Fixes

This section lists released builds that include fixes found in this branch of the software. Software fixes are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all fixes added in earlier versions.

The Symptom statement describes what a user might experience if this is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue for customers who decide not to update to this version of software.

The number that precedes the fix description is used for tracking purposes.

Table 1: Fixed Issues

Version

Bug ID

Software

Description

Category

16.10.0024

-

YA/YB

No fixes were included in version 16.10.0024.

-

16.10.0023

256613

YA/YB

Symptom/Scenario: Some IP addresses for save config and config change in the traps will not be displayed in AirWave.

AirWave

16.10.0023

256672

YA/YB

Symptom/Scenario: Switch fails to connect to activate with the error activate: EST enrollment with server failed because of Unable to generate CSR.

Central Integration

16.10.0023

256575

YA/YB

Symptom: The switch will stop responding to valid SNMP packets.

Scenario: This issue occurred when UDP packets were sent without any data. After 65 packets, switch will stop responding to valid packets.

SNMPv3

16.10.0023

256600

YA/YB

Symptom: Client will not be in authenticated state until cached-reauth period.

Scenario: This issue occurred when 802.1x authentication was configured with cached-reauth.

Workaround:

  • First, enable the user-role authentication and then configure the critical user-role for the authentication port.

  • Critical user-role should not have the reauth-period attribute and auth-order must be removed for the authentication port.

802.1x

16.10.0023

256732

YA/YB

Symptom: Local-user with group cannot be configured via SNMP.

Scenario: This issue occurred when local-user with group using SNMP was configured.

Workaround: User can configure local-user with group using CLI configuration.

SNMPv2

16.10.0022

256590

YA/YB

Symptom/Scenario: When a port is added to a VLAN from the Web UI, IPv6 will be enabled on the VLAN.

NextGen WebUI

16.10.0022

256561

YA/YB

Symptom: Network access is denied for a 802.1X authenticated client.

Scenario: This issue occurred when the 802.1X client was authenticated with the auth-vid and unauth-vid configurations.

Workaround: Configure a client limit for the authenticator-enabled port.

802.1X

16.10.0022

256485

YA/YB

Symptom: REST request over HTTPS fails as SSL connection is not established.

Scenario: This issue occurred when a GET request with an empty JSON payload was sent.

Workaround: Replace the empty JSON payload with None in the GET request.

REST APIs

16.10.0022

256358

YA/YB

Symptom: An invalid username or password grants the operator access to the switch's Web UI.

Scenario: This issue occurred when a banner and a manager password were configured but not an operator password.

Workaround: Remove the banner configuration.

WEB UI

16.10.0021

256406

YA/YB

Symptom: Traffic is sent directly to the clients in VLANs that do not have an IP address configured instead of being sent to the gateway configured in the routing table.

Scenario: This issue occurred when the switch had both Layer 2 and Layer 3 VLANs and IP client tracker was enabled.

Workaround: Disable the IP client tracker.

Static Routing

16.10.0021

256366

YA/YB

Symptom/Scenario: The switch crashes with a message similar to the following: Software exception at multMgmtUtil.c:259 – in 'mOobmCtrl' -> Internal error.

Coredump

16.10.0021

256122

YA/YB

Symptom: Tx drops are seen on the port after the trunk member is removed.

Scenario: This issue occurred when the port was configured to be a member of the trunk and subsequently removed from the trunk when the port was down. The issue will be seen when a client is connected to the port.

Workaround: Configure the trunk while the port is up.

LACP

16.10.0020

256257

YA/YB

Symptom/Scenario: Certain transceivers had link issues in unsupported transceiver mode.

Transceivers

16.10.0020

256234

YA/YB

Symptom: The show rmon statistics <port no> command returns the wrong counter values.

Scenario: This issue occurred when the clear statistics global or clear statistics <port no> was executed first and then show rmon statistics <port no>.

CLI

16.10.0020

256233

YA/YB

Symptom: Client ports may encounter packet drops when multicast sources stream video over 500 Mbps.

Scenario: This issue can occur when multiple clients from different ports subscribed to the same group, which streams using HD channels requiring high bandwidth. TX drops can occur when several clients change channels simultaneously.

Workaround: Lower the bandwidth of the video streams to below 500 Mbps in order to avoid over-subscription of ports.

IGMP-NG

16.10.0020

256310

YA/YB

Symptom: The switch fails to update the IDEVID_CERT certificate when it is about to expire.

