Release Notes 2.2.1

Release Date: September 16 , 2019

IMPORTANT: Migrating existing Deployments to 2.2

The 2.2 release brings a significant change to the base platform configuration and capabilities of a HIPswitch. HIPswitch versatility is dramatically increased. To achieve this, we had to give up some functional interoperability between version 2.2 and prior versions of HIP Services and Conductor. Also, Conductor 2.2 will no longer be able to manage HIP Services prior to version 2.0. While most things still work across versions 2.1.x and 2.2 during your upgrade, we recommend that 2.2.x deployments migrate completely as soon as possible using the following order:

Upgrade your Conductor to 2.1.6
Upgrade all HIP Services to 2.1.6
Before proceeding, ensure you have no MAP1 clients
Upgrade HIP Services to 2.2.1

For more information on upgrading your Conductor to 2.2.1 from prior versions, review Conductor and HIP Service Upgrades.

What’s New

HIP Tunnel Monitoring

New in this release is the ability to monitor HIP tunnel state changes directly. You can configure a monitor to watch the HIP tunnel to a particular remote HIP Service or to all trusted peer HIP Services. As with all monitors, you can create actions on events to alert, change policies, etc.

HIP tunnel stats graph

The tunnel stats introduced in 2.1.5 for HIP relays is now available for all HIP Services. You can see Tx and Rx bits between any pair of HIPswitches, allowing you to troubleshoot underlay and overlay connectivity issues.

OpenID Connect

Conductors now support OpenID Connect as an external authentication provider type. You can now use an Identity and Access Management tool such as Okta or OneLogin and integrate Single Sign-On (SSO) or Multi-Factor Authentication (MFA) support.

Multiple Underlay Networks

We now support active/standby multi-homed wired and wireless uplinks, even allowing communication between different ISPs. Multiple Underlay Networks give you more control over which link handles HIP tunnels and which link handles connection to the Conductor.

Multiple Overlay Networks

We now support isolation between port groups. Each overlay port group has its own overlay IP, static routes, and related network settings. Each overlay port group bridges its interfaces, but communication between port groups requires policy.

Portgroup Configuration

The HIPswitch > Ports user interface has been completely overhauled to enable the configuration of multiple underlay and overlay port groups. Several things that were configured in different places in 2.1.x are now consolidated in one location:

Port group
Port role
Link Manager settings
Wi-Fi
Cellular
802.1q VLAN tags
Overlay IP/Netmask

Interfaces appear on the screen with live status information from the HIP Service. Also, all configurations are committed only after the HIP Service validates and successfully implements the changes, eliminating disagreement between what is configured in the Conductor and what is actually implemented in the HIP Service.

Network Objects

You can now use a CIDR (like 10.3.5.0/24) instead of a /32 for a device address. The term Network Objects simply refers to a device that uses a CIDR, and this device can be used wherever you would use any other device, like in device groups and overlay networks. Using network objects, you can allowlist an entire IP network in one click. This should make policy migration from Firewalls and Routers during new deployments much easier. Site-to-site VPN becomes trivial. More specific policies are still supported, so you can create wide policies to open general site-to-site traffic and still segment traffic to HIP Services.

Negative policies are also supported so you can allow networks or individual IP addresses (like a router) and then create exceptions using a negative policy (like a firewall).

This makes it much easier to manage HIP Services. Configurations become simpler, shorter, and easier to maintain. For cloud-based HIP Services, route injection is much simpler because routes are summarized.

User Auth (Windows, Mac, Android; iOS to release shortly)

MacOS and Android now support the user authentication feature introduced in 2.1.3 Windows clients and HIPservers. OS will support this feature in a later release. This feature allows an admin to require client users to provide an additional factor of authentication, currently username and password, to access the overlay for a period of time. Since usernames and passwords are centrally managed, this mitigates concerns about stolen laptops or devices, giving an admin a centrally managed way to approve and deny overlay access.

New shell for HIPswitches (hipsh)

New in this release is HIPshell, a console that replaces the special login user accounts such as like mapconfig, macinfo, and factory reset. HIPshell provides tab-completion, inline help, and greatly expands your ability to deploy & configure a HIP Service directly without going into diagnostic mode.

Overlay Intrusion Prevention Monitor (snort)

Intrusion Prevention allows you to activate any number of pre-defined rule sets. Traffic on the overlay is inspected and if a rule matches, an event is created and sent to the Conductor. You can define event actions based on Snort events.

