Assurance Sensor Control Release Notes 24.09

These release notes cover the requirements, new features, changes, and corrected issues for the Assurance Sensor Control version 24.09. Read all release notes before installing this firmware version.

Requirements

This firmware version applies to Assurance Sensor Control.

Note: This firmware release includes the images needed to deploy the Assurance Sensor Control using a KVM or VMware Hypervisor, as well as the .afl upgrade file that is typically part of an Assurance Sensor Control release.

Assurance Sensor Control 24.09 requires Skylight orchestrator 23.12 or newer.

Important: In Sensor Control 24.09, remote device upgrades from firmware versions before the VCX 2.2 FWSuite (FWSUITE_VCX_2.2_10190) have been blocked to protect against a potential complete loss of connectivity/functionality that cannot be recovered. To upgrade a remote device from an older FWSuite version, an older version of Sensor Control must be used to first upgrade the remote device to FWSUITE_VCX_2.2_10190.

Upgrade Considerations

Upgrading the Sensor Control firmware version does not automatically upgrade the remote device firmware suite.

As of Sensor Control 22.12, you can use remote devices that have older firmware suite versions with the current release. For this release, the supported remote device firmware suite starts with version 19.12.

Caution: The upgrade process was hardened in VCX 2.7. Under specific circumstances, the remote device upgrade can still fail. This happens if the remote device management is lost, and the remote device performs an automatic rollback. The remote device can brick if the power is lost in a critical short period. This was seen in a lab environment only and never reported by a customer.

Before doing the upgrade, it is recommended to enable Extra Reconnection Delay with the previous release (refer to the Assurance Sensor Control user manual section “Adding Remote Devices” for more details on how to enable Extra Reconnection Delay).

The downgrade is still executed using the previous software that still has the update process deficiencies. The downgrade can still cause remote devices to fail and should be avoided at the exception of VCX 2.5.0.2 and VCX 2.6.0.1 for which the downgrade is supported without issue.

It is not recommended to change any other remote device configuration when operating with a different firmware version. Changing the configuration can result in unknown behavior. A factory reset using the Module Dock may be required in some cases. In a future release, Sensor Control software will prevent changing configuration for remote devices running a different firmware version.

For cases where all remote devices cannot be upgraded at the same time, it is recommended to run different Sensor Control instances with different software versions. Remote devices to be upgraded should be moved between Sensor Controls. When downgrading Sensor Control software, the remote devices firmware version shall also be downgraded. The downgrade process shall follow these steps to successfully downgrade Sensor Control software and remote devices firmware. Note that downgrades are not recommended (see Caution above).

System Capabilities

The Sensor Control offers the following system capabilities:

New Features

This Assurance Sensor Control release introduces the following new features and enhancements.

Cisco Branding for Sensor Control

The graphical user interface and product name has been rebranded. The Skylight sensor: control firmware has been rebranded to display the new name of Cisco Provider Connectivity Assurance Sensor Control and user interface branding changes have been made in alignment with Cisco branding.

Cisco Hardware Branding for Module Dock

Hardware units have been rebranded for the Cisco Provider Connectivity Assurance Module Dock.

Cisco Software Branding for Module Dock

Software has been rebranded for the Cisco Provider Connectivity Assurance Module Dock.

EVC Fault Propagation

This release supports EVC fault propagation upon a remote MEP failure. This feature addresses instances where connectivity is disrupted, the Sensor Module does not receive the ETH-CSF signal, and only the CCM alarm is triggered.

Cisco Hardware Branding for Sensor Modules

Hardware units have been rebranded for the following Cisco Provider Connectivity Assurance Sensor Modules:

• Module 1G

• Module 10G

Automatic Assignment of the TWAMP UDP Source Port

Added support for automatic discovery and assignment of the TWAMP sender's UDP port without requiring manual configuration by the user when performing TWAMP reflector sessions.

Cisco PIDs for Sensor SFP

Added Cisco Product Identification (PID) for Sensor SFP devices:

• S1G-TE-PM-D-I SFP-1GbE Performance Monitoring, 100/1000bT I-temp

• S1G-SX-PM-D-I SFP-1GbE Performance Monitoring, SX, 850nm, 550m I-temp

• S1G-LH-PM-D-I SFP-1GbE Performance Monitoring, LH, 1310nn, I-temp

• S10G-SR-PM-D-I SFP-10GbE Performance Monitoring, SR, MM, 850nm, 150/150/150m OM3/4/5, E-Temp

• S10G-LR-PM-D-I SFP-10GbE Performance Monitoring, LR, SM, 1310nm, 10km, I-Temp

• S10G-ER-PM-D-I SFP-10GbE Performance Monitoring, ER, SM, 1550nm, 40km, I-Temp

• S10G-10G-BD-PM-D-I SFP-10GbE Performance Monitoring, LR-BiDi, SM, 1310/1270nm, 10km, I-Temp