Scenario: This issue occurred when a switch with an expiring IDEVID CERT certificate that is provisioned in Aruba Central is rebooted.

Workaround: Execute the command activate provision force to update the certificate manually.

Central Integration

16.10.0020

256205

YA/YB

Symptom: A configuration template push from Aruba Central fails.

Scenario: This issue occurred when the end devices are connected to ports that are configured with port-security learn-mode static.

Central Integration

16.10.0019

256121

YA/YB

Symptom: Web authentication fails when the switch is managed by Aruba Central (aruba-central support-mode disable).

Scenario: This issue occurred when the switch was connected to Aruba Central and aruba-central support-mode was disabled.

Workaround: Execute aruba-central support-mode enable command so the switch is longer managed by Aruba Central.

Web Authentication

16.10.0018

255819

YA/YB

Symptom: A switch crashes with a message similar to the following:

SubSystem 100 went down:

Health Monitor: Read Error Restr Mem Access

Scenario: This issue occurred because of the following actions:

  1. An AP was authenticated with 802.1X port mode.
  2. The AP was rebooted, and the 802.1X authentication configuration was removed from the port.

802.1X

16.10.0018

255940

YA/YB

Symptom: A switch crashes with a message similar to the following:

Software exception at svc_misc.c:1088 – in 'mDHCPClint'

-> Failed to malloc 9202 bytes.

Scenario: This issue occurred when the switch attempted to reconnect to Aruba Central.

Aruba Central

16.10.0018

255995

YA/YB

Symptom: A switch crashes when the show port-access clients command is issued or when an SNMP GET operation is performed to get the MIB object hpicfUsrAuthMacAuthSessionStatsEntry.

Scenario: The switch crashed when a MAC-authenticated client had a username of more than 40 characters.

Authentication

16.10.0018

255120

YA/YB

Symptom/Scenario: The Key Expansion Module of a Cisco 8851 phone does not power up.

Workaround: Configure poe-allocate-by command with class parameter on the ports, and reduce the number of powered devices connected to the switch.

PoE

16.10.0018

256034

YA/YB

Symptom: SNMP MIB files are not reachable, and the MIB file returns some errors.

Scenario: This issue occurred when the customer used an SNMP monitoring tool to read or parse the MIB files.

SNMP

16.10.0018

256050

YA/YB

Symptom: A switch crashes when the WebUI Security > Clientspage is accessed.

Scenario: The switch crashed when a MAC-authenticated client had a username of more than 40 characters.

Web UI

16.10.0017

255888

YA/YB

Symptom/Scenario: When a proxy server is configured on the switch, the switch does not onboard into Aruba Central or Activate.

Aruba Central

16.10.0017

255799

YA/YB

Symptom: The user is unable to copy a configuration file to the switch using Secure File Transfer Protocol (SFTP) and the following error message is displayed.

Invalid input: grep usage error.

Scenario: This issue occurred when the pipe character ( | ) was used as a part of the command input for some configuration commands, such as the banner motd and snmpv3 user commands.

Workaround: Do not use the pipe character (|) in the command input for the configuration commands.

Configuration

16.10.0017

255195

YA/YB

Symptom: The switch memory utilization spikes and might reach to 100%.

Scenario: This issue occurred when many ports were monitored and mirrored to one port.

Workaround: Disable mirroring on the ports.

Mirroring

16.10.0017

255825

YA/YB

Symptom/Scenario: When a switch is rebooted through an SSH session, the show boot-history, show logging, and boot command outputs include the Operator cold reboot from TELNET session message instead of the Operator cold reboot from SSH session message.

SSH

16.10.0017

255760

YA/YB

Symptom/Scenario: A switch crashes with the following message:

Software exception at bsp_interrupts.c:90 – in 'fault_handler'.

Tunneled Node

16.10.0016

255682

YA/YB

Symptom: The RADIUS accounting packets sent from the switch to the RADIUS server do not contain the correct client IP address.

Scenario: This issue occurred when both user authentication and MAC authentication were configured.

802.1X

16.10.0016

255400

YA/YB

Symptom: The switch is unable to connect to Activate or Aruba Central.

Scenario: This issue occurred when the show crypto pki ta-profile command displayed Pending Root Certificate In... for the GEOTRUST_CA profile, and the following event was recorded in the event log:

05222 activate: ST1-CMDR: Error connecting to the Activate server: Activate TLS connection error.

Activate

16.10.0016

255653

YA/YB

Symptom: The switch crashes with a Non-Maskable Interrupt (NMI) event.

