Release Notes 2.2.10

Release Date: Nov 18, 2020

What’s New

Access Windows for authenticated users

Specify or restrict what days and times authenticated users can log in to access resources on your secure network using Access Windows.

See more: Set Times Authenticated Users can Access the Secure Network

Automatic Relay Rules

Enable all connections in an overlay network to use a group of relays. This provides a less-granular, but simple way to manage relay rules.

See more: Set an Overlay to Automatically Manage Relay Rules

Airwall Gateway Custom Certificates

By default, Airwall Gateways come with a Tempered factory-installed certificate. You can now add your own custom CA certificate to use for Conductor communication.

See more: Adding or Replacing a Signed Certificate on an Airwall Gateway for Conductor communication

Bulk Configuration of Airwall Gateways

Configure certain settings in bulk for Airwall Gateways or Airwall Gateway groups.

See more: Bulk Configuration of Airwall Edge Services

Enable DNS for Seamless Bypass

You can now enable DNS to use fully-qualified domain names (FQDN) for bypass destinations.

See more:

Setup Wizards for configuring Conductors and Airwall Gateways

2.2.10 has added two wizards to help you in deploying an Airwall secure network. The Conductor Deployment Wizard walks you through setting up, licensing, and provisioning a new Conductor, and the new Airshell (airsh) command setup-ui walks you through the most common Airwall Gateway setup options.

See more:

Airwall Status Indicators

There are new ways to see information and status on the Airwall Edge Services connecting to your Airwall secure network

See more: See Airwall Edge Service Information and Status

Cloud Improvements

This release includes improvements that make it easier to deploy cloud Conductors and Airwall Gateways, and includes support for AWS GovCloud (see below):
  • ENA and SR-IOV support – You can now deploy instances with enhanced networking configuration enabled with either ENA or SR-IOV, and see which machine types support or require ENA. Note that machine types marked as ENA may deploy as SR-IOV.
  • Disk IO has been improved – Cloud deployments now include NVMe (memory) disk options.
  • Cloud HA deployment has been automated – Simplified deployment for HA, eliminating many of the places where misconfiguration could happen.
  • New Azure cloud image names – Image names now reflect their use, making it easier to choose the correct image.
  • Additional information as images are created – More details are included in the status pane as the Conductor creates cloud images.
  • Can now choose resource groups – You can now choose a new or existing resource group when you create cloud Airwall Gateways and Conductors.

    Note: If you choose an existing resource group, make sure no resource names in the existing resource group conflict with the new Airwall Gateway and Conductor deployment name that you are creating.

  • More information available in the Conductor – New attributes are shown for cloud Airwall Gateways on the Diagnostics tab.

Preliminary IPv6 Support

If you have devices with IPv6 addresses, IPv6 is now supported for Airwall Gateways and Linux Airwall Linux Agents. The control for source NAT is shared for both IPv4 and IPv6. Configurations sourcing NAT IPv4 but not IPv6 are not supported.

Airwall Gatewaysnow support static IPv6 addresses for both the underlay and overlay (some cellular carriers may not support it). You also need to assign a static IPv6 address to the Airwall Gateway.

Since IPv6 only supports routed configurations, you need to assign an IPv6 overlay address to the Airwall Gateway to use IPv6 overlay. L2/subnet extensions are not supported.

See more: Set up a secure IPv6 overlay

AWS GovCloud Support

Cloud Conductors and Airwall Gateways can be now be deployed in AWS GovCloud. Follow the instructions for deploying in AWS:

Exponential Backoff

Added exponential backoff to the Airwall Gateway to/from Conductor management connection to comply with Verizon data retry requirements. This change means it could take up to 3 minutes to reconnect after an extended outage. (DEV-14648)

Upgrade Considerations

Consider upgrading to 2.2.10 if:

You want to use any of the following features: You were impacted by any issues discovered in prior releases, especially if you have any of the following:

  • Access windows for authenticated users

  • Automatic relay rules

  • Custom certificates for Airwall Gateways

  • Bulk configuration of Airwall Gateways

  • Enabling DNS for bypass destinations

  • Setup wizards for Airwall Gateways or the Conductor

  • Improved Airwall Status

  • Cloud deployment improvements

  • IPv6 support

  • AWS GovCloud deployment
Ran into the issues where:
  • Setting an Overlay default gateway breaks connected routes
  • Invites have incorrect links and configuration issues
  • Got errors on the Airwall Gateway 110g when running certain airsh commands
You want to:
  • Access the Conductor firmware update server via a proxy
  • Disable individual devices in a bypass configuration
  • Allow network admins to manage new devices or agents
  • Use serial over IP on an Airwall Gateway 110e or 110g.