• S10G-10G-BU-PM-D-I SFP-10GbE Performance Monitoring, LR-BiDi, SM, 1270/1310nm, 10km, I-Temp

• S10G-10G-B40D-PM-D-I SFP-10GbE Performance Monitoring, ER-BiDi, SM, 1330/1270nm, 10km, I-Temp

• S10G-10G-B40U-PM-D-I SFP-10GbE Performance Monitoring, ER-BiDi, SM, 1270/1330nm, 10km, I-Temp

Metadata for VCE and Local Interface

Added a string field to the VCE and local interface to identify endpoint location.

Cisco UDI on Sensor Modules and Module Dock

Added Cisco Unique Device Identifier (UDI) into the EEPROM, which is readable in software, using board show info or equivalent from the CLI only. This UDI is composed of the product ID, Version, and Cisco serial number.

Test Sensor Modules with Cisco Standard SFP 1G

Sensor Modules have been tested with Cisco standard 1G SFP.

Test Sensor Module 10G with Cisco Standard SFP 10G

Sensor Module 10G has been tested with Cisco standard 10G SFP.

Sensor Control Official Change Branding Name

Product name for Skylight sensor: control has changed to Cisco Provider Connectivity Assurance Sensor Control. This includes:

• Assurance Sensor Modules (1G and 10G)

• Assurance Sensor SFP (1G and 10G)

• Module Dock

Change Default Password

Upon initial login, the system shall force the user to change the default password when the unit is in the factory-default state

• The minimum password length is 1 character, and the maximum is 128 characters.

• Any character is acceptable Note: No leading and trailing spaces on the password should be used.

Note: The system shall NOT force the user to change the default password when the configuration is imported from another system or upgraded from a previous version.

Update OpenSSL and Dropbear Libraries

The version for OpenSSL has been updated to the correct version (3.0.14) and dropbear has been updated to the correct version 2024.85 and the following issues have also been fixed:

• CVE-2013-2094

• CVE-2014-3153

* Security compliances (CSDL/CSERV, Corona, TPSCRM)

Corrected Issues

This Assurance Sensor Control release corrects the following issues:

Sensor SFP 10G Link Status

There are differences between the Accedian Skylight sensor: SFP compute 10G and the Cisco Provider Connectivity Assurance Sensor SFP 10G when establishing a link-up status.

Security Vulnerabilities

The following issues have been fixed:

• Local privilege escalation

• Insufficient input sanitization

• Read permissions for sensitive data

Unable to Use Netcracker to Configure the Device

The device is sending inaccurate information after performing unsuccessful configuration import via Netcracker. It shows import success and reboot success, however the device did not have the imported file and was then unable to reboot.

Some Cisco Standard SFP 10G Devices May Not Work with Sensor Module 10G

Inserting some Cisco standard SFP 10G devices to the Sensor Module 10G may not establish a link.

NNI Port Detected as 100M When Inserted into the Sensor Module

When discovering a new Sensor Module after inserting a Sensor SFP into the NNI side, the port comes up as 1G. However, SFP information shows that the actual speed is 100M.

Port Link Status Flapping in Cisco Nexus 9000 Switch

Hosting the Sensor SFP 10G in a Cisco Nexus 9000 switch causes a port link status flapping error.

Drop Opposite Traffic Warning Was Not Present

When enabling the checkbox of “Drop Opposite Traffic” in OAM Loopback, there was no warning that dropping opposite traffic would drop all the traffic entering the device on the opposite port. Warning has been added via pop-up: “Configuration changes are service affecting, Are you sure you want to proceed?” to warn users of the implications.

False PTP Alarm Not Clearing

System-Configuration-Time was showing PTP synchronization status as synchronized, however the device was raising alarm error code 7.0001.05, even though there was no network changes or changes that would trigger this alarm.

Security Vulnerabilities

The following issues have been fixed:

• Weak ssh--dss host key algorithm

• Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)

• GoAhead Server HTTP Header Injection Vulnerability (CVE-2019-16645)

Security Vulnerabilities

Security vulnerabilities check. The following issues have been fixed:

• Maximum SSH connection to device (5 sessions): Verify able to connect up to 5 SSH session to device successfully

• Netconf connection to device: Enable Netconf on device, establish the Netconf connection to device by the below command: ssh admin@10.231.82.31 -p 830 -s netconf

• Terrapin Scanner tool to scan the issue (CVE-2023-48795)

• SSH to device with debug option

• Update dropbear to v2024.85

Release 24.09 Lifecycle

This section lists the planned lifecycle dates for this release.