Scenario: The switch crashed because of the following reasons:

  1. The switch was configured to receive a DHCP address.
  2. The activate provision force command was configured on the switch.
  3. The no activate software-update check command was executed.

Activate

16.10.0016

255770

YA/YB

Symptom: The switch fails to connect to Aruba Central, and the show aruba-central command output displays an Enrollment over Secured Transport (EST) enrollment error.

Scenario: This issue occurred when the switch software version is upgraded to version 16.10.0015.

Workaround: Downgrade to an older switch software version once the EST provisions IDEVID-CERT, you can upgrade the switch to the latest switch software version.

Central

16.10.0016

255417

YA/YB

Symptom: The switch crashes with an NMI event.

Scenario: This issue occurred when the DHCP snooping traffic was sent continuously to the switch with DHCP option 82, and the DHCP clients rebooted frequently.

DHCP Snooping

16.10.0016

255619

YA/YB

Symptom: The Ports table on the Web UI does not display all the interfaces of the switch.

Scenario: This issue occurred when the Name and Id sent through LLDP contained a trailing backslash (\), and the same was configured on the port.

Workaround: Disable LLDP on the switch using the no lldp run command.

Web UI

16.10.0015

255124

YA/YB

Symptom: Captive portal redirection does not work.

Scenario: This issue occurred when the ip client-tracker command was enabled, and the VLAN where the client onboarded had the disable layer3 command configured.

Workaround: Remove ip client-tracker or disable layer3 configuration from the client VLAN.

Captive Portal

16.10.0015

255259

YA/YB

Symptom/Scenario: Executing the show tech all command resets the port counters in all sessions.

CLI

16.10.0015

255134

YA/YB

Symptom: Switch crashes regularly with the following message:

Active/Commander system went down:

eSoftware exception at msgSys.c:641 -- in 'mNSR',

-> Can't get message buffer for msgSys_recv.

The event log indicates continuous removal and application of the device-profile.

Scenario: This issue occurred with a device profile for an AP enabled, with both interfaces of the AP connected to the switch through a trunk, and when the switch was rebooted.

Workaround: Disable and enable the device profile.

Device Profile

16.10.0015

255158

YA/YB

Symptom: Multicast traffic with the source IP address 0.0.0.0 floods to all ports, even with IGMP snooping enabled.

Scenario: This issue occurred when the multicast traffic was sent with a NULL IP source from a device connected to a non-querier device.

IGMP

16.10.0015

255408

YA/YB

Symptom: Unauthorized clients can connect and access the switch using the loopback address.

Scenario: This issue occurred when the ip authorized-managers command was configured and an unauthorized client attempted to connect to the loopback address.

IP Authorized Managers

16.10.0015

255342

YA/YB

Symptom: When an initial role is applied, clients do not attempt to reauthenticate.

Scenario: This issue occurred when the server-timeout value was less than the RADIUS request timeout.

Workaround: Configure a greater server-timeout value than the RADIUS request timeout.

RADIUS

16.10.0015

255171

YA/YB

Symptom: The switch CPU spikes and the ClearPass RADIUS server shuts down.

Scenario: This issue occurred when MAC authentication used the peap-mschapv2 authentication method. As a result, Access-Request and Access-challenge messages were exchanged in a loop.

RADIUS

16.10.0015

255067

YA/YB

Symptom: Switch does not respond to Simple Network Management Protocol version 3 (SNMPv3) queries.

Scenario: This issue occurred when there was a wrong value in the boot counter.

SNMPv3

16.10.0014

-

YA/YB

No fixes were included in version 16.10.0014.

NA

16.10.0013

255125

YA/YB

Symptom: Clients authenticated by Aruba Central are not placed in the proper VLAN.

Scenario: This issue occurred because of the following reasons:

  • Both MAC authentication and 802.1X are configured on the same port.
  • There are two clients on the port, which had a tagged membership for a VLAN, and the user role for a client had an untagged membership for the same VLAN.

Central

16.10.0013

255062

YA/YB

Symptom: User-based tunnel (802.1X) is not established when MAC authentication is also configured on the port with a different VLAN assignment.

Scenario: This issue occurred when both MAC authentication and 802.1X were configured on a port, and the 802.1X authentication contained a VLAN change.

MAC Authentication

16.10.0013

254976

YA/YB

Symptom/Scenario: The SSH, telnet, and console connections cannot be established with the switch, and the following event is recorded in the event log: maximum user session limit reached.

