Assurance Sensor Control Release Notes 25.07

Prev Next

These release notes cover the requirements, new features, changes, and corrected issues for the Assurance Sensor Control version 25.07. Read all release notes before installing this firmware version.

Requirements

This firmware version applies to Assurance Sensor Control.

Product Name

Software Version

Build Number

Software Files

Assurance Sensor Control

25.07

VCX_25.07_121591

FWSUITE_VCX_25.07_32007

FWSUITE_VCX_25.07_32007.afl

Accedian_MIBS_121591

AMD_25.07_121591.afl

VCX_25.07_121591.afl

VCX_25.07_121591_KVM.tar.bz2

VCX_25.07_121591_VMWare.ova

VCX_25.07_121591_SingleDiskKVM.tar.bz2

VCX_25.07_121591_SingleDiskVMWare.ova

Note: This firmware release includes the images needed to deploy the Assurance Sensor Control using a KVM or VMware Hypervisor, as well as the .afl upgrade file that is typically part of an Assurance Sensor Control release.

Assurance Sensor Control 25.07 requires Skylight orchestrator 23.12 or newer.

Important: In Sensor Control 25.07, remote device upgrades from firmware versions before the VCX 2.2 FWSuite (FWSUITE_VCX_2.2_10190) have been blocked to protect against a potential complete loss of connectivity/functionality that cannot be recovered. To upgrade a remote device from an older FWSuite version, an older version of Sensor Control must be used to first upgrade the remote device to FWSUITE_VCX_2.2_10190.

Upgrade Considerations

Upgrading the Sensor Control firmware version does not automatically upgrade the remote device firmware suite.

As of Sensor Control 22.12, you can use remote devices that have older firmware suite versions with the current release. For this release, the supported remote device firmware suite starts with version 22.06.

Caution: The upgrade process was hardened in VCX 2.7. Under specific circumstances, the remote device upgrade can still fail. This happens if the remote device management is lost, and the remote device performs an automatic rollback. The remote device can brick if the power is lost in a critical short period. This was seen in a lab environment only and never reported by a customer.

Before doing the upgrade, it is recommended to enable Extra Reconnection Delay with the previous release (refer to the Assurance Sensor Control user manual section “Adding Remote Devices” for more details on how to enable Extra Reconnection Delay).

The downgrade is still executed using the previous software that still has the update process deficiencies. The downgrade can still cause remote devices to fail and should be avoided at the exception of VCX 2.5.0.2 and VCX 2.6.0.1 for which the downgrade is supported without issue.

It is not recommended to change any other remote device configuration when operating with a different firmware version. Changing the configuration can result in unknown behavior. A factory reset using the Module Dock may be required in some cases. In a future release, Sensor Control software will prevent changing configuration for remote devices running a different firmware version.

For cases where all remote devices cannot be upgraded at the same time, it is recommended to run different Sensor Control instances with different software versions. Remote devices to be upgraded should be moved between Sensor Controls. When downgrading Sensor Control software, the remote devices firmware version shall also be downgraded. The downgrade process shall follow these steps to successfully downgrade Sensor Control software and remote devices firmware. Note that downgrades are not recommended (see Caution above).

Downgrade is not permitted for identical firmware suites. For example, the Sensor Control prevents downgrading the remote device firmware suite from version 24.11 to 24.09, as these versions are identical.

IMPORTANT: If you are downgrading the firmware without performing a factory reset, you will not be able to connect to the board via CLI or WEB interfaces.

Operational Considerations

Be aware of these operational considerations:

