Release Notes 2.2.12

Release Date: May 24, 2021

Update Considerations

Important: Update downtime – When you update the Conductor or Airwall Edge Services, there may be database and configuration changes related to the new release that require Airwall Edge Services to update their configuration data, resulting in downtime while secure tunnels are re-established. Downtime is typically up to, and in most cases is much less than, two minutes.

Consider updating to v2.2.12 if:

You want to use any of the following features: You were impacted by any issues discovered in prior releases, especially if you have any of the following:
  • Use a Raspberry Pi as an Airwall Server
  • Plan on installing an 8-port module in an already in production Airwall Gateway-500
Ran into these issues:
  • Had issues with reconnecting previously revoked devices
  • Issues with Bypass in certain cases
  • Issues with port mirroring after deleting a destination
  • Have issues with Bypass and Device Discovery

What's New in 2.2.12

Here are the new features and enhancements in this version.

Licensing Changes

  • Port mirroring now requires an add-on license for any Airwall Gateway acting as a Mirror Source
  • Licensing page changes:
    • Licenses are now paginated as needed.
    • Vouchers are automatically consolidated

Airwall Servers for Raspbian and Ubuntu ARM64

You can now get an Airwall Server that runs on Raspbian or Ubuntu ARM. For installation information, see Raspbian and RPi4/Ubuntu ARM64 – Install the Airwall Server.

Platform End of Life for 100 Series Appliances

Tempered announces the End of Life schedule for the HIPswitch 100 series platforms. For more information and a schedule, see Platform end-of-life for Airwall Gateway/ HIPswitch 100 series.

New and Improved Conductor Features

Port mirroring

Airwall Gateways configured with port mirroring now show mirrored status in list and status views.


Port mirror badge

OpenID Connect
OpenID Connect tokens are now included in the webapp log at the debug level to assist with integration.
User Preferences
The Conductor now remembers user page size settings across sessions, browsers, and computers.
Underlay Network view
This view now visually separates the different underlay IPs to show their ping statuses, RTT, and count as they are being pinged.
Device name now shown on Overlay and Device pages
If you set a name for a device in an Airwall Agent or Server, it is now shown on the Overlays and Devices pages in the Conductor.
CPU Graph Changes
Starting with 2.2.12, the CPU graph on an Airwall Gateway Reporting page now shows CPU percentage, not the previously-shown CPU load average. The CPU percentage graph shows the percentage of CPU capacity being used on the Airwall Gateway over time.

New and Updated Help

In addition to the content added for new features linked above, here’s the new and updated content published since our last major release:

Fixes

ID Applies to Description
DEV-16133 Windows Airwall Agents and Servers Fixed an issue where Windows Airwall Agents and Servers sometimes lock up.
DEV-16101 Windows Airwall Agents and Servers Fixed an issue where a Windows Airwall Agent or Server loses connectivity with the Conductor, or where the agent is still connected but cannot establish communications.
DEV-15680 Airwall Gateways The Airwall Gateway CPU Load graph has been revised for Airwall Gateways running v2.2.12 and later. This graph now reports the percentage of CPU used rather than the load average reported by previous releases.
DEV-15635 Conductors Fixed an issue where read-only system administrators were prevented from seeing license counts.
DEV-15579 Conductors Fixed an issue where an incorrect packet capture interface may get selected when using Firefox browser.
DEV-15563 Conductors Fixed an issue where the GRE key field wasn't being published for port mirror destinations.
DEV-15543 Conductors Fixed an issue where group validation fails if there is a comma in the group name.
DEV-15541 macOS Airwall Agents Fixed an issue where the macOS Airwall Agent wasn't cleaning up routes when shut down.
DEV-15538 Conductors Fixed an issue where you could not add a device group with bypass destinations to an overlay.
DEV-15503 Airwall Gateways Fixed an issue where Airwall Gateways were not always broadcasting all their monitor capabilities.
DEV-15467 Conductors Swapping between Airwall Gateways should correctly reset the owner setting
DEV-15448 API, Conductors API for port mirrors incorrectly used enumerable ID. It now uses a UUID.
DEV-15444 Conductors Fixed an issue that could cause the Conductor to refuse policy creation involving bypass destinations in some situations.
DEV-15385 Airwall Gateways Fixed an issue that could cause bad port and network configurations on Airwall Gateways with port expansion capabilities after inserting a network expansion module.
DEV-15378 Airwall Gateways Fixed an issue where you had to remove the Port Mirroring config before deleting a device.
DEV-15374 Android and iOS Airwall Agents Airwall Agents now automatically restart when the port for HIP is changed on Conductor.
DEV-15370 Airwall Gateways Fixed passive device discovery on routed traffic only port groups.
DEV-15367 Conductors The user is now blocked from completing user auth if they are within a negative access window on any people group.
DEV-15360 Airwall Gateways Fixed an issue where the port 1 and 2 labels were swapped on an AW-100 after it has been factory reset.
DEV-15352 Conductors Fixed a UI issue that prevented changes to bypass settings on a standby Conductor.
DEV-15348 Conductors The ping peer Airwalls diagnostic function in the UI should now enable/disable dynamically as the Airwall gains or loses peers.
DEV-15341 Airwall Gateways Fixed an ebm2 crash on a rare race condition encountered when updating ports configuration when port mirroring is enabled.
DEV-15316 Airwall Gateways Fixed an issue that caused Ping peer Airwalls to report a failure sending HIP traffic for HA-configured Airwall Gateways.
DEV-15314 Conductors Fixed an issue where when using user auth tags and access windows, a user logging in could gain transient (< 5 minutes) access to a tag when they are outside the access window, and therefore gain access to a resource via smart device groups when they should not.Also fixed an issue where when a user gains a user auth tag that is in multiple people groups with access windows, the user might only gain access for the shorter window depending on group ordering.
DEV-15305 Conductors The Conductor now validates the local device MAC address is a unicast address.
DEV-15179 HIP tunnel, Diagnostic mode Fixed an issue where 'airsh conf cell roaming=1' did not match Diagnostic Mode settings. New syntax is 'airsh conf cell roaming=true' (or '... roaming=false').
DEV-15005 Conductors, Android Airwall Agents Fixed an issue where overlay stats were not showing on the Android Airwall Agent.
DEV-14994 Android Airwall Agents Fixed an issue where the cell port temporarily didn't show up on the Ports page in Conductor for an Android Airwall Agent.
DEV-14990 Airwall Gateways Fixed an issue where bypass policy was applied to outbound but not inbound traffic.
DEV-14952 Airwall Agents and Servers Fixed an issue where the Android Airwall Agent was not able to ping peer devices on Airwall Teams unless the communication was initiated from the peer devices.
DEV-14917 Android Airwall Agents Fixed an issue where you couldn't stop the packet capture for Android Airwall Agents.
DEV-14874 Android Airwall Agents Fixed an issue where the Android Airwall Agent was reporting the underlay IP as 0.0.0.0 when on cellular.
DEV-14816 Conductors, Android and iOS Airwall Agents The UI for the mobile agents need to be in either the background or foreground for the change to take effect without user interaction.
DEV-14806 Android Airwall Agents Fixed an issue where Android 6 & 7 devices were unable to ping peer device without an Overlay device IP set.
DEV-14800 Android Airwall Agents If an Android has multiple underlay IP addresses (like IPv4 and IPv6), the Conductor now pings them separately.
DEV-14795 Android Airwall Agents Reduced the timeout length for Check secure tunnel on the Conductor for Android Airwall Agents.
DEV-14794 Android Airwall Agents Fixed an issue where Check secure tunnel on the Conductor was not working on older Android devices.
DEV-14771 Android Airwall Agents Note that if you scroll to the top while the log viewer is scrolling it will not force you to the bottom. It will only auto-scroll if you are scrolled to the last line and new log messages come in, which is how most auto-scrolling works.
DEV-14758 Conductors, Android Airwall Agents Fixed an issue where the Conductor was sometimes not showing an IP for Android Airwall Agents.
DEV-14683 Airwall Gateways Fixed an issue causing missing ports in the selection drop-down of the packet capture dialog of newly managed Airwall Edge Services.
DEV-14509 Airwall Gateways Ping peer Airwalls (under Diagnostics > Check connectivity > Airwall peer connectivity) was fixed for Airwall Gateways and Linux Airwall Servers. Note that the other Airwall Agents and Servers (Windows, macOS, iOS, Android) may display a green checkboxes under HIP traffic when a HIP tunnel may not actually be available (false positives).

Known Issues

ID Applies to Description
DEV-16107 Windows Airwall Agents and Servers There is an issue on Windows Airwall Agents and Servers where when you set the log level, the agent loses its connection to the Conductor, and no longer writes anything to the log.

Workaround: Change the log level again, or close and restart the Airwall Agent or Server.