Switch Access

16.10.0013

254780

YA/YB

Symptom: When more number of MAC authentication clients (auth method: peap-mschapv2) get authenticated or reauthenticated, the following event is recorded multiple times in the event log: PEAP SSL socket connection limit reached.

Scenario: This issue occurred when more than 20 clients were authenticated or reauthenticated at the same time.

Workaround: Authenticate or reauthenticate less than 20 clients at the same time.

MAC Authentication

16.10.0013

254481

YA/YB

Symptom: The switch CPU utilization increases to 80% or more, and CDP packet looping is observed across VLANs.

Scenario: This issue occurred when CDP pass-through was configured on two switches, which had more than one connection between them.

Workaround: Use no cdp run command to disable CDP globally, instead of configuring CDP mode pass-through.

CDP

16.10.0012

254678

YA/YB

Symptom: An Aruba Central connection is not established and the Error Reason returned is TLS generic error (code: -1007).

Scenario: This issue occurred when the switch attempted to contact Aruba Central.

Workaround: Zerorize the local certificates using crypto pki zeroize and activate the connection to Central again (aruba-central enable).

Central

16.10.0012

254198

YA/YB

Symptom: A switch or management module crashes with the following message: Active/Commander system went down: ...
Health Monitor: Invalid Instr Misaligned Mem Access
.

Scenario: This issue occurred when the copy command-output show tech all tftp <ip-address> <filename> command was executed.

Workaround: Do not execute the copy command-output show tech all tftp <ip-address> <filename> command.

Chassis

16.10.0012

254096

YA/YB

Symptom: The Rx Drop Bytes parameter in the command output for show interface queues <port> displays very high values for the last few ports, even though these ports were down.

Scenario: This issue occurred when the show interface queues <port> command was issued.

CLI

16.10.0012

254278

YA/YB

Symptom: The switch crashes when the show crypto client-public-key command is issued.

Scenario:This issue was observed when the show crypto client-public-key was issued when the \t: symbol was present in the client pub key file.

Workaround: Remove \t: symbol from the client public key file content.

Crypto

16.10.0012

254395

YA/YB

Symptom: The switch does not send the configured NAS-ID while sending a request to the RADIUS server.

Scenario: This issue occurred for both login and enable when the switch was configured with a non-default server-group nas-id and ssh was configured with peap-mschapv2.

Radius

16.10.0012

254665

YA/YB

Symptom: REST connection fails when a Windows client makes an HTTP request.

Scenario: This issue occurred when a Windows client sent a REST HTTP request using PowerShell.

REST

16.10.0012

254722

YA/YB

Symptom/Scenario: When a user fails to login to the switch using SSH, no SNMP trap is sent.

SNMPv2

16.10.0012

254393

YA/YB

Symptom: Event messages are not printed on the Syslog server.

Scenario: This issue occurred when a syslog server was configured with the TCP option, logging <IP-ADDR> tcp and ip source-interface syslog was configured.

Workaround: Remove ip source-interface syslog ... from the config or reboot the switch after configuring syslog over TCP.

Syslog

16.10.0012

254311

YA/YB

Symptom: Gradual memory depletion on a switch is observed.

Scenario: This issue occurred when the telnet sessions were closed abruptly.

Workaround: Disable the telnet server on the switch.

Telnet

16.10.0012

254572

YA/YB

Symptom: The switch crashes with the following message: Health Monitor: Misaligned Mem Access.

Scenario: This issue occurred when a MAC address moved between aaa authenticated ports.

Telnet

16.10.0011

253563

YA/YB

Symptom: The switch crashes with the following message: Health Monitor: Misaligned Mem Access.....Task='mWebAuth'.

Scenario: This issue occurred when any of the 802.1X clients' MAC address had a NULL value due to corruption when authenticator configuration on a switch port was disabled.

802.1X

16.10.0011

254333, 254339

YA/YB

Symptom: Switch crashes with a message similar to the following: Software exception at trlock.c -- in 'InetServer'.

Scenario: This issue occurred when the show tech all command was executed from Aruba Central.

Workaround: Execute the show tech all command through the switch CLI.

Central

16.10.0011

254255

YA/YB

Symptom: Switch crashes with a message similar to the following: Software exception at multMgmtUtil.c -- in 'mOobmCtrl'.

Scenario: This issue occurred when continuous or frequent cfg-restore operations (with password or aaa authentication related configurations) were executed, and in parallel, the switch was accessed through local-authentication.

