Table Of Contents
Release Notes for the CiscoWorks Wireless LAN Solution Engine, Release 2.13
New Features
Product Documentation
Documentation Updates
Known and Resolved Problems
Obtaining Documentation
Cisco.com
Documentation DVD
Ordering Documentation
Documentation Feedback
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for the CiscoWorks Wireless LAN Solution Engine, Release 2.13
Revised: June 5, 2006, OL-8373-01
These release notes are for use with the CiscoWorks Wireless LAN Solution Engine (WLSE) Release 2.13.
These release notes provide:
•
New Features
• Product Documentation
• Documentation Updates
• Known and Resolved Problems
• Obtaining Documentation
• Documentation Feedback
• Cisco Product Security Overview
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
New Features
The WLSE Release 2.13 contains support for:
•Deployment on the following hardware platforms: 1130, 1130-19, and 1030.
•Software support for:
–Cisco IOS software version 12.3(8)JA
–User role integration with ACS
–Enhanced support for WLSM faults, reports, discovery, and inventory
–IDS: Management Frame Protection (MFP)
–Voice support (802.11e TSPEC CAC), GPR
–Voice support which includes:
Traffic Stream Metrics
GPR
Enhanced radio parameter generation to support voice deployment
Voice profile to support consistency between Self Healing and radio parameter generation
Note Non-IOS APs are not supported on WLSE 2.13.
Product Documentation
You can access the WLSE online help by clicking the Help button in the top right corner of the screen or by selecting an option, then clicking the Help button. You can access the user guide from the online help by clicking the View PDF button.
The following product documentation is available for the WLSE Release 2.13:
Documentation Updates
The latest version of the CiscoWorks Wireless LAN Solution Engine documentation does not include the following information:
•The Supported Browsers section should read Java Plug-in version 1.5 is required.The Java Plug-in is used by certain WLSE features such as Location Manager and Real Time Graphs. The Java Plug-in can be installed from a third-party source such as Sun Microsystems.
•In addition, Mozilla should be replaced with Firefox version 1.06.
•The Deployment Wizard section of the User Guide for the CiscoWorks Wireless LAN Solution Engine should contain the following information:
•The roles and privileges assigned to your login determine whether you can use the Deployment Wizard. Select Admin > User Admin > Manage Roles, and make sure that both the Wizard > WLSE Wizard and Configure > Auto Update options are checked.
•The Naming Guidelines in the online help should include information stating that pound (#) signs must not be used in the shared secret for RADIUS or TACACS+ authentication modules, which are defined under Admin > Appliance > Security > Authentication Modules.
Known and Resolved Problems
Caution Refer to Bug ID
CSCse02049 for important information regarding a patch needed after upgrading to WLSE 2.13 from Releases 2.11 or 2.12.
• Table 2 describes problems known to exist in this release.
• Table 3 describes problems resolved since the last release.
Note To obtain more information about known problems, access the Cisco Software bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)
Table 2 Known Problems in the WLSE
Bug ID
|
Summary
|
Explanation
|
CSCeb36372
|
The Client Historical Association report does not contain a disassociation time.
|
The Client Historical Association report does not have information about the last time a client associated with the AP, the time it disconnected from the AP, the duration of the association, or the association state.
There is no workaround for this problem.
Note In the current release, only association times of a client are supported. Disassociation time of the client is not available in this release.
|
CSCec41188
|
You cannot add an AP-based LEAP server to the WLSE if it is already a managed by WLSE.
|
You cannot add an AP-based LEAP/EAP-FAST server to WLSE if that AP is already being managed by WLSE. The WLSE views it as a duplicate device.
There is no workaround for this problem.
|
CSCef90440
|
A database exception occurs when creating jobs in multiple WLSE sessions.
|
When you try to create WLSE configuration templates in two separate browser windows simultaneously, one configuration template does not get saved.
To work around this problem, create templates in a single browser window at one time.
|
CSCeh06754
|
Radio Monitoring is not enabled after rebooting a 350 AP.
|
Occasionally after rebooting a 350 AP, if you do show wlccp ap rm, Radio Monitoring is not enabled on the AP even though it is enabled from WLSE.
