Release Notes 2.1.2

Release Date: February 9, 2018

Important: If you are upgrading your hardware appliance to version 2.1.2 of our software, contact Tempered Networks Sales for updated licenses.

What's New

New in this release:

The HIPswitch 250 Series
The HIPswitch 250 Series is our newest hardware product and the industry’s first identity-based industrial IoT gateway for Industrial Control Systems, OT, SCADA, and critical infrastructure. The HIPswitch 250 includes highly available uplinks over ethernet and up to two different cellular carriers, all actively monitored using fast failover and the ability to prioritize across both cellular and wired links. It also provides 8 x 1 Gbps and 4 x SFP (fiber or copper) with PoE, eliminating the need for ethernet switches and additional power sources. The HIPswitch 250 can also act as a HIPrelay, a feature introduced in version 2.0 of our software.
HIPclient for macOS and iOS
With this release, the HIPclient is now available for macOS and iOS. Your devices now can natively connect to your IDN overlay, giving them a trusted and verifiable connection wherever you are. Multiple profiles allow you to easily switch between different IDN overlays as needed. Additionally, integration with HIPrelay gives you seamless and secure mobility for your computers running Apple's macOS and your devices running iOS.
Link Manager
Link Manager supports all cellular platforms, including our new HIPswitch 250 Series, providing uplink redundancy and intelligent monitoring for one wired and two cellular uplinks. Dynamic switching occurs based on which port provides the best performance. Default monitors can be customized with your own destinations.
Integration with AWS
You can now create, manage, and retire AWS HIP Services directly from the Conductor UI. After creating a template, you can easily create more HIP Services to function as HIPrelays or protect virtual machines in your VPCs.
HIP Invitations
HIP Invitations, a new feature in 2.1, allow you to add mobile phones, tablets, and computers running a HIPclient or HIPserver to your IDN solution by sending the user an email containing an invitation. When the user accepts the invitation, the Conductor automatically takes care of all the steps to provision, license, manage, name, group, and create policy for the new HIPapp without manual steps by the administrator. HIPinvitations can be sent in bulk to entire organizations, and the Conductor will handle the rest.
Improved alerts and monitoring
In this release we added additional monitors, such as the HTTP GET monitor that allows you to parse web responses from devices in an overlay. Monitors have been expanded to support device groups and HIPservice groups. The event history graphs will now display frequently or recently triggered monitors.
Improved performance
We made significant performance improvements across the board for all platforms, with virtual HIPswitches and the HIPswitch 400 roughly doubling in performance.

Upgrade Considerations

The 2.1.2 release includes all hotfixes from prior releases and addresses all known support cases at the time of release.
Note: You can now upgrade directly to 2.1.2 from either 1.12.6 or 2.0.x. If you are running an earlier version of 1.12.x, we recommend you upgrade to 1.12.6 before upgrading to 2.1.2.
Important: You must upgrade your Conductor to the latest 2.1.2 software if you plan on using the HIPswitch 250 in your environment.
We recommend you upgrade to 2.1.2 if:

You want to take advantage of performance and stability increases in 2.1, especially for our recently added features:

  • Adding our HIPswitch 250 to your environment
  • Increased HIPservice performance
  • HIPclients for additional operating systems
  • Simplified AWS deployments
  • Improved alerts and monitors

You were impacted by any issues discovered in prior releases, especially if you have any of the following:

  • Stability and connectivity issues with HIP Services
  • Issues with the HIPswitch 200

Extensive testing was conducted both in-house and with selected development partners, in lab and in production environments to ensure that performance is equivalent to 2.1. Additionally, 2.1.2 should be more stable than all prior releases.

Enhancements

ID Applies to Description
DEV-5368 Conductor UI An improved version of the import devices feature has been implemented in 2.1.
DEV-6509 Diagnostic mode Shared network ports have been renamed to underlay ports and device ports have been renamed to local device network ports in diagnostic mode.
DEV-3427 HIPclient, Windows Several enhancements have been made to the HIPclient for Windows:
  • Added IP/NIC/routing info, disk usage, memory usage, operating system version, and client installation version/date to event logging

  • Improved titles and formatting to align with other HIPservice diagnostic reports

  • Improved reporting so the log targets an active profile

DEV-3074 HIPclient, HIPserver Multiple profiles have been added to the HIPclient and HIPserver, allowing multiple Conductor configurations.