  • After deploying a new virtual machine from the OVA or QCOW2, the Assurance Sensor Control will not generate a default certificate. You will need to perform a factory reset after deploying the virtual machine in order to generate the certificate and access the web interface.
  • The remote device firmware suite can be upgraded to a version that is greater than the Sensor Control version. For example, you can upgrade the remote device firmware suite from version 23.12.0 to 24.09.0 using Sensor Control version 23.12.0.
  • When using hypervisor functions that involve dynamic load balancing of guest virtual appliances in a hypervisor cluster (i.e. VMWare DRS), the balancing policy should limit rebalancing operations to be done on virtual appliance startup and/or hypervisor host failures. The dynamic load balancing must follow the engineering guidelines for dedicated resources allocation. The user should also set MAC preservation. This is mandatory when using local licenses as the license is coupled with the MAC.
  • If multiple discovery methods are being used, it is possible that they will discover the same remote device. This can cause some confusion regarding the IP address being used to manage the unit, especially if a specific IP address is expected to be used for a specific remote device. It is important to note that the first discovery method used to discover the remote device is the one that will be used for management. For example, if DHCP advertisement is used at the time of an IP Agnostic discovery, then the IP address of that first method discovering the device is the one that will be used. It is good practice to use only one discovery method for a specific remote device.
  • When the user completes an upgrade to the latest build without configuration reset, they will get an error "CSRF Violation" when uploading the import files for the first time.
    • Press Ctrl + F5 to refresh the page.
  • The Sensor SFP 10G link can take 30 seconds to come up.
  • The Sensor SFP 10G reboot time can take up to 60 seconds.
  • SyncE:
    • Shall be used with no force link up disable and ESMC enabled.
    • Long term holdover not supported.
  • Internet Explorer 11 is no longer supported. The browser does not support newer technology and does not always work properly.
  • Loopback usage in the second-generation remote devices is limited to one loopback on both ports or two loopbacks on a unique port. Using two loopbacks on both ports at the same time will be removed in a future release.
  • The virtual machine MTU must be configured to a value greater than 1526 bytes to generate 1500-byte NFV probes over a Q-in-Q interface.
  • The virtual machine disk must be deployed using thin mode with ESXi to limit the storage to the configured size. Otherwise, the maximum configuration size will be reserved on the host.
  • The following table provides the traffic downtime associated with the upgrade of a Sensor Control 20.11 release firmware suite. All values are expressed in seconds.
    Note: The switching time (i.e., jump) between the PMON and TGEN firmware loads is equivalent to the FPGA downtime (third row below).

    Firmware Suite Upgrade Downtime
    Downtime Sensor SFP 1G Copper Sensor SFP 1G Optical Sensor Module 1G Copper Sensor Module 1G Combo Sensor Module 10G Sensor Module 1G Sensor SFP 10G
    MCU 4.30 3.92 5.08 2.14 3.97 4.28 2.27
    Baseload N/A N/A N/A N/A N/A N/A N/A
    FPGA 3.48 2.30 3.60 1.05 0.96 1.24 17.88
    Total 7.78 6.22 8.68 3.19 4.93 5.52 20.15