To work around this problem, reenable Radio Manager from WLSE.
|
CSCsa60720
|
Location Manager loads with a previous version of jar file.
|
To work around this problem, close all instances of your browser to clear the Java cache. Then relaunch your browser and relaunch Location Manager.
|
CSCsa79506
|
If a switch has multiple IP addresses, port suppression may fail.
|
If a switch has multiple IP addresses, port suppression might fail. In order for a switchport to be suppressed, the switch must be in the Managed state. If a switch has multiple IP addresses, WLSE stores only one IP address. If WLSE discovers the rogue on a different VLAN on the same switch with a different IP address (other than the one stored in WLSE), WLSE does not suppress the port because this IP address is not in the database.
To work around this problem, manually suppress the switchport from the Rogue Details screen.
|
CSCsa93652
|
Backup data fails occasionally due to database locks.
|
The backup function occasionally does not work.
To work around this problem, do the following:
Stop the services by entering
services stop
services status
Make sure the database is no longer running, and then restart the services by entering
services start
If the services do not restart after entering these commands, reboot the WLSE.
After restarting the WLSE, log into the WLSE and select Admin > Appliance > DIAGNOSTICS > Processes.
Check WirelessSvcMgr and click Stop.
Check WLSEjobvm and click Stop.
Check WLSEFaults and click Stop.
Make sure the processes actually stop; the green arrow pointing up should change to a red arrow pointing down.
After the processes have been stopped, perform the backup.
|
CSCsb54491
|
Non-base mac-add BSSIDs show up in the Rogue list if MBSSID is enabled.
|
If you have multiple VLANs/SSIDs set up on an AP and then turn on MBSSID, WLSE moves the non-base mac-add BSSIDs into the Rogue list.
This happens if the WLSE discovery process runs after the rogue is detected. After inventory runs, clear the fault.
There is no workaround for this problem.
|
CSCsb64225
|
Replacement AP shows incorrect MAC address in Location Manager.
|
If you replace an AP with a different AP that has the same management IP address (but different MAC addresses), after reinventory of that AP, all reports show the new AP's MAC addresses, but Location Manager still shows the old AP's MAC addresses.
There is no workaround for this problem.
|
CSCsb65071
|
An SNMP timeout occurs during AP radio scan jobs.
|
In some cases, you might get a "Not SNMP Accessible" error message on some APs during an AP Radio Scan even though the AP is SNMP reachable and the SNMP RW community string provided in WLSE is correct. During the start of the AP Radio Scan or in any of the following 8 power steps, WLSE gives an error message indicating that a particular interface is not SNMP accessible. A corresponding SNMP Timeout exception appears in the swan.log for the same APs.
To work around this problem, do one of the following:
•Reduce the number of APs in the AP Radio Scan job and then rerun the job.
•Create a new radio scan job and include the APs that had SNMP errors, select some neighboring APs (for example, from the same floor, one floor above, or one floor below), then run the AP Radio Scan job.
|
CSCsb65711
|
Deleted and re-discovered devices do not get listed in Radio Monitoring.
|
After an AP is deleted then rediscovered, Radio Monitoring is not turned on for that AP.
To work around this problem, select Radio Mgr > Radio Monitoring, select the AP, and turn on Radio Monitoring.
|
CSCsb69261
|
The 802.11a maximum power is not displayed correctly unless native power is enabled.
|
The 802.11a radio maximum transmit power for the UNII-2 (52-64) and UNII-3 (149-161) channels is incorrectly displayed as 30mW in the Location Manager GUI.
To work around this problem, enable dot11 extension power native on the 802.11a radio interface by issuing the following configuration commands:
ap(config)#int d1
ap(config-if)#dot11 extension power native
|
CSCsb73871
|
WLSM-WDS does not get discovered after being deleted.
|
After you delete WLSM-WDS from WLSE, subsequent manual discovery and auto-discovery of WLSM-WDS fails.
