Fixes

This section lists released builds that include fixes found in this branch of the software. Software fixes are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all fixes added in earlier versions.

The Symptom statement describes what a user might experience if this is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue for customers who decide not to update to this version of software.

The number that precedes the fix description is used for tracking purposes.

Table 1: Fixed Issues

Version

Bug ID

Software

Description

Category

16.10.0025

-

KB

No fixes were included in version 16.10.0025.

-

16.10.0024

256574

KB

Symptom: The switch crashes if the ip tcp randomize-timestamp configuration is present on the switch.

Scenario: This issue occurred when the switch had the ip tcp randomize-timestamp configuration and SSH/Telnet/Web UI was established on the switch.

Workaround: Remove the ip tcp randomize-timestamp configuration.

Boot and Reload

16.10.0024

256897

KB

Symptom: The switch crashes with the message :

Software exception in ISR at Interrupts_fd.c:1145 -> Excessive FD 0 interupts.

Scenario: This issue occurred when the IPSEC traffic was tunneled via UBT.

Tunneled Node

16.10.0024

256872

KB

Symptom: The switch crashes with the message :

NMI event SW:IP=0x0ea80030 MSR:0x02029200 LR:0x0ea800cccr: 0x42000400 sp:0x1f5d46e8 xer:0x00000000Task='mDsnoopCtrl' Task ID=0x1f5d13a8.

Scenario: This issue occurred when the DHCP snooping was enabled and the switch was processing continuous DHCP packets.

Workaround: Disable the DHCP snooping.

DHCP Snooping

16.10.0024

256651

KB

Symptom: System memory depletes and the switch reboots after a few months of run-time.

Scenario: This issue occurred when the switch was connected to AirWave, and the AirWave was polling certain MIBs including ieee8021SpanningTreeDesignatedRoot and hpicfXpsSwitchModType.

Central Integration

16.10.0024

256574

KB

Symptom: The switch crashes if the ip tcp randomize-timestamp configuration is present on the switch.

Scenario: This issue occurred when the switch had the ip tcp randomize-timestamp configuration and SSH/Telnet/Web UI was established on the switch.

Workaround: Remove the ip tcp randomize-timestamp configuration.

Boot and Reload

16.10.0023

256543

KB

Symptom: IPTV stream freezes on a periodic basis as the querier information is lost.

Scenario: This issue occurred when the IGMPv3 query was sent with a QQIC value lower than the IGMPv2 configs.

Workaround: Change the querier interval value configured for IGMPv2 to a value higher than 60 seconds (default IGMPv2 querier interval).

IGMPv3

16.10.0023

256613

KB

Symptom/Scenario: Some IP addresses for save config and config change in the traps will not be displayed in AirWave.

AirWave

16.10.0023

256695

KB

Symptom: Dynamically learned routes will lose the nexthop and traffic will not be forwarded.

Scenario: This issue occurred when VRRP was configured in the owner mode along with the routing protocols.

Workaround: Configure VRRP in backup mode when using the routing protocols.

OSPFv2

16.10.0023

256733

KB

Symptom: IP SLA for reachability failed status shows garbage RTT value when polling using SNMP, i.e. hpicfIpSlaHistSummRTT returns non zero values even for unreachable history records.

Scenario: This issue occurred when the IP SLA target was reachable for 25 intervals and then became unreachable.

IPSLA

16.10.0023

256575

KB

Symptom: The switch does not respond to valid SNMP packets.

Scenario: This issue occurred when the UDP packets were sent without any data. After 65 packets, the switch stopped responding to the valid packets.

SNMPv3

16.10.0023

256600

KB

Symptom: Client will not be in authenticated state until cached-reauth period.

Scenario: This issue occurred when 802.1x authentication was configured with cached-reauth.

Workaround:

  • First, enable the user-role authentication and then configure the critical user-role for the authentication port.

  • Critical user-role should not have the reauth-period attribute and auth-order should be removed for the authentication port.

802.1x

16.10.0023

256732

KB

Symptom: Local-user with group cannot be configured via SNMP.

Scenario: This issue occurred when local-user with group using SNMP was configured.

Workaround: User can configure local-user with group using CLI configuration.

SNMPv2

16.10.0022

256590

KB

Symptom/Scenario: When a port is added to a VLAN from the Web UI, IPv6 will be enabled on the VLAN.

NextGen WebUI

16.10.0022

256541

KB

Symptom: Authentication or Accounting using RadSec server is delayed.

Scenario: This issue occurred when there was only one RadSec server configured and the TLS connection to that server was terminated.

Radius

16.10.0022

256509

KB

Symptom: The BSR and RP candidate cannot be configured with a VLAN ID greater than 999.

Scenario: This issue occurred when a VLAN ID greater than 999 was configured with ip pim-sparse enabled and bsr-candidate/rp-candidate was configured in router pim/pim6 with the respective VLAN ID.

PIM Sparse Mode

16.10.0022

256491

KB

Symptom: Multicast traffic stops for several seconds, causing the video stream to freeze.

Scenario: This issue occurred when multiple clients were connected to the same access switch (the access layer with AOS-S switches and distribution/core layer with CX switches) receiving the same multicast stream, and one of the clients sent an IGMP leave.

NOTE: This fix is only specific to IGMPv2.

IGMP

16.10.0022

256485

KB

Symptom: REST request over HTTPS fails as SSL connection is not established.

Scenario: This issue occurred when a GET request with an empty JSON payload was sent.

Workaround: Replace the empty JSON payload with None in the GET request.

REST APIs

16.10.0022

256372

KB

Symptom: Traffic from the secondary VLAN does not reach the primary VLAN.

Scenario: This issue occurred when there was a tagged trunk port in the secondary VLAN and the switch was rebooted.

Workaround: Remove the tagged trunk configuration from the secondary VLAN and re-add the tagged trunk configuration to the secondary VLAN.

PVLAN

16.10.0022

256358

KB

Symptom: An invalid username or password grants the operator access to the switch's Web UI.

Scenario: This issue occurred when a banner and a manager password were configured but not an operator password.

Workaround: Remove the banner configuration.

WEB UI

16.10.0021

256433

KB

Symptom: Authentication does not occur on the second switch when an end client is moved between two different switches.

Scenario: This issue occurred when the MAC address of the end client is learned on the uplink port first (where authentication was not enabled) and later learned on an access port (where authentication was enabled).

Mac Authentication

16.10.0021

256424

KB

Symptom: Device fingerprinting fails when the first RADIUS server in the list is unreachable.

Scenario: This issue occurred when there were more than one RADIUS server configured and the first server in the list was not reachable.

Workaround: Keep the unreachable RADIUS server as the last entry in the list.

Device Finger Printing

16.10.0021

256420

KB

Symptom/Scenario: Switch crashes after entering the ip-recv-mac-address command.

Workaround: Use an interval value greater than 2 when configuring ip-recv-mac-address.

Boot and Reload

16.10.0021

256406

KB

Symptom: Traffic is sent directly to the clients in VLANs that do not have an IP address configured instead of being sent to the gateway configured in the routing table.

Scenario: This issue occurred when the switch had both Layer 2 and Layer 3 VLANs and IP client tracker was enabled.

Workaround: Disable the IP client tracker.

Note: The IP address of silent clients being tracked may not be learnt unless a port bounce is performed after a redundancy failover.

Static Routing

16.10.0021

256366

KB

Symptom/Scenario: The switch crashes with a message similar to the following: Software exception at multMgmtUtil.c:259 – in 'mOobmCtrl' -> Internal error.

Coredump

16.10.0021

256349

KB

Symptom: The memory of the switch is slowly consumed until executing any CLI command results in an Out of memory message.

Scenario: This issue occurred when the switch had aaa configured, was connected to Aruba Central, and had neighbours that shared LLDP information.

VSF

16.10.0021

256122

KB

Symptom: Tx drops are seen on the port after the trunk member is removed.

Scenario: This issue occurred when the port was configured to be a member of the trunk and subsequently removed from the trunk when the port was down. The issue will be seen when a client is connected to the port.

Workaround: Configure the trunk while the port is up.

LACP

16.10.0021

256069

KB

Symptom: The switch reports a selftest failure on the transceiver ports with Rx timeout error.

Scenario: This issue occurred when the 3810 stack rebooted with SFP+ flex modules and J8177D transceivers.

Chassis Manager

16.10.0020

256274

KB

Symptom/Scenario: VSF Stack Member crashed with a message similar to the following:

Software exception at lava_chassis_slot_sm.c:3626 – in 'eChassMgr', task ID = 0x37b07bc0.

VSF

16.10.0020

256257

KB

Symptom/Scenario: Certain transceivers had link issues in unsupported transceiver mode.

Transceivers

16.10.0020

256234

KB

Symptom: The show rmon statistics <port no> command returns the wrong counter values.

Scenario:This issue occurred when the clear statistics global or clear statistics <port no> was executed first and then show rmon statistics <port no>.

CLI

16.10.0020

256233

KB

Symptom: Client ports may encounter packet drops when multicast sources stream video over 500 Mbps.

Scenario: This issue can occur when multiple clients from different ports subscribed to the same group, which streams using HD channels requiring high bandwidth. TX drops can occur when several clients change channels simultaneously.

Workaround: Lower the bandwidth of the video streams to below 500 Mbps in order to avoid over-subscription of ports.

