id feature text level category action
0 WCAE No Messages reported Info Config Error Nothing reported
10025 WCAE Parsing: missing configuration file section(s), checks may not be executed properly:{0} Error Information One or more configuration sections were not found; this is an indication of a corrupted file or a very old software version. If the file is believed to be correct, please contact wcae@cisco.com, otherwise try to capture it again. For more information: https://developer.cisco.com/docs/wireless-troubleshooting-tools/#!how-to-colletct-sh-run-config
10026 WCAE line with invalid information:{0} Warning Information The line present in the file has incorrect format or unexpected values. This is an indication of a possibly corrupted file or an old software version. If the file is believed to be correct, please contact wcae@cisco.com
10027 WCAE Invalid File format provided, please use sh run-config (AireOS) or sh tech wireless (IOS-XE) Error Information The file provided to be parsed, is not one of the expected formats, and it may not be possible to run any analysis. If the file is believed to be correct, please contact wcae@cisco.com
10028 WCAE Critical error while running checks against file, section {0} Error Information A group of checks did not execute properly. If the file is believed to be correct, please contact wcae@cisco.com
10029 WCAE Critical error while doing data process at {0} Error Information Data analysis failed. If the file is believed to be correct, please contact wcae@cisco.com
20001 Certificate AP: Invalid certificate type, possible config error, or file format Warning Information The AP information for 'AP Certificate Type' is invalid, could be corrupted run-config file, or AP error
20002 HW AP: Access point without radio, possible domain error Warning Information Check if AP domain (ETSI, FCC, Japan, etc) matches the configured country types, alternately check PoE errors, or a hardware issue
20004 Radio AP: Unknown radio type, slot:{0} Error Information AP has invalid radio type, this could be corrupted run-config file, or new/unknown AP model
20005 Radio AP: Access point without valid TX levels, on slot {0} Error Information Radio reports no valid power levels, either radio is down (bug), wrong country code, or corrupted run-config file
20006 Radio AP: Unknown radio type in nearby info Error Information While parsing the 'nearby' section, the band type is not recognized, this is normally due to corrupted config file, please capture again
20007 CAPWAP AP: Possibly incorrect primary controller configuration, not found in controller list, or controller config not loaded. Warning Config Error The AP has configured a controller name which is not present in the analyzed config file. This may also indicate an error in the AP configuration.
20008 CAPWAP AP: Possibly incorrect secondary switch configuration, not found in controller list, or controller config not loaded. Warning Config Error The AP has configured a controller name which is not present in the analyzed config file. This may also indicate an error in the AP configuration.
20009 CAPWAP AP: Possibly incorrect tertiary switch configuration, not found in controller list, or controller config not loaded. Warning Config Error The AP has configured a controller name which is not present in the analyzed config file. This may also indicate an error in the AP configuration.
20010 Radio AP: Antenna gain set to zero in Radio Slot: {0} Warning Config Error Antenna gain may not be valid. If antenna gain was previously configured, then this may indicate an invalid template push from PI. This may lead to wrong TPC power calculation
20011 Radio AP: Antenna gain set to zero in 802.11a radio Info Config Error Antenna gain may not be valid. If antenna gain was previously configured, then this may indicate an invalid template push from PI. This may lead to wrong TPC power calculation
20012 CAPWAP AP: Empty primary controller name. It is recommended, to have a primary controller name configured, for better/more predictive AP join process. This is not mandatory Warning Config Error Primary controller name is not set, this is not recommended as it can lead to random AP join across controllers (salt and pepper scenario). Recommendation is to have it explicitly configured
20013 CAPWAP AP: {0} and {1} controller names are the same, not recommended Warning Config Error Controller names for join process are same in at least 2 positions. This is not a recommended configuration
20015 Security AP: SSH is enabled on this access point. Depending on security policies this may or may not be correct Info Information No action required, this is just an informational message for awareness
20016 Security AP: Telnet is enabled on this access point. Depending on security policies this may or may not be correct Warning Information Telnet is not a secure protocol, and not recommended for security reasons. It is advisable to use SSH for remote access to AP CLI
20017 Syslog AP: Syslog messages are sent to broadcast address, if there are errors reported by many APs, and there are too many APs per vlan, this can cause broadcast storms. For best practices, it is better to configure to individual server Warning Best Practices AP syslog is set to broadcast destination (default). It is recommended to configure unicast server, for security and ease of troubleshooting. Command: config ap syslog host global
20019 RRM AP: RRM values out of range, potential damaged radio, please double check with direct testing before replacement Warning Information AP reported a RRM value out of expected range. This could be indication of software or hardware defect, and should be investigated
20020 Radio AP: Channel number not found for slot {0} on Radio Parsing. Possible corrupted or incomplete config Warning Information AP lacks channel information on one of its radios. This is indication of incomplete or corrupted config file. Try to capture using transfer upload command
20021 CAPWAP AP: Default gateway not on same subnet as IP address of AP, this may be result of IP redirect or proxy ARP, this can cause severe problems, check your IP/DHCP config Error Information AP default gateway is outside its assigned subnetwork. This is normally indication of wrong configuration. Review DHCP pool or AP IP address settings
20022 RRM AP: Invalid RRM data found for AP. Section: {0} Error Config Error AP reported a RRM value out of expected range. This could be indication of software or hardware defect, and should be investigated
20023 Radio AP: More than 4 SSID per radio. High SSID counts may contribute to higher channel utilization. It is advisable to keep the SSID count per radio to the minimum needed. Warning Best Practices Each SSID consumes RF time, it is advisable for best performance to keep the number of SSIDs as low as possible, ideally on 4 or lower. If more SSIDs are required, make sure to disable low data rates to lower the impact
20024 WCAE AP: Missing configuration, information not present in file. Possible corrupted file Error Config Error This is indication of incomplete or corrupted config file. Try to capture using transfer upload command
20025 Certificate AP: Certificate with less than {0} calculated days left and Ignore MIC certs expiration is not enabled. Please validate cert date directly on AP for confirmation, and enable the expiration date ignore feature on WLC Error Config Error Based on serial number, the AP certificate could have expired or may expire soon. Use the WLC command: config ap cert-expiry-ignore mic enable for AireOS, or a trustpool policy in IOS-XE, to avoid problems. For more information: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
20026 11n/11ac AP: Radio 11n or 11ac, operating in legacy mode due to security settings (no wlan with WPA2/AES or Open) Warning Config Error AP has 11n or 11ac capable radio, but due to configuration, it is operating in legacy mode. Ensure that you have WLANs with WMM and WPA2AES or Open policies to use high speed rates
20027 11n/11ac AP: Manual channel assignment in use with channel bonding and 11ac and/or 11n are disabled. Invalid configuration Warning Config Error AP has channel bonding configuration, but 11n/11ac are disabled. Please configure the AP back to 20 MHz to avoid issues
20028 RRM AP: The assigned channel is not in the DCA list. AP slot:{0} Warning Config Error Current assigned channel is not on the DCA list, this could cause problems on roaming or reaction to DFS events. It is recommended to match the DCA channel list to the AP assigned channels
20029 TCP-MSS AP: TCP-MSS feature should be enabled Warning Information TCP-MSS feature is not enabled, this can have performance implications. Use command: config ap tcp-mss-adjust enable all 1300, to enable it
20030 TCP-MSS AP: It is recommended to set the MSS size at 1250 Info Information TCP-MSS adjust value found to be different from 1250. This is not a problem, as value could be different due to network MTU characteristics. It is purely informational
20031 CAPWAP AP: Native vlan ID should be set for flex APs Info Best Practices For best practices, it is advisable to set native vlan in flex deployments
20032 Rogue Containment AP: Containment count over 0, this can produce performance issues. Use dedicated APs for this Info Information AP has been used for containment. This is a security feature, but its usage on client-serving APs has a severe impact on WLAN service availability. If containment is required, use dedicated APs to lower network impact
20033 CAPWAP AP: Native VLAN id should be same across the APs in Flex group. Error Config Error Native VLAN is not same across all AP in same flex group. This could have severe impact on roaming scenarios. It should be corrected to match
20034 CAPWAP AP: Invalid IP address configured on the {0} controller. Error Config Error The IP address configured in the AP controller list, does not match the address of the current controller. Possible invalid configuration that should be corrected
20035 AP-UX AP: UX Device has not been primed, this will affect functionality Error Config Error This is AP UX model, that has not been primed (country assigned). AP will operate with a subset of possible channels/powers, with impact to the network. It is strongly advised to correct this problem
20036 WCAE AP: Incomplete configuration file, no AP general config section found Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20037 WCAE AP: Incomplete configuration file, no RF config found slot 0 Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20038 WCAE AP: Incomplete configuration file, no RF config found slot 1 Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20039 11g/11n AP: No OFDM are set as mandatory for 2800/3800/1560 AP model, this can cause severe performance problems. Check CSCvi96066 Error Config Error Due to chipset behavior, AP models 2800/3800/1560 need at least one OFDM set as mandatory in the 2.4 GHz slot. You need to change either 2.4 global config, or the RF profile. Please be aware that using any OFDM as mandatory may limit legacy 802.11b clients to join
20040 Configuration AP: in IOS-XE controller, the AP is flagged as having invalid profile or tag Error Config Error Check AP assigned tags/profiles, use command show ap tag summary, validate misconfigured column
20041 Configuration AP: in IOS-XE controller, has Policy Tag with a Policy profile pointing to invalid WLAN Profile name. Check AP configuration Error Config Error Check the WLAN profile assigned to the Policy Profile/Tag, it has invalid name. This must be corrected
20042 Configuration AP: in IOS-XE AP has Site name not found in controller, this is either incorrect config, or error in file Error Config Error Check the AP site name is same as one configured in controller
20043 Configuration AP: in IOS-XE AP has Flex profile name not found in controller, this is either incorrect config, or error in file Error Config Error Check the AP flex profile name is same as one configured in controller
20044 CAPWAP AP has invalid IP netmask, please check if it is configuration error, or corrupted format line Warning Config Error Confirm netmask configuration on AP
20045 HW AP 1550 with 64MB RAM. It has restricted feature set Info Information None required, this is due to manufacturing date on AP
20046 CAPWAP Access point with name exceeding 32 characters, this could lead to memory corruption/crashes for releases without the fix Error Config Error Reduce AP name to 32 or lower, or upgrade to one of the fixed releases (17.6, 17.3.4, etc). This is related to defect CSCvy11981
20047 Configuration AP: in IOS-XE AP has join profile name not found in controller, this is either incorrect config, or error in file Error Config Error Check the AP join profile name is same as one configured in controller
20048 Radio AP has radio slots that are operational down. Validate if this is intentional Warning Operational Confirm the reasons why the radio slot shows as operational down. This could be due to configuration, PoE limits, channel assignment, DFS, etc
20049 Ethernet AP has Interface on half duplex mode. Please validate that this is intentional Warning Operational A half duplex interface, could point to negotiation issues with the switch due to cable length, errors, etc. This could lead to significant impact in stability and performance
20050 Ethernet AP has Interface on 100 Mbps mode. Please validate that this is intentional Warning Operational An interface at 100 Mbps could point to negotiation issues with the switch due to cable length, errors, etc. This could lead to significant impact in stability and performance
20051 WCAE AP: Incomplete configuration file, no RF config found slot 2 Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20052 WCAE AP: Incomplete configuration file, no RF config found slot 3 Error Config Error Partially incomplete configuration file, try to capture again, optionally use transfer upload command
20053 Radio AP: Slot 0 Radio is active, but has no WLANs configured Warning Config Error No wlans were found for this AP radio slot 0. This could be a configuration error, or missing information in the file. Validate your policy tag config for this AP
20054 Radio AP: Slot 1 Radio is active, but has no WLANs configured Warning Config Error No wlans were found for this AP radio slot 1. This could be a configuration error, or missing information in the file. Validate your policy tag config for this AP
20055 Radio AP: Slot 2 Radio is active, but has no WLANs configured Warning Config Error No wlans were found for this AP radio slot 2. This could be a configuration error, or missing information in the file. Validate your policy tag config for this AP
20056 Radio AP: Slot 3 Radio is active, but has no WLANs configured Warning Config Error No wlans were found for this AP radio slot 3. This could be a configuration error, or missing information in the file. Validate your policy tag config for this AP
20057 POE AP is operating at Medium Power, check if this is intentional Warning Operational PoE at Medium power may lead to reduced radio stream count and other HW limitations. Ensure if this is intentional, as it can lead to performance issues. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_access_point_power_control.html#poe-profiles
20058 POE AP is operating at Low Power, this can lead to severe limitations and/or radios disabled. Check if this is intentional Error Operational PoE at Low power will disable radios, and enforce other HW limitations. Ensure if this is intentional, as it can lead to severe performance issues. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_access_point_power_control.html#poe-profiles
20059 Radio AP has more than 2 radio reset failures per day of uptime in Slot0. This may cause client or application issues Error Operational AP has automatic recovery in case of a radio problem, this reset process may disconnect active clients, with possible connection impact. If this is persistent, it is advisable to open a TAC case to identify any possible defects For more information: https://mycase.cloudapps.cisco.com/start
20060 Radio AP has more than 2 radio reset failures per day of uptime in Slot1. This may cause client or application issues Error Operational AP has automatic recovery in case of a radio problem, this reset process may disconnect active clients, with possible connection impact. If this is persistent, it is advisable to open a TAC case to identify any possible defects For more information: https://mycase.cloudapps.cisco.com/start
20061 Radio AP has more than 2 radio reset failures per day of uptime in Slot2. This may cause client or application issues Error Operational AP has automatic recovery in case of a radio problem, this reset process may disconnect active clients, with possible connection impact. If this is persistent, it is advisable to open a TAC case to identify any possible defects For more information: https://mycase.cloudapps.cisco.com/start
20062 Radio AP has more than 2 radio reset failures per day of uptime in Slot3. This may cause client or application issues Error Operational AP has automatic recovery in case of a radio problem, this reset process may disconnect active clients, with possible connection impact. If this is persistent, it is advisable to open a TAC case to identify any possible defects For more information: https://mycase.cloudapps.cisco.com/start
20063 Software AP has a disk primary image corrupted, this indicates that one or more components of the running image, was detected as corrupted Error Operational During self-check, the AP detected that at least one primary disk image component is corrupted. This should be corrected, to avoid downtime in case of AP reload For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220443-how-to-avoid-boot-loop-due-to-corrupted.html
20064 Software AP has a secondary disk image corrupted, this indicates that one or more components of the running image, was detected as corrupted Warning Operational During self-check, the AP detected that at least one disk image component is corrupted. This should be corrected, but it should not impact normal operation, nor upgrades. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220443-how-to-avoid-boot-loop-due-to-corrupted.html
20065 CDP AP has a large CDP neighbor count, this may be an indication that directly connected switch does not support CDP, and it is flooding the protocol Warning Operational You should disable CDP at the AP join profile. CDP is a layer 2 multicast protocol, for neighbor discovery over LAN networks. Normally used between Cisco devices. If AP shows more CDP neighbors than directly connected LAN ports, this may be an indication that the directly connected switch does not support CDP, or has it disabled. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m_config_model.html?bookSearch=true#config-ap-profile-gui
20066 Regulatory AP has radio slot0 with failed regulatory domain, this may be due to incorrect country configuration on AP profile or at controller global level, or AP radio type is not supported on this version yet Error Config Error Check the country configuration on the AP join profile, if it matches the AP regulatory type For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m_config_model.html?bookSearch=true#config-ap-profile-gui
20067 Regulatory AP has radio slot1 with failed regulatory domain, this may be due to incorrect country configuration on AP profile or at controller global level, or AP radio type is not supported on this version yet Error Config Error Check the country configuration on the AP join profile, if it matches the AP regulatory type For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m_config_model.html?bookSearch=true#config-ap-profile-gui
20068 Regulatory AP has radio slot2 with failed regulatory domain, this may be due to incorrect country configuration on AP profile or at controller global level, or AP radio type is not supported on this version yet Error Config Error Check the country configuration on the AP join profile, if it matches the AP regulatory type For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m_config_model.html?bookSearch=true#config-ap-profile-gui
20069 Regulatory AP has radio slot3 with failed regulatory domain, this may be due to incorrect country configuration on AP profile or at controller global level, or AP radio type is not supported on this version yet Warning Config Error Check the country configuration on the AP join profile, if it matches the AP regulatory type For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m_config_model.html?bookSearch=true#config-ap-profile-gui
20070 Hardware AP and switch are mGig capable, but AP is operating at 1 Gbps, this may indicate a cabling issue Warning Operational CDP information shows that the switch is mGig capable, and AP supports mGig, but the negotiated speed was 1000 Mbps or less. This may cause performance issues
20071 Hardware AP has 80 MHz or higher channel, and it is operating at 1 Gbps, this is a suboptimal deployment, and may lead to performance issues Info Operational AP model supports mGig, but is currently not using the capability. The wireless configuration is capable of higher speeds than what is supported on the Ethernet port
30001 Version Controller with not recommended code version:{0} Error Best Practices Controller is running deferred or not recommended code and should be upgraded For more information: http://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-TAC-Recommended-AireOS.html
30002 AP Groups Controller with APs with AP-Group in use Info Information Nothing required, this is purely informational message
30003 AAA Override Controller with at WLAN with AAA Override in use. {0} Info Information Nothing required, this is purely informational message
30004 CAPWAP Controller is currently on Layer 2 mode, this may lead to scalability problems or broadcast control issues Warning Deprecated This message is only applicable for 4400 or older controllers, on LWAPP mode. L2 was no longer recommended mode of operation
30005 Interface Interface has 0.0.0.0 address, incorrect configuration: {0} Warning Config Error An interface does not have an IP address assigned. This is not recommended because it might affect DHCP handling in the controller.
