Release Notes 2.2.12
Release Date: May 24, 2021
Update Considerations
Important: Update downtime – When you update the Conductor or
Airwall Edge Services, there may be database and configuration changes related to the new release
that require Airwall Edge Services to update their configuration data, resulting in downtime while secure
tunnels are re-established. Downtime is typically up to, and in most cases is
much less than, two minutes.
Consider updating to v2.2.12 if:
| You want to use any of the following features: | You were impacted by any issues discovered in prior releases, especially if you have any of the following: |
|
Ran into these issues:
|
Downloads
For firmware and software downloads for this version, see 2.2.12 firmware and software.
What's New in 2.2.12
Here are the new features and enhancements in this version.
Licensing Changes
- Port mirroring now requires an add-on license for any Airwall Gateway acting as a Mirror Source
- Licensing page changes:
- Licenses are now paginated as needed.
- Vouchers are automatically consolidated
Airwall Servers for Raspbian and Ubuntu ARM64
You can now get an Airwall Server that runs on Raspbian or Ubuntu ARM. For installation information, see Raspbian and RPi4/Ubuntu ARM64 – Install the Airwall Server.
Platform End of Life for 100 Series Appliances
Tempered announces the End of Life schedule for the HIPswitch 100 series platforms. For more information and a schedule, see Platform end-of-life for Airwall Gateway/ HIPswitch 100 series.
New and Improved Conductor Features
- Port mirroring
-
Airwall Gateways configured with port mirroring now show mirrored status in list and status views.
- OpenID Connect
- OpenID Connect tokens are now included in the webapp log at the debug level to assist with integration.
- User Preferences
- The Conductor now remembers user page size settings across sessions, browsers, and computers.
- Underlay Network view
- This view now visually separates the different underlay IPs to show their ping statuses, RTT, and count as they are being pinged.
- Device name now shown on Overlay and Device pages
- If you set a name for a device in an Airwall Agent or Server, it is now shown on the Overlays and Devices pages in the Conductor.
- CPU Graph Changes
- Starting with 2.2.12, the CPU graph on an Airwall Gateway Reporting page now shows CPU percentage, not the previously-shown CPU load average. The CPU percentage graph shows the percentage of CPU capacity being used on the Airwall Gateway over time.
New and Updated Help
In addition to the content added for new features linked above, here’s the new and updated content published since our last major release:
Updated –
- How Airwall Licensing Works
- Set up a virtual Airwall Gateway in VMware ESX/ESXi
- Set up a virtual Airwall Gateway in Microsoft Hyper-V
- Alibaba Cloud – Set up an Airwall Gateway
- Amazon Web Services – Set up an Airwall Gateway
- Microsoft Azure – Set up an Airwall Gateway
- Google Cloud (GCP) – Set up an Airwall Gateway
- Airwall Gateway Airshell Console Commands
- airsh - New
conf modelcommand - Mirror Traffic to a Dedicated Port
Fixes
| ID | Applies to | Description |
|---|---|---|
| DEV-16133 | Windows Airwall Agents and Servers | Fixed an issue where Windows Airwall Agents and Servers sometimes lock up. |
| DEV-16101 | Windows Airwall Agents and Servers | Fixed an issue where a Windows Airwall Agent or Server loses connectivity with the Conductor, or where the agent is still connected but cannot establish communications. |
| DEV-15680 | Airwall Gateways | The Airwall Gateway CPU Load graph has been revised for Airwall Gateways running v2.2.12 and later. This graph now reports the percentage of CPU used rather than the load average reported by previous releases. |
| DEV-15635 | Conductors | Fixed an issue where read-only system administrators were prevented from seeing license counts. |
| DEV-15579 | Conductors | Fixed an issue where an incorrect packet capture interface may get selected when using Firefox browser. |
| DEV-15563 | Conductors | Fixed an issue where the GRE key field wasn't being published for port mirror destinations. |
| DEV-15543 | Conductors | Fixed an issue where group validation fails if there is a comma in the group name. |
| DEV-15541 | macOS Airwall Agents | Fixed an issue where the macOS Airwall Agent wasn't cleaning up routes when shut down. |
| DEV-15538 | Conductors | Fixed an issue where you could not add a device group with bypass destinations to an overlay. |
| DEV-15503 | Airwall Gateways | Fixed an issue where Airwall Gateways were not always broadcasting all their monitor capabilities. |
| DEV-15467 | Conductors | Swapping between Airwall Gateways should correctly reset the owner setting |
| DEV-15448 | API, Conductors | API for port mirrors incorrectly used enumerable ID. It now uses a UUID. |
| DEV-15444 | Conductors | Fixed an issue that could cause the Conductor to refuse policy creation involving bypass destinations in some situations. |
| DEV-15385 | Airwall Gateways | Fixed an issue that could cause bad port and network configurations on Airwall Gateways with port expansion capabilities after inserting a network expansion module. |
| DEV-15378 | Airwall Gateways | Fixed an issue where you had to remove the Port Mirroring config before deleting a device. |