IGMP-NG

16.10.0020

256220

KB

Symptom: Missing OSPF routes.

Scenario: This issue occurred when both userbased tunneling and OSPF are configured and either of the uplinks to the controller is down.

NOTE: source-interface to be configured for tunneled node when the switch has more than one vlan to the reach the controller.

OSPFv2

16.10.0020

256205

KB

Symptom: A configuration template push from Aruba Central fails.

Scenario: This issue occurred when the end devices are connected to ports that are configured with port-security learn-mode static.

Central Integration

16.10.0020

256140

KB

Symptom: The switch crashes with an error message: NMI event.

Scenario: This issue occurred when the HP MSM 775 wireless controller was connected to the switch and snmpwalk was executed.

SNMPV2

16.10.0020

256167

KB

Symptom: Ports with per-port tunneled node (PPTN) configured might be disabled after a switch reboot.

Scenario: This issue occurred when a device profile was configured with tunneled-node.

Workaround: Disable and enable the problematic PPTN enabled port manually.

Tunneled Node

16.10.0020

255916

KB

Symptom/Scenario: Slot crashes with signatures OMFP LPTR Err Status = 0x00000310 (DEC_ERR_CNT) and

FR Error = 0x18000020 (ALLOC_CHIP_PORT_UNDERFLOW).

Basic Layer2

16.10.0019

256115

KB

Symptom: Although the switch does not react to pings or SSH commands, it continues to transit traffic. The event log contains a crash message.

Scenario: This issue occurred when device fingerprinting was configured with DHCP protocol.

CPPM

16.10.0019

256200

KB

Symptom: Per-port tunneled node (PPTN) disables the port for one second as part of tunnel deletion.

Scenario: This issue occurred when the device-profile application with tunneled-node was disabled on a PPTN enabled port.

Workaround: Disable and enable the problematic PPTN enabled port manually.

Tunneled Node

16.10.0019

256121

KB

Symptom: Web authentication fails when the switch is managed by Aruba Central (aruba-central support-mode disable).

Scenario: This issue occurred when the switch was connected to Aruba Central and aruba-central support-mode was disabled.

Workaround: Execute aruba-central support-mode enable command so the switch is longer managed by Aruba Central.

Web Authentication

16.10.0019

256144

KB

Symptom: Switch is unable to connect to Activate.

Scenario: This issue occurred during the initial onboarding of the switch, however it can also occur after the switch is visible on Aruba Central.

Activate

16.10.0018

256037

KB

Symptom: Clients are not authenticated on a switch port.

Scenario: This issue occurred when multiple clients were connected to a single port (for example, a Personal Computer (PC) was connected to a phone), both MAC authentication and 802.1X authentication methods were attempted at the same time on the PC, and both the authentication methods used the same user role attribute.

Workaround: Configure the auth-order parameter first with authenticator, and then with mac-based.

802.1X

16.10.0018

255928

KB

Symptom/Scenario: A switch is unable to connect to Aruba Central.

Aruba Central

16.10.0018

255940

KB

Symptom: A switch crashes with a message similar to the following:

Software exception at svc_misc.c:1088 – in 'mDHCPClint'

-> Failed to malloc 9202 bytes.

Scenario: This issue occurred when the switch attempted to reconnect to Aruba Central.

Aruba Central

16.10.0018

255978

KB

Symptom: A switch crashes with a message similar to the following:

Software exception in ISR at pvDmaV1Rx.c

-> ASSERT: No resources available!.

Scenario: This issue occurred when 802.1X and MAC authentication were enabled on the same port with auth-order, and the client was initially authenticated through MAC authentication with a user role having the port mode attribute.

Authentication

16.10.0018

255995

KB

Symptom: A switch crashes when the show port-access clients command is issued or when an SNMP GET operation is performed to get the MIB object hpicfUsrAuthMacAuthSessionStatsEntry.

Scenario: The switch crashed when a MAC-authenticated client had a username of more than 40 characters.

Authentication

16.10.0018

255896

KB

Symptom: A stack member loses connection to the stack and gets stuck in a boot loop.

Scenario: This issue occurred when the stacking links were configured as a full mesh, and two links went down leaving the stacking links in a chain configuration.

Back Plan Stacking

16.10.0018

254566

KB

Symptom: Traffic fails to pass through an IEEE 802.1ad tunnel.

Scenario: This issue occurred because of the following reasons:

  1. A Small Form-factor Pluggable+ (SFP+) port was configured as an uplink.
  2. IEEE 802.1ad was configured on the same port.
  3. The switch was rebooted without a transceiver in the slot.
  4. A 1G SFP transceiver was inserted during the runtime.

Workaround: Insert the 1G SFP transceiver, and then reboot the switch.

IEEE 802.1ad

16.10.0018

256123

KB

Symptom: Received packet drops are observed on a port.

Scenario: This issue occurred when the TCP traffic, with the push flag set, consumed 100% bandwidth on a 1G port of a V3 module.

Interfaces

16.10.0018

256016

KB

Symptom: When a private VLAN is configured on a switch, the traffic from the secondary VLAN does not reach the primary VLAN.

Scenario: This issue occurred when the switch was rebooted, and the secondary VLAN contained a tagged trunk or Link Aggregation Control Protocol (LACP) port.

Workaround: Remove and add the tagged trunk or LACP configuration to the secondary VLAN.

Private VLAN

16.10.0018

256034

KB

Symptom: SNMP MIB files are not reachable, and the MIB file returns some errors.

Scenario: This issue occurred when the customer used an SNMP monitoring tool to read or parse the MIB files.

SNMP

16.10.0018

256050

KB

Symptom: A switch crashes when the WebUI Security > Clientspage is accessed.

Scenario: The switch crashed when a MAC-authenticated client had a username of more than 40 characters.

Web UI

16.10.0017

255888

KB

Symptom/Scenario: When a proxy server is configured on the switch, the switch does not onboard into Aruba Central or Activate.

Aruba Central

16.10.0017

255762

KB

Symptom/Scenario: A switch crashes with the following message:

OMFP LPTR Err Status = 0x00000310 (DEC_ERR_CNT) .

Chassis

16.10.0017

255799

KB

Symptom: The user is unable to copy a configuration file to the switch using Secure File Transfer Protocol (SFTP) and the following error message is displayed.

Invalid input: grep usage error

Scenario: This issue occurred when the pipe character ( | ) was used as a part of the command input for some configuration commands, such as the banner motd and snmpv3 user commands.

Workaround: Do not use the pipe character (|) in the command input for the configuration commands.

Configuration

16.10.0017

255908

KB

Symptom/Scenario: A new multicast stream is initially broadcast on a VLAN even when no IGMP join is sent.

IGMP

16.10.0017

255195

KB

Symptom: The switch memory utilization spikes and might reach to 100%.

Scenario: This issue occurred when many ports were monitored and mirrored to one port.

Workaround: Disable mirroring on the ports.

Mirroring

16.10.0017

255825

KB

Symptom/Scenario: When a switch is rebooted through an SSH session, the show boot-history, show logging, and boot command outputs include the Operator cold reboot from TELNET session message instead of the Operator cold reboot from SSH session message.

SSH

16.10.0017

255827

KB

Symptom/Scenario: A switch crashes with the following message:

Health Monitor: Invalid Instr Misaligned Mem Access .......Task='InetServer'.

System

16.10.0017

255760

KB

Symptom/Scenario: A switch crashes with the following message:

Software exception at bsp_interrupts.c:90 – in 'fault_handler'.

Tunneled Node

16.10.0016

255682

KB

Symptom: The RADIUS accounting packets sent from the switch to the RADIUS server do not contain the correct client IP address.

Scenario: This issue occurred when both user authentication and MAC authentication were configured.

802.1X

16.10.0016

255400

KB

Symptom: The switch is unable to connect to Activate or Aruba Central.

Scenario: This issue occurred when the show crypto pki ta-profile command displayed Pending Root Certificate In... for the GEOTRUST_CA profile, and the following event was recorded in the event log:

05222 activate: ST1-CMDR: Error connecting to the Activate server: Activate TLS connection error.

Activate

16.10.0016

255653

KB

Symptom: The switch crashes with a Non-Maskable Interrupt (NMI) event.

Scenario: The switch crashed because of the following reasons:

  1. The switch was configured to receive a DHCP address.
  2. The activate provision force command was configured on the switch.
  3. The no activate software-update check command was executed.

Activate

16.10.0016

255554

KB

Symptom/Scenario: When the switch is powered on for the first time and ZTP is initiated, the switch does not come online in Aruba Central.

Workaround: Reboot the switch or execute the reset saved-configuration command.

Central

16.10.0016

255672

KB

Symptom/Scenario: A configuration push from Aruba Central fails when the configuration contains the crypto pki enroll-est-certificate command.

Workaround: Add a valid value for Enter Country (C) field in the subject fields of the crypto pki enroll-est-certificate command.

Central

16.10.0016

255697

KB

Symptom: The switch crashes with the following message:

Software exception in ISR at btmDmaApi.c:650 -> ASSERT: No resources available!.

Scenario: This issue occurred when there was a repeated hardware fault in one of the power supplies.

Chassis Manager

16.10.0016

255570

KB

Symptom/Scenario: The Rx Errors counter in the show interfaces command output is not cleared when the clear statistics global command is executed.