Fixes

ID Applies to Description
DEV-7070 HIPclient, iOS Fixed an issue where an iOS HIPclient would stop passing traffic through a HIP relay after the relay was restarted.
DEV-7064 HIPswitch, 250 Series Fixed an issue where configuration of multiple ethernet underlay ports in diagnostic mode did not work as expected.
DEV-7061 HIPswitch, 250 Series Fixed an issue where port 7 on the HIPswitch 250 could not be set to 100 Mbps SFP mode.
DEV-6767 HIPserver, Windows Fixed an issue that caused the HIP service process to stop responding, preventing the HIPserver from restarting properly and coming back online.
DEV-6726 HIPswitch Fixed an issue where the ping tool did not work correctly from the Tools page in diagnostic mode.
DEV-6704 Conductor Fixed an issue where you could no longer edit the underlay port of a HIPswitch in one-arm mode if one-armed mode removed and multiple underlay network ports were configured.
DEV-6653 Conductor Fixed an issue where a deleted HIPswitch that comes back online does not report traffic stats.
DEV-6524 HIPswitch, 400 Series Fixed an issue where a HIPswitch 400 loses connectivity to the Conductor when configuring the HIPswitch to use one-arm mode.
DEV-6523 HIPswitch, 400 Series Fixed an issue where changing the port configuration on a HIPswitch 400 would not revert back to its previous configuration if it was unable to contact the Conductor.
DEV-6505 Conductor Fixed an issue where PCI reporting logs may include some passwords in the output.
DEV-6376 HIPclient, Windows Fixed an issue where HIPclients continue to report health data at five minute intervals, regardless of changes made in the Conductor.
DEV-6268 Conductor Fixed an issue where two devices in two different device groups with policy to each other would cause the connection between the HIP Services and Conductor connection to restart repeatedly.
DEV-6174 Conductor Fixed an issue where a smart device group containing a HIPswitch group in its rules would prevent any device activated from a HIP invite to be added to the group automatically.
DEV-6073 Conductor Fixed an issue where HIPswitch connections to Conductor would fail if network latency was greater than 500ms.
DEV-5965 Conductor Fixed an issue where re-enabling a revoked HIPclient would not preserve its external IP address.
DEV-5891 HIPswitch HIPswitches will now advertise their NAT underlay IP address, if set.
DEV-5857 HIPswitch A HIPswitch 200 diagnostic report does not display CPU temperature.
DEV-5541 Conductor Fixed an issue where the Limit upload bandwidth option would disallow a packet capture on a HIPswitch until the it reboots.
DEV-5529 HIPswitch Fixed an issue where adding an invalid overlay route to a HIPswitch from the Conductor UI would not create a route on the HIPswitch.
DEV-5526 Conductor UI Fixed an issue where the Conductor would show devices that became active in real-time, not when active devices became inactive.
DEV-5425 BaseOS Fixed security vulnerability CVE-2017-8890

https://nvd.nist.gov/vuln/detail/CVE-2017-8890

DEV-3989 Conductor Fixed an issue where you could pair HIPswitches in HA if there was no HA interface.
DEV-3619 Conductor Fixed an issue where a recent activity email would include notifications for offline HIPclients.

Known Issues

ID Applies to Description
DEV-7153 HIPswitch 400,HIPswitch 500
You may experience the following issues when configuring expansion ports in diagnostic mode on the HIPswitch 500 and the HIPswitch 400 with an 8-port expansion module:
  • The priority field is visible while the expansion port is disabled.
  • Changing an expansion port to an underlay port does not enable editing of the priority field. Apply the change and then refresh your browser to allow edits to the priority field.
  • Due to the issue above, multiple ports may temporarily have the same priority until you have finished changing the priority field, which is normally not allowed.
DEV-7157 HIPclient, Windows Underlay traffic stats are not displayed in the Conductor if MTU is set to greater than 9000.

Workaround: None

DEV-7145 HIPswitch 400, HIPswitch 500 The HIPswitch 400 and HIPswitch 500 may display Manage in Conductor on the LCD display panel before being configured with a Conductor URL.

Workaround: None

DEV-7143 HIPswitch 400 The HIPswitch 400 LCD panel may continuously display Firmware Updating after applying a Hotfix from the Conductor.

Workaround: None

DEV-7125 PCI When exporting PCI data, HIP Services references may not display correctly when viewing the CSV file in Microsoft Excel.

Workaround: None

DEV-7092 Conductor On the Check Connectivity section of the Diagnostic tab for a HIPservice, auto-discovered devices may display as protected devices.