| DEV-15374 | Android and iOS Airwall Agents | Airwall Agents now automatically restart when the port for HIP is changed on Conductor. |
| DEV-15370 | Airwall Gateways | Fixed passive device discovery on routed traffic only port groups. |
| DEV-15367 | Conductors | The user is now blocked from completing user auth if they are within a negative access window on any people group. |
| DEV-15360 | Airwall Gateways | Fixed an issue where the port 1 and 2 labels were swapped on an AW-100 after it has been factory reset. |
| DEV-15352 | Conductors | Fixed a UI issue that prevented changes to bypass settings on a standby Conductor. |
| DEV-15348 | Conductors | The ping peer Airwalls diagnostic function in the UI should now enable/disable dynamically as the Airwall gains or loses peers. |
| DEV-15341 | Airwall Gateways | Fixed an ebm2 crash on a rare race condition encountered when updating ports configuration when port mirroring is enabled. |
| DEV-15316 | Airwall Gateways | Fixed an issue that caused Ping peer Airwalls to report a failure sending HIP traffic for HA-configured Airwall Gateways. |
| DEV-15314 | Conductors | Fixed an issue where when using user auth tags and access windows, a user logging in could gain transient (< 5 minutes) access to a tag when they are outside the access window, and therefore gain access to a resource via smart device groups when they should not.Also fixed an issue where when a user gains a user auth tag that is in multiple people groups with access windows, the user might only gain access for the shorter window depending on group ordering. |
| DEV-15305 | Conductors | The Conductor now validates the local device MAC address is a unicast address. |
| DEV-15179 | HIP tunnel, Diagnostic mode | Fixed an issue where 'airsh conf cell roaming=1' did not match Diagnostic Mode settings. New syntax is 'airsh conf cell roaming=true' (or '... roaming=false'). |
| DEV-15005 | Conductors, Android Airwall Agents | Fixed an issue where overlay stats were not showing on the Android Airwall Agent. |
| DEV-14994 | Android Airwall Agents | Fixed an issue where the cell port temporarily didn't show up on the Ports page in Conductor for an Android Airwall Agent. |
| DEV-14990 | Airwall Gateways | Fixed an issue where bypass policy was applied to outbound but not inbound traffic. |
| DEV-14952 | Airwall Agents and Servers | Fixed an issue where the Android Airwall Agent was not able to ping peer devices on Airwall Teams unless the communication was initiated from the peer devices. |
| DEV-14917 | Android Airwall Agents | Fixed an issue where you couldn't stop the packet capture for Android Airwall Agents. |
| DEV-14874 | Android Airwall Agents | Fixed an issue where the Android Airwall Agent was reporting the underlay IP as 0.0.0.0 when on cellular. |
| DEV-14816 | Conductors, Android and iOS Airwall Agents | The UI for the mobile agents need to be in either the background or foreground for the change to take effect without user interaction. |
| DEV-14806 | Android Airwall Agents | Fixed an issue where Android 6 & 7 devices were unable to ping peer device without an Overlay device IP set. |
| DEV-14800 | Android Airwall Agents | If an Android has multiple underlay IP addresses (like IPv4 and IPv6), the Conductor now pings them separately. |
| DEV-14795 | Android Airwall Agents | Reduced the timeout length for Check secure tunnel on the Conductor for Android Airwall Agents. |
| DEV-14794 | Android Airwall Agents | Fixed an issue where Check secure tunnel on the Conductor was not working on older Android devices. |
| DEV-14771 | Android Airwall Agents | Note that if you scroll to the top while the log viewer is scrolling it will not force you to the bottom. It will only auto-scroll if you are scrolled to the last line and new log messages come in, which is how most auto-scrolling works. |
| DEV-14758 | Conductors, Android Airwall Agents | Fixed an issue where the Conductor was sometimes not showing an IP for Android Airwall Agents. |
| DEV-14683 | Airwall Gateways | Fixed an issue causing missing ports in the selection drop-down of the packet capture dialog of newly managed Airwall Edge Services. |
| DEV-14509 | Airwall Gateways | Ping peer Airwalls (under Diagnostics > Check connectivity > Airwall peer connectivity) was fixed for Airwall Gateways and Linux Airwall Servers. Note that the other Airwall Agents and Servers (Windows, macOS, iOS, Android) may display a green checkboxes under HIP traffic when a HIP tunnel may not actually be available (false positives). |
Known Issues
| ID | Applies to | Description |
|---|---|---|
| DEV-16107 | Windows Airwall Agents and Servers | There is an issue on Windows Airwall Agents and Servers where when you set the log level, the agent loses its connection
to the Conductor, and no longer writes anything to the log. Workaround: Change the log level again, or close and restart the Airwall Agent or Server. |
| DEV-15808 | Google Cloud Airwall Gateways | In Google Cloud, use a unique deployment name (vm name) for Airwall Gateways. Airwall Gateways with the same vm name will have the same device serial number and this can result in a failure when you make a license request. |
| DEV-15803 | Conductors | When you replace an Airwall Gateway in the Conductor, it transfers the Underlay IP (NAT) during
the Transfer port configuration step, even if you have not
checked Transfer public IP addresses.