30006 Backup Port AP manager interface with backup port, incorrect configuration: {0} Error Config Error Never configure a backup port for an AP-manager interface, even if it is allowed in older software versions. The redundancy is provided by the multiple AP-manager interfaces
30007 Interface Interface does not have port assigned, incomplete CLI configuration: {0} Error Config Error Interface created without any port assignment, incomplete config. Use config interface port command to correct this problem
30008 Hardware Controller with high internal temperature: {0} Error Operational Controller operating outside its internal temperature limits. Check environmental conditions, as this could lead to HW failures
30009 Spanning Tree Spanning Tree Algorithm is enabled in controller, this must be disabled, as this may cause stability issues Error Deprecated This is a legacy check for older AireOS controller models. It may have negative interactions with other STP devices in the network
30010 Interface Duplicated IP address with controller: Error Config Error Same IP address was detected across two or more controllers. This could cause traffic loss and multiple failures scenarios
30011 RF Group RF Group Name is different with Controller: Warning Config Error The RF group name is used to establish relationship between controllers, and it is different across the controllers included on the files analyzed. This could affect TPC and DCA calculations. It may be intentional if the network should be split at RF level. Command: config network rf-network-name
30012 AP Manager AP manager interfaces count less than number of active ports, and no LAG, not supported configuration Error Config Error For non LAG scenarios, all active physical ports should have a AP manager interface associated, otherwise there can be traffic issues, or CAPWAP errors. Check active port assignment on the interfaces
30013 WPA/WPA2 WLAN with both WPA and WPA2 enabled, this may cause problems with old client drivers and some PDAs. WLAN(s):{0} Info Best Practices WPA in general is not recommended, it should only be used for legacy client support. Some older clients may have problems if WPA and WPA2 are enabled on same WLAN. This is not an issue if all clients are relatively recent
30014 Multicast Multicast address is same as mDNS, this may cause problems with Apple Bonjour, iTunes. Network: {0} Warning Config Error Multicast forwarding address overlaps with the mDNS address(224.0.0.251), this will break Apple Bonjour, as traffic will be dropped, it should be changed. Command:config network multicast mode multicast
30015 Multicast Current address is {0}, it is recommended for best practices to use a multicast address in the range of 239.0.0.0-239.255.255.255, not including 239.0.0. and 239.128.0.x. Warning Best Practices It is advisable to use a private multicast address. Command: config network multicast mode multicast
30016 Multicast Current selected multicast address ({0}), can generate a flood, as it overlaps with local mac address. It is strongly recommended to use one in the range of 239.0.0.0-239.255.255.255, not including 239.0.0.x and 239.128.0.x Warning Config Error Switch address to mac conversion could cause a L2 flood, it is advisable to change. Command: config network multicast mode multicast
30018 AP Manager AP manager interface on same subnetwork as Manager Interface, but VLAN is different, this may generate CAPWAP protocol errors. Interface {0} Error Config Error This is a configuration error that may lead to CAPWAP errors, it should be corrected
30028 CAPWAP Max AP count reached on controller Error Best Practices WLC is running at its maximum capacity. No more APs will be able to join
30031 RRM Global RRM Min power limit in use: {0} Info Information This is informational message to indicate that there is a power limit set at global level (could be overridden by RF profile). No action required
30032 RRM Global RRM Max power limit in use: {0} Info Information This is informational message to indicate that there is a power limit set at global level (could be overridden by RF profile). No action required
30033 Multicast Multicast forwarding address not found for controller Info Config Error This is informational message to indicate possibly missing configuration
30035 WCAE WLC configuration taken with no-ap option, this limits all RF analysis and information that can be displayed. It is recommended not to use this option with WLCCA Error Information This is informational message to indicate that there is no RF information collected, and that will limit the analysis possible. For full analysis, collect with sh run-config or using transfer upload command
30036 NAC NAC and Fast SSID must not be used at same time. WLAN(s): {0} Error Config Error As FastSSID by design allows clients to jump between SSIDS without clearing current policies, it is not recommended to mix with NAC features on same WLAN
30037 RRM Non default RRM timer in use. This is not recommended unless directed by Cisco support. {0} Info Config Error This is informational message, no action required, if the timer was changed intentionally
30038 RRM RRM timer at 1h. This can cause problems on calculations. Must be avoided. {0} Error Best Practices Using RRM timer set to 1h may lead to different calculation errors. Unless this was directed by Cisco Support, it should be avoided
30040 Load Balancing Load Balancing window value too aggressive. Minimum recommended value is 5 or higher Warning Best Practices Using a low window can cause association errors, try to use 5 or higher. Command: config load-balancing window
30041 Load Balancing Load Balancing window is zero, it is strongly suggested to use higher value Error Config Error Using a window set to zero can cause serious association errors, try to use 5 or higher. Command: config load-balancing window
30045 Webauth Do not configure IP address starting by 127.x, as it may affect webauth. Interface(s): {0} Error Config Error Using loopback address will break webauth, reconfigure the interface. Command:config interface address
30046 Broadcast/Multicast GTK Randomization is enabled, this is intended only for Hotspot 2.0 deployments, and may break normal clients (no multicast/broadcast received ), normally not recommended. WLAN(s): {0} Error Config Error GTK randomization could cause clients to stop receiving broadcast, this could be intentional for security purposes. Command:config wlan security wpa gtk-random
30047 Interfaces Interfaces with overlapping address: {0} and {1} Error Config Error This is configuration error, there are interfaces with same IP address. it must be corrected. Command:config interface address
30048 11n Global MCS rate disabled, all rates from 0 to 15 must be set minimum, as supported, otherwise it may generate interoperability issues with some clients. Band(s) {0} Warning Config Error Some clients have interoperability issues if any rate in 0-15 is disabled. Impact depends largely on client version, check if applicable to your deployment. It may have been overridden by RF profiles. Command: config 802.11a 11nSupport mcs tx
30049 Multicast Multicast or Broadcast forwarding enabled, with null multicast address destination. You should configure a multicast address Warning Config Error This is configuration error that will lead to traffic loss. A multicast address should be configured. Command:config network multicast mode multicast
30050 High Density RX SOP is in use for radio slot: {0} Threshold {1} Info Information This is informational message, no action required, if this was changed intentionally
30051 High Density CCA is in use for radio slot: {0} Threshold {1} Info Information This is informational message, no action required, if this was changed intentionally
30052 Webauth Webauth is in use, but no pre-auth ACL is set, this is required for external webauth, it may not apply depending on your configuration WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
30053 Webauth Webauth is in use, but no pre-auth ACL IPv6 is set, this is required for external webauth, and IPv6 fw is enabled. WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
30054 11n 802.11n/11ac radios are present, but WMM is disabled on the WLAN(s): {0} Warning Config Error This is configuration error that will prevent usage of high speed rates on the WLAN. If this is not intentional, it should be corrected. Command: config wlan wmm allow
30055 11n 802.11n radios are present, but WMM is disabled on the WLAN(s): Warning Config Error This is configuration error that will prevent usage of high speed rates on the WLAN. If this is not intentional, it should be corrected. Command: config wlan wmm allow
30056 High Availability HA is active, but no vlan set on Manager interface Error Config Error HA is only supported on tagged management interfaces. This is also recommended for WGB or IPv6 features, you should configure vlan on management interface. Command: config interface vlan management
30057 RF Legacy rate in {0} in use. Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Info Best Practices In most scenarios, it is a good idea to disable 11b data rates (1,2,5.5,11), as they use more RF time and are more sensitive to interference. It is advisable to enable only 11g rates, unless you need to support legacy devices. Command: config 802.11b rate disabled X
30058 Multicast Multicast unicast mode is suboptimal transport for networks with IPv6, mDNS, etc. Multicast mode is recommended. To use it, you also need multicast routing between WLC and Aps Warning Best Practices Multicast unicast mode allows replication of broadcast and multicast frames without multicast routing support in the network infrastructure, but it is a very intensive process. For most scenarios, it is strongly suggested to use multicast-multicast replication mode
30059 Mobility This controller has a large mobility group count. For optimization purposes, please ensure that controllers with the same mobility group name are only configured when there is a shared RF space where roaming can happen Info Best Practices Remove mobility peers outside the same RF roaming space. This is purely an optimization
30061 Authentication EAP identity timeout may need to be larger if using EAP-TLS, OTP based authentication. Please validate on your specific client types before enforcing the changes Info Best Practices If using EAP-TLS or OTP, it is advisable to have a large EAP ID request timeout. Use command: config advanced eap identity-request-timeout, to set it to 30 seconds or higher
30062 DHCP Interface pointing to WLC as Internal DHCP server. This feature is not intended for large scale deployments. Please check depending on your network size, it may be recommended to use external DHCP Server. {0} Warning Best Practices One or more interfaces found that could be using WLC DHCP internal server. It is advisable to use external DHCP server for best performance on medium/large deployments
30063 Local EAP Local EAP in use. This feature is not intended for very large scale deployments. Please check depending on your network size, it may be recommended to use external Radius Server. {0} Warning Best Practices One or more WLANS using local EAP. It is advisable to use external Radius server for best performance on medium/large deployments
30064 Authentication EAPoL request timeout larger than {0} ms. EAP key requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes Info Best Practices EAPoL request timer found to be higher than 400ms. In most scenarios, 400 would allow faster recovery in case of problems. Some devices may need longer timers, so always check. Use command: config advanced eap eapol-key-timeout, to adjust
30065 Authentication EAPoL request retries lower than {0}. EAP requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes Info Best Practices EAPoL request retry count found to be lower than 2. In most scenarios, 3 retries should work. This value could be set to zero for Krack attack client side workaround. Command: config advanced eap eapol-key-retries
30066 TACACS Tacacs management timeout lower than 5 seconds. Using longer TACACS timeout is recommended for OTP systems. Server(s): {0} Warning Best Practices Using a low TACACS timeout can cause server issues or authentication failures. Use command: config tacacs auth mgmt-server-timeout X 5, to set it to 5 seconds or higher, replace X with the server ID
30067 Rogue Detection Minimum Rogue RSSI detection threshold should be set to {0} or higher, unless mandated by your security policies Info Best Practices The Min RSSI feature allows filtering out unwanted rogues from the network (out of building). It is advisable to use -70 to -80 depending on your physical location and security policies. Command: config rogue detection min-rssi
30069 Rogue Contention At least one Autocontain policy is enabled. Rogue contention has severe impact on client serving time, it should be avoided unless mandated by your security policies Warning Best Practices One or more auto-contain policies were detected; this could have legal and performance implications. Ignore if this is intentional
30070 AVC AVC is recommended. Ensure you are using 8.0 or higher, and current load on WLC does not exceed 50%. Info Deprecated This is general best practice. Please be aware of any possible performance impact for loaded controllers
30071 Fast SSID Fast SSID enabled is recommended for networks that may have Apple IOS client devices Warning Best Practices Fast SSID allows easier client jump between WLANS, and it is highly recommended for networks with Apple devices. It should not be used in combination with NAC policies. Command: config network fast-ssid-change enable
30072 CleanAir CleanAir detection disabled. It is highly recommended if your current AP HW types support the feature. Band(s): {0} Info Best Practices CleanAir provides additional visibility on RF issues. It should be enabled if the AP types support it. Command: config 802.11X cleanair enable network, with X=a or b. Ensure BLE beacon detection is disabled for best performance
30074 WPA WLAN with standalone TKIP policy. This will be deprecated soon due to certification requirements, or migrated to WPA2 AES+TKIP. It is advisable to modify the configuration. WLAN(s): {0} Warning Best Practices For security reasons, and certification requirements, TKIP as standalone policy is not recommended, and should only be used for strict legacy support
30075 WPA WLAN with WPA AES policy. This will be deprecated soon due to certification requirements, or should be migrated to WPA2 AES. It is advisable to modify the configuration. WLAN(s):{0} Warning Best Practices One or more WLAN affected: WPA/AES is not a supported policy for AP-COS Aps, it should be replaced with WPA2/AES
30076 NTP Controller without time source, please configure a valid NTP server Warning Best Practices No time source detected for this controller. It could be incomplete configuration, check that NTP servers are configured. Command: config time ntp server
30077 Security Controller with telnet enabled, this is not advisable from security point of view Warning Best Practices For security reasons, it is not recommended to use Telnet for CLI access to the controller, use SSH instead
30081 Load Balancing Enterprise: Aggressive Load Balancing is a recommended best practice for enterprise environments with proper AP density, for local mode APs. Do not use for WLANs with interactive applications (voice/video) Info Config Error Load Balancing could help on load distribution on some scenarios, it must be avoided for networks with interactive traffic like voice or video. Command: config wlan load-balance allow enable ID
30082 Client Profiling Local Profiling is a recommended best practice for better client visibility Info Information Local profiling is recommended in general, unless using NAC profiling. To enable: config wlan profiling local all enable ID
30083 High Availability High Availability is a recommended redundancy solution for supported platforms Info Best Practices This is general recommendation to use HA feature when possible, to improve network reliability
30084 Webauth Virtual Gateway IP is not on 192.0.2.0/24 , 198.51.100.0/24 , 203.0.113.0/24 networks, change to recommended address to avoid overlapping with Internet Allocated addresses. RFC5737 Info Best Practices Virtual GW address must not match any Internet Routable address, as it could lead to controller dropping traffic for it. Use one of the recommended addresses
30085 CCX If not using Cisco WGB or Voice devices, it is recommended to disable Aironet Extensions for simplicity on the I.E. beacon set. WLAN(s): {0} Info Best Practices This is general recommendation to improve WGB support, and simplify information elements included in beacons
30086 Webauth If using sleeping client feature, idle timer must be lower than the session timeout. WLAN(s): {0} Warning Best Practices For sleeping client feature to work correctly, idle timer must be shorter than session timeout. Please adjust WLAN configuration