Workaround: None

DEV-7050 Conductor When configuring a new Conductor, you may receive an error when trying to accept the EULA.

Workaround: Change the URL in your browser to <ConductorURL>/app to continue.

DEV-6590 Conductor You can add a voucher code more then once from the Licensing tab. This does not create additional licenses, but is visually confusing. This will be fixed in a later release.

Workaround: None

DEV-6587 Conductor The Licensing tab may display invalid entries.

Workaround: Remove the invalid items manually.

DEV-6533 Conductor When creating or editing a smart device group, rules can have the same original values. This can cause unintended issues in the processing results.

Workaround: When creating rules, verify each rule has a unique ordinal value.

DEV-6507 Conductor The throughput graph for a HIPservice may occasionally miss a data point and draws it as a zero value.

Workaround: Refresh the page to properly display the data point.

DEV-6459 Conductor Devices configured with serial-over-IP do not display in the Add devices list when attempting to add them to an overlay.
Workaround:
  1. Create a new Smart Device Group (SDG)
  2. Add a CIDR rule to the SDG and set the argument to deviceIP/32
  3. Check only match overlay device IP
  4. Click Save
  5. You chould now be able to sucessfully add the group containing the device to your overlay
DEV-6446 HIPclient, iOS When viewing traffic stats in the iOS app, the chart may show negative values instead of zero.

Workaround: None

DEV-6226 Conductor Currently a fully qualified domain name cannot be used for local or peer replication addresses on an HA Conductor pair.

Workaround: None

DEV-6196 Conductor When configuring the Conductor URL in diagnostic mode, you are able to enter an invalid IP address without receiving an error message.

Workaround: None

DEV-6195 Conductor The Conductor incorrectly displays an option to check bandwidth for HIPclients in diagnostic view. This option is not supported for HIPclients and will not function correctly if selected.

Workaround: None

DEV-6172 Conductor When assigning a 1.x.x.x local device IP address to a HIPclient, the Conductor may continue to display the previous IP of the device.

Workaround: None

DEV-6130 HIPclient, Windows Setting or removing a Local Device IP on a Windows HIPclient may cause the client to report that the HIPservice is not running.

Workaround: Restart the HIPclient to resolve the issue.

DEV-5832 HIPswitch Device NAT functionality currently does not work with layer 2 traffic.

Workaround: None

DEV-5530, DEV-5441 Conductor UI In some cases, Allow incoming pings (ICMP) and SYN Flood Protection on the Firewall page may be disabled and won't toggle.

Workaround: Refresh your browser to resolve the issue.

DEV-5448 Conductor UI Clicking the Swap roles button for a secondary HA-paired HIPswitch will cause the UI to stop responding.

Workaround: Refresh your browser.

DEV-5434 Conductor UI Clicking Detect Devices repeatedly on the HIPswitch properties page will generate excess traffic.

Workaround: Give the Conductor time to complete the operation.

DEV-5430 Conductor After configuring a Conductor for the first time, you may receive a Lost connection to the original server message if you select Return to settings too quickly.

Workaround. Wait at least 20 seconds before selecting Return to settings.

DEV-5428 Conductor UI When you create a Smart Device Group with Ignore auto-discovered devices until accepted checked and then remove the setting, the Smart Device Group will continue to ignore unaccepted devices.

Workaround: None

DEV-5343 Conductor UI If you try and log in after your session has timed out, you may receive the following error:

The change you wanted was rejected.

Workaround: Refresh your browser and log in.

DEV-5008 PCI Reporting PCI Reporting shows the UUID reference instead of the name when generating a PCI report from Settings > Advanced > PCI Reporting > Downloads > User Activities Report > .

Workaround: To view names, you can download object references from the same page where you generated the PCI report.

DEV-4846 HIPswitch If a HIPswitch is in port one-arm mode and device discovery is enabled, the HIPswitch will report an error.

Workaround: None

DEV-4537 Conductor When demoting a master Conductor to standby, the processing screen might not correctly update.

Workaround: Refresh your browser.

DEV-2417 Conductor UI The password reset email link defaults to the first web enabled interface, and will be successful only if an administrator configures the first interface with a publicly-facing default route.

Workaround: None.

DEV-1846 Conductor, HA Currently the standby Conductor UI in an HA pair will not timeout. This issue does not affect the master Conductor UI.

Workaround: Log off manually when not using the standby Conductor UI.