Release Notes v3.0.1
Release Date: Feb 3, 2022
Update Considerations
Update to this version if you've experienced the following issues:
- Issues configuring an Airwall Gateway using a DNSSRV record.
- High disk usage using Conductor high-availability.
- Airwall Relay not relaying traffic to HA-pairedAirwall Gateways.
Downloads
For firmware and software downloads for this version, see 3.0.1 firmware and software.
Fixes
| ID | Applies to | Description |
|---|---|---|
| DEV-17147 | Conductor | Fixed an issue where a device match rule in smart device groups could match against a device on another Airwall Gateway when there are duplicates of the same IP address. |
| DEV-17146 | Airwall Gateways | Cellular Airwall Gateways continue to auto-repair the cellular ports even if the ports are not being assigned to a link manager failover group. They also auto-reboot if none of the ports are healthy. |
| DEV-16941 | Airwall Gateways | Fixed an issue that caused Airwall Relays to reject relaying traffic to HA-paired Airwall Gateways. |
| DEV-16938 | API, Conductor | Fixed an API issue where a system administrator could not add, update, or remove device match rules on a smart device group unless they were the rule editor. |
| DEV-16919 | Conductor | Fixed an issue where membership device count shown on overlay network index could double count devices if they were included in the network multiple times via device groups. |
| DEV-16895 | Conductor | Very long names no longer run off the screen. |
| DEV-16879 | Conductor | Reduced the standard expiration of stored tunnel stats to 1 week to improve database performance. You can adjust the expiration using the settings API. |
| DEV-16848 | BaseOS | Updated the mvebu64 firmware update description for clarity. |
| DEV-16832 | Conductor | Many tables have been updated to handle truncating and wrapping of important information (names, descriptions, etc) better. |
| DEV-16827 | Conductor | Fixed an issue where, on the device show page, an actions drop-down menu with no actions is available to users who cannot edit the device. |
| DEV-16826 | API, Conductor | API -- Devices of Airwall Agents now display the tags from the parent Airwall Gateway when serialized in the API (like they show in the UI). |
| DEV-16825 | API, Conductor | If an Airwall Agent is tagged, the device for that Airwall Agent is also tagged and returned when searching for tagged devices. |
| DEV-16824 | API, Conductor | Tagged devices, device groups, Airwalls, Airwall groups, people, and networks index endpoints are now all paginated. |
| DEV-16812 | Conductor | Fixed an issue where, for network administrators, some of the overlay networks they are a member of were not shown on their person page in the overlay networks panel. |
| DEV-16807 | Airwall Gateways | Fixed an issue affecting Airwall Gateways with a Conductor URL auto-configured using a DNS SRV record. The Airwall Gateway would appear for initial provisioning but failed to connect back
to the Conductor to be managed.The Airshell
command status conductor now displays 'Conductor
DNS SRV:' along with any URL discovered from DNS, otherwise the text
"(not used)". |
| DEV-16801 | Conductor | You can now disable spanning tree (by clearing the Enable spanning tree checkbox) for underlay bypasses with one interface. This setting is automatically enabled on an underlay with multiple ports or bypass port group with Routed_only disabled. |
| DEV-16781 | Conductor | Fixed an issue where tag names at the top of pages were being truncated, making them difficult to read. |
| DEV-16780 | Conductor | Fixed an issue where if you selected a device while the Airwall network graph was displayed, it would cause a console error. |
| DEV-16767 | Conductor | Device names in the Airwall local devices table no longer truncate unnecessarily. |
| DEV-16759 | Conductor | Fixed an issue where network administrators could create tags, possibly attached to smart device groups, that could then be used by network administrators in a different overlay in the system. Network administrators can now only create tags for use by themself. |
| DEV-16758 | Conductor | Fixed an issue where tags created by system administrators were defaulting to "anyone," which allowed network administrators access to resources they were not intended to have. Tags created by system administrators now default to only other system administrators. |
| DEV-16755 | Conductor | Fixed an issue where the default link failover group of new or factory-reset wireless Airwall Gateways was missing the bypass traffic type. |