HIPswitch Latency improvements

On certain platforms with a single CPU core, the data plane latency has been reduced from 7ms to approximately 2ms. However, it is important to note that the reduction in latency can vary and depends on concurrency, packet sizes, and various other factors, but in general the latency through a HIP Service is reduced.

HIP relay Performance improvements

In version 2.2, we improved the speed of HIP relay traffic using XDP acceleration, allowing HIP traffic to scale even more on your existing hardware.

Full tunnel Windows clients and HIPservers

In prior releases, a client or HIPserver needs policies to opt-in to the overlay network, the default being split tunnel. In version 2.2, an administrator can check a box on the client or HIPserver in the Conductor to make the default full tunnel and capture all network traffic into the overlay, allowing for a few exceptions that may be in the underlay like DNS, AD, etc. Please note this is Windows only; macOS clients and Linux HIPservers will be available in a future release.

Multiple VLAN Tags per interface

We now support trunk ports, allowing you to have two or more VLANs configured on an interface. Each VLAN tag makes a new sub-interface. For example, VLAN tag 25 on eth0 creates a virtual interface named eth0.25. These interfaces can go into various port groups. East-West policies in the Conductor can be built between devices in different VLANs. Please note that you can still create bridges between VLANs as you did in version 2.1.x and earlier.

MAPv1 no longer supported

Conductor version 2.2 and beyond will no longer be able to manage HIP Services running 2.0 and earlier. Please note that this requires you to upgrade your HIP Services to version 2.0 or later your Conductor to version 2.2. Review the upgrade section at the beginning of this document for more information about the recommended upgrade process.

Dual-use port mode deprecated

Dual-use mode for interfaces is no longer available. Using multiple port groups and trunk ports, it is now much easier to implement split-tunnel with East-West policies. You can add the DNS, AD, and other servers as protected devices to a HIP Service and give them a separate overlay port group connected to the underlay network. In Conductor, you can then give your protected devices policy to the DNS, AD, etc., servers.

Upgrade Considerations

We recommend that you upgrade to 2.2.1 if:


You want to use any of the following features:	You were impacted by any issues discovered in prior releases, especially if you have any of the following:
Multiple Overlays Multiple Underlays Port Groups Network Objects	Note: Due to the large number of changes in this release, we recommend you continue to use 2.1.x unless you need one or more of the new features described above.

Important: If you are using SHA-1 for the ESP transform, you should convert to SHA-256 before upgrading to 2.2.1.

Note: You may upgrade HIPswitches to 2.2.1 provided you are running Conductor 2.2.1. Prior versions do not properly manage HIPswitch 2.2.1.