New and updated Airwall help content

In addition to help for new features, here are the changes to content published since our last release:

New Topics
Updated

Fixes

ID Applies to Description
DEV-14703 OSX Airwall Agents macOS Big Sur – Modified the OSX installer to correctly install on macOS Big Sur.
DEV-14675 Cellular Airwall Gateways The Airwall 110g firmware now sets the DevInfo/Man and DevInfo/Mod OMA-DM strings when connected to Verizon.
DEV-14623 OpenHIP v2.2.8 Mac Airwall Agents may form unusable tunnels with older 2.1.7 (and possible other versions) peer Airwall Edge Services, if traffic is being sent when the Airwall Agent is starting up.
DEV-14590 Conductor Fixed an issue with JSON serialization of underlay and map IPs in the PCI Airwall reference.
DEV-14581 Airwall Gateways Fixed an issue where when failover groups were configured to not use the Conductor as a ping destination and with the Conductor address using a hostname, the Airwall Edge Service is unable to connect to the Conductor by hostname.
DEV-14558 Airwall Gateways Due to a bug in firmware versions 2.2.2 - 2.2.8, Airwalls using a TPM-backed keystore cannot update directly to firmware version 2.2.10. Should you run into this bug, you will see the following message on the Reporting -> Health Data page of the Conductor: "firmware_verify: The currently selected keystore is not compatible with the target software version. Please factory reset theAirwall Gateway with the keystore=file argument to downgrade." To install firmware version 2.2.10 on a TPM-enabled Airwall Gateway, apply Airwall Gateway Hotfix-14558 first and then install 2.2.10 normally. See Hotfixes.
DEV-14521 Conductor Fixed a health data setting for 2.2.8 Android and Windows Airwall Agents that may have had their health data inadvertently turned off.
DEV-14510 Airwall Gateways Source UDP and TCP port are now randomized when passing through a bypass configuration with SNAT enabled. This change fixes a rare case where both the bypass gateway and another Airwall Gateway behind it are trying to communicate with the same peer (for example, a relay).
DEV-14506 Android and Windows Airwall Agents Fixed an issue where modifying the reporting_interval for traffic stats via the Conductor would disable health data on the agents that supported it.
DEV-14461 Airwall Gateways Fixed an issue where if overlay device NAT was configured on a port group with multiple ports, the overlay device NAT was incorrectly applied to traffic between the two ports in the same port group.
DEV-14447 Linux Airwall Linux Agents Fixed an issue where the support bundle for a Linux Airwall Linux Agent was missing attributes.
DEV-14434 Airwall Gateways IPv6 bypass is now functional for cellular underlay links.
DEV-14424 Conductor Rate limited how often the bypass destinations traffic timestamp is updated to prevent negative performance impact on the Conductor.
DEV-14406 Conductor Disabling traffic stats and health data monitors now works.
DEV-14394 Conductor Fixed an issue that could cause revoked and re-activated Airwall Edge Services to fail to reconnect to the Conductor.
DEV-14389 Conductor Fixed an issue where unmanaged or revoked Airwall Edge Service attributes could be updated using the API.
DEV-14359 Android Airwall Agents Fixed an issue where switching underlays would cause the old underlay to be reported as unknown in the Traffic stats tab under reporting on the Conductor.
DEV-14356 Airwall Gateways Fixed an issue where you could enable STP on port groups that use only a single port interface.
DEV-14312 Conductor Fixed a broken download link in Linux Airwall Linux Agent setup.
DEV-14307 Airwall Gateways Now allow Airwall Gateways and Linux Airwall ServerAirwall Linux Agents to carry traffic within the LSI prefix (default to 1.0.0.0/8) across HIP tunnels, except for addresses that collide with peer Airwall Edge Service LSI addresses.
DEV-14291 Airwall Gateways Fixed an issue that could cause a service crash on Airwall Edge Services when there was a network-related HA failover/failback.
DEV-14278 Android Airwall Agents Fixed an issue where replacing an Android Airwall Agent while the Android Airwall Agent service was running required the Airwall Agent to be restarted to get its new configuration and restore pings.
DEV-14266 Airshell Fixed an issue preventing the 'diag-report' command from returning data under Airshell on the AW-110g. Diagnostic reports (system reports) take much longer to generate on cellular platforms.
DEV-14265 Airshell Fixed Airshell 'status cell' command on the AW-110g, which sometimes repeatedly produced an error response.
DEV-14254 Conductor Fixed an issue where Airwall Agents were showing up when creating a device discovery event monitor.
DEV-14251 Airwall Gateways Fixed an issue introduced in Airwall Gateway HF-1 that could cause traffic to get blocked onAirwall Gateways with multiple overlay port groups.
DEV-14244 Azure Cloud Conductor Fixed an issue where you were not able to select VNet when setting up a cloud Conductor.
DEV-14243 Airwall Gateways Fixed an issue where broadcast and multicast received on an L2 bypass port group was consuming unnecessary bandwidth.
