Cisco APIC 4.2(1i) released

Release 4.2(1i) became available on Sep 8, 2019.

13 min read
By prox
Cisco APIC 4.2(1i) released

New software features

  • Ability to pin EPGs to an uplink on a VMware DVS. You can configure up to 32 uplinks for each instance of Cisco ACI Virtual Edge (in native switching mode) or VMware VDS. You also can rename the uplinks and configure failover for them within endpoint groups (EPGs) associated with the VMware VDS or Cisco ACI Virtual Edge.
  • Cisco APIC Release 4.2.(1) introduces the new avread command, which provides the same information as the acidiag avread command, but in a tabular format. For more information, see the Cisco APIC Troubleshooting Guide, Release 4.2(x).
  • BGP neighbor shutdown. The BGP neighbor shutdown feature is similar to the neighbor shutdown command in NX-OS, which shuts down the corresponding BGP neighbor. Use this policy to disable and enable the BGP neighbor's admin state. Using this feature shuts down the BGP sessions without the need to delete the BGP peer configuration. For more information, see the Cisco APIC and BGP Neighbor Shutdown and Soft Reset document.
  • BGP neighbor soft reset. The BGP neighbor soft reset feature provides automatic support for a dynamic soft reset of inbound and outbound BGP routing table updates that are not dependent upon stored routing table update information. Use this policy to enable the soft dynamic inbound reset and soft outbound reset. For more information, see the Cisco APIC and BGP Neighbor Shutdown and Soft Reset document.
  • Blocking ACI upgrades or downgrades if faults are present. Beginning with release 4.2(1), when you attempt to trigger an upgrade or downgrade operation, the operation might be blocked if any faults on the fabric are detected, depending on the severity of the fault detected. For more information, see the Cisco APIC Installation, Upgrade, and Downgrade Guide.
  • Cisco APIC Release 4.2.(1) introduces the new cluster_health command, which enables you to verify the Cisco APIC cluster status. For more information, see the Cisco APIC Troubleshooting Guide, Release 4.2(x).
  • fd_vlan mismatch enhancement. If the same VLAN pool is being used on both a vPC and an orphan port, a fd_vlan mismatch will occur and a fault will be raised.
  • Floating Layer 3 Outside network connection. You can configure a floating L3Out that allows a virtual router to move from under one leaf switch to another. The feature saves you from having to configure multiple L3Out interfaces to maintain routing when virtual machines move from one host to another. This feature is supported for VMware VDS.
  • IPv6 multicast is now enabled with PIM6 protocol settings. For more information, see the Cisco ACI Support for Layer 3 IPv6 Multicast document.
  • Policy-based redirect backup policy. This feature enables you to configure a backup node for a policy-based redirect (PBR) policy. If an active node goes down, traffic gets routed through the backup node instead of getting routed through one of the other active nodes. The backup node avoids a situation in which the connection could be reset if, for example, the data paths through another active node are traversing stateful firewalls. For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.2(x).
    • The backup policy option is supported only on new generation leaf switches, which are switch models with -EX, -FX, or -FX2 at the end of the switch name.
    • Resilient hashing must be enabled.
    • Only Layer 3 PBR destinations are supported.
    • Multiple backup PBR destinations per backup policy can be configured.
  • Redistributing static routes to BGP with prefix list. For Cisco APIC releases before release 4.2(1), you can configure a route map policy for the redistribution of static routes into BGP using the Create Route Map/Profile feature, which defines the route map for BGP dampening and route redistribution. This feature is used to set attributes, such as community, on certain static routes on one border leaf switch, and then, based on these attributes, configure these routes on other border leaf switches. Beginning with Cisco APIC Release 4.2(1), this feature is extended for static routes. This allows you to configure a route map policy that will be applied while redistributing static routes into BGP. For more information, see the Cisco APIC and Redistributing Static Routes to BGP With Prefix List document.