CLI

16.10.0016

255719

KB

Symptom: The IP address of the next server is not present in the DHCP response packet.

Scenario: This issue occurred when the DHCP server with option 66 and option 150 was configured in the server pool.

DHCP Server

16.10.0016

255417

KB

Symptom: The switch crashes with an NMI event.

Scenario: This issue occurred when the DHCP snooping traffic was sent continuously to the switch with DHCP option 82, and the DHCP clients rebooted frequently.

DHCP Snooping

16.10.0016

255552

KB

Symptom/Scenario: Mirrored egress packets are tagged even though the no-tag-added option is configured.

Workaround: Reapply the existing monitor configuration after removing the configuration using the no monitor all both mirror 1 command.

Port Mirroring

16.10.0016

255593

KB

Symptom: The switch crashes when the qos trust dscp configuration is applied.

Scenario: This issue occurred when the qos trust dscp command was configured on an admin disabled port of a v2 module.

Workaround: Enable the port before configuring the qos trust dscp command.

QoS

16.10.0016

255638

KB

Symptom: Some PBT clients experience traffic loss.

Scenario: This issue occurred when both VRRP and PBT were configured on the switch, and a VRRP failover event was recorded.

Workaround: Disable and enable PBT on the switch.

Tunneled Node

16.10.0016

255586

KB

Symptom: Running configuration does not display the local user roles.

Scenario: The issue occurred when the switch was configured to use both downloadable and local user roles.

Workaround: Reboot the switch.

User Roles

16.10.0016

255619

KB

Symptom: The Ports table on the Web UI does not display all the interfaces of the switch.

Scenario: This issue occurred when the Name and Id sent through LLDP contained a trailing backslash (\), and the same was configured on the port.

Workaround: Disable LLDP on the switch using the no lldp run command.

Web UI

16.10.0015

255511

KB

Symptom: Border Gateway Protocol (BGP) route updates do not contain the community value.

Scenario: This issue occurred when an unused route map was deleted.

BGP

16.10.0015

255500

KB

Symptom: BGP route updates are not sent with the community value.

Scenario: This issue occurred when a new route map was applied to a neighbor with the matching community rule.

BGP

16.10.0015

255124

KB

Symptom: Captive portal redirection does not work.

Scenario: This issue occurred when the ip client-tracker command was enabled, and the VLAN where the client onboarded had the disable layer3 command configured.

Workaround: Remove ip client-tracker or disable layer3 configuration from the client VLAN.

Captive Portal

16.10.0015

255259

KB

Symptom/Scenario: Executing the show tech all command resets the port counters in all sessions.

CLI

16.10.0015

255134

KB

Symptom: Switch crashes regularly with the following message:

Active/Commander system went down:

eSoftware exception at msgSys.c:641 -- in 'mNSR',

-> Can't get message buffer for msgSys_recv.

The event log indicates continuous removal and application of the device-profile.

Scenario: This issue occurred with a device profile for an AP enabled, with both interfaces of the AP connected to the switch through a trunk, and when the switch was rebooted.

Workaround: Disable and enable the device profile.

Device Profile

16.10.0015

255158

KB

Symptom: Multicast traffic with the source IP address 0.0.0.0 floods to all ports, even with IGMP snooping enabled.

Scenario: This issue occurred when the multicast traffic was sent with a NULL IP source from a device connected to a non-querier device.

IGMP

16.10.0015

255408

KB

Symptom: Unauthorized clients can connect and access the switch using the loopback address.

Scenario: This issue occurred when the ip authorized-managers command was configured and an unauthorized client attempted to connect to the loopback address.

IP Authorized Manager

16.10.0015

255105

KB

Symptom: Module reboots with the following message:

Ports A subsystem went down

Software exception at mrtm_shadow.c:500 -- in 'mAsicUpd'

-> MRT parity error.

Module crashes when the multicast traffic hits Port-Based Forwarding (PBF) rule.

Scenario: This issue occurred when the PBF rule is configured with the destination IP of any, a trunk interface is the next hop, and multicast traffic hits the PDF rule.

PBF

16.10.0015

255464

KB

Symptom/Scenario: A Quality of Service (QoS) policy, which has a space character in the name, cannot be removed from an interface or VLAN.

Policy Map

16.10.0015

255430

KB

Symptom: When the show radius command is executed, the output shows the RadSec server as a Dead server.

Scenario: This issue occurred because of the following reason:

  1. When the radius-server dead-time, aaa authentication and aaa accounting commands were configured.
  2. Accounting was disabled on the RADIUS server and a RadSec connection was established.
  3. When an SSH session was established and commands were executed from that session.

RADIUS

16.10.0015

255342

KB

Symptom: When an initial role is applied, clients do not attempt to reauthenticate.

Scenario: This issue occurred when the server-timeout value was less than the RADIUS request timeout.

Workaround: Configure a greater server-timeout value than the RADIUS request timeout.

RADIUS

16.10.0015

255171

KB

Symptom: The switch CPU spikes and the ClearPass RADIUS server shuts down.

Scenario: This issue occurred when MAC authentication used the peap-mschapv2 authentication method. As a result, Access-Request and Access-challenge messages were exchanged in a loop.

RADIUS

16.10.0015

255067

KB

Symptom: Switch does not respond to Simple Network Management Protocol version 3 (SNMPv3) queries.

Scenario: This issue occurred when there was a wrong value in the boot counter.

SNMPv3

16.10.0015

255072

KB

Symptom/Scenario: The following issues may be seen with a switch module:

  • When the no module command is executed for a module that is present in a VSF standby switch, the module reboots instead of staying in a powered down state.
  • When the no module command is executed for a module that is in a failed state in a VSF standby switch, the switch returns the following error:

Module unconfiguration is in progress.

Workaround: Remove the module physically, and execute the no module command.

VSF

16.10.0014

255376

KB

Symptom/Scenario: Traffic loss is observed in Port-Based Tunneling (PBT) and controller Virtual Router Redundancy Protocol (VRRP) topology.

Workaround: Disable and enable PBT on the switch.

Tunneled Node

16.10.0013

255031

KB

Symptom: Switch loses connectivity to Aruba Central after a template is pushed.

Scenario: This issue occurred when a template with netdestination commands were pushed to the switch.

Workaround: Add aruba-central url to the template that is applied.

Central

16.10.0013

254985

KB

Symptom: End devices (example, printer) become unreachable when they do not send or receive much traffic.

Scenario: This issue occurred when the switch stack was not rebooted after a new member was added to the stack.

Workaround:

  • Reboot the stack after adding a new member.
  • Bounce the port connecting to the end device.
  • Configure the MAC age time to match the ARP ageout time of the router.

ARP

16.10.0013

254974

KB

Symptom/Scenario: When the OOBM port is a DHCP client, The DHCP server receives an incorrect MAC address from the switch.

OOBM

16.10.0013

254868

KB

Symptom: When connection to the neighbor is lost, an incorrect OSPF route is removed from the routing table.

Scenario: This issue occurred when more than one point-to-point OSPF interface was configured with the same router.

Workaround: Configure broadcast OSPF interface instead of point-to-point OSPF interface.

OSPFv2

16.10.0013

255135

KB

Symptom: A MACsec connection is not established on the last fixed or last flex port of the switch.

Scenario: This issue occurred because of the following reasons:

  • MACsec was enabled on the last fixed or last flex port of the switch.
  • There was an intermediate device that filtered packets with null MAC address.

Workaround: Connect the MACsec peer switches without any devices in between.

MACsec

16.10.0013

255125

KB

Symptom: Clients authenticated by Aruba Central are not placed in the proper VLAN.

Scenario: This issue occurred because of the following reasons:

  • Both MAC authentication and 802.1X are configured on the same port.
  • There are two clients on the port, which had a tagged membership for a VLAN, and the user role for a client had an untagged membership for the same VLAN.

Central

16.10.0013

255123

KB

Symptom: The following event did not identify the affected module correctly: 00907 IpAddrMgr: ST3-CMDR: Module p BMP TCAM parity recovery.

Scenario: The following event was recorded in the event log when there was a hardware issue: 00907 IpAddrMgr: ST3-CMDR: Module p BMP TCAM parity recovery.

RMON Logging

16.10.0013

255115

KB

Symptom: Some VoIP phones did not receive an IP address from the Dynamic Host Configuration Protocol (DHCP) server.

Scenario: This issue occurred when user-based tunneling was configured on the port and DHCP snooping was enabled.

Workaround: Disable DHCP snooping.

DHCP Snooping

16.10.0013

255062

KB

Symptom: User-based tunnel (802.1X) is not established when MAC authentication is also configured on the port with a different VLAN assignment.

Scenario: This issue occurred when both MAC authentication and 802.1X were configured on a port, and the 802.1X authentication contained a VLAN change.

MAC Authentication

16.10.0013

255058

KB

Symptom: After a new template is applied to the switch, the switch is unable to connect to Aruba Central.

Scenario: This issue occurred because the primary VLAN on the switch was changed when the new template was applied.

Workaround: Reboot the switch.

Central

16.10.0013

254976

KB

Symptom/Scenario: The SSH, telnet, and console connections cannot be established with the switch, and the following event is recorded in the event log: maximum user session limit reached.

