Release Notes 2.2.2

Release Date: October 18 , 2019

IMPORTANT: Customers using LDAP on Conductor 2.2.1

If you are using LDAP and running Conductor version 2.2.1, you must upgrade your Conductor to 2.2.2, to resolve an issue that could prevent you from logging in to the Conductor.

IMPORTANT: Migrating existing Deployments to 2.2.2

The 2.2.2 release brings a significant change to the base platform configuration and capabilities of a HIPswitch. HIPswitch versatility is dramatically increased. To achieve this, we had to give up some functional interoperability between version 2.2.2 and prior versions of HIPservices and Conductor. Also, Conductor 2.2.2 will no longer be able to manage HIPservices prior to version 2.0. While most things still work across versions 2.1.x and 2.2.2 during your upgrade, we recommend that 2.2.x deployments migrate completely as soon as possible using the following order:

If your Conductor is running a version earlier than 2.1.6, upgrade it to 2.1.6 or 2.1.7
If any HIP Services are running a version earlier than 2.1.6, upgrade them to 2.1.6 or 2.1.7
Verify that your Conductor and all HIP Services you updated in steps 1 and 2 are running 2.1.6 or later
Upgrade your Conductor to 2.2.2
Upgrade your HIP Services to 2.2.2

For more information on upgrading your Conductor to 2.1.6 from prior versions, log in to your account and select the Documentation Center link at the top-right of the page. You should review both the Release Notes 2.1.6 and Conductor and HIP Service Upgrades pages.

What’s New

Cloud Marketplace: You can now purchase a Tempered Networks cloud-based Conductor or HIPswitch directly from the Azure or Google marketplace. This greatly simplifies the purchase and deployment of Conductors and HIPswitches in your own cloud account and the setup of an independent license-ready environment.
User-Configurable LSI Prefix: You can now change the LSI prefix from 1 to another digit usage the Conductor's Advanced Global HIPservice Settings. This is useful if you have underlay network traffic that uses the 1.x.x.x range of addresses, which is routable on the Internet and prevalent in Asia-Pacific regions. You may choose any suitable prefix (routable or non-routable) given the distribution of your HIP Services globally. For details on routable traffic ranges, please see RFC 1918.
Android and iOS HIPclients Updated for 2.2: You can now manage Android and iOS HIPclients using the new 2.2 features, such as network objects.
Custom Overlay Policy with People Groups: People groups can be used with HIPclient and HIPserver authentication to create custom overlay network policies based on the user authenticating via the HIPclient or HIPserver. Tags specified in the people group will be added to a HIPclient or HIPserver, when a member of the people group authenticates and will be removed automatically once the session ends. The tags can be used in smart device groups to give the HIPclient or HIPserver custom overlay network policies.
Windows Client Multi-Factor Authentication (MFA): OpenID Connect is now integrated into the Windows HIPclient and HIPserver authentication workflow. If enabled via an OpenID Connect provider, users will be required to use MFA to gain overlay access. Other HIPclient platforms will integrate client MFA for overlay access in future releases.
HIPclient and HIPserver Authentication Session Timeouts: Administrators can now configure how long a HIPclient or HIPserver authentication session will last, either globally or specific to a HIPclient or HIPserver.
Conductor Connection Failsafe: HIPswitches now have a watchdog monitor for the Conductor connection that will force a re-connect if it determines the current connection is unresponsive or missing. This should allow HIPswitches to reconnect in more cases without requiring human intervention (e.g. manual rebooting or other diagnostic activities that can require physical access to the HIPswitch).
More Resilient HIP Tunnels: HIP tunnel processes have been improved so that when a stale tunnel is detected, which may occur after reboots or carrier failures, it is rebuilt.
More Resilient Cellular Connectivity: Under certain circumstances (signal strength, cell-tower location, interruptions), Verizon based HIPswitches would experience frequent modem resets resulting in an occasional failure to recover. This release has safeguards to ensure that cellular connectivity is restored after these episodes.
OSX HIPclient no longer supports El Capitan with 2.2.x: If you are using the mac HIPclient on El Capitan, you should not upgrade to 2.2 until you upgrade the OS.

Upgrade Considerations

We recommend that you upgrade to 2.2.2 if:


You want to use any of the following features:	You were impacted by any issues discovered in prior releases, especially if you have any of the following:
Multiple Overlays Multiple Underlays Port Groups Network Objects Automatic policy creation based on user type Ability to change the LSI for regional compatibility Windows User auth MFA	Cellular carrier connection issues Modbus GUI settings or connectivity HS-100 connectivity issues Use the 1.0.0.0/8 network address space Network capture on Conductor 500

Important: If you are using SHA-1 for the ESP transform, you should convert to SHA-256 before upgrading to 2.2.1.

