Wireless Troubleshooting Tools
id feature text level category action
0 WCAE No Messages reported Info Config Error Nothing reported
10025 WCAE Parsing: missing configuration file section(s), checks may not be executed properly:{0} Error Information One or more configuration sections were not found, this is indication of corrupted file, or very old software version. If the file is believed to be correct, please contact wcae@cisco.com, otherwise try to capture it again: https://developer.cisco.com/docs/wireless-troubleshooting-tools/#!how-to-colletct-sh-run-config
10026 WCAE line with invalid information:{0} Warning Information The line present in the file has incorrect format or unexpected values. this is indication of possibly corrupted file, or old software version. If the file is believed to be correct, please contact wcae@cisco.com
10027 WCAE Invalid File format provided, please use sh run-config (AireOS) or sh tech wireless (IOS-XE) Error Information The file provided to be parsed, is not one of the expected formats, and it may not be possible to run any analysis. If the file is believed to be correct, please contact wcae@cisco.com
10028 WCAE Critical error while running checks against file, section {0} Error Information A group of checks did not execute properly. If the file is believed to be correct, please contact wcae@cisco.com
10029 WCAE Critical error while doing data process at {0} Error Information Data analysis failed. If the file is believed to be correct, please contact wcae@cisco.com
20001 Certificate AP: Invalid certificate type, possible config error, or file format Warning Information The AP information for 'AP Certificate Type' is invalid, could be corrupted run-config file, or AP error
20002 HW AP: Access point without radio, possible domain error Warning Information Check if AP domain (ETSI, FCC, Japan, etc) matches the configured country types, alternately check PoE errors, or a hardware issue
20004 Radio AP: Unknown radio type, slot:{0} Error Information AP has invalid radio type, this could be corrupted run-config file, or new/unknown AP model
20005 Radio AP: Access point without valid TX levels, on slot {0} Error Information Radio reports no valid power levels, either radio is down (bug), wrong country code, or corrupted run-config file
20006 Radio AP: Unknown radio type in nearby info Error Information While parsing the 'nearby' section, the band type is not recognized, this is normally due to corrupted config file, please capture again
20007 CAPWAP AP: Possibly incorrect primary switch configuration, not found in controller list, or controller config not loaded. Warning Config Error The AP has configured a controller name which is not present in the analyzed config file. This may also indicate an error in the AP configuration.
20008 CAPWAP AP: Possibly incorrect secondary switch configuration, not found in controller list, or controller config not loaded. Warning Config Error The AP has configured a controller name which is not present in the analyzed config file. This may also indicate an error in the AP configuration.
20009 CAPWAP AP: Possibly incorrect tertiary switch configuration, not found in controller list, or controller config not loaded. Warning Config Error The AP has configured a controller name which is not present in the analyzed config file. This may also indicate an error in the AP configuration.
20010 Radio AP: Antenna gain set to zero in Radio Slot: {0} Warning Config Error Antenna gain may not be valid. If antenna gain was previously configured, then this may indicate an invalid template push from PI. This may lead to wrong TPC power calculation
20011 Radio AP: Antenna gain set to zero in 802.11a radio Info Config Error Antenna gain may not be valid. If antenna gain was previously configured, then this may indicate an invalid template push from PI. This may lead to wrong TPC power calculation
20012 CAPWAP AP: Empty primary controller. It is recommended, to have a primary controller name configured, for better/more predictive AP join process. This is not mandatory Warning Config Error Primary controller name is not set, this is not recommended as it can lead to random AP join across controllers (salt and pepper scenario). Recommendation is to have it explicitly configured
20013 CAPWAP AP: {0} and {1} controller names are the same, not recommended Warning Config Error Controller names for join process are same in at least 2 positions. This is not a recommended configuration
20015 Security AP: SSH is enabled on this access point. Depending on security policies this may or not be correct Info Information No action required, this is just informational message for awareness
20016 Security AP: Telnet is enabled on this access point. Depending on security policies this may or not be correct Warning Information Telnet is not a secure protocol, and not recommended for security reasons. It is advisable to use SSH for remote access to AP CLI
20017 Syslog AP: Syslog messages are sent to broadcast address, if there are errors reported by many APs, and there are too many APs per vlan, this can cause broadcast storms. For best practices, it is better to configure to individual server Warning Best Practices AP syslog is set to broadcast destination (default). It is recommended to configure unicast server, for security and ease of troubleshooting. Command: config ap syslog host global
20019 RRM AP: RRM values out of range, potential damaged radio, please double check with direct testing before replacement Warning Information AP reported a RRM value out of expected range. This could be indication of software or hardware defect, and should be investigated
20020 Radio AP: Channel number not found for slot {0} on Radio Parsing. Possible corrupted or incomplete config Warning Information AP lacks channel information on one of its radios. This is indication of incomplete or corrupted config file. Try to capture using transfer upload command
20021 CAPWAP AP: Default gateway not on same subnet as IP address of AP, this may be result of IP redirect or proxy ARP, this can cause severe problems, check your IP/DHCP config Error Information AP default gateway is outside its assigned subnetwork. This is normally indication of wrong configuration. Review DHCP pool or AP IP address settings
20022 RRM AP: Invalid RRM data found for AP. Section: {0} Error Config Error AP reported a RRM value out of expected range. This could be indication of software or hardware defect, and should be investigated
20023 Radio AP: More than 4 SSID per radio. High SSID counts may contribute to higher channel utilization. It is advisable to keep the SSID count per radio to the minimum needed. Warning Best Practices Each SSID consumes RF time, it is advisable for best performance to keep the number of SSIDs as low as possible, ideally on 4 or lower. If more SSIDs are required, make sure to disable low data rates to lower the impact
20024 WCAE AP: Missing configuration, information not present in file. Possible corrupted file Error Config Error This is indication of incomplete or corrupted config file. Try to capture using transfer upload command
20025 Certificate AP: Certificate with less than {0} calculated days left and Ignore MIC certs expiration is not enabled. Please validate cert date on directly on AP for confirmation, and enable the expiration date ignore feature on WLC Error Config Error Based on serial number, the AP certificate could have expired or expire soon. Use the WLC command: config ap cert-expiry-ignore mic enable, to avoid problems
20026 11n/11ac AP: Radio 11n or 11ac, operating in legacy mode due to security settings (no wlan with WPA2/AES or Open) Warning Config Error AP has 11n or 11ac capable radio, but due to configuration, it is operating in legacy mode. Ensure that you have WLANs with WMM and WPA2AES or Open policies to use high speed rates
20027 11n/11ac AP: Manual channel assignment in use with channel bonding and 11ac and/or 11n are disabled. Invalid configuration Warning Config Error AP has channel bonding configuration, but 11n/11ac are disabled. Please configure the AP back to 20 MHz to avoid issues
20028 RRM AP: The assigned channel is not in the DCA list. AP slot:{0} Warning Config Error Current assigned channel is not on the DCA list, this could cause problems on roaming or reaction to DFS events. It is recommended to match the DCA channel list to the AP assigned channels
20029 TCP-MSS AP: TCP-MSS feature should be enabled Warning Information TCP-MSS feature is not enabled, this can have performance implications. Use command: config ap tcp-mss-adjust enable all 1300, to enable it
20030 TCP-MSS AP: It is recommended to set the MSS size at 1300 Info Information TCP-MSS adjust value found to be different from 1300. This is not a problem , as value could be different due to network MTU characteristics. It is purely informational
20031 CAPWAP AP: Native vlan ID should be set for flex APs Info Best Practices For best practices, it is advisable to set native vlan in flex deployments
20032 Rogue Containment AP: Containment count over 0, this can produce performances issues. Use dedicated APs for this Info Information AP has been used for containment. This is a security feature, but its usage on client serving AP have severe impact on WLAN service availability. If containment is required, use dedicated APs to lower network impact
20033 CAPWAP AP: Native VLAN id should be same across the APs in Flex group. Error Config Error Native VLAN is not same across all AP in same flex group. This could have severe impact on roaming scenarios. It should be corrected to match
20034 CAPWAP AP: Invalid IP address configured on the {0} controller. Error Config Error The IP address configured in the AP controller list, does not match the address of the current controller. Possible invalid configuration that should be corrected
20035 AP-UX AP: UX Device has not been primed, this will affect functionality Error Config Error This is AP UX model, that has not been primed (country assigned). AP wiil operate with a subset of possible channels/powers, with impact to the network. It is strongly advised to correct this problem
20036 WCAE AP: Incomplete configuration file, no AP general config section found Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20037 WCAE AP: Incomplete configuration file, no RF config found slot 0 Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20038 WCAE AP: Incomplete configuration file, no RF config found slot 1 Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20039 11g/11n AP: No OFDM are set as mandatory for 2800/3800/1560 AP model, this can cause severe performance problems. Check CSCvi96066 Error Config Error Due to chipset behavior, AP models 2800/3800/1560 need at least one OFDM set as mandatory in the 2.4 GHz slot. You need to change either 2.4 global config, or the RF profile. Please be aware that using any OFDM as mandatory may limit legacy 802.11b clients to join
20040 Configuration AP: in IOS-XE controller, the AP is flagged as having invalid profile or tag Error Config Error Check AP assigned tags/profiles, use command show ap tag summary, validate misconfigured column
20041 Configuration AP: in IOS-XE controller, has Policy Tag with a Policy profile pointing to invalid WLAN Profile name. Check AP configuration Error Config Error Check the WLAN profile assigned to the Policy Profile/Tag, it has invalid name. This must be corrected
20042 Configuration AP: in IOX-XE AP has Site name not found in controller, this is either incorrect config, or error in file Error Config Error Check the AP site name is same as one configured in controller
20043 Configuration AP: in IOX-XE AP has Flex profile name not found in controller, this is either incorrect config, or error in file Error Config Error Check the AP flex profile name is same as one configured in controller
20044 CAPWAP AP has invalid IP netmask, please check if it is configuration error, or corrupted format line Warning Config Error Confirm netmask configuration on AP
20045 HW AP 1550 with 64MB Ram. it has restricted feature set Info Information None required, this is due to manufacturing date on AP
20046 CAPWAP Access point with name exceeding 32 characters, this could lead to memory corruption/crashes for releases without the fix Error Config Error Reduce AP name to 32 or lower, or upgrade to one of the fixed releases (17.6, 17.3.4, etc). This is related to defect CSCvy11981
20047 Configuration AP: in IOX-XE AP has join profile name not found in controller, this is either incorrect config, or error in file Error Config Error Check the AP join profile name is same as one configured in controller
20048 Radio AP has radio slots that are operational down. Validate if this is intentional Warning Operational Confirm the reasons why the radio slot shows as operational down. This could be due to configuration, PoE limits, channel assignament, DFS, etc
30001 Version Controller with not recommended code version:{0} Error Best Practices Controller is running deferred or not recommended code and should be upgraded. Refer http://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-TAC-Recommended-AireOS.html
30002 AP Groups Controller with APs with AP-Group in use Info Information Nothing required, this is purely informational message
30003 AAA Override Controller with at WLAN with AAA Override in use. {0} Info Information Nothing required, this is purely informational message
30004 CAPWAP Controller is currently on Layer 2 mode, this may lead to scalability problems or broadcast control issues Warning Deprecated This message is only applicable for 4400 or older controllers, on LWAPP mode. L2 was no longer recommended mode of operation
30005 Interface Interface has 0.0.0.0 address, incorrect configuration: {0} Warning Config Error An interface does not have an IP address assigned. This is not recommended because it might affect DHCP handling in the controller.
