Release Notes 2.2.3
Release Date: Feb 6, 2020
Introducing Tempered Airwall
Tempered's fully encrypted, virtual air-gap network security solution is now called Airwall. Our product offerings are also changing to match our brand and make their functions clearer.
What’s New
- New Airwall help
- If you're looking for the previous Tempered Networks Technical Documentation, most is included in the new Airwall Help. You can also click the link on the home page to get to the pre-Airwall Help.
- OpenID Connect support for Airwall Agents
- We have added OpenID Connect support for authenticating remote sessions on Android, iOS and macOS Airwall Agents (formerly Android, iOS, and OSx HIPclients). There is also now a global option to lock out clients that do not support user auth.
- People groups as Overlay members/managers
- People Groups are now able to be members of Overlay Networks as well as Managers of Overlay Networks. Now user permissions can be configured entirely in an authentication provider such as LDAP or OpenID Connect via people group membership.
- Lockdown Mode
- Lockdown Mode is now configurable from the Airwall Conductor for Airwall Agents (formerly HIPclients) that support this feature (currently supported by the Windows Airwall Agent).
- Cloud Linux Airwall Linux Agents
- The Airwall Conductor can create and deploy Linux Airwall Linux Agents directly in any cloud provider, such as Azure, AWS, or Google.
Upgrade Considerations
We recommend that you upgrade to 2.2.3 if:
You want to use any of the following features: | You were impacted by any issues discovered in prior releases, especially if you have any of the following: |
---|---|
Multifactor Authentication | |
IMPORTANT: Migrating existing Deployments to 2.2.x
The 2.2.2 release brought a significant change to the base platform configuration and capabilities of an Airwall Gateway/HIPswitch. Conductors after 2.2.2 will not be able to manage Airwall Edge Services prior to version 2.0. See the note in the Release Notes 2.2.2 for information on upgrading Airwall Edge Services prior to version 2.0.
Fixes
ID | Applies to | Formerly Known As | Description |
---|---|---|---|
DEV-12852 | Windows Airwall Agent | HIPclient-Windows | Windows Airwall Agent wasn't handling re-address during interface (for example, cell to wi-fi) changes |
DEV-12683 | Airwall Gateway | HIPswitch | Fixed an issue where large firmware update packages would sometimes fail to be installed via Conductor, Diagnostic mode, and airsh (hipsh). |
DEV-12613 | Airwall Gateway-250 | HIPswitch-250 | Fixed an issue where port 8 (SFP portion) of the Airwall Gateway-250 does not get re-enabled after reconfiguring network interfaces. This issue affects firmware versions 2.2.0, 2.2.1, and 2.2.2. |
DEV-12582 | iOS Airwall Agent | HIPapp-iOS | iOS Airwall Agent - 2x 'Sign-in Failed' pop up for invalid username & password |
DEV-12579 | iOS Airwall Agent | HIPclient-iOS | iOS Airwall Agent not using 'DNS domain' from Conductor |
DEV-12528 | Android and iOS Airwall Agents | HIPclient-Android, HIPclient-iOS | Android and iOS Airwall Agents user auth status pages are not getting updated on toggling policies |
DEV-12510 | Android Airwall Agent | HIPclient-Android | Android and iOS Airwall Agents user auth status pages are changing session expire time according to the current time of the phone. |
DEV-12487 | Android Airwall Agent | HIPclient-Android | Android Airwall Agent user auth Notification showing symbols instead of profile name |
DEV-12468 | Android Airwall Agent | HIPclient-Android | Android Airwall Agent crash on overlay networks page when you click refresh with no peers |
DEV-12463 | Conductor | | Syslog setting appears disabled after upgrade while it is still enabled |
DEV-12441 | Linux, macOS, and Windows Airwall Agents; OpenHIP | HIPclient-Linux, HIPclient-OSX, HIPclient-Win | Mac, Linux and Windows Airwall Agents now use and select an optimal relay when the underlay interface is set to 'auto'. |
