Cisco APIC 4.2(3j) released

By prox

Release 4.2(3j) became available on December 9, 2019.

New software features

  • Enhancements for Match Prefix - Two new fields (From Prefix and To Prefix) are now available in the Match Prefix field to specify the mask range when you create a prefix match rule and enable aggregation. Cisco APIC Layer 3 Networking Configuration Guide, Release 4.2(x)
  • Filters-from-contract option in the service graph templates - The filters-from-contract option is available in the service graph templates using the Cisco APIC GUI. This option uses the specific filter of the contract subject where the service graph is attached, instead of the default filter for zoning-rules that do not include the consumer EPG class ID as the source or destination. Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.2(x)
  • Increased range for equal-cost multi-path (ECMP) routing paths - The configurable maximum number of equal-cost paths for eBGP and iBGP load sharing is now 1 to 64, with a default of 16. Cisco APIC Layer 3 Networking Configuration Guide, Release 4.2(x)
  • Incremental enhancements to the read-only admin user capability on spine and leaf switches - Cisco APIC now supports L1 access (read-only privilege for an admin user) for the following:
    • acidiag fnvread command
    • vsh_lc with the show commands
    • Tech support collection
    • show events command
    • PCAP under the visibility and troubleshooting section
    • BGP advertised and received routes
    • CRC command to identify stomped CRC and genuine CRC
    • Read-only access to the log files, such as BGP, BFD, and IPv6
    • tcpdump command
  • Python SDK (Cobra) support for Python 3.x and Wheel - The Cisco APIC Python SDK adds support for Python 3.6 and later. A Wheel installation package is now included in addition to the egg files. (a.e. - Finally!)
  • Rogue EP Control in the First Time Setup wizard - The Rogue EP Control option is now part of the First Time Setup wizard. Cisco APIC Basic Configuration Guide, Release 4.2(x)
  • Stomped CRC errors and traditional CRC errors - CRC align errors in interface counters are now broken out into stomped CRC errors and traditional CRC errors. Stomped CRC errors refer to frames that were received and cut-through switched before the FCS trailer was received. Rather than rewriting the CRC field based on the corrupted frame, the switch inserts a special value into the CRC that indicates the frame should be dropped by the end device or by the first device in the path that does store-and-forward switching.

    "CRC error" frames refer to corrupted frames that are dropped on the ingress interface and are not forwarded.

    You can view the split in error statistics in the Cisco APIC GUI or by directly querying the eqptIngrCrcErrPkts object. Additionally, you can view the statistics directly on the switch by running the show interface command.
  • Support for custom EPG names for VMM domains - You can now give EPGs a custom name that carries over to a VMware vCenter port group or a Microsoft VM network. The feature is available for VMware vSphere Distributed Switch, Microsoft System Center Virtual Machine Manager (SCVMM), and Cisco ACI Virtual Edge. If you do not provide a custom name, the domain association assigns a name in the format tenant|app_profile|epg_name for a port group or tenant|application|epg|domain for a VM network. If you enter a custom name for the EPG, that name is applied to the port group or VM network instead. Cisco ACI Virtualization Guide, Release 4.2(x)
  • Support for QoS MIBs - Selected OIDs from CISCO-CLASS-BASED-QOS-MIB and CISCO-SWITCH-QOS-MIB are added for leaf and spine switches.
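The stomped-versus-genuine CRC split in the list above is worth seeing concretely, because it decides whether a fault is on the link into this port or somewhere upstream. The following is an added Python model, not code from this page or from Cisco: it builds a constructed Ethernet frame, corrupts it, passes it through a modelled cut-through switch and classifies it at a modelled store-and-forward hop. The stomp convention used here (transmit the bitwise inverse of the FCS computed over the forwarded bytes) is an assumption; the release note itself only says "a special value".

```python
import struct
import zlib

MASK32 = 0xFFFFFFFF


def ethernet_fcs(body: bytes) -> int:
    """IEEE 802.3 FCS is CRC-32 (reflected, init and xorout 0xFFFFFFFF),
    which is exactly the CRC that zlib.crc32 computes."""
    return zlib.crc32(body) & MASK32


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet II frame: header + payload + little-endian FCS trailer."""
    body = dst + src + struct.pack(">H", ethertype) + payload
    return body + struct.pack("<I", ethernet_fcs(body))


def split_fcs(frame: bytes):
    """Return (body, received_fcs) for a frame that ends in a 4-byte FCS."""
    return frame[:-4], struct.unpack("<I", frame[-4:])[0]


def cut_through_forward(frame: bytes) -> bytes:
    """Model of a cut-through switch. By the time the FCS trailer arrives, the
    header and payload are already on the egress wire, so a corrupt frame cannot
    be dropped. ASSUMED stomp convention (not stated on the page): transmit the
    bitwise inverse of the FCS computed over the bytes actually forwarded."""
    body, rx_fcs = split_fcs(frame)
    computed = ethernet_fcs(body)
    if rx_fcs == computed:
        return frame                      # clean frame passes untouched
    return body + struct.pack("<I", computed ^ MASK32)


def store_and_forward_classify(frame: bytes) -> str:
    """Model of a store-and-forward device (or the end host), which buffers the
    whole frame and checks the trailer before forwarding it.
    Returns 'ok', 'stomped' or 'crc-error'."""
    body, rx_fcs = split_fcs(frame)
    computed = ethernet_fcs(body)
    if rx_fcs == computed:
        return "ok"
    if rx_fcs == (computed ^ MASK32):
        return "stomped"     # marked bad upstream; the real fault is elsewhere
    return "crc-error"       # corrupted on the link into this very port


def corrupt(frame: bytes, offset: int, xor_mask: int = 0x01) -> bytes:
    """Flip bits at one byte offset inside the frame body (simulated bad cable/optic)."""
    data = bytearray(frame)
    data[offset] ^= xor_mask
    return bytes(data)


def demo() -> dict:
    """Walk one frame through: ingress leaf (genuine CRC error) vs. a frame that
    a cut-through hop already stomped before it reached us."""
    good = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                       0x0800, b"constructed payload " * 3)
    damaged = corrupt(good, offset=20, xor_mask=0x5A)   # offset 20 is inside the payload
    return {
        "good_at_leaf": store_and_forward_classify(good),
        "damaged_at_ingress": store_and_forward_classify(damaged),
        "damaged_downstream": store_and_forward_classify(cut_through_forward(damaged)),
        "good_passthrough": cut_through_forward(good) == good,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a fabric, the corresponding numbers are the split eqptIngrCrcErrPkts counters mentioned above: a rising stomped count on a leaf port says the corruption happened upstream (the frame was already marked bad when it arrived), whereas a rising genuine CRC count points at that port's own link, cable or optic. Chasing the stomped counter on the wrong link is exactly the mistake the new split avoids.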

Resolved issues


The stats for a given leaf switch rule cannot be viewed if a rule is double-clicked.


When authenticating with the Cisco APIC using ISE (TACACS), all logins over 31 characters fail.


The health status of DHCP was not updated after a leaf switch upgrade for some of the leaf switches.


There is no record of who acknowledged a fault in the Cisco APIC, nor when the acknowledgement occurred.


A port group cannot be renamed. This is an enhancement request to enable the renaming of port groups.


Inventory pull operations or VMware vCenter updates are delayed.


Configuration import fails due to a Global AES encryption key mismatch for pimIfPol.


F0467 fault is present on the infra overlay L3Out when the domain is not associated correctly. However, this fault should not be raised on infra overlay L3Out even when the domain association is incorrect.


When making a configuration change to an L3Out (such as contract removal or addition), the BGP peer flaps or the bgpPeerP object is deleted from the leaf switch. In the leaf switch policy-element traces, isClassic = 0, wasClassic = 1 is set post-update from the Cisco APIC.


The plugin-handler triggers the pre-remove lifecycle hook for a scale-out app that is being removed. It keeps checking the status of the pre-remove lifecycle hook using a Kron API, but if Kron is down, the plugin-handler waits for Kron to come back within the same transaction. This can cause the APIC cluster to diverge.


The warning message for cloning a policy in the Clone dialog box is cut off and the entire message cannot be read.


A service cannot be reached from APIC out-of-band management if it lies in the subnet used internally by the APIC's docker0 interface. This enhancement request implements a GUI option to change the docker0 IP address; bug CSCve84297 implements the REST API way to change it.


There is a stale F2736 fault after configuring in-band IP addresses with the out-of-band IP addresses for the Cisco APIC.


When the VRF instance of both service device bridge domains is changed, the svcredirHealthGrp managed objects may not be created in the switch for the new VRF instance. As a result, traffic is impacted and faults are raised in the switch and in the APIC at the tenant level.


In an ACI fabric, the vPC IP address is managed by the dhcpd process. Sometimes when deleting vPCs or vPC domains, the clean-up does not complete: the fabricExplicitGEp managed object is deleted, but the corresponding fabricVpcResource managed object is not. As a result, when a new vPC pair is created, the dhcpd process might assign the same IP address that the deleted vPC had, and then crash when it tries to assign a different IP address a second time.


vmmPLInf objects are created with epgKey's and DN's that have truncated EPG names ( truncated at ".").


A static subnet can be configured under an EPG even if the EPG belongs to a bridge domain that is already associated with another static subnet whose address space is the same as, or a superset of, the EPG's subnet. Therefore, the bridge domain and its associated EPG can end up with the same subnets, or the EPG's subnet can lie inside the bridge domain's subnet.


The descending sort option does not work for the Static Ports table. Even when the user selects descending, the sort defaults to ascending.


When using AVE with Cisco APIC, fault F0214 gets raised, but there is no noticeable impact on AVE operation:

descr: Fault delegate: Operational issues detected for OpFlex device: ..., error: [Inventory not available on the node at this time]


Policies may take a long time (over 10 minutes) to get programmed on the leaf switches. In addition, the APIC pulls inventory from the VMware vCenter repeatedly, instead of following the usual 24 hour interval.


While configuring a node in-band address using a wizard, or while configuring a subnet under the bridge domain (Tenant > BD > Subnet), if "x.x.x.0/subnet" is chosen as the range, the following message is displayed:

Incorrect message Error 400 - Broadcast IP x.x.x.0/subnet during inband config


A leaf switch still consumes the base license even in a multipod setup.


When there are standby APICs in the fabric, the show controller command takes a long time to complete.


In some circumstances, fault F1188 is generated. This fault is cosmetic.


If the current VMware vCenter crashes and is not recoverable, and a new VMware vCenter with an identical configuration is built, the Cisco APIC pushes the DVS and quarantine port groups but does not push the EPG port groups.


The Cisco ACI Simulator version 4.2 gets stuck at the "installing the APIC software, this may take a few minutes...." screen and the installation does not proceed.


Fault: F3060 "license-manager-license-authorization-expired" is raised although show license status shows the REGISTERED status and the license authorization shows AUTHORIZED.


The ACI fabric admin password is initially set by the setup script during APIC node initialization (for example, pw1). If the admin password is later changed (for example, to pw2), the new password is not preserved across a database clean-up, so pw1 is required again after a clean reload. Operations teams do not always document the very first APIC password, so they can be locked out of the APIC after a clean reload because the original admin password has been forgotten.


Cisco ACI plugin containers do not get updated.


When configuring a vzAny contract (regardless of the details) as a "Provided" contract, the command show vrf XYZ detail executed directly in the APIC CLI will display it as "Consumed", and if configured as "Consumed", it will show it as "Provided".


vPod deployment fails in the VMware vCenter plugin with the following error:

"Deploy ACI Virtual Pod - An Error Occured"

In the logs (/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log), the following error can be seen:

The following PortGroup could not be resolved


When tracking an AVE endpoint, both the show endpoint ip x.x.x.x command in the Cisco APIC CLI and the endpoint's entry in the GUI show incorrect or multiple vPC names for the IP address.


Process vmmmgr crashes while processing a DvsUpgradedEvent from VMware vCenter.


If a Cisco APIC receives a large number of DHCP requests with unique client addresses, each request creates a unique dhcpClient managed object on the APIC in the requesting state. Depending on the number of unique requests, these can accumulate over time and push the dhcpd process on the APIC past its scale limits, potentially crashing it. The APIC itself does not crash; the dhcpd process crashes and recovers. The crash was observed when the dhcpClient managed object count exceeded 4 million.


An APIC tenant purge fails after the OpenStack project is deleted if the public OpenStack endpoint URL access is blocked from the OpenStack mgmt network.


The scope for host routes should be configurable; however, the option to define the scope is not available.


Active uplinks are removed for a portgroup in VMware vCenter after changing the security settings (macChanges|forgedTransmits) in the "Edit VMM Domain Association" tab under the EPG domain configuration.


Configuring a static endpoint through the Cisco APIC CLI fails with the following error:

Error: Unable to process the query, result dataset is too big

Command execution failed.


When migrating an AVS VMM domain to Cisco ACI Virtual Edge, the Cisco ACI Virtual Edge that gets deployed is configured in VLAN mode rather than VXLAN Mode. Because of this, you will see faults for the EPGs with the following error message:

"No valid encapsulation identifier allocated for the epg"


F2928 "KeyRing Certificate expired" faults are raised and do not get cleared.


While using the UCSM plugin/VMM domain, during a vPC link failover test, VLANs from the vNIC template are removed. However, global (uplink) VLANs and the VLAN group remain untouched. In addition, the VMM domain is removed.


An error is raised while building an ACI container image because of a conflict with the /opt/ciscoaci-tripleo-heat-templates/tools/ package.


The vmmmgr process crashes and is unable to restart properly; it crashes again after every restart.

Compatibility information

Supported releases by product:

  • Cisco NX-OS: 14.2(3)
  • Cisco AVS: 5.2(1)SV3(4.10). For more information about the supported AVS releases, see the AVS software compatibility information in the Cisco AVS Release Notes, Release 5.2(1)SV3(4.10).
  • Cisco UCS Manager: 2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter.
  • CIMC HUU ISO (pick the image that matches the APIC appliance hardware):
    • 4.0(4e) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
    • 4.0(2g) CIMC HUU ISO (recommended) for UCS C220/C240 M4 and M5 (APIC-L2/M2 and APIC-L3/M3)
    • 4.0(1a) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
    • 3.0(4l) CIMC HUU ISO (recommended) for UCS C220/C240 M3 (APIC-L1/M1)
    • 3.0(4d) CIMC HUU ISO for UCS C220/C240 M3 and M4 (APIC-L1/M1 and APIC-L2/M2)
    • 3.0(3f) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
    • 3.0(3e) CIMC HUU ISO for UCS C220/C240 M3 (APIC-L1/M1)
    • 2.0(13i) CIMC HUU ISO
    • 2.0(9c) CIMC HUU ISO
    • 2.0(3i) CIMC HUU ISO