30006 Backup Port AP manager interface with backup port, incorrect configuration: {0} Error Config Error Never configure a backup port for an AP-manager interface, even if it is allowed in older software versions. The redundancy is provided by the multiple AP-manager interfaces
30007 Interface Interface does not have port assigned, incomplete CLI configuration: {0} Error Config Error Interface created without any port assignment, incomplete config. Use config interface port command to correct this problem
30008 Hardware Controller with high internal temperature: {0} Error Operational Controller operating outside its internal temperature limits. Check environmental conditions, as this could lead to HW failures
30009 Spanning Tree Spanning Tree Algorithm is enabled in controller, this must be disable, as this may cause stability issues Error Deprecated This is legacy check for older AireOS controller models. It may have negative interactions with other STP devices in the network
30010 Interface Duplicated IP address with controller: Error Config Error Same IP address was detected across two or more controllers. This could cause traffic loss and multiple failures scenarios
30011 RF Group RF Group Name is different with Controller: Warning Config Error The RF group name is used to stablish relationship between controllers, and it is different across the controllers included on the files analyzed. This could affect TPC and DCA calculations. It may be intentional if the network should be split at RF level. Command: config network rf-network-name
30012 AP Manager AP manager interfaces count less than number of active ports, and no LAG, not supported configuration Error Config Error For non LAG scenarios, all active physical ports should have a AP manager interface associated, otherwise there can be traffic issues, or CAPWAP errors. Check active port assignment on the interfaces
30013 WPA/WPA2 WLAN with both WPA and WPA2 enabled, this may cause problems with old client drivers and some PDAs. WLAN(s):{0} Info Best Practices WPA in general is not recommended, it should only be used for legacy client support. Some older clients may have problems if WPA and WPA2 are enabled on same WLAN. This is not an issue if all clients are relatively recent
30014 Multicast Multicast address is same as mDNS, this may cause problems with Apple Bonjour, iTunes. Network: {0} Warning Config Error Multicast forwarding address overlaps with the mDNS address(224.0.0.251), this will break Apple Bonjour, as traffic will be dropped, it should be changed. Command:config network multicast mode multicast
30015 Multicast Current address is {0}, it is recommended for best practices to use a multicast address on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0. and 239.128.0.x. Warning Best Practices It is advisable to use a private multicast address. Command:config network multicast mode multicast
30016 Multicast Current selected multicast address ({0}), can generate a flood, as it overlaps with local mac address. It is strongly recommended to use one on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0.x and 239.128.0.x Warning Config Error Switch address to mac conversion could cause a L2 flood , it is advisable to change. Command:config network multicast mode multicast
30018 AP Manager AP manager interface on same subnetwork as Manager Interface, but VLAN is different, this may generate CAPWAPP protocol errors. Interface {0} Error Config Error This is a configuration error that may lead to CAPWAP errors, it should be corrected
30028 CAPWAP Max AP count reached on controller Error Best Practices WLC is running at its maximum capacity. No more APs will be able to join
30031 RRM Global RRM Min power limit in use: {0} Info Information This is informational message to indicate that there is a power limit set at global level (could be overridden by RF profile). No action required
30032 RRM Global RRM Max power limit in use: {0} Info Information This is informational message to indicate that there is a power limit set at global level (could be overridden by RF profile). No action required
30033 Multicast Multicast forwarding address not found for controller Info Config Error This is informational message to indicate possibly missing configuration
30035 WCAE WLC configuration taken with no-ap option, this limits all RF analysis and information that can be displayed. It is recommended not to use this option with WLCCA Error Information This is informational message to indicate that there is no RF information collected, and that will limit the analysis possible. For full analysis, collect with sh run-config or using transfer upload command
30036 NAC NAC and Fast SSID must not be used at same time. WLAN(s): {0} Error Config Error As FastSSID by design allows clients to jump between SSIDS without clearing current policies, it is not recommended to mix with NAC features on same WLAN
30037 RRM Non default RRM timer in use. This is not recommended unless directed by Cisco support. {0} Info Config Error This is informational message, no action required, if the timer was changed intentionally
30038 RRM RRM timer at 1h. This can cause problems on calculations. Must be avoided. {0} Error Best Practices Using RRM timer set to 1h may lead to different calculation errors. Unless this was directed by Cisco Support, it should be avoided
30040 Load Balancing Load Balancing window value too aggressive. Minimum recommended value is 5 or higher Warning Best Practices Using a low window can cause association errors, try to use 5 or higher. Command: config load-balancing window
30041 Load Balancing Load Balancing window is zero, it is strongly suggested to use higher value Error Config Error Using a window set to zero can cause serious association errors, try to use 5 or higher. Command: config load-balancing window
30045 Webauth Do not configure IP address starting by 127.x, as it may affect webauth. Interface(s): {0} Error Config Error Using loopback address will break webauth, reconfigure the interface. Command:config interface address
30046 Broadcast/Multicast GTK Randomization is enabled, this is intended only for Hotspot 2.0 deployments, and may break normal clients (no multicast/broadcast received ), normally not recommended. WLAN(s): {0} Error Config Error GTK randomization could cause clients to stop receiving broadcast, this could be intentional for security purposes. Command:config wlan security wpa gtk-random
30047 Interfaces Interfaces with overlapping address: {0} and {1} Error Config Error This is configuration error, there are interfaces with same IP address. it must be corrected. Command:config interface address
30048 11n Global MCS rate disabled, all rates from 0 to 15 must be set minimum, as supported, otherwise it may generate interoperability issues with some clients.Band(s) {0} Warning Config Error Some clients have interoperability issues if any rates on 0-15 is dissbled. Impact depends largely on client version, check if applicable to your deployment. It may be have been overriddend by RF profiles. Command: config 802.11a 11nSupport mcs tx
30049 Multicast Multicast or Broadcast forwarding enabled, with null multicast address destination. You should configure a multicast address Warning Config Error This is configuration error that will lead to traffic loss. A multicast address should be configured. Command:config network multicast mode multicast
30050 High Density RX SOP is in use for radio slot: {0} Threshold {1} Info Information This is informational message, no action required, if this was changed intentionally
30051 High Density CCA is in use for radio slot: {0} Threshold {1} Info Information This is informational message, no action required, if this was changed intentionally
30052 Webauth Webauth is in use, but no pre-auth ACL is set, this is required for external webauth, it may not apply depending on your configuration WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
30053 Webauth Webauth is in use, but no pre-auth ACL IPv6 is set, this is required for external webauth, and IPv6 fw is enabled. WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
30054 11n 802.11n/11ac radios are present, but WMM is disabled on the WLAN(s): {0} Warning Config Error This is configuration error that will prevent usage of high speed rates on the WLAN. If this is not intentional, it should be corrected. Command: config wlan wmm allow
30055 11n 802.11n radios are present, but WMM is disabled on the WLAN(s): Warning Config Error This is configuration error that will prevent usage of high speed rates on the WLAN. If this is not intentional, it should be corrected. Command: config wlan wmm allow
30056 High Availability HA is active, but no vlan set on Manager interface Error Config Error HA is only supported on tagged management interfaces. This is also recommended for WGB or IPv6 features, you should configure vlan on management interface. Command: config interface vlan management
30057 RF Legacy rate in {0} in use. Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Info Best Practices In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensible to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command:config 802.11b rate disabled X
30058 Multicast Multicast unicast mode is suboptimal transport for networks with IPv6, mDNS, etc. Multicast mode is recommended. To use it, you also need multicast routing between WLC and Aps Warning Best Practices Multicast unicast mode allows replication of broadcast and multicast frame, without network infrastructure support to multicast routing, but it is a very intensive process. For most scenarios, it is strongly suggested to use multicast-multicast replication mode
30059 Mobility This controller has a large mobility group count. For optimization purposes, please ensure that controllers with the same mobility group name are only configured when there is a shared RF space where roaming can happen Info Best Practices Remove mobility peers outside the same RF roaming space. This is purely an optimization
30061 Authentication EAP identity timeout may need to be larger if using EAP-TLS, OTP based authentication. Please validate on your specific client types before enforcing the changes Info Best Practices If using EAP-TLS, OTP is advisable to have a large EAP ID request timeout. Use command:config advanced eap identity-request-timeout, to set it to 30 seconds or higher
30062 DHCP Interface pointing to WLC as Internal DHCP server. This feature is not intended for large scale deployments. Please check depending on your network size, it may be recommended to use external DHCP Server. {0} Warning Best Practices One or more interfaces found that could be using WLC DHCP internal server. It is advisable to use external DHCP server for best performance on medium/large deployments
30063 Local EAP Local EAP in use. This feature is not intended for very large scale deployments. Please check depending on your network size, it may be recommended to use external Radius Server. {0} Warning Best Practices One or more WLANS using local EAP. It is advisable to use external Radius server for best performance on medium/large deployments
30064 Authentication EAPoL request timeout larger than {0} ms. EAP key requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes Info Best Practices EAPoL request timer found to be higher than 400ms. In most scenarios, 400 would allow faster recovery in case of problems. Some devices may need longer timers, so always check. Use command: config advanced eap eapol-key-timeout, to adjust