DEV-12404 | Airwall Gateway-150 | HIPswitch-150 | A new cellular modem firmware (version 02.33.03.00) is available for Airwall Gateway-150 with the SFF-MOD-MC7430 modem. Please see the downloads page. |
DEV-12399 | OpenHIP | | Reject ARP responses for loopback, multicast, broadcast and 0.0.0.0 |
DEV-12382 | Conductor | | Airwall Edge Services online bar graph displays, then goes blank. |
DEV-12376 | Conductor | | HTTP 422 error for some accounts after 2.2.1 > 2.2.2 Conductor upgrade. |
DEV-12373 | iOS Airwall Agent | HIPclient-iOS | iOS status page seems to not be updating |
DEV-12355 | OpenHIP | | Broadcast IP packets not traversing tunnel properly |
DEV-12353 | Airwall Gateway-150 | HIPswitch-150 | Some Airwall Gateway-150s with part numbers (PLF-) ending in -02 and -03 were shipped with non-functional SFP ports due to a firmware bug. This is fixed in firmware version 2.2.3. Additionally, a hotfix is available to address this issue in firmware versions 2.1.6, 2.1.7, 2.2.0, 2.2.1, and 2.2.2. |
DEV-12339 | Airwall Gateway-150 | HIPswitch-150 | A regression in firmware versions 2.2.0, 2.2.1, and 2.2.2 caused Airwall Gateway-150s to be unable to link with dual-speed or BiDi SFP/SFP+ modules. Support for these SFPs is fixed in firmware 2.2.3. |
DEV-12326 | Conductor | | Airwall Edge Services fail to reconnect to Conductor after re-provisioning |
DEV-12318 | Android Airwall Agent | HIPclient-Android | Android not using 'DNS domain' from Conductor |
DEV-12311 | Airwall Gateway | HIPswitch | Fixed an issue that was causing serial or modbus configured overlay ports to stop working after performing a reconnect. |
DEV-12301 | Airwall Gateway | HIPswitch | Fixed a bug that caused Airwall Gateways to lose their Conductor connection after installing a customer certificate requiring a reboot. |
DEV-12293 | Airwall Gateway | HIPswitch | Modbus-RTU times out when multiple sessions are connected from one host. |
DEV-12287 | Airwall Gateway-500 | HIPswitch-500 | Fixed a bug that caused some IP broadcasts on the overlay network to cross into different subnets. |
DEV-12285 | macOS Airwall Agent | HIPclient-OSX | Mac unable to log in via username and password after switching to a different profile |
DEV-12276 | Conductor | | Do not allow a non-editor to be the rule editor of a Smart Device Group. |
DEV-12241 | iOS Airwall Agent | HIPclient-iOS | iOS needs to initiate pings for other side to reach it |
DEV-12230 | Airwall Gateway | HIPswitch | Do not remove port group configs during port detection |
DEV-12219 | OpenHIP | | When processing concurrent traffic to or from multiple peers, an Airwall Gateway may drop traffic for some tunnels. |
DEV-12217 | Airwall Invitations | HIPinvite | Poor messaging of license sync errors during invite activation |
DEV-12214 | Conductor | | Monitor alert (flapping) settings do not result in an indication of frequent alerts |
DEV-12205 | Conductor | | Not able to remove NTP on the Standby |
DEV-12187 | Conductor | | Airwall Edge Services uptime graph units scale incorrectly |
DEV-12179 | Conductor | | Deleting SoIP/Modbus settings when a description is edited |
DEV-12167 | Conductor | | Remove tags and end remote session on revoke |
DEV-12159 | Conductor | | Doesn't log device traffic reported by High-Availability standby |
DEV-12146 | Windows Airwall Agent | HIPclient-Win | Windows Airwall Agent takes a very long time to appear in Conductor dashboard after license is granted |
DEV-12127 | OpenHIP | | Detect unidirectional traffic through tunnels, which may indicate an extremely rare issue that causes tunneled traffic to be lost, and attempt to recover the tunnel by initiating a rekey |
DEV-12104 | Conductor | | Change license pop up blocking functionality to a temporarily dismissible banner |
DEV-12096 | Airwall Gateway | HIPswitch | Address Marvell WiFi "mwifiex" driver CVEs: CVE-2019-3846, CVE-2019-14814, CVE-2019-14815, CVE-2019-14816, and CVE-2019-14895 |