DEV-15808 Google Cloud Airwall Gateways In Google Cloud, use a unique deployment name (vm name) for Airwall Gateways. Airwall Gateways with the same vm name will have the same device serial number and this can result in a failure when you make a license request.
DEV-15803 Conductors When you replace an Airwall Gateway in the Conductor, it transfers the Underlay IP (NAT) during the Transfer port configuration step, even if you haven't checked Transfer public IP addresses.

Workaround – Update the Underlay IP (NAT) after completing the Airwall replace.

DEV-15791 Airwall Gateways On the Airwall Gateway-100, Port 2 might be inactive after a factory-reset.

Workaround – Manually reboot the Airwall Gateway after a factory-reset.

DEV-15705 Android and iOS Airwall Agents Establishing a tunnel TO a mobile agent (iOS / Android) will fail when there is no Airwall Relay involved.

Workaround – Establish the tunnel FROM the mobile agent.

DEV-15489 Windows Airwall Agents and Servers Windows 7 Users will see an extra Windows system popup when the UserAuth prompt appears on screen. This message can be safely ignored or the service can be disabled.
DEV-15357 macOS Airwall Agents If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to the Conductor.

Workaround – Restart the agent or reapply the update.

DEV-15302 macOS Airwall Agents The macOS Airwall Agent profile will not work correctly when restored to a new machine via Timemachine.

Workaround – Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one for that agent.

DEV-15219 MAP2-Client, OpenHIP Airwall Gateways are not working on the Bell Mobility (Canada) cellular provider, due to the required use of a http/https proxy.
DEV-15031 Airwall Gateways Remote syslog over TLS doesn't work when using keys stored in TPM.
DEV-14892 Android Airwall Agents Network order for Ethernet connections on an Android Airwall Agent doesn't work.
DEV-14835 Conductors Airwall Gateway-150 serial numbers look like exponentiated numbers to Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number.
DEV-14798 Conductors, Airwall Agents Airwall Gateways with negative policy will still be able to talk to each other via their LSI. The peer will also still show up in the UI.
DEV-14772 macOS Airwall Agents If the macOS Airwall Agent is set to "off on boot" and the computer is rebooted, DNS may not be correctly set at startup.

Workaround – Restart the agent to regain access to DNS. Stop the agent, if desired, to return to the DNS servers as given by DHCP.

DEV-14739 Airwall Gateways If you set IPv4 to DHCPv4 and set a static IP address for IPv6, the setting that you set second doesn't get saved.

Workaround – If you need both IPv4 and IPv6, set static IP addresses for both.

DEV-14736 Cellular Airwall Gateways Cellular details may display as "unavailable" on the first boot after you update an Airwall Gateway. The cellular connections are not affected.

Workaround – Reboot the Airwall Gateway again to correctly display the cellular details.

DEV-14726 Conductor If you're viewing an Android Airwall Gateway Ports tab and the Airwall Agent changes how it's connected to the Conductor (for example, from WiFi to cellular), the display doesn't update correctly.

Workaround – Refresh the page.

DEV-14715 macOS Airwall Agents Big Sur ARM64 Macs are not supported in this release
DEV-14610 Conductor After changing the Reporting traffic stats reporting time, the CPU graph will not display.

Workaround – Refresh your browser page.

DEV-14584 Cellular Airwall Gateways Hot-swapping the SIM on an Airwall Gateway 110 with firmware version 2.2.11 may not work.

Workaround – Reboot the Airwall Gateway after installing a new SIM card.

DEV-14570 Conductors If you set an Airwall Agent owner to a user (LDAP, local, or OIDC) and someone attempts to user authenticate with a different OIDC user, they will not be able to authenticate (which is the correct behavior), but they see a 500 instead of a helpful error message.
DEV-14551 Conductors The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message.
DEV-14426 Conductors, Airwall Gateways Bypass destinations with a hostname do not show device activity in the Conductor.
DEV-14361 Airwall Gateways The Build new tunnels if none exist option doesn't build tunnels to peer Airwall Edge Services with IPv6-only policy. This feature currently depends on having IPv4 policy between peer Airwall Edge Services.
DEV-14308 OpenHIP Initial packets dropped while building a new tunnel to a new peer Airwall Edge Service.
DEV-14249 iOS Airwall Agents Check Secure Tunnels / Tunnel Status may show as unavailable on iOS.

Workaround – You can determine tunnel status by checking packets sent or received.