    The traffic downtime values shown above were calculated following firmware upgrade tests performed with Assurance Sensors (formerly Accedian Skylight performance elements) acting as the host devices. Traffic downtime can vary from one host device type/model to another. For example, downtime measurements using a Cisco 901 as the host device gave the following results:
    • Sensor SFP 1G copper Sensor Module downtime: 13.0
    • Sensor SFP 1G optical Sensor Module downtime: 7.4
  • SyncE clock transparency on Sensor SFP 1G copper Performance Modules may not work if the mastership is misconfigured.
  • An XML file with the required Sensor Control virtual machine hardware information has been provided with this release to ease deployment of the Sensor Control on a KVM Hypervisor. Offered in libvirt-compatible format, this file can be used with any third-party tool that supports this format such as the virsh command line utility. For additional information, refer to libvirt.org.
  • Prior to deploying the KVM image, you must configure your host networking settings to map to the Sensor Control network interfaces.
  • Flow broker file transfer using FTPS:
    • Ensure the FTPS server allows session re-creation. Otherwise, the file transfer aborts, and the file is empty.
  • SAT RFC-2544:
    • Due to the number of traffic filters available per remote device, SAT RFC-2544 Layer-3 (IP) tests using multiple (i.e., up to four) flows must use the same UDP source and destination ports on all flows, otherwise one of the flows will not function properly.
    • Attempts by the SAT RFC-2544 traffic generator to send two flows (Layer-3 packets with two distinct IP address targets) may occasionally fail. If this happens, simply restart the test.
  • System Alarms:
    • The threshold period cannot be defined for raised or cleared alarms.
    • As the system reboots, some Loss of Connectivity alarms may be raised for remote devices that are configured in the system, but not yet linked to the Sensor Control instance. These alarms are cleared when the remote devices are linked again.
    • No alarm hierarchy mechanism has been implemented in the Sensor Control. As such, no alarms are filtered if a higher-priority alarm is raised.
  • Remote Devices:
    • The remote device will be deleted if you change the port used for managing the remote device.
    • Due to the ageing mechanism used by the remote device inventory, a remote device may still appear in the inventory once it has been removed, depending on the discovery period.
    • A Domain ID cannot be specified when creating a remote device discovery instance using the ACP-Layer2 method. The Domain ID is automatically set to Default Domain.
    • When deleting a remote device, the link between the Sensor Control and the remote device must be properly closed before the same device can be added again. Remote devices added before the closure process has completed are not recognized by the Sensor Control. In such cases, simply allow a few seconds for the closure process to complete before trying again.
    • Since the Accedian ACP Layer-2 protocol is used to discover remote devices, its discovery messages may reconfigure the Auto interface of Accedian units (like Skylight element: TE, as well as NE and CE Skylight performance elements) running legacy firmware such as v4.9.x or older.
    • When discovering more than 500 remote devices, it is strongly recommended to perform the discovery process, at most, once every 60 seconds. The three-second discovery feature is CPU intensive.
    • The maximum permitted number of daisy-chained remote devices is 255.
  • Time Synchronization:
    • Only NTP client instances are supported by this product: NTP server instances are not supported. The NTP client presents certain limitations compared to other Accedian products.
    • The date CLI command does not reject invalid dates.
  • CFM second-generation Sensor Modules:
    • The Sensor Control manages CFM in either point-to-point or E LAN topologies. These CFM messages are handled through an NFV tunnel established between a Sensor Control.
  • The dynamic firmware update feature may require up to five minutes per remote device to update the loads contained on the remote devices that are linked to an instance of the Sensor Control.
  • If a Sensor Module 1G has a combo port with one active port and one inactive port, both links will be shown as “up” because a remote partner is linked to each of them. The inactive port maintains an “up” link status to achieve faster media selection.
  • Sensor SFP 1G and Sensor Module 1G cannot loop back any TCP frames addressed to them (device primary IP).
  • A Sensor Control’s Node ID can be edited after the Probe agent has been disabled. For this reason, a nodeid edit command must be preceded by the agent server disable command and followed by the agent-server enable command.
  • Each instance of the Sensor Control will extract the value of the following dynamic settings stored on the Sensor Module:
    • TWAMP stateless reflection state (enable/disable) and UDP port
    • Default TWAMP stateful reflection state (enable/disable) and UDP port
    • ETH-DMM reflection state (enable/disable)
    • SyncE state (enable/disable) and clock source selection and QL state (enable/disable)
    • LLDP enable state (enable/disable) and rate
    • Any port PHY related settings
    • Any port SFP related settings, such as:
      • Laser state (enable/disable)
      • Force Link Up (enable/disable) with timeout period
  • Redundant Parameter Handling: If you enter redundant parameters in a command line, the system applies only the value of the last instance. For example, in the command mode edit syslog-ng enable syslog-ng disable, the system applies the final parameter value syslog-ng disable.
  • When the system starts and PCA-AAA is not yet configured, the pca-aaa-client show connection status command intentionally displays the default value of OK for last token status and last auth request, and 0D:00H:00M:00S for next token update. In contrast, similar parameters for the pca-aaa-client show session status command, such as Last status and Uptime, are empty.
  • By default, the tcpdump application converts the Source IP address and Destination IP address from the IP Header into hostname strings if the capture is directed to the console (stdout).
  • Safari is not a supported browser. Accessing the application with Safari may result in limited functionality or unexpected behavior.

System Capabilities

The Sensor Control offers the following system capabilities:

Feature

Maximum

Changes in Sensor Control 25.07

Remote Device

Remote devices configured and supported

1500

Remote device ports

6000

Interfaces, remote devices

3000

Discovery

Discovery instances

500

Discovered remote devices

2000

Sensor Control Local Port & Interface

Local ports (typically referred to as LOCAL-xyz)

10 (including the Management port)

Sensor Control local route

4092

Interfaces, local ports

100

CFM

Number of modules supporting CFM MEP session

500

CFM MEP session per second generation module

8

CFM Maximum number of Remote MEP

99

CFM MEP smallest interval

1 second

Number of CFM MEP per Sensor Control

4000

Number of Packet loss per Sensor Control

4000

Number of Packet loss per second generation module

8

Number of DMM session per Sensor Control

4000

Number of DMM session per second generation module

8

DMM smallest interval

1 second

Number of SLM session per Sensor Control

4000

Number of SLM session per Sensor Control

4000

Number of SLM session per second generation module

8

SLM smallest interval

100 ms

SAT

SAT Traffic Generation configuration (up to four flows)

1000

SAT Traffic Generation execution (up to four flows)

500

SAT Test Suites in the system (one test suite per device)

500

Y.1564 (8 flows)

500 (tested 4)

SAT reports

500

TWAMP reflection instances (module)

1500

TWAMP reflection, stateful per module

16

DMM reflection instances (module)