  • Route control on an aggregator route during import/export. When creating a subnet, the export route control subnet and import route control subnet allow Aggregate Export and Aggregate Import. For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.2(x).
  • Route control per BGP peer. Route control policies determine what routes are advertised out to the external network (export) or allowed into the fabric (import). For Cisco APIC releases before Release 4.2(1), you configure these policies at the L3Out level, under the L3Out profile (l3extInstP) or through the L3Out subnet under the L3Out (l3extSubnet), so those policies apply to protocols configured for all nodes or paths included in the L3Out. With this configuration, there could be multiple node profiles configured in the L3Out, and each could have multiple nodes or paths with the BGP neighbor specified. Because of this, there is no way to apply individual policies to each protocol entity. Beginning with Cisco APIC Release 4.2(1), the route control per BGP peer feature is introduced to begin to address this situation, where more granularity in route export and import control is needed. For more information, see the Cisco APIC and Route Control Per BGP Peer document.
    • You must configure route profiles used per BGP peer under a tenant.
    • The methods to configure route map match, set rule or route profile, and the behavior of each of those components, do not change from previous releases.
    • The route profile for this feature can only be set to Match Routing Policy Only (global policy), where the route profile is the only source of information to generate the per BGP peer route map. You cannot set the route profile for this feature to Match Prefix and Routing Policy.
    • In addition, you must explicitly specify the bridge domain subnets in the prefix list if you want them to be exported.
  • SDWAN integration enhancement. This release adds support for enabling returning traffic from a remote site that is destined for the ACI data center to receive differentiated services over the WAN. After the tenant admin registers the Cisco APIC to vManage, the Cisco APIC pulls the WAN-SLA policies and the WAN-VPN from vManage. Then, the Cisco APIC assigns a DSCP to each WAN-SLA policy and pushes a prefix list. The prefix list, which is taken from the EPG if the contract between this EPG and L3Out has WAN-SLA configured, enables quality of service on the returning traffic. The WAN-SLA policy and WAN-VPN are both available in the tenant common. Tenant admins map the WAN-VPNs to VRF instances on remote sites. For more information, see the Cisco ACI and SDWAN Integration KB article.
  • Simplified ELAM output. This release adds an option to the Embedded Logic Analyzer Module (ELAM) tool that changes the output to a human-readable format, which enables you to find key information quickly and more efficiently. In addition, hexadecimal values have been converted to decimal values in some instances for improved readability. For backward compatibility, the existing usage of ELAM is kept intact. For more information, see the Cisco APIC Troubleshooting Guide, Release 4.2(x).
    • This feature is supported only on switch models with EX, FX, or FX2 at the end of the switch name.
  • Storm control SNMP traps. This release supports triggering SNMP traps from Cisco ACI when storm control thresholds are met.
    • There are two actions associated with storm control: drop and shutdown. With the shutdown action, interface traps will be raised, but the storm control traps to indicate that the storm is active or clear is not determined by the shutdown action. Storm control traps with the shutdown action on the policy should therefore be ignored.
    • If the ports flap with the storm control policy on, clear and active traps are seen together when the stats are collected. Clear and active traps are typically not seen together, but this is expected behavior in this case.
    • This feature is not supported on Cisco Nexus C93128TX, C9396PX, C9396TX, C93120TX, C9332PQ, C9372PX, C9372TX, C9372PX-E, nor C9372TX-E switches.