30065 Authentication EAPoL request retries lower than {0}. EAP requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes Info Best Practices EAPoL request retry count found to be lower than 2. In most scenarios, 3 retries should work. This value could be set to zero for Krack attack client side workaround. Command: config advanced eap eapol-key-retries
30066 TACACS Tacacs management timeout lower than 5 seconds. Using longer TACACS timeout is recommended for OTP systems. Server(s): {0} Warning Best Practices Using a low TACACS timeout can cause server issues or authentication failures. Use command: config tacacs auth mgmt-server-timeout X 5, to set it to 5 seconds or higher, replace X with the server ID
30067 Rogue Detection Minimum Rogue RSSI detection threshold should be set to {0} or higher, unless mandated by your security policies Info Best Practices Min RSSI feature allows to filter out unwanted rogues from the network (out of building). It is advisable to use -70 to -80 depending on your physical location and security policies. Command: config rogue detection min-rssi
30069 Rogue Contention At least one Autocontain policy is enabled. Rogue contention has severe impact on client serving time, it should be avoided unless mandated by your security policies Warning Best Practices One ore more auto-contain policies were detected, this could have legal and performance implications. Ignore if this is intentional
30070 AVC AVC is recommended. Ensure you are using 8.0 or higher, and current load on WLC does not exceed 50%. Info Deprecated This is general best practice. Please be aware of any possible performance impact for loaded controllers
30071 Fast SSID Fast SSID enabled is recommended for networks that may have Apple IOS client devices Warning Best Practices Fast SSID allows easier client jump between WLANS, and it is highly recommended for networks with Apple devices. It should not be used in combination with NAC policies. Command: config network fast-ssid-change enable
30072 CleanAir CleanAir detection disabled. It is highly recommended if your current AP HW types support the feature. Band(s): {0} Info Best Practices CleanAir provides additional visibility on RF issues. It should be enabled if the AP types support it. Command: config 802.11X cleanair enable network, with X=a or b. Ensure BLE beacon detection is disabled for best performance
30074 WPA WLAN with standalone TKIP policy. This will be deprecated soon due to certification requirements, or migrated to WPA2 AES+TKIP. It is advisable to modify the configuration. WLAN(s): {0} Warning Best Practices For security reasons, and certification requirements, TKIP as standalone policy is not recommended, and should only be used for strict legacy support
30075 WPA WLAN with WPA AES policy. This will be deprecated soon due to certification requirements, or migrated to WPA2 AES. It is advisable to modify the configuration. WLAN(s):{0} Warning Best Practices One or more WLAN affected: WPA/AES is not a supported policy for AP-COS Aps, it should be replaced with WPA2/AES
30076 NTP Controller without time source, please configure a valid NTP server Warning Best Practices No time source detected for this controller. It could be incomplete configuration, check that NTP servers are configured. Command: config time ntp server
30077 Security Controller with telnet enabled, this is not advisable from security point of view Warning Best Practices For security reasons, it is not recommended to use Telnet for CLI access to the controller, use SSH instead
30081 Load Balancing Enterprise: Aggressive Load Balancing is a recommended best practice for enterprise environments with proper AP density, for local mode APs. Do not use for WLANs with interactive applications (voice/video) Info Config Error Load Balancing could help on load distribution on some scenarios, it must be avoided for networks with interactive traffic like voice or video. Command: config wlan load-balance allow enable ID
30082 Client Profiling Local Profiling is a recommended best practice for better client visibility Info Information Local profiling is recommended in general, unless using NAC profiling. To enable: config wlan profiling local all enable ID
30083 High Availability High Availability is a recommended redundancy solution for supported platforms Info Best Practices This is general recommendation to use HA feature when possible, to improve network reliability
30084 Webauth Virtual Gateway IP is not on 192.0.2.0/24 , 198.51.100.0/24 , 203.0.113.0/24 networks, change to recommended to avoid overlapping with Internet Allocated addresses. RFC5737 Info Best Practices Virtual GW address must not match any Internet Routable address, as it could lead to controller absorving traffic for it. Use one of the recommended addresses
30085 CCX If not using Cisco WGB or Voice devices, it is recommended to disable Aironet Extensions for simplicity on the I.E. beacon set. WLAN(s): {0} Info Best Practices This is general recommendation to improve WGB support, and simplify information elements included in beacons
30086 Webauth If using sleeping client feature, idle timer must be lower than the session timeout. WLAN(s): {0} Warning Best Practices For sleeping client feature to work correctly, idle timer must be shorter than session timeout. Please adjust WLAN configuration
30087 Multicast If using AAA override or Interface Groups, enable the Multicast Vlan if using any multicast applications. WLAN(s): {0} Info Best Practices Multicast VLAN feature will allow that devices between different vlans associated on same WLAN, can receive all related Multicast traffic, it is recommended to enable this feature if using AAA override, and needing multicast applications
30088 CAPWAP Controller with 90% or more of AP licenses in use Warning Best Practices Controller is reaching its AP licensed capacity, evaluate if additional controllers or licenses are needed for future growth
30089 CAPWAP Controller with 90% or more of capacity in use and join priority enabled, monitor usage as AP disconnections may happen as configured Warning Best Practices This is warning that feature may trigger AP disconnection, to ensure this is a desired scenario
30091 Band Select Band Select is not in use on any WLAN. it is a recommended feature when there is a good AP density in Enterprise deployments. Do not use for WLANs with interactive applications (voice/video) Info Config Error This is purely a general recommendation, please validate if applicable in your environment
30092 RRM For enterprise environments, it is recommended to use DCA with 40 MHz channel width or Best setting, except for High Density deployment scenarios Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30093 AP Groups AP groups are not in use. For enterprise environments, it is best practices to enable this feature for more granular AP settings Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30094 RF Profiles RF profiles are not in use. For enterprise environments, it is best practices to enable this feature for more granular RF control Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30095 RRM DCA is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30097 RRM TPC is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Warning Best Practices This is purely a general recommendation, please validate if applicable in your environment
30098 RRM ED-RRM is not in use. It is recommended to enable for enterprise environments. Band(s): {0} Warning Best Practices This is purely a general recommendation, please validate if applicable in your environment
30099 RRM AP Load is not a recommended metric for Enterprise DCA. Disable to avoid possible channel flapping. Band(s): {0} Warning Best Practices Modify RRM DCA settings. This can lead to severe channel assignament issues, it is not rescommended for most environments
30101 RRM Channels 100-140 are not in use for DCA. If country regulations allows it, it is advisable to enable to improve channel distribution on 5GHz band Info Best Practices When possible, enable all supported channels, to reduce any co-channel interference on high AP density scenarios
30103 CAPWAP Untagged Management interface, this may affect feature behavior for IPv6, WGB vlan support. it is recommended to configure vlan on management interface Warning Best Practices Several features need management interface to have a VLAN tag, except for simple network scenarios, it is strongly recommended to have a VLAN assigned
30104 RRM DCA with channel bonding in use and 11ac and/or 11n are disabled. Invalid configuration. Warning Config Error Either enabled 11n/11ac networks, or set DCA channel width to 20 MHz
30105 11n/11ac/1ax Aggregation scheduler disabled. Band: {0} Warning Config Error This is a non-default configuration that could lead so severe performance impact. Enable with config 802.11a/b 11nSupport a-mpdu tx scheduler enable
30107 DHCP DHCP proxy enabled on the interface , but DHCP IP is not configured. Interface(s): {0} Warning Config Error DHCP proxy feature needs DHCP server IP address to be configured. Please add the missing information
30108 RF 2.4 and 5 GHz Networks are disabled. Info Information Informational message to notify that both bands are disabled, which is not a normal scenario. Please confirm if this is intentional
30109 mDNS mDNS profile is configured in WLAN, but global mDNS snooping is disabled. WLAN(s):{0} Info Information This is to inform that there is a possible incomplete mDNS configuration. if needing this feature, global mDNS should be enabled
30110 WIPs IDS legacy and WIPs submode are enabled at the same time. This is not recommended configuration Error Config Error It is not advisable to combine IDS and WIPS, as it can lead to some incompatibilities. Please isable legacy IDS if using WIPS
30111 DHCP It is recommended to have the DHCP proxy enabled. Info Parsing Error This is purely a general recommendation, please validate if applicable in your environment
30112 Multicast The IPv6 Multicast/Broadcast mode is on Unicast. Warning Information For performance optimizations, it is recommended to use multicast transport mode. Please enable in general multicast settings
30113 MFP 11v is enabled, it is recommended to have the MFP infrastructure disabled. It may cause incompatibility with some clients. WLAN(s): {0} Warning Information This is purely a general recommendation, please validate if applicable in your environment
30115 HW RAID drive status is not reported as OK. It should be checked. Error Operational Disk status may have issues, please check if your RAID disks are in proper state. This may need TAC case for replacement
30116 Mobility Mobility Multicast enabled but the mobility peer {0} is not in the controller management subnet. Impact depends on network multicast routing state Warning Information Mobility multicast may cause roaming issues, not a recommended configuration. If the controllers are on different subnets, it needs proper multicast routing support
30117 Certificate Certificate {0} and Ignore MIC certs expiration is not enabled. Please validate cert date on directly on Controller for confirmation, and enable the expiration date ignore feature on WLC Error Operational To avoid AP join issues for older harware, ensure you have ignore MIC certificate expiration enabled.