1500

Loopback reflection per remote device

2

Flowmeter

Flowmeter flows supported per remote port

28 per device

Flowmeter flows supported per Sensor Control instance

4000

Flow broker

Flow broker Analyzers

100

Flow broker Analyzers in an Analyzer set

4

Flow broker rules per Sensor Control

1000

Flow broker capture bandwidth per 1G module

300 Mbps with 1 ms RTT

50 Mbps with 20 ms RTT

Flow broker capture bandwidth per Sensor SFP 1G

300 Mbps with 1 ms RTT

50 Mbps with 20 ms RTT

Flow broker capture bandwidth per 10G module

700 Mbps with 1 ms RTT

100 Mbps with 8 ms RTT

Flow broker capture bandwidth per Sensor SFP 10G

Not supported

Flow broker capture bandwidth per Skylight element: FSX

100 Mbps with 1 ms RTT

Flow broker ERSPAN streaming bandwidth

200 Mbps

Flow broker PCAP streaming bandwidth

150 Mbps using SCP

500 Mbps using FTP

Flow broker Port Streaming bandwidth

150 Mbps

Flow Probes

PM Accuracy direct actuation (i350)

50 us

NFV PM Accuracy

15 us

PM Accuracy with SR-IOV

500 µs for P99

Sensor Control Actuator maximum number of probes

4000

Sensor Control Actuator maximum number of packets per second (receive and transmit)

80 K in TX and 80 K in RX

Maximum number of probe reflection

4000

Maximum number of probes per module

2000

Maximum number of packets per second (receive and transmit) per module

40 K in TX and 40 K in RX for 128-byte frames

PPS accuracy

± 1.0 %

NFV TWAMP support

Yes

NFV ETH-DM support

Yes

NFV UDP Echo support

Yes

NFV ICMP Echo support

Yes

NFV ETH-VSP support

Yes

NFV ETH-LB support

Yes

NFV CFM maximum number of PPS

E-LINE 500 remote device per Sensor Control.

E-LAN 100 remote device per Sensor Control.

CFM instances: E-LAN:

1 MEP (each 99 RMEP) per RD

1 SLM per MEP per RD

1 DMM per MEP per RD.

Tx: 11 pps, RX: 111 pps per RD

CFM instances: E-LINE:

8 MEP per Module

6 SLM@10pps for 1 MEP per Module

8 DMM@1pps for 1 MEP per Module

Tx: 76 pps, Rx: 76 pps per Module

NFV Tunnel

Packet loss requirement

10^-6

RTT requirement

Validated with RTT between 5 ms and 50 ms

NFV Tunnel bandwidth

42 Mbps for NFV TWAMP deployment

84 Mbps for Reduced NFV PM footprint deployment

Virtual-Connection

VCE with IP domain enabled

500

VCE without IP domain

50000

Number of VCEs route

2500

VCA

30000

Synchronization

ARTS

500

PTP TC layer-2

Yes (Sensor Module 1G, Sensor Module 10G, Sensor SFP Copper and Sensor SFP Optical)

SyncE

Yes (Sensor Module 1G, Sensor SFP Copper and Sensor SFP Optical)

No (Sensor Module 10G)

PTP OC for module

NA

Service Creation

Policies and traffic filters per remote device

10 for second generation

2 for Sensor SFP 10G

Bandwidth Regulator per second generation module

16

Bandwidth Regulator per Sensor Control

24000

PCP CoS mapping per port

1

CoS mapping per Sensor Control

50

DSCP CoS mapping per port

1

Alarms

Number of trap alarm per second

1000

Users

Local users

15

User groups

8

Sessions

CLI sessions

5

WEB UI sessions

15

Total maximum sessions

20

Supported Filters

Layer-2 filter

6500

Ipv4 filter

6500

Ipv6 filter

6500

Total maximum sessions

19500

New Features

FIPS Mode Activation

Added support for FIPS (Federal Information Processing Standards)-compliant operation. FIPS mode can be enabled or disabled via the fips edit CLI command.

Cryptography, Encryption, and Key Management Enhancements

Enhanced cryptography, encryption, and key management capabilities, including:

  • Key-pair generation for local certificates

  • Management of local default and custom certificates

  • Certificate revocation status checks

  • Alarms for certificate expiration and expired certificates

  • CLI support for certificate operations

  • Trusted Root Store (TRS) bundle management via Management Web Interface

Identity and Access Management Enhancements

Implemented security improvements to identity and access management while maintaining backward compatibility. Key enhancements include:

  • Secure storage of credentials

  • Access management via password policies

  • Removal of default credentials

  • Prevention of undocumented access

Application and Interface Security Enhancements

Implemented a comprehensive set of application and interface security enhancements. Key features include:

  • Input validation

  • Secure data handling

  • Adoption of web security best practices

  • Protection against injection attacks, cross-site scripting (XSS), CSRF, and click-jacking

  • Enforcement of HTTP Strict Transport Security

  • Safe URL handling

Digital Signature Verification for AFL Files

Software update procedure now supports digital signature verification for AFL files, enhancing product security with improved authenticity and integrity checks.