DEV-14223 Cloud-Google Add an overlay IP to agent to talk to device behind Google Cloud Airwall Gateway 300v.
DEV-14218 Airwall Gateways NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices.
DEV-14045 Android and iOS Airwall Agents iOS does not currently support overlay ping. This feature may be implemented in a future release.
DEV-14015 OpenHIP If a relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.

Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate.

DEV-13970 Cloud-Alibaba, Conductors When you upgrade a Conductor on Alibaba Cloud, the Conductor system time gets out of sync.

Workaround – Go to Settings > Other settings > System time and date, click Edit Settings, then Update to resync.

DEV-13775 Cloud-Azure The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result.
DEV-13760 Conductors Device export/import does not export or import Bypass Devices.
DEV-13754 Airwall Agents and Servers The Conductor can falsely report that the Airwall Agent is offline in some cases.
DEV-13699 Windows Airwall Agents and Servers The initial ping from the Windows Airwall Agent can be misleading since it currently includes the time to initially set up the connection.

Workaround – Ping a second time to see actual ping time.

DEV-13650 Conductors SoIP device activity is not being reported on an Airwall Gateway Local Devices tab.
DEV-13640 Conductors Airwall Relay diagnostics doesn't work on a Standby Conductor.
DEV-13633 Conductors A standby Conductor shows available firmware downloads, but cannot be downloaded.

Workaround – Download firmware from the active Conductor.

DEV-13620 Conductors In Airwall > Ports > Failover settings, the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly.
DEV-13607 Conductors, Airwall Gateways Creating a link failover group (Airwall > Ports > Failover settings) does not apply the settings to any port groups. This is easy to miss since you have to set the failover group on the ports page.
DEV-13588 Conductors Opening the Conductor on Internet Explorer 11 can be very slow for medium to large deployments.

Workaround – Use the latest version of Chrome, Firefox, or Edge instead.

DEV-13544 Linux Airwall Servers If no relay is configured, checking Relay probe information on the Linux Airwall Server returns an error.
DEV-13536 Windows Airwall Agents and Servers Uninstalling the Windows Airwall Agent does not remove the tun-tap driver.

Workaround – Delete the driver from C:\Windows\System32\drivers\tnw-tap.sys.

DEV-13531 Cloud Automating creating Cloud HA Conductors only works with same cloud provider used for both active and standby. For example, having both your HA Active and HA Standby Conductors in AWS.

Workaround -- You can manually set up different cloud providers as HA pair Conductors.

DEV-13474 Airwall Gateways Configuring multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then creating a local device equal to the entire subnet with port affinity set may not lead to the expected result.
DEV-13331 Cloud-Alibaba Alibaba Cloud Conductor system time is incorrect.
Workaround – Change the Conductor system time to browser time:
  1. In Conductor Settings, under System time, select Edit settings.
  2. Select Set browser time, and then select Update.
DEV-13195 Conductors, Airwall Gateways When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become unavailable.

Workaround – Reboot and the details return.

DEV-13194 Conductors Check Connectivity / Ping Local Devices on an Airwall Gateway will fail in Internet Explorer 11 if one of the devices is defined as a CIDR.

Workaround – use one of the latest versions of Chrome, Firefox, Safari or Edge.

DEV-12852 Windows Airwall Agents and Servers Windows by default doesn't allow multiple 'active' interfaces. It prefers ethernet over cellular whenever possible.
Workaround – Set Windows to keep multiple interfaces open by editing the fMinimizeConnections registry value:
  1. Hold the Windows key and press R.
  2. In the Run dialog, type regedit and click OK.
  3. Navigate to the following path in Registry Editor: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\
  4. See if the GroupPolicy subkey exists. If not with, WcmSvc highlighted, right-click on WcmSvc and select New > Key, and name it GroupPolicy.
  5. Right-click GroupPolicy and select New > DWORD(32-bit) > Create value.
  6. Name the value fMinimizeConnections, and select OK.
  7. Set the value to 0 (false).
  8. Save, reboot, and test.
DEV-11710 macOS Airwall Agents If you change the LSI prefix on the Conductor, the macOS Airwall Agent doesn't update the routes correctly.

Workaround – Close and reopen the macOS Airwall Agent.

DEV-10590 Cloud The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider.
DEV-10039 Airwall Gateways An Airwall Gateway-150 can show a "Could not detect attached switch" message intermittently.
DEV-9546 Airwall Gateways, Airwall Gateway-150 The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console.
DEV-9429 Windows Airwall Agents and Servers Updating the Overlay Device IP address for a Windows Airwall Server in the Conductor doesn't update the first time.

Workaround – Open and update the address a second time.