Workaround – Update the Underlay IP (NAT) after completing the Airwall replace. |
| DEV-15791 | Airwall Gateways | On the Airwall Gateway-100, Port 2 might be inactive after a
factory-reset. Workaround – Manually reboot the Airwall Gateway after a factory-reset. |
| DEV-15705 | Android and iOS Airwall Agents | Establishing a tunnel TO a mobile agent (iOS / Android) will fail
when there is no Airwall Relay involved. Workaround – Establish the tunnel FROM the mobile agent. |
| DEV-15489 | Windows Airwall Agents and Servers | Windows 7 Users will see an extra Windows system popup when the UserAuth prompt appears on screen. This message can be safely ignored or the service can be disabled. |
| DEV-15357 | macOS Airwall Agents | If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to
the Conductor. Workaround – Restart the agent or reapply the update. |
| DEV-15302 | macOS Airwall Agents | The macOS Airwall Agent profile will not work correctly when restored to a new machine
via Timemachine. Workaround – Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one for that agent. |
| DEV-15219 | MAP2-Client, OpenHIP | Airwall Gateways are not working on the Bell Mobility (Canada) cellular provider, due to the required use of a http/https proxy. |
| DEV-15031 | Airwall Gateways | Remote syslog over TLS doesn't work when using keys stored in TPM. |
| DEV-14892 | Android Airwall Agents | Network order for Ethernet connections on an Android Airwall Agent doesn't work. |
| DEV-14835 | Conductors | Airwall Gateway-150 serial numbers look like exponentiated numbers to Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number. |
| DEV-14798 | Conductors, Airwall Agents | Airwall Gateways with negative policy will still be able to talk to each other via their LSI. The peer will also still show up in the UI. |
| DEV-14772 | macOS Airwall Agents | If the macOS Airwall Agent is set to "off on boot" and the computer is rebooted, DNS may not
be correctly set at startup. Workaround – Restart the agent to regain access to DNS. Stop the agent, if desired, to return to the DNS servers as given by DHCP. |
| DEV-14739 | Airwall Gateways | If you set IPv4 to DHCPv4 and set a static IP address for IPv6,
the setting that you set second doesn't get saved.
Workaround – If you need both IPv4 and IPv6, set static IP addresses for both. |
| DEV-14736 | Cellular Airwall Gateways | Cellular details may display as "unavailable" on the first boot
after you update an Airwall Gateway. The cellular connections are not affected. Workaround – Reboot the Airwall Gateway again to correctly display the cellular details. |
| DEV-14726 | Conductor | If you're viewing an Android Airwall Gateway
Ports tab and the Airwall Agent changes how it is connected to the Conductor (for example, from Wi-Fi to cellular), the display does not
update correctly. Workaround – Refresh the page. |
| DEV-14715 | macOS Airwall Agents | Big Sur ARM64 Macs are not supported in this release |
| DEV-14610 | Conductor | After changing the Reporting traffic stats reporting time, the
CPU graph will not display. Workaround – Refresh your browser page. |
| DEV-14584 | Cellular Airwall Gateways | Hot-swapping the SIM on an Airwall Gateway 110 with firmware version 2.2.11 may not work.
Workaround – Reboot the Airwall Gateway after installing a new SIM card. |
| DEV-14570 | Conductors | If you set an Airwall Agent owner to a user (LDAP, local, or OIDC) and someone attempts to user authenticate with a different OIDC user, they will not be able to authenticate (which is the correct behavior), but they see a 500 instead of a helpful error message. |
| DEV-14551 | Conductors | The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message. |
| DEV-14426 | Conductors, Airwall Gateways | Bypass destinations with a hostname do not show device activity in the Conductor. |
| DEV-14361 | Airwall Gateways | The Build new tunnels if none exist option doesn't build tunnels to peer Airwall Edge Services with IPv6-only policy. This feature currently depends on having IPv4 policy between peer Airwall Edge Services. |
| DEV-14308 | OpenHIP | Initial packets dropped while building a new tunnel to a new peer Airwall Edge Service. |
| DEV-14249 | iOS Airwall Agents | Check Secure Tunnels / Tunnel
Status may show as unavailable on iOS.
