Caveats in Communications Broker Release 4.2.0
The following items provide key information about upgrading and downgrading with Oracle Enterprise Communications Broker Release 4.2.0:
Upgrade and Downgrade Caveats
Platform-Specific Downgrade Limitations
Do not attempt to downgrade Communications Broker to a release not supported by your platform. See the Supported Platforms table for a matrix of platforms and supported releases.
Connection Failures with SSH/SFTP Clients
If you upgrade, and your older SSH or SFTP client stops working, check that the client supports the minimum ciphers required in the ssh-config element. The current default HMAC algorithm is hmac-sha2-256. The current key exchange algorithm is diffie-hellman-group14-sha256. If a verbose connection log of an SSH or SFTP client shows that it cannot agree on a cipher with the SBC, upgrade your client.
SSH Host Key Algorithms
Session Border Controller offers rsa-sha2-512 as the default host key algorithm. SSH clients that offer only a SHA1 hash algorithm, such as ssh-rsa, are not supported; your SSH client must offer a SHA2 hash algorithm. If you see an error message: "no matching host key type found", upgrade your SSH client to one that supports SHA2 host key algorithms.
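As an added illustration covering this caveat and the SSH/SFTP connection-failure caveat above (not Oracle code), the following Python example scans a client log for failed algorithm negotiations and checks the server's offer against the defaults named on this page. It assumes an OpenSSH client, whose "Unable to negotiate ... Their offer:" wording is matched here; the log lines, the 192.0.2.10 address and the aes256-ctr offer are constructed.

```python
import re

# Defaults stated in the caveats above, keyed by OpenSSH's failure wording.
PAGE_DEFAULTS = {
    "MAC": "hmac-sha2-256",
    "key exchange method": "diffie-hellman-group14-sha256",
    "host key type": "rsa-sha2-512",
}

# Assumed OpenSSH client wording for a failed algorithm negotiation.
FAILURE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<offer>\S+)"
)

def diagnose(log_text):
    """Return one finding per negotiation failure in a client log."""
    findings = []
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m is None:
            continue
        kind = m.group("kind")
        offer = m.group("offer").split(",")
        default = PAGE_DEFAULTS.get(kind)
        # The server offered the documented default and the client still
        # failed, so the client lacks it: the fix is a client upgrade.
        client_lacks = default if default in offer else None
        findings.append({"peer": m.group("peer"), "kind": kind,
                         "server_offer": offer, "client_lacks": client_lacks})
    return findings

# Constructed sample log (documentation address, not a captured session).
SAMPLE_LOG = """\
debug1: Connecting to 192.0.2.10 [192.0.2.10] port 22.
debug1: kex: algorithm: diffie-hellman-group14-sha256
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: rsa-sha2-512
Unable to negotiate with 192.0.2.10 port 22: no matching MAC found. Their offer: hmac-sha2-256
Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes256-ctr
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        action = (f"upgrade client: it lacks {f['client_lacks']}"
                  if f["client_lacks"] else "compare offer with ssh-config")
        print(f"{f['peer']}: no common {f['kind']} -> {action}")
```

A finding with `client_lacks` set means the device offered the documented default and the client could not match it; a finding without it means the offer should be compared against the ssh-config element instead.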
Diffie-Hellman Key Size
For TLS negotiations on SIP interfaces, the default Diffie-Hellman key size offered by the Communications Broker is 1024 bits. The key size is set in the diffie-hellman-key-size attribute in the tls-global configuration element. Increasing the key size to 2048 bits significantly decreases performance.
Default TLS Version
Releases prior to Communications Broker Release 4.1.0 do not support TLS 1.3. Release Communications Broker does not support TLS 1.0 or TLS 1.1. If you are downgrading from Communications Broker Release 4.2.0 to a release prior to Release 4.2.0, set your tls-version to compatibility.
Downgrade Caveat for NTP Configurations using an FQDN
If you create a realm-configuration for providing resolution of FQDNs for NTP servers using the wancom0 interface, Oracle recommends that you remove this wancom0 realm-config before downgrading to a version that does not support FQDNs for NTP servers.
If you retain this configuration, you will lose SSH and GUI access after the downgrade. To recover from this issue, use console access to remove the wancom0 realm-config. Also, remove the wancom0 phy-interface and network-interface. If you configure FQDN resolution for NTP servers through a media interface, you can downgrade to a version that does not support this resolution without removing the configuration.
During LDAP configuration, Address of the record and look-up queries are not available
SDM: In LDAP configuration, address of the record and look-up queries are not available.
Workaround: Configuration using the Web GUI and ACLI
LDAP SNMP Trap Support
- 1.3.6.1.4.1.9148.2.1.8.9 apSmgmtLDAPCap
- 1.3.6.1.4.1.9148.3.2.4.2.10 apSysMgmtLDAPServerStatusGroup
- 1.3.6.1.4.1.9148.3.2.4.3.15 apSysMgmtLDAPServerStatusNotificationsGroup
HA Limitation
HA switchover causes TCP/TLS ports to be reset. This terminates the TCP/TLS calls that were in progress on the formerly active Communications Broker. New call setup over TCP/TLS, however, is successful.
Logging Limitation
Setting Logging to DEBUG while running a configuration greater than 300k degrades system performance. Under this condition, set Logging to WARNING or NOTICE, and use DEBUG only when absolutely required.
LDAP Support
Only the default "ecb" network can support LDAP. Additional networks cannot.
Registrar Support
Only the default "ecb" network can act as the registrar. Additional networks cannot.
ECB Sync Compatibility
ECB Sync is supported only between nodes with the same configuration platforms. For example, X8-2 to X8-2, X9-2 to X9-2, VM to VM are supported. Both Communications Brokers participating in ECB Sync must have the same number of Cores.
Deprecated Ciphers
The system deprecates the following ciphers, adhering to recent OpenSSL changes intended to eliminate weak ciphers:
- All DES-CBC ciphers, including:
  - TLS_DHE_RSA_WITH_DES_CBC_SHA
  - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
Note:
The ACLI may still display these ciphers when you run cipher-list ?, but the system does not support them.