30118 Certificate Unknown Serial Number format. Certification Expiration Date can not be calculated. Info Information Error parsing serial number to calculate a possible certificate expiration date. No action required, just informational message
30119 NTP NTP Polling Interval is set, but no NTP Server is configured. Controller should have time source Warning Best Practices Please check the NTP time sync status, as having a proper time source is critical for several features
30122 RLDP RLDP is enabled for all AP types. This may have severe impact on voice applications, and lower performance for general data. It is advisable to use the option of monitor mode Aps if this is a security requirement, or disable it Error Information RLDP should be configured to use only Monnitor mode APs, please check your WPS configuration. This may have severe impact on performance
30123 Multicast Multicast Unicast forwarding mode is enabled, and either multicast or broadcast is in use with more than 50 APs. Depending on network traffic characteristics, this could have large performance impact. It is advisable to use multicast-multicast mode to prevent issues, which may have multicast routing dependencies on your infrastructure Warning Config Error Please check your multicast configurations under Network tab
30124 HW Controller with low memory: {0} bytes, {1:.2f} % available Error Operational This is wearning on a potential out of memory scenario. Evaluate if a reload is needed or contact TAC for further analysis
30125 WLAN Disabled WLAN, no checks run. WLAN(s): {0} Info Information No action required, this is just informational message
30126 Webauth Webauth is in use, but no pre-auth ACL for flexconnect is set, this is required for external webauth,wlan is set for local switching and there are Flex APs detected. WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
30127 FRA RRM leaders do not match between 2.4 and 5GHz bands, this could lead to errors on FRA calculations Error Config Error FRA needs that both 2.4 and 5GHz leaders run on same physical controller. In situations for static leaders, if the platform license AP count is exceeded, the grouping may be splitl leading to this situation. In that case, FRA can't be used. A configuration change or reassignment of APs is recommended
30128 CleanAir CleanAir BLE Beacon detection signature has significant performance impact, it is recommended to run CleanAir enabled, with this specific device type disabled, unless required by deployment Error Config Error Ensure BLE beacon detection is disabled for best 2.4 GHz performance, unless required by deployment. Command: config 802.11b cleanair device disable ble-beacon
30129 Webauth HTTPS interception for Webauth may have severe performance impact due to scalability problems, only use on small deployments. Use a recommended code from 8.7 and higher, if this feature is required Error Config Error HTTPS redirection was redesigned from 8.7, with significant performance improvements. If possible upgrade to a recommended release above 8.7 if HTTPS webauth redirection is required
30130 Security WLC is not vulnerable to CVE-2017-13082 802.11r/FT Info Config Error Informational message about vulnerability exposure
30131 Security WLC is vulnerable to CVE-2017-13082 802.11r/FT, it is recommended to upgrade or apply workaround Error Config Error Informational message about vulnerability exposure, upgrade is recommended
30132 Webauth No IP address detected, or invalid address on Virtual GW interface Warning Config Error This is potential indication of either corrupted config file sent for processing, or the address used in the virtual GW is invalid. it could lead to issues on webauth or DHCP processing
30133 Rogue - CMX Rogue queues have high utilization. Possible MSE/CMX connection problem Error Config Error If any of Rogue queues show a high utilization, this may be indication of a MSE/CMX connection problem (server is down, TLS auth failed, wrong server IP configured, etc)
30134 Leak High system timers utilization (more than 80% in use). This is indication of a leak or extreme utilization scenario Error Config Error A high timer count report may be indication of a timer leak (software defect) or a extreme high load. This should be investigated as it may lead to several features affected
30135 IPv6 Link Local bridging is enabled, and the controller is not running code with the fix CSCvf15991, this may cause traffic forwarding issues Error Config Error The Link Local bridging feature may lead to traffic forwarding randomly failing, especially for AAA override clients. Please upgrade to code with the fix CSCvf15991, for example: 8.5.120.0, 8.3.141.0, 8.6 or higher, or disable the feature. Command: config network link-local-bridging disable
30136 Webauth Port 443 is configured for redirection, instead of using the HTTPS redirection feature. This will break management HTTPS access when using 8.3.140.0 or higher Error Config Error The webauth port list should be cleaned with the command : config network web-auth port 0
30137 Roaming Assisted Roaming is enabled, this could cause roaming failures in multiple scenarios. It is recommended to use 802.11k/v roaming instead. Reported for WLAN(s): {0} Warning Config Error Disable the feature using the command config wlan assisted-roaming prediction disable X, where X is the WLAN ID
30138 HW Controller with high external temperature: {0} Error Operational Controller air intake is exceeding the supportate range, please check environmental conditions as this could lead to HW issues
30139 HW Controller with high mGig temperature: {0} Error Operational Controller mGig port temperature sensor reports high value, this could indicate a HW problem
30140 Performance Data plane Fast cache is disabled. This may have severe performance impact, and should only be used following TAC instructions Error Config Error If this is not part of explicit troubleshooting scenario, enable it with config advanced fastpath fastcache enable
30141 PMF WLAN with PMF set as required and 9120 AP models detected. This may have negative performance impact if the client does not support SHA256. Either set to PMF Optional or use 8.10MR1 code. WLANs: {0} Error Config Error AP model 9120 had a mandatory requirement for SHA256 and PMF, if the client does not support this option, it could lead to limiting client to legacy rate. Configure your WLAN for PMF optional/disabled, or upgrade
30142 DHCP Global DHCP timeout is set to less than 30 seconds, this may cause on boarding failures. Unless justified, try to keep the default of 120 seconds Warning Config Error Use the command 'config dhcp timeout 120'
30143 WPA3 WLAN with WPA3 and Adaptive FT roaming enabled. This is not recommended. WLAN(s): {0} Warning Best Practices Adaptive FT has not been tested for WPA3 scenarios. Either change to FT enabled, or disable it
30144 FT WLAN with CCKM and FT roaming enabled. This not supported, and may cause some client types to fail. WLAN(s): {0} Error Config Error FT has not been tested for CCKM scenarios, and configuring both will cause client connection issues. You should disable CCKM
50003 Mobility Peer down. This may have impact on CPU usage, and roaming. Peer(s): {0} Error Operational On some scenarios, a mobility peer down can drive CPU usage up. Please check configuration, remove any unused peer entries, and/or check controller reachability
50006 Mobility Controller is not referencing itself as Info Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50007 Mobility Controller is referenced as in controller Info Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50008 Mobility Controller has different group name as configured in controller Error Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50010 Mobility No management interface found!. Probably an incorrect config file Info Information Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50012 Mobility Multicast This controller does not have Multicast Address assigned, but others peers have. Validate that this is intentional, that this is not a mix of different controllers versions, or error in parsing config file Error Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50013 Mobility Multicast Controllers have different Mobility Multicast Address. Validate configuration Error Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50014 Mobility Multicast Peer multicast address is same as mDNS (224.0.0.251), this may cause problems with Apple Bonjour, iTunes. Peer(s): {0} Warning Config Error Please check configuration
50015 Mobility Multicast Peer current address is not private range, it is recommended for best practices to use a multicast address on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0.x and 239.128.0.x. Peer(s): {0} Info Best Practices Possibly incorrect mobility configuration, address in use is not recommended. Not critical change
50016 Mobility Multicast Peer current selected multicast address, can generate a flood, as it overlaps with local mac address. It is strongly recommended to use one on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0.x and 239.128.0.x. Peer(s): {0} Warning Config Error Address in use could cause flood issues, it is advisable to change mobility configuration
50017 Configuration One of the following situations has been found: AAA Override, AP groups, of different subnetwork across same WLAN between WLCs evaluated. As you may have L3 mobility, for best practices, it is recommended to enable Symmetric mobility if using Voice services, or network core has RPF checks (Antispoofing, FW for example) Info Config Error This is just best practice recommendation
60003 RF Coverage Profile Failed in 2.4GHz Band, slot {0} per controller profile settings Info Information
60004 RF Interference Profile Failed in 5GHz Band, slot {0} per controller profile settings Info Information
60005 RF Interference Profile Failed 2.4GHz Band, slot {0} per controller profile settings Info Information
60006 RF Interference Profile Failed 5GHz Band, slot {0} per controller profile settings Info Information
60007 RF Load Profile Failed 2.4GHz Band, slot {0} per controller profile settings Info Information
60008 RF Load Profile Failed, 5GHz Band, slot {0} per controller profile settings Info Information
60009 RF Noise Profile Failed 2.4GHz Band, slot {0} per controller profile settings Info Information
60010 RF Noise Profile Failed 5GHz Band, slot {0} per controller profile settings Info Information
60011 RF AP has a neighbor on same channel at power {0} above co-channel threshold, for slot {1} Info Operational
60012 RF AP has a neighbor on same channel at power {0} above co-channel threshold, for slot {1} Info Operational
60013 RF AP on channel {0}, has a neighbor on a side channel {1} for slot {2} radio, with power {3} Info Operational
60014 RF AP has channel utilization at {0}% for slot {1} above threshold Info Operational
60015 RF AP has channel utilization at {0}% for slot {1} above threshold Info Operational
60016 RF AP detected a persistent device on channel with duty cycle of {0}%, type {1} on slot {2}, channel {3} Error Operational
60018 RF WLC has {0:3.1f}% of APs with high channel utilization for 2.4GHz Band Warning Operational
60019 RF WLC has {0:3.1f}% of APs with high channel utilization for 5GHz Band Warning Operational
60020 RF WLC has {0:3.1f}% of APs with failed Interference Profile for 2.4GHz Band Warning Operational
60021 RF WLC has {0:3.1f}% of APs with failed Interference Profile for 5GHz Band Warning Operational
60022 RF WLC has {0:3.1f}% of APs with failed Load Profile for 2.4GHz Band Warning Operational
