New and Modified Software Features

Improvements

Cloud Monitoring for Catalyst Controllers

• The Cloud Monitoring for Catalyst Controllers feature helps to monitor Wireless Controllers using the Meraki dashboard. Currently, this feature is in a limited customer beta and is not supported by Cisco TAC.

Modified Trustpoints for Secure Unique Device Identity (SUDI) Certificates

From Cisco IOS XE 17.9.5 onwards, the following changes have been introduced for trustpoints:

1. Trustpoint names for existing SUDI certificates. If your device supports Cisco Manufacturing CA III certificate and is not disabled, the trustpoint names are as follows:

• For Cisco Manufacturing CA III certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA3_SUDI
• For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA2_SUDI

1. If your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled using no platform sudi cmca3 command, the trustpoint names are as follows:

• For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA2_SUDI
• For Cisco Manufacturing CA certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA_SUDI

Hardware SUDI certificates

• If your device supports High Assurance SUDI CA certificate, this certificate is loaded under CISCO_IDEVID_SUDI trustpoint.
• If your device does not support High Assurance SUDI CA certificate, ACT2 SUDI CA certificate is loaded under CISCO_IDEVID_SUDI trustpoint.

show wireless management trustpoint command output

• If Cisco Catalyst 9300 Series Switch is used with a Cisco Catalyst 9800 Series Wireless Controller for wireless deployments, the trustpoint name in the output of show wireless management trustpoint command is updated to the modified trustpoint name as mentioned previously.

show ip http server status command output

• If you configure the trustpoint for the HTTP server as CISCO_IDEVID_SUDI, the output of show ip http server status command displays the operating trustpoint along with the configured trustpoint.

Open Caveats

CSCwi51168

FlexConnect setup fails to renew 4-way handshake when Pairwise Master Key (PMK) ID does not match.

CSCwi55714

Controller reboots when handling Cisco Network Mobility Services Protocol (NMSP) Transport Layer Security (TLS) connection.

CSCwi53481

Controller loses SUDI MIC trustpoint when upgrading from Cisco IOS-XE 17.6.4 to 17.9.4a via SDA.

CSCwh63050

Controller with Cisco IOS-XE 17.9.3 sends Internet Group Management Protocol (IGMP) queries with a non-WLC IP address and MAC address.

CSCwi16509

APs do not join the controller with Invalid radio slot id error.

CSCwi60173

Security Group Tag (SGT) is not applied to wireless client in Software Defined-Access (SDA) fabric.

CSCwi28382

Controller reloads unexpectedly due to Keymgmt: Failed to eapol key m1 retransmit failure. Max retries for M1 over .

CSCwi57179

A client with a static IP is assigned to the wrong VLAN (vlan group) during roaming.

CSCwh18613

Encrypted mesh pre-shared key changes each time the password encryption aes is applied.

CSCwi62934

Cisco Catalyst 9120 AP drops the large frame downstream towards the wireless client.

CSCwi16104

Controller experiences an unexpected reboot in DBM during the Flex VLAN list retrieval.

CSCwi66133

Cisco Catalyst 9130 AP reloads unexpectedly due to kernel panic.

CSCwi42112

Wired clients learn MAC address from the Cisco Catalyst 9124 MAP port.

CSCwi56780

The MAC Authentication Bypass (MAB) is not initiated unless the controller deauthenticates the device.

CSCwi04855

Cisco Catalyst 9115 APs join and disjoin repeatedly with traceback.

CSCwi51025

Cisco Catalyst 9130 AP reloads unexpectedly resulting in kernel panic crash.

CSCwi27380

Media stream feature does not work.

CSCwi29636

Cisco Catalyst 9800-40 Wireless Controller reloads unexpectedly when Cisco IOS-XE 17.9.3 WNCD is down.