Switch Access

16.10.0013

254966

KB

Symptom: Applying a template from Aruba Central to a switch fails with the following reasons:

  • Failure Reason: Add and Remove commands have been failed
  • Reason: Invalid netdestination entry.

Scenario: This issue occurred when the template contained changes to the host configurations of the netdestination entries, which are used in an ACL.

Central

16.10.0013

254958

KB

Symptom: After the transition of 802.1X machine authentication to user authentication with User-Based Tunnel, the client username in the show command in the controller is not updated.

Scenario: This issue occurred when 802.1X with User-Based Tunneling was established and then the transition of machine authentication to user authentication was done.

Tunneled Node

16.10.0013

254893

KB

Symptom/Scenario: The switch crashes due to an MSTP NMI event.

Spanning Tree

16.10.0013

254797

KB

Symptom: The following event is recorded in the event file: Lease table is full, DHCP lease was not added.

Scenario: This issue occurred when DHCP snooping was configured.

DHCP Snooping

16.10.0013

254786

KB

Symptom: SSH fails to connect to the switch.

Scenario: This issue occurred because of the following reasons:

  • More than one RADIUS server was configured.
  • aaa authentication ssh enable was configured to use the other RADIUS server, instead of using the first one in the configuration.

AAA Authentication

16.10.0013

254780

KB

Symptom: When more number of MAC authentication clients (auth method: peap-mschapv2) get authenticated or reauthenticated, the following event is recorded multiple times in the event log: PEAP SSL socket connection limit reached.

Scenario: This issue occurred when more than 20 clients were authenticated or reauthenticated at the same time.

Workaround: Authenticate or reauthenticate less than 20 clients at the same time.

MAC Authentication

16.10.0013

254481

KB

Symptom: The switch CPU utilization increases to 80% or more, and CDP packet looping is observed across VLANs.

Scenario: This issue occurred when CDP pass-through was configured on two switches, which had more than one connection between them.

Workaround: Use no cdp run command to disable CDP globally, instead of configuring CDP mode pass-through.

CDP

16.10.0012

254360

KB

Symptom: A configuration push using the cfg-restore command from Aruba Central fails.

Scenario: This issue occurred when a switch configuration, containing radius server host commands, was pushed to Aruba Central or when the cfg-restore command was executed with the same radius server host configuration.

Workaround: Use the copy tftp config command to copy a configuration to the switch from Aruba Central, instead of the cfg-restore command for pushing a configuration.

Central

16.10.0012

254519

KB

Symptom: Aruba Central captures traffic only for one direction when a packet captured is performed.

Scenario: This issue occurred when traffic from a client in one subnet was sent to a client in another subnet, where the switch was acting as the gateway.

Central

16.10.0012

254198

KB

Symptom: A switch or management module crashes with the following message: Active/Commander system went down: ...
Health Monitor: Invalid Instr Misaligned Mem Access
.

Scenario: This issue occurred when the copy command-output show tech all tftp <ip-address> <filename> command was executed.

Workaround: Do not execute the copy command-output show tech all tftp <ip-address> <filename> command.

Chassis

16.10.0012

254508

KB

Symptom: Line card crashes due to LOST_COMM_HEARTBEAT.

Scenario: This issue occurred when there was a failover following a non-hitless failover.

Chassis

16.10.0012

254096

KB

Symptom: The Rx Drop Bytes parameter in the command output for show interface queues <port> displays very high values for the last few ports, even though these ports were down.

Scenario: This issue occurred when the show interface queues <port> command was issued.

CLI

16.10.0012

254278

KB

Symptom: The switch crashes when the show crypto client-public-key command is issued.

Scenario:This issue was observed when the show crypto client-public-key was issued when the \t: symbol was present in the client pub key file.

Workaround: Remove \t: symbol from the client public key file content.

Crypto

16.10.0012

254380

KB

Symptom: The switch crashes with the following message: Health Monitor: Read Error Restr Mem Access .... Task='mdevMntr'.

Scenario: This issue occurred when device-fingerprinting (DFP) was configured and DFP clients moved between ports.

Device Finger Printing

16.10.0012

254354

KB

Symptom: Although the packet is received before the MAC-age timeout interval expires, the MAC address of a peer is not available in the MAC table.

Scenario: This issue occurred when a packet of same source MAC address was sent on both the distributed trunk links alternatively at an interval close to the MAC-age timeout interval.

Workaround:

  • Increase the MAC-age timeout interval to a higher value.
  • Configure the MAC address statically.

Distribute Trunking

16.10.0012

254768

KB

Symptom: The switch crashes due to message buffer exhaustion.

Scenario: This issue occurred when the switch was configured with distributed trunking and VRRP.

Distribute Trunking

16.10.0012

254760

KB

Symptom: Removal of OSPF routes from the link-state database is delayed.

Scenario: This issue occurred when the switch received a Link-State Advertisement (LSA) that advertised routes with max age configured to remove the routes from the database.

OSPFv2

16.10.0012

254395

KB

Symptom: The switch does not send the configured NAS-ID while sending a request to the RADIUS server.

Scenario: This issue occurred for both login and enable when the switch was configured with a non-default server-group nas-id and ssh was configured with peap-mschapv2.

Radius

16.10.0012

254403

KB

Symptom: The HTTP GET for /system/status/power/supply returns an internal server error.

Scenario: This issue occurred when GET of /system/status/power/supply was executed when a stack member was down.

REST

16.10.0012

254665

KB

Symptom: REST connection fails when a Windows client makes an HTTP request.

Scenario: This issue occurred when a Windows client sent a REST HTTP request using PowerShell.

REST

16.10.0012

254525

KB

Symptom: The smartlink port stops forwarding VLAN traffic.

Scenario: This issue occurred when the:

  • The VLAN membership of a port was changed by removing it or adding it to any of the protected VLANs of the smartlink group.
  • STP was enabled and a non-default MSTP instance was created.

Workaround: Disable/enable the port.

Smartlinks

16.10.0012

253623

KB

Symptom/Scenario: When there is a change in backplane stacking, VSF topology, or removal of a power supply, no SNMP trap is sent.

SNMP

16.10.0012

254722

KB

Symptom/Scenario: When a user fails to login to the switch using SSH, no SNMP trap is sent.

SNMPv2

16.10.0012

254580

KB

Symptom/Scenario: A switch no longer accepts SSH connections.

Workaround: Reboot the switch.

SSH

16.10.0012

254393

KB

Symptom: Event messages are sent to a Syslog server.

Scenario: This issue occurred when a syslog server was configured with the TCP option, logging <IP-ADDR> tcp and ip source-interface syslog was configured.

Workaround: Remove ip source-interface syslog ... from the config or reboot the switch after configuring syslog over TCP.

Syslog

16.10.0012

254311

KB

Symptom: Gradual memory depletion on a switch is observed.

Scenario: This issue occurred when the telnet sessions were closed abruptly.

Workaround: Disable the telnet server on the switch.

Telnet

16.10.0011

253563

KB

Symptom: The switch crashes with the following message: Health Monitor: Misaligned Mem Access.

Scenario: This issue occurred when any of the 802.1X clients' MAC address had a NULL value due to corruption, and the authenticator configuration on a switch port was disabled.

802.1X

16.10.0011

254333, 254339

KB

Symptom: Switch crashes with a message similar to the following: Software exception at trlock.c -- in 'InetServer'.

Scenario: This issue occurred when the show tech all command was executed from Aruba Central.

Workaround: Execute the show tech all command through the switch CLI.

Central

16.10.0011

254255

KB

Symptom: Switch crashes with a message similar to the following: Software exception at multMgmtUtil.c -- in 'mOobmCtrl'.

Scenario: This issue occurred when continuous or frequent cfg-restore operations (with password or aaa authentication related configurations) were executed, and in parallel, the switch was accessed through local-authentication.

Workaround: Do not access the switch using local-authentication when cfg-restore operation is in progress.

Chassis

16.10.0011

253472

KB

Symptom/Scenario: The following event is recorded in the event log multiple times where xx% is an increasing value: 03008 system: Ports A,B packet buffer allocation has reached xx%.

Workaround: Reboot the switch.

Chassis

16.10.0011

253803

KB

Symptom: SSH connection (Remote Console) cannot be established from Aruba Central to the switch.

Scenario: This issue occurred when ip authorized-managers was configured on the switch and a Remote Console connection was attempted from Aruba Central.

Workaround: Add the following configuration to the switch:

ip authorized-managers 127.0.0.1 255.255.255.254 access manager

Console

16.10.0011

254196

KB

Symptom: Multicast traffic stops after a redundancy switchover.

Scenario: This issue occurred when the IGMP query-max-response-time was configured to be 128 seconds and a redundancy switchover was performed.

Workaround: Remove IGMP from the VLAN and reconfigure the query-max-response-time to the default value of 10 seconds.

IGMP

16.10.0011

253853

KB

Symptom: Continuous RADIUS access request packets are sent from the switch to the RADIUS server.

Scenario: This issue occurred when a MAC address limit was configured and a device was attempted to be authenticated beyond the configured limit.

MAC Authentication

16.10.0011

253844

KB

Symptom: Removal of OSPF link state prefix from the link state database is delayed.