DEV-12093 | Android Airwall Agent | HIPclient-Android | Add DNS setting back to Android and iOS Airwall Agents |
DEV-12092 | Airwall Gateway-150 | HIPswitch-150 | Airwall Gateway-150 not maintaining HIP tunnels when configured with more than 10 peers |
DEV-12090 | OpenHIP | | In previous versions, HIP would buffer packets during the base exchange. This has been removed to mitigate a potential DoS from a local protected device; almost all protocols will re-transmit, making the buffering unnecessary. If you encounter issues with esoteric protocols, please turn on auto-connect so the tunnels are brought up automatically. |
DEV-12077 | Airwall Gateway | HIPswitch | If fail-safe reboot is enabled in the Failover settings, the Airwall Gateway reboots whenever the initial reboot timeout is expired (assuming all links failing) ignoring the timeout for recurring reboot. |
DEV-12076 | Conductor | | Invalid license vouchers shouldn't prevent customers from loading new valid vouchers |
DEV-12075 | Licensing | | Customer cannot remove invalid licenses due to license deficit |
DEV-12024 | Airwall Gateway-150 | HIPswitch-150 | Fixed a bug that was causing validation errors in the port configuration UI after factory-resetting and re-connecting an Airwall Gateway to the same Conductor. |
DEV-12005 | Conductor | | Device Match Rules rule "include Any Object without certain tag" does not include untagged devices |
DEV-12004 | Conductor | | Device Match Rules "negative filter MAC_prefix" filters out devices without MAC address |
DEV-12000 | Conductor | | Offline Airwall Agents are named incorrectly in Add Device to Network popup |
DEV-11994 | Conductor | | Replacing Airwall Agent in Conductor doesn't update its capabilities |
DEV-11992 | Conductor | Conductor | Conductor breaks when upgrading from 2.2.1 to 2.2.2 in a factory reset state. |
DEV-11991 | Airwall Gateway | HIPswitch | Fixed an issue that causes dropped packets when traffic from the same MAC address is received on multiple ports of the same Airwall Gateway (regardless of the port group membership of those ports). |
DEV-11982 | Conductor | | The auto-generated Lockdown Mode Device Group doesn't appear to match new Airwall Gateways coming online. |
DEV-11969 | Conductor | | NTPD terminates and won't come back. |
DEV-11968 | Cloud | | Delay and fetch userdata causes slow Conductor refresh |
DEV-11951 | Conductor | | Notifications Controller Validation failed: MTU must be greater than or equal to 100 when no MTU provided by 2.2.2 HIPapp |
DEV-11900 | Airwall Gateway | HIPswitch | Modbus-RTU does not work correctly when Overlay NAT is enabled. |
DEV-11898 | Android and iOS Airwall Agents | HIPclient-Android, HIPclient-iOS | Unable to establish any Overlay connections with Android and iOS Airwall Agent |
DEV-11893 | Android Airwall Agent | HIPclient-Android | Scale views on Overlay and Services page in Airwall Agent |
DEV-11887 | Android Airwall Agent | HIPclient-Android | In Add Profile, error remains after you correct the field |
DEV-11881 | Conductor | | Keep user auth timeout within the range of 1 hour to 1 year |
DEV-11867 | Airwall Gateway | HIPswitch | Ruggedcom: Cannot enter diagnostic mode from hipsh (now airsh) |
DEV-11864 | Airwall Gateway-150 | HIPswitch-150 | Fixed an Airwall Gateway-150 issue where the cellular LED indicators did not function properly following the first reboot after inserting the AW-150 cellular module. |
DEV-11858 | Conductor | | End Remote Session button activity is missing from PCI user activities |
DEV-11844 | Conductor | | Blank Provider name for OpenID connect leads to blank dropdown list item |
DEV-11830 | Conductor | | Able to authenticate user auth using expired password |
DEV-11829 | Conductor | | Unable to log in legacy users without email |
DEV-11824 | Conductor | | Deleting the people group doesn't remove the tag from the Airwall Edge Services |
