Assurance Sensor GT and GT-S Release Notes 24.07

These release notes cover the requirements, new features, and changes for the Cisco Provider Connectivity Assurance Sensor GT (formerly Skylight performance element: GT) firmware version 24.07.

Please see: Accedian Skylight is now Cisco Provider Connectivity Assurance for a table of all the new product names.

We highly recommend you read all release notes prior to installing this firmware version. For more information, refer to:

about this product, visit: For more information Cisco Provider Connectivity Assurance Sensor GT

Requirements

This firmware version applies to Assurance Sensor GT. It is compatible with Skylight orchestrator 23.12 and above.

Firmware Version 24.07.0_25861 (2024-08-09)

New Features and Enhancements

Assurance Sensor GT release 24.07 introduces the following new features and enhancements.

Change Release Number
Release naming convention has been changed to represent year and month of release and the release numbers will no longer be shown in an increasing numerical sequence, for example 8.0 to 8.1. Instead, they will represent the year and month of the release, for example: 24.07 for July 2024.

Performance Elements Official Change branding name
Product name for Skylight performance elements has changed to Cisco Provider Connectivity Assurance Sensors. This includes:
• Assurance Sensor LT-S
• Assurance Sensor LX-S
• Assurance Sensor GT
• Assurance Sensor GT-S

Cisco Branding
The graphical user interface and product name has been rebranded. The Skylight performance elements firmware has been rebranded to display the new name of Cisco Provider Connectivity Assurance Sensor and user interface branding changes have been made in alignment with Cisco branding.

Cisco Hardware Branding
Hardware units have been rebranded for the following Cisco Provider Connectivity Assurance Sensor models:
• GT, GT-S
• LT-S
• LX-S

Cisco UDI on elements
Added Cisco Unique Device Identifier (UDI) into the EEPROM, which is readable in software, using board show info or equivalent from the CLI or GUI only. This UDI is composed of the product ID, Version and Cisco serial number.

Test Assurance Sensor with Cisco SFP, 1G and 10G
The GT, GX, LT-S, LX-S software has been tested with Cisco 1G SFP (17 models) and LT-S and LX-S has been tested with Cisco 10G SFP (8 models).

Change default password
Upon initial login, the system shall force the user to change the default password when the unit is in the factory-default state

• The minimum password length is 1 character, and the maximum is 128 characters.
• Any character is acceptable
  Note: No leading and trailing spaces on the password should be used.

Note: The system shall NOT force the user to change the default password when the configuration is imported from another system or upgraded from a previous version.

Analyze Linux Vulnerabilities
The version for openssl has been updated to the correct version (3.0.14) and dropbear has been updated to the correct version 2024.85 and the following issues have also been fixed:
• CVE-2013-2094
• CVE-2014-3153

• Security compliances (CSDL/CSERV, Corona, TPSCRM)

Corrected Issues

Drop Opposite Traffic Warning Was Not Present
When enabling the checkbox of “Drop Opposite Traffic” in OAM Loopback, there was no warning that dropping opposite traffic would drop all the traffic entering the device on the opposite port. Warning has been added via pop-up: “Configuration changes are service affecting, Are you sure you want to proceed?” to warn users of the implications.

This issue has been fixed.

False PTP Alarm not Clearing
System-Configuration-Time was showing PTP synchronization status as synchronized, however the device was raising alarm error code 7.0001.05, even though there was no network changes or changes that would trigger this alarm.

This issue has been fixed.

Unable to use Netcraker to configure the device
The device is sending inaccurate information after performing unsuccessful configuration import via Netcracker. It shows import success and reboot success, however the device did not have the imported file and was then unable to reboot.

This issue has been fixed.

Security Vulnerabilities
The following issues have been fixed:

• Weak ssh--dss host key algorithm
• Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)
• GoAhead Server HTTP Header Injection Vulnerability (CVE-2019-16645)

Security Vulnerabilities
The following issues have been fixed:Local privilege escalation

• Insufficient input sanitization
• Read permissions for sensitive data

Security Vulnerabilities
Security vulnerabilities check. The following issues have been fixed:

• Maximum SSH connection to device (5 sessions): Verify able to connect up to 5 SSH session to device successfully

• Netconf connection to device: Enable Netconf on device, establish the Netconf connection to device by the below command:
  ssh admin@10.231.82.31 -p 830 -s netconf

• Terrapin Scanner tool to scan the issue (CVE-2023-48795)

• SSH to device with debug option

• Update dropbear to v2024.85

Operational Considerations

Important Notes

This section documents the operational considerations related to Assurance Sensor GT-S 24.07.

• IMPORTANT: Prior to upgrading the firmware on a unit where the History Buckets feature is enabled, certain precautions may need to be taken to prevent a loss of history data during the upgrade.
• In a G.8032 ring configuration, the Assurance Sensor LX-S supports a maximum of 62 policies on the LAG port (i.e. policies that govern how traffic is dropped from the ring to UNI ports). This limitation does not apply to the UNI ports (i.e. policies that govern how traffic is added to the ring) unless the VLAN-tagged customer traffic is passed transparently from the UNI port to the ring through one-to-one mapping.

One way to avoid this limitation and maximize the number of usable UNI policies is to encapsulate multiple customer VLANs (coming from the UNI) under a single service provider VLAN on the ring. Doing so reduces the number of policies required by the LAG port.