Scenario: This issue occurred when the switch received an OSPF Link-State Advertisement (LSA) with MaxAge configured to 3600 from a neighbor, and there were multiple OSPF sessions to the same router.

OSPFv2

16.10.0011

253965

KB

Symptom: The switch closes the REST connection when the request is made from a Windows client.

Scenario: This issue occurred when a REST request was sent from PowerShell on a Windows client.

REST

16.10.0011

253921

KB

Symptom: MAC addresses are not learned on some ports and spanning tree shows the port in a BLOCKED LISTEN state.

Scenario: This issue occurred when the switch was configured to use RPVST.

Workaround: Reboot the switch.

Spanning Tree Protocol

16.10.0011

252721

KB

Symptom: Attempts to SSH or telnet to the switch fail and the following message is displayed: Sorry, the maximum number of telnet sessions are active. Try again later.

Scenario: This issue occurred when a vulnerability scan was run against the switch multiple times.

Workaround: Disable Telnet server.

Switch Access

16.10.0011

254174

KB

Symptom: The CPU utilization is elevated and the switch crashes with a No msg buffer message.

Scenario: This issue occurred when the switch was configured to use user-based tunnels (tunneled-node server).

Tunneling

16.10.0011

253970

KB

Symptom: Ports can be added to a trunk using the web interface even if those ports are configured with IGMP fastlearn.

Scenario: This issue occurred when IGMP fastlearn was configured on a few ports of the switch, and the switch was accessed through the web interface to add the IGMP fastlearn enabled ports to the trunk.

Workaround: Use the CLI to add ports to a trunk.

Web Interface

16.10.0010

253775

KB

Symptom/Scenario: Switch does not get provisioned to Activate.

Activate

16.10.0010

253807

KB

Symptom: Unsupported values are accepted as ACL numbers for both standard and extended ACLs when configuring ACLs from the REST interface (for example, Aruba Central). Once configured, these ACLs cannot be deleted using REST or the CLI.

Scenario: This issue occurred when the REST interface was used to configure an ACL with an unsupported value.

ACLs

16.10.0010

253425

KB

Symptom: The username sent for a successful MAC-authenticated client is the MAC address, rather than the username.

Scenario: This issue occurred when a client was authenticated using MAC authentication.

Authentication

16.10.0010

250901

KB

Symptom: Switch randomly loses connectivity to Activate and Aruba Central.

Scenario: This issue occurred when configuring the switch to connect to Aruba Central.

Central

16.10.0010

253659

253925

KB

Symptom: Switch fails to connect to Aruba Central.

Scenario: This issue occurred when the switch was configured to connect to Aruba Central.

Central

16.10.0010

252143

KB

Symptom: One of the following symptoms are seen:

  • When the command show system power-supply is executed, the output displays one or more power supplies with a state of Not Powered even though all modules are powered and PoE is functioning normally.
  • One or more port modules is stuck in a booting or failed state.

Scenario: This issue occurred when all power supplies in the switch lost and regained power at the same time. This scenario was most commonly experienced with very brief power loss or brownout events.

Workaround:

  • Distribute PSU power sources to different power circuits to prevent simultaneous power down/power up.
  • Reboot switch, remove and insert power cords, or remove and insert power supplies that are in a Not powered state.
  • Modules may recover after an undetermined period of time. Otherwise, resetting the affected slots, resetting the affected modules, or rebooting the switch may be required to recover.

Chassis

16.10.0010

253422

KB

Symptom: The following error message is displayed: Invalid Input : grep usage error when executing show command.

Scenario: This issue occurred when a show command was executed with include <anyword> <anyword>.

Workaround: Execute the show command without include <anyword> <anyword>.

CLI

16.10.0010

253485

KB

Symptom: When more than 3000 VLANs are configured, executing the show run command takes one or two minutes to begin displaying output.

Scenario: This issue occurred when show run command was executed after configuring a minimum of 3000 VLANs.

CLI

16.10.0010

252317

KB

Symptom: Connectivity to end devices may be lost due to MAC learn inconsistencies between the InterSwitch-Connect (ISC) link and a trunk member link.

Scenario: This issue occurred when the distributed trunking was configured and one of the DT member switches was upgraded.

Workaround: Clear the incorrect MAC entries in both of the DT switches using the clear mac-address command.

Distributed Trunking

16.10.0010

253303

KB

Symptom: Peer device does not get an IP address when the port it is connected to is configured using a device-profile.

Scenario: This issue occurred when a port is configured using device profile and a peer device is connected to it.

Workaround: Disable device-profile and manually configure the port.

Device Profile

16.10.0010

253507

KB

Symptom: Devices connected to the switch are unable to send or receive packets.

Scenario: This issue occurred when a multicast listener query was received with an unspecified source IP address.

Workaround: Stop sending malformed multicast listener query packets to the switch.

Multicast

16.10.0010

252993

KB

Symptom: Some RADIUS accounting packets sent to the RADIUS server have a very large size.

Scenario: This issue occurred when a downloadable user role was configured with a user policy, network accounting was enabled, and a client was authenticated.

RADIUS

16.10.0010

253736

KB

Symptom: Disconnect Change of Authorization (CoA) request is not honored.

Scenario: This issue occurred when the radius-server group was configured, a client was authenticated, and a disconnect CoA request with the default nas-id was sent.

Workaround: Configure aaa server-group radius <Group name> nas-id <NAS-ID> where the NAS-ID matches the NAS Identifier value shown in the output of the show radius authentication command.

RADIUS

16.10.0010

253557

KB

Symptom: Using REST to retrieve the resource identifier /lldp/remote-device fails to display the IPv4 address of the neighbor.

Scenario: This issue occurred when the REST resource operation GET was used to retrieve the data associated with /lldp/remote-device.

REST

16.10.0010

253789

KB

Symptom: Switch serial number contains an extra space at the end when it is read using SNMP.

Scenario: This issue occurred when the switch serial number was read using SNMP.

Example:

MIB OID: 1.3.6.1.2.1.47.1.1.1.1.11.1

MIB File: ENTITY-MIB

SNMP

16.10.0010

253342

KB

Symptom: SSH/Telnet/Console connections to the switch fail with an error message: Maximum session limit is reached.

Scenario: This issue occurred when multiple users logged in and out and RADIUS was configured as the primary authentication method.

Workaround: Reboot the switch.

Switch Access

16.10.0010

253407

KB

Symptom: Unable to log in to the switch using TACACS credentials.

Scenario: This issue occurred when a source interface for TACACS was configured using the ip source-interface tacacs command and the switch was upgraded to 16.10.0009.

TACACS

16.10.0010

253001

KB

Symptom: When there are continuous link flaps on the link-to-monitor ports within a fraction of a second, some link-to-disable ports may not come up once the link-to-monitor port stabilizes.

Scenario: This issue occurred when the link-to-monitor port used a transceiver connected by fibre and flapped continuously at a high rate.

Workaround: Use Fault-Finder to disable the link-to-monitor if it is flapping too often. The link-to-disable port can be disabled and re-enabled to bring it back up.

UFD

16.10.0010

253290

KB

Symptom: Switch crashes when it is accessed through the web interface.

Scenario: This issue occurred when the switch was accessed using the web interface and RADIUS authentication was configured for web access.

Workaround: Disable RADIUS authentication for web access.

Web UI

16.10.0010

253577

KB

Symptom: When the VLAN edit option is clicked in the web interface, the screen is greyed out, and no pop-up menu is displayed.

Scenario: This issue occurred when the switch is configured to use meshing and the web interface is accessed to select the Edit option on the Interface > VLAN page.

Workaround: Configure VLANs using the CLI or the traditional web interface.

Web UI

16.10.0010

253877

KB

Symptom: The WebUI Security > Clients page displays incorrect MAC addresses, which results in the user role, IP address, and status columns to be empty.

Scenario: This issue occurred when a few workstations with higher value MAC addresses (for example, 9c:dc:71:fb:77:fe) are connected to the last ports of a 2930 stack or the last module of a 5400R.

Web UI

16.10.0009

252885

KB

Symptom: Switch appears down in Aruba Central.

Scenario: This issue occurred because the system time was set to the year 2036, though NTP sync was successful, and the switch was connected to Aruba Central.

Workaround: Configure an NTP server in the switch.

Activate

16.10.0009

252226

KB

Symptom: Switch does not respond during the ZTP process.

Scenario: This issue occurred when connecting to the switch using SSH, while Airwave was transferring the configuration to the switch.

AirWave

16.10.0009

252825

KB

Symptom: A switch crashes and displays the following message:

Software exception at bgp_med.c: 629 -- in 'eRouteCtrl' …. Routing Stack: Assert Failed.

Scenario: This issue occurred when the maximum prefix for BGP was configured to limit the number of routes BGP learns, in an environment with many route flaps.

Workaround: Eliminate the frequent BGP route flaps.

BGP

16.10.0009

253081

KB

Symptom: Switch reports self test failure or unsupported module in the event log.

Scenario: This issue occurred when the module is booted with a JL308A xcvr.

Boot

16.10.0009

251418

KB

Symptom: Pushing a switch configuration template from Aruba Central fails and a 500 error code is returned.

Scenario: This issue occurred when a configuration template that had no untagged ports in VLAN 1 was pushed from Aruba Central.

Workaround: In the configuration template, add at least one untagged port in VLAN 1.