Fixes


ID	Applies to	Description
DEV-11660	HIPswitch	A second serial port is now available for use with the SoIP feature. The Serial over IP (SoIP) feature was previously not functional on the HIPswitch 400 Series and virtual HIPSwitches. Starting in version 2.2.2, the second serial port is available for use with the SoIP feature.
DEV-11631	Conductor	Fixed a firewall problem causing blocked serial connections when configured to use the Modbus communications protocol
DEV-11623	Conductor	Fixed an issue causing HIPswitches upgraded from 2.1.x while in Transparent Mode to lose their underlay network configuration, preventing them from reconnecting to the Conductor.
DEV-11596	Conductor	HIP Service online/offline alert messages now report how long they have been offline/online.
DEV-11444	Conductor	Fixed an issue where IPv4 addresses in the HIPswitch certificate conflict dialog displayed incorrectly.
DEV-11397	HIPrelay	Fixed an issue specific to the Telstra mobile network that prevented a HIPservice from connecting to its peers via a HIPrelay.
DEV-11389	Conductor	Fixed an issue where setting a HIPservice attribute rule in a Smart Device Group could prevent you from modifying HIPservice fields.
DEV-11355	Conductor	Fixed an issue where Spanning Tree Protocol was automatically enabled regardless of the previous setting during a HIPswitch upgrade.
DEV-11347	Conductor	Fixed an issue where user authentication token validation could fail if a HIPservice failed over multiple times between HA-paired Conductors.
DEV-11324	HIPswitch, Cellular	Fixed an issue where a HIPSwitch-250, or HIPswitch 150 with an NL7588 type module, could take an extended period of time to register on the Verizon network.
DEV-11318	Diagnostic mode	Changing the IP address of the Conductor no longer causes diagnostic mode to lose connection with the Conductor, however settings are no longer applied immediately. Note: You are prompted to restart the Conductor to apply the new network settings.
DEV-11317	Conductor	Fixed an issue where typing in a voucher code in lowercase when provisioning a Conductor could cause errors after re-syncing with the provisioning server.
DEV-11256	Conductor	Fixed an issue where the Snort frequency and port group setting would not be set when selected for the first time.
DEV-11218	HIPclient, Android	Fixed an issue where HIPclient profile data would not be updated when the Conductor initiates a configuration change.
DEV-11184	Conductor, Hyper-V	Conductor now correctly sets the primary interface IP address to the default 192.168.56.2 on first boot.
DEV-11169	HIPswitch, Virtual	Virtual machine host time synchronization on a HIPswitch no longer produces Conductor reconnects.
DEV-11150	Conductor	The HIPswitch the customer has access to is the only one that is disabled and not the one they can not edit.
DEV-11073	Diagnostic mode	Changed the Diagnostics Port tab to display Port # instead of ETH #.
DEV-11026	BaseOS	Updated BaseOS to OpenWrt 18.06.4. The CVEs addressed by this release are listed under Security Fixesat https://openwrt.org/releases/18.06/changelog-18.06.4
DEV-10985	Conductor	Device match rules are now correctly serialized in the PCI device groups reference.
DEV-10947	Conductor	EU-north-1 region is now supported in 2.2.2.
DEV-10940	OpenHIP	TCP maximum segment size (MSS) clamping is implemented to better support traffic from clients.
DEV-10866	Conductor	Fixed an issue where you could add non-relay HIPservices to a relay HIPservice group.
DEV-10804	Conductor, PCI	The PCI log will now show details of deleted policies by default.
DEV-10803	Conductor	Fixed an issue where some PCI log entry details – including firmware updates to HIPservices -- were displayed incorrectly in the user activities report.
DEV-10796	Conductor	Improved the functionality of API index filtering and sorting.
DEV-10776	Conductor	Fixed an issue where checking if a HIPservice was online triggered a HIPservice online monitor event.
DEV-10743	Conductor	The session expired message on the login page now only displays when appropriate.
DEV-10737	Conductor	You can now toggle a users network membership off after toggling it on.
DEV-10719	Conductor	Fixed an issue where opening and closing the Conductor Proxy settings could save an empty value, causing the Conductor to fail to communicate with the license server.
DEV-10701	Conductor	The port group list in the ping/traceroute drop-down will now contain each overlay port group and a single underlay option (since it is bridged) for 2.2.x HIPservices on pre 2.2 switches.
DEV-10660	Conductor, Cloud	Improved the route injection option to eliminate additional user actions. The new behavior is as follows: Route injection deletes all routes if you: Create a new credential provider with route injection disabled Update the route injection option from enabled to disabled Delete the existing credentials with route injection enabled Route injection adds all routes if you: Create a new credential provider with route injection enabled Update a route injection from disabled to enabled Route injection will not be performed if you: Update credentials without changing the route injection option Delete existing credentials with route injection disabled
DEV-10613	Conductor	Improved sorting of the Device and Device Groups pages.
DEV-10597	Conductor	Fixed an issue where cellular graphs displayed incorrect units.
DEV-10361	Diagnostic mode	Diagnostic mode should now display "None" if no part number file is found.
DEV-10186	HIPshell	The Run mode shown under the hipsh status command now shows major operating modes first. Minor operating modes are shown in parenthesis, in gray text.
DEV-9903	Conductor, 500 Series	The Conductor 500 is now able to run packet captures.
DEV-9577	HIPclient, iOS	Fixed an issue where you needed to deny VPN requests multiple times before the correct page appeared.
DEV-9470	HIPclient, Windows	Fixed an issue where hipctl profile create did not create profiles successfully.
DEV-9088	Conductor	LDAP groups are now case-insensitive.
DEV-9043	Conductor	The Delete button no longer displays next to your own account on the People page.
DEV-8659	Conductor, 100 Series	Fixed an issue where the Conductor displayed an incorrect time for the HIPswitch 100g cellular.
DEV-5607	Conductor	Fixed bug where pushing large amounts of data through a HIPrelay caused the byte-count to appear as a negative number. The numbers now present as positive.

