Release Notes 2.1.7
Release Date: November 11, 2019
Tempered Networks has released 2.1.7 which is intended to be the last of the 2.1.x releases. This release addresses, exclusively, maintenance and stability issues for the Conductor & HIPswitch and provides enhanced security.
What's New
New in this release:
- Upgrade HIPswitch and Conductor to OpenSSL 1.1
-
OpenSSL 1.0 goes out of support at the end of 2019. This is a proactive upgrade to the new version of the library.
- Conductor Connection Failsafe
- HIPswitches now have a watchdog monitor for the Conductor connection that will force a re-connect if it determines the current connection is unresponsive or missing. This should allow HIPswitches to reconnect in more cases without requiring human intervention (e.g., manual rebooting or other diagnostic activities that can require physical access to the HIPswitch).
- Conductor database consistency checker
- Conductors now periodically check for and repair data consistency issues. This improves the reliability of the system and should allow more issues to be resolved without human intervention.
Upgrade Considerations
The 2.1.7 release includes all hotfixes from prior releases and addresses all known support cases at the time of release.
You may upgrade HIPswitches to 2.1.7 provided you are running Conductor 2.1.7.
| We recommend you upgrade to 2.1.7 if: | |
|---|---|
| You want to take advantage of performance and stability increases in 2.1.7, or use any of the following features: | You were impacted by any issues discovered in prior releases, especially if you have any of the following: |
|
|
Extensive testing was conducted both in-house and with selected development partners, in lab and in production environments to ensure that performance is equivalent to 2.1.6. Additionally, 2.1.7 should be more stable than all prior releases.
Fixes
| ID | Applies to | Description |
|---|---|---|
| DEV-11908 | Conductor | Fixed an issue where viewing a HIPservice group in Diagnostic mode now refreshes the list of available HIPservices, correctly. |
| DEV-11863 | HIPswitch-Cellular | A HIPswitch now connects via a newly installed Cell Module, when the new Cellular Module is installed after a firmware downgrade. |
| DEV-11182 | Cloud-Azure | Microsoft Azure now supports ICMP. You are able to add ICMP rules to the Conductor and HIPswitch security groups. |
| DEV-11756 | HIPswitch | For the HIPswitch-500 and Conductor-500 platforms: Fixed an issue where the hardware LAN bypass feature was turned on during power off. Ports 1-2, 3-4, 5-6, 7-8 were bypassed (physically connected together) when the system was powered off. |
| DEV-11478 | HIPswitch | Fixed a bug with the Conductor-HIPswitch Time Synchronization and added a Watchdog functionality for the Conductor connection on HIPswitches. |
| DEV-11305 | Cellular modem | Improved USB driver reliability, so Cellular Modems reliably recover from Modem Firmware crashes. |
| DEV-11194 | Conductor | This issue is fixed where Factory resetting a HIPswitch would sometimes delete Event Monitors targeted at Device Groups or HIPservice Groups. |
| DEV-11047 | Conductor | Added a Warning Dialog to the Conductor upgrade process if the customer has HIPswitches which are not compatible with 2.2.x. |
| DEV-10822 | HIPswitch | Fixed a bug where entering leading zeros, in the VLAN tag input fields on the Ports Configuration page, could the HIPswitch to be unable to function. |
| DEV-10770 | HIPswitch-Cellular | When downgrading a HIPswitch-150 from 2.2.0 to 2.1.6 the cellular link, LEDs are now functional. |
| DEV-10723 | Conductor | Fixed a bug where tags were removed from HIPswitches when performing Diagnostic actions. |
| DEV-10696 | HIPswitch | Relay probes will now probe all published addresses for a Multi-homed 2.2.x Relay. The 2.1.7 HS itself still does not support multi-homing, so probes only originate from one preferred (IPv4 or IPv6) address. |
| DEV-10588 | Conductor | When creating a Monitor action that is an HTTP Action (HTTP GET), the URL field now allows for both the Host names and IP address. |
