Release Notes 2.1.5

Release Date: December 13, 2018

What's New

New in this release:

FIPS
Tempered Networks now offers FIPS 140-2, based on the HIPswitch 500 and Conductor 500 platforms. With FIPS, private keys are stored on the FIPS-certified HSM (hardware security module). The HSM performs all cryptographic operations. For this added key security, performance may be noticeably slower in terms of data plane throughput and firmware update processing. Redundant HA FIPS is not supported at this time.
Improved time management
NTP sync is now configurable from the Conductor. Various improvements have been made to ensure HIPswitch time is closely synchronized with the Conductor, eliminating time-drift.
Note: We recommend pointing your HIP-enabled servers and clients to the same NTP Time source to ensure proper synchronization.
HIPswitch 75w Series
We now offer the HIPswitch 75 Series with a built-in WiFi module. Software version 2.1.5 does not currently provide WiFi LED status on the outside of the unit, but the WiFi uplink functions correctly. This will be addressed in a future release.
HIPswitch 150e Series
We now offer the HIPswitch 150e base platform, suitable for ICS and SCADA environments and includes 4x Gig-E and 1x SFP port, 1x micro-USB console port, and can be powered by PoE or external single- or dual-power supply. The HIPswitch 150 can sustain 75 Mb/s, and burst up to 100 Mb/s. This new platform supports field-upgradeable expansion modules.
HIPswitch 150 Series cellular module

This release supports a cellular expansion module suitable for North American cell carriers, which accepts 3FF Micro SIM cards. ATT, Verizon, T-Mobile, Rogers, and Telus have been field-tested at the time of this release.

HIPswitch 250 Series single- and dual-modem automated recovery
We added an internal watchdog monitor for cell carrier uplink connections. If a HIPswitch cannot connect to Conductor via any means, then occasionally (approx. once per day) it will perform a full reset, which may re-establish the carrier connection in certain environments. This will only occur when the HIPswitch 250 has no means of reaching the Conductor or peer HIPswitches.
HIPrelay bandwidth reporting
It is now possible to view the bandwidth of relayed connections between HIP Services in Conductor! An extra tab will appear in Conductor at HIPservice > Reporting > HIPrelay Stats for each HIPrelay. These statistics provide visibility into your network utilization with full-color, layered bandwidth graphs. They are also useful for troubleshooting underlay network relayed connection issues.
Service-specific CPU and memory reporting
For 2.1.5 and above, your HIP Services will report resource utilization more granularly, and you will be able to see this diagnostic information in the HIPservice > Reporting > Graphs.
Headless install for Windows HIPclient and HIPserver
You can now perform non-interactive installations of the Windows 7 HIPclient or HIPserver using Microsoft’s System Center Configuration Manager (SCCM). Previous releases required manual acknowledgment by an administrator to complete the installation of an unsigned network tap (TAP) driver on Windows. We have patched the driver and obtained Microsoft certification, so this step is no longer necessary.
Tags public API
All basic tagging capabilities released in software version 2.1.4 are exposed in the public API. This includes the ability to index the tags, set or unset tags on taggable objects, such as devices, device groups, HIP Services, HIPservice groups, networks, and people. You can manage tags, retrieve various objects by tag, manage tag expirations, and perform other tag-based actions on several taggable objects at once. Advanced tag management, such as using tags in smart device group rules, or managing monitor event-actions that manipulate tags, will be added in a future release.
Custom CA alerts & public API
Though technically possible, it was difficult to use a non-Tempered CA at scale with your Conductor and HIP Services. Prior releases required you to manually copy/paste each CSR and cert from the Conductor GUI. Now you can automate the process using new public API calls. This enables a scriptable, scalable Conductor-centric workflow. Also, an admin alert is created in Conductor when custom CA certs are near expiration.

Upgrade Considerations

The 2.1.5 release includes all hotfixes from prior releases and addresses all known support cases at the time of release.

We recommend you upgrade to 2.1.5 if:
You want to take advantage of performance and stability increases in 2.1.5, or use any of the following features: You were impacted by any issues discovered in prior releases, especially if you have any of the following:
  • Relay bandwidth reporting
  • HIPswitch 75w
  • HIPswitch 150e
  • HIPswitch 250gd carrier monitoring
  • Windows SCCM HIPclient installs
  • Public API for Tags or Custom CA
  • Time drift issues with Conductor or HIP Services
  • Cell carrier connection flapping
  • Issues switching cell carriers (e.g. changing SIM cards) on the HIPswitch 250
  • Issues with SFP ports on the HIPswitch 250
  • DHCP configuration on the overlay network
  • Problems setting one-arm mode on any multi-port HIPswitch
  • Event monitor permissions / usability problems
  • Difficult to detect misconfiguration problems pairing HA HIPswitches
Note: You may upgrade Conductor directly to 2.1.5 from version 1.12.6 or later. You may upgrade HIPswitches to 2.1.5 provided you are running Conductor 2.1.5.