Known Issues


ID	Applies to	Description
DEV-11491	Conductor	Event Monitor of type HIP tunnel does not allow you to specify monitored peers. Workaround: None
DEV-10846	HIPclient, macOS	Currently, you cannot stop a packet capture once initiated from the Conductor UI for a macOS HIPclient. Workaround: Wait for the packet capture operation to terminate.
DEV-10764	HIPswitch, Cellular	When downgrading the HS-150 from 2.2.0 to 2.1.6, the cellular link LEDs may not be functional. Workaround: In order to restore LED functionality, in Conductor, change the "Underlay network" settings under the "Ports" tab. For example, adjust the priority. (Note that you may need to provide the "Access point name (APN)" since that field may appear blank, in order to successfully apply the settings.) After applying the settings, reboot the HS-150 for the Cellular LEDs to become functional again.
DEV-10703	Conductor	If a HIPswitch is factory reset, its details may not be removed from the Conductor UI. Workaround: none.
DEV-10618	Conductor	When downloading a support bundle, the dialog box contains two buttons, Download and Cancel. Cancel has the same effect as closing the dialog. Workaround: None.
DEV-10602	HIPswitch 400, HIPswitch 500	The HIPswitch 400 and HIPswitch 500 LCD menus do not support setting Conductor host names longer than 16 characters. Workaround: Configure the corresponding IP address instead.
DEV-10577	HIPshell	Currently, the hipsh console will not timeout and may become locked. Workaround: Reboot or power-cycle the HIPswitch.
DEV-10492	HIPrelay	Once a HIPrelay learns an IPv4 / IPv6 address for a peer, it will continue to use that address indefinitely for forwarding peer packets). If the peer is offline and doesn't update its address with the HIPrelay, the old or invalid address will continue have HIP control packets forwarded to it. Workaround: None
DEV-10442	Conductor	In rare cases, the Apply Firmware Updates dialog will show duplicate entries in the Upgrade Available drop-down. Workaround: None.
DEV-10404	OpenHIP	Retransmitted HIP I1 packets are only sent using one source address/destination pair. This differs from the initial I1 packets which attempt to use all source/destination address combinations. This issue occurs on multi-homed HIPswitches, with peer-auto connect turned on and relay probes off. Workaround: None.
DEV-10276	HIPclient/HIPserver, Windows	The tray application crashes repeatedly and prevents the configuration of the HIPclient or HIPserver. Workaround: Reinstall .NET to resolve the issue.
DEV-10236	Conductor	If you log in to multiple software HIP Services as the same user, the remote session for the first HIP Service will be terminated. Workaround: None.
DEV-10200	Conductor UI	Currently, users with the Network Administrator role in the Conductor can see and grant provisioning requests but are unable to view license vouchers and make top level licensing changes. Workaround: None.
DEV-10109	HIPclient, Windows	When uninstalling the HIPclient or HIPserver, the tray icon may disappear, and the application will restart. This occurs without selecting Yes or No from the dialog. Workaround: None.
DEV-10081	Conductor	When creating a Conductor certificate using the Create Conductor Certificate dialog, you must click Save. Pressing Enter will result in an error and the operation will not complete successfully. Workaround: None.
DEV-10078	Conductor	Currently, HIPswitch reporting graphs do not indicate temperatures below freezing. Workaround: None.
DEV-10047	HIPclient, macOS	he HIPclient may lose access to the macOS keychain following an update. Workaround: If this occurs, use the procedure below to resolve the issue. 1. Open the finder by pressing Command-N 2. Find the TemperedNetworksHIP application, right click it and select Show Package Contents 3. Double-click Contents 4. Double-click MacOS 5. Keep this window available, you will need it below 6. Start Keychain Access (Applications > Utilities > Keychain Access) 7. Navigate to the System keychain (on the upper left) 8. Click on Keys (on the lower left) 9. Click on the header named Kind to sort the keys 10. For each private key with the name com.temperednetworks do the following: a. Double-click the item to open it b. Click Access Control c. Enter your password d. Click the + e. Drag the tnw-hipd from the window opened earlier and drop it into the window you opened by tapping + f. Click tnw-hipd, then click Add - the window will close g. Click Save Changes h. Make a note of your username, you will need this in a moment. i. Enter your password and tap Allow j. You will be prompted to enter your username and password. Do so and close the com.temperednetworks window. Repeat step 10 for each private key named com.temperednetworks. You will have one key for each HIPclient profile you created.