DEV-14228 Conductor Fixed an issue where devices in smart device groups with tags may not have been removed correctly when the tags existed on both the devices and Airwalls or Airwall groups.
DEV-14222 OpenHIP Fixed an issue where DHCP configuration wasn't being updated.
DEV-14220 Conductor Fixed an issue where you could not update an existing rule order and create a new device match rule with the old order of the existing rule.
DEV-14209 Android Airwall Agents Fixed an issue where the Airwall Agent crashed the first time the user tried to start the service for a new profile.
DEV-14195 Conductor Conductor Firmware downloader and OUI updater will now use the Conductor proxy settings.
DEV-14194 Airshell Fixed an issue where the 'policy' command in Airshell returns an error under certain (larger, busier) deployments.
DEV-14191 Airwall Gateways Fixed an issue that could cause traffic problems in deployments with multiple overlay port groups on the same broadcast domain.
DEV-14179 Conductor Fixed an issue where the clock color indicating when a user last logged in was incorrect .
DEV-14172 Airwall Gateway 110g Disabled IMS when using the Airwall Gateway 110g on T-Mobile.
DEV-14167 Windows Airwall Agents Fixed an issue where the Conductor was showing Windows Airwall Agents had an update available when they already had that version installed. Note that you may still see updates available for x64 Windows if you have x32 firmware downloaded on the Conductor.
DEV-14166 Cellular Airwall Gateways Fixed an issue when using customer-specific Verizon APNs on the Airwall Gateway 110g.
DEV-14159 Airwall Gateways Fixed an issue where overlay traffic could flood out overlay ports.
DEV-14128 Conductor The traffic stats monitor alert now more clearly indicates what is being measured, that is, kB/s, pkts/s
DEV-14123 Conductor Notices on the login screen are now only displayed one time and disappear for your next visit to the page.
DEV-14119 Conductor Fixed an issue where Airwall groups were not applying tags as the group was created.
DEV-14115 Conductor Fixed an issue that could cause infrequent Conductor service issues resulting in all Airwall Edge Services needing to reconnect to the Conductor.
DEV-14113 Conductor Fixed an issue where you could create policy to a bypass destination from a gateway's device even though the gateway has bypass disabled on its underlay.
DEV-14103 Conductor Fixed an issue where disabling or re-enabling network communications for a device deleted any tags on it. This issue also was occurring when if you updated a device, device group, Airwall group, overlay network, or people group using the API.
DEV-14100 Conductor Fixed an issue where if you added a device directly to a device group in an Airwall invitation or during user onboarding, some of the necessary information was not being sent to the Airwall Agents to fully enable Airwall policies.
DEV-14095 Android Airwall Agents Fixed an issue where the Overlay networks page was showing inaccurate ping counts.
DEV-14073 Conductor Underlay IPs for 2.2.8 Airwall Gateways are now in the "underlay_ips" key in the API. IPs used for the map connection are now in the "map_ips" key in the API.
DEV-14070 Conductor Fixed an issue where Airwall Edge Services coming online were not being included in Recent Activity.
DEV-14068 Android Airwall Agents Fixed an issue where rotating the screen cleared the username and password when attempting to log in using User Auth.
DEV-14062 Conductor FIxed a display issue when changing the pagination size on the monitors page.
DEV-14044 Android Airwall Agents Fixed an issue where the ping status icon on the Overlay Networks/Edge Services page was always blue when pinging.
DEV-14032 Conductor Fixed an issue where viewing an overlay's details page in timeline view could cause an error.
DEV-14013 Conductor Standardized timestamps for Airwall Agents to display in the user’s locale.
DEV-14009 Conductor Fixed an issue where you couldn't remove static routes from a Conductor.
DEV-13984 Airwall Gateways Fixed an issue where specifying the gateway on an overlay IP prevented creating the local subnet/connected route.
DEV-13978 Conductor Fixed an issue where a device with an unknown OUI didn't update when the OUI list was updated.
DEV-13963 Linux Airwall Linux Agents Fixed an issue where HIP was restarting on the Centos7 Airwall Linux Agent.
DEV-13948 Cellular Airwall Gateways Fixed an issue where sometimes the IMEI is listed as "unavailable" in Airshell and diagnostic mode when the affected Airwall Gateway does not have a sim card installed.
DEV-13946 Conductor Fixed an issue where when when you disabled an Airwall Agent, it was not showing a disabled tag in the devices list.
DEV-13944 Conductor and Airwall Gateways Fixed an issue that caused device traffic to local devices (east/west) or bypass destinations to continue after disabling the device. Traffic to remote devices was not affected.
DEV-13943 Conductor Fixed an issue where the Tag actions did not list that devices would be impacted.
DEV-13942 Conductor People groups can now be added as managers when creating new overlay networks in the network creation wizard.
DEV-13935 API Fixed an issue where network admins were unable to get the job status of Airwall Edge Service support jobs that they started in the API.
DEV-13930 Alibaba Cloud Conductor