60023 RF WLC has {0:3.1f}% of APs with failed Load Profile for 5GHz Band Warning Operational
60024 RF WLC has {0:3.1f}% of APs with failed Noise Profile for 2.4GHz Band Warning Operational
60025 RF WLC has {0:3.1f}% of APs with failed Noise Profile for 5GHz Band Warning Operational
60026 RF AP is isolated (no neighbors) on 2.4 band. This could be expected on single AP scenarios, but could be indication of poor RF design or NDP issues Warning Operational
60027 RF AP is isolated (no neighbors) on 5GHz band. This could be expected on single AP scenarios, but could be indication of poor RF design or NDP issues Warning Operational
60028 RF AP shows low coverage (all neighbors < -75 dBm) on 2.4GHz band. This could affect roaming and be indication of poor RF design or NDP issues Warning Config Error
60029 RF AP shows low coverage (all neighbors < -75 dBm) on 5GHz band. This could affect roaming and be indication of poor RF design or NDP issues, or physically isolated AP Warning Config Error This message is intented to flag APs that don't have a smooth coverage transition to other APs. This may be result of AP physical placement
60030 RF AP has asymmetric nearby between radios, if the antennas per band are the same, this could indicate a radio hang Warning Config Error For non DFS channels, if the antennas are same between both radios, if the AP has neighbors better than -77 in one radio, and none in the other, this could be indication of radio hang, and should be investigated
60031 RF AP has high channel count (more than 10) per day on radio slot0. Check RF conditions or RRM configuration Error Operational Frequent channel changes can cause severe impact in client stability. This could be triggered due to bad RF, RRM issues, or incorrect RRM configuration
60032 RF AP has high channel count (more than 10) per day on radio slot1. Check RF conditions or RRM configuration Error Operational Frequent channel changes can cause severe impact in client stability. This could be triggered due to bad RF, RRM issues, or incorrect RRM configuration
60033 Radio AP has radio slot in 2.4 band in a channel that has an Air Quality index below 60%, this could have significant negative impact to performance Warning Operational The RF environment is significantly degraded, this may have negative impact into overal network performance. It is advisable to take corrective actions, for example, a site survey, review AP positioning, check for RF interferers, etc
60034 Radio AP has radio slot in 5 band in a channel that has an Air Quality index below 60%, this could have significant negative impact to performance Warning Operational The RF environment is significantly degraded, this may have negative impact into overal network performance. It is advisable to take corrective actions, for example, a site survey, review AP positioning, check for RF interferers, etc
70003 Mesh Bridge Shared Secret is set to the default value, it is recommended to set a user defined secret on mesh environments Warning Best Practices Using default BGN is a security risk, please modify your mesh configuration
70004 Mesh It is recommended to have more than one RAP per BGN for redundancy on sectors with multiple MAPs Warning Best Practices This is a general topology recommendation, please check if it applies to your network design
70005 Mesh if AP density/channel allocation allows it, it is recommended to use 40 or 80 channel width for backhaul Warning Best Practices This is a general topology recommendation, please check if it applies to your network design
70006 Mesh It is recommended to use EAP as authentication method for mesh networks Warning Best Practices This is a security recommendation, please check if it applies to your network design
70007 Mesh Channels 100-140 detected as not in use. Use this channel range is necessary for some outdoor domains (p. e. ETSI) Error Best Practices Validate your 802.11a channel list, as this could lead to radio down scenarios on some countries
100001 Flex Flex Aps detected, but no flex groups in use Warning Best Practices This is a best practices recommendation, to use Flex groups whenever possible
100002 Flex Efficient AP upgrade is not enabled for Flex group(s): {0} Info Best Practices This is a best practices recommendation, to use Flex efficient upgrade whenever possible
100003 Flex Flex AP without flex group detected. Warning Best Practices This is a best practices recommendation, to use Flex groups whenever possible
100004 Flex AP has native VLAN not matching its group configuration, unless it is on different physical site, it would be a non-recommended scenario Warning Config Error Check AP Flex native VLAN configuration, if the AP is on same site as others in the same group, ensure it has same native VLAN
100005 Flex Flexgroup has AP included, but AP is not in Flex or Flex-Mesh mode Info Config Error
100006 Flex AP has WLAN-VLAN mapping not matching its Flex Group, possible AP with corrupted configuration Error Config Error Check AP Flex-WLAN mappings, at least one mapping group-specific was not maching expcted VLAN info
100007 Flex AP WLAN-VLAN mapping count not matching its Flex Group, possible AP with corrupted configuration, or per AP-specific WLAN entries Warning Config Error Check AP Flex-WLAN mappings, the WLAN count does not match its Flex Group to confirm it is intentional
110001 BYOD Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. Warning Information
110002 BYOD MAC filter is recommended to enable. Warning Information
110003 BYOD AAA override is recommended to enable. Warning Information
110004 BYOD 802.11r is needed for client fast transition. Warning Information
110005 BYOD Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. Warning Information
110006 BYOD Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. Warning Information
110007 BYOD User Idle Timeout should not be over 300sec. Warning Information
110008 BYOD Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. Warning Information
110009 BYOD Aggressive failover should be disabled to prevent WLC from pre-maturely mark ISE dead. However is based on customer needs and maybe still needs to be enabled Warning Information
110010 BYOD It is recommended to have less than 10 EAPOL Identity Request Retries. Warning Information
110011 BYOD It is recommended to have EAPOL Request Timeout less than 3 seconds. Warning Information
110012 BYOD It is recommended to have less than 10 EAP Identity Request Retries. Warning Information
110013 BYOD RFC3576 is not enabled on the radius server, please enable it for BYOD deployments. Server IP: Warning Information
120001 Security It is recommended to disable Management over wireless, if the feature is needed, ensure you have a proper CPU ACL Warning Best Practices In Config/network, you can enable/disable this feature. Use only when needed
120002 Security HTTPS for management is disabled, it is recommended to always encrypt management connections Warning Best Practices This is just warning on best practices for GUI management. You can enable in Config/Network
120003 Security It is recommended to monitor all channels for rogue detection. Band(s): {0} Error Best Practices This is best practices recommendation, to improve rogue detection. This is under 802.11a/b, General tab, Monitoring Channel setting.
120004 Security No WLAN with WPA2/802.1x was detected, it is recommended to use proper authentication for security reasons. This may not be applicable on some deployment models Warning Config Error It is expected to see at least one network with L2 security policies enable. This is just a general check to confirm if this is a status done intentionally
120005 Security No Rogue entries found. Check if rogue detection is enabled, or if it has been disabled per AP. Rogue detection is recommended for security reasons Warning Best Practices This is informational security check, to ensure rogue detection is properly set
120006 Security SSH is disabled and telnet is enabled. it is recommended to use SSH for security reasons Warning Best Practices This is informational security warning, to ensure proper management policies are in place. You can enable it under network configuration
120007 Security Client exclusion not detected on any WLAN. It should be enabled as a general security precaution. Warning Config Error Client exclusion can prevent DoS scenarios against your AAA subsystem. You can enable this under WLAN/Advanced tab
120008 Security AP Local credentials to access point CLI are not configured. For best security practices, it is recommended to configure to Username/passwords to all APs Warning Best Practices It is strongly recommended to change the default AP credentials, to a custom username/password. This can be done globally under Wireless/Access Points/Global Configuration
120009 Security No CPU ACL detected, it is recommended it, to restrict management access to the controller Warning Best Practices In some scenarios, a CPU ACL can be set to improve security. This may need testing, so use with care
120010 Security WLAN may be using management vlan. It is recommended to never set SSID into management vlan, even for anchor scenarios. WLAN(s): {0} Error Best Practices It is not advisable to share a WLAN With the managemet vlan, except for simple networks
120011 Security if high security is needed, AP should use dot1x authentication towards switch port Info Best Practices This is optional security best practice
120012 Security it is recommended to set policy to reject WiFi Direct clients for security purposes. Be aware this will impact association on some smartphone models. WLAN: Info Best Practices This is optional security best practice. It may not be suitable for some environments
120013 Security Minimum management password length should be 8 or higher Warning Best Practices This is optional security best practice
120014 Security The following Management Password polic{0} not enabled: {1} Warning Best Practices This is optional security best practice
120015 Security HTTP access to management is enabled, it is recommended to only allow https for security reasons Warning Best Practices This is optional security best practice
120016 Security High encryption for HTTPS management is not enabled. Some older web browsers may not support these stronger cryptos Warning Best Practices This is optional security best practice
120017 Security For security reasons, WEP is no longer recommended. WLAN(s): {0} Warning Information This is security best practice
120018 Security It is not recommended to have the EAP local policy with LEAP. Warning Information This is optional security best practice
120019 Security SSL is enabled for GUI management access, for security reasons it is recommended not to use it Warning Best Practices This is optional security best practice
120020 Security RC4 is enabled for GUI management access, for security reasons it is recommended not to use it Warning Best Practices This is optional security best practice
120021 Security CSRF protection is not enabled, it is recommended to enable to prevent these types of attacks Warning Best Practices This is security best practice
120022 Security SSH high encryption is not enabled, it is good security practice to enable it. Some older SSH clients may not support these stronger cryptos Warning Best Practices This is optional security best practice
230001 Version IOS-XE Controller with not recommended code:{0}, please check software download page for the current version for your hardware Warning Config Error Controller is running not recommended code and should be upgraded, better, similar code is available.
