Release Notes 2.1.4

Release Date: October 16, 2018

What's New

New in this release:

HIPclient for Android
With this release, the HIPclient is available for Android. Your Android devices can now natively connect to your IDN overlay, giving them a trusted and verifiable connection wherever you are. Multiple profiles allow you to easily switch between different IDN overlays as needed.
Improved Conductor UI Navigation
Several UI elements have been redone to improve navigation:
  • Conductor settings are now accessed from the gear icon in the upper right corner of the UI.
  • The logged in user profile, API docs, EULA, and sign-out are accessed from the user account icon in the upper right corner of the UI.
  • Item names in many lists throughout the UI now actively link to properties pages and dialogs. This greatly simplifies navigation between related elements.
Tags
Tags provide flexible asset management in the Conductor. Devices, Device Groups, HIPswitches, HIPswitch Groups, Overlay Networks, and People can be tagged directly. The Tag information dialog allows you to Navigate directly to any tagged item, perform bulk Actions (Enable, Disable, or Untag tagged items), and edit Properties. Items can be tagged permanently or until you untag them. You can also set an expiration date, which will untag a component after a configurable period of time. You can create tags from the Tags page, access from the tag icon in the upper right corner of the UI.

You can also create tags inline while modifying an item’s tag members by entering a new tag name and select colors for easy classification. Tags have been integrated into searching and filtering throughout Conductor.

Tags can be used in matching rules to greatly simplify Smart Device Groups. They can also be added to or removed from taggable items in Event Monitor Actions, which allows monitor results to affect overlay network policies. By using tags with these features, you can optimize your workflows. For example, you can create temporary network policies for specific devices, easily revoke policy directly from devices or HIPswitches without having to navigate to a network, and allow multiple admins to keep track of their assets in a single Conductor.

Relay Probes
A HIPswitch with this option selected will periodically send probe packets to all of its relays, and use the closest relay when initiating secure tunnels. This reduces the amount of network traffic used to build new tunnels, and allows auto-connect to be turned off. You can find this option in the Advanced settings section of a HIPswitch's settings page.
Conductor Diagnostics

Similar to diagnostics offered for HIPswitches, the Conductor now has a set of maintenance and diagnostic functions consolidated under the Diagnostics tab of the Settings page. These include Creation or Restoration of a DB Backup, downloading a Conductor support bundle, and viewing a Conductor diagnostic report. Network diagnostics allow you to generate a packet capture on the Conductor interface, ping, and traceroute.

Upgrade Considerations

The 2.1.4 release includes all hotfixes from prior releases and addresses all known support cases at the time of release.

Note: The Tempered Networks TERMS OF PRODUCT SALE, LICENSE AND WARRANTY has changed. The most recent version of the HIPclient for all platforms require you to accept the updated licence agreement before using the product. This applies to updates as well as new installations. For more information, see https://www.temperednetworks.com/resources/terms-of-product-sale-license-and-warranty
We recommend you upgrade to 2.1.4 if:

You want to take advantage of performance and stability increases in 2.1, especially for any of the following features:

  • Android HIPclient
  • Improved Conductor navigation
  • Tags
  • Conductor diagnostics
  • Relay probes

You were impacted by any issues discovered in prior releases, especially if you have any of the following:

  • If you experienced long UI start-up times in the browser (data management between the UI in the browser and the Conductor is more efficient).
  • Cellular connectivity and carrier selection on HIPswitch-250 models
Note: You may upgrade Conductor directly to 2.1.4 from version 1.12.6 or later. You may upgrade HIPswitches to 2.1.4 provided you are running Conductor 2.1.4.

Extensive testing was conducted both in-house and with selected development partners, in lab and in production environments to ensure that performance is equivalent to 2.1.3. Additionally, 2.1.4 should be more stable than all prior releases.

Enhancements

Component Description
Conductor, API Added a new node in the API, /api/v1/email_settings, containing methods for setting, updating, and retrieving Conductor email settings.
HIPclient, Windows The HIPclient for Windows has received the following improvements:
  • Updated the HIPclient allow for express installations, which requires only the license code and a confirmation.
  • Updated the HIPclient to allow you to set the log level in the UI.
HIPclient, macOS The HIPclient on macOS has received the following improvements:
  • Updated the HIPclient for to store the private key in the Keychain for newly created profiles.
  • Updated the HIPclient for macOS to include tnw-ctld, a launch daemon on macOS for running Tempered Networks CLI commands and monitoringtnw-hipd, the HIP service.
  • Updated the HIPclient to properly display activation code errors.
HIPclient, Windows and macOS Updated the HIPclient UI to allow you to double-click a profile in the configuration dialog to make a profile active.