If you have created a new Alibaba Cloud Airwall Gateway with v2.2.8, there is an issue with the protected subnet id on the Cloud tab actually being the public subnet.

Workaround: You can avoid this issue by installing this hotfix on the Conductor before creating any Alibaba Cloud Airwall Gateways.

Workaround if you have already created an Alibaba Cloud Airwall Gateway:
  1. Apply this hotfix to your Conductor.
  2. If you are not using an NTP for system time, on the Settings page, General setting tab, under System time, select Edit Settings, and then Under Update date and time, select Set browser time and then select Update.
  3. For any cloud Alibaba Airwall Gateways, on the Cloud tab, Diagnostic subtab, click Refresh.
DEV-13926 OpenHIP Fixed a rare packet allocation failure issue on the Airwall Gateway 100.
DEV-13916 Airwall Gateways Fixed an issue where using DNSSRV records for Airwall Gateway provisioning caused the Conductor configuration to be lost.
DEV-13914 Conductor Fixed an issue where if you used multiple serial over IP devices on the same Airwall Gateway (only supported on some profiles), you could create an invalid configuration when both devices are configured with the same IP but different ports.
DEV-13910 Conductor You now receive a warning when creating a monitor on a device or Airwall group when some members of the group do not support the monitor. Previously, you only received such a warning for remote monitors (monitors run on the Airwall Edge Service).
DEV-13904 Google Cloud Conductor ​Fixed an issue in the Google Cloud images for 2.2.8 Conductor and Airwall Gateways.
DEV-13903 Airwall Gateways Airwall Gateway 110 models now can use the link failover monitor.
DEV-13893 Conductor Fixed an issue where you could select Airwall Edge Services that do not support health data for the health data monitor (for example, the Mac, Linux, or iOS platforms as of 2.2.8)
DEV-13860 Conductor Fixed an issue where when creating a new device, the Port affinity drop-down menu showed the first overlay port group, but the value set was "Detect automatically."
DEV-13850 Conductor Fixed an issue where network administrators couldn't manage an Airwall Edge Service from Recent events Dashboard notifications.
DEV-13844 Conductor When replacing a high-availability paired Airwall Gateway, the Conductor now only lists Airwall Gateways that have an HA port configured.
DEV-13817 Airwall Gateways Fixed an issue where the DHCP server on an Airwall Gateway Overlay Port Group was not restarting after changing the 'LSI prefix' on the Conductor.
DEV-13813 Airwall Gateways Fixed an issue with the serial ports of the Airwall Gateway 110 where RS232 with hardware flow control (RTS/CTS), RS422 (full duplex) and RS485 (half duplex) were not functional. Airwall Gateway firmware version 2.2.10 and later supports all three serial port modes.
DEV-13768 Airwall Gateways Fixed an issue where the source NAT setting on a bypass underlay port group was not updating the setting.
DEV-13765 Airwall Gateways Fixed an issue where bypass underlay port groups with source NAT enabled and routed mode disabled did not allow incoming connections from the underlay.
DEV-13759 Airwall Gateways Fixed an issue where the Detect Devices button sometimes incorrectly included devices attached to other port groups or peer Airwall Gateways if policy permitted traffic from an Overlay IP to those destinations.