Workaround: Do not access the switch using local-authentication when cfg-restore operation is in progress.

Chassis

16.10.0011

253803

YA/YB

Symptom: SSH connection (Remote Console) cannot be established from Aruba Central to the switch.

Scenario: This issue occurred when ip authorized-managers was configured on the switch and a Remote Console connection was attempted from Aruba Central.

Workaround: Add the following configuration to the switch:

ip authorized-managers 127.0.0.1 255.255.255.254 access manager

Console

16.10.0011

254196

YA/YB

Symptom: Multicast traffic stops after a redundancy switchover.

Scenario: This issue occurred when the IGMP query-max-response-time was configured to be 128 seconds and a redundancy switchover was performed.

Workaround: Remove IGMP from the VLAN and reconfigure the query-max-response-time to the default value of 10 seconds.

IGMP

16.10.0011

253853

YA/YB

Symptom: Continuous RADIUS access request packets are sent from the switch to the RADIUS server.

Scenario: This issue occurred when a MAC address limit was configured and a device was attempted to be authenticated beyond the configured limit.

MAC Authentication

16.10.0011

253965

YA/YB

Symptom: The switch closes the REST connection when the request is made from a Windows client.

Scenario: This issue occurred when a REST request was sent from PowerShell on a Windows client.

REST

16.10.0011

252721

YA/YB

Symptom: Attempts to SSH or telnet to the switch fail and the following message is displayed: Sorry, the maximum number of telnet sessions are active. Try again later.

Scenario: This issue occurred when

a vulnerability scan was run against the switch multiple times.

Workaround: Disable Telnet server.

Switch Access

16.10.0011

253970

YA/YB

Symptom: Ports can be added to a trunk using the web interface even if those ports are configured with IGMP fastlearn.

Scenario: This issue occurred when IGMP fastlearn was configured on a few ports of the switch, and the switch was accessed through the web interface to add the IGMP fastlearn enabled ports to the trunk.

Workaround: Use the CLI to add ports to a trunk.

Web Interface

16.10.0010

253641

YA/YB

Symptom: Clients that do not match an allowed entry in an ACL are not implicitly denied and are able to access the network.

Scenario: This issue occurred when a user-role was configured containing a policy that allowed network access to only select IP addresses.

Workaround: Create an ACL that specifically denies access to particular IP addresses.

ACLs

16.10.0010

253807

YA/YB

Symptom: Unsupported values are accepted as ACL numbers for both standard and extended ACLs when configuring ACLs from the REST interface (for example, Aruba Central). Once configured, these ACLs cannot be deleted using REST or the CLI.

Scenario: This issue occurred when the REST interface was used to configure an ACL with an unsupported value.

ACLs

16.10.0010

253425

YA/YB

Symptom: The username sent for a successful MAC-authenticated client is the MAC address, rather than the username.

Scenario: This issue occurred when a client was authenticated using MAC authentication.

Authentication

16.10.0010

253422

YA/YB

Symptom: When a show command is executed using | include <anyword> <anyword> the following error message is displayed: Invalid Input : grep usage error.

Scenario: This issue occurred when a show command was executed using | include <anyword> <anyword>.

Workaround: Execute the show command without | include <anyword> <anyword>.

CLI

16.10.0010

253303

YA/YB

Symptom: Peer device does not get an IP address when the port it is connected to is configured using a device-profile.

Scenario: This issue occurred when a port is configured using device profile and a peer device is connected to it.

Workaround:Disable device-profile and manually configure the port.

Device Profile

16.10.0010

253557

YA/YB

Symptom: Using REST to retrieve the resource identifier /lldp/remote-device fails to display the IPv4 address of the neighbor.

Scenario: This issue occurred when the REST resource operation GET was used to retrieve the data associated with /lldp/remote-device.

REST

16.10.0010

252993

YA/YB

Symptom: Some RADIUS accounting packets sent to the RADIUS server have a very large size.

Scenario: This issue occurred when a downloadable user role was configured with a user policy, network accounting was enabled, and a client was authenticated.

RADIUS

16.10.0010

253736

YA/YB

Symptom: Disconnect Change of Authorization (CoA) request is not honored.

Scenario: This issue occurred when the radius-server group was configured, a client was authenticated, and a disconnect CoA request with the default nas-id was sent.

Workaround: Configure aaa server-group radius <Group name> nas-id <NAS-ID> where the NAS-ID matches the NAS Identifier value shown in the output of the show radius authentication command.

RADIUS

16.10.0010

253789

YA/YB

Symptom: Switch serial number contains an extra space at the end when it is read using SNMP.

Scenario: This issue occurred when the switch serial number was read using SNMP.

Example:

MIB OID: 1.3.6.1.2.1.47.1.1.1.1.11.1

MIB File: ENTITY-MIB

SNMP

16.10.0010

253342

YA/YB

Symptom: SSH/Telnet/Console connections to the switch fail with an error message: Maximum session limit is reached.

Scenario: This issue occurred when multiple users logged in and out and RADIUS was configured as the primary authentication method.

Workaround: Reboot the switch.

Switch Access

16.10.0010

253407

YA/YB

Symptom: Unable to log in to the switch using TACACS credentials.

Scenario: This issue occurred when a source interface for TACACS was configured using the ip source-interface tacacs command and the switch was upgraded to 16.10.0009.

TACACS

16.10.0010

253290

YA/YB

Symptom: Switch crashes when it is accessed through the web interface.

Scenario: This issue occurred when the switch was accessed using the web interface and RADIUS authentication was configured for web access.

Workaround: Disable RADIUS authentication for web access.

Web UI

16.10.0010

253877

YA/YB

Symptom: The WebUI Security > Clients page displays incorrect MAC addresses, which results in the user role, IP address, and status columns to be empty.

Scenario: This issue occurred when a few workstations with higher value MAC addresses (for example, 9c:dc:71:fb:77:fe) are connected to the last ports of a 2930 stack or the last module of a 5400R.

Web UI

16.10.0009

252885

YA/YB

Symptom: Switch appears down in Aruba Central.

Scenario: This issue occurred because the system time was set to the year 2036, though NTP sync was successful, and the switch was connected to Aruba Central.

Workaround: Configure an NTP server in the switch.

Activate

16.10.0009

252226

YA/YB

Symptom: Switch does not respond during the ZTP process.

Scenario: This issue occurred when connecting to the switch using SSH, while Airwave was transferring the configuration to the switch.

AirWave

16.10.0009

251418

YA/YB

Symptom: Pushing a switch configuration template from Aruba Central fails and a 500 error code is returned.

Scenario: This issue occurred when a configuration template that had no untagged ports in VLAN 1 was pushed from Aruba Central.

Workaround: In the configuration template, add at least one untagged port in VLAN 1.

Central

16.10.0009

253174

YA/YB

Symptom/Scenario: The switch experienced an NMI crash with the following message: Task='ewsCloudRcv'.

Central

16.10.0009

253276

YA/YB

Symptom: Unable to copy crash-files, core-dump, and the show tech all command output from the switch.

Scenario: This issue occurred when executing the copy command with an invalid IP address, file name, hostname, or when parallelly executing the copy command in other sessions.

Workaround:

  • Copy the core file from the web interface.
  • Copy the show tech all command output from the console interface.

CLI

16.10.0009

252833

YA/YB

Symptom: MSTP does not work as expected and does not block ports when it should.

Scenario: This issue occurred when two ports in a loop were in a forwarding state with MSTP and port- security non-default learn mode enabled.

Workaround: Disable port-security.

Spanning Tree

16.10.0009

252613

YA/YB

Symptom: Unable to connect to the switch using SSH.

Scenario: This issue occurred when the switch is configured to use TACACS and a malformed TACACS packet is received by the switch.

Workaround: Reboot the switch.

SSH

16.10.0009

251966

YA/YB

Symptom: The switch sends logging events with a "Z" at the end of the timestamp when the it is not configured to use UTC.

Scenario: This issue occurred when the switch sent syslog messages over TLS.

Syslog

16.10.0009

252443

YA/YB

Symptom/Scenario: The Reboot button is displayed for a few seconds in the Web UI. Clicking it allowed an operator to reboot the switch.

Web UI

16.10.0008

-

YA/YB

Version 16.10.0008 was never released.

-

16.10.0007

252007

YA/YB

Symptom: The switch sends an incorrect CLASS attribute value in the RADIUS accounting packet.

Scenario: When the CLASS attribute is updated during re-authentication of a MAC-authenticated client session, the switch fails to send the new CLASS attribute value in the RADIUS accounting packet.

Workaround: Force a new client authentication session by disabling/enabling the port after the CLASS attribute value changes.

Accounting

16.10.0007

251273

YA/YB

Symptom: The switch incorrectly places clients in the configured authorized VLAN (auth-vid).

Scenario: When using chap-radius authorized option, if the route to the RADIUS server is not resolved during the switch boot up, clients are incorrectly placed in the configured authorized VLAN (auth-vid) rather than the guest VLAN (unauth-vid) or initial-role.

Workaround: Reauthenticate the affected clients.

Authentication

16.10.0007

251927

YA/YB

Symptom: The switch fails to remove CDP configuration for a port.

Scenario: When a port is added to a trunk interface, the switch fails to remove the previous non-default CDP configuration for that port (example: no cdp enable <PORT-NUM>).

Workaround: Remove the non-default CDP configuration from the individual port before adding it to trunk interface.

CDP

16.10.0007

252053

YA/YB

Symptom/Scenario: The switch crashes with an error message similar to:

Software exception in ISR at pvDmaV1Rx.c <...> ASSERT:    No resources available!.

Central

16.10.0007

252267

YA/YB

Symptom: The switch experiences high CPU utilization.

Scenario: In conditions of low network bandwidth or network congestion that cause frequent disconnections from the Aruba Central Portal, the switch experiences high CPU utilization while attempting to reconnect to Aruba Central and while being managed by other NMS applications such as Solarwinds at the same time.

Workaround: Use only one NMS application to manage the switch if network bandwidth capacity or congestion cannot be improved.

Central

16.10.0007

251876

YA/YB

Symptom: The switch may fail to apply the correct VLAN to dynamic trunks.

Scenario: After a reboot of a switch configured for dynamic trunks with device profile enabled on ports, the switch may fail to apply the correct VLAN configured in the device-profile, after the port is joined to the dynamic trunk.

Workaround: Disable and enable device-profile.

Dynamic Trunks

16.10.0007

251972

YA/YB

Symptom: Some clients using the PEAP authentication mechanism are not successfully authenticated.

Scenario: When concurrent authentication requests are sent to the switch using peap-mschapv2, some clients may not be successfully authenticated, even though ACCESS ACCEPT is sent from the RADIUS server.

MAC Authentication

16.10.0007

252131

YA/YB

Symptom: REST API calls may experience some slight delay in execution response.

Scenario: When multiple REST API commands are executed over the same HTTPS session, they may experience a slight delay in execution response.

Workaround: Use a new HTTPS session for each REST API call.

REST

16.10.0007

251475

YA/YB

Symptom: The switch experiences high CPU utilization and possible console connectivity issues.

Scenario: When configuring or modifying aggregated interfaces (trunks) with more than 3 member ports on a switch where there is a very high number of configured VLANs, the switch experiences high CPU utilization and possible console connectivity issues while applying the configuration.

VLAN

16.10.0007

251505

YA/YB

Symptom: The WebUI contains an XSS vulnerability.

Scenario: Configure the editable parameters in the WebUI with values that can cause an XSS attack.

Web UI

16.10.0007

251524

YA/YB

Symptom: The switch fails to display some ports on the Ports page of the WebUI.

Scenario: When aSysName with trailing zeroes is received in the LLDP packet from a neighboring device, the switch fails to list some ports in the Ports page when using the WebUI.

Workaround: To get the information for all ports use one of the following options:

  • Disable LLDP on the port where the device with invalidSysName is connected.
  • Use the traditional web UI to get the information for the affected/missing ports.
  • Use switch CLI commands to get the information for the affected/missing ports.

Web UI

16.10.0006

-

YA/YB

Version 16.10.0006 was never released.

-

16.10.0005

-

YA/YB

Version 16.10.0005 was never released.

-

16.10.0004

-

YA/YB

Version 16.10.0004 was never released.

-

16.10.0003

251317

 

Symptom: A Windows client that joins a domain other than the one defined in Cisco ISE fails to authenticate. The client will also wait more than 5 minutes before attempting MAC address authentication.

Scenario: This issue is observed when MAC and 802.1X authentication are enabled on the port and the configured auth-order is 802.1X-MAC and an initial role.

802.1X

16.10.0003

251280

YA/YB

Symptom: Deploying a switch template through Airwave/Aruba Central fails.

Scenario: This issue is observed when the IP address from VLAN1 is removed from a new configuration template and is pushed to the switch with the "ntpserver-name <server name>".

Workaround: Do not remove the IP address from VLAN 1 in the new template.

Central

16.10.0003

250816

YA/YB

Symptom: Authenticated users are disconnected from the switch.