| DEV-10560 | Conductor | Fixed a bug that could prevent customers from saving Overlay DHCP settings. |
| DEV-10390 | HIPswitch-Cellular | Improved the functionality on the HIPswitch-150 and correctly applies power to the Expansion Bay on boot-up, even when the USB console cable has been connected, prior to applying main system power. |
| DEV-10203 | HIPswitch | Fixed an issue where the default Underlay Fail-safe (reboot) settings did not get applied correctly. |
| DEV-10159 | HIPswitch | Updated the HS-150 platform to allow multiple Underlay Interfaces (wired and cellular) to HA-pair. |
| DEV-9953 | Conductor | A check is in place to prevent a customer from adding a HIPSwitch’s Underlay IP address as a device IP for itself. |
| DEV-9949 | HIPswitch-Cellular | Enabled modem statistics collection for HIPswitch-150 with an MC7430 modem installed. |
| DEV-9876 | OpenHIP | Fixed an issue where broadcast/multicast packets being sent on a busy HIPswitch, having many tunnels (e.g., hub with many spokes), causes the HIPswitch to crash and restart. |
| DEV-9830 | HS100 | You can now reboot a HIPSwitch from both Diagnostic Mode and the Command Line. |
| DEV-9829 | HIPswitch | Diagnostic Mode now displays None, when there is no Part Number file. |
| DEV-9800 | Conductor | The HIPswitch displays the tags correctly, when you toggle between Transparent Mode and Protected Mode. |
| DEV-9524 | HIPswitch | Fixed a bug that caused Diagnostic Device pings to fail on HIPservices after an HA fail-over. |
| DEV-9939 | Conductor | Fixed a bug where opening and closing the Conductor Proxy settings will not save blank values. |
Known Issues
| ID | Applies to | Description |
|---|---|---|
| DEV-11350 | HIPapp |
UserAuth sometimes does not work with 2.1.6 HIPswitches. Workaround: None |
| DEV-11095 | HIPapp-Android |
Android HIPclient 2.1.6 is not able to pass traffic with another HIPclient with User Authentication feature enabled. Workaround: Upgrade Android HIPclient to 2.2.1 or later. |
| DEV-11196 | HIPswitch | HTTP GET monitor does not work as expected.Workaround: HTTP GET monitor on a 2.1.6 HS with a 2.1.7 Conductor will not work. Please upgrade the HS to 2.1.7. |
| DEV-11047 | Conductor |
A 2.1.6 Conductor with map1 HS is not blocked from upgrading to 2.2. Workaround: None |
| DEV-10638 | HIPswitch |
CLONE (2.1.7) - Health data is sent when it is disabled in the Conductor. Workaround: None |
| DEV-9813 | Conductor |
The Route Notice check does bit check the currently configured routes. Workaround: The UI warns that you need an Overlay Gateway Address even though one is already configured. |
| DEV-9779 | Conductor |
Using the mvebu image as an example, it lists the 250 variants before the 150 variants. The x86 image is fine. Workaround: The list of platforms supported on a build image should list them in numerical order |
| DEV-9761 | Conductor |
The Conductor net/net utility incorrectly allows the setting of two (2) default routes. Workaround: Set only one (1) default route and then apply static routes via the Setup page, under Conductor UI General Settings,. |
| DEV-9782 | HIPclient, all platforms |
HIPclient chooses an incorrect interface and cannot establish a connection with devices behind a HIPswitch running on the Google Cloud Platform (GCP). It has to do with having multiple active interfaces. Workaround: In the HIPclient configuration, select your desired network interface instead of allowing the HIPclient to automatically choose an interface. |
| DEV-9697 | Conductor |
Removing the Conductor HA does not remove the standby Conductor's address from the HIPswitch Conductor search list on HIPswitches running versions previous to 2.0. Workaround: De-configuring Conductor HA does not remove the Standby Conductor's address from the HIPswitch Conductor search list on HIPswitch versions older than v2.0. Customer should upgrade to 2.1x. |
| DEV-9397 | Conductor |