DEV-13755 Cellular Airwall Gateways Disabled LWM2M reporting on the Airwall Gateway 110g when using the AT&T carrier configuration. AT&T ODIS requirements are met by using a product specific IMEI TAC.
DEV-13748 Conductor Fixed an issue where if you disabled overlay MTU, the change was not immediately sent to Airwall Gateways.
DEV-13744 Conductor Fixed an issue where the Airwall group dialog allowed you to attempt to modify it even if you didn't have permissions.
DEV-13689 Conductor Overlays, Devices, Airwalls, and People pages now have a consistent scheme for button and filter placement, with actions on the left and filters on the right.
DEV-13682 Airshell Fixed an issue where multiple MAP URIs were not correctly displayed within Airshell ('status conductor', 'conductor status', and 'conductor set').
DEV-13664 Conductor Email colors have been adjusted to be more legible in more email applications.
DEV-13630 Cellular Airwall Gateways Fixed a problem related to signal strength reporting from Airwall Gateways with a Quectel modem connected to a 3G network.
DEV-13621 Airwall Gateways Improved the timing of link failure-related actions (like reboot or cellular session recycling) to reflect the configured timeouts more accurately.
DEV-13505 OpenHIP Fixed high CPU usage by hipd thread.
DEV-13332 Cellular Airwall Gateways Updated the Quectel EC25-AF firmware revision to EC25AFFDR07A09M4G_01.004.01.004, to address some AT&T related connection issues.
DEV-13297 Airwall Gateways Fixed an issue where when an Airwall Gateway with seamless bypass is configured as layer 2 "bump in the wire," traffic from the protected device to remote protected devices on different subnets was not working as expected.
DEV-13275 Airwall Gateways Fixed an issue where a misconfigured local device was corrupting the ARP cache entries for peer Airwall Gateways.
DEV-13272 Airwall Gateways Improved the reliability of firmware updates in very low bandwidth situations.
DEV-13109 Airwall Gateways Fixed Check secure tunnels diagnostic function: relays and relay clients are not longer included in the list.
DEV-10936 Airwall Gateways You no longer need to cable HA Airwall Gateways directly, and should no longer see situations where both Airwall Gateways are active.
DEV-6147 Conductor Fixed an issue where the placeholder text for an Airwall invitation "Generated Airwall name" was incorrect.
DEV-3342 Conductor Fixed an issue where the firewall settings become unresponsive when editing Airwall Gateway settings.

Known Issues

ID Applies to Description
New DEV-15302 macOS Airwall Agents

The macOS Airwall Agent profile will not work correctly when restored to a new machine via Timemachine.

Workaround -- Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one for that agent.
DEV-15039 Linux Airwall Linux Agents There is a small memory leak in the Airwall Linux Agent Server that might require a restart over the course of a month.
DEV-14981 Linux Airwall Linux Agents The Linux Airwall Linux Agent crashes when trying to ping peer Airwall Edge Services from the Conductor, and the server has around 15+ peers.
DEV-14818 Airwall Gateways, Open HIP

DNS-based Bypass opens up a possible security hole by allowing dynamic policy creations based on results of name lookup over the Internet. Combined with disabling Source NAT (SNAT), this leaves the Overlay open to attack from a sufficiently-technical attacker.