Delete-All Sub-Permission for Remote Devices

Introduced a new "delete-all" sub-permission in the Remote-Device-Management permission set. This permission is now required to access the Delete All button on the Remote Devices Configuration screen or to delete all remote devices via the CLI.

Syslog Data Streaming to Multiple Destinations

Enabled syslog data streaming to multiple destinations via TCP, allowing alerts to be forwarded to administrators and Information System Security Officers (ISSOs).

Web Server Disabling Option

Introduced the capability to disable the web server to support audit functionality and to achieve FIPS (Federal Information Processing Standards) and STIG (Security Technical Implementation Guidelines) compliance.

Provider Connectivity Assurance AAA and MFA Integration

Added support for secure access to a centralized Authentication, Authorization, and Accounting (AAA) server and Multi-Factor Authentication (MFA) capabilities to Cisco Provider Connectivity Assurance Sensors.

Cisco SSL and Cisco SSH Library Integration

Integrated Cisco SSL and Cisco SSH libraries to support FedRAMP (Federal Risk and Authorization Management Program) compliance. This feature includes a runtime switch to enable FIPS (Federal Information Processing Standards) mode for these libraries.

Corrected Issues

This Assurance Sensor Control release corrects the following issues:

Same Serial Number on All Sensor Control Instances

Multiple Sensor Control instances installed on Ubuntu 24.04 are showing the same serial number.

TCPDUMP Feature Missing in Sensor Control 24.11

The TCPDUMP tool, which was available in Sensor Control version 23.12, is not accessible via the CLI in Sensor Control version 24.11.

Copper Sensor SFP Incompatibility with ASR 9010 IOS 7.6.2

Cisco ASR 9010 routers may fail to detect Copper Sensor SFPs after upgrading from IOS 6.7.3 to IOS 7.6.2. This issue results in unlinked Sensor SFPs and an outage of services such as PM sessions and Flowmeter. The problem occurs with firmware suites newer than 19.12.

Stateful TWAMP Session Counts False Duplicate when Packet is Reordered Both Ways

When a packet as TWAMP stateful is first reordered on the uplink path and then the same packet encounters a second reordering on the downlink path, the session counts false duplicate packets in the uplink path (p2r).

Management Web Interface Access Inaccessible with DNS Name

After upgrading to version 24.07, the Management Web Interface is inaccessible when using the DNS name, resulting in an 'Access Error: Site or page Not found' message.

Sensor Control 22.12.2 Security Vulnerabilities

The following vulnerabilities were identified in Sensor Control version 22.12.2:

  • 7.4: Restricted Shell Escape to System Shell

  • 7.9: Insecure Password Hash Storage (partially resolved in Sensor Control 24.11 with the removal of shell access. Resolved by the Identity and Access Management improvements in 25.07)

  • 7.13: SSH Weak Algorithms Enabled (resolved by the Cisco SSH - FIPS feature in 25.07)

These issues prevent some users of Skylight Orchestrator 23.04.1 from upgrading Sensor Control, as they require the XML interface.

AC-31461 Y.1564 Not Showing All Test Configurations in Results Tab

When configuring more than eight Y.1564 tests in Sensor Control via Skylight Orchestrator, only the first eight test configurations are available for selection in the Test dropdown menu of the Results tab.

Release 25.07 Lifecycle

This section lists the planned lifecycle dates for this release.

Milestone

Description

Date

General Availability

Date where the product is available for general field deployment for both new installations and upgrades.

2025-08-01

End of Security Support

Date where security patches will no longer be delivered for this release. Any correctives for security defects required after this date will be delivered using the next major release of the software.

Next Major Release

Last Time Buy / Last Time Ship

Date where this release can no longer be purchased.

2027-08-01

End of Product Support

Date where functional patches will no longer be delivered for this release. Any correctives for functional defects required after this date will be delivered using the next major release of the software.

2027-08-01

End of Technical Support

Date where technical assistance is no longer available from the Technical Assistance Center for this release.

2030-08-01

© 2025 Cisco and/or its affiliates. All rights reserved.
 
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms

For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks