What is new!
Release 0.42
Fixes:
- Logic error on 240039, SAE-EXT detection
- Updated message 20029 text (TCP MSS)
- 20049, AP interface on half-duplex is not reported for RLAN ports
- CTS command on interface causing parsing error
- Error during wifi7 validation, if SAE-EXT was not present (old versions)
- 230050: modified to only be reported if there are IOS APs present
- 240036: H2E check in 6GHz, added 17.9.6/17.12.4 as fixed versions, bypassing check
- Fix AP CDP parsing for multiple IP addresses on entry
Features:
- parsing 17.18/17.15 new AP config details
- 230153, warns if NDP protected is in use, and CW916X/CW917X are present.
- 230154, check when OSPF is configured, to ensure wireless multicast is enabled
- parsing install summary
- 230155, minor warning if more than 100 Policy tags are defined (possible config optimization)
Release 0.40
Fixes:
- Corrected rommon for 9800-40
- Adjusted 230066 (HTTPS redirection) severity and test message
- Mesh mode radios were not tracked as client serving
- Corrected SFP-H10GB-CU1.5M entry in supported 9800-40 SFP list
- Increased severity of 240027, CCKM in use warning
Features/New Checks:
- 250031, recommends to disable radius interim accounting, for performance reasons
- 250032, warns if mDNS Apple continuity is enabled and in use in an active Policy profile, possible performance impact
- 230147, minor warning if more than 100 Site tags are defined (possible config optimization)
- 230148, warning if a process has high CPU (>90, 5 min)
- 230149, reports if dataplane has high CPU (>80, 5 min)
- 230150, warns if only one physical interface is operational up (no redundancy). Check is skipped for 9800-CL
- 230151, warning if two up interfaces are using same IP address
- 230152, if WiFi-7 APs are present, warns if 802.11be is disabled across all bands
- Added full AKM support on WLAN table
Release 0.39
Features
- Changes in 240009 (WMM per WLAN check), now it is error level, as disabling WMM on current APs may lead to association errors
- Changes in 250028 (IP mac binding), Added Option 82 as one of the impacted features, if it is disabled
- New Check 300005, warns if DHCP required has been set on a policy with AP using Default Flex profile
- New Check 230146, warns if HTTP Max connection command is set to non-default low value. This may cause issues on UI/Guest access
Fixes:
- exception handling if IP address has invalid format
- count of 11be/11ax radios per summarization level
Release 0.38
Fixes:
- Exception on AP interface speed check, if AP did not have any statistics collected
Features:
- Added check 290007, warns if AP profile has both private/public discovery, and NAT is in use for WLC
- Check 290008/290009, validate if country is set for AP profiles, high severity if not set and AP ROW types are in use
- Check 250029, warns if policy profile has idle timeout larger than broadcast key timeout
- Check 230145, warns if custom mDNS service policy has not been configured in both directions
Release 0.37
Fixes:
- Exception on XLS report, if file did not have band network configuration (incomplete file)
- Updated recommended IOS-XE versions
- Parsing hang on file with timestamps on the beginning of file. The file now finishes with error "invalid file"
- AireOS JSON time export
Release 0.36
Fixes:
- 230059 is ignored, if release is 17.9.1 or higher
- 230049 generated exception if WLAN name referenced in tag was not present, preventing execution of other checks
- AVC service profile caused incorrect file parsing (hostname overwrite)
- 3 9800 AP checks were applied to AireOS, triggering errors
- Reduced AP certification lifetime warning to 90 remaining days
Release 0.35
Fixes
- Check 230112 was run only against WLANs currently in use with APs associated. Changed to run across wlan/profile combinations, regardless of APs
- Fixed error with :Interface name mapped failed: Tw0/0/x
- AP CDP neighbor interface type
Features
- Warn if AP radio slot has more than 2 failures per day
- New checks for AP primary/backup disk images state, warn if any component is corrupted
- New check if AP has more than 2 CDP neighbors, which may indicate CDP flooding at directly connected switch
- Warns if AP slot has failed regulatory domain checks (country config)
- Checks if Media Stream is enabled, and video bandwidth is set to 5%
- Updated SFP support, including CW9800 controller types
- Warns if IGMP querier is enabled
Release 0.34
Feature
- Adoption of multiprocessing parsing as default + termination fixes
Release 0.33
Fixes
- Correction for rogue rule parsing with long names, impacting 230099