Central

16.10.0009

253174

KB

Symptom/Scenario: The switch experienced an NMI crash with the following message:

Task='ewsCloudRcv'.

Central

16.10.0009

250966

KB

Symptom: The switch fails to display the power supply details.

Scenario: In a stack or VSF configuration, the switch failed to display the power supply details for all stack member switches when using the show system power-supply detailed command.

CLI

16.10.0009

253276

KB

Symptom: Unable to copy crash-files, core-dump, and the show tech all command output from the switch.

Scenario: This issue occurred when executing the copy command with an invalid IP address, file name, hostname, or when parallelly executing the copy command in other sessions.

Workaround:

  • Copy the core file from the web interface.
  • Copy the show tech all command output from the console interface.

CLI

16.10.0009

252430

KB

Symptom: Invalid MAC address entries are seen in the DHCP snooping binding table.

Scenario: This issue occurred when switch received malformed DHCP or BOOTP packets.

Workaround: Configure a DHCP authorized server so that requests only from authorized servers are processed.

DHCP Snooping

16.10.0009

252265

KB

Symptom: The switch does not forward DHCP packets.

Scenario: This issue occurred when both DHCP snooping and IP client tracker trusted were configured, and the client was authenticated.

IP Client Tracker

16.10.0009

252701

KB

Symptom/Scenario: User tunnel is lost when a controller fail-over is performed in a two node controller cluster.

Workaround: Re-establish the tunnel with a port flap and re-authentication.

Jumbo Frames

16.10.0009

252833

KB

Symptom: MSTP does not work as expected and does not block ports when it should.

Scenario: This issue occurred when two ports in a loop were in a forwarding state with MSTP and port- security non-default learn mode enabled.

Workaround: Disable port-security.

Spanning Tree

16.10.0009

252338

KB

Symptom: Incorrect message Rejected because maximum session limit is reached is printed when attempting to establish an SSH connection to the VSF standby OOBM IP address.

Scenario: This issue occurred when establishing an SSH connection to the standby OOBM IP address.

SSH

16.10.0009

252613

KB

Symptom: Unable to connect to the switch using SSH.

Scenario: This issue occurred when the switch is configured to use TACACS and a malformed TACACS packet is received by the switch.

Workaround: Reboot the switch.

SSH

16.10.0009

251966

KB

Symptom: The switch sends logging events with a "Z" at the end of the timestamp when the it is not configured to use UTC.

Scenario: This issue occurred when the switch sent syslog messages over TLS.

Syslog

16.10.0009

252410

KB

Symptom: The switch either reboots or fails over from the active to standby management module and records a Watchdog Reset entry in the event log.

Scenario: This issue occurred when IP directed-broadcast was configured in the switch and Wake On LAN traffic was sent to a directly connected subnet.

Workaround: Disable IP directed-broadcast.

VSF

16.10.0009

252762

KB

Symptom: Although the VXLAN tunnel name was configured, it was not displayed.

Scenario: This issue occurred when the VXLAN tunnel name was configured before configuring the source and destination IP addresses for the tunnel.

VXLAN

16.10.0009

252443

KB

Symptom/Scenario: The Reboot button is displayed for a few seconds in the Web UI. Clicking it allowed an operator to reboot the switch.

Web UI

16.10.0008

-

KB

Version 16.10.0008 was never released.

-

16.10.0007

252007

KB

Symptom: The switch sends an incorrect CLASS attribute value in the RADIUS accounting packet.

Scenario: When the CLASS attribute is updated during re-authentication of a MAC-authenticated client session, the switch fails to send the new CLASS attribute value in the RADIUS accounting packet.

Workaround: Force a new client authentication session by disabling/enabling the port after the CLASS attribute value changes.

Accounting

16.10.0007

251765

KB

Symptom: The show runnig-config output does not display some access list entries (ACEs).

Scenario: When the switch is configured with extended ACLs and connect-rate-filter, some ACEs are not displayed in the output of the show runnig-config command.

Workaround: Use the show access-list config command to get the complete extended ACL configuration.

ACLs

16.10.0007

251273

KB

Symptom: The switch incorrectly places clients in the configured authorized VLAN (auth-vid).

Scenario: When using chap-radius authorized option, if the route to the RADIUS server is not resolved during the switch boot up, clients are incorrectly placed in the configured authorized VLAN (auth-vid) rather than the guest VLAN (unauth-vid) or initial-role.

Workaround: Reauthenticate the affected clients.

Authentication

16.10.0007

251659

KB

Symptom: Switch fails to move the client MAC address from one port to another.

Scenario: When addr-move is configured to enable roaming for authenticated clients from one port to another, with Private VLAN enabled, the switch fails to move the client MAC address.

Workaround: Disable and re-enable the switch interface where the affected client moved to.

Authentication

16.10.0007

252183

KB

Symptom: The switch experiences traffic loss after an indirect nexthop peer failure.

Scenario: If an older ECMP route is removed due to an indirect nexthop peer failure, the switch fails to correctly update the IP route description table with the newer nexthop route.

BGP

16.10.0007

251927

KB

Symptom: The switch fails to remove CDP configuration for a port.

Scenario: When a port is added to a trunk interface, the switch fails to remove the previous non-default CDP configuration for that port (example: no cdp enable <PORT-NUM>).

Workaround: Remove the non-default CDP configuration from the individual port before adding it to trunk interface.

CDP

16.10.0007

252053

KB

Symptom/Scenario: The switch crashes with an error message similar to: Software exception in ISR at pvDmaV1Rx.c <...> ASSERT:    No resources available!

Central

16.10.0007

252267

KB

Symptom: The switch experiences high CPU utilization.

Scenario: In conditions of low network bandwidth or network congestion that cause frequent disconnections from the Aruba Central Portal, the switch experiences high CPU utilization while attempting to reconnect to Aruba Central and while being managed by other NMS applications such as Solarwinds at the same time.

Workaround: Use only one NMS application to manage the switch if network bandwidth capacity or congestion cannot be improved.

Central

16.10.0007

252066

KB

Symptom/Scenario: The switch crashes with a message similar to: Health Monitor:    Restr Mem Access ... Task='mdevMntr'.

Device finger printing

16.10.0007

251876

KB

Symptom: The switch may fail to apply the correct VLAN to dynamic trunks.

Scenario: After a reboot of a switch configured for dynamic trunks with device profile enabled on ports, the switch may fail to apply the correct VLAN configured in the device-profile, after the port is joined to the dynamic trunk.

Workaround: Disable and enable device-profile.

Dynamic Trunks

16.10.0007

251579

KB

Symptom: The switch port LEDs light amber (self-test failure).

Scenario: In rare conditions, random ports may fail self-test after a switch reboot causing the port LED to be lit amber and triggering a warning event message similar to: 00371 chassis: Port <PORT-NAME> self test failure ERR: 10191800

Workaround: Reboot the switch.

Interfaces

16.10.0007

252187

KB

Symptom: PoE LED is incorrectly lit green on the management module.

Scenario: In a VSF stack, when the respective switch member does not have any PoE capable line modules installed.

LEDs

16.10.0007

251972

KB

Symptom: Some clients using the PEAP authentication mechanism are not successfully authenticated.

Scenario: When concurrent authentication requests are sent to the switch using peap-mschapv2, some clients may not be successfully authenticated, even though ACCESS ACCEPT is sent from the RADIUS server.

MAC Authentication

16.10.0007

252170

KB

Symptom: Some multicast traffic is incorrectly flooded on all ports belonging to a VLAN.

Scenario: Multicast packets received with aTTL <= 1 are indefinitely flooded to all ports of a PIM enabled VLAN.

Multicast

16.10.0007

249716

KB

Symptom: The switch fails to pass traffic through a promiscuous port.

Scenario: After a reboot event, the switch fails to pass traffic trough a promiscuous port in the primary VLAN.

Workaround: Remove and re-add the affected promiscuous port from/to the primary VLAN.

Private VLAN

16.10.0007

251339

KB

Symptom: The switch or the switch module may crash with an error message similar to: Read Error Restr Mem Access <...> Task='mAdMUpCtrl'.

Scenario: When qos trust dscp on a 40G port is enabled, the switch or switch module may crash with an error message similar to: Read Error Restr Mem Access <...> Task='mAdMUpCtrl.

QoS

16.10.0007

252090

KB

Symptom: Switch fails to flag the unreachable RADIUS servers.

Scenario: When RADIUS server tracking is enabled, the switch fails to flag those RADIUS servers configured using the fully qualified domain name (FQDN) when they are unreachable with an asterisk (*) in the output of the show radius command.

Workaround: Use IP address for RADIUS server configuration when RADIUS server tracking is enabled.

RADIUS

16.10.0007

252131

KB

Symptom: REST API calls may experience some slight delay in execution response.

Scenario: When multiple REST API commands are executed over the same HTTPS session, they may experience a slight delay in execution response.

Workaround: Use a new HTTPS session for each REST API call.

REST

16.10.0007

251899

KB

Symptom: Switch fails to return the serial number of the power supply.

Scenario: When configured in a stack, the switch does not return the serial number of power supplies for the stack member switches when polling the entPhysicalSerialNum SNMP object.

Workaround: The power supply serial number can be found in the show system power-supply output.

SNMP

16.10.0007

252377

KB

Symptom: The switch fails to send traffic over some switch interfaces.

Scenario: After a redundancy switchover to the standby VSF switch while spanning tree is enabled in PVST mode, the switch fails to forward traffic over the switch ports transitioned from Blocking to Forwarding state.

Workaround: Disable and re-enable the affected switch ports.

Spanning Tree

16.10.0007

250797

KB

Symptom: The switch sends an incorrect checksum when forwarding certain UDP frames.

Scenario: If a received UDP frame has no checksum or the checksum value of zero (0), the switch incorrectly calculates the checksum when forwarding it.

UDP

16.10.0007

252409

KB

Symptom: The switch fails to override the initial-role.

Scenario: When an existing per-port initial-role is modified, the switch fails to re-apply the new initial-role to ports with clients already authenticated in the previous initial-role.

Workaround: Remove the existing per-port initial-role config and configure the new initial-role on the port.

User Roles

16.10.0007

251475

KB

Symptom: The switch experiences high CPU utilization and possible console connectivity issues.

Scenario: When configuring or modifying aggregated interfaces (trunks) with more than 3 member ports on a switch where there is a very high number of configured VLANs, the switch experiences high CPU utilization and possible console connectivity issues while applying the configuration.

VLAN

16.10.0007

251505

KB

Symptom: The WebUI contains an XSS vulnerability.

Scenario: Configure the editable parameters in the WebUI with values that can cause an XSS attack.

Web UI

16.10.0007

251524

KB

Symptom: The switch fails to display some ports on the Ports page of the WebUI.

Scenario: When aSysName with trailing zeroes is received in the LLDP packet from a neighboring device, the switch fails to list some ports in the Ports page when using the WebUI.

Workaround: To get the information for all ports use one of the following options:

  • Disable LLDP on the port where the device with invalidSysName is connected.
  • Use the traditional web UI to get the information for the affected/missing ports.
  • Use switch CLI commands to get the information for the affected/missing ports.

Web UI

16.10.0006

-

KB

Version 16.10.0006 was never released.

-

16.10.0005

251473

KB

Symptom: End devices periodically lose access to the network.

Scenario: When ports are configured with user-based tunneling in addition to 802.1X and MAC authentication, end devices connected to those parts periodically lose access to the network.

Tunneling

16.10.0004

-

KB

Version 16.10.0004 was never released.

-

16.10.0003

251317

 

Symptom: A Windows client that joins a domain other than the one defined in Cisco ISE fails to authenticate. The client will also wait more than 5 minutes before attempting MAC address authentication.

Scenario: This issue is observed when MAC and 802.1X authentication are enabled on the port and the configured auth-order is 802.1X-MAC and an initial role.

802.1X

16.10.0003

251464

KB

Symptom: VSF stack members crash intermittently during 802.1X client reauthentication and the following message is displayed: Software exception in ISR at pvDmaV1Rx.c: -> ASSERT: No resources available!.

Scenario: This issue is observed when ports with LLDP traffic are configured with 802.1X and MAC authentication, and the RADIUS VSA HP-Port-Client-Limit-MA value is zero.

802.1X

16.10.0003

251498

KB

Symptom: A client is unable to pass traffic.

Scenario: This issue is observed when the clear mac-address vlan 1 mac command is issued to clear the switch’s base MAC address from VLAN 1.

Basic Layer 2

16.10.0003

251280

KB

Symptom: Deploying a switch template through Airwave/Aruba Central fails.

Scenario: This issue is observed when the IP address from VLAN1 is removed from a new configuration template and is pushed to the switch with the "ntpserver-name <server name>".

Workaround: Do not remove the IP address from VLAN 1 in the new template.

Central

16.10.0003

249172

KB

Symptom: The Event log lists fan failure events and the amber LED is displayed on the front panel of the switch.

Scenario: The switch operates normally with no change in the environmental temperature.

Chassis Manager

16.10.0003

251393

KB

Symptom: A switch crashes with the following message Software exception in ISR at pvDmaV1Rx.c -> ASSERT: No resources available.

Scenario: This issue is observed when a switch is configured with an initial role with a captive-portal-profile and a client is placed in this initial role because the RADIUS server is unreachable.

Classifier

16.10.0003

250816

KB

Symptom: Authenticated users are disconnected from the switch.

Scenario: This issue is observed when users disable and enable the interface which connects to the dhcp- relay switch, after configuring the DHCP server, DHCP relay, and DHCP snooping with ip-source lockdown.

Workaround: Disable ip-source lockdown.

DIPLD

16.10.0003

251662

KB

Symptom: Unable to configure a /31 subnet address as source/destination address for tunnel interfaces.

Scenario: This issue is observed when users attempt to configure a /31 subnet address as source/ destination address for a tunnel interface.

Workaround: Configure a /30 subnet address.

L3 Addressing

16.10.0003

249465

KB

Symptom: A switch crashes and displays the following message: Software exception at ospf2.c -- in 'eRouteCtrl' -> Routing Stack: Assert Failed.

Scenario: This issue is observed when a switch is configured with OSPF and one of the OSPF neighbors is disconnected.

OSPF

16.10.0003

251615

KB

Symptom: An attacker is able to obtain sensitive data without providing valid login credentials after a successful REST query.

Scenario: This issue is observed when web management is enabled on the switch.

REST

16.10.0003

251340

KB

Symptom: Tunneled clients lose network connectivity.

Scenario: This issue is observed when user tunnels are configured in addition to ip client-tracker trusted and ip client-tracker probe-delay.

Workaround:

  1. Remove ip client-tracker probe-delay from the configuration.
  2. Disable the port.
  3. Clear ARP.
  4. Re-enable the port.

Tunneled Node

16.10.0003

251893

KB

Symptom: A switch port is in the Disabled state.

Scenario: This issue is observed when spanning tree is enabled and Per-Port Tunneled Node (PPTN) is configured on two ports that are connected.

Workaround: Do not connect two PPTN ports.

Tunneled Node

16.10.0003

251325

KB

Symptom: Users are unable to modify the vlan-id-tagged list of a user role.

Scenario: This issue is observed when the user applies a template that adds VLANs to the vlan-id-tagged list of a user role.

Workaround: Use a template that does not extend the list of VLANs in vlan-id-tagged.

User Roles

16.10.0003

251030

KB

Symptom: The output of the show interface command differs for a VSF and a non-VSF interface.

Scenario: This issue is observed when a switch is configured for VSF.

Workaround: Execute the clear statistics global command and output of  show interface command will be the same for both VSF and non-VSF interfaces.

VSF

16.10.0003

251506

KB

Symptom: The switch manager password is altered to an attack-controlled value.

Scenario: This issue is observed when the user clicks a malicious hyperlink.

Web UI

16.10.0003

251314

KB

Symptom: Switches appear offline in Aruba Central.

Scenario: This issue is observed after the switch software is upgraded from 16.04 to 16.08.

Workaround: Reboot the switch.

ZTP

16.10.0002

250366

KB

Symptom: An Apple MacOS device (desktop or laptop) is unable to maintain authentication with APs.

Scenario: When an AP is connected to a switch port that has been configured with device-identity bypass, an Apple MacOS device (desktop or laptop) receives EAP request ID packets after 802.1X authentication and is unable to maintain authentication with the AP.

Workaround: Configure a MAC-based ACL to block the EAP request identity to multicast MAC address.

802.1X

16.10.0002

250681

KB

Symptom/Scenario: The Topology section of Airwave shows spanning tree details for a switch that does not have spanning tree enabled.

AirWave

16.10.0002

250934

KB

Symptom: The switch does not respond to commands from a console or SSH session.

Scenario: After updating the switch configuration using Aruba Central while clients are authenticated, the switch may not respond to commands from a console or SSH session.

Workaround:

  1. Apply a template disabling MAC authentication on all ports.
  2. Apply a template with AAA config changes.
  3. Apply a template enabling MAC authentication on all ports.

Central

16.10.0002

251313

KB

Symptom: The switch experiences a high CPU utilization and loses connection with Central.

Scenario: when the switch is upgraded to 16.08.0001 and a template with tls and cwmp commands is pushed from Central, the switch experiences high CPE utilization and loses the connection to Aruba Central.

Workaround: Remove tls application cloud lowest-version tls1.2 and cwmp from the switch template.

Central

16.10.0002

250247

KB

Symptom/Scenario: The switch crashes with a message similar to: Software exception in ISR at interrupts_om.c-> Excessive OM FP interrupts.

Chassis

16.10.0002

250514

KB

Symptom: The show running config and show modules commands report false information.

Scenario: When a VSF configuration has been loaded to the switch without MAC addresses specified and the switch is rebooted, the show running config command returns incorrect data and the show modules command reports a module as failed.

Workaround: Download a VSF configuration that includes member MAC addresses.

Config

16.10.0002

250542

KB

Symptom: The switch is unable to classify Aruba APs.

Scenario: After configuring device fingerprinting, the switch is unable to classify Aruba APs.

Device finger printing

16.10.0002

250600

KB

Symptom/Scenario: The help text for the device-identity lldp oui command indicates that the required input is a MAC-OUI.

Device finger printing

16.10.0002

251075

KB

Symptom: The switch crashes with a message similar to Task='mdevMntr'.

Scenario: When the switch has been configured with a device finger printing policy on a port with clients, if the port is bounced multiple times, the switch may crash with a message similar to Task='mdevMntr'.

Device finger printing

16.10.0002

250957

KB

Symptom: Host packets are denied with a message similar to dlpld: AM1: Access denied.

Scenario: When the switch has been configured using the aaa port-access and ip source-lockdown commands and clients authenticate to the switch, if more than one client is placed in a VLAN provided by the RADIUS server, host packets are denied.

Workaround: Disable Dynamic IP Lockdown on the switch using the no ip source-lockdown command.

DIPLD

16.10.0002

250550

KB

Symptom: Primary and secondary VLANs do not have MAC address entries.

Scenario: When a port has been configured with PVLAN and port security and the port is subsequently disabled and re-enabled, MAC address entries are not present in the primary and secondary VLANs.

Workaround: Reconfigure the port security configuration of the port.

MAC address

16.10.0002

250392

KB

Symptom: The switch crashes with a message similar to: Health Monitor: Invalid Instr Misaligned Mem Access.

Scenario: After an IP address has been reassigned from one VLAN to another VLAN using the menu interface, the switch may crash with a message similar to: Health Monitor: Invalid Instr Misaligned Mem Access.

Workaround: Disable the first VLAN and save the configuration from the menu interface. Then, configure the deleted IP address on the second VLAN.

Menu

16.10.0002

245830

KB

Symptom: The switch fails to list the switch ports in the Ports web management page.

Scenario: When a peer device that advertises information in LLDP has a sysName string with special characters, the switch fails to display the port list table on the Ports web management page.

Workaround: Remove the special characters from the peer device sysName or use CLI commands to get specific port information.

Next Gen GUI

16.10.0002

250833

KB

Symptom: After a switch reboot, OSPF is stuck in the INIT state.

Scenario: When a switch that is configured with OSPF, but ip router-id has not been configured, is rebooted OSPF remains in the INIT state.

Workaround: Configure the router ID manually.

OSPF

16.10.0002

250958

KB

Symptom: The hit counters in the output of the show statistics policy command shows all zeros.

Scenario: If a QoS policy with several class entries across all ports on multiple modules has been applied, the output of the show statistics policy command shows all zeros in the hit counters.

QoS

16.10.0002

251017

KB

Symptom: The event log displays lpAddrMgr: Failed to add FIB entry - neighbor matches existing route (vrf:0 A.B.C.D/32).

Scenario: When the switch has been configured with a VRRP master and the connected routes are redistributed using routing protocols, the event log will display a lpAddrMgr message.

VRRP

16.10.0002

251203

KB

Symptom: Pings to the VRRP virtual IP address fail.

Scenario: If a switch module is reloaded, added, or hot-swapped, if a VSF stack member joins the stack after a stack split event or after a switch reboot with expansion module present, the switch fails to respond to ping packets to the VRRP virtual IP address.

VRRP

16.10.0002

250489

KB

Symptom: High utilization of a VSF link is reported by the switch.

Scenario: When VSF is configured with one link having multiple ports and then a VSF link port toggle is performed by disabling then re-enabling the VSF interface, the switch reports a high link utilization.

VSF

16.10.0002

250754

KB

Symptom: The switch cannot be found in Aruba Central even though the CLI reports the switch as being connected.

Scenario: When a VSF stack is already checked into Aruba Central with the same stack ID as another VSF stack, switches in the stack cannot be found in Aruba Central.

Workaround: Ensure all switches are running 16.06 or later and then form the VSF stack.

VSF

16.10.0002

250896

KB

Symptom: Switch ports are not listed in the web interface.

Scenario: If a peer device advertises an LLDP port ID containing special characters, switch ports are not listed in the web interface.

Web UI

16.10.0001

250366

KB

Symptom: An Apple MacOS device (desktop or laptop) is unable to maintain authentication with APs.

Scenario: When an AP is connected to a switch port that has been configured with device-identity bypass, an Apple MacOS device (desktop or laptop) receives EAP request ID packets after 802.1X authentication and is unable to maintain authentication with the AP.

Workaround: Configure a MAC-based ACL to block the EAP request identity to multicast MAC address.

802.1X

16.10.0001

250681

KB

Symptom/Scenario: The Topology section of Airwave shows spanning tree details for a switch that does not have spanning tree enabled.

AirWave

16.10.0001

250934

KB

Symptom: The switch does not respond to commands from a console or SSH session.

Scenario: After updating the switch configuration using Aruba Central while clients are authenticated, the switch may not respond to commands from a console or SSH session.

Workaround:

  1. Apply a template disabling MAC authentication on all ports.
  2. Apply a template with AAA config changes.
  3. Apply a template enabling MAC authentication on all ports.

Central

16.10.0001

250247

KB

Symptom/Scenario: The switch crashes with a message similar to: Software exception in ISR at interrupts_om.c-> Excessive OM FP interrupts.

Chassis

16.10.0001

250154

KB

Symptom: The global status LED on all members of a VSF stack turns amber.

Scenario: When one member of a VSF stack experiences an over temperature, the global status LED on all members of the stack turns amber.

Chassis Manager

16.10.0001

250514

KB

Symptom: The show running config and show modules commands report false information.

Scenario: When a VSF configuration has been loaded to the switch without MAC addresses specified and the switch is rebooted, the show running config command returns incorrect data and the show modules command reports a module as failed.

Workaround: Download a VSF configuration that includes member MAC addresses.

Config

16.10.0001

250542

KB

Symptom: The switch is unable to classify Aruba APs.

Scenario: After configuring device fingerprinting, the switch is unable to classify Aruba APs.

Device finger printing

16.10.0001

251075

KB

Symptom: The switch crashes with a message similar to Task='mdevMntr'.

Scenario: When the switch has been configured with a device finger printing policy on a port with clients, if the port is bounced multiple times, the switch may crash with a message similar to Task='mdevMntr'.

Device finger printing

16.10.0001

250600

KB

Symptom/Scenario: The help text for the device-identity lldp oui command indicates that the required input is a MAC-OUI.

Device identity

16.10.0001

250957

KB

Symptom: Host packets are denied with a message similar to dlpld: AM1: Access denied.

Scenario: When the switch has been configured using the aaa port-access and ip source-lockdown commands and clients authenticate to the switch, if more than one client is placed in a VLAN provided by the RADIUS server, host packets are denied.

Workaround: Disable Dynamic IP Lockdown on the switch using the no ip source-lockdown command.

DIPLD

16.10.0001

250550

KB

Symptom: Primary and secondary VLANs do not have MAC address entries.

Scenario: When a port has been configured with PVLAN and port security and the port is subsequently disabled and re-enabled, MAC address entries are not present in the primary and secondary VLANs.

Workaround: Reconfigure the port security configuration of the port.

MAC address

16.10.0001

250392

KB

Symptom: The switch crashes with a message similar to: Health Monitor: Invalid Instr Misaligned Mem Access.

Scenario: After an IP address has been reassigned from one VLAN to another VLAN using the menu interface, the switch may crash with a message similar to: Health Monitor: Invalid Instr Misaligned Mem Access.

Workaround: Disable the first VLAN and save the configuration from the menu interface. Then, configure the deleted IP address on the second VLAN.

Menu

16.10.0001

250833

KB

Symptom: After a switch reboot, OSPF is stuck in the INIT state.

Scenario: When a switch that is configured with OSPF, but ip router-id has not been configured, is rebooted OSPF remains in the INIT state.

Workaround: Configure the router ID manually.

OSPF

16.10.0001

250958

KB

Symptom: The hit counters in the output of the show statistics policy command shows all zeros.

Scenario: If a QoS policy with several class entries across all ports on multiple modules has been applied, the output of the show statistics policy command shows all zeros in the hit counters.

QoS

16.10.0001

251017

KB

Symptom: The event log displays lpAddrMgr: Failed to add FIB entry - neighbor matches existing route (vrf:0 A.B.C.D/32)..

Scenario: When the switch has been configured with a VRRP master and the connected routes are redistributed using routing protocols, the event log will display a lpAddrMgr message.

VRRP

16.10.0001

251203

KB

Symptom: Pings to the VRRP virtual IP address fail.

Scenario: If a switch module is reloaded, added, or hot-swapped, if a VSF stack member joins the stack after a stack split event or after a switch reboot with expansion module present, the switch fails to respond to ping packets to the VRRP virtual IP address.

VRRP

16.10.0001

250489

KB

Symptom: High utilization of a VSF link is reported by the switch.

Scenario: When VSF is configured with one link having multiple ports and then a VSF link port toggle is performed by disabling then re-enabling the VSF interface, the switch reports a high link utilization.

VSF

16.10.0001

250754

KB

Symptom: The switch cannot be found in Aruba Central even though the CLI reports the switch as being connected.

Scenario: When a VSF stack is already checked into Aruba Central with the same stack ID as another VSF stack, switches in the stack cannot be found in Aruba Central.

Workaround: Ensure all switches are running 16.06 or later and then form the VSF stack.

VSF

16.10.0001

245830

KB

Symptom: The switch fails to list the switch ports in the Ports web management page.

Scenario: When a peer device that advertises information in LLDP has a sysName string with special characters, the switch fails to display the port list table on the Ports web management page.

Workaround: Remove the special characters from the peer device sysName or use CLI commands to get specific port information.

Web UI