Workaround – You can determine tunnel status by checking packets sent or received. |
| DEV-14223 | Cloud-Google | Add an overlay IP to agent to talk to device behind Google Cloud Airwall Gateway 300v. |
| DEV-14218 | Airwall Gateways | NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices. |
| DEV-14045 | Android and iOS Airwall Agents | iOS does not currently support overlay ping. This feature may be implemented in a future release. |
| DEV-14015 | OpenHIP | If a relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.
Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate. |
| DEV-13970 | Cloud-Alibaba, Conductors | When you upgrade a Conductor on Alibaba Cloud, the Conductor system time gets out of sync. Workaround – Go to , click Edit Settings, then Update to resync. |
| DEV-13775 | Cloud-Azure | The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result. |
| DEV-13760 | Conductors | Device export/import does not export or import Bypass Devices. |
| DEV-13754 | Airwall Agents and Servers | The Conductor can falsely report that the Airwall Agent is offline in some cases. |
| DEV-13699 | Windows Airwall Agents and Servers | The initial ping from the Windows Airwall Agent can be misleading since it currently includes the time to
initially set up the connection. Workaround – Ping a second time to see actual ping time. |
| DEV-13650 | Conductors | SoIP device activity is not being reported on an Airwall Gateway Local Devices tab. |
| DEV-13640 | Conductors | Airwall Relay diagnostics doesn't work on a Standby Conductor. |
| DEV-13633 | Conductors | A standby Conductor shows available firmware downloads, but cannot be downloaded.
Workaround – Download firmware from the active Conductor. |
| DEV-13620 | Conductors | In , the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly. |
| DEV-13607 | Conductors, Airwall Gateways | Creating a link failover group () does not apply the settings to any port groups. This is easy to miss since you have to set the failover group on the ports page. |
| DEV-13588 | Conductors | Opening the Conductor on Internet Explorer 11 can be very slow for medium to large
deployments. Workaround – Use the latest version of Chrome, Firefox, or Edge instead. |
| DEV-13544 | Linux Airwall Servers | If no relay is configured, checking Relay probe information on the Linux Airwall Server returns an error. |
| DEV-13536 | Windows Airwall Agents and Servers | Uninstalling the Windows Airwall Agent does not remove the tun-tap driver. Workaround – Delete the driver from C:\Windows\System32\drivers\tnw-tap.sys. |
| DEV-13531 | Cloud | Automating creating Cloud HA Conductors only works with same cloud provider used for both active and
standby. For example, having both your HA Active and HA Standby Conductors in AWS. Workaround -- You can manually set up different cloud providers as HA pair Conductors. |
| DEV-13474 | Airwall Gateways | Configuring multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then creating a local device equal to the entire subnet with port affinity set may not lead to the expected result. |
| DEV-13331 | Cloud-Alibaba | Alibaba Cloud Conductor system time is incorrect. Workaround – Change the Conductor system time to browser time:
|
| DEV-13195 | Conductors, Airwall Gateways | When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become
unavailable. Workaround – Reboot and the details return. |
| DEV-13194 | Conductors | Check Connectivity / Ping Local Devices on an Airwall Gateway will fail in Internet Explorer 11 if one of the devices is
defined as a CIDR. Workaround – use one of the latest versions of Chrome, Firefox, Safari or Edge. |
| DEV-12852 | Windows Airwall Agents and Servers | Windows by default doesn't allow multiple 'active' interfaces. It
prefers ethernet over cellular whenever
possible. Workaround – Set Windows to keep
multiple interfaces open by editing the
fMinimizeConnections registry value:
|
| DEV-11710 | macOS Airwall Agents | If you change the LSI prefix on the Conductor, the macOS Airwall Agent doesn't update the routes correctly. Workaround – Close and reopen the macOS Airwall Agent. |
| DEV-10590 | Cloud | The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider. |
| DEV-10039 | Airwall Gateways | An Airwall Gateway-150 can show a "Could not detect attached switch" message intermittently. |
| DEV-9546 | Airwall Gateways, Airwall Gateway-150 | The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console. |
| DEV-9429 | Windows Airwall Agents and Servers | Updating the Overlay Device IP address for a Windows Airwall Server in the Conductor doesn't update the first time. Workaround – Open and update the address a second time. |