30087 Multicast If using AAA override or Interface Groups, enable the Multicast Vlan if using any multicast applications. WLAN(s): {0} Info Best Practices The Multicast VLAN feature allows devices in different VLANs associated on the same WLAN to receive all related multicast traffic. It is recommended to enable this feature if using AAA override and multicast applications are needed
30088 CAPWAP Controller with 90% or more of AP licenses in use Warning Best Practices Controller is reaching its AP licensed capacity, evaluate if additional controllers or licenses are needed for future growth
30089 CAPWAP Controller with 90% or more of capacity in use and join priority enabled, monitor usage as AP disconnections may happen as configured Warning Best Practices This is warning that feature may trigger AP disconnection, to ensure this is a desired scenario
30091 Band Select Band Select is not in use on any WLAN. it is a recommended feature when there is a good AP density in Enterprise deployments. Do not use for WLANs with interactive applications (voice/video) Info Config Error This is purely a general recommendation, please validate if applicable in your environment
30092 RRM For enterprise environments, it is recommended to use DCA with 40 MHz channel width or Best setting, except for High Density deployment scenarios Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30093 AP Groups AP groups are not in use. For enterprise environments, it is best practices to enable this feature for more granular AP settings Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30094 RF Profiles RF profiles are not in use. For enterprise environments, it is best practices to enable this feature for more granular RF control Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30095 RRM DCA is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Info Best Practices This is purely a general recommendation, please validate if applicable in your environment
30097 RRM TPC is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Warning Best Practices This is purely a general recommendation, please validate if applicable in your environment
30098 RRM ED-RRM is not in use. It is recommended to enable for enterprise environments. Band(s): {0} Warning Best Practices This is purely a general recommendation, please validate if applicable in your environment
30099 RRM AP Load is not a recommended metric for Enterprise DCA. Disable to avoid possible channel flapping. Band(s): {0} Warning Best Practices Modify RRM DCA settings. This can lead to severe channel assignment issues, it is not recommended for most environments
30101 RRM Channels 100-140 are not in use for DCA. If country regulations allows it, it is advisable to enable to improve channel distribution on 5GHz band Info Best Practices When possible, enable all supported channels, to reduce any co-channel interference on high AP density scenarios
30103 CAPWAP Untagged Management interface, this may affect feature behavior for IPv6, WGB vlan support. it is recommended to configure vlan on management interface Warning Best Practices Several features need management interface to have a VLAN tag, except for simple network scenarios, it is strongly recommended to have a VLAN assigned
30104 RRM DCA with channel bonding in use and 11ac and/or 11n are disabled. Invalid configuration. Warning Config Error Either enable 11n/11ac networks, or set DCA channel width to 20 MHz
30105 11n/11ac/1ax Aggregation scheduler disabled. Band: {0} Warning Config Error This is a non-default configuration that could lead to severe performance impact. Enable with config 802.11a/b 11nSupport a-mpdu tx scheduler enable
30107 DHCP DHCP proxy enabled on the interface , but DHCP IP is not configured. Interface(s): {0} Warning Config Error DHCP proxy feature needs DHCP server IP address to be configured. Please add the missing information
30108 RF 2.4 and 5 GHz Networks are disabled. Info Information Informational message to notify that both bands are disabled, which is not a normal scenario. Please confirm if this is intentional
30109 mDNS mDNS profile is configured in WLAN, but global mDNS snooping is disabled. WLAN(s):{0} Info Information This is to inform that there is a possible incomplete mDNS configuration. if needing this feature, global mDNS should be enabled
30110 WIPs IDS legacy and WIPs submode are enabled at the same time. This is not recommended configuration Error Config Error It is not advisable to combine IDS and WIPS, as it can lead to some incompatibilities. Please disable legacy IDS if using WIPS
30111 DHCP It is recommended to have the DHCP proxy enabled. Info Parsing Error This is purely a general recommendation, please validate if applicable in your environment
30112 Multicast The IPv6 Multicast/Broadcast mode is on Unicast. Warning Information For performance optimizations, it is recommended to use multicast transport mode. Please enable in general multicast settings
30113 MFP 11v is enabled, it is recommended to have the MFP infrastructure disabled. It may cause incompatibility with some clients. WLAN(s): {0} Warning Information This is purely a general recommendation, please validate if applicable in your environment
30115 HW RAID drive status is not reported as OK. It should be checked. Error Operational Disk status may have issues, please check if your RAID disks are in proper state. This may need TAC case for replacement
30116 Mobility Mobility Multicast enabled but the mobility peer {0} is not in the controller management subnet. Impact depends on network multicast routing state Warning Information Mobility multicast may cause roaming issues, not a recommended configuration. If the controllers are on different subnets, it needs proper multicast routing support
30117 Certificate Certificate {0} and Ignore MIC certs expiration is not enabled. Please validate cert date on directly on Controller for confirmation, and enable the expiration date ignore feature on WLC Error Operational To avoid AP join issues for older hardware, ensure you have ignore MIC certificate expiration enabled.
30118 Certificate Unknown Serial Number format. Certification Expiration Date can not be calculated. Info Information Error parsing serial number to calculate a possible certificate expiration date. No action required, just informational message
30119 NTP NTP Polling Interval is set, but no NTP Server is configured. Controller should have time source Warning Best Practices Please check the NTP time sync status, as having a proper time source is critical for several features
30122 RLDP RLDP is enabled for all AP types. This may have severe impact on voice applications, and lower performance for general data. It is advisable to use the option of monitor mode Aps if this is a security requirement, or disable it Error Information RLDP should be configured to use only Monitor mode APs, please check your WPS configuration. This may have severe impact on performance
30123 Multicast Multicast Unicast forwarding mode is enabled, and either multicast or broadcast is in use, or IPv6 is enabled, with more than 50 APs. Depending on network traffic characteristics, this could have large performance impact. It is advisable to use multicast-multicast mode to prevent issues, which may have multicast routing dependencies on your infrastructure Warning Config Error Please check your multicast configurations under Network tab, and enable Multicast mode. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_A00DD1DF19234C8EAD756137594CC2AA
30124 HW Controller with low memory: {0} bytes, {1:.2f} % available Error Operational This is a warning on a potential out of memory scenario. Evaluate if a reload is needed or contact TAC for further analysis
30125 WLAN Disabled WLAN, no checks run. WLAN(s): {0} Info Information No action required, this is just informational message
30126 Webauth Webauth is in use, but no pre-auth ACL for flexconnect is set, this is required for external webauth,wlan is set for local switching and there are Flex APs detected. WLAN(s): {0} Warning Config Error This is a configuration error that will potentially lead to the feature not working. Command: config wlan security web-auth acl
30127 FRA RRM leaders do not match between 2.4 and 5GHz bands, this could lead to errors on FRA calculations Error Config Error FRA requires both the 2.4 and 5GHz leaders to run on the same physical controller. With static leaders, if the platform license AP count is exceeded, the grouping may be split, leading to this situation. In that case, FRA can't be used. A configuration change or reassignment of APs is recommended
30128 CleanAir CleanAir BLE Beacon detection signature has significant performance impact, it is recommended to run CleanAir enabled, with this specific device type disabled, unless required by deployment Error Config Error Ensure BLE beacon detection is disabled for best 2.4 GHz performance, unless required by deployment. Command: config 802.11b cleanair device disable ble-beacon
30129 Webauth HTTPS interception for Webauth may have severe performance impact due to scalability problems, only use on small deployments. Use a recommended code from 8.7 and higher, if this feature is required Error Config Error HTTPS redirection was redesigned from 8.7, with significant performance improvements. If possible upgrade to a recommended release above 8.7 if HTTPS webauth redirection is required
30130 Security WLC is not vulnerable to CVE-2017-13082 802.11r/FT Info Config Error Informational message about vulnerability exposure
30131 Security WLC is vulnerable to CVE-2017-13082 802.11r/FT, it is recommended to upgrade or apply workaround Error Config Error Informational message about vulnerability exposure, upgrade is recommended
30132 Webauth No IP address detected, or invalid address on Virtual GW interface Warning Config Error This is a potential indication of either a corrupted config file sent for processing, or an invalid address in use on the virtual GW. It could lead to issues on webauth or DHCP processing
30133 Rogue - CMX Rogue queues have high utilization. Possible MSE/CMX connection problem Error Config Error If any of Rogue queues show a high utilization, this may be indication of a MSE/CMX connection problem (server is down, TLS auth failed, wrong server IP configured, etc)
30134 Leak High system timers utilization (more than 80% in use). This is indication of a leak or extreme utilization scenario Error Config Error A high timer count report may be an indication of a timer leak (software defect) or an extremely high load. This should be investigated, as it may affect several features
30135 IPv6 Link Local bridging is enabled, and the controller is not running code with the fix CSCvf15991, this may cause traffic forwarding issues Error Config Error The Link Local bridging feature may lead to traffic forwarding randomly failing, especially for AAA override clients. Please upgrade to code with the fix CSCvf15991, for example: 8.5.120.0, 8.3.141.0, 8.6 or higher, or disable the feature. Command: config network link-local-bridging disable
30136 Webauth Port 443 is configured for redirection, instead of using the HTTPS redirection feature. This will break management HTTPS access when using 8.3.140.0 or higher Error Config Error The webauth port list should be cleaned with the command: config network web-auth port 0
30137 Roaming Assisted Roaming is enabled, this could cause roaming failures in multiple scenarios. It is recommended to use 802.11k/v roaming instead. Reported for WLAN(s): {0} Warning Config Error Disable the feature using the command config wlan assisted-roaming prediction disable X, where X is the WLAN ID
30138 HW Controller with high external temperature: {0} Error Operational Controller air intake is exceeding the supported temperature range, please check environmental conditions as this could lead to HW issues
30139 HW Controller with high mGig temperature: {0} Error Operational Controller mGig port temperature sensor reports high value, this could indicate a HW problem
30140 Performance Data plane Fast cache is disabled. This may have severe performance impact, and should only be used following TAC instructions Error Config Error If this is not part of explicit troubleshooting scenario, enable it with config advanced fastpath fastcache enable
30141 PMF WLAN with PMF set as required and 9120 AP models detected. This may have negative performance impact if the client does not support SHA256. Either set to PMF Optional or use 8.10MR1 code. WLANs: {0} Error Config Error AP model 9120 had a mandatory requirement for SHA256 and PMF; if the client does not support this option, it could limit the client to legacy rates. Configure your WLAN for PMF optional/disabled, or upgrade
30142 DHCP Global DHCP timeout is set to less than 30 seconds, this may cause on boarding failures. Unless justified, try to keep the default of 120 seconds Warning Config Error Use the command 'config dhcp timeout 120'
30143 WPA3 WLAN with WPA3 and Adaptive FT roaming enabled. This is not recommended. WLAN(s): {0} Warning Best Practices Adaptive FT has not been tested for WPA3 scenarios. Either change to FT enabled, or disable it
30144 FT WLAN with CCKM and FT roaming enabled. This not supported, and may cause some client types to fail. WLAN(s): {0} Error Config Error FT has not been tested for CCKM scenarios, and configuring both will cause client connection issues. You should disable CCKM
30145 AP Easy Admin is enabled, This is not recommended after provisioning, as it may lead to duplicate APIPA address errors Error Config Error Easy Admin can be used for AP provisioning, but usage during Day N may lead to duplicate addresses in the 169.254.x.x space. It should be disabled for normal production
50003 Mobility Peer down. This may have impact on CPU usage, and roaming. Peer(s): {0} Error Operational In some scenarios, a mobility peer down can drive CPU usage up. Please check configuration, remove any unused peer entries, and/or check controller reachability
50006 Mobility Controller is not referencing itself as Info Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50007 Mobility Controller is referenced as in controller Info Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50008 Mobility Controller has different group name as configured in controller Error Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50010 Mobility No management interface found!. Probably an incorrect config file Info Information Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50012 Mobility Multicast This controller does not have Multicast Address assigned, but others peers have. Validate that this is intentional, that this is not a mix of different controllers versions, or error in parsing config file Error Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50013 Mobility Multicast Controllers have different Mobility Multicast Address. Validate configuration Error Config Error Possibly incorrect mobility configuration, or incomplete mobility DB entry. Please check configuration
50014 Mobility Multicast Peer multicast address is same as mDNS (224.0.0.251), this may cause problems with Apple Bonjour, iTunes. Peer(s): {0} Warning Config Error Please check configuration
50015 Mobility Multicast Peer current address is not private range, it is recommended for best practices to use a multicast address on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0.x and 239.128.0.x. Peer(s): {0} Info Best Practices Possibly incorrect mobility configuration, address in use is not recommended. Not critical change
50016 Mobility Multicast Peer current selected multicast address, can generate a flood, as it overlaps with local mac address. It is strongly recommended to use one on the rage of 239.0.0.0-239.255.255.255, not including for 239.0.0.x and 239.128.0.x. Peer(s): {0} Warning Config Error Address in use could cause flood issues, it is advisable to change mobility configuration
50017 Configuration One of the following situations has been found: AAA Override, AP groups, of different subnetwork across same WLAN between WLCs evaluated. As you may have L3 mobility, for best practices, it is recommended to enable Symmetric mobility if using Voice services, or network core has RPF checks (Antispoofing, FW for example) Info Config Error This is just best practice recommendation
50021 Mobility If case of doing IRCM against a 9800, it is advisable to set the DSCP value to 48, to match the 9800 configuration Warning Information Use the command: config mobility dscp 48, to set this value
60003 RF Coverage Profile Failed in 2.4GHz Band, slot {0} per controller profile settings Info Information
60004 RF Interference Profile Failed in 5GHz Band, slot {0} per controller profile settings Info Information
60005 RF Interference Profile Failed 2.4GHz Band, slot {0} per controller profile settings Info Information
60006 RF Interference Profile Failed 5GHz Band, slot {0} per controller profile settings Info Information