Scenario: This issue is observed when users disable and enable the interface which connects to the dhcp- relay switch, after configuring the DHCP server, DHCP relay, and DHCP snooping with ip-source lockdown.

Workaround: Disable ip-source lockdown.

DIPLD

16.10.0003

251615

YA/YB

Symptom: An attacker is able to obtain sensitive data without providing valid login credentials after a successful REST query.

Scenario: This issue is observed when web management is enabled on the switch.

REST

16.10.0003

251506

YA/YB

Symptom: The switch manager password is altered to an attack-controlled value.

Scenario: This issue is observed when the user clicks a malicious hyperlink.

Web UI

16.10.0003

251314

YA/YB

Symptom: Switches appear offline in Aruba Central.

Scenario: This issue is observed after the switch software is upgraded from 16.04 to 16.08.

Workaround: Reboot the switch.

ZTP

16.10.0002

250681

YA/YB

Symptom/Scenario: The Topology section of Airwave shows spanning tree details for a switch that does not have spanning tree enabled.

AirWave

16.10.0002

251313

YA/YB

Symptom: The switch experiences a high CPU utilization and loses connection with Central.

Scenario: when the switch is upgraded to 16.08.0001 and a template with tls and cwmp commands is pushed from Central, the switch experiences high CPE utilization and loses the connection to Aruba Central.

Workaround: Remove tls application cloud lowest-version tls1.2 and cwmp from the switch template.

Central

16.10.0002

250600

YA/YB

Symptom/Scenario: The help text for the device-identity lldp oui command indicates that the required input is a MAC-OUI.

Device finger printing

16.10.0002

250392

YA/YB

Symptom: The switch crashes with a message similar to Health Monitor: Invalid Instr Misaligned Mem Access.

Scenario: After an IP address has been reassigned from one VLAN to another VLAN using the menu interface, the switch may crash with a message similar to Health Monitor: Invalid Instr Misaligned Mem Access.

Workaround: Disable the first VLAN and save the configuration from the menu interface. Then, configure the deleted IP address on the second VLAN.

Menu

16.10.0002

245830

YA/YB

Symptom: The switch fails to list the switch ports in the Ports web management page.

Scenario: When a peer device that advertises information in LLDP has a sysName string with special characters, the switch fails to display the port list table on the Ports web management page.

Workaround: Remove the special characters from the peer device sysName or use CLI commands to get specific port information.

Next Gen GUI

16.10.0002

250995

YA/YB

Symptom: Speed-duplex configuration on the port is lost.

Scenario: After configuring an HPE X121 1G SFP LC SX Transceiver ( J4858C) to 1000-full and rebooting the switch, the speed-duplex configuration on the port is lost.

Transceivers

16.10.0002

250896

YA/YB

Symptom: Switch ports are not listed in the web interface.

Scenario: If a peer device advertises an LLDP port ID containing special characters, switch ports are not listed in the web interface.

Web UI

16.10.0001

250681

YA/YB

Symptom/Scenario: The Topology section of Airwave shows spanning tree details for a switch that does not have spanning tree enabled.

AirWave

16.10.0001

250600

YA/YB

Symptom/Scenario: The help text for the device-identity lldp oui command indicates that the required input is a MAC-OUI.

Device identity

16.10.0001

250392

YA/YB

Symptom: The switch crashes with a message similar to Health Monitor: Invalid Instr Misaligned Mem Access.

Scenario: After an IP address has been reassigned from one VLAN to another VLAN using the menu interface, the switch may crash with a message similar to Health Monitor: Invalid Instr Misaligned Mem Access.

Workaround: Disable the first VLAN and save the configuration from the menu interface. Then, configure the deleted IP address on the second VLAN.

Menu

16.10.0002

250995

YA/YB

Symptom: Speed-duplex configuration on the port is lost.

Scenario: After configuring an HPE X121 1G SFP LC SX Transceiver ( J4858C) to 1000-full and rebooting the switch, the speed-duplex configuration on the port is lost.

Transceivers

16.10.0001

245830

YA/YB

Symptom: The switch fails to list the switch ports in the Ports web management page.

Scenario: When a peer device that advertises information in LLDP has a sysName string with special characters, the switch fails to display the port list table on the Ports web management page.

Workaround: Remove the special characters from the peer device sysName or use CLI commands to get specific port information.

Web UI

16.10.0001

250896

YA/YB

Symptom: Switch ports are not listed in the web interface.

Scenario: If a peer device advertises an LLDP port ID containing special characters, switch ports are not listed in the web interface.

Web UI