To work around this problem, reboot WLSE or stop and then start the services.
|
CSCsd01131
|
Telnet enable doesn't sync up to standby WLSE.
|
After you enable Telnet on an active WLSE, the user interface of the standby WLSE incorrectly shows that Telnet is enabled on the standby WLSE. However, Telnet is not enabled; you must use the Standby WLSE user interface to reenable Telnet.
|
CSCsd23516
|
Redundancy gets stuck in the pre-standby state after reinitdb.
|
The Standby WLSE server might remain in the pre-standby state for a long time, for example, more than 3 hours.
To work around this problem, log into the web server of the Active WLSE, navigate to Admin > Appliance > Redundancy > Manage Redundancy, and click Verify. When asked if you want to apply the changes, click Yes. The Standby WLSE will request another backup from the Active WLSE. After the backup is restored on the Standby WLSE, the WLSE will go to the Standby state.
|
CSCsd23688
|
Changing the webtimeout value starts another instance of Tomcat.
|
When you change the timeout value under Admin > Appliance > Time/NTP/Name/Web Timeout, another set of Tomcat processes are started but the previous processes are not terminated.
To work around this problem, reload the WLSE after changing the web timeout value.
|
CSCsd33933
|
"Voice stream is rejected due to other reason" is not updated.
|
When you generate a report under Reports > Voice > AP Group Voice Stream Summary: Current, the third column of the report displays "Voice Streams Rejected Due To Insufficient Bandwidth."The last column of the report is supposed to display "Voice Streams Rejected Due To Other Reason," which can be any one of the following reasons:
•The SSID is blocked for Admission Control.
•There is an incorrect PHY rate
•There is a TSPEC violation.
However, the report shows the voice streams rejected due to "TSPEC violation" only.
To work around this problem, get the detailed reason for the voice stream rejections from the AP console using the CLI command show dot11 cac. This displays the CAC settings and statistics, including the reasons for the rejections.
|
CSCsd38274
|
TSM QoS threshold settings that are modified in the GUI are overwritten.
|
If you modify and save the TSM QoS Threshold settings under Faults > Voice QoS Settings, and if for any reason, the WLSE is restarted (or the services are stopped and restarted), the TSM QoS threshold settings you modified are overwritten by the system default values. This happens only if and when the WLSE is restarted (or when the services are stopped and restarted).
There is no workaround to this problem. You need to reset the threshold values after the WLSE is restarted.
|
CSCsd66542
|
The date on some reports shows "dddd" for users other than the admin.
|
When a user other than admin accesses reports from the WLSE GUI, the date selection in Trend Reports and some of the Wireless Client Reports shows dddd for the year selection.
To work around this problem, use the default admin user to view Trend and Historical Reports.
|
CSCsd74705
|
Starting an upgrade from a WLSE 2.11, 2.12 or 2.13 base, on a slow link, and utilizing the MS Windows Repository method to upgrade may cause the upgrade to fail.
|
The Microsoft Windows Repository method first downloads the upgrade image from the Windows Server to the WLSE appliance. If this first transaction takes more than 15 minutes to complete, the actual upgrade never starts. Under normal link speeds, the download occurs in less than 15 minutes. The upgrade then has a chance to shut down the idle daemon while the upgrade runs.
To work around this problem:
1. Follow steps 1-7 under the Microsoft Windows Server Repository section in the WLSE-2.13-K9.readme-V1.txt file.
2. From the browser, manually disable the idle daemon before continuing with the upgrade as follows:
a. Select Admin > Appliance > Diagnostics > Processes.
b. Select WLSEIdleServer, then click Stop at the bottom of screen.
3. Continue with step 9 of the upgrade readme.
|
CSCsd89254
|
The authorization settings on a WLSE 2.13 with a restored Release 2.11 or 2.12 backup in which a remote service is configured, are set incorrectly.
|
Restoring a Release 2.11 or 2.12 backup onto a WLSE 2.13 system does not correctly restore the authorization settings if they are set to a remote service. The settings are only partially restored and should work, but will be reported incorrectly as set to local.
To work around this problem, re-run the auth command with the desired settings. This will correctly set all the needed parameters.
|
CSCse02049
|
Apply patch after upgrading/restoring to WLSE 2.13 from 2.11 or 2.12.
|
When you upgrade from WLSE 2.11 or 2.12 to WLSE 2.13, you might encounter the following problems:
•RPG will not work if there are no floor images with Client Walkabout data.