60007 RF Load Profile Failed 2.4GHz Band, slot {0} per controller profile settings Info Information
60008 RF Load Profile Failed, 5GHz Band, slot {0} per controller profile settings Info Information
60009 RF Noise Profile Failed 2.4GHz Band, slot {0} per controller profile settings Info Information
60010 RF Noise Profile Failed 5GHz Band, slot {0} per controller profile settings Info Information
60011 RF AP has a neighbor on same channel at power {0} above co-channel threshold, for slot {1} Info Operational
60012 RF AP has a neighbor on same channel at power {0} above co-channel threshold, for slot {1} Info Operational
60013 RF AP on channel {0}, has a neighbor on a side channel {1} for slot {2} radio, with power {3} Info Operational
60014 RF AP has channel utilization at {0}% for slot {1} above threshold Info Operational
60015 RF AP has channel utilization at {0}% for slot {1} above threshold Info Operational
60016 RF AP detected a persistent device on channel with duty cycle of {0}%, type {1} on slot {2}, channel {3} Error Operational
60018 RF WLC has {0:3.1f}% of APs with high channel utilization for 2.4GHz Band Warning Operational
60019 RF WLC has {0:3.1f}% of APs with high channel utilization for 5GHz Band Warning Operational
60020 RF WLC has {0:3.1f}% of APs with failed Interference Profile for 2.4GHz Band Warning Operational
60021 RF WLC has {0:3.1f}% of APs with failed Interference Profile for 5GHz Band Warning Operational
60022 RF WLC has {0:3.1f}% of APs with failed Load Profile for 2.4GHz Band Warning Operational
60023 RF WLC has {0:3.1f}% of APs with failed Load Profile for 5GHz Band Warning Operational
60024 RF WLC has {0:3.1f}% of APs with failed Noise Profile for 2.4GHz Band Warning Operational
60025 RF WLC has {0:3.1f}% of APs with failed Noise Profile for 5GHz Band Warning Operational
60026 RF AP is isolated (no neighbors) on 2.4 band. This could be expected on single AP scenarios, but could be indication of poor RF design or NDP issues Warning Operational
60027 RF AP is isolated (no neighbors) on 5GHz band. This could be expected on single AP scenarios, but could be indication of poor RF design or NDP issues Warning Operational
60028 RF AP shows low coverage (all neighbors < -75 dBm) on 2.4GHz band. This could affect roaming and be indication of poor RF design or NDP issues Warning Config Error
60029 RF AP shows low coverage (all neighbors < -75 dBm) on 5GHz band. This could affect roaming and be indication of poor RF design or NDP issues, or physically isolated AP Warning Operational This message is intended to flag APs that don't have a smooth coverage transition to other APs. This may be result of AP physical placement
60030 RF AP has asymmetric nearby between radios, assuming similar antennas per band are the same, this could indicate a radio hang or NDP issue. Slot {0}, Band {1} Warning Operational Based on neighbor RSSI from another radio, the AP shows no nearby entries. Check if this is expected, or there is a radio hang or NDP issue. This could negatively impact RRM
60031 RF AP has high channel count (more than 10) per day on 2.4GHz radio. Check RF conditions or RRM configuration Error Operational Frequent channel changes can cause severe impact in client stability. This could be triggered due to bad RF, RRM issues, or incorrect RRM configuration
60032 RF AP has high channel count (more than 10) per day on 5GHz radio. Check RF conditions or RRM configuration Error Operational Frequent channel changes can cause severe impact in client stability. This could be triggered due to bad RF, RRM issues, or incorrect RRM configuration
60033 Radio AP has radio slot in 2.4 band in a channel that has an Air Quality index below 60%, this could have significant negative impact to performance Warning Operational The RF environment is significantly degraded, this may have negative impact into overall network performance. It is advisable to take corrective actions, for example, a site survey, review AP positioning, check for RF interferers, etc
60034 Radio AP has radio slot in 5 band in a channel that has an Air Quality index below 60%, this could have significant negative impact to performance Warning Operational The RF environment is significantly degraded, this may have negative impact into overall network performance. It is advisable to take corrective actions, for example, a site survey, review AP positioning, check for RF interferers, etc
60035 RF Coverage Profile Failed in 6Hz Band, slot {0} per controller profile settings Info Information
60036 RF Interference Profile Failed 6GHz Band, slot {0} per controller profile settings Info Information
60037 RF Load Profile Failed, 6GHz Band, slot {0} per controller profile settings Info Information
60038 RF Noise Profile Failed, 6GHz Band, slot {0} per controller profile settings Info Information
60039 RF AP has a neighbor on same channel at power {0} above co-channel threshold, for slot {1} Info Operational
60040 RF WLC has {0:3.1f}% of APs with high channel utilization for 6GHz Band Warning Operational
60041 RF AP has high channel count (more than 10) per day on 6GHz radio. Check RF conditions or RRM configuration Error Operational Frequent channel changes can cause severe impact in client stability. This could be triggered due to bad RF, RRM issues, or incorrect RRM configuration
60042 Radio AP has radio slot in 6GHz band in a channel that has an Air Quality index below 60%, this could have significant negative impact to performance Warning Operational The RF environment is significantly degraded, this may have negative impact into overall network performance. It is advisable to take corrective actions, for example, a site survey, review AP positioning, check for RF interferers, etc
60043 RF AP is isolated (no neighbors) on 6GHz band. This could be expected on single AP scenarios, but could be indication of poor RF design or NDP issues Warning Operational
60044 RF WLC has {0:3.1f}% of APs with high channel utilization for 6GHz Band Warning Operational
60045 RF WLC has {0:3.1f}% of APs with failed Interference Profile for 6GHz Band Warning Operational
60046 RF WLC has {0:3.1f}% of APs with failed Load Profile for 6GHz Band Warning Operational
60047 RF WLC has {0:3.1f}% of APs with failed Noise Profile for 6GHz Band Warning Operational
60048 RF AP shows low coverage (all neighbors < -75 dBm) on 6GHz band. This could affect roaming and be indication of poor RF design or NDP issues, or physically isolated AP Warning Operational This message is intended to flag APs that don't have a smooth coverage transition to other APs. This may be result of AP physical placement
70003 Mesh Bridge Shared Secret is set to the default value, it is recommended to set a user defined secret on mesh environments Warning Best Practices Using default BGN is a security risk, please modify your mesh configuration
70004 Mesh It is recommended to have more than one RAP per BGN for redundancy on sectors with multiple MAPs Warning Best Practices This is a general topology recommendation, please check if it applies to your network design
70005 Mesh if AP density/channel allocation allows it, it is recommended to use 40 or 80 channel width for backhaul Warning Best Practices This is a general topology recommendation, please check if it applies to your network design
70006 Mesh It is recommended to use EAP as authentication method for mesh networks Warning Best Practices This is a security recommendation, please check if it applies to your network design
70007 Mesh Channels 100-140 detected as not in use. Use of this channel range is necessary for some outdoor domains (e.g. ETSI) Error Best Practices Validate your 802.11a channel list, as this could lead to radio down scenarios in some countries
100001 Flex Flex APs detected, but no flex groups in use Warning Best Practices This is a best practices recommendation, to use Flex groups whenever possible
100002 Flex Efficient AP upgrade is not enabled for Flex group(s): {0} Info Best Practices This is a best practices recommendation, to use Flex efficient upgrade whenever possible
100003 Flex Flex AP without flex group detected. Warning Best Practices This is a best practices recommendation, to use Flex groups whenever possible
100004 Flex AP has native VLAN not matching its group configuration, unless it is on different physical site, it would be a non-recommended scenario Warning Config Error Check AP Flex native VLAN configuration, if the AP is on same site as others in the same group, ensure it has same native VLAN
100005 Flex Flexgroup has AP included, but AP is not in Flex or Flex-Mesh mode Info Config Error
100006 Flex AP has WLAN-VLAN mapping not matching its Flex Group, possible AP with corrupted configuration Error Config Error Check AP Flex-WLAN mappings, at least one mapping group-specific was not matching expected VLAN info
100007 Flex AP WLAN-VLAN mapping count not matching its Flex Group, possible AP with corrupted configuration, or per AP-specific WLAN entries Warning Config Error Check AP Flex-WLAN mappings, the WLAN count does not match its Flex Group to confirm it is intentional
110001 BYOD Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. Warning Information
110002 BYOD MAC filter is recommended to enable. Warning Information
110003 BYOD AAA override is recommended to enable. Warning Information
110004 BYOD 802.11r is needed for client fast transition. Warning Information
110005 BYOD Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1X SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove "inactive sessions" after 5 days leading to a possible session mismatch between ISE and the WLC for long lasting connections. Warning Information
110006 BYOD Interim Accounting should be disabled to prevent unneeded accounting load on ISE. Exception is for ISPs, which provide tracking on byte based services. Warning Information
110007 BYOD User Idle Timeout should not be over 300sec. Warning Information
110008 BYOD Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. Warning Information
110009 BYOD Aggressive failover should be disabled to prevent WLC from prematurely marking ISE dead. However, this is based on customer needs and it may still need to be enabled Warning Information
110010 BYOD It is recommended to have less than 10 EAPOL Identity Request Retries. Warning Information
110011 BYOD It is recommended to have EAPOL Request Timeout less than 3 seconds. Warning Information
110012 BYOD It is recommended to have less than 10 EAP Identity Request Retries. Warning Information
110013 BYOD RFC3576 is not enabled on the radius server, please enable it for BYOD deployments. Server IP: Warning Information
120001 Security It is recommended to disable Management over wireless, if the feature is needed, ensure you have a proper CPU ACL Warning Best Practices In Config/network, you can enable/disable this feature. Use only when needed
120002 Security HTTPS for management is disabled, it is recommended to always encrypt management connections Warning Best Practices This is just warning on best practices for GUI management. You can enable in Config/Network
120003 Security It is recommended to monitor all channels for rogue detection. Band(s): {0} Error Best Practices This is best practices recommendation, to improve rogue detection. This is under 802.11a/b, General tab, Monitoring Channel setting.
120004 Security No WLAN with WPA2/802.1X was detected, it is recommended to use proper authentication for security reasons. This may not be applicable on some deployment models Warning Config Error It is expected to see at least one network with L2 security policies enabled. This is just a general check to confirm if this is a status done intentionally
120005 Security No Rogue entries found. Check if rogue detection is enabled, or if it has been disabled per AP. Rogue detection is recommended for security reasons Warning Best Practices This is informational security check, to ensure rogue detection is properly set
120006 Security SSH is disabled and telnet is enabled. It is recommended to use SSH for security reasons Warning Best Practices This is informational security warning, to ensure proper management policies are in place. You can enable it under network configuration
120007 Security Client exclusion not detected on any WLAN. It should be enabled as a general security precaution. Warning Config Error Client exclusion can prevent DoS scenarios against your AAA subsystem. You can enable this under WLAN/Advanced tab
120008 Security AP Local credentials to access point CLI are not configured. For best security practices, it is recommended to configure username/passwords on all APs Warning Best Practices It is strongly recommended to change the default AP credentials, to a custom username/password. This can be done globally under Wireless/Access Points/Global Configuration
120009 Security No CPU ACL detected, it is recommended to configure one, to restrict management access to the controller Warning Best Practices In some scenarios, a CPU ACL can be set to improve security. This may need testing, so use with care
120010 Security WLAN may be using management vlan. It is recommended to never set SSID into management vlan, even for anchor scenarios. WLAN(s): {0} Error Best Practices It is not advisable to share a WLAN with the management vlan, except for simple networks
120011 Security if high security is needed, AP should use dot1x authentication towards switch port Info Best Practices This is optional security best practice
120013 Security Minimum management password length should be 8 or higher Warning Best Practices This is optional security best practice
120014 Security The following Management Password polic{0} not enabled: {1} Warning Best Practices This is optional security best practice
120015 Security HTTP access to management is enabled, it is recommended to only allow https for security reasons Warning Best Practices This is optional security best practice
120016 Security High encryption for HTTPS management is not enabled. Some older web browsers may not support these stronger cryptos Warning Best Practices This is optional security best practice
120017 Security For security reasons, WEP is no longer recommended. WLAN(s): {0} Warning Information This is security best practice
120018 Security It is not recommended to have the EAP local policy with LEAP. Warning Information This is optional security best practice
120019 Security SSL is enabled for GUI management access, for security reasons it is recommended not to use it Warning Best Practices This is optional security best practice
120020 Security RC4 is enabled for GUI management access, for security reasons it is recommended not to use it Warning Best Practices This is optional security best practice
120021 Security CSRF protection is not enabled, it is recommended to enable to prevent these types of attacks Warning Best Practices This is security best practice
120022 Security SSH high encryption is not enabled, it is good security practice to enable it. Some older SSH clients may not support these stronger cryptos Warning Best Practices This is optional security best practice
230001 Version IOS-XE Controller with not recommended code:{0}, please check software download page for the current version for your hardware Warning Config Error Controller is running not recommended code and should be upgraded, better, similar code is available.
230002 Version IOS-XE Controller with deferred or security impacted (PSIRT) code:{0}, it is strongly advised to migrate to recommended code Error Config Error Controller is running deferred code and should be upgraded.
230003 Hardware At least one Environment (temperature, voltage, fan) sensor is reporting abnormal value: {0} Error Operational Check on show environment all, for possible HW or temperature issue
230004 RRM DCA is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Info Best Practices Check on show ap dot11 24/5ghz channel, for most deployments, using Auto mode is best option, unless you need specialized RRM settings
230005 RRM TPC is not set to Auto. For general deployments it is recommended to use RRM. Band(s): {0} Warning Best Practices Check on show ap dot11 24/5ghz txpower, for most deployments, using Auto mode is best option, unless you need specialized RRM setting
230006 Load Balancing AP Load is not a recommended metric for Enterprise DCA. Disable to avoid possible channel flapping. Band(s): {0} Warning Best Practices Check on GUI Radio Configurations/RRM/Band/DCA section
230007 RRM Non default RRM timer in use. This is not recommended unless directed by Cisco support. {0} Info Config Error This is informational message, no action required, if the timer was changed intentionally
230008 RRM RRM timer at 1h. This may cause problems on calculations. It should be avoided. {0} Error Best Practices Using RRM timer set to 1h may lead to different calculation errors. It should be avoided, unless this was directed by Cisco Support.