Fixes


ID	Applies to	Description
DEV-11194	Conductor	Fixed a bug where performing a Factory Reset on a HIPswitch keeps the event monitors targeted at device groups or HIP Service groups.
DEV-11144	Conductor	Fixed an issue where policy data would become out-of-sync for HIP Services that had multiple-policy connections when the remote HIP Service is revoked.
DEV-11080	Cloud	Fixed a bug where a Conductor-reboot now performs the route injection to sync the route table.
DEV-11028	Diagnostic mode	Fixed an issue where newer firmware silently failed to install from Diagnostic Mode.
DEV-10981	API	Fixed the paginated API endpoints.
DEV-10962	Conductor	Fix regression in 2.2.0 where smart device groups CIDR and IP range match rules with "only match overlay device IP" selected did not select the correct devices.
DEV-10955	Conductor	Fixed a bug that caused Access Point Name (APN) changes for Cellular Ports not to have any effect. Also APN settings from 2.1.x HIP Services will be set correctly when firmware-upgrading a HIPswitch to 2.2.
DEV-10953	Diagnostic Mode	The APN setting is now only configurable through the platform config under Port > Settings. This setting is available from both Diagnostic Mode and the Conductor UI.
DEV-10931	HIPswitch	Included an output message informing the customer that Authentication failed.
DEV-10927	HIPswitch, Cellular	Fixed an issue that when the only active port groups are disabled, a customer will have to put the HIPswitch into Diagnostic Mode to recover it.
DEV-10913	HIPserver, Linux	Added Readme and License files and is now present on the disk.
DEV-10909	HIPswitch	Fixed a bug where the Conductor prevented the secondary HIPswitch in a HA pair from upgrading.
DEV-10905	HIPserver, Linux	A support URL was corrected for hip.service a systemd file.
DEV-10899	client/HIPserver, Windows	Fixed a bug where 'ipconfig /release', 'ipconfig /renew' - now works and NTP is able to synchronize system time DHCP broadcast is able to find DHCP server).
DEV-10898	HIPswitch-100	Fixed the ability for the HIPswitch to maintain Peers’ File Information about the Peer involved in the policy.
DEV-10854	HIPswitch	When trying to configure a HS-500 and HS-400-202 in an HA pair, customers will no longer get an error the HA ports are moved to the HA portgroup. You no longer have to reboot the HIPswitch.
DEV-10847	Conductor	There was an inconsistency in connectivity when a HIP Service has a device deleted from a monitored device group. HIP Service now maintains connection to the Conductor.
DEV-10826	HIPswitch	HIPswitch-250 SFP Ports 1,2,7, and 8 work at 100 and 1000 mbps speeds in 2.2.1.
DEV-10823	HIPswitch	Fixed a bug that required customers to disable Transparent Mode before attempting to enter Diagnostic Mode.
DEV-10807	Diagnostic mode	Added the Media settings back in. It now exists in the Port Configuration section. This column should only show up on a HS 250.
DEV-10797	Conductor	Fixed non-functional bandwidth check button on the Secure Tunnels Diagnostics page.
DEV-10792	HIPswitch	You are able to delete and add new DHCP server settings after configuring them.
DEV-10737	Conductor	A refresh of the browser restores proper functionality.
DEV-10726	HIPclient, macOS	Fixed the ability to uninstall the app from the About > Uninstall menu item. Additionally, you can continue to use a Command prompt: sudo /Applications/TemperedNetworksHIP.app/Contents/Resources/uninstall.sh
DEV-10720	Conductor, omapd	Fixed the ability to create a New Profile, a second time around, on the same Conductor.
DEV-10702	Conductor	The HIPswitch details page now displays the correct icon in the Underlay IP field, such as a Wi-Fi icon when the connection is wired.
DEV-10692	Conductor	On cell-connected HIP Services, cell details show on the Ports page as soon as they are available.
DEV-10640	HIPswitch	Able to set and maintain Conductor and Peers IP address to invisible when engaging 'Publish IPs to Conductor' to No.
DEV-10619	HIPswitch, Cellular	Fixed a USB driver issue that prevented reliable recovery from Cellular Modem Firmware crashes.
DEV-10575	Conductor	Fixed a bug that could prevent users from saving Overlay DHCP settings.
DEV-10548	Conductor	Fixed a bug where, in rare cases if a monitor is invalidated, it would never try running again.
DEV-10489	API	Fixed an issue where generating a token using basic authentication for a locally authenticated user required the username to be case sensitive. This is no longer the case.
DEV-10437	Conductor	Fixed an issue where the macOS HIPclient was missing packet statistics.
DEV-10435	Conductor	Fixed an issue where importing devices using a malformed *.CSV file would stop responding and provide an incorrect error message.
DEV-10391	HIPswitch 150, Cellular	Fixed an issue where, when applying power to the HIPswitch 150, while the micro USB console port was connected to a computer, the HIPswitch would fail to enable power to the expansion bay.