DEV-11823 | Android and iOS Airwall Agents | HIPclient-Android, HIPclient-iOS | Prevent users from clicking multiple times on Login and Sign in |
DEV-11819 | macOS Airwall Agent | HIPclient-OSX | Doing anything in the macOS Airwall Agent closes your user auth session |
DEV-11815 | Conductor | | Add notice or block transparent mode when multiple overlay port groups are configured. |
DEV-11807 | Airwall Gateway | HIPswitch | Ping all devices on High-Availability Standby in failover mode |
DEV-11804 | Cloud | | Route injection was not performed on Conductor reboot or upgrade |
DEV-11794 | Linux Airwall Agent | HIPclient-Linux | WiFi scanning is now available on the Linux Airwall Agent |
DEV-11785 | Conductor | | Conductor should remove remote session button on disabling global user auth |
DEV-11778 | Airwall Gateway | HIPswitch | HTTP GET overlay monitor confused when multiple port groups |
DEV-11772 | iOS Airwall Agent | HIPclient-iOS | iOS Airwall Agent user auth alert icon on Dashboard doesn't work on click |
DEV-11769 | iOS Airwall Agent | HIPclient-iOS | iOS Airwall Agent not getting overlay device IP updates |
DEV-11733 | Conductor | | Airwall Gateway High-Availability, you get incorrect status after failover: primary Airwall Gateway status reports OK (tunneling) |
DEV-11732 | Airwall Gateway-150 | HIPswitch-150 | Fixed an issue where Quectel cellular expansion modules would sometimes fail to connect to AT&T's LTE network and instead fall back to 3g / UMTS. |
DEV-11727 | Licensing | | Denied license request not cleared after import of synced encrypted package |
DEV-11698 | Airwall Gateway-300v HA | HIPswitch-300v | Airwall Gateway-300v High-Availability member went offline after removing High Availability settings |
DEV-11684 | Conductor | | Starting concurrent packet captures on the same Airwall Gateway appears to work, then fails with "An error occurred communicating with the server" |
DEV-11680 | Android Airwall Agent | HIPapp-Android | Airwall Agent Invitations Decline and Conductor hidden in landscape view |
DEV-11677 | Conductor | | Conductor ports config permits network address as overlay IP |
DEV-11656 | Airwall Gateway-150 | HIPswitch-150 | In firmware versions 2.2.0, 2.2.1, and 2.2.2, a regression caused the link LEDs for Airwall Gateway-150 port 5 (SFP) to not operate when port 5 is assigned to an Overlay port group. This is fixed in firmware version 2.2.3. Note: The SFP port LEDs turn on and stay solid when the Airwall Gateway has not been managed in a Conductor. This issue will be addressed in a future release. |
DEV-11651 | Conductor | | Airwall Gateway Ports page doesn't display IP or MAC address after configuring |
DEV-11645 | Conductor | | OpenID user auth login requires re-authentication |
DEV-11516 | Conductor | | Device import allows device with arbitrary name/description length |
DEV-11499 | iOS Airwall Agent | HIPclient-iOS | iOS Airwall Agent shows LSI for NAT'd devices on overlay networks page |
DEV-11470 | Airwall Agents, Airwall Servers | HIPclients, HIPservers | Changing overlay IP conf. back to NAT requires Airwall Agent restart |
DEV-11459 | Conductor | | iOS Airwall Agent doesn't show up on Conductor |
DEV-11343 | Airwall Gateway | HIPswitch | The port detection part of hardware detection was made more reliable, for upgrades and during each boot on certain platforms. |
DEV-11103 | Conductor | | A device's port group can now be seen and edited from the Airwall Gateway's "local devices" tab. |
DEV-11013 | macOS Airwall Agent | HIPclient-OSX | Switching profile doesn't forget about user auth sign-in |
DEV-10960 | macOS Airwall Agent | HIPclient-OSX | If you add wrong credentials for user auth on macOS, it won't ask you to enter again |
DEV-10887 | Linux Airwall Linux Agent | HIPserver-Linux | Linux Airwall Linux Agent DNS server settings do not seem to have any effect |
DEV-10665 | macOS Airwall Agent | HIPclient-OSX | macOS 10.15 requires app notarization by default |
DEV-10592 | Cloud-Azure | | do not require reboot to get the route table ID |