230009 RRM Channels 100-140 are not in use for DCA. If country regulations allows it, it is advisable to enable to improve channel distribution on 5GHz band Info Best Practices When possible, enable all supported channels, to reduce any co-channel interference on high AP density scenarios
230010 11n/11ac/11ax DCA with channel bonding in use and 11n/11ac/11ax are disabled. Invalid configuration. Warning Config Error Either disable channel bonding in 5GHz configuration, or enable back high speed protocols (11n/11ac/11ax)
230011 RRM RRM leaders do not match between 2.4 and 5GHz bands, this could lead to errors on FRA calculations Error Operational FRA needs that both 2.4 and 5GHz leaders run on same physical controller. In situations for static leaders, if the platform license AP count is exceeded, the grouping may be split leading to this situation. In that case, FRA can't be used. A configuration change or reassignment of APs is recommended
230012 mDNS Multicast forwarding address is same as mDNS, this may cause problems with Apple Bonjour, iTunes. Network: {0} Error Config Error Multicast forwarding address overlaps with the mDNS address(224.0.0.251/FF02::FB), this will break Apple Bonjour, as traffic will be dropped, it should be changed. Command:config network multicast mode multicast
230013 Multicast Multicast Unicast forwarding mode is enabled, and either multicast or broadcast is in use with more than 50 APs. Depending on network traffic characteristics, this could have large performance impact. It is advisable to use multicast-multicast mode to prevent issues, which may have multicast routing dependencies on your infrastructure Warning Config Error Change Multicast forward mode to multicast. This may need multicast routing if APs are not on same VLAN as WLC management interface
230014 Multicast Current address is {0}, it is recommended for best practices to use a multicast address in the range of 239.0.0.0-239.255.255.255, not including 239.0.0.x and 239.128.0.x. Warning Best Practices It is advisable to use a private multicast address. Command:wireless multicast x.x.x.x
230015 Multicast Current selected multicast address ({0}), can generate a flood, as it overlaps with local mac address. It is strongly recommended to use one in the range of 239.0.0.0-239.255.255.255, not including 239.0.0.x and 239.128.0.x Warning Config Error Switch address to mac conversion could cause a L2 flood, it is advisable to change. Command:wireless multicast x.x.x.x
230016 Capacity Max AP count reached on controller. No more APs will be able to join Error Operational WLC is running at its maximum capacity. You should consider a topology modification, or add controllers to the network
230017 CAPWAP Invalid AP join counter, it is higher than controller capacity, contact TAC as it is possible software defect Warning Best Practices If the AP joined counter is higher than platform allowed count, this could indicate a potential software defect, contact TAC for more information
230018 Capacity Controller with 90% or more of AP licenses in use Warning Operational Controller is reaching its AP licensed capacity, evaluate if additional controllers or licenses are needed for future growth
230019 Capacity Controller active client count has reached max capacity, no more clients will be able to join Warning Operational Client count has reached max capacity, you should consider adding new controllers to spread the load
230020 Webauth Virtual Gateway IP is not on 192.0.2.0/24 , 198.51.100.0/24 , 203.0.113.0/24 networks, change to recommended to avoid overlapping with Internet Allocated addresses. RFC5737 Info Best Practices Virtual GW address must not match any Internet Routable address, as it could lead to controller blackholing traffic for it. Use one of the recommended addresses
230021 Load Balancing Load Balancing window value too aggressive. Minimum recommended value should be 5 or higher Warning Best Practices Using a low window can cause association errors, try to use 5 or higher. Command: config load-balancing window
230022 Load Balancing Load Balancing window is zero, it is strongly suggested to use higher value Error Config Error Using a window set to zero can cause serious association errors, try to use 5 or higher. Command: config load-balancing window
230023 NTP Controller with no valid time source (sync has not happened) or file without NTP information, please check if controller has valid NTP server configured Warning Best Practices No active time source detected for this controller. It could be incomplete configuration. Command: config time ntp server
230024 CleanAir CleanAir detection disabled. It is highly recommended if your current AP HW types support the feature. Band(s): {0} Info Best Practices CleanAir provides additional visibility on RF issues. It should be enabled if the AP types support it. Command: #ap dot11 5ghz|24ghz cleanair. Ensure BLE beacon detection is disabled for best performance
230025 CleanAir CleanAir BLE Beacon detection signature has significant performance impact, it is recommended to run CleanAir enabled, with this specific device type disabled, unless required by deployment Error Config Error Ensure BLE beacon detection is disabled for best 2.4 GHz performance, unless required by deployment. Command: no ap dot11 24ghz cleanair device ble-beacon
230026 11b Legacy rate enabled in {0}. Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Info Best Practices In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensitive to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command:config 802.11b rate disabled X
230027 Rogue Detection Minimum Rogue RSSI detection threshold should be set to {0} or higher, unless mandated by your security policies. Current value: {1} Info Best Practices Min RSSI feature allows to filter out unwanted rogues from the network (out of building). It is advisable to use -70 to -80 depending on your physical location and security policies. Command: config rogue detection min-rssi
230028 Authentication EAP identity timeout may need to be larger if using EAP-TLS, OTP based authentication. Please validate on your specific client types before enforcing the changes Info Best Practices If using EAP-TLS or OTP, it is advisable to have a large EAP ID request timeout. Use command:config advanced eap identity-request-timeout, to set it to 30 seconds or higher
230029 TACACS Tacacs management timeout lower than 5 seconds. Using longer TACACS timeout is especially recommended if using OTP systems. Server(s): {0} Warning Best Practices Using a low TACACS timeout can cause server issues or authentication failures. Use command: config tacacs auth mgmt-server-timeout X 5, to set it to 5 seconds or higher, replace X with the server ID
230030 Rogue Contention At least one Autocontain policy is enabled. Rogue contention has severe impact on client serving time, it should be avoided unless mandated by your security policies Warning Best Practices One or more auto-contain policies were detected, this could have legal and performance implications. Ignore if this is intentional
230031 Webauth If using sleeping client feature, idle timer must be lower than the session timeout. WLAN/Policy Profile(s): {0} Warning Best Practices Modify the policy profile idle timeout, ensure that it is lower than session timeout, or set it back to default value, 5 minutes
230032 Multicast IP Multicast Distributed routing is enabled. This is unsupported configuration, and it may lead to severe multicast traffic disruptions. It is strongly recommended to disable it Error Best Practices Disable the feature, use the command 'no ip multicast-routing distributed'
230033 VRF VRF have been configured, this is not a supported feature in 9800 controllers, and it will lead to severe functionality impact Error Config Error Disable the feature, use the command 'no vrf definition NAMEOFVRF'
230034 High Availability Redundancy mac address is not set. This is mandatory configuration value if using redundancy feature Warning Best Practices Set the command 'wireless mobility mac-address' to the management interface mac address
230035 Hardware Possible unsupported SFP detected, it may stop working on 16.12.3, 17.x or newer versions, please check compatible list in controller datasheet Error Operational The SFP type should be replaced with a supported model. Confirm models in controller data sheet or in release notes. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html#id_114714
230036 AP Tag Recommended Number of APs on a single tag has been exceeded, it is advisable to split the APs between different tags to avoid CPU load issues, and use an AP balancing method. Tags:{0} Error Config Error Tags are used to balance AP between different CPU/cores, it is important to keep AP count around 500 per tag, to ensure proper load balance. Ensure you use Load command in AP site tag, or RF Load Balancing in 17.12 or higher
230037 CAPWAP A wireless management trust point has been defined for a controller with manufacturer certificate, and LSC is not in use, this may cause CAPWAP join issues Error Config Error Validate why the command 'wireless management trustpoint' has been defined. This is normally not needed for controllers, except for 9800-CL model
230038 Management To prevent WebUI issues while using some large GUI options (VLANs for example), it is advisable to increase the VTY count to 50 Warning Config Error Use the command 'line vty 0 50' to increase the VTY count
230039 Hardware At least one hardware resource has reached warning threshold. This should be investigated: {0} Error Operational A resource, for example CPU, data plane or memory are above warning threshold. This could indicate high network load, memory leak, etc.
230040 High Availability Redundancy management interface has overlapping address with wireless management, this can cause serious network problems Error Config Error Modify the command redun-management using non-overlapping addresses.
230041 High Availability Redundancy management interface vlan is not the same as the wireless management interface Warning Config Error Modify the command redun-management to match both vlans/interfaces.
230042 Security Password Encryption is not enabled. This is optional feature to protect keys/passwords in configuration Info Best Practices Use password encryption aes command. For more information, check 9800 Best practices guide
230043 Install Installation mode is BUNDLE, it is advisable to use INSTALL mode for several disk, memory and feature benefits Warning Best Practices Check 9800 Best practices guide for more information
230044 Security Management over Wireless is enabled, this is not recommended from a security point of view Warning Best Practices Management over wireless should be used with care, only enable if absolutely required. Check 9800 Best practices guide for more information
230045 Client Profiling Device Classification (client profiling) is not globally enabled, it is recommended to use it Info Best Practices Use Device classification as best practice, to help on troubleshooting, network characterization or problem isolation
230046 RRM ED-RRM is not in use. It is recommended to enable for enterprise environments. Band(s): {0} Info Best Practices This is purely a general recommendation, please validate if applicable in your environment. ED-RRM could provide fast reaction to severe RF issues
230047 Optimized Roaming Optimized Roaming is enabled, this could cause roaming failures in multiple scenarios. It is recommended to use 802.11k/v roaming instead. Reported for Band(s): {0} Warning Best Practices Disable the feature using the command ap dot11 5ghz/24ghz rrm optimized-roam. New devices will use 11k/v information when present
230048 FRA FRA Interval has to be equal or larger than the DCA interval. Reported for Band(s): {0} Warning Best Practices Please configure the FRA to match or be higher than the DCA interval, in the Config/Radio Configurations/RRM/FRA GUI section
230049 RF AP Policy tag with more than 4 WLAN/SSIDs active. It is advisable to keep number of SSID to the minimum possible for best performance. Tag(s): {0} Warning Best Practices A high number of SSID will increase the RR utilization time because of all the needed beacons and management frames. It is recommended to keep to max 4 when possible
230050 RLDP RLDP is configured to use all access points, and not only monitor mode. To prevent significant performance impact, it is advisable to change Warning Best Practices RLDP can use all or monitor mode, to perform the scan. Using monitor mode ensures there is dedicated hardware not impacting client servicing radios. Check your RF design, and modify this in WPS RLDP page
230051 AP Tag Default site tag is detected as in use for a large number of APs. For optimal roaming, it is advisable to use custom tags, and only use default site tag for initial network bring-up Warning Best Practices Check 9800 best practices document. It is recommended to use custom site tags, and avoid default site, except for initial deployment scenarios, or small networks
230052 Flex More than 100 Flex APs have been detected with same Site Tag configured. You must use Flex High Scale feature in 17.9 or higher, as this scenario may lead to fast-roaming errors. Tag(s): {0} Error Best Practices Default Maximum supported size for a Flex Tag is 100 APs. The network design or configuration should be adjusted to ensure this limit is not bypassed, or use Flex High Scale mode in 17.9 or higher. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_flex_connect.html#Cisco_Concept.dita_806fe241-834b-4994-a6c9-61725d091eef
230053 Spectrum Intelligence Spectrum Intelligence is enabled, and applicable APs are present. This may have impact on performance due to scan periods. Band(s): {0} Warning Best Practices SI feature provides valuable RF information, but it may have impact on network performance and voice. Use only if it has been determined the impact is acceptable in your use case scenario
230054 CAPWAP No Wireless Management interface detected. This could indicate incomplete configuration and a non-working scenario Error Config Error Wireless interface is mandatory requirement for basic functionality. Please review initial configuration steps
230055 CAPWAP Wireless Interface was detected as non-vlan type. For appliances, you should use a SVI (Vlan interface) Error Config Error Create SVI and point your wireless interface setting to it. Do not use physical interfaces, only exception is 9800-CL on public cloud scenarios
230056 Management Service tcp-keepalive in/out, should be enabled to reduce lingering inactive connections to management points Warning Best Practices Add: service tcp-keepalives in/service tcp-keepalives out to configuration
230057 DHCP If DHCP helper (relay) is defined, the interface should have dhcp relay source interface command pointing to wireless management interface, to avoid asymmetric DHCP routing scenarios. Interfaces: {0} Warning Best Practices Add: ip dhcp relay source-interface to the interface SVI/Vlan configuration
230058 Interfaces Interface SVI (vlan) detected, but no corresponding vlan entry configured. Interfaces: {0} Error Config Error Add: vlan NUMBER to the configuration. If this is not corrected, the SVI interface will remain down
230059 mDNS WLAN is using mDNS gateway functionality, but no corresponding SVI Interface detected. WLANs/Policies: {0} Error Config Error Add: Define an Interface vlan (SVI) for all vlans where mDNS gateway functionality is required. This check may not apply on AAA override scenarios
230060 Interface Interface referenced by Policy Profile, without IP address configured. Interface: {0} Warning Config Error Interface with incomplete configuration, no IP address, referenced by policy profile. This may cause issues on several features. You should configure valid IP
230061 Interface Interface referenced by Policy Profile, on administrative shutdown state. Interface: {0} Warning Config Error Interface is on administrative down status, but it is referenced by policy profile. This may cause issues on several features. Check if this should be enabled
230062 Interface SVI Interface referenced by Policy Profile, on line protocol down state. Interface: {0} Warning Config Error Interface has line protocol down, but it is referenced by policy profile. Down state is typically caused because the vlan has not been assigned to any physical interface or trunk. Either use different interface on policy profile or correctly map the vlan
230063 Roaming There are denied client roamings across different policy profiles. It is advisable to enable client vlan-persistent command to improve roaming experience Warning Best Practices By default, it is not allowed to roam on same WLAN over different policy profiles. This leads to client delete and a new on boarding is required. Use the command wireless client vlan-persistent on 17.3.4 or higher, to improve roaming. Not recommended for older 17.3 releases. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_client_roaming_policy_profile.html
230065 Webauth The Webauth Global parameter map, does not have IPv6 virtual address. It is advisable to add one Warning Best Practices Depending on your client types, it is good idea to define IPv6 virtual address for Webauth. It can reduce redirection errors. Use 'parameter-map type webauth global' config command, then 'virtual-ip ipv6 ADDRESS'
230066 Webauth HTTPS webauth redirection is enabled. This may lead to certificate errors and possible performance issues. Use with care Warning Config Error HTTPS redirection feature success depends largely on the client type, and webauth certificates installed. On some scenarios it can lead to failures. In general, it does not help, it is not largely required for most devices
230067 Webauth WLAN with webauth configured, but no aaa authorization network command detected. This may be incomplete configuration Error Config Error For webauth, you should set a network authorization method. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-11/config-guide/b_wl_16_11_cg/cisco-guest-foreign.html
230068 Management Controller HTTP server is configured with all modules disabled (ip http active-session-modules none), this could prevent GUI access starting with 17.3. Please ensure this is intentional Error Config Error Starting 17.3 and higher, there is a new behavior change that will cause the no modules option to disable management. During upgrades, this config could lead to issues. Recommendation is to remove the command, unless it is intentional or needed. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html#id_136398
230069 Tag The following tags have a non-existing WLAN name. This may cause significant impact. Tags/WLAN: {0} Error Config Error This is normally a misconfiguration on the Tag entry, with possible invalid WLAN name set. Please edit the tag and check the WLAN
230070 Tag Tag policy is using a Policy profile name not found. This will cause significant impact. {0} Error Config Error This is normally a misconfiguration on the Tag entry, with possible invalid Policy name set. Please edit the tag and check the policy name used
230071 HS20 HS20: Policy profile with incorrect configuration, At least one roaming OI must have beacon flag. HS20 server entry:{0} Error Config Error The Hotspot 2.0 ANQP server configuration is invalid, it should have at least one beacon-oi entry with beacon flag. Please add it
230072 HS20 WLAN mapped to policy profile with H2.0 feature, but 802.1X authentication is not enabled: {0} Error Config Error The Hotspot 2.0 feature requires 802.1X authentication type. Please modify the WLAN security settings or remove H2.0 server name in the policy profile
230073 RRM DCA (channel assignment) has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the channel assignment algorithm has not been executed on the configured interval. Run show ap dot11 FREQghz channel command again, and if the Last Run keeps increasing over update interval, Please contact TAC
230074 RRM TPC (power assignment) has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the power assignment algorithm has not been executed on the configured interval. Run show ap dot11 FREQghz txpower command again, and if the Last Run keeps increasing over update interval, Please contact TAC
230075 RRM FRA (Flexible Radio Assignment) has not run in the expected configured frequency. This could indicate a software failure Error Operational This controller is a RRM leader, and the power assignment algorithm has not been executed on the configured interval. Please contact TAC
230076 RRM BSS Coloring has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the BSS coloring algorithm has not been executed on the configured interval. Please contact TAC
230077 RRM RF grouping has not run in the expected configured frequency. This could indicate a software failure, Band(s):{0} Error Operational This controller is a RRM leader, and the grouping algorithm has not been executed on the configured interval. Please contact TAC
230078 High Availability Redundancy state indicates a possible problem. Please check status of the other unit Error Operational RMI configuration was detected, and the current redundancy state indicates a problem. Check the status of the other unit
230079 High Availability Redundancy is in use, but RMI feature is not enabled. For best high availability scenarios, it is recommended to use it Warning Best Practices Redundancy Manager Interface feature provides significant advantage for HA scenarios. Per best practices, it is advisable to enable it. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_high_availability.html#id_109551
230080 Location NMSP server on down state, this may have impact to CMX/DNA Spaces features. Server(s): {0} Warning Operational At least one NMSP server shows as Inactive/communications down. Please check configuration or server status.