DEV-10361	HIPswitch 100, HIPswitch 500	This issue is fixed for the HS 100. The diagnostic mode now display None if no part number file is found. This will be the case for the 100 and any other HS that does not write a part number.
DEV-10342	HIPswitch	Removed syslog-ng syntax check from init script, now syslog and udhcp start concurrently, this should allow entropy generation from network interrupts.
DEV-10356	Conductor	Fixed an issue where the + more entries link in the Edit Tags dialog would not function correctly.
DEV-10210	HIPclient/HIPserver, Windows	Upgraded to the latest versions of openssl and curl used by the Windows HIPclient and HIPserver.
DEV-10163	HIPswitch	Fixed an issue where a broadcast storm occurred when multiple HIPswitches on same L2 broadcast domain received packets from a protected device.
DEV-10136	HIPclient, macOS	The HIPclient local device ID key file permissions have been adjusted to only allow user access.
DEV-10107	Conductor	Improved the error message to clearly indicate when the Conductor cannot access the licensing server.
DEV-10039	HIPswitch	Fixed an issue where HIPswitch-150 Ethernet ports would not enumerate correctly during the boot up sequence.
DEV-10023	Conductor	If you have a virtual Conductor configured with a boot drive less than 1gb in size, you will need to increase the size to 1GB or larger before Conductor version 2.2 will install. The following links provide instructions for resizing a virtual disk: · VMware reference: https://kb.vmware.com/s/article/1004047 · Hyper-V reference: https://docs.microsoft.com/en-us/powershell/module/hyper-v/resize-vhd?view=win10-ps Note: Azure, AWS, and Google Cloud Conductors already have their boot drive set to 1GB. This issue will only affect those with EXSi or Hyper-V Conductors.
DEV-9994	Conductor	Improved the error messages the Conductor adds to syslog for HIPswitches.
DEV-9993	Cloud, Google	Fixed an issue when deploying a cloud HIP Service where the Public network (VPC) drop-down would display networks with no subnets.
DEV-9922	Conductor	Cellular information now displays correctly in Ports > Underlay network.
DEV-9880	OpenHIP	Fixed an issue where a HIP Service could not establish tunnels with other HIP Services if the Conductor time was adjusted to an earlier value. This could happen when enabling NTP on the Conductor for the first time.
DEV-9876	OpenHIP	Fixed an issue where HIP would crash and restart when broadcast/multicast packets were sent on a busy HIPswitch having a large number of tunnels.
DEV-9867	Conductor	Fixed an issue where HIPrelay tunnel stats were not stored in the database for HIPswitches while the tunnel was forming or disconnecting.
DEV-9845	Cloud, AWS	Fixed an issue where machine types other than t2.nano displayed incorrectly as a micro instance.
DEV-9841	Conductor	Improved the error message when creating a Cloud HIP Service and no custom images exist for the account.
DEV-9772	HIPclient, Windows	Fixed an issue where the HIPclient would not prompt for credentials if the computer was restarted.
DEV-9715	Conductor, API	The API now displays a 403 response code rather than a 401 response code when permissions for the request are incorrect or missing.
DEV-9694	Conductor, API	The API now displays correct response codes when creating endpoints.
DEV-9673	Conductor, API	When destroying endpoints, invalid IDs are now ignored.
DEV-9665	HIPswitch	Fixed an issue where health data may not be properly disabled when changing the setting from the Conductor UI.
DEV-9531	Cloud, Azure	Fixed an issue where the Image ID field would not display the correct images when the region was changed
DEV-9511	Conductor	Fixed an issue where the Forgot your password? link would not send out an email if an LDAP username was provided.
DEV-9404	Conductor, API	Removed the 406 return code from the API documentation as it is not used.
DEV-9398	HIPclient, Windows	Reduced the possibility of the HIPclient tray icon remaining in the notification area when the client is terminated or uninstalled.
DEV-9392	Conductor	Fixed an issue where a HIP Service offline event may not be triggered if Check Online is used between the time a HIPswitch unexpectedly disconnects and a session timeout occurs.
DEV-9339	HIPswitch 75 Series	Resolved issues related to CPU frequency scaling on the HIPswitch 75.
DEV-9322	BaseOS	Fixed an issue where SFP ports 1 and 2 on the HIPswitch-250 did not link without 1000baseX auto-negotiation enabled on the connected switch.
DEV-9300	HIPctl	Improved the error message received when requesting a log file and it does not exist.
DEV-9159	Conductor	Fixed an issue where dropping a user who is a rule editor of a Smart Device Groups caused the group to stop functioning. The Smart Device Group will now downgrade to a standard device group to prevent possible loss of service due to permissions violations.