Fixes

ID Component Description
DEV-8849 HIPswitch Fixed an issue on the HIPswitch 250 where using 100BASE-FX mode on port 8 could cause phantom link events.
DEV-8699 HIPclient, Linux Fixed an issue where 32-bit platforms would drop MAP connections after a certain amount of network traffic.
DEV-8221 OpenHIP Fixed an issue where changing the default UDP port under Settings > Advanced > Edit Settings > Host Identity Protocol Port in the Conductor was not respected by 2.1.3 HIPswitches.
DEV-8142 Conductor Fixed an issue where clicking Finish two times very quickly when upgrading Conductor firmware would cause the upgrade to fail.
DEV-8198 Licensing Fixed an issue where some email clients would insert additional lines in the encrypted_synced_package.json file and prevent the file from uploading to the Conductor correctly.
DEV-8120 HIPswitch, Azure Fixed an issue where in rare cases, an Azure HIPswitch may fail to reconnect to the Conductor after a firmware upgrade.
DEV-8119 Conductor Fixed an issue where a reactivated HIPclient configured with an overlay IP was listed as two devices, and you were unable to remove the overlay IP.
DEV-8067 HIPswitch Fixed an issue that caused overlay device NAT to fail if more than one device port was used, or if the port was configured as a VLAN.
DEV-8049 Conductor Fixed an issue where a network administrator may be able to view a HIPswitch group while restricted from viewing some of the HIPswitches in the group.
DEV-7962 HIPclient, Windows Fixed an issue where upon waking, a computer in sleep mode would cause the HIPservice to stop and start, taking 30-60 seconds to recover.
DEV-7959 HIPswitch 100 Fixed an issue where configuring a VLAN tag on a HIPswitch 100 would cause currently active tunnels to stop working.
DEV-7913 Conductor Fixed a UI error when creating a new Cloud HIPservice where the dialog box message would display Network create completed incorrectly when the deployment creation failed.
DEV-7814 HIPclient, Windows Fixed an issue where a user name was not retained between failed log in attempts.
DEV-6881 HIPswitch Fixed an issue where the LCD panels on the HIPswitch 500 and Conductor 500 displayed messages incorrectly.
DEV-6507 Conductor Fixed an issue where the throughput graph for a HIPservice would occasionally miss a data point and display it as a zero value.
DEV-6172 Conductor Fixed an issue where a HIPclient would incorrectly show the underlay IP as the overlay IP when it did not have an overlay IP set. They now correctly display they are NAT devices in the overlay IP column.
DEV-5448 Conductor Fixed an issue where navigating to an HA-paired secondary HIPswitch would allow you to select the Swap Roles option and cause the UI to stop responding.
DEV-5428 Conductor UI Fixed an issue where creating a Smart Device Group with Ignore auto-discovered devices until accepted checked and then removing the setting would cause the Smart Device Group to continue ignoring unaccepted devices.
DEV-5343 Conductor UI Fixed an issue where trying to log in after a session has timed out would generate the following error:

The change you wanted was rejected.

DEV-4548 HIPswitch HIPswitches now support 802.1p tagged traffic when using VLAN-tagged traffic in overlay networks.
DEV-4537 Conductor Fixed an issue where the UI would not update correctly when demoting a master Conductor to standby.

Known Issues

ID Component Description
DEV-9157 HIPclient, macOS Killing the hipctl daemon (tnw-cltd) will result in the HIPclient not functioning properly.

If you try and run any hipctl commands, the message Could not connect with Tempered Networks control process is displayed. No message is displayed when trying to make changes from the configuration UI.

Workaround: Restart the process by entering sudo launchctl start com.temperednetworks.ctld from the terminal.

DEV-9081 HIPclient, macOS (El Capitan) The HIPclient on macOS 10.11, El Capitan, does not provide the necessary cryptographic APIs to create and use a private key from the Keychain. Instead, the HIPclient for macOS will detect this case and store the private key in its own storage.

Workaround: To take advantage of the added protection using the Keychain, upgrade to macOS 10.12 (Sierra) or higher and create a new HIPclient profile.

DEV-8188 HIPswitch A HIPswitch in transparent mode will not update the version information reported in the Conductor UI. This causes upgrade issues from 1.12.x to 2.x.

