These release notes cover the requirements, new features, changes, and corrected issues for the Assurance Sensor Control version 25.07. Read all release notes before installing this firmware version.
Requirements
This firmware version applies to Assurance Sensor Control.
Product Name | Software Version | Build Number | Software Files |
Assurance Sensor Control | 25.07 | VCX_25.07_121591 FWSUITE_VCX_25.07_32007 | FWSUITE_VCX_25.07_32007.afl Accedian_MIBS_121591 AMD_25.07_121591.afl VCX_25.07_121591.afl VCX_25.07_121591_KVM.tar.bz2 VCX_25.07_121591_VMWare.ova VCX_25.07_121591_SingleDiskKVM.tar.bz2 VCX_25.07_121591_SingleDiskVMWare.ova |
Note: This firmware release includes the images needed to deploy the Assurance Sensor Control using a KVM or VMware Hypervisor, as well as the .afl upgrade file that is typically part of an Assurance Sensor Control release.
Assurance Sensor Control 25.07 requires Skylight orchestrator 23.12 or newer.
Important: In Sensor Control 25.07, remote device upgrades from firmware versions before the VCX 2.2 FWSuite (FWSUITE_VCX_2.2_10190) have been blocked to protect against a potential complete loss of connectivity/functionality that cannot be recovered. To upgrade a remote device from an older FWSuite version, an older version of Sensor Control must be used to first upgrade the remote device to FWSUITE_VCX_2.2_10190.
Upgrade Considerations
Upgrading the Sensor Control firmware version does not automatically upgrade the remote device firmware suite.
As of Sensor Control 22.12, you can use remote devices that have older firmware suite versions with the current release. For this release, the supported remote device firmware suite starts with version 22.06.
Caution: The upgrade process was hardened in VCX 2.7. Under specific circumstances, the remote device upgrade can still fail. This happens if the remote device management is lost, and the remote device performs an automatic rollback. The remote device can brick if the power is lost in a critical short period. This was seen in a lab environment only and never reported by a customer.
Before doing the upgrade, it is recommended to enable Extra Reconnection Delay with the previous release (refer to the Assurance Sensor Control user manual section “Adding Remote Devices” for more details on how to enable Extra Reconnection Delay).
The downgrade is still executed using the previous software that still has the update process deficiencies. The downgrade can still cause remote devices to fail and should be avoided, with the exception of VCX 2.5.0.2 and VCX 2.6.0.1, for which the downgrade is supported without issue.
It is not recommended to change any other remote device configuration when operating with a different firmware version. Changing the configuration can result in unknown behavior. A factory reset using the Module Dock may be required in some cases. In a future release, Sensor Control software will prevent changing configuration for remote devices running a different firmware version.
For cases where all remote devices cannot be upgraded at the same time, it is recommended to run different Sensor Control instances with different software versions. Remote devices to be upgraded should be moved between Sensor Controls. When downgrading Sensor Control software, the remote devices firmware version shall also be downgraded. The downgrade process shall follow these steps to successfully downgrade Sensor Control software and remote devices firmware. Note that downgrades are not recommended (see Caution above).
Downgrade is not permitted for identical firmware suites. For example, the Sensor Control prevents downgrading the remote device firmware suite from version 24.11 to 24.09, as these versions are identical.
IMPORTANT: If you are downgrading the firmware without performing a factory reset, you will not be able to connect to the board via CLI or WEB interfaces.
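A pre-flight check built from the version rules stated in this section, added here as an illustration and not Cisco or Accedian code: it sorts a remote-device inventory into devices that 25.07 refuses to upgrade, devices below the supported 22.06 suite, and supported devices, and flags the refused 24.11 to 24.09 downgrade. The inventory format, device names and function names are assumptions; the thresholds are the ones quoted above.

```python
import re

# Thresholds quoted from the release notes; everything else here is illustrative.
STAGING_SUITE = "FWSUITE_VCX_2.2_10190"   # oldest suite 25.07 will upgrade from
MIN_SUPPORTED = "22.06"                   # oldest suite supported with this release
IDENTICAL_PAIRS = [("24.09", "24.11")]    # suites the notes describe as identical

_SUITE_NAME = re.compile(r"^FWSUITE_VCX_([\d.]+)_\d+$")


def parse_version(text):
    """Turn '24.09', '2.5.0.2' or 'FWSUITE_VCX_2.2_10190' into a comparable tuple."""
    text = text.strip()
    match = _SUITE_NAME.match(text)
    if match:
        text = match.group(1)
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised firmware suite version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 23.12.0 as 23.12
        parts.pop()
    return tuple(parts)


def upgrade_action(current):
    """Classify one remote device by its current firmware suite version."""
    version = parse_version(current)
    if version < parse_version(STAGING_SUITE):
        return ("blocked: upgrade to " + STAGING_SUITE
                + " first, using an older Sensor Control")
    if version < parse_version(MIN_SUPPORTED):
        return "unsupported: suite is older than " + MIN_SUPPORTED + ", upgrade it"
    return "supported"


def downgrade_refused(current, target):
    """True when the notes say Sensor Control refuses this suite downgrade."""
    cur, tgt = parse_version(current), parse_version(target)
    return any(
        tgt < cur and {cur, tgt} == {parse_version(a), parse_version(b)}
        for a, b in IDENTICAL_PAIRS
    )


def plan(inventory):
    """Map device name -> action for a {name: version} inventory."""
    return {name: upgrade_action(ver) for name, ver in inventory.items()}


# Constructed inventory: device names and versions are sample data.
SAMPLE_INVENTORY = {
    "rd-lab-01": "2.1",
    "rd-lab-02": "FWSUITE_VCX_2.2_10190",
    "rd-lab-03": "20.11",
    "rd-lab-04": "23.12.0",
}

if __name__ == "__main__":
    for name, action in plan(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
    print("24.11 -> 24.09 refused:", downgrade_refused("24.11", "24.09"))
```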
Operational Considerations
Be aware of these operational considerations:
- After deploying a new virtual machine from the OVA or QCOW2, the Assurance Sensor Control will not generate a default certificate. You will need to perform a factory reset after deploying the virtual machine in order to generate the certificate and access the web interface.
- The remote device firmware suite can be upgraded to a version that is greater than the Sensor Control version. For example, you can upgrade the remote device firmware suite from version 23.12.0 to 24.09.0 using Sensor Control version 23.12.0.
- When using hypervisor functions that involve dynamic load balancing of guest virtual appliances in a hypervisor cluster (i.e. VMWare DRS), the balancing policy should limit rebalancing operations to be done on virtual appliance startup and/or hypervisor host failures. The dynamic load balancing must follow the engineering guidelines for dedicated resources allocation. The user should also set MAC preservation. This is mandatory when using local licenses as the license is coupled with the MAC.
- If multiple discovery methods are being used, it is possible that they will discover the same remote device. This can cause some confusion regarding the IP address being used to manage the unit, especially if a specific IP address is expected to be used for a specific remote device. It is important to note that the first discovery method used to discover the remote device is the one that will be used for management. For example, if DHCP advertisement is used at the time of an IP Agnostic discovery, then the IP address of that first method discovering the device is the one that will be used. It is good practice to use only one discovery method for a specific remote device.
- When the user completes an upgrade to the latest build without configuration reset, they will get an error "CSRF Violation" when uploading the import files for the first time.
  - Press Ctrl + F5 to refresh the page.
- The Sensor SFP 10G link can take 30 seconds to come up.
- The Sensor SFP 10G reboot time can take up to 60 seconds.
- SyncE:
  - Shall be used with no force link up disable and ESMC enabled.
  - Long term holdover not supported.
- Internet Explorer 11 is no longer supported. The browser does not support newer technology and does not always work properly.
- Loopback usage in the second-generation remote devices is limited to one loopback on both ports or two loopbacks on a unique port. Using two loopbacks on both ports at the same time will be removed in a future release.
- The virtual machine MTU must be configured to a value greater than 1526 bytes to generate 1500-byte NFV probes over a Q-in-Q interface.
- The virtual machine disk must be deployed using thin mode with ESXi to limit the storage to the configured size. Otherwise, the maximum configuration size will be reserved on the host.
- The following table provides the traffic downtime associated with the upgrade of a Sensor Control 20.11 release firmware suite. All values are expressed in seconds.
Note: The switching time (i.e., jump) between the PMON and TGEN firmware loads is equivalent to the FPGA downtime (third row below).
Firmware Suite Upgrade Downtime
Downtime | Sensor SFP 1G Copper | Sensor SFP 1G Optical | Sensor Module 1G Copper | Sensor Module 1G Combo | Sensor Module 10G | Sensor Module 1G | Sensor SFP 10G |
MCU | 4.30 | 3.92 | 5.08 | 2.14 | 3.97 | 4.28 | 2.27 |
Baseload | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
FPGA | 3.48 | 2.30 | 3.60 | 1.05 | 0.96 | 1.24 | 17.88 |
Total | 7.78 | 6.22 | 8.68 | 3.19 | 4.93 | 5.52 | 20.15 |
The traffic downtime values shown above were calculated following firmware upgrade tests performed with Assurance Sensors (formerly Accedian Skylight performance elements) acting as the host devices. Traffic downtime can vary from one host device type/model to another. For example, downtime measurements using a Cisco 901 as the host device gave the following results:
- Sensor SFP 1G copper Sensor Module downtime: 13.0
- Sensor SFP 1G optical Sensor Module downtime: 7.4
- SyncE clock transparency on Sensor SFP 1G copper Performance Modules may not work if the mastership is misconfigured.
- An XML file with the required Sensor Control virtual machine hardware information has been provided with this release to ease deployment of the Sensor Control on a KVM Hypervisor. Offered in libvirt-compatible format, this file can be used with any third-party tool that supports this format such as the virsh command line utility. For additional information, refer to libvirt.org.
- Prior to deploying the KVM image, you must configure your host networking settings to map to the Sensor Control network interfaces.
- Flow broker file transfer using FTPS:
  - Ensure the FTPS server allows session re-creation. Otherwise, the file transfer aborts, and the file is empty.
- SAT RFC-2544:
  - Due to the number of traffic filters available per remote device, SAT RFC-2544 Layer-3 (IP) tests using multiple (i.e., up to four) flows must use the same UDP source and destination ports on all flows, otherwise one of the flows will not function properly.
  - Attempts by the SAT RFC-2544 traffic generator to send two flows (Layer-3 packets with two distinct IP address targets) may occasionally fail. If this happens, simply restart the test.
- System Alarms:
  - The threshold period cannot be defined for raised or cleared alarms.
  - As the system reboots, some Loss of Connectivity alarms may be raised for remote devices that are configured in the system, but not yet linked to the Sensor Control instance. These alarms are cleared when the remote devices are linked again.
  - No alarm hierarchy mechanism has been implemented in the Sensor Control. As such, no alarms are filtered if a higher-priority alarm is raised.
- Remote Devices:
  - The remote device will be deleted if you change the port used for managing the remote device.
  - Due to the ageing mechanism used by the remote device inventory, a remote device may still appear in the inventory once it has been removed, depending on the discovery period.
  - A Domain ID cannot be specified when creating a remote device discovery instance using the ACP-Layer2 method. The Domain ID is automatically set to Default Domain.
  - When deleting a remote device, the link between the Sensor Control and the remote device must be properly closed before the same device can be added again. Remote devices added before the closure process has completed are not recognized by the Sensor Control. In such cases, simply allow a few seconds for the closure process to complete before trying again.
  - Since the Accedian ACP Layer-2 protocol is used to discover remote devices, its discovery messages may reconfigure the Auto interface of Accedian units (like Skylight element: TE, as well as NE and CE Skylight performance elements) running legacy firmware such as v4.9.x or older.
  - When discovering more than 500 remote devices, it is strongly recommended to perform the discovery process, at most, once every 60 seconds. The three-second discovery feature is CPU intensive.
  - The maximum permitted number of daisy-chained remote devices is 255.
- Time Synchronization:
  - Only NTP client instances are supported by this product: NTP server instances are not supported. The NTP client presents certain limitations compared to other Accedian products.
  - The date CLI command does not reject invalid dates.
- CFM second-generation Sensor Modules:
  - The Sensor Control manages CFM in either point-to-point or E-LAN topologies. These CFM messages are handled through an NFV tunnel established between a Sensor Control.
- The dynamic firmware update feature may require up to five minutes per remote device to update the loads contained on the remote devices that are linked to an instance of the Sensor Control.
- If a Sensor Module 1G has a combo port with one active port and one inactive port, both links will be shown as “up” because a remote partner is linked to each of them. The inactive port maintains an “up” link status to achieve faster media selection.
- Sensor SFP 1G and Sensor Module 1G cannot loop back any TCP frames addressed to them (device primary IP).
- A Sensor Control’s Node ID can be edited after the Probe agent has been disabled. For this reason, a nodeid edit command must be preceded by the agent server disable command and followed by the agent-server enable command.
- Each instance of the Sensor Control will extract the value of the following dynamic settings stored on the Sensor Module:
  - TWAMP stateless reflection state (enable/disable) and UDP port
  - Default TWAMP stateful reflection state (enable/disable) and UDP port
  - ETH-DMM reflection state (enable/disable)
  - SyncE state (enable/disable) and clock source selection and QL state (enable/disable)
  - LLDP enable state (enable/disable) and rate
  - Any port PHY related settings
  - Any port SFP related settings, such as:
    - Laser state (enable/disable)
    - Force Link Up (enable/disable) with timeout period
- Redundant Parameter Handling: If you enter redundant parameters in a command line, the system applies only the value of the last instance. For example, in the command mode edit syslog-ng enable syslog-ng disable, the system applies the final parameter value syslog-ng disable.
- When the system starts and PCA-AAA is not yet configured, the pca-aaa-client show connection status command intentionally displays the default value of OK for last token status and last auth request, and 0D:00H:00M:00S for next token update. In contrast, similar parameters for the pca-aaa-client show session status command, such as Last status and Uptime, are empty.
- By default, the tcpdump application converts the Source IP address and Destination IP address from the IP Header into hostname strings if the capture is directed to the console (stdout).
- Safari is not a supported browser. Accessing the application with Safari may result in limited functionality or unexpected behavior.
System Capabilities
The Sensor Control offers the following system capabilities:
Feature | Maximum | Changes in Sensor Control 25.07 |
Remote Device | ||
Remote devices configured and supported | 1500 | |
Remote device ports | 6000 | |
Interfaces, remote devices | 3000 | |
Discovery | ||
Discovery instances | 500 | |
Discovered remote devices | 2000 | |
Sensor Control Local Port & Interface | ||
Local ports (typically referred to as LOCAL-xyz) | 10 (including the Management port) | |
Sensor Control local route | 4092 | |
Interfaces, local ports | 100 | |
CFM | ||
Number of modules supporting CFM MEP session | 500 | |
CFM MEP session per second generation module | 8 | |
CFM Maximum number of Remote MEP | 99 | |
CFM MEP smallest interval | 1 second | |
Number of CFM MEP per Sensor Control | 4000 | |
Number of Packet loss per Sensor Control | 4000 | |
Number of Packet loss per second generation module | 8 | |
Number of DMM session per Sensor Control | 4000 | |
Number of DMM session per second generation module | 8 | |
DMM smallest interval | 1 second | |
Number of SLM session per Sensor Control | 4000 | |
Number of SLM session per second generation module | 8 | |
SLM smallest interval | 100 ms | |
SAT | ||
SAT Traffic Generation configuration (up to four flows) | 1000 | |
SAT Traffic Generation execution (up to four flows) | 500 | |
SAT Test Suites in the system (one test suite per device) | 500 | |
Y.1564 (8 flows) | 500 (tested 4) | |
SAT reports | 500 | |
TWAMP reflection instances (module) | 1500 | |
TWAMP reflection, stateful per module | 16 | |
DMM reflection instances (module) | 1500 | |
Loopback reflection per remote device | 2 | |
Flowmeter | ||
Flowmeter flows supported per remote port | 28 per device | |
Flowmeter flows supported per Sensor Control instance | 4000 | |
Flow broker | ||
Flow broker Analyzers | 100 | |
Flow broker Analyzers in an Analyzer set | 4 | |
Flow broker rules per Sensor Control | 1000 | |
Flow broker capture bandwidth per 1G module | 300 Mbps with 1 ms RTT 50 Mbps with 20 ms RTT | |
Flow broker capture bandwidth per Sensor SFP 1G | 300 Mbps with 1 ms RTT 50 Mbps with 20 ms RTT | |
Flow broker capture bandwidth per 10G module | 700 Mbps with 1 ms RTT 100 Mbps with 8 ms RTT | |
Flow broker capture bandwidth per Sensor SFP 10G | Not supported | |
Flow broker capture bandwidth per Skylight element: FSX | 100 Mbps with 1 ms RTT | |
Flow broker ERSPAN streaming bandwidth | 200 Mbps | |
Flow broker PCAP streaming bandwidth | 150 Mbps using SCP 500 Mbps using FTP | |
Flow broker Port Streaming bandwidth | 150 Mbps | |
Flow Probes | ||
PM Accuracy direct actuation (i350) | 50 µs | |
NFV PM Accuracy | 15 µs | |
PM Accuracy with SR-IOV | 500 µs for P99 | |
Sensor Control Actuator maximum number of probes | 4000 | |
Sensor Control Actuator maximum number of packets per second (receive and transmit) | 80 K in TX and 80 K in RX | |
Maximum number of probe reflection | 4000 | |
Maximum number of probes per module | 2000 | |
Maximum number of packets per second (receive and transmit) per module | 40 K in TX and 40 K in RX for 128-byte frames | |
PPS accuracy | ± 1.0 % | |
NFV TWAMP support | Yes | |
NFV ETH-DM support | Yes | |
NFV UDP Echo support | Yes | |
NFV ICMP Echo support | Yes | |
NFV ETH-VSP support | Yes | |
NFV ETH-LB support | Yes | |
NFV CFM maximum number of PPS | E-LINE 500 remote device per Sensor Control. E-LAN 100 remote device per Sensor Control. CFM instances: E-LAN: 1 MEP (each 99 RMEP) per RD 1 SLM per MEP per RD 1 DMM per MEP per RD. Tx: 11 pps, RX: 111 pps per RD CFM instances: E-LINE: 8 MEP per Module 6 SLM@10pps for 1 MEP per Module 8 DMM@1pps for 1 MEP per Module Tx: 76 pps, Rx: 76 pps per Module | |
NFV Tunnel | ||
Packet loss requirement | 10^-6 | |
RTT requirement | Validated with RTT between 5 ms and 50 ms | |
NFV Tunnel bandwidth | 42 Mbps for NFV TWAMP deployment 84 Mbps for Reduced NFV PM footprint deployment | |
Virtual-Connection | ||
VCE with IP domain enabled | 500 | |
VCE without IP domain | 50000 | |
Number of VCEs route | 2500 | |
VCA | 30000 | |
Synchronization | ||
ARTS | 500 | |
PTP TC layer-2 | Yes (Sensor Module 1G, Sensor Module 10G, Sensor SFP Copper and Sensor SFP Optical) | |
SyncE | Yes (Sensor Module 1G, Sensor SFP Copper and Sensor SFP Optical) No (Sensor Module 10G) | |
PTP OC for module | NA | |
Service Creation | ||
Policies and traffic filters per remote device | 10 for second generation 2 for Sensor SFP 10G | |
Bandwidth Regulator per second generation module | 16 | |
Bandwidth Regulator per Sensor Control | 24000 | |
PCP CoS mapping per port | 1 | |
CoS mapping per Sensor Control | 50 | |
DSCP CoS mapping per port | 1 | |
Alarms | ||
Number of trap alarm per second | 1000 | |
Users | ||
Local users | 15 | |
User groups | 8 | |
Sessions | ||
CLI sessions | 5 | |
WEB UI sessions | 15 | |
Total maximum sessions | 20 | |
Supported Filters | ||
Layer-2 filter | 6500 | |
IPv4 filter | 6500 | |
IPv6 filter | 6500 | |
Total maximum sessions | 19500 |
New Features
FIPS Mode Activation
Added support for FIPS (Federal Information Processing Standards)-compliant operation. FIPS mode can be enabled or disabled via the fips edit CLI command.
Cryptography, Encryption, and Key Management Enhancements
Enhanced cryptography, encryption, and key management capabilities, including:
- Key-pair generation for local certificates
- Management of local default and custom certificates
- Certificate revocation status checks
- Alarms for certificate expiration and expired certificates
- CLI support for certificate operations
- Trusted Root Store (TRS) bundle management via Management Web Interface
Identity and Access Management Enhancements
Implemented security improvements to identity and access management while maintaining backward compatibility. Key enhancements include:
- Secure storage of credentials
- Access management via password policies
- Removal of default credentials
- Prevention of undocumented access
Application and Interface Security Enhancements
Implemented a comprehensive set of application and interface security enhancements. Key features include:
- Input validation
- Secure data handling
- Adoption of web security best practices
- Protection against injection attacks, cross-site scripting (XSS), CSRF, and click-jacking
- Enforcement of HTTP Strict Transport Security
- Safe URL handling
Digital Signature Verification for AFL Files
Software update procedure now supports digital signature verification for AFL files, enhancing product security with improved authenticity and integrity checks.
Delete-All Sub-Permission for Remote Devices
Introduced a new "delete-all" sub-permission in the Remote-Device-Management permission set. This permission is now required to access the Delete All button on the Remote Devices Configuration screen or to delete all remote devices via the CLI.
Syslog Data Streaming to Multiple Destinations
Enabled syslog data streaming to multiple destinations via TCP, allowing alerts to be forwarded to administrators and Information System Security Officers (ISSOs).
Web Server Disabling Option
Introduced the capability to disable the web server to support audit functionality and to achieve FIPS (Federal Information Processing Standards) and STIG (Security Technical Implementation Guidelines) compliance.
Provider Connectivity Assurance AAA and MFA Integration
Added support for secure access to a centralized Authentication, Authorization, and Accounting (AAA) server and Multi-Factor Authentication (MFA) capabilities to Cisco Provider Connectivity Assurance Sensors.
Cisco SSL and Cisco SSH Library Integration
Integrated Cisco SSL and Cisco SSH libraries to support FedRAMP (Federal Risk and Authorization Management Program) compliance. This feature includes a runtime switch to enable FIPS (Federal Information Processing Standards) mode for these libraries.
Corrected Issues
This Assurance Sensor Control release corrects the following issues:
Same Serial Number on All Sensor Control Instances
Multiple Sensor Control instances installed on Ubuntu 24.04 are showing the same serial number.
TCPDUMP Feature Missing in Sensor Control 24.11
The TCPDUMP tool, which was available in Sensor Control version 23.12, is not accessible via the CLI in Sensor Control version 24.11.
Copper Sensor SFP Incompatibility with ASR 9010 IOS 7.6.2
Cisco ASR 9010 routers may fail to detect Copper Sensor SFPs after upgrading from IOS 6.7.3 to IOS 7.6.2. This issue results in unlinked Sensor SFPs and an outage of services such as PM sessions and Flowmeter. The problem occurs with firmware suites newer than 19.12.
Stateful TWAMP Session Counts False Duplicate when Packet is Reordered Both Ways
When a stateful TWAMP packet is first reordered on the uplink path and the same packet is then reordered a second time on the downlink path, the session counts false duplicate packets in the uplink path (p2r).
Management Web Interface Access Inaccessible with DNS Name
After upgrading to version 24.07, the Management Web Interface is inaccessible when using the DNS name, resulting in an 'Access Error: Site or page Not found' message.
Sensor Control 22.12.2 Security Vulnerabilities
The following vulnerabilities were identified in Sensor Control version 22.12.2:
- 7.4: Restricted Shell Escape to System Shell
- 7.9: Insecure Password Hash Storage (partially resolved in Sensor Control 24.11 with the removal of shell access. Resolved by the Identity and Access Management improvements in 25.07)
- 7.13: SSH Weak Algorithms Enabled (resolved by the Cisco SSH - FIPS feature in 25.07)
These issues prevent some users of Skylight Orchestrator 23.04.1 from upgrading Sensor Control, as they require the XML interface.
AC-31461 Y.1564 Not Showing All Test Configurations in Results Tab
When configuring more than eight Y.1564 tests in Sensor Control via Skylight Orchestrator, only the first eight test configurations are available for selection in the Test dropdown menu of the Results tab.
Release 25.07 Lifecycle
This section lists the planned lifecycle dates for this release.
Milestone | Description | Date |
General Availability | Date where the product is available for general field deployment for both new installations and upgrades. | 2025-08-01 |
End of Security Support | Date where security patches will no longer be delivered for this release. Any correctives for security defects required after this date will be delivered using the next major release of the software. | Next Major Release |
Last Time Buy / Last Time Ship | Date where this release can no longer be purchased. | 2027-08-01 |
End of Product Support | Date where functional patches will no longer be delivered for this release. Any correctives for functional defects required after this date will be delivered using the next major release of the software. | 2027-08-01 |
End of Technical Support | Date where technical assistance is no longer available from the Technical Assistance Center for this release. | 2030-08-01 |
© 2025 Cisco and/or its affiliates. All rights reserved.