If you perform a factory reset on a Conductor that's in HA-mode, the database gets into a bad state and Postgres won't start. Note that a second factory reset fixes the issue. Workaround: Factory resetting a Conductor that's in an HA-pair doesn't work correctly the first time. To fix this, a second factory reset is required. |
| DEV-9200 | HIPswitch |
When attempting firmware upgrades get failure messages. Workaround: The first attempt to upgrade fails, reboot the HS and upgrade again. (this clears out old /tmp files) |
| DEV-9166 | HIPswitch, Cloud |
When route injection is enabled, a HIPswitch protected subnet must contain only one HIPswitch. Additionally, any custom routes added to the route table are deleted when route injection is enabled. Workaround: If you want to deploy multiple HIPswitches in the same protected subnet or keep your custom routes, disable route injection. |
| DEV-9125 | HIPswitch |
101g: Ping peer HIPswitches pings wrong Underlay IP. Workaround: On Mac and Linux HIPapp, if your computer has multiple active NICs and you select a specific NIC in HIPapp configuration, it instead lets the operating system chose the NIC for outbound traffic. |
| DEV-8097 | HIPclient, macOS |
If your computer has multiple active NICs and you select a specific NIC in your HIPclient configuration, the operating system will choose the NIC for outbound traffic. Workaround: None |
| DEV-8060 | Conductor |
In rare cases, the Conductor HA pair will stop syncing. Workaround: If this happens, promote the HA-secondary to a primary, then re-pair them. |
| DEV-8051 | Conductor |
The IP address field on associated with a HIPswitch may be blank on the HIPservices tab. Workaround: You can locate the IP address information under the Reporting tab. |
| DEV-7769 | Conductor |
Toggling policy on and off too quickly on a HIPswitch hosted in Google Cloud can result in the Route Table becoming out of sync when using route injection. Workaround: After toggling policy, wait 10 seconds before toggling it again. |
| DEV-7058 | HIPswitch |
When reconfiguring your Underlay network from one physical port to another in the Conductor, the changes may not be applied successfully and the configuration will revert back to the original settings. Workaround: Make the configuration changes in diagnostic mode. |
| DEV-6590 | Conductor |
You can add a voucher code more then once from the Licensing tab. This does not create additional licenses, but is visually confusing. Workaround: None |
| DEV-6587 | Conductor |
The Licensing tab may display invalid entries. Workaround: Remove the invalid items manually. |
| DEV-6533 | Conductor |
When creating or editing a smart device group, rules can have the same ordinal values. This can cause unintended issues in the processing results. Workaround: When creating rules, verify each rule has a unique ordinal value. |
| DEV-6226 | Conductor |
A fully qualified Domain name cannot be used for local or peer replication addresses on an HA Conductor pair. Workaround: FQDN for Local or Peer Replication address on an HA Conductor pair can be used ONLY IF the reverse lookup yields the same FQDN |
| DEV-5832 | HIPswitch |
Device NAT functionality currently does not work with layer two (2) traffic. Workaround: None |
| DEV-5530 | Conductor UI |
In some cases, allow incoming pings (ICMP) and SYN Flood Protection on the Firewall page may be disabled and won't toggle. Workaround: Refresh your browser to resolve the issue. |
| DEV-5430 | Conductor |
After configuring the Conductor for the first time, you may receive a Lost Connection to the original server message if you select Return to settings too quickly. Workaround. Wait at least 20 seconds before selecting Return to settings. |
| DEV-5008 | PCI Reporting |
PCI Reporting shows the UUID reference instead of the name when generating a PCI report from Settings > Advanced > PCI Reporting > Downloads > User Activities Report. Workaround: To view names, you can download object references from the same page where you generated the PCI report. |