105AXW, 9115AX, 9117AX, 9120AX, and 9130AX series Access Points to connect to the IoT connector. These APs host the third-party application software components that act as containers. Cisco DNAC helps in the provisioning, deployment, and in controlling the container applications on the APs. The controller and the APs are managed by Cisco DNAC. You can connect the USB modules to the APs, then log in to the controller and run the commands to enable the USB and Cisco IOx application to the APs associated in the AP profile group. The following commands were introduced: For more information, see the IoT Module Management in the Controller chapter. |
Mesh - 2.4 GHz Mesh Backhaul | In certain countries, you might prefer to use 2.4 GHz radio frequencies to achieve much larger mesh or bridge distances. For more information, see the Mesh Access Points chapter. |
Mesh Off Channel Background Scanning | This release supports off channel background scanning for Mesh APs. For more information, see the Mesh Access Points chapter. |
Multicast Filtering | In this release, the Multicast Filtering feature is supported on Layer 3 for IPv6. When you enable this feature, the APs will stop forwarding multicast packets to the clients. For more information, see the Multicast Filtering chapter. |
Address Resolution Protocol (ARP) and Neighbor Discovery (ND) Proxy | Neighbor Discovery (ND) Proxy is the ability of the controller to respond to the Neighbor Solicitation packet destined to the wireless clients. The following commands were introduced: For more information, see the IPv6 Client IP Address Learning chapter. |
OFDMA in Cisco Catalyst 9130 APs | Both Uplink and Downlink Orthogonal frequency-division multiple access (UL OFDMA and DL OFDMA) features are supported in Cisco Catalyst 9130 APs in this release. |
Retain Client for 10 seconds after delete | The controller retains the client session for 10 seconds instead of immediately deleting it, for a few clients. This feature is applicable for run state clients. If any client status shows as controller IPLEARN or Authenticating, that client entry will be removed from the controller, and only run state clients will be moved to idle state. This is supported on central authentication with local and flex mode enabled. You must execute the following commands to view the clients in idle state. |
Rogue Containment and AP Impersonation Detection based on AP Authentication | In Cisco IOS XE Amsterdam 17.3.1 Release, a rogue device that is enabled with 802.11w Protected Management Frames (PMF) is not contained. Instead, the rogue device is marked as Contained Pending and a wireless service assurance (WSA) alarm is raised to inform about the event. As the device containment is not performed, AP resources are not consumed unnecessarily. The AP Authentication feature allows you to detect AP impersonation. When you enable this feature, the controller creates an AP domain secret and shares it with other APs in the same network. This allows the APs to authenticate each other. Also, this is enhanced using two other methods: The following command was introduced: For more information, see the Managing Rogue Devices chapter. |
Standby Monitoring | The Standby Monitoring feature allows you to monitor the health of the standby controller directly from the standby, without going through the active controller. The following commands were introduced: For more information, see the High Availability chapter. |
Support for Cisco Catalyst 9105 Series APs | Support is added for Cisco Catalyst 9105I and 9105W APs in this release. |
Support for Configuring SR-IOV for KVM and VMware ESXi Environments | Starting with this release, SR-IOV can be configured on KVM and ESXi environments. For more information on configuring SR-IOV for KVM and ESXi, see the following sections: |
Cisco User Defined Network (UDN) Mobile Application | The Cisco User Defined Network (UDN) mobile application helps create a user defined network and restrict access to devices unless they are invited to share the network. For more information, see User Guide for Cisco User Defined Network Mobile Application. |
Support for Configuring High Throughput Templates on Cisco Catalyst 9800-CL Cloud Wireless Controller | From 17.3 release onwards, high throughput templates can be configured on the Cisco Catalyst 9800-CL Cloud Wireless Controller private cloud instances. With this enhancement, the throughput can be raised from 2 Gbps to 5 Gbps. For information on the supported templates and hardware requirements, see Supported Templates and Hardware Requirements. |
Syslog Support for Client State Change | The Syslog Support for Client State Change feature enables you to track the client details such as IP addresses, AP names, and so on. The following commands were introduced: |
Support for Direct-Sequence (DS) Parameter Set | The managed APs will now have additional information about the DS Parameter Set of the detected Rogue AP, in the Rogue AP reports. If an impersonation attack is detected, the controller checks if the reported DS channel matches one of the recent channels used by the managed APs. If a match is not found, a DS channel attack alarm is raised through the wireless service assurance (WSA) impersonation alarm. |
Tri-Radio (Dynamic) | Support for Dual Radio role is added to the Tri-Radio feature. This feature enables FRA to dynamically choose between dual radio and tri-radio mode and determine the radio role as client-serving or monitor for the individual radios. For more information, see the Cisco Access Points with Tri-Radio chapter. |
Uplink MU-MIMO in Cisco Catalyst 9130 APs | The Uplink Multi-user multiple-input and multiple-output (UL MU MIMO) feature is supported in Cisco Catalyst 9130 APs in this release. |
User Defined Network | A user defined network (UDN) is a solution that is aimed at providing secure and remote on-boarding of devices in shared service environments like dormitory rooms, resident halls, classrooms, and auditoriums. For more information, see the User Defined Network chapter. |
WIPS: Advanced Security Enhancements | The following WIPS alarms were included in this release: |

Feature Name | Web UI Path |
---|---|
Dark Mode option | You can enable Dark Mode in the GUI. Dark Mode (screen with light text in a dark background) is best suited for reducing eye strain, especially in low-light conditions. Screen glare and flickering are also reduced. Click the Preferences icon (the gear icon) > Dark Mode option |
Download AP support bundle from the GUI | Configuration > Wireless > Access Points > Edit AP |
Enhanced Certificate Management Through the GUI | Configuration > Security > PKI Management |
Embedded Wireless on Cisco Catalyst 9000 Series Switches for Single Secure Site Deployment (Non-SDA) | Configuration > Embedded Wireless Setup |
Open Roaming | Configuration > Wireless > Hotspot/OpenRoaming |
Software Upgrade page enhancement | Administration > Software Management > Software Upgrade |
Tracking of appliance temperature in the System Information dashlet | Cisco Catalyst 9800 Wireless Controller GUI Dashboard |
Tri-Radio (Dynamic) | |

Model Configuration | Small (Low Throughput) | Medium (Low Throughput) | Large (Low Throughput) | Small (High Throughput) | Medium (High Throughput) | Large (High Throughput) |
---|---|---|---|---|---|---|
Minimum number of vCPUs (Hyperthreading is not supported) | 4 | 6 | 10 | 7 | 9 | 13 |
Minimum CPU Allocation (MHz) | 4,000 | 6,000 | 10,000 | 4,000 | 6,000 | 10,000 |
Minimum Memory (GB) | 8 | 16 | 32 | 8 | 16 | 32 |
Required Storage (GB) | 16 | 16 | 16 | 16 | 16 | 16 |
Virtual NICs (vNIC) (*) 3rd NIC for High Availability | 2/(3)* | 2/(3)* | 2/(3)* | 2/(3)* | 2/(3)* | 2/(3)* |
MIBs
The following MIBs were modified.
- CISCO-LWAPP-AP-MIB.my
  - Added the following scalar objects:
    - cLApGlobalAPAuditReport
    - cLApGlobalAPAuditReportInterval
  - Added following objects to the cLApProfileEntry table:
    - cLApProfilePersistentSsidBroadcastEnable
    - cLApProfileDhcpFallback
- CISCO-LWAPP-DOT11-CLIENT-CALIB-MIB.my
- CISCO-LWAPP-DOT11-CLIENT-MIB.my
- CISCO-LWAPP-DOT11-MIB.my
- CISCO-LWAPP-WLAN-SECURITY-MIB.my
- CISCO-WIRELESS-HOTSPOT-MIB.my
- CISCO-LWAPP-REAP-MIB.my
- CISCO-LWAPP-WLAN-MIB.my
  - cLWlanWifiDirectPolicyStatus: The following policy value was added.
    - xconnectNotAllow
Compliance with Pyang
Some models are not fully compliant with all IETF guidelines as exemplified by running the pyang tool with the --lint flag. The errors and warnings exhibited by running pyang with the --lint flag are currently deemed to be non-critical as they do not impact the semantics of the models or prevent the models being used as part of tool chains. A script has been provided, "check-models.sh", that runs pyang with --lint validation enabled, but ignoring certain errors. This allows the developer to determine what issues may be present.
As part of the model validation for this release, we are ignoring the "LEAFREF_IDENTIFIER_NOT_FOUND" and "STRICT_XPATH_FUNCTIONS" error types. The missing leafref reference errors are due to a pyang bug that needs to be fixed, and some of the XPATH function errors are false positives that are handled in the newer version of pyang (2.3.2).
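One way to gate a build on the lint result described above while tolerating only the two named error types, as an added example (it is not Cisco's check-models.sh, whose contents are not shown in these notes). It assumes pyang's --msg-template option is used to produce the pipe-separated layout below; the function names, file names, and sample output lines are constructed for illustration.

```python
"""Triage pyang --lint findings: tolerate only the two error types the
release notes say are ignored, and fail closed on everything else."""
import subprocess
from collections import Counter

# The two error types the release notes say are ignored for this release.
IGNORED_CODES = frozenset({"LEAFREF_IDENTIFIER_NOT_FOUND", "STRICT_XPATH_FUNCTIONS"})

# Assumption: diagnostics are requested in this layout via --msg-template.
MSG_TEMPLATE = "{file}|{line}|{code}|{level}|{msg}"


def run_pyang_lint(yang_files, search_path="."):
    """Run pyang --lint and return its diagnostics (stdout and stderr merged)."""
    cmd = ["pyang", "--lint", "--path", search_path,
           f"--msg-template={MSG_TEMPLATE}", *yang_files]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True, check=False)
    return proc.stdout


def parse_finding(line):
    """Return a finding dict, or None if the line is not in the expected layout."""
    parts = line.split("|", 4)  # maxsplit keeps any '|' inside the message
    if len(parts) != 5 or not parts[1].isdigit() or parts[3] not in ("error", "warning"):
        return None
    path, lineno, code, level, msg = parts
    return {"file": path, "line": int(lineno), "code": code, "level": level, "msg": msg}


def triage(output):
    """Sort lint output into ignored, blocking, warning, and unparsed buckets."""
    report = {"ignored": [], "blocking": [], "warnings": [], "unparsed": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        finding = parse_finding(line)
        if finding is None:
            # A crash trace or unexpected format must not pass silently.
            report["unparsed"].append(line)
        elif finding["code"] in IGNORED_CODES:
            report["ignored"].append(finding)
        elif finding["level"] == "error":
            report["blocking"].append(finding)
        else:
            report["warnings"].append(finding)
    return report


def gate(report):
    """True only when nothing outside the ignore list failed and all lines parsed."""
    return not report["blocking"] and not report["unparsed"]


def ignored_over_baseline(report, baseline):
    """Return ignored codes whose count grew past a recorded baseline.

    Ignoring an error type should not hide new instances of it, so the
    tolerated count is tracked instead of discarded.
    """
    counts = Counter(f["code"] for f in report["ignored"])
    return {code: n - baseline.get(code, 0)
            for code, n in counts.items() if n > baseline.get(code, 0)}


# Constructed sample output in MSG_TEMPLATE layout (not real pyang output).
SAMPLE_OUTPUT = """\
example-wireless-cfg.yang|120|LEAFREF_IDENTIFIER_NOT_FOUND|error|constructed message
example-wireless-cfg.yang|301|STRICT_XPATH_FUNCTIONS|error|constructed message
example-wireless-cfg.yang|305|STRICT_XPATH_FUNCTIONS|error|constructed | message with a pipe
example-ap-oper.yang|14|LINT_MISSING_REQUIRED_SUBSTMT|error|constructed message
example-ap-oper.yang|58|LONG_LINE|warning|constructed message
Traceback (most recent call last):
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_OUTPUT)
    for bucket, items in rep.items():
        print(f"{bucket}: {len(items)}")
    print("gate passed:", gate(rep))
    print("ignored growth:", ignored_over_baseline(
        rep, {"LEAFREF_IDENTIFIER_NOT_FOUND": 1, "STRICT_XPATH_FUNCTIONS": 1}))
```

To run it against real models, pass the result of run_pyang_lint([...]) to triage() in place of SAMPLE_OUTPUT.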
Interactive Help
The Cisco Catalyst 9800 Series Wireless Controller GUI features an interactive help that walks you through the GUI and guides you through complex configurations.
You can start the interactive help in the following ways:
- By hovering your cursor over the blue flap at the right-hand corner of a window in the GUI and clicking Interactive Help.
- By clicking Walk-me Thru in the left pane of a window in the GUI.
- By clicking Show me How displayed in the GUI. Clicking Show me How triggers a specific interactive help that is relevant to the context you are in.
For instance, Show me How in Configure > AAA walks you through the various steps for configuring a RADIUS server. Choose Configuration > Wireless Setup > Advanced and click Show me How to trigger the interactive help that walks you through the steps relating to various kinds of authentication.
The following features have an associated interactive help:
- Configuring AAA
- Configuring FlexConnect Authentication
- Configuring 802.1x Authentication
- Configuring Local Web Authentication
- Configuring OpenRoaming
- Configuring Mesh APs
Note: If the WalkMe launcher is unavailable on Safari, modify the settings as follows:
Behavior Change
- From Cisco IOS XE Amsterdam 17.3.5a onwards, rate limiting is performed for ARP packets for each client to prevent a denial-of-service attack. If a client sends an ARP storm, then the client is excluded. To configure rate limiting, use the ip arp-limit rate command at the policy profile level.
- Cisco CleanAir feature is supported on the Cisco Catalyst 9120AXE Access Points from Cisco IOS XE Amsterdam Release 17.3.x.
- In-Service Software Upgrade (ISSU) feature is supported officially from this release.
- If a switchover occurs while performing Rolling AP Upgrade during ISSU, the Rolling Upgrade process will restart automatically after the switchover.
- From Cisco IOS XE Amsterdam 17.3.1 onwards, Cisco Catalyst 9800-CL Wireless Controller requires 16 GB of disk space for new deployments.
- If you are upgrading to Cisco IOS XE Amsterdam 17.3.x from a previous release, resizing of disk space is not supported. If the current disk space is less than 16 GB, you need to redeploy the VM to meet the new disk space requirements.
- From Cisco IOS XE Amsterdam 17.3.1 onwards, a higher number of port channels is supported on the following Cisco Catalyst 9800 Series Wireless Controllers:
  - Cisco Catalyst 9800-80 Wireless Controller: From 1-40 to 1-64
  - Cisco Catalyst 9800-40 Wireless Controller: From 1-4 to 1-16
  - Cisco Catalyst 9800-L Wireless Controller: From 1-6 to 1-14

  If you downgrade from Cisco IOS XE Amsterdam 17.3.1 to an earlier release, the port channels that are configured with higher range will disappear.
- From Cisco IOS XE Amsterdam 17.3.1 onwards, the AP name can only be up to 32 characters.
- When EoGRE AAA-proxy is used, AAA ports are set to 1645 and 1646 by default. To change this port configuration, use the following command: tunnel eogre interface tunnel-intf aaa proxy key key key-name auth-port auth_port acct-port acct_port
- Mobility Tunnel will go down and come up if SSO is triggered due to gateway check failure.
- Support is added for the LED blink in Cisco Catalyst 9800 Wireless Controllers.
- A log viewer window is added to the GUI to view radioactive trace logs.
- A new field is added to display the AP configuration state in the GUI.
- The column header in rogue detection is changed from MFP Required to PMF Required.
- The Central Forwarding field that was present in the EoGRE > Tunnel Profiles > Edit Tunnel Profile > General tab has been removed.
- From Cisco IOS XE Amsterdam 17.3.1, the LED Flash configuration under AP profile is deprecated. The following command is deprecated: ledflash {duration | indefinite}. To enable or disable LED Flash, use the ap name led flash command in the Privileged EXEC mode.
- From Cisco IOS XE Amsterdam 17.3.1 onwards, the command ap country is deprecated and renamed as wireless country <1 country code>, where you can enter country codes for more than 20 countries. Although the existing command ap country is still functional, it is recommended that you use the wireless country <1 country code> command.
- Windows 10 cannot be connected using Intel chipset series such as 260, 9560, AX200, AX201, and AX210 to a WLAN configured with security WPA3 or WPA2 with Protected Management Frames (PMF) requirements. This is a limitation in Windows and is only fixed in Windows version 21H2.
- To migrate public IP address from 16.12.x to 17.x, ensure that you configure the service internal command. Failing to do so will not carry forward the IP address.
Important Notes
- To migrate public IP address from 16.12.x to 17.x, ensure that you configure the service internal command. If you do not configure the service internal command, the IP address does not carry forward.
Supported Hardware
The following table lists the supported virtual and hardware platforms. (See Table 3 for the list of supported modules.)
Platform |
Description |
---|---|
Cisco Catalyst 9800-80 Wireless Controller |
A modular wireless controller with up to 100-GE modular uplinks and seamless software updates. The controller occupies 2-rack unit space and supports multiple module uplinks. |
Cisco Catalyst 9800-40 Wireless Controller |
A fixed wireless controller with seamless software updates for mid-size to large enterprises. The controller occupies 1-rack unit space and provides four 1-GE or 10-GE uplink ports. |
Cisco Catalyst 9800 Wireless Controller for Cloud |
A virtual form factor of the Catalyst 9800 Wireless Controller that can be deployed in a private cloud (supports ESXi, KVM, Microsoft Hyper-V, and NFVIS on ENCS hypervisors), or in the public cloud as Infrastructure as a Service (IaaS) in Amazon Web Services (AWS) and Google Cloud Platform (GCP) marketplace. |
Cisco Catalyst 9800 Embedded Wireless Controller for Switch |
The Catalyst 9800 Wireless Controller software for the Cisco Catalyst 9000 switches brings the wired and wireless infrastructure together with consistent policy and management. This deployment model supports only SD Access, which is a highly secure solution for small campuses and distributed branches. |
Cisco Catalyst 9800-L Wireless Controller |
The Cisco Catalyst 9800-L Wireless Controller is the first low-end controller that provides a significant boost in performance and features. |
The following table lists the host environments supported for private and public cloud.
Host Environment |
Software Version |
---|---|
VMware ESXi |
|
KVM |
|
AWS |
AWS EC2 platform |
NFVIS |
ENCS 3.8.1 and 3.9.1 |
GCP |
GCP marketplace |
Microsoft Hyper-V |
Windows 2019 Server and Windows Server 2016 (Version 1607) with Hyper-V Manager (Version 10.0.14393) |
The following table lists the supported Cisco Catalyst 9800 Series Wireless Controller hardware models.
The Base PIDs are the model numbers of the controller.
The Bundled PIDs indicate the orderable part numbers for the Base PIDs that are bundled with a particular network module. Running the show version, show module, or show inventory command on such a controller (bundled PID) displays its Base PID.
Note that unsupported SFPs will bring down a port. Only Cisco-supported SFPs (GLC-LH-SMD and GLC-SX-MMD) should be used on the RP port of C9800-80-K9 and C9800-40-K9.
Controller Model |
Description |
---|---|
C9800-CL-K9 |
Cisco Catalyst Wireless Controller as an infrastructure for Cloud. |
C9800-80-K9 |
Eight 1/10-Gigabit Ethernet SFP or SFP+ ports and two power supply slots. The following SFPs are supported:
|
The following enhanced SFPs are supported:
|
|
The following QSFP+s are supported:
|
|
C9800-40-K9 |
Four 1/10-Gigabit Ethernet SFP or SFP+ ports and two power supply slots. The following SFPs are supported:
|
The following enhanced SFPs are supported:
|
|
C9800-L-C-K9 |
The following SFPs are supported:
|
C9800-L-F-K9 |
The following SFPs are supported:
|
Optics Modules
Cisco Catalyst 9800 Series Wireless Controller supports a wide range of optics. The list of supported optics is updated on a regular basis. See the tables at the following location for the latest transceiver module compatibility information:
https://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Supported APs
The following Cisco APs are supported in this release.
Indoor Access Points
-
Cisco Catalyst 9105AXI Access Points
-
VID 04 or later - supported from 17.3.6
-
VID 03 or earlier - supported in all 17.3.x releases
-
-
Cisco Catalyst 9105AXW Access Points
-
VID 02 or later - supported from 17.3.6
-
VID 01 or earlier - supported in all 17.3.x releases
-
-
Cisco Catalyst 9115AX (I/E) Access Points
-
Cisco Catalyst 9117AXI Access Points
-
Cisco Catalyst 9120AX (I/E) Access Points
-
VID 07 or later - supported from 17.3.6
-
VID 06 or earlier - supported in all 17.3.x releases
-
-
Cisco Catalyst 9120AXP Access Points
-
Cisco Catalyst 9130AX (I/E) Access Points
-
VID 03 or later - supported from 17.3.6
-
VID 02 or earlier - supported in all 17.3.x releases
(For information about Cisco Catalyst 9105, 9120, or 9130 Access Points version support, see the Field Notice 72424.)
-
-
Cisco Aironet 1700 Series Access Points
-
Cisco Aironet 1800I, 1815 (I/W), 1830 (I), 1840 (I), and 1850 (I/E) Access Points
-
Cisco Aironet 2700 Series Access Points
-
Cisco Aironet 2800 (I/E) Series Access Points
-
Cisco Aironet 3700 Series Access Points
-
Cisco Aironet 3800 (I/E/P) Series Access Points
-
Cisco Aironet 4800 Series Access Points
Outdoor Access Points
-
Cisco Aironet 1540 Access Points
-
Cisco Aironet 1560 Series Access Points
-
Cisco Aironet 1570 Series Access Points
-
Cisco Industrial Wireless 3700 Series Access Points
-
Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point
-
Cisco 6300 Series Embedded Services Access Point
-
Cisco Catalyst 9124AXI Access Points - supported from 17.3.4
-
Cisco Catalyst 9124AXD Access Points - supported from 17.3.4
-
Cisco Catalyst 9124AXE Access Points - supported from 17.3.5a
Note |
Do not enable Efficient Image Download feature on controllers running Cisco IOS XE Amsterdam 17.3.x when there are Cisco Catalyst 9124AX and Cisco Catalyst 9130AX APs in the same group. |
Integrated Access Points
-
Integrated Access Point on Cisco 1100 ISR
Network Sensor
-
Cisco Aironet 1800s Active Sensor
For information about Cisco Wireless software releases that support specific Cisco AP modules, see the "Software Release Support for Specific Access Point Modules" section in the Cisco Wireless Solutions Software Compatibility Matrix document.
Compatibility Matrix
The following table provides software compatibility information.
Cisco Catalyst 9800 Series Wireless Controller Software |
Cisco Identity Services Engine |
Cisco CMX |
Cisco Prime Infrastructure |
Cisco AireOS-IRCM Interoperability |
Cisco DNA Center |
---|---|---|---|---|---|
Amsterdam 17.3.7 |
3.1 3.0 2.7 2.6 2.4 |
10.6.2 10.6 10.5.1 |
3.10.1 3.9.1 3.9 3.8.1 |
8.10.171.0 8.10.162.0 8.10.160.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.182.104 8.5.176.2 8.5.164.216 |
|
Amsterdam 17.3.6 |
3.1 3.0 2.7 2.6 2.4 |
10.6.2 10.6 10.5.1 |
3.10.1 3.9.1 3.9 3.8.1 |
8.10.171.0 8.10.162.0 8.10.160.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.182.104 8.5.176.2 8.5.164.216 |
|
Amsterdam 17.3.5b |
3.1 3.0 2.7 2.6 2.4 |
10.6.2 10.6 10.5.1 |
3.10.1 3.9.1 3.9 3.8.1 |
8.10.171.0 8.10.162.0 8.10.160.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.182.104 8.5.176.2 8.5.164.216 8.5.164.0 |
|
Amsterdam 17.3.5a |
3.1 3.0 2.7 2.6 2.4 |
10.6.2 10.6 10.5.1 |
3.10.1 3.9.1 3.9 3.8.1 |
8.10.171.0 8.10.162.0 8.10.160.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.182.104 8.5.176.2 8.5.164.216 8.5.164.0 |
|
Amsterdam 17.3.4c |
3.0 2.7 2.6 2.4 |
10.6.2 10.6 10.5.1 |
3.9.1 3.9 3.8.1 |
8.10.171.0 8.10.162.0 8.10.160.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.176.0 8.5.164.0 |
|
Amsterdam 17.3.4 |
3.0 2.7 2.6 2.4 |
10.6.2 10.6 10.5.1 |
3.9.1 3.9 3.8.1 |
8.10.171.0 8.10.162.0 8.10.160.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.176.0 8.5.164.0 |
|
Amsterdam 17.3.3 |
2.7 2.6 2.4 |
10.6.2 10.6 10.5.1 |
3.9 3.8.1 |
8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.164.0 8.5.182.104 8.5.152.103 8.5.164.216 8.5.176.2 |
|
Amsterdam 17.3.2a |
2.7 2.6 P6 2.4 |
10.6.2 10.6 10.5.1 |
3.8.1 |
8.10.171.0 8.10.162.0 8.10.151.0 8.10.142.0 8.10.130.0 8.8.130.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.164.0 8.5.182.104 8.5.152.103 8.5.164.216 8.5.176.2 |
|
Amsterdam 17.3.1 |
2.7 2.6 P6 2.4 |
10.6.2 10.6 10.5.1 |
3.8.1 |
8.10.171.0 8.10.162.0 8.10.142.0 8.10.130.0 8.10.122.0 8.10.121.0 8.10.113.0 8.10.112.0 8.10.105.0 8.9.111.0 8.9.100.0 8.8.125.0 8.8.120.0 8.8.111.0 8.5.164.0 8.5.182.104 8.5.152.103 8.5.164.216 8.5.176.2 |
GUI System Requirements
The following subsections list the hardware and software required to access the Cisco Catalyst 9800 Controller GUI.
Processor Speed |
DRAM |
Number of Colors |
Resolution |
Font Size |
---|---|---|---|---|
233 MHz minimum |
512 MB |
256 |
1280 x 800 or higher |
Small |
Software Requirements
Operating Systems:
-
Windows 7 or later
-
Mac OS X 10.11 or later
Browsers:
-
Google Chrome: Version 59 or later (on Windows and Mac)
-
Microsoft Edge: Version 40 or later (on Windows)
-
Safari: Version 10 or later (on Mac)
-
Mozilla Firefox: Version 60 or later (on Windows and Mac)
Note |
Firefox Version 63.x is not supported. |
The controller GUI uses Virtual Terminal (VTY) lines for processing HTTP requests. At times, when multiple connections are open, the default number of VTY lines of 15 set by the device might get exhausted. Therefore, we recommend that you increase the number of VTY lines to 50.
To increase the VTY lines in a device, run the following commands in the following order:
-
device# configure terminal
-
device(config)# line vty 50
A best practice is to configure the service tcp-keepalives to monitor the TCP connection to the device.
-
device(config)# service tcp-keepalives-in
-
device(config)# service tcp-keepalives-out
Before You Upgrade
Ensure that you familiarize yourself with the following points before proceeding with the upgrade:
APs running Cisco IOS-XE 17.9.3 might encounter issues when attempting to upgrade their software due to insufficient space in the /tmp directory. When the /tmp space on the AP becomes full, it prevents the download of the new AP image. In such instances, we recommend that you reboot the AP.
Wave 2 APs may get into a boot loop when upgrading software over a WAN link. For more information, see: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220443-how-to-avoid-boot-loop-due-to-corrupted.html.
Caution |
During controller upgrade or reboot, if route processor ports are connected to any Cisco switch, ensure that the route processor ports are not flapped (shut/no shut process). Otherwise, it may lead to a kernel crash. |
Note |
|
The following Wave 1 APs are not supported from 17.4 to 17.9.2, 17.10.x and 17.11.x:
-
Cisco Aironet 1570 Series Access Point
-
Cisco Aironet 1700 Series Access Point
-
Cisco Aironet 2700 Series Access Point
-
Cisco Aironet 3700 Series Access Point
Note |
|
-
If APs fail to detect the backup image after running the archive download-sw command, perform the following steps:
-
Upload the image using the no-reload option of the archive download-sw command:
Device# archive download-sw /no-reload tftp://<tftp_server_ip>/<image_name>
-
Restart the CAPWAP process using the capwap ap restart command. This allows the AP to use the correct backup image after the restart (a reload is not required).
Device# capwap ap restart
Caution
The AP will lose connection to the controller during the join process. When the AP joins the new controller, it will see a new image in the backup partition. So, the AP will not download a new image from the controller.
-
-
The controller reloads automatically when a cold patch is applied using web UI. This behavior is applicable to 17.3.x and 17.6.x releases.
-
Fragmentation lower than 1500 is not supported for the RADIUS packets generated by wireless clients in the Gi0 (OOB) interface.
-
Cisco IOS XE allows you to encrypt all the passwords used on the device. This includes user passwords and SSID passwords (PSK). For more information, see the "Password Encryption" section of the Cisco Catalyst 9800 Series Configuration Best Practices document.
-
While upgrading the Cisco Catalyst 9800-80 Wireless Controller to Cisco IOS XE Amsterdam 17.3.4 using BUNDLE mode, ensure that the ROMMON version is 16.12.5r. Otherwise, the controller gets stuck in a boot loop. We recommend that you upgrade the ROMMON version to 16.12.5r, even for the INSTALL mode upgrade. Note that this recommendation is not applicable to other versions of the Cisco Catalyst 9800 Wireless Controller.
For information about how to upgrade the ROMMON, see the "Upgrading Field Programmable for Cisco Catalyst 9800-80 Wireless Controller" section of the Upgrading Field Programmable Hardware Devices for Cisco Catalyst 9800 Series Wireless Controllers document.
-
While upgrading to Cisco IOS XE 17.3.x and later releases, if the ip http active-session-modules none command is enabled, you will not be able to access the controller GUI using HTTPS. To access the GUI using HTTPS, run the following commands in the order specified below:
-
ip http session-module-list pkilist OPENRESTY_PKI
-
ip http active-session-modules pkilist
-
-
Cisco Aironet 1815T OfficeExtend Access Point will be in local mode when connected to the controller. However, when it functions as a standalone AP, it gets converted to FlexConnect mode.
-
If you have configured FIPS mode, ensure that you remove the security wpa wpa1 cipher tkip command configuration from WLANs before upgrading to Cisco IOS XE Amsterdam 17.3.x from an earlier version. Failure to do so will set the WLAN security to TKIP, which is not supported in FIPS mode. After the upgrade, reconfigure WLAN with AES.
-
The Cisco Catalyst 9800 devices running Cisco IOS XE Amsterdam 17.3.1 can either support the BLE solution with Cisco Spaces, or the Network Assurance solution with Cisco DNA Center. The Network Assurance (including iCAP) and BLE solution are mutually exclusive. That is, if Network Assurance or iCAP has to be enabled on a device, the BLE solution cannot be deployed. In the same way, if the BLE solution has to be enabled on a device, Network Assurance and iCAP cannot be deployed.
-
The Cisco Catalyst 9800-L Wireless Controller may fail to respond to the BREAK signals received on its console port during boot time, preventing users from getting to the ROMMON. This problem is observed on the controllers manufactured until November 2019, with the default config-register setting of 0x2102. This problem can be avoided if you set config-register to 0x2002. This problem is fixed in the 16.12(3r) ROMMON for Cisco Catalyst 9800-L Wireless Controller. For information about how to upgrade the ROMMON, see the Upgrading ROMMON for Cisco Catalyst 9800-L Wireless Controllers section of the Upgrading Field Programmable Hardware Devices for Cisco Catalyst 9800 Series Wireless Controllers document.
-
By default, the controller uses a TFTP block size value of 512, which is the lowest possible value. This default setting is used to ensure interoperability with legacy TFTP servers. If required, you can change the block size value to 8192 to speed up the transfer process, using the ip tftp blocksize command in global configuration mode.
-
We recommend that you configure the password encryption aes and the key config-key password-encrypt key commands to encrypt your password.
-
If the following error message is displayed after a reboot or system crash, we recommend that you regenerate the trustpoint certificate:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Use the following commands in the order specified below to generate a new self-signed trustpoint certificate:
-
device# configure terminal
-
device(config)# no crypto pki trustpoint trustpoint_name
-
device(config)# no ip http server
-
device(config)# no ip http secure-server
-
device(config)# ip http server
-
device(config)# ip http secure-server
-
device(config)# ip http authentication local/aaa
-
-
Do not deploy OVA files directly to VMware ESXi 6.5. We recommend that you use an OVF tool to deploy the OVA files.
-
Ensure that you remove the controller from Cisco Prime Infrastructure before disabling or enabling Netconf-YANG. Otherwise, the system may reload unexpectedly.
-
Unidirectional Link Detection (UDLD) protocol is not supported.
-
SIP media session snooping is not supported on FlexConnect local switching deployments.
-
The Cisco Catalyst 9800 Series Wireless Controllers (C9800-CL, C9800-L, C9800-40, and C9800-80) support a maximum of 14,000 leases with internal DHCP scope.
-
Configuring the mobility MAC address using the wireless mobility mac-address command is mandatory for both HA and 802.11r.
-
When you configure the Cisco Catalyst 9800 Series Wireless controllers with Cisco Aironet 3700 Series Access Points through IPv6, and then connect the IPv6-capable clients, the IP addresses of all the IPv6 clients are not updated on the controller.
-
If you have Cisco Catalyst 9120 (E/I/P) and Cisco Catalyst 9130 (E) APs in your network and you want to downgrade, use only Cisco IOS XE Gibraltar 16.12.1t. Do not downgrade to Cisco IOS XE Gibraltar 16.12.1s.
-
The following SNMP variables are not supported:
-
CISCO-LWAPP-WLAN-MIB: cLWlanMdnsMode
-
CISCO-LWAPP-AP-MIB.my: cLApDot11IfRptncPresent, cLApDot11IfDartPresent
-
-
If you are upgrading from Cisco IOS XE Gibraltar 16.11.x or an earlier release, ensure that you unconfigure the advipservices boot-level licenses on both the active and standby controllers using the no license boot level advipservices command before the upgrade. Note that the license boot level advipservices command is not available in Cisco IOS XE Gibraltar 16.12.1s and 16.12.2s.
-
The Cisco Catalyst 9800 Series Wireless Controller has a service port that is referred to as GigabitEthernet 0 port.
The following protocols and features are supported through this port:
-
Cisco DNA Center
-
Cisco Smart Software Manager
-
Cisco Prime Infrastructure
-
Telnet
-
Controller GUI
-
HTTP
-
HTTPS
-
Licensing for Smart Licensing feature to communicate with CSSM
-
SSH
-
-
During device upgrade using GUI, if a switchover occurs, the session expires and the upgrade process gets terminated. As a result, the GUI cannot display the upgrade state or status.
-
From Cisco IOS XE Bengaluru 17.4.1 onwards, the telemetry solution provides a name for the receiver address instead of the IP address for telemetry data. This is an additional option. During the controller downgrade and subsequent upgrade, there is likely to be an issue: the upgrade version uses the newly named receivers, and these are not recognized in the downgrade. The new configuration gets rejected and fails in the subsequent upgrade. Configuration loss can be avoided when the upgrade or downgrade is performed from Cisco DNA Center.
-
The Cisco Catalyst 9800 Wireless Controller might reload if downgraded from 17.x to 16.12.4a. To avoid this, we recommend that you downgrade to Cisco IOS XE Gibraltar 16.12.5 instead of 16.12.4a.
Note
It is recommended to do the following:
-
Disable Spectrum Intelligence on Cisco Catalyst 9115 Access Points.
-
Disable BSS colouring feature on the controller.
-
-
It is not possible to shut down the WLAN policy profile when you downgrade from Cisco IOS XE Amsterdam 17.3.x (supporting local switching IPv6 AVC) to Cisco IOS XE Gibraltar 16.12.x (where local switching IPv6 AVC is not supported). In such instances, we recommend that you delete the existing WLAN policy profile and create a new one.
-
The following access points may encounter stability issues when you upgrade to Cisco IOS XE Amsterdam 17.3.4:
-
Cisco Aironet 1562 APs
-
Cisco Aironet 2800 Series APs
-
Cisco Aironet 3800 Series APs
-
Cisco Aironet 4800 Series APs
-
Cisco Catalyst IW6300 DC Heavy Duty Access Point
To avoid stability issues, we recommend you upgrade to Cisco IOS XE Amsterdam 17.3.4 and install AP Service Pack (APSP). For more information, see the Information About Per Site or Per AP Model Service Pack section in Software Maintenance Upgrade chapter.
Note
The AP stability issue is not applicable to Cisco IOS XE Amsterdam 17.3.7 and later releases.
-
-
Communication between Cisco Catalyst 9800 Series Wireless Controller and Cisco Prime Infrastructure uses different ports:
-
All the configurations and templates available in Cisco Prime Infrastructure are pushed through SNMP and CLI, using UDP port 161.
-
Operational data for controller is obtained over SNMP, using UDP port 162.
-
AP and client operational data leverage streaming telemetry:
-
Cisco Prime Infrastructure to controller: TCP port 830 is used by Cisco Prime Infrastructure to push the telemetry configuration to the controller (using NETCONF).
-
Controller to Cisco Prime Infrastructure: TCP port 20828 is used for Cisco IOS-XE 16.10.x and 16.11.x, and TCP port 20830 is used for Cisco IOS-XE 16.12.x, 17.1.x and later releases.
-
-
-
To migrate the public IP address from 16.12.x to 17.x, ensure that you configure the service internal command. If you do not configure the service internal command, the IP address does not get carried forward.
-
When you encounter the SNMP error SNMP_ERRORSTATUS_NOACCESS 6, it means that the specified SNMP variable is not accessible.
-
We recommend that you perform a controller reload whenever there is a change in the controller's clock time to reflect an earlier time.
Note |
The DTLS version (DTLSv1.0) is deprecated for Cisco Aironet 1800 based on latest security policies. Therefore, any new out-of-box deployments of Cisco Aironet 1800 APs will fail to join the controller and you will get the following error message:
To onboard new Cisco Aironet 1800 APs and to establish a CAPWAP connection, explicitly set the DTLS version to 1.0 in the controller using the following configuration:
Note that setting the DTLS version to 1.0 affects all the existing AP CAPWAP connections. We recommend that you apply the configuration only during a maintenance window. After the APs download the new image and join the controller, ensure that you remove the configuration. |
Upgrade Path to Cisco IOS XE Amsterdam 17.3.x
Current Software |
Upgrade Path to Cisco IOS XE Amsterdam 17.3.x Release |
---|---|
16.10.x |
Upgrade first to 16.12.5 and then to 17.3.x. |
16.11.x |
Upgrade first to 16.12.5 and then to 17.3.x. |
16.12.x |
You can upgrade directly to 17.3.x. |
17.1.x |
You can upgrade directly to 17.3.x. |
17.2.x |
You can upgrade directly to 17.3.x. |
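The configuration checks from Before You Upgrade and the upgrade-path table above can be run against a saved running-config before the maintenance window. The following is an added example, not Cisco code: the function names, check IDs, and sample configuration are constructed for illustration, and FIPS mode is supplied by the caller rather than detected from the configuration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
service tcp-keepalives-in
license boot level advipservices
ip http server
ip http secure-server
ip http active-session-modules none
wlan corp-psk 1 corp-psk
 security wpa wpa1 cipher tkip
 no shutdown
wlan guest 2 guest
 no shutdown
line vty 0 15
"""


def parse_blocks(config_text):
    """Split an IOS-style config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def version_tuple(release):
    """'16.11.1c' -> (16, 11); only major.minor matter for these checks."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(match.group(1)), int(match.group(2))


def audit(config_text, from_release, fips_mode=False):
    """Return a list of (check_id, detail) findings for a 17.3.x upgrade."""
    blocks = parse_blocks(config_text)
    top = {head for head, _ in blocks}
    release = version_tuple(from_release)
    findings = []

    # Upgrade path table: 16.10.x and 16.11.x need an intermediate hop.
    if release in ((16, 10), (16, 11)):
        findings.append(("PATH", "upgrade first to 16.12.5, then to 17.3.x"))

    # advipservices boot-level license must be unconfigured from 16.11.x or earlier.
    if release <= (16, 11) and "license boot level advipservices" in top:
        findings.append(("ADVIP", "run 'no license boot level advipservices' "
                                  "on the active and standby controllers"))

    # With this setting the GUI is unreachable over HTTPS after the upgrade.
    if "ip http active-session-modules none" in top:
        findings.append(("HTTPS-GUI", "configure 'ip http session-module-list "
                                      "pkilist OPENRESTY_PKI' then "
                                      "'ip http active-session-modules pkilist'"))

    # TKIP is not supported in FIPS mode; exact match skips the 'no ...' form.
    if fips_mode:
        for head, children in blocks:
            if head.startswith("wlan ") and "security wpa wpa1 cipher tkip" in children:
                findings.append(("FIPS-TKIP", f"WLAN {head.split()[1]}: remove TKIP "
                                              "before upgrade, reconfigure AES after"))

    # Recommended password encryption.
    if "password encryption aes" not in top:
        findings.append(("PW-ENC", "'password encryption aes' is not configured"))

    # Best-practice TCP keepalives for GUI/VTY sessions.
    for cmd in ("service tcp-keepalives-in", "service tcp-keepalives-out"):
        if cmd not in top:
            findings.append(("KEEPALIVE", f"'{cmd}' is not configured"))

    return findings


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_CONFIG, "16.11.1c", fips_mode=True):
        print(f"[{check_id}] {detail}")
```

The audit only sees what is present in the text it is given, so run it on the full running-config of both the active and standby controllers.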
Upgrading the Controller Software
This section describes the various aspects of upgrading the controller software.
For information on the upgrade process and the methods to upgrade the Cisco Catalyst 9800 Series Wireless Controller software, see the "Upgrading the Cisco Catalyst 9800 Wireless Controller Software" chapter of the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.
Finding the Software Version
The package files for the Cisco IOS XE software are stored in the system board flash device (flash:).
Use the show version privileged EXEC command to see the software version that is running on your controller.
Note |
Although the show version output always shows the software image running on the controller, the model name shown at the end of the output is the factory configuration, and does not change if you upgrade the software license. |
Use the show install summary privileged EXEC command to see the information about the active package.
Use the dir filesystem: privileged EXEC command to see the directory names of other software images that you have stored in flash memory.
Software Images
-
Release: Cisco IOS XE Amsterdam 17.3.x
-
Image: Universal
-
File Name: C9800-universalk9_wlc.17.3.x.SPA.bin
Software Installation Commands
Cisco IOS XE Amsterdam 17.3.x |
|||
---|---|---|---|
To install and activate a specified file, and to commit changes to be persistent across reloads, run the following command: device# install add file filename [activate |commit] To separately install, activate, commit, end, or remove the installation file, run the following command: device# install ?
|
|||
add file tftp: filename |
Copies the install file package from a remote location to a device, and performs a compatibility check for the platform and image versions. |
||
activate [auto-abort-timer] |
Activates the file and reloads the device. The auto-abort-timer keyword automatically rolls back image activation. |
||
commit |
Makes changes that are persistent over reloads. |
||
rollback to committed |
Rolls back the update to the last committed version. |
||
abort |
Cancels file activation, and rolls back to the version that was running before the current installation procedure started. |
||
remove |
Deletes all unused and inactive software installation files. |
Licensing
This section provides information about the licensing packages for the features that are available in the Cisco Catalyst 9800 Series Wireless Controller.
The software features that are available on the controller fall under these license categories:
-
AIR DNA Essentials (AIR-DNA-E)
-
AIR DNA Advantage (AIR-DNA-A) (Includes the features that are available with the Cisco DNA Essentials license and more.)
Note
The controller starts with AIR-DNA-A as the default. Any change in the license level requires a reboot.
Note |
After adding a new license in the Cisco Smart Software Manager (CSSM) for a customer virtual account, run the license smart renew auth command on the controller to change the license status from Out of Compliance to Authorized. |
Base Licenses
Base licenses are perpetual licenses and can be used even after the expiry of Air-DNA-A and AIR-DNA-E. Base licenses include:
-
AIR Network Essentials (AIR-NE)
-
AIR Network Advantage (AIR-NA) (Includes the features that are available in the Network Essentials license.)
License Term
The licenses are available for three-, five-, or seven-year periods.
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.
Interoperability with Clients
This section describes the interoperability of the controller software with client devices.
The following table lists the configurations used for testing client devices.
Hardware or Software Parameter |
Hardware or Software Type |
---|---|
Release |
Cisco IOS XE Amsterdam 17.3.x |
Cisco Wireless Controller |
See Supported Hardware. |
Access Points |
See Supported APs. |
Radio |
|
Security |
Open, PSK (WPA2-AES), 802.1X (WPA2-AES) (EAP-FAST, EAP-TLS) 802.11ax |
RADIUS |
|
Types of tests |
Connectivity, traffic (ICMP), and roaming between two APs |
The following table lists the client types on which the tests were conducted. Client types included laptops, hand-held devices, phones, and printers.
Client Type and Name |
Driver or Software Version |
||
---|---|---|---|
Wi-Fi 6 Devices (Mobile Phone and Laptop) |
|||
Apple iPhone 11 | iOS 14.1 | ||
Apple iPhone SE 2020 |
iOS 14.1 | ||
Dell Intel AX1650w | Windows 10 ( 21.90.2.1) | ||
Dell Latitude 5491 (Intel AX200) | Windows 10 Pro (21.40.2) | ||
Samsung S20 | Android 10 | ||
Samsung S10 (SM-G973U1) | Android 9.0 (One UI 1.1) | ||
Samsung S10e (SM-G970U1) | Android 9.0 (One UI 1.1) | ||
Samsung Galaxy S10+ | Android 9.0 | ||
Samsung Galaxy Fold 2 |
Android 10 | ||
Samsung Galaxy Flip Z |
Android 10 | ||
Samsung Note 20 |
Android 10 | ||
Laptops |
|||
Acer Aspire E 15 E5-573-3870 (Qualcomm Atheros QCA9377) | Windows 10 Pro (12.0.0.832) | ||
Apple Macbook Air 11 inch | OS Sierra 10.12.6 | ||
Apple Macbook Air 13 inch | OS Catalina 10.15.4 | ||
Apple Macbook Air 13 inch | OS High Sierra 10.13.4 | ||
Macbook Pro Retina | OS Mojave 10.14.3 | ||
Macbook Pro Retina 13 inch early 2015 | OS Mojave 10.14.3 | ||
Dell Inspiron 2020 Chromebook |
Chrome OS 75.0.3770.129 |
||
Google Pixelbook Go |
Chrome OS 84.0.4147.136 |
||
HP chromebook 11a |
Chrome OS 76.0.3809.136 |
||
Samsung Chromebook 4+ |
Chrome OS 77.0.3865.105 |
||
Dell Latitude 3480 (Qualcomm DELL wireless 1820) | Win 10 Pro (12.0.0.242) | ||
Dell Inspiron 15-7569 (Intel Dual Band Wireless-AC 3165) | Windows 10 Home (18.32.0.5) | ||
Dell Latitude E5540 (Intel Dual Band Wireless AC7260) | Windows 7 Professional (21.10.1) | ||
Dell XPS 12 v9250 (Intel Dual Band Wireless AC 8260 ) | Windows 10 (19.50.1.6) | ||
Dell Latitude 5491 (Intel AX200) | Windows 10 Pro (21.40.2) | ||
Dell XPS Latitude12 9250 (Intel Dual Band Wireless AC 8260) | Windows 10 Home (21.40.0) | ||
Lenovo Yoga C630 Snapdragon 850 (Qualcomm AC 2x2 Svc) |
Windows 10 (1.0.10440.0) |
||
Lenovo Thinkpad Yoga 460 (Intel Dual Band Wireless-AC 9260) | Windows 10 Pro ( 21.40.0) | ||
|
|||
Tablets |
|||
Apple iPad Pro | iOS 13.5 | ||
Apple iPad Air2 MGLW2LL/A | iOS 12.4.1 | ||
Apple iPad Mini 4 9.0.1 MK872LL/A | iOS 11.4.1 | ||
Apple iPad Mini 2 ME279LL/A | iOS 12.0 | ||
Microsoft Surface Pro 3 – 11ac | Qualcomm Atheros QCA61x4A | ||
Microsoft Surface Pro 3 – 11ax | Intel AX201 chipset. Driver v21.40.1.3 | ||
Microsoft Surface Pro 7 – 11ax | Intel Wi-Fi chip (HarrisonPeak AX201) (11ax, WPA3) | ||
Microsoft Surface Pro X – 11ac & WPA3 | WCN3998 Wi-Fi Chip (11ac, WPA3) | ||
Mobile Phones |
|||
Apple iPhone 5 | iOS 12.4.1 | ||
Apple iPhone 6s | iOS 13.5 | ||
Apple iPhone 8 | iOS 13.5 | ||
Apple iPhone X MQA52LL/A | iOS 13.5 | ||
Apple iPhone 11 | iOS 14.1 | ||
Apple iPhone SE MLY12LL/A | iOS 11.3 | ||
ASCOM SH1 Myco2 | Build 2.1 | ||
ASCOM SH1 Myco2 | Build 4.5 | ||
ASCOM Myco 3 v1.2.3 | Android 8.1 | ||
Drager Delta | VG9.0.2 | ||
Drager M300.3 | VG2.4 | ||
Drager M300.4 | VG2.4 | ||
Drager M540 | DG6.0.2 (1.2.6) | ||
Google Pixel 2 | Android 10 | ||
Google Pixel 3 | Android 11 | ||
Google Pixel 3a |
Android 11 |
||
Google Pixel 4 | Android 11 | ||
Huawei Mate 20 pro | Android 9.0 | ||
Huawei P20 Pro | Android 9.0 | ||
Huawei P40 |
Android 10 |
||
LG v40 ThinQ | Android 9.0 | ||
One Plus 8 |
Android 10 |
||
Oppo Find X2 |
Android 10 |
||
Redmi K20 Pro |
Android 10 |
||
Samsung Galaxy S7 | Android 6.0.1 | ||
Samsung Galaxy S7 SM - G930F | Android 8.0 | ||
Samsung Galaxy S8 | Android 8.0 | ||
Samsung Galaxy S9+ - G965U1 | Android 9.0 | ||
Samsung Galaxy SM - G950U | Android 7.0 | ||
Sony Xperia 1 ii |
Android 10 |
||
Sony Xperia xz3 | Android 9.0 | ||
Xiaomi Mi10 |
Android 10 |
||
Spectralink 8744 | Android 5.1.1 | ||
Spectralink Versity Phones 9540 | Android 8.1 | ||
Vocera Badges B3000n | 4.3.2.5 | ||
Vocera Smart Badges V5000 | 5.0.4.30 | ||
Zebra MC40 | Android 5.0 | ||
Zebra MC40N0 | Android 4.1.1 | ||
Zebra MC92N0 | Android 4.4.4 | ||
Zebra TC51 | Android 7.1.2 | ||
Zebra TC52 | Android 8.1.0 | ||
Zebra TC55 | Android 8.1.0 | ||
Zebra TC57 | Android 8.1.0 | ||
Zebra TC70 | Android 6.1 | ||
Zebra TC75 | Android 6.1.1 | ||
Printers | |||
Zebra QLn320 Printer | LINK OS 6.3 | ||
Zebra ZT230 Printer | LINK OS 6.3 | ||
Zebra ZQ310 Printer | LINK OS 6.3 | ||
Zebra ZD410 Printer | LINK OS 6.3 | ||
Zebra ZT410 Printer | LINK OS 6.3 | ||
Zebra ZQ610 Printer | LINK OS 6.3 | ||
Zebra ZQ620 Printer | LINK OS 6.3 | ||
Wireless Module |
|||
Intel 11ax 200 |
Driver v22.20.0 | ||
Intel AC 9260 |
Driver v21.40.0 | ||
Intel Dual Band Wireless AC 8260 |
Driver v19.50.1.6 |
Caveats
Caveats describe unexpected behavior in Cisco IOS releases in a product. Caveats that are listed as Open in a prior release are carried forward to the next release as either Open or Resolved.
Note |
All incremental releases contain fixes from the current release. |
Cisco Bug Search Tool
The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat, click the corresponding identifier.
Open Caveats for Cisco IOS XE Amsterdam 17.3.7
Identifier |
Headline |
---|---|
Error propagation from wncd back to manageability agent through wncmgrd. |
|
Controller is remarking SIP packets from CS3 to CS0 in upstream/downstream when voice cac is configured. |
|
Controller should not enable second 5-Ghz radio for 9124E with PoE+ (30W). |
|
Controller GUI goes blank after logging in if username has '&'. |
|
Cisco Catalyst 9166 AP: Radio-2 firmware crash is observed. |
|
Cisco Catalyst OEAP 9105w CAPWAP DTLS session closed for AP, due to DTLS shutdown. |
|
Cisco Catalyst 9130 AP: Probe suppression for Macro-Micro cell client steering is not supported. |
|
Cisco Catalyst 9117 AP: Crash is observed on Slot 1. |
|
Cisco Aironet 1832 AP is not sending packets to radio. |
|
Cisco Catalyst 9130AX APs are decoding Extensible Authentication Protocol (EAP) request ID incorrectly. |
|
AIRESPACE-WIRELESS-MIB: bsnAPIfType OID documentation incomplete. |
|
Tx power mismatch on RAP & MAP even though same power is set on RAP & MAP. |
|
Controller is reloading unexpectedly generating "wncd" core files. |
|
Cisco Catalyst 9105w Office Extend Access Points (OEAP) is crashing due to kernel panic. |
|
Cisco APs are not assigned IPv6 addresses after upgrade from 17.6.1 to 17.6.2 or 17.7.1. |
|
Cisco Catalyst 9105i OEAP is crashing due to kernel panic. |
|
Cisco Aironet 1815W AP: Kernel panic with radio stats crash. |
|
Cisco Catalyst 9105AX AP: Kernel panic crash is observed. |
|
Cisco Catalyst 9800-CL-K9 unexpectedly reloads and generates pubd core. |
|
Cisco Catalyst 9105AXW APs are crashing. |
|
Cisco Catalyst 9124E AP: Max transmit power is being capped for some domains resulting in 3 to 4dB less power. |
|
Poor reassociation behavior is observed between Spectralink 84xx series phones and Cisco Catalyst 9136 APs. |
|
Cisco Catalyst 9115 AP in workgroup bridge (WGB) stops sending traffic to the root AP after about 60 seconds from its initial connection. |
|
ECDHE ciphers are not listed when WLAN Common Criteria (WLAN CC) is enabled. |
|
Controller does not send LLC or XID spoofed frames after a mobility event. |
|
Unexpected reboot due to wncd. |
|
Cisco Catalyst 9120 AP: Kernel panic is seen on AP when client is disconnected and connected back with Target Wake Time (TWT) session. |
|
Radio firmware reloads unexpectedly due to a frozen RC queue. |
|
Cisco Catalyst 9164 and 9166 APs running Cisco IOS-XE 17.9.2 are facing Dynamic Frequency Selection (DFS) detections in all channels. |
|
Cisco Catalyst 9136I AP: Kernel crash is observed. |
|
Regular ASR support field is disabled for supporting clients. |
|
Cisco Catalyst 9120AX AP kernel crash - PC is at rhb_del_interface+0xc. |
|
Cisco Catalyst 9105AXW AP and Cisco Aironet 1815W Flex RLAN AP do not apply VLAN in the Ethernet port after AAA VLAN override. |
|
Cisco Catalyst 9800-L Series Controller: Observed qfp-ucode-wlc crash. |
|
Clients stop passing traffic when there is a missing bandwidth limit AAA attribute on the controller. |
|
Cisco Catalyst 9130 AP: Packet loss is observed on Digital Signage device. |
|
Cisco Catalyst 9115 and 9120 APs are crashing: WL_REINIT_RC_MQ_ERROR. |
|
Cisco Catalyst 9105 AP is stuck in U-BOOT. |
|
Cisco Catalyst 9130 AP: Radio crash is observed. |
|
The primary member displays "standby hot" even though the standby is in recovery mode. |
|
Cisco AP is not forwarding IGMPv3 query to wireless clients. |
|
After changing channel and bandwidth of AP (with SIA), antenna shows incorrect legal/configured gain. |
|
Cisco Catalyst 9105w OEAP: CAPWAP DTLS session is closed for AP due to DTLS server session shutdown. |
|
Observing AID leak in Cisco Wave 2 APs in FlexConnect mode. |
|
In-Service Software Upgrade (ISSU) build issue. |
|
Traceback is seen after provisioning controller from Cisco DNA Center. |
|
Tx power changes are not getting applied to the AP. |
|
Dual DFS stats on AP do not match controller information. |
|
Unexpected error messages flooding in RA logs for successful client joins. |
|
Cisco Catalyst 9120 AP: Sending Msg:2 in mode:2 to hostapd failed. |
|
Unclear reason for radio reset due to role change sent from controller to Cisco DNA Center. |
|
Cisco Catalyst 9120 AP is dropping DHCP offer in click. Not forwarding to wireless interface. |
|
Cisco Catalyst 9120AX AP+SIA-DART: Initial configuration for slot 0 show configured gain value as 0. |
|
Cisco AP reloads unexpectedly due to kernel panic. |
|
WPA3-Suite B: Incorrect APUT response to STA incorrect TLS authentication parameters. |
|
Cisco Catalyst 9124 AP: MAPs are no longer able to join RAP due to security failures. |
Open Caveats for Cisco IOS XE Amsterdam 17.3.6
Caveat ID |
Description |
---|---|
Slow TCP downloads and failing EAP-TLS are observed in Cisco IOS XE 17.3.6 - Cisco Aironet 2800, 3800, 4800, 1562, or Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Points. |
|
Cisco Aironet 1572EAC Access Point does not respond to the Canadian EIRP regulation. |
|
The reason for radio reset is unclear due to role change sent from controller to Cisco DNAC. |
|
Cisco Aironet 1832 Access Point does not forward packets to radio. |
|
Cisco Catalyst 9115 Access Point reports Dynamic Frequency Selection (DFS) in channels incorrectly: "blocked list due to be cleared". |
|
Factory reset using a physical button does not always work. |
|
Cisco Catalyst 4800 Series Access Point in local mode running 8.10.171.0 experiences radio coredump. |
|
Cisco Catalyst 9130 Access Point sends incorrect channel list in out-of-band DFS event causing client connectivity issues. |
|
Cisco Catalyst 3800 Access Point radio reloads unexpectedly in Slot 0 ap-17.9.0.135. |
|
Cisco Aironet 1852 Access Point experiences radio firmware crash. |
|
Cisco Catalyst 9136I Access Point experiences kernel crash in ap-17.9.1.7. |
|
Firmware radio crash is observed in Cisco Catalyst 4800 Access Point in Cisco IOS-XE 17.3.5b release. |
|
Access Point show logging is flooded with "syslog: parse_tx_bcn: Bcn payload is NULL" syslog messages. |
|
Cisco Catalyst 9130 Access Point: Probe suppression for macro-micro cell client steering does not work. |
|
Cisco Catalyst 9105AXW Access Point introduces latency when clients use RLAN ports. |
|
Mac and Android OS clients are not able to pass traffic when connected to Cisco Aironet 1810W Access Point RLAN ports. |
|
CleanAir data is missing for 2.4-GHz in few Cisco Catalyst 9120 or 9130 Access Points. |
|
Workgroup bridge (WGB) breaks in Pre-Shared Key (PSK) with key length of 63. |
|
Changing an AP site or policy tag to a Flex local switching set intermittently causes client connectivity failure to local web auth WLANs. |
|
Cisco Access Point reloads unexpectedly due to system critical process crash. |
|
5-GHz channel 165 cannot be selected in Cisco Aironet 2800, 3800, and 4800 Access Point models. |
|
Burst beacon is enabled by default for 11ac Cisco Wave 2 QCA Access Points. |
|
Cisco Catalyst 9120 Access Point: Radio Core Dump: wl0: wlc_check_assert_type HAMMERING. |
|
Backslash "\" in the end of the RADIUS servers' shared secret is not allowed for FlexConnect groups configuration. |
|
The primary member displays "standby hot" even though the standby is in recovery mode. |
|
wncd crash is observed at wsa_clt_evt_cache_update during client join with Cisco DNAC auth rate testing. |
|
Cisco Catalyst 9800 Wireless Controller - Link down due to local fault. |
|
Changing channel to 165 or width 20 fails when an Access Point is configured with channel width 40. |
|
Cisco Catalyst 9500-32C and 9500-32QC missing air license related XML entries. |
|
FlexConnect WLAN VLAN mapping disappears when VLAN name is defined in the FlexProfile. |
|
Controller does not send LLC or XID spoofed frames after a mobility event. |
|
Access Points operate in disabled RF profile channels in Cisco IOS-XE 17.6.2 ESW01. |
|
Need to increase the 8 IP address limit in the controller datapath. |
|
SISF crash is observed when handling the DHCP messages. |
|
Access Point does not join the controller due to CAPWAP data tunnel plumb failure. |
Open Caveats for Cisco IOS XE Amsterdam 17.3.5b
Caveat ID |
Description |
---|---|
The AVC page does not load in the GUI under Configuration > Services > AVC. |
|
The primary controller displays "standby hot" even though the standby controller is in recovery mode. |
|
Crash occurs when Btrace modules exceed the initial maximum number of registrations. |
|
The controller standby chassis shows Cisco Unknown Power Supply and the same serial number in the show inventory command output. |
|
Cisco Aironet 1542 Series APs are not listed while adding to the Floor Map. |
|
Configures the APs workflow to Resume or Cancel errors. |
|
Cisco Catalyst 9130AX AP reloads unexpectedly when PC is at __qdf_bug+0x0/0x8 osif_delete_vap_wait_and_free. |
|
Cisco Aironet 3800 Series AP does not pass Address Resolution Protocol (ARP) requests when configured in Custom Flex Group. |
|
AIR-AP1815I-H-K9: AP abnormal reboot without crash or core file. |
|
Cisco Catalyst 9130AXI AP changes the Domain Name System (DNS) information from the Dynamic Host Configuration Protocol (DHCP) offer packet. |
|
The FortyGigabitEthernet interfaces in Cisco Catalyst 9800-80 Wireless Controller get stuck in the down state after repeated High Availability (HA) failovers. |
|
CleanAir status down reported by multiple APs in controller running 8.10.151.0. |
|
Cisco Catalyst 9117AX AP reloads unexpectedly due to radio failure (radio recovery failed) when beacons are stuck in Radio 1. |
|
Incorrect campus maps information is observed in Cisco CMX 10.6.2-89. |
|
Cisco Aironet 1562 Series AP acts as Work Group Bridge (WGB) but is unable to pass multicast traffic to passive client behind it. |
|
Cisco Catalyst 9130 Series AP driver declines authorization request causing 802.11w client join issues. |
|
Clients are unable to join the Cisco Catalyst 9130 AP slot 2 when transmission power is set to the lower power level (-2dbm or -4dbm). |
|
Cisco Aironet 4800 AP crash: Unable to handle kernel NULL pointer dereference at virtual address. |
|
Cisco Catalyst 9130 Series AP crashes on CAPWAP after joining the controller. |
|
Radio failure (radio recovery failed) due to Cisco Catalyst 9117 Series AP Beacon stuck. |
|
Wireless controller is unable to use the wireless broadcast vlan X command. |
Open Caveats for Cisco IOS XE Amsterdam 17.3.5a
Caveat ID |
Description |
---|---|
The AVC page does not load in the GUI under Configuration > Services > AVC. |
|
The primary controller displays "standby hot" even though the standby controller is in recovery mode. |
|
Crash occurs when Btrace modules exceed the initial maximum number of registrations. |
|
The controller standby chassis shows Cisco Unknown Power Supply and the same serial number in the show inventory command output. |
|
Cisco Aironet 1542 Series APs are not listed while adding to the Floor Map. |
|
Configures the APs workflow to Resume or Cancel errors. |
|
Cisco Aironet 1572EAC AP does not respond to the Canadian EIRP regulation. |
|
Cisco Catalyst 9130 series AP does not send M1 over the air. |
|
Cisco Catalyst 9130 Series AP crash - PC is at __qdf_bug+0x0/0x8 osif_delete_vap_wait_and_free. |
|
Cisco Aironet 3800 Series AP not passing Address Resolution Protocol (ARP) requests when configured on Custom Flex Group. |
|
Cisco Catalyst 9130 Series high channel utilization and client lags with 9 or more clients using MS Teams. |
|
AIR-AP1815I-H-K9: AP abnormal reboot without crash/core file. |
|
Cisco Catalyst 9130AXI AP changes the Domain Name System (DNS) information from the Dynamic Host Configuration Protocol (DHCP) offer packet. |
|
The FortyGigabitEthernet interfaces on Cisco Catalyst 9800-80 Wireless Controller get stuck in the down state after repeated High Availability (HA) failovers. |
|
Multiple CleanAir Sensor Status: 'Down' - Controller 8.10.151.0 |
|
Cisco Catalyst 9117 Series APs crash due to radio failure (radio recovery failed): beacons stuck on Radio 1. |
|
Incorrect campus maps information on CMX 10.6.2-89. |
|
Cisco Aironet 1562 Series AP acts as Work Group Bridge (WGB) but is unable to pass multicast traffic to passive client behind it. |
|
Cisco Catalyst 9130 Series AP driver declines authorization request causing 11w client join issues. |
|
Tx power for Microcell created by AP for slot 2 of Cisco Catalyst 9130 Series AP. |
|
Cisco Aironet 4800 AP crash: Unable to handle Kernel NULL pointer dereference at virtual address. |
|
Cisco Catalyst 9130 Series AP crashes on CAPWAP after joining with the controller. |
|
Cisco Catalyst 9117 Series AP beacon stuck - crash due to radio failure (radio recovery failed). |
|
Controller does not send TCP SYN or ACK for web redirect once TCP SYN is received and punted to CPU. |
Open Caveats for Cisco IOS XE Amsterdam 17.3.4c
Caveat ID |
Description |
---|---|
WGB loses connectivity to the controller. |
|
Cisco Aironet 3802 AP is not able to acknowledge EAP frames (EAP-TLS). |
|
Cisco Aironet 1572EAC Access Point does not respond to the Canadian EIRP regulation. |
|
Cisco 1815 AP ends abnormally on the controller due to Out of Memory. |
|
Cisco Aironet 1570 AP does not display the RRM neighbors. |
|
Cisco Catalyst 9120 Access Point experiences crash after upgrading to 8.10.158.38. |
|
Cisco Catalyst 9120 AP stops transmitting frames to Macbook after a session reauthentication. |
|
When Samsung tries to join the WPA3 AES-802.1x or SHA256 WLAN, AP sends corrupted assoc response. |
|
Cisco Catalyst 9115 AP crashes after loading the 17.3.3 ES6 image. |
|
Controller does not send TCP SYN or ACK for web redirect once TCP SYN is received and punted to CPU. |
|
Wireless controller is unable to use the "wireless broadcast vlan X". |
Open Caveats for Cisco IOS XE Amsterdam 17.3.4
Caveat ID |
Description |
---|---|
WGB loses connectivity to the controller. |
|
Cisco Aironet 3802 AP is not able to acknowledge EAP frames (EAP-TLS). |
|
Cisco Aironet 1572EAC Access Point does not respond to the Canadian EIRP regulation. |
|
Cisco 1815 AP ends abnormally on the controller due to Out of Memory. |
|
Cisco Aironet 1570 AP does not display the RRM neighbors. |
|
Cisco Catalyst 9120 Access Point experiences crash after upgrading to 8.10.158.38. |
|
Cisco Catalyst 9120 AP stops transmitting frames to Macbook after a session reauthentication. |
|
When Samsung tries to join the WPA3 AES-802.1x or SHA256 WLAN, AP sends corrupted assoc response. |
|
Cisco Catalyst 9115 AP crashes after loading the 17.3.3 ES6 image. |
|
AP stops forwarding RTP packets to clients. |
|
Cisco Catalyst 9120AX Series Access Point does not forward downstream packets to the device. |
|
Controller does not send TCP SYN or ACK for web redirect once TCP SYN is received and punted to CPU. |
|
Wireless controller is unable to use the "wireless broadcast vlan X". |
Open Caveats for Cisco IOS XE Amsterdam 17.3.3
Caveat ID |
Description |
---|---|
Cisco IOS XE Gibraltar 16.12.5 version generates jumbo frames for dot1x packets. |
|
Process "pubd" uses large amount of memory in case of many subscriptions to large amounts of data. |
|
Zero session-timeout from AAA or policy-profile. |
|
Cisco Aironet 3802 AP is not able to acknowledge EAP frames (EAP-TLS). |
|
Wired clients behind non-Cisco WGB do not get IP on the controller. |
|
Cisco Aironet 2800 and 3800 APs exhibit choppiness during the multicast voice call. |
|
No validation on unsupported channel configuration in the controller. |
|
Cisco Aironet 2802 AP reloads unexpectedly due to kernel panic. |
|
AP cannot join the controller - Dropping client hello received with zero MAC. |
|
VLANs are not being marked dirty and stuck in ip learn. |
|
Cisco Catalyst 9120 APs cannot send ACK over the air during EAP negotiation. |
|
Controller drops AP DTLS connection. |
|
Cisco Catalyst 9800-CL Cloud Wireless Controller running Hyper-V stops responding intermittently. |
|
DFS detection optimization to avoid false DFS detection in Cisco Catalyst 9115 Series APs. |
|
Cisco Catalyst 9120 Series AP beacon gets stuck after moving from channel UNII 1 to UNII 2. |
|
CWA clients are not moved back to webauth after CoA reauth is sent when client is in RUN. |
|
802.11r retried Auth packet forwarded to controller causes duplicate Auth responses sent to client. |
|
AP does not send an ADDTS response when PMF enabled. |
|
MAC Filtering: Description not imported properly from a CSV file. |
|
Check if the AP-COS crash files print complete information. |
|
The client data rate displays incorrectly on the GUI or CLI. |
|
Observed Cisco C9800-L Wireless Controller downgrade rommon after upgrading hw-programmable phy. |
|
The controller produces an error when RA trace is generated on the GUI or CLI. |
|
The Apple clients fail to pass M2 EAPOL when 802.11r is enabled after a switchover. |
|
PMF Optional - Protecting frames for NON-PMF clients. |
|
C9115/9120 reading /sys/class/thermal/thermal_zone0/temp failed [2]: No such file or directory logs. |
|
AP admin enable doesn't work on slow systems when page is submitted immediately after a click action. |
|
The show wireless client detail command displays the old or incorrect IP address. |
|
Cisco Aironet 2802 series Access Point suddenly drops in transmission power level. |
|
Cisco Aironet 3802 series access points crash on Radio 1 in FlexConnect mode. |
|
ASR1K platform crashes when applying a hierarchical QoS policy on the tunnel interface. |
Open Caveats for Cisco IOS XE Amsterdam 17.3.2a
Caveat ID |
Description |
---|---|
Cisco Aironet 2802 AP beacon loss issue. |
|
Cisco Aironet 3802 AP is not able to acknowledge Extensible Authentication Protocol (EAP) frames. |
|
Cisco Aironet 3800 and 4800 APs are dropping from the controller. |
|
Cisco Aironet 9130 APs are not sending DHCP messages over the air. |
|
Wired clients are not able to access HTTP/HTTPS through Remote LAN (RLAN). |
|
Wired clients behind a non-Cisco workgroup bridge (WGB) are not getting an IP address. |
|
Wave 2 AP crashed due to FIQ/NMI reset. |
|
Controller is not accepting href parameters on web support bundle. |
|
Dual-Band (XOR) radio operating in monitor mode exists as part of 5 GHz band emulated radio table. |
|
WNCD crash is observed after MAB fails to allocate memory. |
|
Inconsistent configuration options to enable 5 GHz single band antennas on external antenna APs. |
|
Cisco Aironet 2800 and 3800 APs exhibit choppiness during the multicast voice call. |
|
Wave 2 APs are not able to negotiate power with SG350 switches. |
|
Controller platform error: %IOSXE-2-PLATFORM: Chassis 1 R0/0: kernel: EXT2-fs (sda1): error. |
|
Controllers fail to save configuration with EXT2-fs (sdb1) errors. |
|
Controller is unable to classify Google pixel mobile phones. |
|
Gateway MAC address is being learned from Cisco 1815 AP switchport. |
|
MESH: Cisco Aironet 1542 Outdoor Access Point does not converge to Cisco Aironet 1572 Outdoor Access Point. |
|
Cisco Aironet 2800, 3800, 4800, 1560, and 6300 APs fail to transmit data frame to the client from the radio interface. |
|
Fault tolerance is broken in Flex APs. |
|
FlexConnect CA+LS 11w clients may disjoin during standalone to connected transition. |
|
Stale client entry leads to client disconnection and association problems. |
|
Transport mode is not persisting across high-availability after upgrade with smart licensing registered. |
|
Cisco Catalyst 9115 Series Wi-Fi 6 Access Point: Clients are unable to connect due to persistent Tx error on radio. |
|
Some commands are not applied while using iosxe_config.txt to load configuration to Cisco Catalyst 9800-CL Wireless Controller using KVM. |
|
Remove unsupported VXLAN-EVPN commands from the controller. |
|
Cisco Catalyst 9130AX Series Access Points are dropping some uplink packets from macbooks. |
|
Netconf and Netconf-YANG are not enabled on the external nodes as part of PnP configuration. |
|
YANG requests from Cisco DNA-C to IoT devices related to device licensing are failing. |
|
Cisco Catalyst 9130AXE Series Access Points are not taking RF tag power settings on slot 2. |
|
Cisco Catalyst 9130AX Series Access Points are not sending M1 over the air. |
|
Cisco Aironet 2802 Access Point shows sudden drop in TX power level. |
|
CAC shown as running for non-DFS channels and even on 2.4GHz band on controller. |
|
Flex: Client is stuck in excluded state after modifying the VLAN to default. |
|
APs are not broadcasting SSID after disabling mobility anchor using web interface. |
|
Cisco Aironet 1852 Access Point: Radio hangs are causing packets drops. |
|
Cisco Catalyst 9130AX Series Access Point is dropping packets and the AP is not able to push packet to click module. |
|
AP location string is truncated during join. |
|
Cisco Embedded Wireless Controller for an AP is not forwarding downstream traffic after active AP failover. |
|
Wncd core is seen when client is getting blacklisting flag from WLAN policy. |
|
Cisco Catalyst 9130 Series Access Point: Repeated log entries are showing dual radio failure. |
|
AQI value is coming as 0 for slot_index:1. |
|
Warn users if a configuration is not applied correctly and remedial steps are to be performed. |
|
Controller is unable to push SSIDs while doing a configuration change on policy profile. |
|
Kernel crash seen in the hardware controllers during upgrade. |
|
Interface speed for the AP is showing a wrong value in Cisco Prime. |
|
Data DTLS with IPv6 tunnel is not established after reloading controller. |
|
Client goes to excluded state till timeout expires when changing vlan-id-mapping in both flex and policy profile. |
|
Cisco Aironet 3800 Access Point is randomly not sending traffic to client queue 0 after dot1x session-timeout. |
|
The output of the show license authorization command is incorrect. |
|
Make messages such as "kernel: HANET: ip_local_out send failed" customer readable or suppress them. |
|
CAPWAP multiwindow feature: AP disconnects after stateful switchover (SSO) while AP image predownload is in progress. |
|
Cisco switches connected to Wave2 APs generate CDP-4-DUPLEX_MISMATCH. |
|
Controller displays incorrect antenna gain. |
|
Smart Licensing Policy: Purchase information should be protected and shouldn't be able to erase. |
Open Caveats for Cisco IOS XE Amsterdam 17.3.1
Caveat ID |
Description |
---|---|
Support for three-step install upgrade with ap image predownload is required. |
|
Device is crashing while executing the copy flash:< >.cfg running-config command. |
|
Disallow Webauth WLANs from being tagged to authentication servers with load-balancing enabled. |
|
Interface speed for the AP is showing as None in Cisco Prime Infrastructure. |
|
The dot11n and dot11ac are disabled and configuration is saved. When the controller reloads, they are enabled again. |
|
Configuration slot 0 output is updating wrong values for XOR radio when mapped to the custom rf-profile. |
|
Radio objects are missing from the RRMradSlot table if AP tag is in mis-configured state. |
|
Cisco Aironet 1570 APs are not allowing clients to connect in 5 GHz. |
|
AP kernel panic crash (PC is at vfp_reload_hw). |
|
Cisco Aironet 3800 AP with data DTLS encryption disconnects from the controller due to CAPWAP keepalive after rx PMTU discovery. |
|
CAPWAP multi-window support: AP disconnects post switchover when AP image predownload is in progress. |
|
Auto-contain doesn't resume after rogue-client is removed. |
|
Rogue rule created is overridden with latest priority. |
|
Cisco Catalyst 9800-80 Controller is sending client traffic out of the AP manager interface. |
|
Client is connected through dot11n or dot11n even when dot11 options are disabled. |
|
AP disjoins after client connects to SSID using LDAP with secure mode. |
|
The show command for AP tri-radio Feature is not available in Cisco Embedded Wireless Controller on Catalyst Access Points. |
|
Cisco Aironet 2800 AP: Wpa2-psk-aes WLAN client is getting disturbed when AP moves from flex. |
|
Spectrum intelligence interference detected by AP is not seen on the controller. |
|
Small VM install of controller loses its management trustpoint after every reboot. |
|
AP is not rejecting incorrect Fast Transition Auth request. |
|
AP is not sending reassociation response. |
|
Controller is showing incorrect AP Cisco Discovery Protocol (CDP) information. |
|
Cisco Embedded Wireless Controller on Catalyst Access Points: AP image predownload status is empty for most of the APs. |
|
Cisco Aironet 3800h AP: Jitter issue with MS-Teams application. |
|
Cisco Catalyst 9105 AP: LED is turned off by default. |
|
Last switchover reason is shown as active unit removed during ISSU upgrade. |
|
Private Pre-Shared-Key (PSK) Pairwise Master Key (PMK) is retained resulting in client delete. Controller is crashing with scaled PPSK join. |
|
Cisco DNA Center: When AP fails to pre-download image, further attempts to pre-download are getting stuck. |
Resolved Caveats for Cisco IOS XE Amsterdam 17.3.7
Identifier |
Headline |
---|---|
Cisco Aironet 3800 Access Points experience WCPd crash when running 17.3.1 image. |
|
Cisco Aironet 2800 and 3800 APs: WGB fails to connect via PEAP if client certificate is not installed. |
|
Cisco Wave 2 APs stuck in bootloop due to image checksum verification failure. |
|
Controller does not remove 802.1X clients after session-timeout. |
|
AP drops packets addressed to 10.128.128.127 or 10.128.128.128. |
|
Remote address attribute missing when accessing controller through GUI using TACACS+ credentials. |
|
Controller sends new Access-Requests using previous packet id. |
|
Controller unexpectedly reloads on DMI authentication task with guestshell enabled. |
|
Kernel panic crash in Cisco Catalyst 9130AX Series APs. |
|
Cisco Catalyst 9115 AP reports DFS on channels incorrectly: "Blocked list due to be cleared". |
|
Cisco IOx app installation fails during app activation phase with the following error: "Error while creating app start up script". |
|
Cisco Catalyst 9105AXW AP is introducing latency when clients are using RLAN ports. |
|
Cisco Aironet 1810W AP: RLAN DHCP issues with certain client models. |
|
Cisco Catalyst 9115 AP: Power saving client state on radio. |
|
AP is not copying DHCP ACK packets to the controller after enabling "cts manual" on the switch. |
|
High channel utilization on 5-GHz radio with 40 MHz. |
|
Cisco Catalyst 9105w AP is crashing due to kernel panic. |
|
Cisco Catalyst 9105/9115/9120 series APs are unable to handle out of order packets. |
|
AppHost: App install fails when USB state is disabled in the AP Join profile. |
|
Cisco Catalyst 9130 AP does not transmit EAP identity request. |
|
Wireless AAA dynamic VLAN assignment: The wireless clients cannot reach each other. |
|
Cisco Catalyst 9120 and 9130 APs: Missing CleanAir data for 2.4GHz. |
|
Multicast data not sent to clients; some APs may be unable to join the controller. |
|
Cisco Catalyst 9130 AP reloads unexpectedly in run_timer_softirq. |
|
Radio firmware crashes in Cisco Aironet 1850 Series Access Points. |
|
Changing an Access Point site or policy tag to a Flex local switching set intermittently causes client connectivity failure to local web auth WLANs. |
|
Controller HA dual active scenario is observed when standby controller is reconnecting to HA pair. |
|
Cisco Catalyst 9124 MAP fails to connect to Cisco Aironet 1562 RAP after first reload of MAP. |
|
Controller experiences an unexpected reset resulting in a system report containing a wncd core file. |
|
Cisco Aironet 1840 OEAP crashed due to radio failure. |
|
Link connecting the controllers goes down due to local fault. |
|
Catalyst 9300 switches generate RUM reports every 8 hours. |
|
Cisco Catalyst 9120 AP: Radio core dump. |
|
For FlexConnect group configuration, do not use backslash (\) at the end of the RADIUS servers' shared secret. |
|
Cisco Aironet 4800 AP: Firmware radio crash is observed. |
|
Switch Integrated Security Features (SISF) crash is observed when handling the DHCP messages. |
|
Cisco Catalyst 9130 AP sends incorrect channel list on the "out of band" DFS event, causing client connectivity issues. |
|
Flash file system corruption is observed on AIR-CAP2702E-K-K9. |
|
Cisco Catalyst 9120 AP shows very high noise level on 5-GHz radio. |
|
Controller crash is observed on libewlc_client_dpath_svc.so. |
|
Cisco Aironet 1832 AP reloads unexpectedly due to radio recovery failure. |
|
Cisco Catalyst 9800-L Wireless Controller does not receive HWDIB down message when RP port goes down in HA, preventing WMI from sending GARP. |
|
AP WGB stuck in EAPOL state. |
|
Fman crash seen in SGACL@ fman_sgacl_calloc. |
|
WPA3 and OWE transition enabled: Non-WPA3 clients get network access in "webauth-pending" state. |
|
Cisco Aironet 2802 AP reloads unexpectedly. |
|
Cisco Catalyst 9300 Series Switch is not flushing remote MAC address after roaming to a local AP. |
|
Cisco Aironet 1815 APs reboot - PC is at edma_poll or LR is at dma_cache_maint_page. |
|
PI 3.10.1: Associated APs with controller displays interface mode type as "Half duplex". |
|
Memory leak is observed in wncd process when under load. |
|
Cisco Catalyst 9120 AP: TX is stuck due to data block PS and AP radio crash. |
|
Linux iosd crash on standby controller during reload of the Cisco Catalyst 9800-L Wireless Controller. |
|
802.11r re-auth failed due to invalid Pairwise Master Key ID (PMKID) while doing inter-WNCD roaming. |
|
Controller is accounting wrong class attribute in accounting packets. |
|
Cisco Catalyst 9120, 9115, and 9105 Access Points experience radio firmware crash with Cisco IOS-XE 17.3 or later releases. |
|
Clients not deleted by the controller after session-timeout ("Timer not running" state). |
|
Cisco Catalyst 9162 AP: Client connection failure with BLE configured as native scan. |
|
Cisco Catalyst 9130 Access Point displays different beacon data-rates for different Basic Service Set Identifiers (BSSIDs). |
|
Inject path crash is observed on controller switch on IPv6_qos. |
|
CAPWAP wireless traffic is getting the same Security Group Tag (SGT) as the corresponding incoming wired traffic. |
|
User-agent details needs to be truncated to string length 234 in WSA to prevent vstring corruption. |
|
Active chassis gets stuck during SSO failover in Cisco IOS-XE 17.9 release version. |
|
Cisco Catalyst 9120 AP cannot operate in Multigigabit Ethernet (mGig) when Energy Efficient Ethernet (EEE) is enabled on switchport. |
|
Cisco Catalyst 9120 AP: CleanAir sensor reloads unexpectedly. |
|
Controller fails to update AP configuration with error: % Error: no ap_name exists. |
|
Wired guest clients are stuck at IP_LEARN with DHCP packets not forwarded out of the foreign to anchor. |
|
Cisco Aironet 2700 AP: Ignore CAPWAP_PAYLOAD: AP_LAN_CONFIG payload having invalid RLAN port enable value. |
|
Clients are getting deauth immediately after getting IP address in LWA+LocalSW+CentralAuth. |
|
Controller does not follow the DCA sensitivity threshold. |
|
Wireless load balancing affinity incorrectly shows AP site tag as default-site. |
|
Double bit ECC error causes the standby controller to reload. |
|
Cisco Catalyst 9120 AP reloads unexpectedly due to kernel panic. |
|
Cisco Aironet 2800, 3800, 4800, 1562, and 6300 series APs: Slow TCP downloads, failing EAP-TLS. |
|
Cisco Catalyst 9105 AP reloads unexpectedly multiple times. |
|
Cisco Catalyst 9117 AP reloads unexpectedly due to kernel panic at console_unlock+0x320/0x3ac. |
|
AP reloads due to kernel panic. |
|
Multiple Cisco Catalyst 9130AXE APs with DART connectors stuck at channel 36. |
|
Controller stays in the IP_THEFT state indefinitely due to stale client entries in the ODM database. |
|
License: Remove reporting interval (fixed 8 hours) and change Sync report to a user action. |
|
EAP-TLS is failing for the wired clients behind MAP for Cisco 2800, 3800, 4800, 1562, 6300 series APs. |
|
Cisco Catalyst 9130 AP: Radio 1 is crashing. |
|
Controller fails to update DCA channels as RRM is stuck. |
|
Cisco Aironet 3800 AP consistently reports high QBSS load. |
|
Cisco Aironet 3802 AP: Kernel crash is observed. |
|
Wired clients behind WGB do not get IP addresses for anchor WLAN. |
|
Wave 2 APs reload unexpectedly due to "Systemd critical process crash - dnsmasq-host.service failed" error. |
|
Controller does not provide RSSI location data for some of the RFID tags in the database. |
|
Service insertion fails after CSR1Kv hub in Azure is rebooted. |
|
Controller GUI logging buffer size display is incorrect. |
|
Cisco Aironet 3800 series AP reloads unexpectedly due to kernel panic. |
|
Unexpected reload on the controller caused by WNCd process after removing a VLAN from a VLAN-GROUP. |
|
Cisco Catalyst 9130 AP is dropping EAP-TLS frames. |
|
Cisco Aironet 3800 AP: Radio reloads unexpectedly due to a stuck beacon. |
|
Cisco Catalyst 9120 AP: Kernel panic is observed. |
|
SIGSEGV crash is observed when incrementing roaming statistics. |
|
Controller crashes due to NetFlow watchdog. Observed CPU hog in the wncmgrd process due to NetFlow scale. |
|
Cisco Catalyst 9115 APs intermittently stop transmitting multicast traffic downstream. |
|
Wcpd crashes after reusing freed packets. |
|
Cisco Catalyst 9130 AP radio firmware reloads unexpectedly. |
|
Cisco Aironet 1840 OEAP crashes due to radio failure. |
|
Cisco Wave 1 AP image validation certificate failure or expiry causes AP join issues. |
|
Cisco Catalyst 9130 AP is not sending EAP_ID_RESP next assoc-req after PMF client tx deauth in middle of EAP handshake. |
|
Cisco Aironet 1830 AP: Wireless clients are unable to connect - "writing to fd 27 failed!". |
|
Load average warning is displayed even when Cisco Catalyst 9800-80 Series Controller is healthy. |
|
Access point page shows Power Mode as unknown power. |
|
Adding static IP MAC binding to device tracking fails. |
|
Cisco Catalyst 9115 AP radio 1 crashes. |
|
Cisco Wave 2 APs do not encrypt EAP_ID_REQ after M1-M4, and do not update PMKID for dot1x OKC. |
|
Controller crashes after failing to match the interface ID in the anchor message. |
|
COS AP fails to forward traffic to wireless client for about 60 seconds in SDA Fabric WLANs. |
|
Cisco Catalyst 9120 AP reloads unexpectedly due to radio firmware crash. |
|
Cisco APs such as 2800, 3800, 4800, and 1562 are dropping upstream EAP packets. |
|
Cisco Catalyst 9130 AP: Kernel panic with filp_close and do_close values. |
|
Crash is seen on "Critical process rrm fault on rp_0_0 (rc=139)". |
|
Controller QoS page does not load when ACL has double quotes as special character in the name. |
|
Controller reloads due to memory corruption when processing DHCP Reply Option82. |
|
Standby controller crashes while saving tbl QoS table. |
|
Day 0 factory image for a new out-of-the-box Cisco Catalyst 9130 AP (VID 03) does not contain |
|
Cisco Catalyst 9130 APs advertise incorrect Local Power Constraint value in management frames. |
|
Cisco Catalyst 9117 AP: Radio firmware crash is observed. |
|
Spectralink Versity 9553 phones experience sporadic delay and robotic voice. |
Resolved Caveats for Cisco IOS XE Amsterdam 17.3.6
Caveat ID |
Description |
---|---|
Cisco Aironet 3800 Access Point does not pass Address Resolution Protocol (ARP) requests in central WLAN when configured in custom flex group. |
|
Cisco Catalyst 9130AX Access Point experiences high channel utilization and client lags with 9 or more clients using MS Teams. |
|
Cisco Catalyst 9130 Access Point drops packets On-Air for Phoenix WinNonlin application. |
|
Cisco Wave 2 Access Points with RLAN port connected to device running LLDP reboots due to Out-of-Memory. |
|
Cisco Aironet 3800 Access Point sends a burst of deauthentication frames after each session timeout for each Access Point in PSK WLAN. |
|
Cisco Catalyst 9117 beacon stuck reloads unexpectedly due to radio failure (radio recovery failed). |
|
Cisco Aironet 1832, 1852, or 1815: Kernel panic is observed at wlan_handle_napi. |
|
Cisco Catalyst 9120 Access Point crashes with Null pointer dereference in wlc_wnm_is_wnmsleeping. |
|
Cisco Aironet 2800 or 3800 Access Points only update the QBSS_AAC sent by the controller after radio reset when CAC is configured. |
|
Cisco Catalyst 9120 Access Point experiences kernel panic crash when PC is at __kmalloc+0x5c/0x140. |
|
Cisco Aironet 2802 and 3802 Access Points experience kernel panic crash when 8.10.151.0 image is executed. |
|
Cisco Catalyst 9120AXI Access Point - capwapd.service failed. |
|
Cisco Catalyst 9120 Access Point running Cisco IOS-XE 17.7.1.11 experiences wcpd.service failure software crash in wcpd process. |
|
Central Web Authentication (CWA) clients cannot go online even though they are in RUN state. |
|
Cisco Wave 2 Access Point disconnects from the controller after a CTS switchport configuration. |
|
Cisco Catalyst 9120 Access Point experiences kernel crash while bringing up the slot1 radio. |
|
Cisco Catalyst 9120 Access Point does not send multicast data till it snoops IGMPv2. |
|
Access Points detect their own MAC addresses as rogue in slot1 or slot3 intermittently with an empty SSID. |
|
Cisco Catalyst 9130 and 9120 Access Points in FlexConnect mode do not send SA query. |
|
High latency and drops are observed when associated to Cisco Catalyst 9130 Access Point. |
|
Enhanced diagnostics is required to determine why Cisco Catalyst 9130 Access Point reloads unexpectedly with "PC is at run_timer_softirq". |
|
Cisco Catalyst 9120 and 9130 Access Points in FlexConnect mode send Assoc reject after a first successful connection. |
|
Cisco Catalyst 9117 Access Point reloads unexpectedly due to kernel panic in "cisco_wlan_crypto_decap". |
|
Cisco Catalyst 9117 Access Point reloads unexpectedly due to kernel panic "dp_print_host_stats". |
|
Cisco Aironet 3800 Access Point plumbs client to VLAN 1 instead of native VLAN 0 causing ARP drops "OUTER_UCAST_VLAN_BLOCK". |
|
Cisco Catalyst 9117AXI-E Access Point reports kernel panic crash. |
|
Cisco Aironet 1832 Access Point reloads due to radio failure - Beacon Stuck- reset radio for recovery. |
|
Cisco Catalyst 9115AXI-E Access Point crashes after upgrading to Cisco IOS-XE 17.3.5a. |
|
Cisco Catalyst 9115 Access Point: Power saving client state in radio. |
|
Cisco Catalyst 9130 Access Point does not process fragmented Extensible Authentication Protocol (EAP) frames from client when doing EAP-TLS. |
|
Cisco Catalyst 9130 Access Points generate radio coredumps. |
|
Cisco Catalyst 9120 Access Point does not send the Aggregate MAC Protocol Data Unit (AMPDUs) for WPA1 AES clients in WPA1 and WPA2 mixed modes. |
|
Cisco Catalyst 9120 or 9130 Access Points send Address Resolution Protocol (ARP) packet without VXLAN encapsulation. |
|
Cisco Catalyst 9130 Access Point reloads unexpectedly due to kernel panic. |
|
Cisco Aironet 4800 Series Access Point in 8.10.171.0 crashes due to FIQ or NMI reset. |
|
Cisco Aironet 1815-T OEAP kernel panic crash is observed in Cisco IOS-XE 17.8.1 CCO. |
|
Cisco Catalyst 9115 Access Point: The Mode reset button does not clear the CC mode and console blocking configuration. |
|
Cisco Catalyst 9130 Access Point experiences kernel crash when PC is at _ZN10CACMetrics25accumulate. |
|
SJC Alpha Cisco Aironet 3800 Access Points in Cisco IOS-XE 17.9.1 EFT2 Slot 0 BSSID beacon frames are received in Slot 1 radio. |
|
Cisco Catalyst 9120 Access Point stops beaconing. |
|
Cisco Aironet 4800 Access Point displays its own MAC address in the NDP neighbor list. |
|
Cisco Catalyst 9120 Access Points send Authentication response frames to clients after long delays. |
|
Cisco Aironet 1832 Access Point reloads due to radio failure - Beacons are stuck in radio. |
|
APP hosting segmentation does not work in Cisco Catalyst 9100 Access Point and Cisco Catalyst 9800 controller running Cisco IOS-XE 17.6.3. |
|
Workgroup bridge (WGB) does not support the pre-shared key (PSK) with 63 characters. |
|
Cisco Aironet 1852 Access Point radio hangs causing packets drops. |
|
Clients with EAP-TLS behind the Mesh Access Point (MAP) fail. |
|
Cisco Catalyst 9105 Access Point does not respond to controller's Discovery Response: Error connecting Transport Layer Security (TLS) context. |
|
Cisco Catalyst 9117AX Access Point radio reloads unexpectedly due to partial command issues. |
|
Cisco Catalyst 9120AXI Access Point sends weaker beacons than Cisco Aironet 2802I Access Point. |
|
Cisco Aironet 3802 FIQ or NMI reset: LocateAddr & extStaDb_GetStaInfo. |
|
Cisco Catalyst 9117AX Access Point reloads unexpectedly at cmnos_thread.c:3493. |
|
Cisco Aironet 3802 FIQ or NMI reset at rb_next+0xc. |
|
Cisco Aironet 1562 Access Point acting as Workgroup bridge (WGB) is unable to pass multicast traffic to the passive client behind it. |
|
Cisco Aironet 4800 Access Point does not get full 31 or 32 Watt power while negotiating with UPOE SW. |
|
Cisco Aironet 1832 Access Point reloads unexpectedly due to kernel panic. |
|
Cisco Aironet 2800 and 3800 Access Points in 8.10.162: Incorrect Power Type is displayed when static power is set to 15.4W. |
|
Wired client behind Cisco WGB does not consider the DHCP IP address. |
|
Cisco Aironet 2802 Access Point reloads unexpectedly due to FIQ or NMI reset. |
|
Cisco Catalyst 9120 Access Point experiences kernel crash when PC is at number.isra and LR is at vsnprintf. |
|
Cisco Catalyst 9130 Access Point does not transmit beacons randomly. |
|
Cisco Aironet 2800 Access Points change the TID for Extensible Authentication Protocol (EAP) over LAN (EAPOL) packets from 6 to 0 after changing the RF profile in the controller. |
|
Low throughput is observed in Cisco Aironet 1852 Access Point. |
|
Incorrect kernel assertion is observed while checking invalid timer objects. |
|
Cisco Wave 2 Access Point loses configuration after an upgrade. |
|
Cisco Access Point reloads unexpectedly with ppr_create_prealloc+0xbc. |
|
Cisco Catalyst 9105 Access Point experiences low throughput with AX clients with adjacent channel interference in 2.4-GHz radio. |
|
Cisco Catalyst 9130 Access Point detects its own BSSID as rogue in 5-GHz channel. |
|
Cisco Access Point reloads unexpectedly in "wlan_objmgr_peer_release_ref" running Cisco IOS-XE 17.3.5. |
|
Cisco Wave 2 Access Point in WGB mode running 8.10.171.4 is unable to assign a static IP with subnet mask other than /24. |
|
Cisco Wave 2 Access Points: CAPWAP MTU flapping occurs due to asymmetric MTU between Access Point to controller and vice-versa. |
|
Access Point crash is observed due to kernel panic - pci_generic_config_read CS00012247092. |
|
Cisco Wave 2 Access Points in Local mode send Address Resolution Protocol (ARP) requests to wireless clients from 10.128.128.128 IP address. |
|
Cisco Catalyst 9130 Access Point: Kernel panic. __dma_inv_range+0x20/0x50. |
|
Cisco Catalyst 9117 Access Point reloads unexpectedly due to kernel panic with "dp_print_host_stats" logs. |
|
The Cisco Wave 2 Access Point command config boot crashkernel enable does not generate kernel core to USB. |
|
WGB with Static IP loses IP address after multiple roams. |
|
Assert crash is observed in Cisco Catalyst 9120 Access Point. |
|
CAPWAP flapping is observed when VRRPv3 is present in the network. |
|
Access Points are unable to join the controller due to invalid path MTU in the Access Point Join request. |
|
Dataplane classification error is observed in WLCLIENT-IF interface. |
|
Cisco Catalyst 9105 Access Point experiences wncd traceback followed by wncd crash. |
|
C9800: "% TDL error:" thrown while configuring clients under manual exclusion list in Cisco IOS-XE 17.6.1. |
|
Cisco Catalyst 9800 Wireless Controller fails to update sdn-network-infra-iwan key after a year. |
|
Pubd crash is observed with tdl_get_manifested_type_info_ptr_mem in 200 Access Points mesh configuration with telemetry subscriptions. |
|
Telemetry: Cisco IOS-XE controller crashes after using show telemetry ietf subscription all command. |
|
GUI does not load the AVC page from Configuration > Services > AVC. |
|
Cisco Catalyst 9800-80 Wireless Controller in SSO running 17.03.04 with APSP and SMU crashes causing unexpected HA failure. |
|
Controller crashes within 10 minutes after starting the pure intra wnc roam at 600 Clients Per Second. |
|
Controller crashes due to memory leak in Simple Network Management Protocol (SNMP) process. |
|
Controller rejects clients with wrong PMKID when changing AKM from FT to dot1x and FT again. |
|
Controller crashes during webauth AAA routines generating wncd core. |
|
Improve serviceability to figure out the reason for blacklisting 802.11w client. |
|
SSDP does not function across VLANs for wireless clients in the same UDN domain. |
|
17.3.5: The show commands, HTTPS, and SNMP stop working in Cisco Catalyst 9800-80 Wireless Controller when DBM process CPU stays high at 100%. |
|
WLAN stopped broadcasting after a configuration change in the WLAN profile. |
|
Controller crashes at ewlc_wlanmgr_wlan_ref_count_cleanup_timer_cb. |
|
Segfault is seen when updating the 802.11 client parameters. |
|
SNMP MIB at times does not return all data or no data at all for SNMP walk with high client count. |
|
Controller displays incorrect available bandwidth calculations for QBSS_AAC with voice CAC and FlexConnect AP. |
|
Controller crashes during mobility routines generating wncd core. |
|
Controller deletes the client when DHCP RELEASE is sent by the client during Posture. |
|
Controller crashes in WNCd when changing the "mac ip binding" configuration. |
|
Controller sends QBSS_AAC with zero available bandwidth after DEL TS. |
|
Intermittent crash is observed in the active controller with Port channel in QoS code. |
|
Cisco Catalyst 9800 Wireless Controller related WLAN configuration is not pushed to APs during a specific wncd. |
|
Client gets stuck in Authenticating state after failing the Broadcast key rotation process. |
|
Client gets deleted due to VLAN failure after performing L3 roaming when VLAN persistency is enabled. |
|
Standby controller goes to standby recovery when Gateway Failover is enabled. |
|
High CPU utilization is observed in wncd due to continuous log in ra_trace "WebAuth info not found while termin". |
|
Clients randomly get excluded in the Controller with the "CO_CLIENT_DELETE_REASON_EXCLUDE_VLAN_FAIL" reason. |
|
AAA server is not marked as UP even when it is reachable, and client does not authenticate through the server. |
|
Cisco Catalyst 9800-80 Wireless Controller crashes due to "ewlc_capwapmsg_free_msgbuf_internal". |
|
The controller HTTPS access is broken after an upgrade to Cisco IOS-XE 17.3.5a. |
|
"wncmgrd" process memory leak is observed in Cisco IOS-XE 17.8. |
|
Controller deletes client after roaming with "CO_CLIENT_DELETE_REASON_IP_DOWN_NO_IP" reason. |
|
Controller reloads with the reason "Critical process wncd fault on rp_0_0 (rc=139)". |
|
Controller initiates EAPOL retries for the client in RUN state. |
|
Clients in RUN state are unable to pass traffic after Change of Authorization (CoA) is completed. |
|
Memory leak is observed in the WNCD process due to Unknown responses from the RADIUS server. |
|
Cisco Wave 2 Access Points use native VLAN instead of VLAN used in the Policy Profile. |
|
Secondary controller crash is observed during redundancy switchover. |
|
GUI takes a long time to display the initial page due to http request wirelessDeviceSummary. |
|
Client traffic fails when client roams between Access Points with a transition between dot11r and dot11i. |
|
High Availability split brain is observed due to multiple secondary addresses in the interface. |
|
Zebra RF Gun clients are unable to get the IP address and get stuck in IPLEARN STATE. |
|
Controller deletes client due to DELETE_REASON_MOBILITY_FAILURE triggered by WEBAUTH_ON_MAB_FAILURE_ROAM. |
|
Client fails to connect when protocol based Quality of Service (QoS) is configured. |
|
Cisco Catalyst 9800-80 Wireless Controller crashes with reason Critical process wncd fault on rp_0_3 (rc=134). |
|
Cisco IOS-XE controller sends SNMP client instance in SNMP wireless client traplogs. |
|
Access Point network icon is missing in the 17.5.1 GUI for Privilege Level 1 users; the config icon is displayed instead. |
|
Cisco Catalyst 9800 Wireless Controller generates cpp-mcplo-ucode cpp_fatal_internal in 17.7.1 image. |
|
Access Point does not assign native VLAN when there is no vlan-id configured in the Policy Profile. |
|
"Band Selection" does not change from 2.4-GHz to 5-GHz when performing the operation using 2.4-GHz radios. |
|
Controller sends wrong payload information to AP when mesh RRM is enabled or disabled. |
|
SNMP cLMobilityGroupMembersOperEntry table is not working. |
|
RADSEC counter always remains zero. |
|
Controller crashes with "Critical process nmspd fault on rp_0_0 (rc=1)". |
|
ARP Broadcast in GUI is shown as DISABLED for some VLANs even though it is enabled in VLAN configuration. |
|
Static workgroup bridge (WGB) client does not move to RUN state in the controller. |
|
The controller GUI does not display trustpoints in the PKI Management Trustpoints tab. |
|
MAC authentication bypass (MAB) client does not move to exclude state during a MAB failure. |
|
Client is unable to pass traffic after roaming using WPA2 Opportunistic Key Caching (OKC). |
|
Memory depletion and high WAN latency is observed in FlexConnect deployment. |
|
Japanese GUI displays wrong Mesh information. |
|
Interim update is not sent to AAA during client reassociation or roam in GA. |
|
Image download profile special character support. |
|
WNCD process crash is observed when applying Cisco ATF profiles. |
|
Ethernet over GRE (EoGRE) client traffic stops working after an SSO. |
|
Cisco Catalyst 9800-CL Cloud Wireless Controller crashes after updating the WLAN configuration. |
|
Invalid logging level is observed for Locator ID Separation Protocol (LISP) log. |
|
Incorrect VLAN is assigned to initiate SIP when SIP and AAA override combination is used. |
|
Standby controller crashes when the controller is configured in RMI+RP High Availability mode and wired guest feature. |
|
AP XOR radio role mismatch between GUI and CLI. |
|
Dropping the packets in Cisco Catalyst 9800-CL Cloud or Cisco Catalyst 9800-L Wireless Controller when the call snooping is enabled and call cannot be established. |
|
Controller Web UI does not allow WPA-TKIP only configuration. |
|
Controller does not update radio frequency identification (RFID) location properly. |
|
Unable to map SSID with spaces in it on an attribute list. |
|
WLAN clear refcount command does not accept WLAN names with special characters. |
|
Controller discards the location updates from radio frequency identification (RFID) tags. |
|
The show process cpu platform sorted command is required in show tech wireless. |
|
The AAA VLAN override is not considered with iPSK authentication and anchor WLAN. |
|
Stale client entries are not deleted and stuck in device-tracking database. |
|
CRL verification failure results in 400 Bad Request with DigiCert. |
|
Few OIDs in CISCO-ENHANCED-MEMPOOL-MIB display No instance after switchover in Cisco IOS-XE 17.6.1. |
|
Controller crashes intermittently due to wncd critical process failure. |
|
Controller MAC filtering: WLAN profile column displays the WLAN name and description. |
|
Syslog "LISP RELIABLE REGISTRATION" needs to be enhanced. |
|
L2VNID number in the controller command line and GUI are different. |
|
Verify traffic flow in RP port similar to Internet Control Message Protocol (ICMP) displaying RTT drops and "show int" command. |
|
Controller needs to display the counters of devshell in ethtool -S ha_port. |
|
Warn users if a configuration is not applied correctly and remedial steps are to be performed. |
Resolved Caveats for Cisco IOS XE Amsterdam 17.3.5b
Caveat ID |
Description |
---|---|
APs are unable to join the controller due to invalid Maximum Transmission Unit (MTU) in AP join request. |
|
Traceback is observed when QoS policy is removed in CPP, client is unbound from the policy, and Address Resolution Protocol (ARP) is still flowing. |
|
Cisco Catalyst 9130 Access Point does not send M1 over the Air. |
|
Cisco Catalyst 9130AX AP: High channel utilization and client lags are observed with 9 or more clients using MS TEAMS. |
|
Controller crashes within 10 minutes after starting the pure intra wnc roam at 600 Clients Per Second. |
|
Controller crashes at ewlc_wlanmgr_wlan_ref_count_cleanup_timer_cb. |
|
Cisco Catalyst 9120 AP does not send multicast data till it snoops the IGMPv2. |
|