Release Notes v3.2.4

Release Date: May, 2023

Update Considerations

Important: This release is a combination of 3.2.3 and 3.2.4.
You may want to update to this version to use the following features:

This update addresses the following issues:

  • API bypass device creation
  • incorrect connectivity checker graph display
  • traffic disruption from multiple hostnames with same IP
  • Airsh ssh-key add command cloud failure

What's New in 3.2.4

This version of the Airwall Solution includes several usability and functionality improvements that can simplify and streamline the setup and diagnostics for an Airwall secure network.

Region Bypass

Use bypass regions to group and load-balance bypass gateways by region. A bypass region is configured by creating a region tag. Add the region tag (or tags) to one or more bypass egress gateways and to the Airwalls you want to use with the region bypass egress gateways. See Region bypass and Create a Tag.

Airwall Agent Conductor toggle

You can now toggle between Conductors in the Airwall Agent (macOS) without opening Configure box, see Connecting with an Apple (OSX and macOS) Airwall Agent.

Airwall AV3200g Installation Guide

There is now a specific installation guide for Airwall AV3200g, see Airwall Gateway AV3200g Hardware Installation Guide.

Airwall AV3033 Installation Guide

There is now a specific installation guide for Airwall AV3033, see Airwall Gateway AV3033 Hardware Installation Guide

New and Updated Help

In addition to the content added for new features linked above, here’s the new and updated content published since our last major release:

Deprecations

Deprecating system setting for Preferred Airwall agent version. This setting indicated what version of the Airwall Agent would be linked from the remote user access portal. Beginning in v3.2, only the most recent version of each Airwall Agent will be available. Customers that want to distribute older versions of the Airwall Agent can still make those available to their users.

Fixes

ID Applies to Description
DEV-18688 Conductor Fixed an issue where agile devices did not show their identifier in the device discovery dialog.
DEV-18616 TMSTAT Fixed interger overflow in displayed timer values in tmstat / airsh table output on 32 bit platforms.
DEV-18536 API, Conductor Fixed an issue that prevented creaing bypass devices via the API.
DEV-18496 Conductor Fixed an issue where using the connectivity checker swap button would display an incorrect graph.
DEV-18484 Common Upgraded zlib to 1.2.13
DEV-18478 Airwall Gateway Improve reliability with complex overlay configurations and multiple port groups, added additional heartbeats when applying policy changes after applying configuration to each port group.
DEV-18477 Airwall Gateway We fixed a bug that could disrupt traffic to DNS bypass hosts if multiple hostnames resolve to the same IP.
DEV-18405 Conductor Fixed an issue where devices might not be added to or removed from a tag-based smart device group when Airwalls are added to or removed from an Airwall group with the specified tag.
DEV-18402 Conductor Fixed a bug that could cause Airwalls to appear offline while connected to the Conductor.
DEV-18394 Conductor Fixed an issue where a user would get a misleading set of recommendations from the connectivity checker if their Airwalls could not talk directly, were in a relay rule and the relay rule contained no relays.
DEV-18385 Conductor, Airwall Gateway Fixed an issue where the ping all devices diagnostic tool did not work with agile devices.
DEV-18379 Conductor Fixed an issue where updating the global API token expiration would extend the API token expiration of users that have a more specific expiration.
DEV-18218 Conductor Fixed a bug that caused the Airsh ssh-key add command to fail on cloud Airwalls.
DEV-18113 Conductor Fixed an issue where references to revoked or factory reset Airwalls could be left in bypass gateway configuration when they shouldn't be.

Known Issues

ID Applies to Description
DEV-18144 Conductor The Connectivity Checker.
DEV-17887 Cloud, Conductor If you use unrecognized credentials when calling jobs on a cloud Airwall Gateway, the Conductor sends multiple error messages when it tries to call route injection and validate cloud attributes. Workaround -- Make sure your cloud credentials are correct and update the credentials on the "Cloud providers" page under Conductor settings.
DEV-17648 Linux Airwall Servers Many Airshell functions (including changing log level) are non-functional until you have configured and licensed your Conductor.
DEV-17263 Conductor

If you fix a conflict in a smart device group by changing the IP of one of the conflicted devices, sometimes the change in IP does not result in the device being removed from the group and the change is not propagated to the Airwall Gateway.