•For floors already present before the upgrade, RPG recommendation for power and channel will be suboptimal.
•Self Healing might fail or will not provide optimized power recommendation.
•ARSS might fail or raise false alarm.
To workaround this problem, you must install the WLSE-2.13-CSCse02049 patch after you upgrade to WLSE 2.13 from the following WLSE releases: 2.11 or 2.12.
Note The patch does not need to be applied immediately after the upgrade.
|
Table 3 Resolved Problems in the WLSE
Bug ID
|
Summary
|
Explanation
|
CSCeg43747
|
Unable to set EAP-FAST credential-lifetime using quotes.
This problem applies to WLSE 1030 only.
|
If you set the EAP-FAST credential lifetime value using double quotes (" ") from the CLI on a WLSE 1030, the following command fails:
aaa-server eap-fast credential-lifetime "8 days"
|
CSCsa75699
|
The installation wizard does not compare the WLSM version number.
|
Step 4 of the installation wizard displays the software version numbers for APs and WLSM. If you select Compare known devices version, you get a list of APs that meet the recommended version requirement, but the list does not include WLSM. In addition, the recommended version numbers for WLSM are not accurate.
|
CSCsa99224
|
Sometimes the VM crashes in rare conditions.
|
In rare conditions, sometimes the Tomcat or WLSEFaults virtual machine (VM) crashes. If any of the VMs crash in a redundancy environment, the standby WLSE takes over and becomes the Active WLSE and the system recovers. If the Tomcat VM crashes in a standalone environment, the WLSE GUI does not come up and the daemon manager tries to recover and restarts the services automatically. If the WLSEFaults VM crashes in a standalone environment, a red ticker scrolls in the window displaying the message "WLSEFault process is down." In some cases, the daemon manager does not know that the VM crashed and the process status still shows running. If this happens, the system does not recover automatically.
|
CSCsb25230
|
Sometimes disabling redundancy via the GUI on an active WLSE causes the database services to stop on the standby WLSE.
|
If you use the GUI to disable redundancy on an active WLSE, the database services might stop on the standby WLSE. If this occurs, you see the "User role empty" message when you try to log into the GUI of the standby WLSE.
|
CSCsb37387
|
WLSE time and date is not getting synced up with NTP server time.
|
If you set the WLSE time or date to a future date or time before you configure the NTP settings, WLSE does not sync with the NTP server date/time. However, if you set the date/time to a past date, WLSE does sync to the current date/time.
|
CSCsb60195
|
Wizard Compare Known Devices Version cannot detect 350.
|
If you select Wizard > Software, and click Compare Known Devices Version, the table does not show the following AP350 with the latest version, 12.3(7)JA.
|
CSCsb82715
|
Redundancy upgrade doesn't work if admin password changes.
|
If you change the admin password on one WLSE in a redundant environment while an upgrade to 2.12 is in progress, the upgrade will fail.
|
CSCsb95162
|
Windows Domain Auth Server configuration is lost during upgrade.
This problem applies to WLSE 1030 only.
|
When you upgrade a WLSE 1030 from WLSE 2.11 to WLSE 2.12, all data on the Windows Domain Authorization Server page, including host name, port, default domain, default AAA user group, and AAA user groups to windows groups attributes, is lost.
|
CSCsc39117
|
Upgrading to WLSE 2.12 without adequate space may cause you to lose the database.
|
After upgrading to WLSE 2.12, the database does not start, but the web GUI does start and attempts to log in. You are not able to log in to WLSE successfully and a message appears in the upper right corner of the screen indicating the database did not respond correctly.
|
CSCsc50985
|
WLSE is unable to save SNMP community strings for an IP address range.
|
When you add SNMP community strings using an IP address range, for example 172.19.28.[2-80], WLSE does not save the community strings.
To work around this problem, use wildcards instead, for example, use 172.19.28.*.
|
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
•Report security vulnerabilities in Cisco products.
•Obtain assistance with security incidents that involve Cisco products.
•Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
•Emergencies — security-alert@cisco.com
•Non emergencies — psirt@cisco.com
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
•1 877 228-7302
•1 408 525-6532
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
•World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.