230081 Mobility Mobility peer on down state, Please check communication or configuration, to confirm if this is intentional. Server(s): {0} Warning Operational At least one mobility peer has a down state, depending on the deployment and configuration, this may impact roaming, rogue detection, RF calculation, and guest features
230082 URL Filter The URL specified in the filter has a wildcard in the middle, this is not supported. URL Filter(s): {0} Error Config Error URL Filters only support wildcard as initial or last section of URL. Please correct the entry
230083 Tags For versions 17.6 and higher, it is advisable to use AP tag persistency command, to ensure tags are preserved if AP is temporarily moved to another controller Info Best Practices Configure ap tag persistency enable, this is specially important for N+1 redundancy scenarios
230084 AAA The max-user-login feature is set. This restricts how many clients can share the same username during authentication. Ensure this is intended, as this can impact some deployment scenarios Info Information This is just informational message, to check if this configuration was on purpose. When using devices that can share same user (like phones, student tablets, etc), this could prevent them to join the network. Command to set it to default wireless client max-user-login 0
230085 LAG LAG was detected in use, and port channel load balancing is not set to src-dst-mixed-ip-port. Per best practices, please change both the controller and the switch for optimal port balancing Warning Best Practices Best practices recommend to use command port-channel load-balance src-dst-mixed-ip-port, for best port balancing. This must be configured as well on the switch side
230086 RRM Country is set to either J2, J3 or JP. These country codes are no longer supported from 17.3 and higher, and should be replaced with J4 to allow all applicable AP domains to join Error Config Error Japan country codes were updated after 17.3, and a change is needed to allow AP join and RRM DCA to work for Q,P,U regulatory domain APs. Use ap country J4 command to apply the changes
230087 HS2.0 In the HS2.0 ANQP server definition, the OSU SSID is mapped to an existing WLAN profile that is not open auth Error Config Error Per HS2.0 specifications the OSU SSID has to be open. Please ensure WPA2, webauth, etc are not enabled on the WLAN profile mapped to the OSU SSID command
230088 HS2.0 The OSU SSID is set to a name not present on any WLAN profile mapped to the same policy Tag. Error Config Error OSU SSID should be mapped to a WLAN/SSID present on the same Policy Tag, so clients can see both the H2.0 and the OSU SSID, please check the SSID name
230089 HS2.0 The OSU SSID is set to WLAN profile currently disabled. Warning Config Error OSU SSID should be mapped to an active WLAN/SSID, please check the WLAN enable status
230090 HS2.0 In the HS2.0 ANQP server definition, nai-realm is set, but the OSU SSID is mapped to a WLAN without OSEN enabled. Warning Config Error Per HS2.0 standard, the corresponding OSU SSID must have OSEN set. Please check the corresponding WLAN profile
230091 AAA It is recommended to use either radius or tacacs+ as part of the default login method Info Best Practices The command aaa authentication login default, was detected as using only local, for better security, it is recommended to use a external AAA system as well
230092 Rogues Rogue detection should be configured to report on AdHoc Rogue Access Points Info Best Practices Adhoc rogues could represent a security issue on some scenarios, it is advisable to enable detection as part of WPS policies (command: wireless wps rogue adhoc )
230093 Client Exclusion Excessive 802.11 association failures client exclusion policies should be enabled in WPS policies Info Best Practices Client exclusion policies act as a protection mechanism for the WLC. Unless it is needed for special clients compatibility reasons, it is recommended to enable all (command: wireless wps client-exclusion all )
230094 Client Exclusion Excessive 802.1X authentication failures client exclusion policies should be enabled in WPS policies Error Best Practices 802.1X client exclusion is important to protect the AAA subsystem. Unless it is needed for special clients compatibility reasons, it is recommended to enable all (command: wireless wps client-exclusion all )
230095 Client Exclusion IP Theft failures client exclusion policies should be enabled in WPS policies Info Best Practices IP theft protection is important to protect devices. Unless it is needed for special clients compatibility reasons, it is recommended to enable all (command: wireless wps client-exclusion all )
230096 Client Exclusion Excessive webauth authentication failures client exclusion policies should be enabled in WPS policies Warning Best Practices Webauth client exclusion is important to protect the AAA subsystem. Unless it is needed for special clients compatibility reasons, it is recommended to enable all (command: wireless wps client-exclusion all )
230097 SNMP SNMPv2 community string detected, it is advisable to move to SNMPv3 with authentication and privacy if supported by management software Warning Best Practices SNMPv2 could be a security risk on different scenarios, it is recommended to use SNMPv3 if possible.
230098 SNMP SNMPv1 trap destination detected, it is advisable to move to SNMPv3 with authentication and privacy if supported by destination Warning Best Practices SNMPv1 could be a security risk on different scenarios, it is recommended to use SNMPv3 if possible.
230099 Rogues Rogue AP policies and rules should be defined, specially around managed SSIDs Info Best Practices Rogue rules can improve alerting for possible rogues impersonating managed SSID. It is advisable to enable them. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_classify_rogue_aps_ewlc.html
230100 Hardware WNCD instance detected with more than 500 APs. This could cause high CPU load or feature impact. WNCDs: {0} Warning Operational Depending on different factors, having more than 500 APs per WNCD instance, could lead to high CPU. Review current tag configuration to have a better AP balance across WNCDs. You can control CPU balancing with per site tag Load command, or using 17.12+ RF Auto balancing. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_auto-wncd-lb.html
230101 AAA Radius server(s) marked as Down: {0} Error Operational Server was marked as not responsive by controller. This could be due to configuration (bad secret), server is down, or excessive load either on accounting or authentication. Evaluate disabling Radius Profiling if active, accounting interim settings, or using load balancers
230102 AAA High percentage of failed requests. Radius server(s): {0} Error Operational Server is failing to reply more than 40% of the radius requests (either auth or accounting). This could be due to load problems. Evaluate disabling Radius Profiling if active, accounting interim settings, or using load balancers
230103 mDNS mDNS Gateway is globally enabled, but no WLAN is on gateway mode Warning Config Error Globally enabling mDNS Gateway, without the correct mode on any WLAN, will unnecessarily increase CPU load, and provide no benefit. As important optimization, it is advisable to disable it. Use command no mdns-sd gateway, or check if WLANs have been configured properly (mdns gateway mode)
230104 mDNS High count from wired mDNS services. VLANs: {0} Warning Operational There are more than 120 wired mDNS services detected, it is advisable to filter out entries on upstream, or restrict mDNS altogether on the VLAN. Depending on the client count, this could lead to high CPU utilization. Wired services do not support location filtering. Alternatively evaluate Cisco DNS Service Bonjour solution For more information: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/dna-service-bonjour-og.pdf
230105 mDNS mDNS transport is set to both IPv6/IPv4. This may increase load Error Operational mDNS transport is recommended to be IPv4 or IPv6 only if possible. Using both IPv4/IPv6 may cause devices to announce services on both protocols, significantly increasing the overall load. The impact depends largely on network size, client types and services enabled
230106 CAPWAP Wireless Management interface points to non-existing Interface Error Config Error It was not possible to determine the corresponding interface set in the wireless management command. This could lead to AP join issues, and full network down scenarios. Check the interface set with command: wireless management interface NAME
230107 CAPWAP SSC auth token is in use, on controller with SUDI (embedded certs). This can trigger AP join issues Error Config Error SSC auth token is normally only used for 9800-CL as it does not have embedded certificates from manufacturing. Ensure if you really need SSC token, as it could just cause join problems when certificates are available. You can remove it with the command: no wireless management certificate ssc auth-token
230108 High Availability RMI configured with TrustSec, traffic will be sent on SGT tag 0. This feature combination is not supported Error Config Error When using High Availability RMI and Trustsec, Regardless of interface SGT setting, traffic will be set on tag 0. This may be unsupported feature. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_high_availability.html
230109 Flex More than 300 Flex APs have been detected with same Site Tag configured. This is unsupported configuration even with High Scale option, and it may lead to fast-roaming errors. Tag(s): {0} Error Best Practices Modify the network design or configuration should be adjusted to ensure this limit is not bypassed
230110 SSH SSH RSA key has modulus less than 2048 bits. This will not be supported on future versions, as well it has security implications. It is advisable to update the key to a larger size Error Config Error Use the command crypto key generate rsa general-keys, and use a longer modulus size. Note: This may cause that SSH clients connecting to the controller will need to get the server key updated
230111 High Availability RMI IP address is not on the same subnet as the Wireless Management interface. Error Config Error It is expected that RMI and WMI share same subnet. Please use the command redun-management interface to fix this. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_high_availability.html
230112 AVC WLAN profile is mapped to different policy profiles with mismatched AVC policies. WLANs in use impacted: {0} Error Config Error If a WLAN is reused with different Policy profiles, it is mandatory that all AVC profiles match across the policies (same AVC profile), and if it is set, it is configured across all. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_avc_ewlc.html#concept_vrx_lmy_zy
230113 HW Controller has a ROMMON version lower than the recommended for the platform Error Operational Check ROMMON Software section for your controller, in the Cisco Software Download page, and upgrade to latest version available, otherwise this may prevent future IOS-XE upgrade scenarios
230114 HW Controller ROMMON version that could lead to upgrade errors, as it is using BUNDLE mode. You must upgrade to latest version Error Operational Check ROMMON Software section for your controller, in the Cisco Software Download page, and upgrade to latest version available
230115 RRM RF tag points to non-existing RF profile name. This may cause severe controller issues. Tag(s) name: {0} Error Config Error Check the show wireless tag rf all, and confirm all RF profiles entries are present in show ap rf-profile summary. Fix any missing entry
230116 Management Wireless Management Interface address is configured through DHCP, this may cause problems with DNAC Warning Config Error DNAC does not support variable addressing for WMI, either use static or set a fixed allocation for DHCP pool entry. This check is ignored for AWS deployments
230117 Disk A file system is running with less than 10% of free disk space. Please check if a cleanup is needed to avoid issues: {0} Error Operational This is a general check across all read/write reported file systems, may include standby devices. It is intended as early warning for low disk space situations
230118 PKI At least one RSA key on the controller has modulus less than 2048 bits. This will not be supported on future versions. It is advisable to update the key to a larger size. Keys impacted: {0} Error Operational Use the command crypto key generate rsa general-keys, and use a longer modulus size. Note: if the key is used by a certificate (DNA Spaces, webauth, etc), it may be needed to re-issue the cert, which has additional implications
230119 PKI The system has more than 200 keys generated. This may indicate some key or certificate provisioning issue Error Operational It is not common to have a large number of pubkeys generated, and it may indicate a provisioning issue (check DNASpaces). If the number is too large, this may lead to configuration storage issues
230120 CAPWAP CAPWAP DTLS 1.0 is disabled. This may prevent older APs to join Warning Config Error DTLS 1.0 is needed for IOS APs (1/2/3700,1570, etc) and older 18xx AP models to join. This may get disabled by explicit configuration, FIPS mode, or during 17.12+ upgrade as result of stronger default settings. You can enable it with ap dtls-version dtls_all command. If you do not need older AP support, it is advisable to use only DTLS 1.2 for better security, and ignore this message
230121 CAPWAP Secure cipher ECDHE-RSA-AES128-GCM-SHA256 not explicitly available, this may prevent AP downgrade scenarios Info Config Error After 17.12+, APs require stronger DTLS cipher options to join controller. If the cipher ECDHE-RSA-AES128-GCM-SHA256 is not enabled, this may prevent downgrade scenarios. This can be modified with the command ap dtls-ciphersuite priority
230122 DNAC Invalid hostname ending character, this may cause problems with DNAC Warning Config Error Some versions of DNAC do not handle hostnames ending on non-numeric/alpha characters (CSCwf77077). This may cause onboarding issues. Please change last character using hostname command
230123 PKI Certificate will expire within the next 60 days, it is advisable to either renew, or if not applicable, to disable certificate expiration. Cert SN: {0} Warning Operational For certificates expiring from a certificate authority under your control, or a self signed cert, you should try to renew before expiration. On exceptional scenarios, if the certificate can't be renewed (HW or manufacturing cert), you should disable cert expiration check, within the trustpoint
230124 Management HTTP server does not have an IPv4 access class set. To improve security, it is advisable to set ACL explicitly allowing address that can configure the controller Error Best Practices For better WebUI security, set access class with ip http access-class command. For more information: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html
230125 Management HTTP server does not have an IPv6 access class set, and controller has IPv6 management address. To improve security, it is advisable to set ACL explicitly allowing address that can configure the controller Error Best Practices For better WebUI security, set access class with ip http access-class command. For more information: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html
230126 Rogue AP authentication is enabled, and at least one WLAN has Aironet IE disabled. WLAN(s): {0} Warning Config Error AP authentication requires that all WLANS use Aironet IE, otherwise it may lead to false rogue reports. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-4/config-guide/b_wl_17_4_cg/m_manage_rogue.html#id_136347
230127 Rogue AP authentication is enabled, and AP NTP configuration is not set in join profile. AP Profiles: {0} Warning Config Error AP authentication requires AP side NTP synchronization, to avoid false positives. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-4/config-guide/b_wl_17_4_cg/m_manage_rogue.html#id_136347
230128 Rogue AP authentication should be configured with a threshold of at least 5 or higher Info Best Practices AP authentication with a default threshold of 1, may lead to false positives. It is advisable to set to 5 or higher. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-4/config-guide/b_wl_17_4_cg/m_manage_rogue.html#id_136347
230129 Security Current configuration is vulnerable to CVE-2023-48795/CSCwi59338, Chacha20 should be removed from SSH encryption options Warning Config Error CVE-2023-48795 describes a security problem on some SSH extensions present in OpenSSH for specific encryption protocols. It is recommended to remove this option from SSH configuration. Use command: ip ssh server algorithm encryption aes128-gcm@openssh.com aes256-gcm@openssh.com aes128-gcm aes256-gcm aes128-ctr aes192-ctr aes256-ctr.