| DEV-16753 | Airwall Gateways | Fixed an issue that allowed you to revoke HA-paired Airwall Gateways in the Conductor. |
| DEV-16752 | Airwall Gateways | Factory reset now clears activation codes. |
| DEV-16751 | Conductor | Fixed an issue where viewing the details of sent Airwall Invitations would show a name schema even if one wasn't set. |
| DEV-16667 | Airwall Gateways | Fixed an issue where the Airshell
command conf password returned an error "The
password for airsh cannot be changed yet" due to clock skew
issues. |
| DEV-16639 | Conductor | Fixed an issue where device groups created in one browser window did not display in other Conductor browser windows without a refresh. |
| DEV-16540 | Conductor | Fixed graph performance issues. |
| DEV-16521 | OpenHIP | Improved path MTU discovery. |
| DEV-16456 | Airwall Gateways | Fixed an issue where when you specify a BPF expression on both a port mirroring source and its port mirroring destination, then clear the expression from the port mirroring source, the BPF expression from the port mirroring destination isn't used. |
| DEV-16455 | Airwall Gateways | Fixed an issue where an ERSPAN session ID/GRE key specified on a port mirroring destination was ignored when not overridden on the port mirroring source. |
| DEV-16379 | Airwall Gateways | During a factory reset, configured log levels are now reset. |
| DEV-16365 | Conductor | Fixed an issue where the error message from a failed user authentication from an agent or server was not clear when LDAP was configured on the Conductor. |
| DEV-16327 | Conductor | Fixed an issue where user onboarding activation codes from a person group were not using the specified hostname if it did not match the default. |
| DEV-16322 | Conductor | Fixed an issue where if a person is in more than one person group that has access windows set, they can only authenticate for a remote session during times that are inside all of the access windows for those person groups. |
| DEV-16308 | Airwall Gateways | Fixed an issue where SNAT was not applied to routed traffic bypass traffic when SNAT was enabled and L3 only was disabled on a bypass port group. SNAT is not applied to L2 traffic. |
| DEV-16204 | Conductor | The overlay Add Devices page and the overlay search box should now return the same results |
| DEV-15984 | Cellular Airwall Gateways | Fixed an issue that could block bypass traffic on cellular ports. |
| DEV-14570 | Conductor | Fixed an issue where if you set an Airwall Agent owner to a user (LDAP, local, or OIDC) and someone attempted to authenticate as a different OIDC user, they could not authenticate (which is the correct behavior), but they got a 500 error instead of a helpful error message. |
Known Issues
| ID | Applies to | Description |
|---|---|---|
| DEV-17450 | Airwall Gateways | If you are upgrading an AWS cloud Airwall Gateway
with NVMe, the update from v2.2.12 to v3.0.1 fails.
Workaround -- Skip the v3.0.1 release and update to v3.0.2. |
| DEV-16999 | Airwall Gateways | AW-150 port 5 SFP LEDs are non-functional when the port may be actually linked and active. |
| DEV-16503 | macOS Airwall Agents | Deleting a profile does not immediately delete the associated
private key. Workaround – Switch to a different profile before creating a profile after deleting one. |
| DEV-16397 | Conductor | If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor, or go to and select Restart metadata cache to update the LSI prefix. |
| DEV-16068 | Amazon Web Services Conductor | To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image. |
| DEV-16067 | Cloud, Conductor, Airwall Gateways | If you are adding a new interface to an existing cloud Airwall Gateway, you must set the source and destination check to false (see your cloud provider for the terminology they use for source and destination checks). |
| DEV-16059 | Airwall Gateways | When HA-pairing two Airwall Gateways that do not have the HA link plugged in correctly, the Conductor displays no actionable error message and the HA setup never completes. |
| DEV-15982 | Conductor | Traffic stats reporting graphs generally show a smooth curve between data points. However, over time the graph can show up with sharper angles. The data is still correct, but this is a known issue with the graphing library used by the Conductor. |
| DEV-15945 | Airwall Gateways | If you configure port mirroring using a remote destination local device, GRE/ERSPAN traffic from remote Airwall Gateways will arrive with a source IP in the LSI prefix (defaults to 1.0.0.0/8). |