Workaround – Enable SNAT on the Underlay when using DNS-based bypass destinations to prevent potential inbound access from arbitrary sources.
DEV-14772 OSX Airwall Agents If the Airwall Agent is set to "off on boot" and the mac is rebooted, DNS may not be correctly set at startup.

Workaround – Restart the agent to regain access to DNS. Stop the agent, if desired, to return to the DNS servers as given by DHCP.
DEV-14767 AWS Cloud Conductor

ENA required instance types won't be available in us-gov-east-1 region for GovCloud customers, and ap-east-1 & eu-north-1 regions for commercial cloud customers. ENA supported and unsupported instance types still work with these new regions.
DEV-14743 Conductor The Airwall Gateway setting for DHCPv6 uses DHCPv4.
DEV-14739 Airwall Gateways If you set IPv4 to DHCPv4 and set a static IP address for IPv6, the setting that you set second doesn't get saved.

Workaround – If you need both IPv4 and IPv6, set static IP addresses for both.
DEV-14736 Cellular Airwall Gateway 150s

Cellular details may display as "unavailable" on the first boot after upgrade. Cellular connections are not affected.

Workaround – Reboot the Airwall Gateway a 2nd time.
DEV-14692 Airshell In the new Airshell 'conf network' menu system, when editing a port group, it is possible to enter unsupported or duplicate interfaces, or interfaces already in use by another port group.

Workaround – Check the `status network` output to check for duplicates to avoid unsupported or conflicting configurations.
DEV-14688 Cellular Airwall Gateways After factory resetting a Verizon 101g, you must change the APN to 'vzwinternet' in diagnostic mode.
DEV-14636 Conductor When adding Access windows to a people group, if you add a blocked window, you also need to add an Access window for the times you do want to give access. Otherwise users will always be blocked.
DEV-14610 Conductor After changing the Reporting traffic stats reporting time, the CPU graph will not display.

Workaround – Refresh your browser.
DEV-14608 Airwall Gateways If the parent port of a VLAN-tagged sub-port is placed in a disabled port group, the VLAN-tagged child-port will not be initialized correctly in all cases.

Workaround – To work around this issue, do not place parent-ports that have VLAN sub-ports in a disabled port group. Instead, remove unneeded parent-ports from all port groups. This issue will be fixed in a future firmware revision.
DEV-14606 Airwall Gateways When attempting to replace a HA member with a new Airwall Gateway, the Conductor allows you to select an Airwall Gateway that does not have an Overlay or HA port configured.

Workaround – Make sure the Airwall Gateway you select has a workable HA port configuration.
DEV-14595 Cellular Airwall Gateways When an Airwall Gateway 110g is started without a SIM card installed and Verizon selected as the carrier, the cellular modem will restart every 2 minutes until a SIM card is installed.
DEV-14584 Cellular Airwall Gateways SIM hot-swap functionality is not guaranteed on firmware version 2.2.10 with the Airwall Gateway 110. Please reboot the Airwall Gateway after installing a new SIM card.
DEV-14577 Airwall Gateways Device activity doesn't report activity on bypass port groups with routed only disabled.
DEV-14570 Conductor If an Airwall Agent owner is set as any user (LDAP, local, or OIDC) and someone attempts to user authenticate with a different OIDC user, they will not be able to authenticate (which is the correct behavior), but they see a 500 error message instead of a helpful error message.
DEV-14564 Conductor The following log messages can be safely ignored: [ERROR] error parsing message: msg= [ERROR] JsonRpcDispatcher: received unknown method: method= msg=
DEV-14560 Airwall Gateways Assigning block policies to bypass destinations has no effect.