230130 CAPWAP IOS APs are present in the system, support for these models is included up to 17.9/17.12, please ensure HW migration before upgrading to newer code, as it may result in network outages Error Operational IOS AP models 1700/2700/3700, etc. ended support by April 2024, both for TAC cases and in IOS-XE code for releases after that date. Please plan accordingly. For more information: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3700-series/eos-eol-notice-c51-740710.html
230131 DFS Channel Switch Announcement (CSA) part of 802.11h, should be enabled, as it will become mandatory by regulatory requirements in later versions Warning Config Error Enable CSA, from config mode, use the command: ap dot11 5ghz channelswitch.
230132 Webauth A webauth parameter map is set with max-http-conns command. This may lead to webauth failures on large deployments, ensure if this is required, otherwise it is advisable to remove Warning Config Error The command max-http-conns limits how many concurrent connections per client are allowed. This may trigger authentication failures, so use with care.
230133 Local EAP Local EAP authentication is using CISCO_IDEVID_SUDI as trust point. This may lead to performance issues on 17.9.4 or 17.12.2 and higher, not recommended Error Config Error Because of certificate mapping changes, CISCO_IDEVID_SUDI should be replaced with CISCO_IDEVID_CMCA3_SUDI or CISCO_IDEVID_CMCA2_SUDI trustpoint names, to ensure certificate access method remains same after upgrade
230134 PKI Certificate has already expired, please check if possible to renew, or disable certificate expiration checks if applicable. Cert SN: {0} Error Operational Expired certificates will cause application impact, unless actions are taken. For certificates expiring from a certificate authority under your control, or a self signed cert, you should try to renew before expiration. On exceptional scenarios, if the certificate can't be renewed (HW or manufacturing cert), you should disable cert expiration check, within the trustpoint
230135 Webauth Webauth is using CISCO_IDEVID_SUDI as trust point. This may lead to performance issues on 17.9.4 or 17.12.2 and higher, not recommended Error Config Error Because of certificate mapping changes, CISCO_IDEVID_SUDI should be replaced with CISCO_IDEVID_CMCA3_SUDI or CISCO_IDEVID_CMCA2_SUDI trustpoint names, to ensure certificate access method remains same after upgrade
230136 Roaming Default Tag in use on Flex mode APs, and a fast roaming method is enabled (FT, Adaptive or OKC) Warning Config Error Default Tag does not support any fast roaming method, as there is no PMK key distribution. You should modify configuration, and use a custom site tag
230137 Hardware Controller has more site tags than WNCDs, it is advisable to use a AP Load balancing method, like Site AP Load (17.9+) or AP Auto RF balancing (17.12+) Warning Config Error For medium/large networks (500+ APs), best practices recommend to use a mechanism of load balancing to have a predictable load across CPUs. You can use site tag AP load balance for static distribution,(load command under site tag) or use AP Auto RF Balancing in 17.12. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_auto-wncd-lb.html
230138 Hardware Controller with a heavy unbalanced Client load (one WNCD with more than 50% than the rest, more than 3000 clients total). Please review AP distribution across site-tags Warning Config Error For optimal performance, it is recommended to distribute client load across site-tags, concentrating APs on same tag that cover similar RF roaming environment
230139 Multicast Direct Multicast Direct for band(s) {0}, is enabled with the minimum bandwidth. This may cause issues on video calls Warning Config Error Using minimum bandwidth (5%), may cause video calls to be handled as Best Effort, or be dropped. It is advisable to use Media stream with 10% or more, if using video applications
230140 Interfaces More than one Port Channel interface with same allowed VLAN list Warning Config Error Allowing same VLANs across Port Channels, may cause traffic loop, and possible instability issues. It is advisable to filter out vlans that are not required to be duplicated. Check your topology, as this may depend on switch side configuration as well, and could be fine for your config. Command: switchport trunk allowed vlan
230141 Multicast IGMP Querier is enabled, ensure only one IGMP Querier is present on the network to avoid multicast issues Warning Config Error In most multicast topologies, the WLC does not need to act as IGMP querier, and this should not be enabled. In some deployment scenarios, like Vocera, this may be used, but ensure there are no other queriers present, as that could lead to conflicts. To disable, use: no ip igmp snooping querier
230142 Radius Configure Dead Timer and Dead Criteria detection for radius, to move into backup server in case of problems Warning Best Practices When using more than one radius server, use both commands to detect issues: radius-server dead-criteria time 5 tries 3, and radius-server deadtime 5, adjust timers as needed For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#RADIUSServerTimeout
230143 Radius Configure Active probe for radius to avoid using unreachable server. Server(s): {0} Warning Best Practices When using deadtimer, it is important to configure active server probing with the command: automate-tester username probe-on For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#RADIUSServerTimeout
230144 Radius Per server radius timeout is too low. Server(s): {0} Warning Best Practices As a general rule, it is recommended that the radius server timeout is set to 5 or higher, this can be global setting, or per radius server. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#RADIUSServerTimeout
230145 mDNS When using mDNS custom service policies, service list must be provided for both in/out direction(s): {0} Error Config Error The custom service policy must be configured with service-lists for both directions (IN and OUT); otherwise, the mDNS Gateway will not work (will not learn services if there is no IN service-list, or will not reply or announce services learned if there is no OUT service-list). For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m_mdns_gateway.html#enab-mdns-gate-gui
230146 HTTP HTTP Server max connections command has a non-default value, this may cause problems with UI or guest access, if it is set too low. Use with care Warning Config Error The ip http max-connections command can be used to limit HTTP connections to the controller, from 17.15. It should be used carefully, as it may have an impact on the UI in some situations. It is recommended to leave it on the default (300). For more information: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/command/nm-https-cr-book/nm-https-cr-cl-sh.html#wp4231657522
230147 Site Tags More than 100 Site tags detected. Large counts are supported, but they may have a performance impact on some conditions Info Config Error Check if they come from Catalyst Center automation, and see if this can be optimized using network profiles. This is a general optimization recommendation, not a limit For more information: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-7/user_guide/b_cisco_dna_center_ug_2_3_7/m_configure-network-profiles.html#Cisco_Task_in_List_GUI.dita_e823717b-836d-4a05-9fa2-0b447b3580ad
230148 CPU Process detected with sustained high CPU, please validate if this may be a problem: {0} Warning Best Practices A process may have a peak of utilization during some load conditions, and recover gracefully. If the high CPU process is persistent, check with technical support for additional analysis For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221965-troubleshoot-wireless-lan-controller-cpu.html
230149 CPU High Data plane utilization (5 min higher than 80%) Warning Best Practices Controller data plane reports high utilization. Check DP specific features, like Netflow/AVC, ACL, DTLS encryption, etc, and the load design For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-cl-wireless-controller-cloud/221058-understand-high-cpu-usage-reported-for-t.html
240001 WLAN Disabled WLAN, no configuration checks run. WLAN(s): {0} Info Information Just message to inform that WLAN is not in use, so no detailed checks will be applied. Confirm if the wlan disabled status is intentional
240002 AAA WLAN profile(s) with AAA method list name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
240003 Webauth WLAN profile(s) with webauth parameter map pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
240004 Authentication WLAN profile(s) with local EAP name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
240005 WPA Security set with both WPA and WPA2 enabled, this may cause problems with old client drivers and some PDAs. WLAN(s):{0} Info Best Practices WPA in general is not recommended, it should only be used for legacy client support. Some older clients may have problems if WPA and WPA2 are enabled on same WLAN. This is not an issue if all clients are relatively recent
240006 WPA WPA with AES encryption is enabled. This may be deprecated in the future due to certification requirements, and not supported on some AP models. It is advisable to modify the configuration. WLAN(s):{0} Warning Best Practices Disable WPA if not needing it for legacy clients, and use WPA2-AES encryption or higher. If WPA is needed for backwards compatibility, use with TKIP, but this is a security risk
240007 WPA Standalone TKIP policy enabled. This may be deprecated in the future due to certification requirements, or migrated to WPA2 AES+TKIP. It is advisable to modify the configuration. WLAN(s): {0} Warning Best Practices For security reasons, and certification requirements, TKIP as standalone policy is not recommended, and should only be used for strict legacy support
240008 CCX Aironet IE enabled. If not using Cisco WGB or Voice devices, it is recommended to disable Aironet Extensions for simplicity on the beacon set. WLAN(s): {0} Info Best Practices This is general recommendation to improve client interoperability, and simplify information elements included in beacons. Must not be disabled if using Cisco Voice or WGB
240009 11n/11ac/11ax 802.11n/11ac/11ax/11be radios are present, but WMM is disabled on the WLAN(s): {0} Error Config Error This is configuration error that will prevent usage of high speed rates on the WLAN, and may prevent client association. If this is not intentional, it should be corrected.
240010 Webauth Webauth is in use, but no pre-auth ACL is set, this is required for external webauth, it may not apply depending on your configuration WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
240011 Webauth Webauth is in use, but no pre-auth ACL IPv6 is set, this is required for external webauth, and IPv6 fw is enabled. WLAN(s): {0} Warning Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
240012 Webauth Webauth is in use, but no pre-auth ACL for flexconnect is set, this is required for external webauth,wlan is set for local switching and there are Flex APs detected. WLAN(s): {0} Deprecated Config Error This is configuration error that will potentially lead to feature not working. Command: config wlan security web-auth acl
240013 Fast Transition FT in use, with no L2 security policy (Open) This can cause problems on upgrade or for some AP models on Flex mode. Change FT to disabled. WLAN(s): {0} Error Config Error Go to the WLAN profile and disable the option 'Fast Transition'
240014 Voice CCKM is in use, but Aironet Extensions are disabled, both must be set to enabled, for WGB or 882x phones to work properly. WLAN(s): {0} Error Config Error Go to the WLAN profile and enable the option 'Aironext Extensions'
240015 WPA2 CCKM is enabled together with PSK, this is invalid combination. WLAN(s): {0} Error Config Error Go to the WLAN profile and disable the option 'CCKM'
240016 Fast Transition FT is enabled without WPA2/WPA3, this may lead to it being disabled on some upgrade scenarios. WLAN(s): {0} Error Config Error Go to the WLAN profile and disable the option 'FT'
240017 WPA3 WPA3 enabled WLAN and IOS APs are present. Those APs do not support it, ensure they are on AP tag not including WPA3. WLAN(s): {0} Warning Config Error Configure AP tag to exclude any WPA3 profile from IOS APs
240018 WLAN Broadcast SSID is not enabled. Change it for best client compatibility. WLAN(s): {0} Warning Best Practices Disabling Broadcast SSID does not help with security, and it may impact roaming on some device types. It is best to enable it on the WLAN profile
240019 Voice CCKM is in use with a low tolerance timer. Recommended value is 5000. WLAN(s): {0} Warning Best Practices To minimize CCKM roaming failures, it is advisable to use a 5000 mSec TSL tolerance timer. This can be modified with command: security wpa akm cckm timestamp-tolerance 5000
240020 11k 11k Neighbor List is in use, but dual band is disabled. If not using single-band devices, enable both for best results. WLAN(s): {0} Warning Best Practices For best results, it is better to enable dual band support for 11k. This should only be avoided if single band devices are present on the network. This is part of the WLAN profile
240021 Webauth WLAN with Webauth policy, without sleeping client feature. For the best client experience, it is recommended to enable it. WLAN(s): {0} Warning Best Practices The sleeping client feature can significantly enhance the end-client experience of a webauth WLAN. For best practices, enable it on the webauth policy map
240022 WPA3 WLAN with WPA3 and Adaptive FT roaming enabled. This is not recommended. WLAN(s): {0} Warning Best Practices Adaptive FT has not been tested for WPA3 scenarios. Either change to FT enabled, or disable it
240023 FT WLAN with CCKM and FT roaming enabled. This is not supported, and may cause some client types to fail. WLAN(s): {0} Error Config Error FT has not been tested for CCKM scenarios, and configuring both will cause client connection issues. You should disable CCKM
240024 802.1X WLAN has 802.1X auth, but no valid authentication list has been set, nor is there a default AAA method. WLAN(s): {0} Error Config Error Each WLAN must have a valid 802.1X authentication method, either from the default list, or explicitly created. You must create one with command aaa authentication dot1x. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.pdf
240025 Webauth For Guest/webauth WLANs, it is advisable to enable Peer to Peer blocking. WLAN(s): {0} Info Best Practices Guest access can benefit from added security when Peer to Peer blocking is enabled. This must not be used if Voice or other interactive traffic between stations is needed
240026 Webauth For Guest/webauth WLANs, it is advisable to set the Policy Profile QoS to Bronze. WLAN(s)/Policy: {0} Info Best Practices To ensure corporate traffic always gets better priority, guest networks should be set to Bronze and Enterprise WLAN/Policies to Silver and Platinum
240027 CCKM CCKM will be deprecated in future releases (after 17.12). It is recommended to migrate to FT (802.11r). WLAN(s)/Policy: {0} Warning Best Practices If the client types allow it, you should migrate CCKM WLANs to FT (802.11r) whenever possible. CCKM will remain supported for the time being, so this is just an early notification
240028 WPA2 WLAN with WPA2, configured without any Authentication Key Management. This may lead to security issues. WLAN(s)/Policy: {0} Error Config Error This is an invalid configuration scenario, caused by incomplete WPA2 config. You should edit the WLAN profile, and add a valid AKM (dot1x, PSK, etc)
240029 Webauth WLAN with Webauth, but HTTP server is disabled and no HTTP redirections set in the parameter map. This will prevent web redirections. WLAN/Policy: {0} Error Config Error HTTP Webauth needs controller with HTTP Server, or HTTP to be enabled in the global parameter map. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_sec_webauth_cg.html
240030 mDNS WLAN with default mDNS profile, and more than 120 services, this may have scalability issues. WLAN(s): {0} Warning Best Practices Except on small scale scenarios (less than 120 services), it is advisable to create custom mDNS profile, enable location filtering, and include list of specific services to share
240031 WLAN WLAN profile name with 32 characters. This may cause problems on some scenarios. Reduce to 31. WLAN(s): {0} Warning Config Error Due to a defect, the controller may not push the WLAN to APs when the profile name is 32 characters. This will cause the SSID not to be broadcast. To correct, delete the profile and create it again with 31 or fewer characters
240032 WLAN WLAN with WPA3 in use with IOS APs. Not supported scenario. WLAN(s): {0} Error Config Error IOS APs do not support WPA3 related features, this may cause coverage issues, as profile may not be broadcasted
240033 WLAN WLAN is using deprecated radio dot11a/b/g commands. This should be migrated to radio policy command. WLAN(s): {0} Error Config Error radio dot11 commands under WLAN profile are deprecated, and will be removed in future releases. Additionally, they may cause issues with ISSU on some scenarios. It is strongly suggested to migrate them. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_wlan_9800.html#task_25A46C5B2198499C95BA29F0C0FC32E7
240034 Fast Roaming WLAN supports fast roaming (either OKC or FT), and it has AKM with 802.1X-256, with Flex local switching mode. This may lead to PMKID roaming errors on some client types. WLAN(s): {0} Warning Config Error Currently, APs in flex LS mode do not support fast roaming scenarios with 802.1X-256 AKM (CSCwf79175). This is only supported in local mode APs. You should either move to dot1x only, or if possible, disable OKC and FT roaming support
