Assurance Sensor GT GT-S Release Notes 25.07

These release notes cover the requirements, new features, and changes for the Cisco® Provider Connectivity Assurance Sensor GT/GT-S (formerly Accedian Skylight GT and GT-S Performance Elements) firmware version 25.07.

See Accedian Skylight is now Cisco Provider Connectivity Assurance for a table of all the new product names.

We highly recommend you read all release notes prior to installing this firmware version.

For more information, see: Cisco Provider Connectivity Assurance Sensor GT

Requirements

Assurance Sensor GT/GT-S 25.07 requires Legacy Orchestrator 23.12.3 or 24.09.1, or Sensor Management 25.07 or later.

Operational Considerations

Be aware of these operational considerations:

• IMPORTANT: If you are downgrading the firmware without performing a factory reset, you will not be able to connect to the board via CLI or WEB interfaces.
• IMPORTANT: Prior to upgrading the firmware on a unit where the History Buckets feature is enabled, certain precautions may need to be taken to prevent a loss of history data during the upgrade. Refer to ATRC-B10797 for details.
• In a G.8032 ring configuration, the Assurance Sensor GT-S supports a maximum of 62 policies on the LAG port (i.e. policies that govern how traffic is dropped from the ring to UNI ports). This limitation does not apply to the UNI ports (i.e. policies that govern how traffic is added to the ring) unless the VLAN-tagged customer traffic is passed transparently from the UNI port to the ring through one-to-one mapping.
  One way to avoid this limitation and maximize the number of usable UNI policies is to encapsulate multiple customer VLANs (coming from the UNI) under a single service provider VLAN on the ring. Doing so reduces the number of policies required by the LAG port.
• Redundant Parameter Handling: If you enter redundant parameters in a command line, the system applies only the value of the last instance. For example, in the command mode edit syslog-ng enable syslog-ng disable, the system applies the final parameter value syslog-ng disable.
• When the system starts and PCA-AAA is not yet configured, the pca-aaa-client show connection status command intentionally displays the default value of OK for last token status and last auth request, and 0D:00H:00M:00S for next token update. In contrast, similar parameters for the pca-aaa-client show session status command, such as Last status and Uptime, are empty.
• By default, the tcpdump application converts the Source IP address and Destination IP address from the IP Header into hostname strings if the capture is directed to the console (stdout).
• Safari is not a supported browser. Accessing the application with Safari may result in limited functionality or unexpected behavior.

New Features and Enhancements

This Assurance Sensor GT/GT-S release introduces the following new features and enhancements:

Cryptography, Encryption, and Key Management Enhancements
Enhanced cryptography, encryption, and key management capabilities, including:

• Key-pair generation for local certificates
• Management of local default and custom certificates
• Certificate revocation status checks
• Alarms for certificate expiration and expired certificates
• CLI support for certificate operations
• Trusted Root Store (TRS) bundle management via Management Web Interface

Identity and Access Management Enhancements
Implemented security improvements to identity and access management while maintaining backward compatibility. Key enhancements include:

• Secure storage of credentials
• Access management via password policies
• Removal of default credentials
• Prevention of undocumented access

Application and Interface Security Enhancements
Implemented a comprehensive set of application and interface security enhancements. Key features include

• Input validation
• Secure data handling
• Protection against injection attacks, cross-site scripting (XSS), CSRF, and click-jacking
• Enforcement of HTTP Strict Transport Security
• Safe URL handling

Digital Signature Verification for AFL Files
Software update procedure now supports digital signature verification for AFL files, enhancing product security with improved authenticity and integrity checks.

Syslog Data Streaming to Multiple Destinations and IPv6 Support
Enabled syslog data streaming to multiple destinations via TCP, allowing alerts to be forwarded to administrators and Information System Security Officers (ISSOs) and added syslog application support for the IPv6 protocol at the network and for the configuration of the RLS (Remote Logging Server) destination in a string-based format representing an IPv6 address.

Provider Connectivity Assurance AAA and MFA Integration
Added support for secure access to a centralized Authentication, Authorization, and Accounting (AAA) server and Multi-Factor Authentication (MFA) capabilities to Cisco Provider Connectivity Assurance Sensors.
This feature is available in the Alpha state intended for early field trials only and is not recommended for production environments. For further details, contact Cisco Technical Support.

Cisco SSL and Cisco SSH Library Integration and FIPs Mode Activation
Integrated Cisco SSL and Cisco SSH libraries to support FedRAMP (Federal Risk and Authorization Management Program) compliance. This feature includes a runtime switch to enable FIPS (Federal Information Processing Standards) mode for these libraries. FIPS mode can be enabled or disabled via the fips edit CLI command.

Corrected Issues

This Assurance Sensor GT/GT-S release corrects the following issues:

Management Web Interface Access Inaccessible with DNS Name
After upgrading to version 24.07, the Management Web Interface is inaccessible when using the DNS name, resulting in an 'Access Error: Site or page Not found' message.

Release 25.07 Lifecycle

This section lists the planned lifecycle dates for this release.