Upgrade and Downgrade Caveats
The following items provide key information about upgrading and downgrading with this software version.
Do not attempt to downgrade your SBC to a release not supported by your platform. See the Platform Support table for which platforms support which releases.
Syslog Transport Protocol
SCZ10.1.0 introduces TLS as a transport protocol for syslog messages. If you downgrade from 10.1 to a previous release, the transport protocol for syslog messages is set to UDP.
HMR Regex Matching
An upgrade to Lua in S-Cz10.0.0 affects how the SBC adds headers on outgoing messages. When the header contains multiple values, the order of the values cannot be guaranteed. As a result, your regex patterns must not assume any specific order to the values of a header.
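The following check is an added example, not Oracle code: it runs a candidate pattern against every ordering of a header's values and reports the orderings where the match result changes. The header values and both patterns are constructed samples, and Python's regex engine is assumed as a stand-in for testing the pattern offline.

```python
import itertools
import re

def order_sensitive(pattern, values, sep=","):
    """Return the header strings (one per ordering of `values`) for which
    `pattern` gives a different match result than for the original ordering."""
    rx = re.compile(pattern)
    results = {}
    for perm in itertools.permutations(values):
        header = sep.join(perm)
        results[header] = rx.search(header) is not None
    baseline = results[sep.join(values)]
    return [h for h, matched in results.items() if matched != baseline]

# Constructed sample: three values carried in one multi-value header.
VALUES = ["100rel", "timer", "replaces"]

# Assumes 100rel always precedes replaces: breaks when the order changes.
FRAGILE = r"100rel,.*replaces"

# Accepts the two values in either order.
ROBUST = r"(100rel.*replaces|replaces.*100rel)"

if __name__ == "__main__":
    for name, pat in (("FRAGILE", FRAGILE), ("ROBUST", ROBUST)):
        bad = order_sensitive(pat, VALUES)
        print(f"{name}: {len(bad)} ordering(s) change the result")
        for header in bad:
            print("   ", header)
```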
Certificates Signature Algorithm
If you previously created a certificate using a weak signature algorithm or message digest like MD5 or SHA1, you must create a new certificate using SHA256. Use show security certificates to view which signature algorithm is used.
Downgrade Caveat on Central Certificate Authority Store Feature
The central CA certificate store feature was added to S-Cz9.3.0p5. When downgrading from a version that supports this feature to one that does not, any CA-certificates that you imported from the certificate-bundle remain in the SBC along with their corresponding certificate-records. To remove these certificates from your system, you must manually delete each certificate-record from your configuration.
SSH Host Key Algorithms
The SBC uses rsa-sha2-256 as the default host key algorithm. SSH clients that offer only a SHA1 hash algorithm, like ssh-rsa, are not supported; your SSH client must offer a SHA2 hash algorithm. If you receive a "no matching host key type found" error message, upgrade your SSH client to one that supports connecting to hosts with SHA2 host keys.
NPLI Sync During Upgrades
During an HA pair upgrade, when a switchover activates the standby which uses a newer image, the cached NPLI (Network Provided Location Information) will be deleted from the newly active SBC before it actively expires. If configured, the default-location-string will be sent in subsequent messages. This issue persists until both HA nodes use the new image.
TLS Secure Renegotiation
In release S-Cz9.3.0 and later, the SBC requires the use of TLS Secure Renegotiation as described in RFC 5746 in order to counter the prefix attack described in CVE-2009-3555. If the devices attempting a TLS connection to the SBC don’t support TLS Secure Renegotiation, the TLS handshake fails. Oracle recommends updating such devices to support TLS Secure Renegotiation.
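To identify devices that will fail the handshake, a captured ClientHello can be checked for the two ways a client signals RFC 5746 support: the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value or the renegotiation_info extension. This is an added example, not Oracle code; build_client_hello is a hypothetical helper that produces constructed sample input.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)

def signals_secure_renegotiation(record: bytes) -> bool:
    """True if a ClientHello record carries the RFC 5746 SCSV or extension."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # skip session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = struct.unpack_from(f"!{cs_len // 2}H", record, pos)
    pos += cs_len
    pos += 1 + record[pos]               # skip compression_methods
    if SCSV in suites:
        return True
    if pos + 2 > len(record):            # hello has no extensions block
        return False
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == RENEG_INFO_EXT:
            return True
        pos += 4 + ext_len
    return False

def build_client_hello(suites, extensions=()):
    """Hypothetical helper: build a minimal, constructed ClientHello record."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```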
SuppressAdditionalProvisional SPL Upgrade Caveat
If you are using the SuppressAdditionalProvisional SPL loaded on an SBC version prior to version S-Cz9.3.0, and are upgrading to S-Cz9.3.0 or later, remove this suppression SPL manually and reboot your system before you perform this upgrade. Instructions for removing an SPL, with an explanation, are documented in the SBC Processing Language (SPL) Chapter of the SBC Configuration Guide.
Entitlement Caveat for MSRP B2BUA Sessions Entitlement
Before upgrading the Acme Packet 3900 platform to S-Cz9.3.0 or later, set your MSRP B2BUA Sessions entitlement on that system to zero. After the upgrade is complete, reset your MSRP B2BUA Sessions entitlement back to your desired value. That platform does not properly support this entitlement during upgrades.
Default TLS Version
- Releases prior to S-Cz9.2.0 do not support TLS 1.3.
- Releases S-Cz9.3.0 and S-Cz10.0.0 do not support TLS 1.0 or TLS 1.1.
- If you are downgrading from this release to a release prior to S-Cz9.2.0, set your tls-version to compatibility.
Downgrade Caveat for NTP Configurations using an FQDN
If you create a realm-config for providing resolution of FQDNs for NTP servers through the wancom0 interface, Oracle recommends that you remove this wancom0 realm-config before downgrading to a version that does not support FQDNs for NTP servers. If you retain this configuration, you lose SSH and GUI access after the downgrade.
To recover from this issue, use console access to remove the wancom0 realm-config. Also remove the wancom0 phy-interface and network-interface.
If you configure FQDN resolution for NTP servers through a media interface, you can downgrade to a version that does not support this resolution without removing that configuration.
Upgrading Transcoding Jitter Settings to S-Cz10.0.0 or later
Most customers should benefit from the dynamic adaptive feature, and require no intervention. However, if you have customized the previous xcode-jitter-buffer-min and xcode-jitter-buffer-max jitter buffer options settings, the SBC retains these settings in the new configurations. Specifically:
- xcode-jitter-buffer-min—mapped to xcode-jitter-buffer-low-min and xcode-jitter-buffer-high-min
- xcode-jitter-buffer-max—mapped to xcode-jitter-buffer-low-max and xcode-jitter-buffer-high-max
This mapping results in the same transcoding jitter buffer behavior performed in versions prior to S-Cz9.3.0. These behaviors do not make full use of the new adaptive feature. Also, the SBC performs this mapping during boot-up in a way that does not permanently alter your configuration.
For a proper long-term migration, remove any previous xcode-jitter-buffer-min and xcode-jitter-buffer-max jitter buffer options settings from your configuration prior to your upgrade. This allows the new adaptive features to take effect.
If needed, you can then modify the new options settings from their default values. Oracle recommends, however, that you use the adaptive transcoding jitter buffer feature with the default settings, and only change those settings under the direction of Oracle support.
Connection Failures with SSH/SFTP Clients
If you upgrade and your older SSH or SFTP client stops working, check that the client supports the minimum ciphers required in the ssh-config element. The current default HMAC algorithm is hmac-sha2-256; the current key exchange algorithm is diffie-hellman-group14-sha256. If a verbose connection log of an SSH or SFTP client shows that it cannot agree on a cipher with the SBC, upgrade your SSH client.
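The triage described here and under SSH Host Key Algorithms can be scripted. The following is an added example, not Oracle code: it scans a verbose OpenSSH client log for failed negotiations and compares the server's offer with the SBC defaults named on this page. The log text and address are constructed samples.

```python
import re

# SBC-side algorithms named on this page, keyed by OpenSSH's error wording.
SBC_DEFAULTS = {
    "host key type": "rsa-sha2-256",
    "MAC": "hmac-sha2-256",
    "key exchange method": "diffie-hellman-group14-sha256",
}

# OpenSSH client message for a failed algorithm negotiation.
NEGOTIATION_FAILURE = re.compile(
    r"no matching (host key type|key exchange method|MAC|cipher) found\. "
    r"Their offer: (\S+)"
)

def triage(log_text):
    """Return one finding per failed negotiation in an ssh/sftp -v log."""
    findings = []
    for m in NEGOTIATION_FAILURE.finditer(log_text):
        category, offered = m.group(1), m.group(2).split(",")
        default = SBC_DEFAULTS.get(category)   # None: page names no default
        findings.append({
            "category": category,
            "server_offer": offered,
            # True means the server offered the default from this page and
            # the client could not accept it, so the client needs upgrading.
            "client_lacks_page_default": (default in offered) if default else None,
        })
    return findings

# Constructed sample logs (documentation address, not a real host).
HOST_KEY_LOG = """\
debug1: Connecting to 192.0.2.10 [192.0.2.10] port 22.
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: rsa-sha2-256
"""
MAC_LOG = """\
debug1: Connecting to 192.0.2.10 [192.0.2.10] port 22.
Unable to negotiate with 192.0.2.10 port 22: no matching MAC found. Their offer: hmac-sha2-256
"""

if __name__ == "__main__":
    for log in (HOST_KEY_LOG, MAC_LOG):
        for finding in triage(log):
            print(finding)
```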