AirWave 8.2.9.0 Won't take Flashbackups of MD's

  • 1.  AirWave 8.2.9.0 Won't take Flashbackups of MD's

    Posted Jun 26, 2019 07:41 PM

    It appears that AirWave 8.2.9.0 enables stronger SSH ciphers. 

    Specifically: 

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

    MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512

    KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384

     

    AOS 8.2.1.1 (Aruba Activate's default image as of June 2019) does not support any of these ciphers.

     

    The config will back up with proper SNMP configuration, but the flashbackup, which uses SCP, will fail.

     

    Aruba TAC does not have an answer yet as to what the highest level of SSH cipher 8.2.1.1 will support to be able to add to AirWave /etc/ssh/sshd_config.

     

    So if your flashbackups and SCP firmware upgrades are failing after upgrading to 8.2.9.0, you'll likely need to downgrade the SSH cipher suites in use.

     

    For those using FTP to upgrade, we are also running into issues with the ncftpget process on the controllers and receiving a "could not accept data socket." error; switching over to SCP resolved the issue.

     



  • 2.  RE: AirWave 8.2.9.0 Won't take Flashbackups of MD's

    EMPLOYEE
    Posted Jun 27, 2019 05:21 AM

    Please open an Aruba TAC case. If what you describe is true, it should be fixed in the near future and TAC may be able to provide a workaround for now.



  • 3.  RE: AirWave 8.2.9.0 Won't take Flashbackups of MD's

    Posted Jun 27, 2019 09:32 AM

    Already have a TAC Case open, awaiting a response from them on the SSH Ciphers that 8.2.1.1 supports.



  • 4.  RE: AirWave 8.2.9.0 Won't take Flashbackups of MD's

    Posted Jun 27, 2019 10:41 AM

    Looks like the offending ciphers are aes128-cbc, aes256-cbc.

    CBC was removed from AirWave 8.2.9.0, and the config / initial setup from Aruba Activate deploys 8.2.1.1 that does not appear to be using/supporting aes128-ctr or aes256-ctr.



  • 5.  RE: AirWave 8.2.9.0 Won't take Flashbackups of MD's
    Best Answer

    Posted Jul 04, 2019 09:56 AM
    Resolution is to add aes128-ctr and/or aes256-ctr Ciphers back to /etc/ssh/sshd_config

    Last update from TAC was that they may add these back in the next patch release.
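
Added example, not part of the thread and not Aruba's code: a small check that reports which sshd_config directive leaves an SSH/SCP client with no common algorithm, using the three lines quoted in post 1 and the first-client-preference-the-server-also-lists rule from RFC 4253 section 7.1. The client offers are constructed: the CBC-only cipher list follows post 4, while the MAC and key-exchange offers and the second client are assumptions for illustration.

```python
# Server side: the three directives quoted in post 1 (explicit lists only).
SSHD_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384
"""
DIRECTIVES = ("ciphers", "macs", "kexalgorithms")

# Constructed client offers (assumptions, not captured from a real controller).
CBC_ONLY_CLIENT = {
    "ciphers": ["aes128-cbc", "aes256-cbc"],           # per post 4
    "macs": ["hmac-sha1"],                             # assumed
    "kexalgorithms": ["diffie-hellman-group14-sha1"],  # assumed
}
CTR_CLIENT = dict(CBC_ONLY_CLIENT, ciphers=["aes128-ctr", "aes128-cbc"])

def parse_sshd_algorithms(text):
    """Return {directive: [algorithms]} for Ciphers, MACs and KexAlgorithms."""
    server = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()                # sshd keywords are case-insensitive
        if key in DIRECTIVES and key not in server:   # first occurrence wins
            server[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return server

def negotiate(client_offer, server):
    """Pick, per directive, the first client algorithm the server also lists."""
    return {
        key: next((a for a in client_offer.get(key, [])
                   if a in server.get(key, [])), None)
        for key in DIRECTIVES
    }

def failing_directives(client_offer, config_text=SSHD_CONFIG):
    """List the directives with no algorithm in common (the session would fail)."""
    chosen = negotiate(client_offer, parse_sshd_algorithms(config_text))
    return [key for key, algo in chosen.items() if algo is None]

if __name__ == "__main__":
    for name, offer in (("cbc-only", CBC_ONLY_CLIENT), ("ctr-capable", CTR_CLIENT)):
        print(name, "no overlap in:", failing_directives(offer) or "none")
```

On a live system the server list comes from /etc/ssh/sshd_config on the AirWave host and the client list from what the controller actually offers during key exchange.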