DEV-9157	HIPclient, macOS	Agent GUI talks to the control daemon start-up to kill existing instances of the tnw-hipd daemon that it is supposed to control.
DEV-9123	HIPswitch 250	No longer dropping packets when both the fiber and copper ports of a combo port are connected.
DEV-9122	HIPclient, macOS	Fixed an issue where setting the HIPclient Network selector to auto could result in selecting the wrong interface, if more than one was available.
DEV-9085	HIPclient, macOS	Fixed an issue that caused the control daemon to crash on shutdown.
DEV-9078	HIPclient, macOS	Fixed an issue where a support bundle could not be created support bundle due to insufficient permissions.
DEV-9006	Conductor	Added more descriptive error messages due to incorrect credentials when creating cloud providers in the Conductor UI.
DEV-8804	HIPctl	Added more descriptive text to error messages received when trying to modify a profile that doesn't exist.
DEV-8633	Conductor	Regenerating an API token now requires the user to provide authentication credentials.
DEV-8561	Cloud	Added a warning message to Cloud > Diagnostics when there are no cloud provider credentials available for the HIP Service.
DEV-8529	Conductor	Currently, you cannot remove email and syslog settings in the Conductor once they are configured. Workaround: You can work around this issue by entering invalid values in the settings fields, click the disable button, or delete the settings using the API.
DEV-8294	Conductor	Improved syslog device_event messages to provide more useful information.
DEV-8262	Cloud, AWS, Google	Fixed an issue when deploying a HIP Service on AWS or Google Cloud where the route table was unavailable if the default region in the cloud connector was different from the HIP Service’s region.
DEV-8203	Conductor	Fixed an issue in the Conductor UI where pop-up information boxes would not disappear, resulting in multiple boxes on the screen.
DEV-8202	HIPserver, Linux	Fixed an issue where a newly created profile would not be set as the default profile after completing the HIPserver installation.
DEV-8105	HIPclient, Windows	Improved the HIP Networks View to display the Overlay name instead of the ID.
DEV-8085	HIPclient, HIPserver	HIPclients and HIPservers are now blocked from accepting inbound Overlay connections when an Overlay IP is not set.
DEV-8051	Conductor	Port addresses are displayed in 2.2.0.
DEV-8044	Conductor	Fixed an issue where selecting the refresh button for either cellular configurations on the Ports > Underlay network page would trigger both refresh buttons.
DEV-8012	Conductor	In rare circumstances, the traffic stat graph values can be off by a factor of 1000. If this occurs, refresh your browser.
DEV-7968	Conductor	Fixed an issue where authenticating with LDAP credentials logged the user out of the Conductor sessions.
DEV-7956	Conductor	Fixed a display issue where deleting the primary port would result in the secondary cellular interface not displaying an IP address.
DEV-7955	Conductor, Azure	If you ping an HIPswitch running Azure from another HIPswitch, the ping will now connect to the Conductor UI. This is due to ICMP being allowed by Azure's security groups.
DEV-7919	Conductor	In previous versions of the product, if a discovered device was added to a smart device group and caused an IP conflict, the device was not detected. This behavior has been improved and device will now be detected but not added to the smart device group.
DEV-7774	HIPctl	The output from hipctl has been improved. On the command line the error and status messages are now simplified for clarity, and detailed output is sent to syslog.
DEV-7720	Conductor	Fixed an issue where the + more entries link did not function correctly when selected.
DEV-7681	HIPclient, Windows	The HIPclient has been updated to improve protection against possible local threats.
DEV-7661	Conductor	Fixed an issue where after replacing a HIPswitch, it could take several minutes to reconnect and appear online in the Conductor.
DEV-7507	Conductor	Upgraded our current products to support OpenSSL, version 1.1.0.
DEV-7233	Conductor	Fixed an issue where the Conductor displayed an erroneous message if the login timed-out and the user attempted to log in again without refreshing the browser.
DEV-7063	HIPclient, Windows	Added a new HIPclient control window for easier access to the HIPclient features. You can access this window by left-clicking on the tray icon.
DEV-5607	Conductor	Fixed a cosmetic issue where when pushing large amounts of data through a HIPrelay can cause the byte-count to appear as a negative number.
DEV-5713	Conductor	In rare cases, a shared network traffic graph may fail to draw data for the Conductor 400 if the 10G option card is installed. Reboot the Conductor to refresh.

