Caveats
•CSCsc41313—The Cisco Aironet 1500 Series Lightweight Outdoor Access Points are configured by default to allow old bridges. When this configuration is enabled, the shared secret key set on the controller is not passed to the access points, so a few access points might be running on the old key. If these access points reset or new access points are waiting to join the running network, they may take a very long time to connect to the network or might not join at all. The default value has been changed to not allow old bridges to authenticate.
Workaround: Configure the controller using this command: config network allow-old-bridge-aps disable.
•CSCsc68154—The controller’s error log repeatedly displays the “Got an idle-timeout message from an unknown client” error message for some unknown reason.
Workaround: None at this time.
•CSCsc70484—Most IPSec VPN clients start using the new security association (SA) immediately upon rekeying. However, the Cisco VPN Client continues to use the old SA for some time before switching to the new one, which results in packet loss until the client switches over.
Workaround: Use these WLAN settings on the controller to ensure that the client controls when the rekey process takes effect and the controller responds to the client for the phase 1 SA rekey:
–Session Timeout: 0 seconds
–Layer 3 Security: IPsec
–IPsec Authentication: HMAC SHA1
–IPsec Encryption: AES (If you choose 3DES, configure the IPsec lifetime to a value greater than the expected duration of the client session.)
–IKE Phase 1: Aggressive
–Lifetime: 43200 to 57600 seconds (12 to 16 hours)
–IKE Diffie Hellman Group: Group 2 (1024 bits)
•CSCsc75351—The controller CLI command debug mac addr client_mac_address, which is designed to limit debug output to the specified client, is not filtering client traffic.
Workaround: None at this time.
•CSCsc77157—Multiple 4100 series controllers may simultaneously reset without crash files or message log entries being generated.
Workaround: None at this time.
•CSCsc92354—The Security > MAC Filtering page on the controller GUI shows MAC address filters in this format: XX:XX:XX:XX:XX:XX, which differs from the Cisco standard format of XXXX:XXXX:XXXX.
Workaround: None at this time.
•CSCsc98897—The SecureCRT application cannot open an SSH session on the controller. Workaround: Use PuTTy, the SSH client on Windows, or SSH in Linux.
•CSCsd04684—The 4100 series controller ports do not work when the Gateway Load Balancing Protocol (GLBP) is configured on the management interface VLAN.
Workaround: Do not configure GLBP on the management interface VLAN. For redundancy, Hot Standby Router Protocol (HSRP) can be used on the management interface VLAN.
Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 3.2.171.6