- Formatting of messages with large list of object names (added space after comma)
- Fixing errors when tag name contains commas
- Fixing parsing errors while parsing IPv6 in AP configuration
- Exception on null AP group data during XLS export
Release 0.32, July 2024
Features
- Fixed Client delete reasons
- 230135: Usage of specific SUDI trust point in webauth may cause performance issues
- Updated recommended ROMMON and code versions
- Per user feedback, now AP profile checks are applied, even if the profile has no APs joined
- 230136: Warning if FT or OKC are in use, and Default site tag is on flex mode with more than 2 APs joined
- 230137: Warning if this is a medium/large deployment and AP load balancing method is not in use
- 230138: Warning when more than 3000 clients are present, and half of them are on same WNCD
- Improved check 20053, and converted into 20053 to 20055 to have one warning per slot ID (original check did not include slot number)
- New checks 20057, 20058, to warn if AP is using medium or low power
- New multiprocessing parsing engine. Speed gains up to 80% in large files, especially in AireOS
- 230131, warns if 802.11h CSA is disabled
- 230132, warns if http max-connect is set on webauth map
- 230133, Usage of specific SUDI trust point in Local EAP may cause performance issues
- 300004, error if VLAN name mapping from policy profile, is missing in Flex profile. This would cause WLAN not to be pushed to AP
- Added WLC SN to summary data
Fixes
- 240034: skip check if version has the fix
- 230070: improved error reporting, to indicate which policy profile is missing
- Different typos across messages
- 230072: Fixed false positive, if WLAN is using FT_802.1X or DOT1X_SHA256 instead of legacy 802.1X
- 240036: Fixed false positive if SAE is not in use
- 290001: False positive caused by overlap of new AP Proxy support feature
- AP Profile prim/sec controller address support IPv6 or v4 addresses
- 230051: adjusted warning for use of default site tags with large AP counts (>200)
- 230049: more than 4 WLANs per radio, fixed count of WLAN to be done per frequency band, not in total per policy tag
- Prevents Excel format errors when debug data is exported for AireOS
- Handles error in Allowed channel list exception
- Adjusted message text for 230130 about IOS AP support changes
- Updated text on 20025 for AP expired certs
- Exception during corrupted Flex profile parsing
- Modified certificate expiration, to differentiate from "expiring in 60 days" vs already expired certs
Release 0.18, December 2023. 5 new checks, several fixes
Features:
- Speed gain for IOS-XE file parsing (up to 90% faster). No changes in processing/report generation
- Support for IOS-XE 17.13
- Support for Mac OS 14.x
- New checks: 230124, 230125 for HTTP access class as best practices (IPv6/ipv4)
- New Mesh check: 270004, warns if link SNR is lower than 12
- New Mesh check: 270005, warns if RAP is connected over wireless backhaul and not ethernet
- New Mesh check: 270006, validates if all APs in a sector have same regulatory domain
- New Mesh check: 270007, informs if there are more than 4 hops for a given MAP
Fixes:
- Exception on IOS-XE check if multicast address parsing failed (invalid file)
- Removed unnecessary processing error for 240035, when WLAN has no WPA2 policy defined
- Fixed 230098 detection (SNMPv1 trap destination)
- Debug bundle failed to find file properly, if command separator was a lower slash
- Exception while doing RF health calculation, if radio did not have mac address (corrupted source file)
- Exception when version line is split, leading to incorrect parsing
- Exception if FRA interval is null
- XLS generation error during 6GHz radio reporting
- Fix on nearby exception handling
- Fix on AireOS reporting missing radio due to 2800 showing 3 radios slots, when it only has 2 (third is monitoring, not in file)
- Missing radio types in AireOS definitions (this was marking valid radios incorrectly)
- Client state parsing was including client summary data incorrectly
- Missing 6GHz RFstats export in JSON
- Corrections on IOS-XE recommended and deferred code listing
v0.17
Features - 9800:
- New Check 230118, warns if pubkey has less than 2048 bits (needs 17.12)
- New Check 230119, warns if a large number of pubkeys have been created (provisioning problem)
- New Check 250028, checks if IP mac binding is disabled, and policy profile is using L3 features that require it
- New Check 230120, warns if DTLS 1.0 is disabled, which could prevent IOS and some older APs from joining
- New Check 230121, informational message if cipher ECDHE-RSA-AES128-GCM-SHA256 is not enabled, and version is 17.12 or higher, as it could prevent AP downgrade scenarios