| DEV-15923 | Airwall Gateways | When you run Check secure tunnels on a v3.0 Airwall Gateway, the check falsely reports a bad tunnel status for any peer airwall running a firmware version that is v2.2.8 or lower. |
| DEV-15887 | Airwall Gateways | You cannot currently add VLAN interfaces to the Ruggedcom platform. |
| DEV-15808 | Google Cloud Airwall Gateways | Google Cloud Airwall Gateways with the same VM name have the same device serial number, which
can result in a failure when you make a license request in the Conductor. Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways. |
| DEV-15791 | Airwall Gateways | On the Airwall Gateway 100, Port 2 might be inactive after a
factory-reset. Workaround – After a factory reset, manually reboot the Airwall Gateway 100. |
| DEV-15787 | macOS Airwall Agents | If a person who already has a profile makes a Request to Connect
from the Remote Access User portal on the same Conductor, no profile is created. Workaround – If the user wants a second profile, they can use an invite code or enter the Conductor information manually. |
| DEV-15705 | macOS Airwall Agents | Establishing a tunnel TO a mobile Airwall Agent (iOS or Android) fails when there is no Airwall Relay involved. Workaround – Establish the tunnel FROM the mobile Airwall Agent. |
| DEV-15572 | Airwall Gateways | If you do not specify a gateway in the DHCP server configuration,
the DHCP client cannot configure a default
gateway. Workaround – Unless you want to configure a single isolated subnet, always specify a gateway. For example, a subnet for networked PDUs that should not have any outside connectivity aside from remote access through an Airwall Gateway, and used in conjunction with SNAT over the overlay port group. See https://tempered.force.com/TemperedSupportCenter/s/article/DHCP-server-isn-t-serving-as-a-gateway. |
| DEV-15489 | Windows Airwall Agents and Servers | Windows 7 sends an extra Windows system popup when the Windows Airwall Agent UserAuth prompt appears. You can safely ignore this popup, or can disable the Windows 7 service as described in this article from Broadcom: https://knowledge.broadcom.com/external/article/153693/interactive-services-detection-a-progra.html |
| DEV-15357 | macOS Airwall Agents | If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to
the Conductor. Workaround – Restart the Airwall Agent or reapply the update. |
| DEV-15338 | Linux Airwall Servers | If using a recent systemd-based Linux distribution including Fedora 33 and Debian 11, disable systemd-networkd MAC address randomization of the hip1 interface. |
| DEV-15302 | macOS Airwall Agents | The profile for a macOS Airwall Agent does not work correctly when restored to a new computer using
Time Machine. Workaround – Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one. |
| DEV-15219 | Cellular 110g Airwall Gateways | The Airwall Gateway 110g does not on the Bell Mobility (Canada) cellular provider because they require the use of a http/https proxy. |
| DEV-15031 | Airwall Gateways | Remote syslog over TLS doesn't work when using keys stored in TPM. |
| DEV-14860 | Conductor | Airwall Gateways on older firmware (pre v2.2.0) may send passively-discovered device events to the Conductor even when the feature is off. |
| DEV-14835 | Conductor | Airwall Gateway 150 serial numbers look like exponentiated numbers to Windows Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number. |
| DEV-14739 | Airwall Gateways | If you set IPv4 to DHCPv4 and set a static IP address for IPv6,
the setting that you set second doesn't get saved.
Workaround – If you need both IPv4 and IPv6, set static IP addresses for both. |
| DEV-14736 | Cellular Airwall Gateways | Cellular details may display as "unavailable" on the first boot
after you update anAirwall Gateway. The cellular connections are not affected. Workaround – Reboot the Airwall Gateway again to correctly display the cellular details. |
| DEV-14726 | Conductor | If you're viewing an Android Airwall Agent
Ports tab and the Airwall Agent changes how it is connected to the Conductor (for example, from WiFi to cellular), the display does not update
correctly. Workaround – Refresh the page. |
| DEV-14715 | macOS Airwall Agents | Big Sur ARM64 Macs are not supported in this release |
| DEV-14610 | Conductor | After changing the Reporting traffic stats reporting time, the
CPU graph does not display. Workaround – Refresh your browser page. |
| DEV-14584 | Cellular Airwall Gateways | Hot-swapping the SIM on an Airwall Gateway 110 with firmware version v2.2.11 may not work.
