Release Notes 2.2.2

Release Date: October 18, 2019

IMPORTANT: Customers using LDAP on Conductor 2.2.1

If you are using LDAP and running Conductor version 2.2.1, you must upgrade your Conductor to 2.2.2, to resolve an issue that could prevent you from logging in to the Conductor.

IMPORTANT: Migrating existing Deployments to 2.2.2

The 2.2.2 release brings a significant change to the base platform configuration and capabilities of a HIPswitch. HIPswitch versatility is dramatically increased. To achieve this, we had to give up some functional interoperability between version 2.2.2 and prior versions of HIPservices and Conductor. Also, Conductor 2.2.2 will no longer be able to manage HIPservices prior to version 2.0. While most things still work across versions 2.1.x and 2.2.2 during your upgrade, we recommend that 2.2.x deployments migrate completely as soon as possible using the following order:
  1. If your Conductor is running a version earlier than 2.1.6, upgrade it to 2.1.6 or 2.1.7
  2. If any HIP Services are running a version earlier than 2.1.6, upgrade them to 2.1.6 or 2.1.7
  3. Verify that your Conductor and all HIP Services you updated in steps 1 and 2 are running 2.1.6 or later
  4. Upgrade your Conductor to 2.2.2
  5. Upgrade your HIP Services to 2.2.2

For more information on upgrading your Conductor to 2.1.6 from prior versions, log in to your account and select the Documentation Center link at the top-right of the page. You should review both the Release Notes 2.1.6 and Conductor and HIP Service Upgrades pages.

What’s New

Cloud Marketplace
You can now purchase a Tempered Networks cloud-based Conductor or HIPswitch directly from the Azure or Google marketplace. This greatly simplifies the purchase and deployment of Conductors and HIPswitches in your own cloud account and the setup of an independent license-ready environment.
User-Configurable LSI Prefix
You can now change the LSI prefix from 1 to another digit using the Conductor's Advanced Global HIPservice Settings. This is useful if you have underlay network traffic that uses the 1.x.x.x range of addresses, which is routable on the Internet and prevalent in Asia-Pacific regions; an LSI range that overlaps real underlay addresses conflicts with that traffic. You may choose any suitable prefix (routable or non-routable) given the distribution of your HIP Services globally. For the private (non-routable) address ranges, see RFC 1918.
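As an added example, not part of these release notes or of the Conductor itself, the following Python script checks candidate LSI prefixes against the underlay networks of a deployment and reports overlaps, which is the condition the configurable prefix exists to avoid. The underlay list is constructed sample data; the rule that the LSI prefix is the leading octet of a /8 follows from the text above (the default of 1 gives 1.x.x.x), and rejecting 0, 127 and 224 and above is this example's own assumption.

```python
import ipaddress

# Constructed sample data: the underlay networks of a deployment, as you would
# collect them from each HIPswitch's underlay port settings. Not exported from
# any real Conductor.
SAMPLE_UNDERLAYS = [
    "1.2.3.0/24",      # APAC site on publicly routable 1.x.x.x space
    "10.20.0.0/16",    # RFC 1918 corporate LAN
    "172.31.0.0/20",   # RFC 1918 (172.16.0.0/12) cloud VPC
    "203.0.113.0/24",  # public range on the WAN side of a branch
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lsi_network(prefix):
    """Return the /8 implied by an LSI prefix (the leading octet).

    Assumption of this example: 0 (this network), 127 (loopback) and 224 and
    above (multicast/reserved) are rejected because hosts will not treat them
    as ordinary unicast destinations.
    """
    if not 1 <= prefix <= 223 or prefix == 127:
        raise ValueError(f"{prefix} is not usable as an LSI prefix")
    return ipaddress.ip_network(f"{prefix}.0.0.0/8")


def lsi_conflicts(prefix, underlays):
    """Underlay networks that overlap the LSI range for this prefix.

    Any overlap is a conflict: an address in the overlapping range is both a
    real underlay destination and an LSI that should be carried over the
    HIP tunnel.
    """
    lsi = lsi_network(prefix)
    return [str(n) for n in map(ipaddress.ip_network, underlays)
            if n.overlaps(lsi)]


def overlaps_rfc1918(prefix):
    """True if the LSI /8 touches any RFC 1918 private range."""
    lsi = lsi_network(prefix)
    return any(lsi.overlaps(n) for n in RFC1918)


def usable_prefixes(underlays, candidates=range(1, 224)):
    """Candidate prefixes whose /8 overlaps none of the underlay networks."""
    return [p for p in candidates
            if p != 127 and not lsi_conflicts(p, underlays)]


if __name__ == "__main__":
    for prefix in (1, 10, 172, 2):
        clashes = lsi_conflicts(prefix, SAMPLE_UNDERLAYS)
        scope = "private (RFC 1918)" if overlaps_rfc1918(prefix) else "routable"
        print(f"LSI prefix {prefix:3d} ({scope}): "
              + (", ".join(clashes) if clashes else "no underlay overlap"))
    print("usable prefixes:", usable_prefixes(SAMPLE_UNDERLAYS)[:10])
```

Run it against your own underlay list before changing the prefix in the Conductor; a prefix that shows no overlap today can still collide with a site added later, so re-run the check whenever a new underlay range is introduced.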
Android and iOS HIPclients Updated for 2.2
You can now manage Android and iOS HIPclients using the new 2.2 features, such as network objects.
Custom Overlay Policy with People Groups
People groups can be used with HIPclient and HIPserver authentication to create custom overlay network policies based on the user authenticating via the HIPclient or HIPserver. Tags specified in the people group are added to the HIPclient or HIPserver when a member of the people group authenticates, and are removed automatically once the session ends. The tags can be used in smart device groups to give the HIPclient or HIPserver custom overlay network policies.
Windows Client Multi-Factor Authentication (MFA)
OpenID Connect is now integrated into the Windows HIPclient and HIPserver authentication workflow. If enabled via an OpenID Connect provider, users will be required to use MFA to gain overlay access. Other HIPclient platforms will integrate client MFA for overlay access in future releases.
HIPclient and HIPserver Authentication Session Timeouts
Administrators can now configure how long a HIPclient or HIPserver authentication session will last, either globally or specific to a HIPclient or HIPserver.
Conductor Connection Failsafe
HIPswitches now have a watchdog monitor for the Conductor connection that will force a re-connect if it determines the current connection is unresponsive or missing. This should allow HIPswitches to reconnect in more cases without requiring human intervention (e.g. manual rebooting or other diagnostic activities that can require physical access to the HIPswitch).
More Resilient HIP Tunnels
HIP tunnel processes have been improved so that when a stale tunnel is detected, which may occur after reboots or carrier failures, it is rebuilt.
More Resilient Cellular Connectivity
Under certain circumstances (signal strength, cell-tower location, interruptions), Verizon-based HIPswitches would experience frequent modem resets and occasionally fail to recover. This release adds safeguards to ensure that cellular connectivity is restored after these episodes.
macOS HIPclient no longer supports El Capitan with 2.2.x
If you are using the macOS HIPclient on El Capitan (OS X 10.11), do not upgrade the HIPclient to 2.2 until you have upgraded the OS.

Upgrade Considerations

We recommend that you upgrade to 2.2.2 if:

You want to use any of the following features, or you were impacted by issues discovered in prior releases, especially if your deployment involves any of the following:
  • Multiple Overlays
  • Multiple Underlays
  • Port Groups
  • Network Objects
  • Automatic policy creation based on user type
  • Ability to change the LSI for regional compatibility
  • Windows User auth MFA
  • Cellular carrier connection issues
  • Modbus GUI settings or connectivity
  • HS-100 connectivity issues
  • Use the 1.0.0.0/8 network address space
  • Network capture on Conductor 500
Important: If you are using SHA-1 for the ESP transform (integrity algorithm), convert to SHA-256 before upgrading to 2.2.1 or later.

Fixes

ID | Applies to | Description
DEV-11660 | HIPswitch | The Serial over IP (SoIP) feature was previously not functional on the HIPswitch 400 Series and virtual HIPswitches. Starting in version 2.2.2, a second serial port is available for use with SoIP.
DEV-11631 | Conductor | Fixed a firewall problem that blocked serial connections configured to use the Modbus communications protocol.
DEV-11623 | Conductor | Fixed an issue causing HIPswitches upgraded from 2.1.x while in Transparent Mode to lose their underlay network configuration, preventing them from reconnecting to the Conductor.
DEV-11596 | Conductor | HIP Service online/offline alert messages now report how long the HIP Service has been offline or online.
DEV-11444 | Conductor | Fixed an issue where IPv4 addresses in the HIPswitch certificate conflict dialog displayed incorrectly.
DEV-11397 | HIPrelay | Fixed an issue specific to the Telstra mobile network that prevented a HIPservice from connecting to its peers via a HIPrelay.
DEV-11389 | Conductor | Fixed an issue where setting a HIPservice attribute rule in a Smart Device Group could prevent you from modifying HIPservice fields.
DEV-11355 | Conductor | Fixed an issue where Spanning Tree Protocol was automatically enabled during a HIPswitch upgrade, regardless of the previous setting.
DEV-11347 | Conductor | Fixed an issue where user authentication token validation could fail if a HIPservice failed over multiple times between HA-paired Conductors.
DEV-11324 | HIPswitch, Cellular | Fixed an issue where a HIPswitch 250, or a HIPswitch 150 with an NL7588 type module, could take an extended period of time to register on the Verizon network.
DEV-11318 | Diagnostic mode | Changing the IP address of the Conductor no longer causes diagnostic mode to lose its connection with the Conductor; however, the new settings are no longer applied immediately. Note: You are prompted to restart the Conductor to apply the new network settings.
DEV-11317 | Conductor | Fixed an issue where typing a voucher code in lowercase when provisioning a Conductor could cause errors after re-syncing with the provisioning server.
DEV-11256 | Conductor | Fixed an issue where the Snort frequency and port group settings would not be set when selected for the first time.
DEV-11218 | HIPclient, Android | Fixed an issue where HIPclient profile data would not be updated when the Conductor initiated a configuration change.
DEV-11184 | Conductor, Hyper-V | The Conductor now correctly sets the primary interface IP address to the default 192.168.56.2 on first boot.
DEV-11169 | HIPswitch, Virtual | Virtual machine host time synchronization on a HIPswitch no longer causes Conductor reconnects.
DEV-11150 | Conductor | Only the HIPswitch the customer has access to is disabled, not the one they cannot edit.
DEV-11073 | Diagnostic mode | Changed the Diagnostics Port tab to display Port # instead of ETH #.
DEV-11026 | BaseOS | Updated BaseOS to OpenWrt 18.06.4. The CVEs addressed by this release are listed under Security Fixes at https://openwrt.org/releases/18.06/changelog-18.06.4
DEV-10985 | Conductor | Device match rules are now correctly serialized in the PCI device groups reference.
DEV-10947 | Conductor | The AWS eu-north-1 region is now supported in 2.2.2.
DEV-10940 | OpenHIP | TCP maximum segment size (MSS) clamping is now implemented so that TCP segments fit within the tunnel path MTU, better supporting traffic from clients.
DEV-10866 | Conductor | Fixed an issue where you could add non-relay HIPservices to a relay HIPservice group.
DEV-10804 | Conductor, PCI | The PCI log now shows details of deleted policies by default.
DEV-10803 | Conductor | Fixed an issue where some PCI log entry details, including firmware updates to HIPservices, were displayed incorrectly in the user activities report.
DEV-10796 | Conductor | Improved the functionality of API index filtering and sorting.
DEV-10776 | Conductor | Fixed an issue where checking whether a HIPservice was online triggered a HIPservice online monitor event.
DEV-10743 | Conductor | The session expired message on the login page now displays only when appropriate.
DEV-10737 | Conductor | You can now toggle a user's network membership off after toggling it on.
DEV-10719 | Conductor | Fixed an issue where opening and closing the Conductor Proxy settings could save an empty value, causing the Conductor to fail to communicate with the license server.
DEV-10701 | Conductor | The port group list in the ping/traceroute drop-down now contains each overlay port group and a single underlay option (since the underlay is bridged) for 2.2.x HIPservices on pre-2.2 switches.
DEV-10660 | Conductor, Cloud | Improved the route injection option so that no additional user actions are required. The new behavior is as follows:

Route injection deletes all routes if you:
  • Create a new credential provider with route injection disabled
  • Update the route injection option from enabled to disabled
  • Delete the existing credentials with route injection enabled
Route injection adds all routes if you:
  • Create a new credential provider with route injection enabled
  • Update the route injection option from disabled to enabled
Route injection will not be performed if you:
  • Update credentials without changing the route injection option
  • Delete existing credentials with route injection disabled
DEV-10613 | Conductor | Improved sorting of the Device and Device Groups pages.
DEV-10597 | Conductor | Fixed an issue where cellular graphs displayed incorrect units.
DEV-10361 | Diagnostic mode | Diagnostic mode now displays "None" if no part number file is found.
DEV-10186 | HIPshell | The Run mode shown under the hipsh status command now shows major operating modes first. Minor operating modes are shown in parentheses, in gray text.
DEV-9903 | Conductor, 500 Series | The Conductor 500 is now able to run packet captures.
DEV-9577 | HIPclient, iOS | Fixed an issue where you needed to deny VPN requests multiple times before the correct page appeared.
DEV-9470 | HIPclient, Windows | Fixed an issue where hipctl profile create did not create profiles successfully.
DEV-9088 | Conductor | LDAP group names are now matched case-insensitively.
DEV-9043 | Conductor | The Delete button no longer displays next to your own account on the People page.
DEV-8659 | Conductor, 100 Series | Fixed an issue where the Conductor displayed an incorrect time for the HIPswitch 100g cellular.
DEV-5607 | Conductor | Fixed a bug where pushing large amounts of data through a HIPrelay caused the byte count to appear as a negative number. The numbers now display as positive.

Known Issues

ID Applies to Description
DEV-11491 Conductor

Event Monitor of type HIP tunnel does not allow you to specify monitored peers.

Workaround: None

DEV-10846 HIPclient, macOS

Currently, you cannot stop a packet capture once initiated from the Conductor UI for a macOS HIPclient.

Workaround: Wait for the packet capture operation to terminate.

DEV-10764 HIPswitch, Cellular

When downgrading the HS-150 from 2.2.0 to 2.1.6, the cellular link LEDs may not be functional.

Workaround: To restore LED functionality, change the "Underlay network" settings under the "Ports" tab in the Conductor, for example by adjusting the priority. (You may need to supply the "Access point name (APN)", since that field may appear blank, for the settings to apply successfully.) After applying the settings, reboot the HS-150 for the cellular LEDs to become functional again.

DEV-10703 Conductor

If a HIPswitch is factory reset, its details may not be removed from the Conductor UI.

Workaround: None.

DEV-10618 Conductor

When downloading a support bundle, the dialog box contains two buttons, Download and Cancel. Cancel has the same effect as closing the dialog.

Workaround: None.

DEV-10602 HIPswitch 400, HIPswitch 500

The HIPswitch 400 and HIPswitch 500 LCD menus do not support setting Conductor host names longer than 16 characters.

Workaround: Configure the corresponding IP address instead.

DEV-10577 HIPshell

Currently, the hipsh console will not timeout and may become locked.

Workaround: Reboot or power-cycle the HIPswitch.

DEV-10492 HIPrelay

Once a HIPrelay learns an IPv4/IPv6 address for a peer, it will continue to use that address indefinitely for forwarding peer packets. If the peer goes offline and does not update its address with the HIPrelay, HIP control packets will continue to be forwarded to the old or invalid address.

Workaround: None

DEV-10442 Conductor

In rare cases, the Apply Firmware Updates dialog will show duplicate entries in the Upgrade Available drop-down.

Workaround: None.

DEV-10404 OpenHIP

Retransmitted HIP I1 packets are only sent using one source address/destination pair. This differs from the initial I1 packets which attempt to use all source/destination address combinations.

This issue occurs on multi-homed HIPswitches, with peer-auto connect turned on and relay probes off.

Workaround: None.

DEV-10276 HIPclient/HIPserver, Windows

The tray application crashes repeatedly and prevents the configuration of the HIPclient or HIPserver.

Workaround: Reinstall .NET to resolve the issue.

DEV-10236 Conductor

If you log in to multiple software HIP Services as the same user, the remote session for the first HIP Service will be terminated.

Workaround: None.

DEV-10200 Conductor UI

Currently, users with the Network Administrator role in the Conductor can see and grant provisioning requests but are unable to view license vouchers and make top level licensing changes.

Workaround: None.

DEV-10109 HIPclient, Windows

When uninstalling the HIPclient or HIPserver, the tray icon may disappear and the application may restart without your having selected Yes or No in the dialog.

Workaround: None.

DEV-10081 Conductor

When creating a Conductor certificate using the Create Conductor Certificate dialog, you must click Save. Pressing Enter will result in an error and the operation will not complete successfully.

Workaround: None.

DEV-10078 Conductor

Currently, HIPswitch reporting graphs do not indicate temperatures below freezing.

Workaround: None.

DEV-10047 HIPclient, macOS

The HIPclient may lose access to the macOS keychain following an update.

Workaround: If this occurs, use the procedure below to resolve the issue.

1. Open a new Finder window by pressing Command-N in the Finder

2. Find the TemperedNetworksHIP application, right click it and select Show Package Contents

3. Double-click Contents

4. Double-click MacOS

5. Keep this window available, you will need it below

6. Start Keychain Access (Applications > Utilities > Keychain Access)

7. Navigate to the System keychain (on the upper left)

8. Click on Keys (on the lower left)

9. Click on the header named Kind to sort the keys

10. For each private key with the name com.temperednetworks do the following:

a. Double-click the item to open it

b. Click Access Control

c. Enter your password

d. Click the +

e. Drag tnw-hipd from the window you opened earlier and drop it into the window opened by clicking +

f. Click tnw-hipd, then click Add - the window will close

g. Click Save Changes

h. Make a note of your username, you will need this in a moment.

i. Enter your password and click Allow

j. You will be prompted to enter your username and password. Do so and close the com.temperednetworks window.

Repeat step 10 for each private key named com.temperednetworks. You will have one key for each HIPclient profile you created.

DEV-9877 Conductor, Azure, wireless HIPswitch

Link Manager default settings do not work between Conductors running on Azure using the Azure Network Security Group setting and wireless HIPswitches.

Workaround: You must disable pings on the active link on each wireless HIPswitch, or set an alternate active ping target (e.g. 8.8.8.8).

DEV-9808 Conductor

You must be a manager of every overlay that contains any device associated with all HIPservices in a HIP Service group, otherwise you lose the ability to make edits to that HIP Service group. There is no error message or any explanation as to why you are not allowed to make edits.

Workaround: None.

DEV-9688 Conductor

The HIPswitch Limit Bandwidth setting currently displays as bytes per second instead of bits per second.

Workaround: None.

DEV-9606 HIPswitch 150 Series

When connected via serial console to a HIPswitch 150, pasting text ~35+ characters into the console requires the console to be disconnected and reconnected to restore functionality.

Workaround: None.

DEV-9362 Conductor

In tag properties, if you enter a month value in the Expire tag usage field, such as 1M, it is converted to weeks and days when the change is applied.

Workaround: None

DEV-8929 HIPclient, Windows

After installing a Windows HIPclient using the unattended install method, the tray application does not start.

Workaround: Start the application manually after installation is complete

DEV-8810 HIPswitch, Cellular

Diagnostic mode displays a drop-down menu for selecting a preferred radio access technology, however the backend does not correctly handle this setting.

Workaround: None.

DEV-8806 HIPclient, HIPserver

Client authentication does not display an error message when authentication fails due to the absence of a Conductor connection.

Workaround: None

DEV-8805 HIPswitch

When enabling SNAT on a HIPswitch, new connections will begin to use the overlay gateway IP address of the HIPswitch, but existing connections will not use the SNAT address until the connection is idle for the specified connection TTL or if the HIPswitch is rebooted.

Workaround: Reboot the HIPswitch after enabling SNAT.

DEV-8428 Conductor, HA

The time on a standby Conductor and the master Conductor can become out of sync, causing missing traffic stats and health data from HIPswitches.

Workaround: When failing-over an HA-paired Conductor, verify that the timestamps are the same.

DEV-8120 Conductor, Azure

In rare cases, a HIPswitch running in Azure may fail to reconnect to the Conductor after a firmware upgrade.

Workaround: Restart the HIPswitch VM. Please note it can take up to 10-15 minutes to come back online.

DEV-8106 Conductor

If a device stops communicating, the Conductor UI may not reset the activity display to gray, reporting online status incorrectly.

Workaround: Reload the browser.

DEV-8060 Conductor

In rare cases, a Conductor HA pair may stop syncing.

Workaround: If this occurs, promote the HA-secondary to primary, then re-pair them.

DEV-7955 Conductor

Pinging an Azure-hosted HIPswitch from another HIPswitch will fail in the Conductor UI. This is due to ICMP being denied by Azure's security groups.

Workaround: None

DEV-7769 HIPswitch, Google Cloud

Toggling policy too quickly on a HIPswitch running on Google Cloud can result in the route table becoming out of sync when using route injection.

Workaround: After toggling policy, wait 10 seconds before toggling it again.

DEV-7735 HIPclient, HIPserver, All platforms

HIPclients and HIPservers are currently not compatible with 1.1.1.1 DNS service.

Workaround: None

DEV-7499 Conductor

The bandwidth check in the HIPswitch Diagnostics tab may fail for HA-paired HIPswitches.

Workaround: None.

DEV-6927 Conductor

If you place a Conductor in diagnostic mode and have a non-standard port configuration defined, it may not respond to ping commands. The diagnostic mode functionality should be otherwise unaffected.

Workaround: None.

DEV-5866 HIPswitch

When configuring Wi-Fi settings in diagnostic mode, the HIPswitch may override the configuration on reboot if Wi-Fi was previously configured in the Conductor.

Workaround: Factory reset the HIPswitch before entering diagnostic mode.