DEV-10555 | Cloud-AWS | | Better user error for auth failure due to time difference |
DEV-9927 | Linux, macOS, and Windows Airwall Agents; Airwall Gateways | HIPclient-Linux, HIPclient-OSX, HIPclient-Win, HIPswitch | Mac Airwall Agent receives routes for disabled overlays |
DEV-9857 | iOS Airwall Agent | HIPclient-iOS | do not allow access to private key when phone is locked |
DEV-9253 | Conductor | | Smart Device Groups will not add Airwall Agents and Airwall Linux Agents using tag matches. |
DEV-9204 | Conductor | | Airwall Gateway Underlay IP NAT field shouldn't accept CIDRs |
DEV-9122 | macOS Airwall Agent | HIPclient-OSX | macOS Airwall Agent publishes IP of random interface as an Underlay IP |
DEV-8929 | Windows Airwall Agent | HIPclient-Win | Tray app doesn't start after unattended install |
DEV-8742 | Conductor | | Add better error messaging for the initial Conductor voucher failures |
Known Issues
ID | Applies to | Formerly Known As | Description |
---|---|---|---|
DEV-12744 | Airwall Gateways | HIPswitches | Customers with Conductor HA and Airwall Gateways version 2.2.1 or earlier might see connectivity issues when using User Authentication. Recommendation: Upgrade Conductors and Airwall Gateways to version 2.2.3. Workaround: After upgrades, if you still see connectivity issues, restart the primary Conductor. |
DEV-12710 | airsh | hipsh | Customers need to update each cell value individually when using airsh to configure the cell modems |
DEV-12697 | airsh | hipsh | The console command "airsh log" does not display the log file on a virtual Airwall Gateway. The 300v log file is now located at /etc/asguard/system/messages. |
DEV-12692 | API | | The API docs navigation section does not work properly in Chrome v80. Use Firefox or Safari to view the API docs. |
DEV-12645 | Android Airwall Agent | HIPClient-Android | When creating a new profile and starting the app for the first time there is a chance the "Upgrade Needed" page will be displayed. This is an error and the user should simply click cancel and start the app again. This may only happen the first time you create the profile. |
DEV-12521 | Airwall Gateway | HIPswitch | TPM usage is disabled by default for all Airwall Gateways due to the amount of time it takes to complete an RSA signature and frequency of RSA signatures when connected via a relay. This will be addressed in a future version. |
DEV-12513 | Cloud Azure | | Conductor occasionally gives "Net::ReadTimeout" error when user tries to deploy an Azure Airwall Gateway 300v or server. This doesn't indicate that the deployment has failed. Go to the Azure portal and check the actual deployment result. |
DEV-12303 | macOS Airwall Agent | HIPclient-OSX | Upgrading macOS Airwall Agent from 2.2.1 to 2.2.3 requires uninstalling the 2.2.1 Airwall Agent, installing the 2.2.3 Airwall Agent, and replacing the old profile with new profile on Conductor. |
DEV-12290 | macOS Airwall Agent | HIPclient-OSX | User approval needed to complete macOS Airwall Agent installation. From macOS High Sierra onwards, you need to allow the system extension com.tempered.tuntaposx.tap, or simply tap.kext, required by the Airwall Agent. In the System Preferences, on the Security and Privacy page, open the General tab. Where it says system software was blocked from loading, click Allow. macOS only shows this allow message for a limited time (30 minutes). The installer will wait for you to allow the extension. |
DEV-12268 | Conductor | | Firmware version on Conductor is not getting updated until macOS Airwall Agent is restarted |
DEV-11578 | Android Airwall Agent | HIPclient-Android | Do not change the LSI prefix to match a peer address. |
DEV-9542 | iOS Airwall Agent | HIPclient-iOS | Cannot generate a Support Bundle from the Conductor for an iOS Airwall Agent when the Conductor is in High Availability mode. You can instead generate a Support Bundle from the iOS Airwall Agent. |