Changes in behavior

  • APIC and switch upgrades are now stopped if the scheduled time and date has already passed.
  • You can now configure the Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) in the leaf and spine switch management interfaces.
  • The default behavior of the Callhome email received by a user has been modified for clarity.
  • IPv6 multicast is now enabled with PIMv6 protocol settings.
  • Multi-node policy-based redirect now supports up to 5 nodes in a single service graph.
  • When installing the Cisco ACI simulator virtual machine, you no longer need a challenge key nor an activation token. You still need the challenge key and activation token for earlier releases.
  • The tech support file size is reduced by up to 25%, depending on the switch type and the configured features.

Resolved caveats


CDP is not enabled on the management interfaces for the leaf switches and spine switches.


A service cannot be reached by using the APIC out-of-band management that exists within the subnet.


When configuring an L3Out under a user tenant that is associated with a VRF instance that is under the common tenant, a customized BGP timer policy that is attached to the VRF instance is not applied to the L3Out (BGP peer) in the user tenant.


The APIC log files are extremely large, which takes a considerable amount of time to upload, especially for users with slow internet connectivity.


This is an enhancement that allows failover ordering, categorizing uplinks as active or standby, and categorizing unused uplinks for each EPG in VMware domains from the APIC.


A single user can send queries to overload the API gateway.


The svc_ifc_policye process consumes 100% of the CPU cycles. The following messages are observed in svc_ifc_policymgr.bin.log:

8816||18-10-12 11:04:19.101||route_control||ERROR||co=doer:255:127:0xff00000000c42ad2:11||Route entry order exceeded max for st10960-2424833-any-2293761-33141-shared-svc-int Order:18846Max:17801||



An SHA2 CSR for the ACI HTTPS certificate cannot be configured in the APIC GUI.


When 3 DNS providers are added, F3546 faults are raised for:

Policy Configuration for DNS Profile: default failed due to : provider-limit-exceeded.

To debug/rectify: DNS Provider count cannot exceed 2. The first 2 DNS providers you provide will be used for name resolution. The rest of the nameservers will be not be used for name resolution.


After changing the VRF instance association of a shared-services bridge domain, a shared-services route is still present in the old VRF instance.


After upgrading APICs from a pre-4.0 version to 4.0 or newer, the leaf switches will not upgrade, or the switches will upgrade and then automatically downgrade back to the previous version.


A service graph with a Layer 1 device goes to the "failed" state when an inter-tenant contract is used. The error in the graph will be "id-allocation-failure".


When using the "Clone" option for a policy group or interface profile and an existing name is used, the cloned policy overwrites the old policy. A warning should be displayed regarding the policy name that already exists.


With the PBR feature, the svcredirDestmon object in the leaf switch is incorrectly removed. As a result, a service device cannot be tracked and the switch incorrectly reports the status to APIC that the service device is down.

When this happens, the switch attempts to take corrective action based on the user configuration (the threshold action configuration). The switch attempts to skip the service node if thresholdDownAction is set to "bypass," send the traffic directly to the destination if thresholdDownAction is set to "permit," or drop the traffic if thresholdDownAction is set to "deny".


Bridge domain stretch should not be supported in MSC configuration when cross site boundary with Remote Leaf is involved.


The CPTEP loopback IP address is not advertised to the IPN.


After a VC was disconnected and reconnected to the APIC, operational faults (for example, discovery mismatching between APIC and VC) were cleared, even the if faulty condition still existed.


The APIC process information from the APIC GUI may have the wrong values.


An APIC running the 3.0(1k) release sometimes enters the "Data Layer Partially Diverged" state. The acidiag rvread command shows the following output for the service 10 (observer):

Non optimal leader for shards :10:1,10:3,10:4,10:6,10:7,10:9,10:10,10:12,10:13,10:15,10:16,10:18,10:19,10:21, 10:22,10:24,10:25,10:27,10:28,10:30,10:31


When connecting the ExternalSwitch app to a UCSM environment, ACI VLANs are not deployed to the fabric-connected vNICS that were configured as part of a redundancy peer. The VLANs are allocated from the ACI VLAN pools, but are never added to the UCSM LAN group nor VLANs, and are not added to the vNICs when the vNICs are configured with Redundant Peer configurations in UCSM.


Inventory pull operations or VMware vCenter updates are delayed.


Syslog is not sent upon any changes in the fabric. Events are properly generated, but no Syslog is sent out of the oobmgmt ports of any of the APICs.


The ipv4RouteMo/ipv6RouteMo is not present in case of a shared service route leak. The route could have been deleted when EPG to BD association is removed and not added back when this association is created again.


If a user manually modifies an object controlled by the ACI CNI, the configuration will not be restored for up to 14 minutes.


No fault is raised when First Hop Security is enabled in a Layer 2 only Bridge Domain.


The APIC Licensemgr generates a core file while parsing an XML response.


Access-control headers are not present in invalid requests.


Tenants that start with the word "infra" are treated as the default "infra" tenant.


The troubleshooting wizard is unresponsive on the APIC.


The GUI is slow when accessing access policies. This is an enhancement request to add pagination to resolve this issue.


There are issues with out-of-band SSH connectivity to the leaf and spine switches if the out-of-band VRF instance is deleted and re-created with the same name.