240035 WLAN WLAN has GCMP-256 enabled, and 9105/9120/9115 are in use. WLAN(s): {0} Warning Config Error The encryption type GCMP-256 is not supported by AP models 9105/9120/9115. Ensure the WLAN is not enabled on them, or disable GCMP-256
240036 WLAN WLAN has 6GHz support, and Hunting and Pecking hash is enabled, this is not a valid combination. WLAN(s): {0} Warning Config Error For 6GHz, the SAE password element must be H2E, and HNP can't be used. This may lead to ISSU problems. (CSCwh36951)
240037 WLAN WLAN has SAE support, and 18xx APs were detected. Ensure this is not enabled for those AP models. WLAN(s): {0} Warning Config Error Policy profiles must be set so WLAN is not enabled for those APs
240038 WLAN WLAN using 802.1x has FT Adaptive or FT disabled. To improve roaming performance and reduce AAA load, evaluate use of FT. WLAN(s): {0} Info Config Error Fast Transition (802.11r) provides faster roaming, and can significantly reduce AAA load if clients support it. Check if your clients are compatible, and enable when possible. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Enable80211rFastTransition
250001 Policy Profile Disabled profile, no configuration checks run. Policy Profile(s): {0} Info Information Just a message to inform that the Policy Profile is disabled, so no detailed checks will be applied. Confirm if the status is intentional
250002 URL Filter Profile(s) with URL Filter name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
250003 Authentication Profile(s) with AAA Policy pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
250004 Accounting Profile(s) with Accounting List pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
250005 QoS Policy Profile(s) with Subscriber Policy pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
250006 SDA Profile(s) with Fabric Profile pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
250007 Flow Profile(s) with Flow Monitor name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
250008 QoS Profile(s) with QoS SSID service name pointing to non-existing value. {0} Info Config Error Check the configuration item, and change/replace it with an existing value
250009 QoS Profile(s) with QoS Client service name pointing to non-existing value. {0} Warning Config Error Check the configuration item, and change/replace it with an existing value
250010 mDNS Profile(s) with mDNS gateway name pointing to non-existing value. {0} Error Config Error Check the configuration item, and change/replace it with an existing value
250011 Multicast If using AAA override or Interface Groups, enable the Multicast Vlan if using any multicast applications. Profile(s): {0} Info Best Practices Multicast forwarding is enabled, and the policy profile has features in use that should use multicast vlan to allow proper inter-client multicast traffic. Add a vlan in the Multicast Vlan setting
250012 Flex Profile with Central association enabled, and access points with flex mode detected in controller. This may cause problems with some clients. Disable central association, or upgrade to fixed version (17.x). Profiles: {0} Error Config Error Go to the policy profile and disable the option 'Central Association'. This would not be required on later versions 17.2 or higher
250013 Roaming Profile has session timeout either disabled or set to zero. This will prevent PMK cache entries from being created, triggering a new auth on every roam. Set a timeout. Profiles: {0} Error Config Error Go to the policy profile and set a session timeout. If a long time is needed, set it for a day (session-timeout 86400)
250014 ARP ARP proxy is disabled. To save client battery and other performance improvements, it is recommended to enable. Profiles: {0} Warning Best Practices Go to the policy profile and enable ARP proxy setting. This is available from 17.3
250015 Security Profile with vlan set to default or 1. This is not recommended, even for AAA override scenarios. Profiles: {0} Warning Best Practices Go to the policy profile and configure a VLAN. Default should only be used on small networks with low security requirements
250016 Device Classification When using device classification, it is recommended to enable both HTTP and DHCP TLV caching. Profiles: {0} Warning Best Practices Go to the policy profile and enable DHCP and TLV caching. This will improve Device Profiling
250017 Security Exclusion list is not enabled. For best practices, it is advisable to have client exclusion active. Profiles: {0} Warning Best Practices Go to the policy profile and enable Exclusion list. This would prevent AAA subsystem attacks, and improve security
250018 DHCP Policy profile is using DHCP relay functionality, but no corresponding SVI interface was detected. Policies: {0} Error Config Error Add: Define an interface vlan (SVI) for all vlans where the DHCP relay feature is set on the policy profile. This check may not apply on AAA override scenarios
250019 Policy Profile VLAN name referenced by policy profile was not found. This can lead to traffic drop issues. Policies: {0} Error Config Error Add: Confirm that the vlan name or ID is a valid entry in the VLAN list.
250020 Call Snooping SIP Call Snooping is not supported on Flex Local switching. Policies: {0} Warning Config Error SIP Call snooping requires central switching mode. Change setting at the policy profile
250021 HS20 HS2 server name entry points to non existing value, possible incorrect name. Policies: {0} Error Config Error The Hotspot server name entry is incorrectly configured, please make sure it matches one of the anqp-server entries
250022 Flex Policy profile with local switching, but central association is enabled. This is a non-supported combination. Policies: {0} Error Config Error The controller has APs in flex mode, and there is at least one policy profile with flex local switching, and central association. This is a combination that may lead to client state issues. Please correct
250023 Mobility Policy profile has Export anchor enabled, and it is assigned to APs. All WLAN SSIDs will not be broadcasted. Policies: {0} Error Config Error Export anchor setting can't be used in combination with WLANs enabled at APs. This will prevent any client from joining this WLAN/Policy combination at this controller. Either disable it, or use a different policy for the Guest/Mobility anchor feature. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html
250024 Mobility Policy profile has Export anchor set and has remote anchor IPs configured. This is not supported. Policies: {0} Error Config Error Export anchor indicates the traffic terminates locally, you can't use it in combination with remote anchor controllers in same profile. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html
250025 mDNS mDNS service policy in use, without location filtering. Policy Profile/mDNS Policy: {} Warning Best Practices To avoid high CPU load scenarios, it is advisable to always set a location filter on all mDNS policies, to restrict the total number of services replied to clients. This is very important if using latest Mac OS versions.
250026 Fabric Fabric seems to be set, and the Policy Profile is mapped to IOS AP, this is not supported. Policy Profile: {} Error Config Error IOS APs do not support Fabric feature. The APs should be mapped to a different Policy profile
250027 Management Policy name has special characters. This may cause GUI issues, on some versions. Policy Profile: {} Error Config Error Before 17.12, policy profile names with some specific characters (ampersand, quotes, less/more than) may lead to GUI Hang scenarios (CSCwf57471). Either use fixed version, or correct policy profile name
250028 L3 Features IP Mac Binding feature is disabled, and at least one L3 feature is enabled (DHCP Required, ARP proxy, etc), which will not work. Policy Profile: {} Error Config Error IP Mac Binding is needed to track client IP addresses. On some scenarios it may be disabled, for example when address overlapping is used across sites. When disabled, L3 features, like DHCP Required, ARP proxy, Webauth, NAC, DHCP profiling are not supported. Either enable IP Mac Binding, if not having address duplication, or disable the L3 features
250029 Clients Idle timeout is set to be longer than the Broadcast Key Rotation time, this may cause peaks of accounting traffic and impact AAA server. Profile(s): {0} Warning Config Error Idle timeout should be around 5 minutes for most scenarios, and if it is longer than broadcast rotation time, it may cause sleeping clients, or clients no longer present, to be deleted at the same time, causing large accounting activity peaks. This is a policy profile configuration. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#ClientTimers
250030 NBAR When using NBAR on Flex Local switching, it is only possible to have one flow monitor profile per direction and IPv4/IPv6. Profile(s): {0} Warning Config Error For Local switching, only one flow monitor profile is allowed per direction. You can have 2 in Central switching/Local mode. You have to remove one of the netflow monitor profiles. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_avc_ewlc.html
250031 Radius Radius Interim accounting is enabled. This should be avoided on large scale scenarios, to reduce utilization at radius server side. Profile(s): {0} Warning Config Error For most scenarios, accounting interim can be disabled, except when tracking of usage data during the session is needed. Otherwise, this can be disabled for performance reasons. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_interim-accounting.html#info-abt-interim-accounting
250032 mDNS For mDNS services, Apple Continuity is enabled. This may have performance impact on very large networks. Profile(s): {0} Warning Config Error In scenarios of large client counts with mDNS support, Apple continuity service may generate significant load. Evaluate if it is necessary to support it; if not, disable it as possible performance fine tuning. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#MulticastDNSmDNS
260001 RF Profile Disabled RF Profile, no configuration checks run. Profile(s): {0} Info Information Just a message to inform that the RF Profile is disabled, so no detailed checks will be applied. Confirm if the status is intentional
260002 RRM For enterprise environments, it is recommended to use DCA with 40 MHz channel width or Best setting, except for High Density deployment scenarios. RF Profiles: {0} Info Best Practices Set the RF Policy profile to either 40 MHz or Best. Ensure that Best max width is restricted to 40. 80 or 160 should only be used in deployments with a single tenant building scenario (no rogues), or low AP density. 20 should be used for very high AP density
270001 DCA Channels 100-140 detected as not in use. Use of this channel range is necessary for some outdoor domains (e.g. ETSI) Error Best Practices For ETSI AP, you must configure at minimum one valid outdoor channel (100-140) in the DCA list
270002 Mesh Mesh full sector DFS should be enabled. Mesh profiles: {0} Info Best Practices Full DFS sector change will improve Mesh topology stability in case of DFS (radar) events.
270003 Mesh Mesh IDS should be disabled. Mesh profiles: {0} Info Best Practices This is just a general recommendation, to reduce a possible high number of alerts coming from outdoor deployment types
270004 Mesh Link SNR is lower than 12, this may cause significant performance degradation or mesh tree stability issues. APs:{0} Warning Operational Link SNR is recommended to be higher than 12, RF design should be checked
270005 Mesh AP configured as RAP was detected with a wireless backhaul. This may point to Ethernet network problem. APs:{0} Error Operational Check cable and wired network connectivity to the RAPs reported
270006 Mesh APs with different regulatory domains are in the same sector. Ensure channel lists are set properly. Sector Numbers:{0} Warning Operational When different regulatory domains are used (for example -A and -B), channels allowed in DCA list must be for the most restrictive common channels, to avoid MAPs stranding. Check on show wireless mesh tree to get the sector number
270007 Mesh Mesh AP with more than 4 hops. This can degrade performance:{0} Warning Operational Unless absolutely needed due to physical requirements, Mesh networks should not have more than the recommended 4 hops
280001 Voice Voice: Platinum/Voice WLAN detected, and local EAP is active. This may not be compatible with older devices like 792x that need deprecated crypto options (RC4) Warning Config Error If support for legacy devices is needed, use external radius server
290001 Security Management user has not been set. For security reasons, it is best practice to configure username/password for AP access on the join profile. AP Profiles: {0} Warning Best Practices Go to AP Join Profile/Management/User tab, and configure access credentials for AP CLI access
290002 Security Telnet access is enabled. It is advisable to only allow SSH. Has effect only on IOS APs. AP Profiles: {0} Warning Best Practices For security best practices, it is advisable to only allow SSH access to AP
290003 Syslog AP join profile with Syslog facility not set to FACILITY_KERN. This may cause syslog messages to be dropped at AP. AP Profiles: {0} Error Config Error For APs 91xx and Wave2 (AP-COS), Syslog facility has to be set to Kernel, it is not supported to change this value. This is tracked through enhancement request CSCvu75017
290004 Syslog Syslog host is not set (using default broadcast value). For best practices, it is recommended to use a syslog server. AP Profiles: {0} Warning Best Practices To ensure data is available for future troubleshooting in case of problems, it is best practice to define a syslog server for all APs on the Join profile
290005 Monitoring AP system monitoring statistics are not enabled. To improve AP status visibility it would be recommended to use it. AP Profiles: {0} Info Best Practices Monitor System Statistics is a feature in 17.5 and higher. To enable AP CPU and memory monitoring, you can enable it on AP profile, AP tab, AP statistics section
290006 BSSID Stats BSSID neighbor stats are enabled, with a frequency lower than 180 seconds. This may lead to scalability issues. AP Profiles: {0} Warning Config Error Depending on AP density, and RF deployment scenarios, the BSSID neighbor stats may lead to high CPU scenarios, it is recommended to set the interval to a minimum of 180 seconds. Use AP profile command: bssid-neighbor-stats interval 180
290007 CAPWAP Join profile with both public and private CAPWAP discovery, and controller has public IP. This is not recommended. AP Profiles: {0} Error Config Error After 17.9.5 and 17.12.1, APs connecting through NAT may fail to join if the AP join profile has both Public and Private CAPWAP discovery enabled. It is recommended that the Join profile is specifically configured to only offer either private or public discovery responses. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-13/config-guide/b_wl_17_13_cg/m_config-wmi.html#info-abt-capwap-discovery
290008 CAPWAP Join profile is missing country setting. AP Profiles: {0} Warning Config Error It is advisable to configure country setting in the AP join profile, especially if more than one country is serviced from the controller. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217734-connect-and-join-a-row-domain-access-po.html
290009 CAPWAP Join profile is missing country setting and ROW APs are in use. This may cause regulatory issues with radios down. AP Profiles: {0} Error Config Error When ROW AP types are in use, it is necessary to configure country setting in the AP join profile, to avoid radio down issue due to regulatory violations. For more information: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217734-connect-and-join-a-row-domain-access-po.html
300001 Flex The vlan name defined at the Flex profile, does not match name defined at controller for the same ID. This will fully break traffic forwarding. Flex Profiles: {0} Error Config Error When using local switching policy profiles, the name set on the policy profile, must match both the name at controller global list, and the one set at the flex profile.
300002 Flex Profile is using vlan name matching a defined vlan group at controller level, this is not supported. Flex Profiles: {0} Error Config Error Vlan groups are not supported in flex local switching mode, please map the local vlan name in the flex profile to something that is different from the existing vlan group at controller level
300003 OEAP Join Profile has OEAP SSID provisioning enabled, and Flex is set to OEAP mode. This should only be used during initial deployment. Validate if this is intended scenario. Flex/AP Join Profiles: {0} Warning Config Error OEAP provisioning will broadcast extra SSID for initial AP setup, this may not be desirable during normal operation. You can disable it on the join profile
300004 Flex VLAN in policy profile is missing on the Flex profile vlan mappings: {0} Error Config Error Missing VLAN mappings will cause WLANs not to be pushed to AP configuration. Add the vlan mapping under the Flex profile
300005 Flex DHCP required is configured for Default Flex Profile, policy: {0} Error Config Error DHCP required for Flex is only supported on custom flex profiles, and not on the default, as it needs IP mac binding to be enabled, which is not possible on default flex profile. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-14/config-guide/b_wl_17_14_cg/m_dhcp_wlan_9800.html#d121827e3988a1635