- New Check 240034, in Flex local switching, AKM 802.1x-256 does not support fast roaming or OKC on some client types
- Added new option, to override automatic file type detection. Useful when file has long text at the beginning (banner, or other not-relevant data)
- New Check 290006, BSSID Neighbor stats warning, if the feature is enabled with less than 180 seconds interval
- Changes to AP RF Summary page, it now includes Channel width, and neighbor overlapping on secondary channel count
- New Check 230122, validates ending character in hostname for DNAC interoperability
- Updated ROMMON version recommendations
- New Check 230123, warning if certificate has less than 60 days of lifetime remaining
- New report tab for 9800: all controller certificates
Fixes:
- Parsing error on policy profile for corrupted config files
- NDP report not getting generated
- Exception in client audit, if DCA interval is None
- Exception on XLS export if there are no client delete reason entries
- Exception if version number is None
- False positive on 230033 in some default scenarios (VRF count)
v0.16
Fixes issue on check 20021, AP default gw check, intf check
Fixed file reference breaking some of the packaging options when installing as library
Features:
- Added tracking of AP models, per tag combination, included in Policy Usage report tab
- New check 250026: Warns if IOS AP is mapped to a policy profile with Fabric
- New check 240032: Warns if IOS AP is mapped to a WLAN profile with WPA3
- New check 250027: Error reported if policy profile name has special characters, and version is lower than 17.12
- Added hypervisor info in controller data summary tab, if available (9800-CL/17.9+)
- New check 230116: Warns if WMI is using DHCP addressing
- New check 240033: Warns if WLAN has radio dot11 commands, to ensure migration to dot11 policy CLI before deprecation
- Added handling when AP radio has failed regulatory domain check (Join profile config setting)
- New check 230117: Error reported if a RW file system has less than 10% of free disk space
Fixes:
- Incorrect grouping of AP tag names, in the RF Neigh. report
- Exception on band name in Vocera audit
- Exception when handling 16.10 incomplete files
- Exception on uptime processing in case of invalid date present
- Error on client audit, when 5.5 rate was enabled
- RF summary report had tool tips off by 1 column
- Exception if Client delete reasons section had no data
- Cochannel statistic was not filtering for only neighbors in channel, leading to incorrect high counts
- Important fix on 17.9.2+ AP summary list. New IOS-XE
- Radio with 5/6 GHz support was being marked as invalid
- Fixed RMI command parsing if controller is using IPv6
Release 0.14, April 23. Focus on fixes
Fixes:
- Incorrect parsing of tunnel eogre parameters, leading to missing RF profile in run-config
- Incorrect parsing for 6GHz RF profiles
- Added 9136/916x for Fastlane+ support in Apple client audit
- Vocera audit errors for data rates
- Client profiling name parsing failing if it was longer than 32 characters
- Added improved 17.9 parsing
- Exception during XLS report if WLAN profile was missing in policy tag
Release 0.13, March 23. RF Health Improvements, new checks
Features:
- RF Health metric for Radio utilization has been modified: it now evaluates the AP/Client generated utilization vs what is present in the channel from other sources. This prevents false positives due to valid client activity
- New RF Health metric for Channel changes per day: it does a correlation of channel changes vs days of uptime, and flags if there are more than 4 channels a day, with 12/day as worst score
- Rework of check 230052: Flex AP count per site tag for PMK distribution. This is now correctly based on count of AP per site, and it checks if High Scale distribution feature is enabled or not
- Cosmetic changes to Table of Content on XLSX report
- Cosmetic changes to GUI button placement
- New Check 230110, warns if SSH key is less than 2048 bits
- New Check 230111, Validates that RMI and WMI are on same subnetwork
- New Check 230112, Checks if WLAN is shared across policy profiles, and all AVC profiles are same
- Updated recommended IOS-XE Versions
- New Check 230115: Warns if RF profile name is correct on each RF tag
- New checks 230113/230114: Validate Rommon version installed
- New Client Delete Reason report
Fixes:
- Corrected parsing error when "commands" entry was present in run-config
- Incorrect state for MLD snooping if command is missing
- Added support for NTP IPv6 servers, correcting false positive of lack of time sync