Workaround: Disable transparent mode for the HIPswitch. This updates the version information. You can then perform a firmware upgrade.

DEV-8122 Conductor When creating o modifying a cloud HIPservice, the Name and Network name fields do not check for the presence of invalid characters. This will be fixed in a later release.
Workaround: Do not include
  • Uppercase characters
  • Spaces
  • Special characters, except for a dash
DEV-8097 HIPclient, macOS If your computer has multiple active NICs and you select a specific NIC in your HIPclient configuration, the operating system will choose the NIC for outbound traffic.

Workaround: None

DEV-8060 Conductor In rare cases, a Conductor HA pair will stop syncing.

Workaround: If this happens, promote the HA-secondary to a primary, then re-pair them.

DEV-8051 Conductor The IP address field on associated with a HIPswitch may be blank on the HIP Services tab.

Workaround: You can locate the IP address information under the Reporting tab.

DEV-7955 Conductor If you ping a HIPswitch running in Azure from another HIPswitch, it will fail in the Conductor UI. This is due to ICMP being denied by Azure's security groups.

Workaround: None

DEV-7814 HIPclient, Windows If user authentication fails, your user name is not retained and you must re-enter it.

Workaround: None

DEV-7769 Conductor Toggling policy on and off too quickly on a HIPswitch hosted in Google Cloud can result in the route table becoming out of sync when using route injection.

Workaround: After toggling policy, wait 10 seconds before toggling it again.

DEV-7661 Conductor When replacing a HIPswitch, the new HIPswitch may take a few minutes to reconnect and appear online in the Conductor.

Workaround: Wait a few minutes after replacing the HIPswitch for it to display in the Conductor UI.

DEV-7499 HIPswitch The bandwidth check in the HIPswitch Diagnostics tab might fail for HA-paired HIPswitches.

Workaround: None

DEV-7125 Conductor, PCI When exporting PCI data, HIP Services references may not display correctly when viewing the CSV file in Microsoft Excel.

Workaround: None

DEV-7058 HIPswitch When reconfiguring your underlay network from one physical port to another in the Conductor, the changes may not be applied successfully and the configuration will revert back to the original settings.

Workaround: Make the configuration changes in diagnostic mode.

DEV-6590 Conductor You can add a voucher code more then once from the Licensing tab. This does not create additional licenses, but is visually confusing. This will be fixed in a later release.

Workaround: None

DEV-6587 Conductor The Licensing tab may display invalid entries.

Workaround: Remove the invalid items manually.

DEV-6533 Conductor When creating or editing a smart device group, rules can have the same ordinal values. This can cause unintended issues in the processing results.

Workaround: When creating rules, verify each rule has a unique ordinal value.

DEV-6446 HIPclient, iOS When viewing traffic stats in the iOS app, the chart may show negative values instead of zero.

Workaround: None

DEV-6226 Conductor A fully qualified domain name cannot be used for local or peer replication addresses on an HA Conductor pair.

Workaround: None

DEV-6195 Conductor The Conductor incorrectly displays an option to check bandwidth for HIPclients in diagnostic view. This option is not supported for HIPclients and will not function correctly if selected.

Workaround: None

DEV-6118 AWS The Forgot my password link can send an invalid Conductor location.

Workaround: Replace the location in the link with the correct Conductor address.

DEV-5832 HIPswitch Device NAT functionality currently does not work with layer 2 traffic.

Workaround: None

DEV-5530 Conductor UI In some cases, Allow incoming pings (ICMP) and SYN Flood Protection on the Firewall page may be disabled and won't toggle.

Workaround: Refresh your browser to resolve the issue.

DEV-5430 Conductor After configuring a Conductor for the first time, you may receive a Lost connection to the original server message if you select Return to settings too quickly.

Workaround. Wait at least 20 seconds before selecting Return to settings.

DEV-5008 PCI Reporting PCI Reporting shows the UUID reference instead of the name when generating a PCI report from Settings > Advanced > PCI Reporting > Downloads > User Activities Report.

Workaround: To view names, you can download object references from the same page where you generated the PCI report.

DEV-2417 Conductor UI The password reset email link defaults to the first web enabled interface, and will be successful only if an administrator configures the first interface with a publicly-facing default route.

Workaround: None.

DEV-1846 Conductor, HA The standby Conductor UI in an HA pair will not timeout. This issue does not affect the master Conductor UI.

Workaround: Log off manually when not using the standby Conductor UI.