230002 Version IOS-XE Controller with deferred code:{0}, it is strongly advised to migrated to supported code Error Config Error Controller is running deferred code and should be upgraded
230003 Hardware At least one Environment (temperature, voltage, fan) sensor is reporting abnormal value: {0} Error Operational Check on show environment all, for possible HW or temperature issue
230004 RRM DCA is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Info Best Practices Check on show ap dot11 24/5ghz channel, for most deployments, using Auto mode is best option, unless you need specialized RRM settings
230005 RRM TPC is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Warning Best Practices Check on show ap dot11 24/5ghz txpower, for most deployments, using Auto mode is best option, unless you need specialized RRM setting
230006 Load Balancing AP Load is not a recommended metric for Enterprise DCA. Disable to avoid possible channel flapping. Band(s): {0} Warning Best Practices Check on GUI Radio Configurations/RRM/Band/DCA section
230007 RRM Non default RRM timer in use. This is not recommended unless directed by Cisco support. {0} Info Config Error This is informational message, no action required, if the timer was changed intentionally
230008 RRM RRM timer at 1h. This may cause problems on calculations. It should be avoided. {0} Error Best Practices Using RRM timer set to 1h may lead to different calculation errors. It should be avoided, unless this was directed by Cisco Support,
230009 RRM Channels 100-140 are not in use for DCA. If country regulations allows it, it is advisable to enable to improve channel distribution on 5GHz band Info Best Practices When possible, enable all supported channels, to reduce any co-channel interference on high AP density scenarios
230010 11n/11ac/11ax DCA with channel bonding in use and 11n/11ac/11ax are disabled. Invalid configuration. Warning Config Error Either disable channel bonding in 5GHz configuration, or enable back high speed protocols (11n/11ac/11ax)
230011 RRM RRM leaders do not match between 2.4 and 5GHz bands, this could lead to errors on FRA calculations Error Operational FRA needs that both 2.4 and 5GHz leaders run on same physical controller. In situations for static leaders, if the platform license AP count is exceeded, the grouping may be splitl leading to this situation. In that case, FRA can't be used. A configuration change or reassignment of APs is recommended
230012 mDNS Multicast forwarding address is same as mDNS, this may cause problems with Apple Bonjour, iTunes. Network: {0} Error Config Error Multicast forwarding address overlaps with the mDNS address(224.0.0.251/FF02::FB), this will break Apple Bonjour, as traffic will be dropped, it should be changed. Command:config network multicast mode multicast
230013 Multicast Multicast Unicast forwarding mode is enabled, and either multicast or broadcast is in use with more than 50 APs. Depending on network traffic characteristics, this could have large performance impact. It is advisable to use multicast-multicast mode to prevent issues, which may have multicast routing dependencies on your infrastructure Warning Config Error Change Multicast forward mode to multicast. This may need multicast routing if APs are not on same VLAN as WLC management interface
230014 Multicast Current address is {0}, it is recommended for best practices to use a multicast address on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0. and 239.128.0.x. Warning Best Practices It is advisable to use a private multicast address. Command:wireless multicast x.x.x.x
230015 Multicast Current selected multicast address ({0}), can generate a flood, as it overlaps with local mac address. It is strongly recommended to use one on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0.x and 239.128.0.x Warning Config Error Switch address to mac conversion could cause a L2 flood , it is advisable to change. Command:wireless multicast x.x.x.x
230016 Capacity Max AP count reached on controller. No more APs will be able to join Error Operational WLC is running at its maximum capacity. You should consider a topology modification, or add controllers to the network
230017 CAPWAP Invalid AP join counter, it is higher than controller capacity, contact TAC as it is possible software defect Warning Best Practices If the AP joined counter is higher than platform allowed count, this could indicate a potential software defect, contact TAC for more information
230018 Capacity Controller with 90% or more of AP licenses in use Warning Operational Controller is reaching its AP licensed capacity, evaluate if additional controllers or licenses are needed for future growth
230019 Capacity Controller active client count has reached max capacity, no more clients will be able to join Warning Operational Client count has reached max capacity, you should consider adding new controllers to spread the load
230020 Webauth Virtual Gateway IP is not on 192.0.2.0/24 , 198.51.100.0/24 , 203.0.113.0/24 networks, change to recommended to avoid overlapping with Internet Allocated addresses. RFC5737 Info Best Practices Virtual GW address must not match any Internet Routable address, as it could lead to controller blackholing traffic for it. Use one of the recommended addresses
230021 Load Balancing Load Balancing window value too aggressive. Minimum recommended value should be 5 or higher Warning Best Practices Using a low window can cause association errors, try to use 5 or higher. Command: config load-balancing window
230022 Load Balancing Load Balancing window is zero, it is strongly suggested to use higher value Error Config Error Using a window set to zero can cause serious association errors, try to use 5 or higher. Command: config load-balancing window
230023 NTP Controller with no valid time source (sync has not happened) or file without NTP information, please check if controller has valid NTP server configured Warning Best Practices No active time source detected for this controller. It could be incomplete configuration. Command: config time ntp server
230024 CleanAir CleanAir detection disabled. It is highly recommended if your current AP HW types support the feature. Band(s): {0} Info Best Practices CleanAir provides additional visibility on RF issues. It should be enabled if the AP types support it. Command: #ap dot11 5ghz|24ghz cleanair. Ensure BLE beacon detection is disabled for best performance
230025 CleanAir CleanAir BLE Beacon detection signature has significant performance impact, it is recommended to run CleanAir enabled, with this specific device type disabled, unless required by deployment Error Config Error Ensure BLE beacon detection is disabled for best 2.4 GHz performance, unless required by deployment. Command: no ap dot11 24ghz cleanair device ble-beacon
230026 11b Legacy rate enabled in {0}. Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Info Best Practices In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensible to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command:config 802.11b rate disabled X
230027 Rogue Detection Minimum Rogue RSSI detection threshold should be set to {0} or higher, unless mandated by your security policies. Current value: {1} Info Best Practices Min RSSI feature allows to filter out unwanted rogues from the network (out of building). It is advisable to use -70 to -80 depending on your physical location and security policies. Command: config rogue detection min-rssi
230028 Authentication EAP identity timeout may need to be larger if using EAP-TLS, OTP based authentication. Please validate on your specific client types before enforcing the changes Info Best Practices If using EAP-TLS, OTP is advisable to have a large EAP ID request timeout. Use command:config advanced eap identity-request-timeout, to set it to 30 seconds or higher
230029 TACACS Tacacs management timeout lower than 5 seconds. Using longer TACACS timeout is specially recommended if OTP systems. Server(s): {0} Warning Best Practices Using a low TACACS timeout can cause server issues or authentication failures. Use command: config tacacs auth mgmt-server-timeout X 5, to set it to 5 seconds or higher, replace X with the server ID
230030 Rogue Contention At least one Autocontain policy is enabled. Rogue contention has severe impact on client serving time, it should be avoided unless mandated by your security policies Warning Best Practices One ore more auto-contain policies were detected, this could have legal and performance implications. Ignore if this is intentional
230031 Webauth If using sleeping client feature, idle timer must be lower than the session timeout. WLAN/Policy Profile(s): {0} Warning Best Practices Modify the policy profile idle timeout, ensure that it is lower than session timeout, or set it back to default value, 5 minutes
230032 Multicast IP Multicast Distributed routing is enabled. This is unsupported configuration, and it may lead to severe multicast traffic disruptions. It is strongly recommended to disable it Error Best Practices Disable the feature, use the command 'no ip multicast-routing distributed'
230033 VRF VRF have been configured, this is not a supported feature in 9800 controllers, and it will lead to severe functionality impact Error Config Error Disable the feature, use the command 'no vrf definition NAMEOFVRF'
230034 High Availability Redundancy mac address is not set. This is mandatory configuration value if using redundancy feature Warning Best Practices Set the command 'wireless mobility mac-address' to the management interface mac address
230035 Hardware Possible unsupported SFP detected, it may stop working on 16.12.3, 17.x or newer versions, please check compatible list in controller datasheet Error Operational The SFP type should be replaced with a supported model. Confirm models in controller data sheet or in release notes. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html#id_114714
230036 AP Tag Recommended Number of APs per Tag has been exceeded, it is advisable to split the APs between different tags to avoid CPU load issues. Tags:{0} Warning Config Error Tags are used to balance AP between different CPU/cores, it is important to keep AP count around 400 or 800 (9800-80) per tag, to ensure proper load balance
230037 CAPWAP A wireless management trust point has been defined for a controller with manufacturer certificate, and LSC is not in use, this may cause CAPWAP join issues Error Config Error Validate why the command 'wireless management trustpoint' has been defined. This is normally no needed for controllers, except for 9800-CL model
230038 Management To prevent WebUI issues while using some large GUI options (VLANs for example), it is advisable to increase the VTY count to 50 Warning Config Error Use the command 'line vty 0 50' to increase the VTY count
230039 Hardware At least one hardware resource has reached warning threshold. This should be investigated: {0} Error Operational A resource, for example CPU, data plane or memory are above warning threshold. This could indicate high network load, memory leak, etc.
230040 High Availability Redundancy management interface has overlapping address with wireless management, this can cause serious network problems Error Config Error Modify the command redun-management using non-overlapping addresses.
230041 High Availability Redundancy management interface vlan is not the same as the wireles management interface Warning Config Error Modify the command redun-management to match both vlans/interfaces.
230042 Security Password Encryption is not enabled. This is optional feature to protect keys/passwords in configuration Info Best Practices Use password encryption aes command.For more information, check 9800 Best practices guide
230043 Install Installation mode is BUNDLE, it is advisable to use INSTALL mode for several disk, memory and feature benefits Warning Best Practices Check 9800 Best practices guide for more information
230044 Security Management over Wireless is enabled, this is not recommended from a security point of view Warning Best Practices Management over wireless should be used with care, only enable if absolutely required. Check 9800 Best practices guide for more information
230045 Client Profiling Device Classification (client profiling) is not globally enabled, it is recommended to use it Warning Best Practices Use Device classification as best practice, to help on troubleshooting, network characterization or problem isolation
230046 RRM ED-RRM is not in use. It is recommended to enable for enterprise environments. Band(s): {0} Warning Best Practices This is purely a general recommendation, please validate if applicable in your environment. ED-RRM could provide fast reaction to severe RF issues
230047 Optimized Roaming Optimized Roaming is enabled, this could cause roaming failures in multiple scenarios. It is recommended to use 802.11k/v roaming instead. Reported for Band(s): {0} Warning Best Practices Disable the feature using the command ap dot11 5ghz/24ghz rrm optimized-roam. New devices will use 11k/v information when present
230048 FRA FRA Interval has to be equal or larger than the DCA interval. Reported for Band(s): {0} Warning Best Practices Please configure the FRA to match or be higher the DCA interval, in the Config/Radio Configurations/RRM/FRA GUI section
230049 RF AP Policy tag with more than 4 WLAN/SSIDs active. It is advisable to keep number of SSID to the minimum possible for bext performance. Tag(s): {0} Warning Best Practices A high number of SSID will increase the RR utilization time because of all the needed beacons and management frames. It is recommedned to keep to max 4 when possibble