Workaround – Create a bypass destination using the resolved IP address of the hostname and create blocking policy for it.
DEV-14549 Android Airwall Agent Cellular details are not currently available on the Ports tab for Android Airwall Agents.
DEV-14518 Android Airwall Agent The Ports tab is now available for Android Airwall Agents with the following drawbacks:
  • The cellular interface data is not available.
  • You cannot change anything on the Agent Ports tab.
DEV-14509 Airwall Gateways Diagnostics: Ping peer Airwall Gateways may return false negatives
DEV-14504 Conductor Filtering alerts by name always includes new alerts, even if they do not match the filter keyword.
DEV-14483 Airwall Gateways When you configure device NAT for devices on multi-port port groups, NAT is applied to the initial flow of intra-port group packets from those devices. Subsequent conversations will correctly omit the NAT.
DEV-14467 Airwall Gateways Connecting an access port interface and a VLAN-tagged port interface within the same Airwall Gateway port group to an STP-enabled Cisco switch will trigger a Cisco port disable.

Workaround – Set “no spanning-tree VLAN <#>” on the Cisco switch’s affected VLANs to prevent the port shutdown.
DEV-14427 Conductor IPv6 DHCP settings sometimes show IPv4 options after choosing the 'Select one...' option.

Workaround – Refresh the browser window and try again.
DEV-14426 Conductor, Airwall Gateways Bypass destinations with a hostname do not show device activity in the user interface.
DEV-14361 Airwall Gateways The Build new tunnels if none exist setting doesn't trigger building tunnels on peer Airwall Edge Services with IPv6-only policy.

Workaround – Add IPv4 policy between the peer Airwall Edge Services.
DEV-14336 AWS Cloud Conductor If you choose an ENA machine type when creating a cloud Conductor on Amazon Web Services, you cannot downgrade or change it back to a non-ENA type. However, for a cloud Airwall Gateway, if you choose an ENA machine type, you can downgrade it if you first change it to a non-ENA machine type in Amazon Web Services.
DEV-14308 OpenHIP Initial packets may be dropped while building a new tunnel to a new peer Airwall.
DEV-14249 iOS Airwall Agents Check Secure Tunnels or Tunnel Status may be unavailable on iOS.

Workaround – You can determine Tunnel status by checking packets sent/received.
DEV-14233 Virtual Airwall Gateways Amazon EC2 Airwall Gateways using ENA network drivers will start with the second interface disabled instead of defaulting to an overlay port group.
DEV-14218 Airwall Gateways NAT broadcast applies to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices.
DEV-14210 Conductor Currently, when you set Source NAT, it configures it for both IPv4 and IPv6.
DEV-14208 Airwall Gateways Bypass port groups do not currently support IPv6.
DEV-13970 Alibaba Cloud Conductor When you upgrade a Conductor on Alibaba Cloud, the Conductor system time gets out of sync.

Workaround – Go to Settings > Other settings > System time and date, click Edit Settings, then Update to resync.
DEV-13880 Diagnostic mode on Airwall Gateways EAP-TLS does not work with current or previous WiFi Airwall Gateways (75w), so is now disabled. This setting will be reenabled once this feature is fixed.
DEV-13775 Azure Cloud Conductor Conductor might rarely give "Net::ReadTimeout" error when user tries to deploy an Azure Airwall Gateway 300v or server. This doesn't indicate that the deployment has failed. If you get this error message, go to the Azure portal and check the actual deployment result.
DEV-13753 Azure Cloud Conductor During cloud Airwall Gateway deployment, you can now choose an existing resource group, as long as you make sure the name of the Airwall Gateway deployment does not conflict with any resources in the existing resource group.
DEV-13271 Airwall Gateways The Airwall Gateway 110 has CPU frequency scaling enabled, which allows it to save power under low load conditions. This results in high load average / CPU usage figures in Conductor when the Airwall Gateway 110 CPU is in its lowest power state. Future releases may improve CPU utilization.
DEV-12852 Windows Airwall Agents

The Windows Airwall Agent may not connect when multiple interfaces are active

This issue can be caused by a Windows default that doesn't allow multiple simultaneous active network interfaces, and prefers ethernet over cellular or WiFi. It can be bypassed by editing a registry value. See the troubleshooting steps in I am having trouble connecting.
DEV-8824 Android Airwall Agents The implicit SNAT for Airwall Agents without an Overlay IP is not applied from a pre 2.2.10 Android Airwall Agent to a 2.2.10 Airwall Gateway with SNAT disabled: please upgrade the Android Airwall Agent to 2.2.10 or later.