Known Issues


ID	Applies to	Description
DEV-10887	HIPserver, Linux	Configuring DNS servers for a Linux HIPserver via the Conductor may not retain the settings once saved. Workaround: None.
DEV-10857	OpenHIP	Under certain conditions, a HIP Service may take up to 30 seconds to probe its active relays. This may result in longer initial connection delays. Workaround: None
DEV-10846	HIPclient, macOS	Currently, you cannot stop a packet capture once initiated from the Conductor UI for a macOS HIPclient. Workaround: Wait for the packet capture operation to terminate.
DEV-10764	HIPswitch, Cellular	When downgrading the HS-150 from 2.2.0 to 2.1.6, the cellular link LEDs may not be functional. Workaround: In order to restore LED functionality, in Conductor, change the "Underlay network" settings under the "Ports" tab. For example, adjust the priority. (Note that you may need to provide the "Access point name (APN)" since that field may appear blank, in order to successfully apply the settings.) After applying the settings, reboot the HS-150 for the Cellular LEDs to become functional again.
DEV-10703	Conductor	If a HIPswitch is factory reset, its details may not be removed from the Conductor UI. Workaround: none.
DEV-10696	HIPswitch	A Conductor and multi-homed HIPrelay is incompatible with 2.1.x HIPswitches and HIPclients and will cause potential connectivity issues. Workaround: None.
DEV-10618	Conductor	When downloading a support bundle, the dialog box contains two buttons, Download and Cancel. Cancel has the same effect as closing the dialog. Workaround: None.
DEV-10602	HIPswitch 400, HIPswitch 500	The HIPswitch 400 and HIPswitch 500 LCD menus do not support setting Conductor host names longer than 16 characters. Workaround: Configure the corresponding IP address instead.
DEV-10592	HIPswitch, Azure	If you deploy a HIPswitch using a script instead of the Conductor UI and have not configured the user credentials for the cloud provider before granting a license, it is likely you will need to reboot the HIPswitch as the route table ID will be missing in the cloud attribute. Workaround: Deploy the HIPswitch using the Conductor UI.
DEV-10577	HIPshell	Currently, the hipsh console will not timeout and may become locked. Workaround: Reboot or power-cycle the HIPswitch.
DEV-10492	HIPrelay	Once a HIPrelay learns an IPv4 / IPv6 address for a peer, it will continue to use that address indefinitely for forwarding peer packets). If the peer is offline and doesn't update its address with the HIPrelay, the old or invalid address will continue have HIP control packets forwarded to it. Workaround: None
DEV-10442	Conductor	In rare cases, the Apply Firmware Updates dialog will show duplicate entries in the Upgrade Availabledrop-down. Workaround: None.
DEV-10405	OpenHIP	When sending HIP I1 packets to all peer addresses, a HIPswitch will try all source/destination address combinations and does not query the routing table. This may cause I1 packets to be sent to the wrong interface, because the source address may not match the interface address. This issue occurs on multi-homed HIPswitches, with peer-auto connect turned on and relay probes off. Workaround: None.
DEV-10404	OpenHIP	Retransmitted HIP I1 packets are only sent using one source address/destination pair. This differs from the initial I1 packets which attempt to use all source/destination address combinations. This issue occurs on multi-homed HIPswitches, with peer-auto connect turned on and relay probes off. Workaround: None.
DEV-10276	HIPclient/HIPserver, Windows	The tray application crashes repeatedly and prevents the configuration of the HIPclient or HIPserver. Workaround: Reinstall .NET to resolve the issue.
DEV-10236	Conductor	If you log in to multiple software HIP Services as the same user, the remote session for the first HIP Service will be terminated. Workaround: None.
DEV-10200	Conductor UI	Currently, users with the Network Administrator role in the Conductor can see and grant provisioning requests but are unable to view license vouchers and make top level licensing changes. Workaround: None.
DEV-10186	HIPshell	The Run mode shown when using the hipsh status command may contain multiple operating modes. This is normal and not indicative of any issue. Workaround: None.
DEV-10109	HIPclient, Windows	When uninstalling the HIPclient or HIPserver, the tray icon may disappear, and the application will restart. This occurs without selecting Yes or No from the dialog. Workaround: None.
DEV-10081	Conductor	When creating a Conductor certificate using the Create Conductor Certificate dialog, you must click Save. Pressing Enter will result in an error and the operation will not complete successfully. Workaround: None.
DEV-10078	Conductor	Currently, HIPswitch reporting graphs do not indicate temperatures below freezing. Workaround: None.