230050 RLDP RLDP is configured to use all access points, and not only monitor mode. To prevent significant performance impact, it is advisable to change Warning Best Practices RLDP can use all or monitor mode, to preform the scan. Using monitor mode ensures there is dedicated hardware not impacting client servicing radios. Check your RF design, and modify this in WPS RLDP page
230051 AP Tag Default site tag is detected as in use, for proper CPU load balancing, it is advisable to use custom tags, and only use default site tag for initial network bringing up Warning Best Practices Check 9800 best practices document. it is recommended to use custom site tags, and avoid default site, except for initial deployment scenarios
230052 Flex More than 100 AP have been detected with same Flex Tag configured. This is unsupported configuration, and it may lead to fast-roaming errors. Tag(s): {0} Error Best Practices Maximum supported size for a Flex Tag is 100 APs. The network design or configuration should be adjusted to ensure this limit is not bypassed
230053 Spectrum Intelligence Spectrum Intelligence is enabled, and applicable APs are present. This may have impact on performance due to scan periods. Band(s): {0} Warning Best Practices SI feature provides valuable RF information, but it may have impact on network performance and voice. Use only if it has been determined the impact is acceptable in your use case scenario
230054 CAPWAP No Wireless Management interface detected. This could indicate incomplete configuration and a non-working scenario Error Config Error Wireless interface is mandatory requirement for basic functionality. Please review initial configuration steps
230055 CAPWAP Wireless Interface was detected as non-vlan type. For appliances, you should use a SVI (Vlan interface) Error Config Error Create SVI and point your wireless interface settting to it. Do not use physical interfaces, only exception is 9800-CL on public cloud scenarios
230056 Management Service tcp-keepalive in/out, should be enabled to reduce lingering inactive connections to management points Warning Best Practices Add: service tcp-keepalives in/service tcp-keepalives out to configuration
230057 DHCP If DHCP helper (relay) is defined, the interface should have dhcp relay source interface command pointing to wireless management interface, to avoid asymmetric DHCP routing scenarios. Interfaces: {0} Warning Best Practices Add: ip dhcp relay source-interface to the interface SVI/Vlan configuration
230058 Interfaces Interface SVI (vlan) detected, but no corresponding vlan entry configured. Interfaces: {0} Error Config Error Add: vlan NUMBER to the configuration. If this is not corrected, the SVI interface will remain down
230059 mDNS WLAN is using mDNS gateway functionality, but not corresponding SVI Interface detected. WLANs/Policies: {0} Error Config Error Add: Define a Interface vlan (SVI) for all vlans where mDNS gateway functionality is required. This check may not apply on AAA override scenarios
230060 Interface Interface referenced by Policy Profile, without IP address configured. Interface: {0} Warning Config Error Interface with incomplete configuration, no IP address, referenced by policy profile. This may cause issues on several features. You should configure valid IP
230061 Interface Interface referenced by Policy Profile, on administrative shutdown state. Interface: {0} Warning Config Error Interface is on administrative down status, but it is referenced by policy profile. This may cause issues on several features. Check if this should be enabled
230062 Interface SVI Interface referenced by Policy Profile, on line protocol down state. Interface: {0} Warning Config Error Interface has line protocol down, but it is referenced by policy profile. Down state is typically caused by because vlan has not been assigned to any physical interface or trunk. Either use different interface on policy profile or correctly map the vlan
230063 Roaming There are denied client roamings across different policy profiles. It is advisable to enable client vlan-persistent command to improve roaming experience Warning Best Practices By default, it is not alowed to roam on same WLAN over different policy profiles. This leads to client delete and a new on boarding is required. Use the command wireless client vlan-persistent on 17.3.4 or higher, to improve roaming. Not recommended for older 17.3 releases. Check this document for more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_client_roaming_policy_profile.html
230065 Webauth The Webauth Global parameter map, does not have IPv6 virtual address. It is advisable to add one Warning Best Practices Depending on your client types, it is good idea to define IPv6 virtual address for Webauth. It can reduce redirection errors. Use 'parameter-map type webauth global' config command, then 'virtual-ip ipv6 ADDRESS'
230066 Webauth HTTPS webauth redirection is enabled. This may lead to certificate errors and possible errors. Use with care Info Config Error HTTPS redirection feature success depends largely on the client type, and webauth certificates installed. On some scenarios it can lead to failures. This is just preventive message to ensure all implications of using this feature are understood
230067 Webauth WLAN with webauth configured, but no aaa authorization network command detected. This may be incomplete configuration Error Config Error For webauth, you should set a network authorization method. See this document for more details: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-11/config-guide/b_wl_16_11_cg/cisco-guest-foreign.html
230068 Management Controller HTTP server is configured with all modules disabled (ip http active-session-modules none), this could prevent GUI access starting with 17.3. Please ensure this is intentional Error Config Error Starting 17.3 and higher, there is a new behavior change that will cause the no modules option to disable management. During upgrades, this config culd lead to issues. Recommendation is to remove the command, unless it is intentional or needed. For more details: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html#id_136398
230069 Tag Tag policy is using a non existing WLAN name. This will cause significant impact. Tag {0} Error Config Error This is normally a misconfiguration on the Tag entry, with possible invalid WLAN name set. Please edit the tag and check the WLAN
230070 Tag Tag policy is using a Policy name not found. This will cause significant impact. Tag {0} Error Config Error This is normally a misconfiguration on the Tag entry, with possible invalid Policy name set. Please edit the tag and check the policy name used
230071 HS20 HS20: Policy profile with incorrect configuration, At least one roaming OI must have beacon flag. HS20 server entry:{0} Error Config Error The Hotspot 2.0 ANQP server configuration is invalid, it should have at least one beacon-oi entry with beacon flag. Please add it
230072 HS20 WLAN mapped to policy profile with H2.0 feature, but 802.1x authentication is not enabled: {0} Error Config Error The Hotspot 2.0 feature requires 802.1x authentication type. Please modify the WLAN security settings or remove H2.0 server name in the policy profile
230073 RRM DCA (channel assignment) has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the channel assignament algorithm has not been executed on the configured interval. Please contact TAC
230074 RRM TPC (power assignment) has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the power assignament algorithm has not been executed on the configured interval. Please contact TAC
230075 RRM FRA ( Flexible Radio assignment) has not run in the expected configured frequency. This could indicate a software failure Error Operational This controller is a RRM leader, and the power assignament algorithm has not been executed on the configured interval. Please contact TAC
230076 RRM BSS Coloring has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the BSS coloring algorithm has not been executed on the configured interval. Please contact TAC
230077 RRM RF grouping has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the grouping lgorithm has not been executed on the configured interval. Please contact TAC
230078 High Availability Redundancy state indicates a possible problem. Please check status of the other unit Error Operational RMI configuration was detected, and the current redundancy state indicates a problem. Check the status of the other unit
230079 High Availability Redundancy is in use, but RMI feature is not enabled. For best high availability scenarios, it is recommended to use it Warning Best Practices Redundancy Manager Interface feature provides significant advantage for HA scenarios. Per best practices, it is advisable to enable it. For more information:https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_high_availability.html#id_109551
230080 Location NMSP server on down state, this may have impact to CMX/DNA Spaces features. Server(s): {0} Warning Operational At least one NMSP server shows as Inactive/communications down. Please check configuration or server status.
230081 Mobility Mobility peer on down state, Please check communication or configuration, to confirm if this is intentional. Server(s): {0} Warning Operational At least one mobility peer has a down state, depending on the deployment and configuration, this may impact roaming, rogue detection, RF calculation, and guest features
230082 URL Filter The URL specified in the filter has a wildcard in the middle, this is not supported. URL Filter(s): {0} Error Config Error URL Filters only support wildcard as initial or last section of URL. Please correct the entry
230083 Tags For versions 17.6 and higher, it is advisable to use AP tag persistency command, to ensure tags are preserved if AP is temporarily moved to another controller Warning Best Practices Configure ap tag persistency enable, this is specially important for N+1 redundancy scenarios
230084 AAA The max-user-login feature is set. This restricts how many clients can share the same username during authentication. Ensure this is intended, as this can impact some deployment scenarios Info Information This is just informational message, to check if this configuration was on purpose. When using devices that can share same user (like phones, student tablets, etc), this could prevent them to join the network. Command to set it to default wireless client max-user-login 0
230085 LAG LAG was detected in use, and port channel load balancing is not set to src-dst-mixed-ip-port. Per best practices, please change both the controller and the switch for optimal port balancing Warning Best Practices Best practices recommend to use command port-channel load-balance src-dst-mixed-ip-port, for best port balancing. This must be configured as well on the switch side
230086 RRM Country is set to either J2, J3 or JP. These country codes are no longer supported from 17.3 and higher, and should be replaced with J4 to allow all applicable AP domains to join Error Config Error Japan country codes where updated after 17.3, and a change is needed to allow AP join and RRM DCA to work for Q,P,U regulatory domain APs. Use ap country J4 command to apply the changes
230087 HS2.0 In the HS2.0 anpq server definition, the OSU SSID is mapped to existing WLAN profile that is not open auth Error Config Error Per HS2.0 specifications the OSU SSID has to be open. Please ensure WPA2, webauth, etc are not enabled on the WLAN profile mapped to the OSU SSID command
230088 HS2.0 The OSU SSID is set to a name not present on any WLAN profile mapped to the same policy Tag. Error Config Error OSU SSID should be mapped to a WLAN/SSID present on the same Policy Tag, so clients can see both the H2.0 and the OSU SSID, please check the SSID name
230089 HS2.0 The OSU SSID is set to WLAN profile currently disabled. Warning Config Error OSU SSID should be mapped to an active WLAN/SSID, please check the WLAN enable status
230090 HS2.0 In the HS2.0 anpq server definition, nai-realm is set, but the OSU SSID is mapped to a WLAN without OSEN enabled. Warning Config Error Per HS2.0 standard, the corresponding OSU SSID must have OSEN set. Please check the corresponding WLAN profile
240001 WLAN Disabled WLAN, no configuration checks run. WLAN(s): {0} Info Information Just message to inform that WLAN is not in use, so no detailed checks will be applied. Confirm if the wlan disabled status is intentional
240002 AAA WLAN profile(s) with AAA method list name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
240003 Webauth WLAN profile(s) with webauth parameter map pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
240004 Authentication WLAN profile(s) with local EAP name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
240005 WPA Security set with both WPA and WPA2 enabled, this may cause problems with old client drivers and some PDAs. WLAN(s):{0} Info Best Practices WPA in general is not recommended, it should only be used for legacy client support. Some older clients may have problems if WPA and WPA2 are enabled on same WLAN. This is not an issue if all clients are relatively recent
240006 WPA WPA and AES encryption is enabled. This may be deprecated in the future due to certification requirements, and not supported on some AP models. It is advisable to modify the configuration. WLAN(s):{0} Warning Best Practices Disable WPA if not needing it for legacy clients, and use WPA2-AES encryption or higher