Workaround – Reboot the Airwall Gateway after installing a new SIM card. |
| DEV-14551 | Conductor | The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message. |
| DEV-14426 | Conductor, Airwall Gateways | Bypass destinations with a hostname do not show device activity in the Conductor. |
| DEV-14308 | OpenHIP | Initial packets are dropped while building a new tunnel to a new peer Airwall Gateway. |
| DEV-14249 | iOS Airwall Agents | Tunnel Status may show as
unavailable on iOS. Workaround – You can determine tunnel status by checking packets sent or received. |
| DEV-14223 | Google Cloud | Add an overlay IP to agent in order to talk to device behind Google 300v. |
| DEV-14218 | Airwall Gateways | NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices. |
| DEV-14045 | Android and iOS Airwall Agents | iOS does not currently support overlay ping. |
| DEV-14015 | OpenHIP | If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.
Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate. |
| DEV-13775 | Azure Cloud Airwall Gateways | The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result. |
| DEV-13699 | Windows Airwall Agents and Servers | The initial ping from the Windows Airwall Agent can be misleading since it currently includes the time to
initially set up the connection. Workaround – Ping a second time to see actual ping time. |
| DEV-13650 | Conductor | SoIP device activity is not being reported on an Airwall Gateway Local Devices tab. |
| DEV-13640 | Conductor | Airwall Relay diagnostics do not work on a Standby Conductor. |
| DEV-13633 | Conductor | A standby Conductor shows available firmware downloads, but they cannot be
downloaded. Workaround – Download firmware from the active Conductor. |
| DEV-13620 | Conductor | In , the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly. |
| DEV-13607 | Conductor, Airwall Gateways | Creating a link failover group () does not apply the settings to any port groups. You must also assign the failover group to port groups on the Ports page. |
| DEV-13588 | Conductor | Opening the Conductor on Internet Explorer 11 can be very slow for medium to large
deployments. Workaround – Use the latest version of Chrome, Firefox, or Edge instead. |
| DEV-13536 | Windows Airwall Agents and Servers | When you uninstall the Windows Airwall Agent, it does not remove the tun-tap driver. Workaround – Delete the driver from C:\Windows\System32\drivers\tnw-tap.sys. |
| DEV-13531 | Cloud Conductor | Automatically creating Cloud HA Conductors only works if you use the same cloud provider for both active and
standby Conductors. For example, AWS HA Active and AWS HA
Standby. Workaround – You can manually set up different cloud providers as HA pair Conductors. |
| DEV-13474 | Airwall Gateways | If you configure multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then create a local device equal to the entire subnet with port affinity set, it may not lead to the expected result. |
| DEV-13331 | Alibaba Cloud Airwall Gateways | The Alibaba Cloud Conductor system time is incorrect. Workaround – Change the Conductor system time to browser time: In Conductor Settings, under System time, select Edit Settings, select Set browser time, and then select Update Settings. |
| DEV-13195 | Conductor, Airwall Gateways | When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become
"Unavailable." Workaround – Reboot and the details return. |
| DEV-13194 | Conductor | for an Airwall Gateway fails in Internet Explorer 11 if one of the devices is defined as
a CIDR. Workaround – Use one of the latest versions of Chrome, Firefox, Safari or Edge. |
| DEV-12852 | Windows Airwall Agents | Windows by default doesn't allow multiple 'active' interfaces. It
prefers ethernet over cellular whenever
possible. Workaround – Set Windows to keep multiple interfaces open by editing the fMinimizeConnections registry value:
|
| DEV-11710 | macOS Airwall Agents | If you change the LSI prefix on the Conductor, the macOS Airwall Agent doesn't update the routes correctly. Workaround – Close and reopen the macOS Airwall Agent. |
| DEV-10590 | Cloud Airwall Gateways | The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider. |
| DEV-10039 | Airwall Gateways | An Airwall Gateway-150 can show "could not detect attached switch" intermittently. |
| DEV-9546 | Airwall Gateways, Airwall Gateways 150 | The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console. |
| DEV-9429 | Windows Airwall Agents | When you update the Overlay Device IP address for a Windows Airwall Server in the Conductor, it doesn't always update the first time. Workaround -- Open and update the address a second time. |