- Fix error if uptime is null
- RFHealth was not calculated for slot1, etc, if slot0 was on monitor mode
- Invalid Channel changes per day calculation, if uptime was just one day (was set to zero)
- Incorrect parsing of show version values (PID, Confreg, etc)
Release 0.12, December 22. Lots of new checks
Features:
- 9800: new check 240030, warns if WLAN profile name has 32 characters
- 9800: new check 230107, warns if SSC token is configured for controllers with embedded cert (non-CL)
- 9800: new check 230108, validates that Trustsec and RMI are not used together
- Added new Best Practices report: get how many BP checks are, and missing entries for your configuration. With direct link for easy navigation to the Check report page
- 9800: Shows AP count in tag view report (how many APs are using each tag/policy combination)
- 9800: Adds check for last run time in BSS Color for 6GHz
- 9800: new check 230106, if WMI is pointing to invalid interface name
- AireOS: shows password policies in controller tab
- All AP lists are now sorted alphabetically
Fixes:
- Exception handling 16.10 versions
- Minor readability changes in AP checks report
- Prevent exception if active client info is not present
- Message 20031 was reported in error for 9800, this check is now disabled, unless it is AireOS controller (new check is needed at flex profile level)
- Updated GUI library to solve the Mac OS Ventura issue
- Predicted power level in 6GHz dBm was off by one level when current power matching one entry on 6GHz table
- Improved parsing of AP CDP entries, to avoid reporting duplicate names as errors if using non-Cisco switches
- Fixed multiple typos across the checks/messages
Release 0.10, October 22. Focus in Load analysis
This release brings 7 new checks focused on 9800 Radius load and mDNS, plus several new tables to better understand 9800 load scenarios and AP group usage in AireOS, and to extract AP related configuration for analysis or lab use
New checks:
- 9800: new mDNS check, 230103, warns if mDNS GW is enabled, but not in use on any active WLAN
- 9800: new mDNS check, 230104, checks if there are more than 128 mDNS wired services, to prevent high CPU load issues
- 9800: new mDNS check, 230104, checks if there are more than 128 mDNS wired services per VLAN, to prevent high CPU load issues
- 9800: new mDNS check, 250025, validates that location filtering is enabled across all the mDNS service profiles
- 9800: new mDNS check, 240030, warns if WLAN/Policy profile are using the default mDNS service profile
- 9800: Two checks: 230101, warning if radius server is down, and 230102, generates warning if server is Up, has more than 100 requests, and there is more than 40% of timeouts
WNCD Load visualisation - 9800
Performs aggregation across tags, for every AP, adding radio client counts. Also, if using latest 17.3/17.6/17.9 versions, it can include per WNCD CPU load. This is intended as an analysis tool, to isolate where possible WNCD load may be coming from, and evaluate in detail client counts per tag. This can be leveraged to do proper static wncd-tag configuration in 17.10 or manual split via tag customisation in previous versions. Expanding the WNCD row can show the AP/Client counts per associated tag.
mDNS Browser - 9800
This new report adds a "navigation" view into mDNS services being learned by the IOS-XE controller. It can show per VLAN (wired) or per WLAN (wireless) detailed services counts. This can be used to isolate where additional filtering may be needed, or to identify potential sources of high CPU load due to misconfigured mDNS service policies. You can expand each entry to see individual services.
AAA Report - 9800
Displays stats for all radius servers, and highlights those with timeouts for more than 30% of requests. This is intended to help detect typical high load scenarios, where radius servers could not cope with accounting or profiling requests.
Improved readability for AP checks report
Instead of displaying all AP names impacted per each check, the report now shows a summary with AP counts. If needed, you can expand the row to see the individual APs impacted.
New Summary view for AireOS AP Groups
You can now visualize each AP group, APs count associated to it, and WLANs in use, RF profiles, etc, all in one page
AP config Export - 9800
When using the AP Config tab, each AP name will contain a note, with all the applicable configuration profiles for that AP. You can do "right-click" and select "Show/Hide Note" to make it permanent, and copy it to another application if needed. This can be used for lab testing, config comparison, etc.