DEV-9877	Conductor, Azure, wireless HIPswitch	Link Manager default settings do not work between Conductors running on Azure using the Azure Network Security Group setting and wireless HIPswitches. Workaround: You must Disable pings on active link on each Wireless HIPswitch or set an alternate active ping target (e.g. 8.8.8.8).
DEV-9808	Conductor	You must be a manager of every overlay that contains any device associated with all HIPservices in a HIP Service group, otherwise you lose the ability to make edits to that HIP Service group. There is no error message or any explanation as to why you are not allowed to make edits. Workaround: None.
DEV-9688	Conductor	The HIPswitch Limit Bandwidthsetting currently displays as bytes per second instead of bits per second. Workaround: None.
DEV-9606	HIPswitch 150 Series	When connected via serial console to a HIPswitch 150, pasting text ~35+ characters into the console requires the console to be disconnected and reconnected to restore functionality. Workaround: None.
DEV-9362	Conductor	In tag properties, if you enter a month value in the Expire tag usage field, such as 1M, it is converted to weeks and days when the change is applied. Workaround: None
DEV-8929	HIPclient, Windows	After installing a windows HIPclient using the unintended install method, the tray application does not start. Workaround: Start the application manually after installation is complete
DEV-8810	HIPswitch, Cellular	Diagnostic mode displays a drop-down menu for selecting a preferred radio access technology, however the backend does not correctly handle this setting. Workaround: None.
DEV-8806	HIPclient, HIPserver	Client authentication does not display an error message when authentication fails due to the absence of a Conductor connection. Workaround: None
DEV-8805	HIPswitch	When enabling SNAT on a HIPswitch, new connections will begin to use the overlay gateway IP address of the HIPswitch, but existing connections will not use the SNAT address until the connection is idle for the specified connection TTL or if the HIPswitch is rebooted. Workaround: Reboot the HIPswitch after enabling SNAT.
DEV-8428	Conductor, HA	The time on a standby Conductor and master conductor can become out of sync and cause missing traffic stats and health data from HIPswitches. Workaround: When failing-over an HA-paired Conductor, verify that the timestamps are the same.
DEV-8120	Conductor, Azure	In rare cases, an HIPswitch running in Azure may fail to reconnect to the Conductor after a firmware upgrade. Workaround: Restart the HIPswitch VM. Please note it can take up to 10-15 minutes to come back online.
DEV-8106	Conductor	If a device stops communicating, the Conductor UI may not reset the activity display to gray, reporting online status incorrectly. Workaround: Reload the browser.
DEV-8060	Conductor	In rare cases, a Conductor HA pair may stop syncing. Workaround: If this occurs, promote the HA-secondary to primary, then re-pair them.
DEV-7955	Conductor	Pinging an Azure-hosted HIPswitch from another HIPswitch will fail in the Conductor UI. This is due to ICMP being denied by Azure's security groups. Workaround: None
DEV-7769	HIPswitch, Google Cloud	Toggling policy too quickly on a HIPswitch running on Google Cloud can result in the route table becoming out of sync when using route injection. Workaround: After toggling policy, wait 10 seconds before toggling it again.
DEV-7735	HIPclient, HIPserver, All platforms	HIPclients and HIPservers are currently not compatible with 1.1.1.1 DNS service. Workaround: None
DEV-7499	Conductor	The bandwidth check in the HIPswitch Diagnostics tab may fail for HA-paired HIPswitches. Workaround: None.
DEV-6927	Conductor	If you place a Conductor in diagnostic mode and have a non-standard port configuration defined, it may not respond to ping commands. The diagnostic mode functionality should be otherwise unaffected. Workaround: None.
DEV-5866	HIPswitch	When configuring Wi-Fi settings in diagnostic mode, the HIPswitch may override the configuration on reboot if Wi-Fi configuration was configured in the Conductor previously. Workaround: Factory reset the HIPswitch before entering diagnostic mode.