Workaround – Fully remove the device from the smart device group and then add it back again.

DEV-16503 macOS Airwall Agent Deleting a profile does not immediately delete the associated private key.

Workaround - After deleting a profile, switch to a different profile before creating a new profile. If you've already created the new profile, delete it, switch, and then re-create it.

DEV-16431 Conductor When specifying a port mirror destination IP address, ensure that it doesn't conflict with any of the Airwall Gateway's local device IPs
DEV-16397 Conductor If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor, or go to Settings > Diagnostics and select Restart metadata cache to update the LSI prefix.
DEV-16068 Amazon Web Services Conductor To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image.
DEV-16067 Cloud, Conductor, Airwall Gateways If you are adding a new interface to an existing cloud Airwall Gateway, you must set the source and destination check to false (see your cloud provider for the terminology they use for source and destination checks).
DEV-16059 Airwall Gateways When HA-pairing two Airwall Gateways that do not have the HA link plugged in correctly, the Conductor displays no actionable error message and the HA setup never completes.
DEV-15982 Conductor Traffic stats reporting graphs generally show a smooth curve between data points. However, over time the graph can show up with sharper angles. The data is still correct, but this is a known issue with the graphing library used by the Conductor.
DEV-15945 Airwall Gateways If you configure port mirroring using a remote destination local device, GRE/ERSPAN traffic from remote Airwall Gateways will arrive with a source IP in the LSI prefix (defaults to 1.0.0.0/8).
DEV-15923 Airwall Gateways When you run Check secure tunnels on a v3.0 Airwall Gateway, the check falsely reports a bad tunnel status for any peer airwall running a firmware version that is v2.2.8 or lower.
DEV-15887 Airwall Gateways You cannot currently add VLAN interfaces to the Ruggedcom platform.
DEV-15808 Google Cloud Airwall Gateways Google Cloud Airwall Gateways with the same VM name have the same device serial number, which can result in a failure when you make a license request in the Conductor.

Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways.

DEV-15791 AIrwall Gateway On the Airwall Gateway 100, Port 2 might be inactive after a factory-reset.

Workaround - After a factory reset, manually reboot the Airwall Gateway 100.

DEV-15705 iOS, Android Airwall Agent Establishing a tunnel TO a mobile Airwall Agent (iOS or Android) fails when there is no Airwall Relay involved.

Workaround - Establish the tunnel FROM the mobile Airwall Agent.

DEV-15572 Airwall Gateways If you do not specify a gateway in the DHCP server configuration, the DHCP client cannot configure a default gateway.

Workaround – Unless you want to configure a single isolated subnet, always specify a gateway. For example, a subnet for networked PDUs that should not have any outside connectivity aside from remote access through an Airwall Gateway, and used in conjunction with SNAT over the overlay port group. See DHCP server is not serving as a gateway.

DEV-15489 Windows Airwall Agent Windows 7 sends an extra Windows system popup when the Windows Airwall Agent UserAuth prompt appears. You can safely ignore this popup.
DEV-15357 macOS Airwall Agent If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to the Conductor.

Workaround - Restart the Airwall Agent or reapply the update.

DEV-15302 macOS Airwall Agent The profile for a macOS Airwall Agent does not work correctly when restored to a new computer using Time Machine.

Workaround - Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one.

DEV-15219 Cellular 110g Airwall Gateways The Airwall Gateway 110g does not work on the Bell Mobility (Canada) cellular provider because they require the use of a http/https proxy.
DEV-15031 Airwall Gateways Remote syslog over TLS doesn't work when using keys stored in TPM.
DEV-14860 Conductor Airwall Gateways on older firmware (pre v2.2.0) may send passively-discovered device events to the Conductor even when the feature is off.
DEV-14835 Conductor Airwall Gateway 150 serial numbers look like exponentiated numbers to Windows Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number.
DEV-14736 Cellular Airwall Gateways Cellular details may display as "unavailable" on the first boot after you update anAirwall Gateway. The cellular connections are not affected.

Workaround – Reboot the Airwall Gateway again to correctly display the cellular details.

DEV-14726 Conductor If you are viewing an Android Airwall Agent Ports tab and the Airwall Agent changes how it is connected to the Conductor (for example, from WiFi to cellular), the display does not update correctly.