240007 WPA Standalone TKIP policy enabled. This w may be deprecated in the future due to certification requirements, or migrated to WPA2 AES+TKIP. It is advisable to modify the configuration. WLAN(s): {0} Warning Best Practices For security reasons, and certification requirements, TKIP as standalone policy is not recommended, and should only be used for strict legacy support
240008 CCX Aironet IE enabled. If not using Cisco WGB or Voice devices, it is recommended to disable Aironet Extensions for simplicity on the beacon set. WLAN(s): {0} Info Best Practices This is general recommendation to improve client interoperability, and simplify information elements included in beacons. Must not be disabled if using Cisco Voice or WGB
240009 11n/11ax/11ax 802.11n/11ac radios are present, but WMM is disabled on the WLAN(s): {0} Warning Config Error This is configuration error that will prevent usage of high speed rates on the WLAN. If this is not intentional, it should be corrected. Command: config wlan wmm allow
240010 Webauth Webauth is in use, but no pre-auth ACL is set, this is required for external webauth, it may not apply depending on your configuration WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
240011 Webauth Webauth is in use, but no pre-auth ACL IPv6 is set, this is required for external webauth, and IPv6 fw is enabled. WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
240012 Webauth Webauth is in use, but no pre-auth ACL for flexconnect is set, this is required for external webauth,wlan is set for local switching and there are Flex APs detected. WLAN(s): {0} Deprecated Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
240013 Fast Transition FT in use, with no L2 security policy (Open) This can cause problems on upgrade or for some AP models on Flex mode. Change FT to disabled. WLAN(s): {0} Error Config Error Go to the WLAN profile and disable the option 'Fast Transition'
240014 Voice CCKM is in use, but Aironet Extensions are disabled, both must be set to enabled, for WGB or 882x phones to work properly. WLAN(s): {0} Error Config Error Go to the WLAN profile and enable the option 'Aironext Extensions'
240015 WPA2 CCKM is enabled together with PSK, this is invalid combination. WLAN(s): {0} Error Config Error Go to the WLAN profile and disable the option 'CCKM'
240016 Fast Transition FT is enabled without WPA2/WPA3, this may lead to it being disabled on some upgrade scenarios. WLAN(s): {0} Error Config Error Go to the WLAN profile and disable the option 'FT'
240017 WPA3 WPA3 enabled WLAN and IOS APs are present. Those APs do not support it, ensure they are on AP tag not including WPA3. WLAN(s): {0} Warning Config Error Configure AP tag to exclude any WPA3 profile from IOS APs
240018 WLAN Broadcast SSID is not enabled. Change it for best client compability. WLAN(s): {0} Warning Best Practices Disabling Broadcast SSID does not help on security, and it may impact roaming on some device types. Best to enable it on the WLAN profile
240019 Voice CCKM is in use with low tolerance timer. Recommended value is 5000. WLAN(s): {0} Warning Best Practices To minimize CCKM roaming failures, it is advisable to use a 5000 mSec TSL tolerance timer. This can be modified with command:security wpa akm cckm timestamp-tolerance 5000
240020 11k 11k Neighbor List is in use, but dual band is disabled. if not using single-band devices, enable both for best results. WLAN(s): {0} Warning Best Practices For best results, it is better to enable dual band support for 11k. This should only be avoided, if single band devices are present on the network. This is part of the WLAN profile
240021 Webauth WLAN with Webauth policy, without sleeping client feature. For best clients experience, it is recommended to enable it. WLAN(s): {0} Warning Best Practices Sleeping client feature can enhance significantly the end-client experiance of a webauth WLAN. For best practices, enable it on the webauth policy map
240022 WPA3 WLAN with WPA3 and Adaptive FT roaming enabled. This is nor recommended. WLAN(s): {0} Warning Best Practices Adaptive FT has not been tested for WPA3 scenarios. Either change to FT enabled, or disable it
240023 FT WLAN with CCKM and FT roaming enabled. This not supported, and may cause some client types to fail. WLAN(s): {0} Error Config Error FT has not been tested for CCKM scenarios, and configuring both will cause client connection issues. You should disable CCKM
240024 802.1x WLAN has 802.1x auth, but no valid authentication list has been set, nor there is default AAA method. WLAN(s): {0} Error Config Error Each WLAN must have a valid 802.1x authentication method, either from the default list, or explicitly created. You must create one with command aaa authentication dot1x. For more info, check: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.pdf
250001 Policy Profile Disabled profile, no configuration checks run. Policy Profile(s): {0} Info Information Just message to inform that Policy Profile is disabled, so no detailed checks will be applied. Confirm if the status is intentional
250002 URL Filter Profile(s) with URL Filter name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
250003 Authentication Profile(s) with AAA Policy pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
250004 Accounting Profile(s) with Accounting List pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
250005 QoS Policy Profile(s) with Subscriber Policy pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
250006 SDA Profile(s) with Fabric Profile pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
250007 Flow Profile(s) with Flow Monitor name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
250008 QoS Profile(s) with QoS SSID service name pointing to non-existing value. {0} Info Config Error Check the configuration item, and change/replace it with a existing value
250009 QoS Profile(s) with QoS Client service name pointing to non-existing value. {0} Warning Config Error Check the configuration item, and change/replace it with a existing value
250010 mDNS Profile(s) with mDNS gateway name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with a existing value
250011 Multicast If using AAA override or Interface Groups, enable the Multicast Vlan if using any multicast applications. Profile(s): {0} Info Best Practices Multicast forwarding is enabled, and the policy profile has features in use that should use multicast vlan to allow propoer inter-client multicast traffic. Add a vlan in the Multicast Vlan setting
250012 Flex Profile with Central association enabled, and access points with flex mode detected in controller. This may cause problems with some clients. Disable central association, or upgrade to fixed version (17.x). Profiles: {0} Error Config Error Go to the policy profile and disable the option 'Central Association'. This would not be required on later versions 17.2 or higher
250013 Roaming Profile has session timeout either disabled or set to zero. This will cause that PMK cache entries are not created, triggering a new auth on every roam. Set a timeout. Profiles: {0} Error Config Error Go to the policy profile and set a session timeout, if long time is needed, set it for a day (session-timeout 86400)
250014 ARP ARP proxy is disabled. To save client battery and other performance improvements, it is recommended to enable. Profiles: {0} Error Best Practices Go to the policy profile and enable ARP proxy setting. This is available from 17.3
250015 Security Profile with vlan set to default or 1. This is not recommended, even for AAA override scenarios. Profiles: {0} Warning Best Practices Go to the policy profile configure a VLAN. Default should only be used on small network, with low security requirements
250016 Device Classification When using device classification, it is recommended to enable both HTTP and DHCP TLV caching. Profiles: {0} Warning Best Practices Go to the policy profile and enable DHCP and TLV caching. This will improve Device Profiling
250017 Security Exclusion list is not enabled. For best practices, it is advisable to have client exclusion active. Profiles: {0} Warning Best Practices Go to the policy profile and enable Exclusion list. This would prevent AAA subsystem attacks, and improve security
250018 DHCP Policy profile is using DHCP relay functionality, but not corresponding SVI Interface detected. Policies: {0} Error Config Error Add: Define a Interface vlan (SVI) for all vlans where DHCP relay feature is set on the policy profile. This check may not apply on AAA override scenarios
250019 Policy Profile VLAN name referenced by policy profile was not Found. This can lead to traffic drop issues. Policies: {0} Error Config Error Add: Confirm that the vlan name or ID is valid entry in the VLAN list.
250020 Call Snooping SIP Call Snooping is not supported on Flex Local switching. Policies: {0} Warning Config Error SIP Call snooping requires central switching mode. Change setting at the policy profile
250021 HS20 HS2 server name entry points to non existing value, possible incorrect name. Policies: {0} Error Config Error The Hotspot server name entry is incorrectly configured, please make sure it matches one of the anqp-server entries
250022 Flex Policy profile with local switching, and but central association is enabled. This is a non-supported combination. Policies: {0} Error Config Error The controller has APs in flex mode, and there is at least one policy profile with flex local switching, and central association. This is a combination that may lead to client state issues. Please correct
250023 Mobility Policy profile has Export anchor enabled, and it is assigned to APs. All WLAN SSIDs will not be broadcasted. Policies: {0} Error Config Error Export anchor setting can't be used in combination with WLANs enabled at APs. This will prevent any client to join this WLAN/Policy combination at this controller. Either disable it, or use different policy for Guest/Mobility anchor feature. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html
250024 Mobility Policy profile has Export anchor set and has remote anchor IPs configured. This is not supported. Policies: {0} Error Config Error Export anchor indicates the traffic terminates locally, you can't use it in combination with remote anchor controllers in same profile. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html
260001 RF Profile Disabled RF Profile, no configuration checks run. Profile(s): {0} Info Information Just message to inform that RF Profile is disabled, so no detailed checks will be applied. Confirm if the status is intentional
260002 RRM For enterprise environments, it is recommended to use DCA with 40 MHz channel width or Best setting, except for High Density deployment scenarios. RF Profiles: {0} Info Best Practices Set the RF Policy profile to either 40 MHz or Best. Ensure that Best max width is restricted to 40. 80 or 160 should only be used deployments with a single tenant building scenario (no rogues), or low AP density. 20 should be used for very high AP density
270001 DCA Channels 100-140 detected as not in use. Use this channel range is necessary for some outdoor domains (p. e. ETSI) Error Best Practices For ETSI AP, you must configure at minimum one valid outdoor channel (100-140) in the DCA list
280001 Voice Voice: Platinum/Voice WLAN detected, and local EAP is active. This may not be compatible with older devices like 792x that need deprecated crypto options (RC4) Warning Config Error if support for legacy devices is needed, use external radius server
290001 Security Management user has not been set. For security reasons, it is best practice to configure username/password for AP access on the join profile. AP Profiles: {0} Warning Best Practices Go to AP Join Profile/Management/User tab, and configure access credetials for AP CLI access
290002 Security Telnet access is enabled. It is advisable to only allow SSH. Has effect only on IOS APs. AP Profiles: {0} Warning Best Practices For security best practices, it is advisable to only allow SSH access to AP
290003 Syslog AP join profile with Syslog facility not set to FACILITY_KERN. This may cause syslog messages to be dropped at AP. AP Profiles: {0} Error Config Error For APs 91xx and Wave2 (AP-COS), Syslog facility has to be set to Kernel, it is not supported to change this value. This is tracked through enhancement request CSCvu75017
290004 Syslog Syslog host is not set (using default broadcast value). For best practices, it is recommended to use a syslog server. AP Profiles: {0} Warning Best Practices To ensure data is available for future troubleshooting in case of problems, it is best practices to define a syslog server for all APs on the Join profile
300001 Flex The vlan name defined at the Flex profile, does not match name defined at controller for the same ID. This will fully break traffic forwarding. Flex Profiles: {0} Error Best Practices When using local switching policy profiles, the name set on the policy profile, must match both the name at controller global list, and the one set at the flex profile.
300002 Flex Profile is using vlan name matching a defined vlan group at controller level, this is not supported . Flex Profiles: {0} Error Best Practices Vlan groups are not supported in flex local switching mode, please map the local vlan name in the flex profile, to something that is different from existing vlan group at controller level
300003 OEAP Join Profile has OEAP SSID provisioning enabled, and Flex is set to OEAP mode. This should only be used during initial deployment. Validate if this is intended scenario. Flex/AP Join Profiles: {0} Warning Config Error OEAP provisioning will broadcast extra SSID for initial AP setup, this may not be desirable during normal operation. You can disable it on the join profile
Next