DEV-10047	HIPclient, macOS	The HIPclient may lose access to the macOS keychain following an update. Workaround: If this occurs, use the procedure below to resolve the issue. Open the finder by pressing Command-N Find the TemperedNetworksHIP application, right click it and select Show Package Contents Double-click Contents Double-click MacOS Keep this window available, you will need it below Start Keychain Access (Applications > Utilities > Keychain Access) Navigate to the System keychain (on the upper left) Click on Keys (on the lower left) Click on the header named Kind to sort the keys For each private key with the name com.temperednetworks do the following: Double-click the item to open it Click Access Control Enter your password Click the + Drag the tnw-hipd from the window opened earlier and drop it into the window you opened by tapping + Click tnw-hipd, then click Add - the window will close Click Save Changes Make a note of your username, you will need this in a moment Enter your password and tap Allow You will be prompted to enter your username and password. Do so and close the com.temperednetworks window. Repeat step 10 for each private key named com.temperednetworks. You will have one key for each HIPclient profile you created.
DEV-9877	Conductor, Azure, wireless HIPswitch	Link Manager default settings do not work between Conductors running on Azure using the Azure Network Security Group setting and wireless HIPswitches. Workaround: You must Disable pings on active link on each Wireless HIPswitch or set an alternate active ping target (e.g. 8.8.8.8).
DEV-9853	Diagnostic mode	In diagnostic mode, if you set a static IP address using either the subnet ID or the broadcast address for a configured subnet there is no warning this setting is invalid. Workaround: None. (Replaced by the platform configuration).
DEV-9808	Conductor	You must be a manager of every overlay that contains any device associated with all HIP Services in a HIP Service group, otherwise you lose the ability to make edits to that HIP Service group. There is no error message or any explanation as to why you are not allowed to make edits. Workaround: None.
DEV-9688	Conductor	The HIPswitch Limit Bandwidthsetting currently displays as bytes per second instead of bits per second. Workaround: None.
DEV-9606	HIPswitch 150 Series	When connected via serial console to a HIPswitch 150, pasting text ~35+ characters into the console requires the console to be disconnected and reconnected to restore functionality. Workaround: None.
DEV-9362	Conductor	In tag properties, if you enter a month value in the Expire tag usage field, such as 1M, it is converted to weeks and days when the change is applied. Workaround: None
DEV-8929	HIPclient, Windows	After installing a windows HIPclient using the unintended install method, the tray application does not start. Workaround: Start the application manually after installation is complete
DEV-8810	HIPswitch, Cellular	Diagnostic mode displays a drop down menu for selecting a preferred radio access technology, however the backend does not correctly handle this setting. Workaround: None.
DEV-8805	HIPswitch	When enabling SNAT on a HIPswitch, new connections will begin to use the overlay gateway IP address of the HIPswitch, but existing connections will not use the SNAT address until the connection is idle for the specified connection TTL or if the HIPswitch is rebooted. Workaround: Reboot the HIPswitch after enabling SNAT.
DEV-8428	Conductor, HA	The time on a standby Conductor and master conductor can become out of sync and cause missing traffic stats and health data from HIPswitches. Workaround: When failing-over an HA-paired Conductor, verify that the timestamps are the same.
DEV-8120	Conductor, Azure	In rare cases, an HIPswitch running in Azure may fail to reconnect to the Conductor after a firmware upgrade. Workaround: Restart the HIPswitch VM. Please note it can take up to 10-15 minutes to come back online.
DEV-8106	Conductor	If a device stops communicating, the Conductor UI may not reset the activity display to gray, reporting online status incorrectly. Workaround: Reload the browser.
DEV-8060	Conductor	In rare cases, a Conductor HA pair may stop syncing. Workaround: If this occurs, promote the HA-secondary to primary, then re-pair them.
DEV-7769	HIPswitch, Google Cloud	Toggling policy too quickly on a HIPswitch running on Google Cloud can result in the route table becoming out of sync when using route injection. Workaround: After toggling policy, wait 10 seconds before toggling it again.
DEV-7499	Conductor	The bandwidth check in the HIPswitch Diagnostics tab may fail for HA-paired HIPswitches. Workaround: None.
DEV-6927	Conductor	If you place a Conductor in diagnostic mode and have a non-standard port configuration defined, it may not respond to ping commands. The diagnostic mode functionality should be otherwise unaffected. Workaround: None.
DEV-5866	HIPswitch	When configuring Wi-Fi settings in diagnostic mode, the HIPswitch may override the configuration on reboot if Wi-Fi configuration was configured in the Conductor previously. Workaround: Factory reset the HIPswitch before entering diagnostic mode.