Workaround – Refresh the page.

DEV-14610 Conductor After changing the Reporting traffic stats reporting time, the CPU graph does not display.

Workaround – Refresh your browser page.

DEV-14584 Cellular Airwall Gateways Hot-swapping the SIM on an Airwall Gateway 110 with firmware version v2.2.11 may not work.

Workaround – Reboot the Airwall Gateway after installing a new SIM card.

DEV-14551 Conductor The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message.
DEV-14426 Conductor, Airwall Gateways Bypass destinations with a hostname do not show device activity in the Conductor.
DEV-14308 OpenHIP Initial packets are dropped while building a new tunnel to a new peer Airwall Gateway.
DEV-14223 Google Cloud Add an overlay IP to agent in order to talk to device behind Google 300v.
DEV-14218 Airwall Gateways NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices.
DEV-14015 OpenHIP If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.

Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate.

DEV-13775 Azure Cloud Airwall Gateways The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result.
DEV-13650 Conductor SoIP device activity is not being reported on an Airwall Gateway Local Devices tab.
DEV-13640 Conductor Airwall Relay diagnostics do not work on a Standby Conductor.
DEV-13633 Conductor A standby Conductor shows available firmware downloads, but they cannot be downloaded.

Workaround – Download firmware from the active Conductor.

DEV-13620 Conductor In Airwall > Ports > Failover settings, the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly.
DEV-13607 Conductor, Airwall Gateways Creating a link failover group (Airwall > Ports > Failover settings) does not apply the settings to any port groups. You must also assign the failover group to port groups on the Ports page.
DEV-13588 Conductor Opening the Conductor on Internet Explorer 11 can be very slow for medium to large deployments.

Workaround – Use the latest version of Chrome, Firefox, or Edge instead.

DEV-13536 Windows Airwall Agent When you uninstall the Windows Airwall Agent, it does not remove the tun-tap driver.

Workaround - Delete the driver from C:\Windows\System32\drivers\tnw-tap.sys.

DEV-13531 Cloud Conductor Automatically creating Cloud HA Conductors only works if you use the same cloud provider for both active and standby Conductors. For example, AWS HA Active and AWS HA Standby.

Workaround – You can manually set up different cloud providers as HA pair Conductors.

DEV-13474 Airwall Gateways If you configure multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then create a local device equal to the entire subnet with port affinity set, it may not lead to the expected result.
DEV-13331 Alibaba Cloud Airwall Gateways The Alibaba Cloud Conductor system time is incorrect.

Workaround – Change the Conductor system time to browser time: In Conductor Settings, under System time, select Edit Settings, select Set browser time, and then select Update Settings.

DEV-13195 Conductor, Airwall Gateways When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become "Unavailable."

Workaround – Reboot and the details return.

DEV-13194 Conductor Check Connectivity > Ping Local Devices for an Airwall Gateway fails in Internet Explorer 11 if one of the devices is defined as a CIDR.

Workaround – Use one of the latest versions of Chrome, Firefox, Safari or Edge.

12852 Windows Airwall Agent Windows by default doesn't allow multiple 'active' interfaces. It prefers ethernet over cellular whenever possible.

Workaround - Set Windows to keep multiple interfaces open by editing the fMinimizeConnections registry value:

  1. Hold the Windows Key and Press R.
  2. In the run dialog, type regedit and click OK.
  3. Navigate to the following path in Registry Editor: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\4
  4. See if the GroupPolicy subkey exists. If not with, WcmSvc highlighted, right click on WcmSvc and Choose New > Key and name it GroupPolicy.
  5. Right-click GroupPolicy and choose New > DWORD (32-bit) > Create value.
  6. Name the value "fMinimizeConnections," and select OK. (The value should be 0, or false).
  7. Reboot and test.
DEV-10590 Cloud Airwall Gateways The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider.
DEV-10039 Airwall Gateways An Airwall Gateway-150 can show "could not detect attached switch" intermittently.
DEV-9546 Airwall Gateways, Airwall Gateways 150 The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console.
DEV-9429 Windows Airwall Agent When you update the Overlay Device IP address for a Windows Airwall Server in the Conductor, it doesn't always update the first time.

Workaround - Open and update the address a second time.