When performing a clean reboot using the acidiag touch setup or the acidiag touch clean, during the boot up of the APIC, you will observe a significant delay between the enter key to continue and the interactive setup parameter menu. There is no other operational impact other than slower boot up due to the system delay.


The APIC API and CLI allow for the configuration of multiple native VLANs on the same interface. When a leaf switch port has more than one native VLAN configured (which is a misconfiguration) in place, and a user tries to configure a native VLAN encap on another port on the same leaf switch, a validation error is thrown that indicates an issue with the misconfigured port. This error will occur even if the current target port has no misconfigurations in place.


Using a PBR service graph with ASA in two-arm mode. After upgrade from release 2.3(1) > 3.1 > 3.2(6i), it is noticed that the service graph (in the common tenant) has a couple of faults. The service graph is working for old configured EPGs (verified by checking traffic redirected to FW), but new EPGs cannot be applied to the service graph. The service graph state is also "not applied".

One of the faults mentions that the service graph contract cannot be used as provider and consumer and that it is only supported in single-node PBR with 1-ARM.
The contract is not being applied in any vzAny consumer/provider.
The "Epp not found. Retry or abort task" error appears in the policymanager.

Adding an arp filter on the contract does not it triggers anything, although the modification is seen in the policy distributor.


The Hyper-V agent is in the STOPPED state. Hyper-V agent logs indicate that process is stopping at the "Set-ExecutionPolicy Unrestricted" command.


For virtual pod and physical pod wizards, when a user tries to configure TEP addresses, there is an error on a preconfigured data plane TEP IP address. This error does not let the user proceed with rest of the configuration.


aci-container-controllers will delete all the contract relationships under the default_ext_epg if it loses connectivity to the APIC during the API call to get the subtree for the contract relationships.


In the APIC, the show external-l3 static-route tenant <tenant_name> command does not output as expected.

Symptom 1: The APIC outputs static-routes for tenant A, but not B. The show external-l3 static-route tenant <tenant_name> vrf <vrf_name> node <range> command provides the missing output.

Symptom 2: For the same tenant and a different L3Out, the command does not output all static-routes.


The MTU cannot be modified on the SPAN destination after it is configured.


In a fabric with only fixed spine switches, the modular security license is still used when enabling MACsec. The fixed spine switch should share the same Add-on Security license entitlement with the leaf switch, because the features charge the same price.


show external-l3 interfaces node <id> detail will display "missing" for both "Oper Interface" and "Oper IP", even though the L3Out is functioning as expected.


An eventmgr core file gets generated when a user performs the syslog debug command logit.


A user with read-only permissions cannot collect the techsupport files using the CLI nor a policy.


Specific operating system and browser version combinations cannot be used to log in to the APIC GUI.

Some browsers that are known to have this issue include (but might not be limited to) Google Chrome version 75.0.3770.90 and Apple Safari version 12.0.3 (13606.


When opening an external subnet, a user cannot see Aggregate Export/Import check boxes set in GUI even though they were already configured.


Fault F3206 for "Configuration failed for policy uni/infra/nodeauthpol-default, due to failedEPg or failedVlan is empty" is raised in the fabric when using the default 802.1x Node Authentication policy in the Switch Policy Group. In this scenario, Fail-auth EPG and VLAN has not been configured, as the 802.1x feature is not in use.


APIC running 4.1(2g) throws fault for pingcheck failed.


ACI running 4.1.1j.


When toggling the "legacy mode" option on a bridge domain, there should be a warning message that displays.


VMM inventory-related faults are raised for VMware vCenter inventory, which is not managed by the VMM.


Configuration import fails due to a Global AES encryption key mismatch for pimIfPol.


The SNMP process repeatedly crashes on the APICs. The cluster and shards look healthy and do not have any CPU or memory utilization issues.


When using Open vSwitch, which is used as part of ACI integration with Kubernetes or Red Hat Open Shift, there are some instances when memory consumption of the Open vSwitch grows over a time.


The GUI navigates to the incorrect tree item from Virtual Networking -> domains - container domains.


When creating a subject and leaving "Wan SLA Policy" as unspecified (field not required), Fault F3330 is raised.

Fault code: F3330

Description: Failed to form relation to MO uni/tn-common/sdwanpolcont/sdwanslapol- of class extdevSDWanSlaPol

Type: Config