Extensive testing was conducted both in-house and with selected development partners, in lab and in production environments to ensure that performance is equivalent to 2.1.4. Additionally, 2.1.5 should be more stable than all prior releases.

Fixes

ID Component Description
DEV-9462 HIPswitch Fixed an issue with the HIPswitch 250g where ports 1, 2, and/or 7 are non-functional following an upgrade from 2.1.3 to 2.1.4, if the 100M SFP PHY setting is in use. (Otherwise it is reverting to the default of 1000M mode.)
DEV-9461 HIPswitch Fixed an issue where port 8 on the HIPswitch 250 would not reestablish a link after a soft reboot.
DEV-9430 Conductor The PKI tab now only displays on models that support the feature. Previously, the PKI tab was visible in the Conductor UI for HIPclients and HIPservers.
DEV-9378 HIPswitch-Cellular Fixed an issue where cellular modems in the HIPswitch 150 and HIPswitch 250 were not properly initialized.
DEV-9370 Conductor Fixed an issue where Conductor-initiated port configurations would fail.
DEV-9353 Conductor All users allowed to view an alert monitor can now receive alerts for that monitor.
DEV-9333 Conductor Fixed an issue where a standby Conductor in an HA pair would not display the Diagnostics tab.
DEV-9287 Conductor Fixed an issue where Conductors running software version 2.1.4 sent an incorrect DHCP server configuration data to HIPswitches running versions prior to 2.1.4.
DEV-9263 HIPswitch-Cellular Fixed an issue where a HIPswitch 250 with a cellular modem may show abnormally high CPU usage.
DEV-9246 Conductor Attempting to delete a HIPclient or HIPserver from the Devicespage no longer returns a permission denied error.
DEV-9244 HIPclient, iOS The Conductor now correctly reports the version of the connected iOS HIPclient.
DEV-9239 Conductor The Event Monitors view no longer prevents the Conductor UI from timing out.
DEV-9152 HIPswitch The Conductor now rejects configuration changes that would add a 0.0.0.0 wildcard device to an overlay network if the network also has a 0.0.0.0/0 route on one of the connected HIP Services.
DEV-9149 HIPclient, Windows The Windows HIPclient and HIPserver now report errors in the correct format.
DEV-9136 HIPserver, Linux Fixed an issue where hipctl on Linux would not report an error when trying to reset the active profile.
DEV-9120 Conductor API Improved the API filter and sort parameters. Sending a parameter that is not supported results in a more actionable message.
DEV-9112 Conductor Fixed an issue where a PCI user activity report would not contain firmware upload information.
DEV-9106 HIPclient, iOS Mobile devices running iOS now failover from wireless to cellular correctly.
DEV-9053 HIPswitch HIPswitch HA configurations now verify the HA floating IP address is in range of the shared network IP address, and will display an error in the Conductor UI if it is not.

Known Issues

ID Component Description
DEV-9887 HIPswitch 150 When applying power to a HIPswitch 150 while the microUSB console port is connected to a computer, the HIPSwitch-150 fails to enable power to the expansion bay.

Workaround: Ensure your HIPswitch is connected to a power source prior to connecting to the console port.

DEV-9875 OpenHIP When the Conductor's time is changed backwards by a large amount, such as enabling NTP on the Conductor for the first time, all connected HIPswitches will adjust their time accordingly and result in HIPswitches being unable to establish tunnels with other HIPswitches.

Workaround: Reboot your connected HIPswitches whenever you make large time adjustments to the Conductor.

DEV-9477 Conductor

The Health Data tab displays 28 lines with a link at the bottom stating +438 more. Clicking on the link does not expand the list

Workaround: None

DEV-9397 Conductor

Factory resetting a Conductor that's in an HA-pair doesn't work correctly the first time.

Workaround: Factory reset the Conductor a second time to resolve the issue.

DEV-9382 Conductor

Attempting to install a non-Azure firmware package in an Azure instance will produce an error message stating <inserv form image>.

Workaround: None

DEV-9157 HIPclient, macOS Killing the hipctl daemon (tnw-cltd) will result in the HIPclient not functioning properly.

If you try and run any hipctl commands, the message Could not connect with Tempered Networks control process is displayed. No message is displayed when trying to make changes from the configuration UI.

Workaround: Restart the process by entering sudo launchctl start com.temperednetworks.ctld from a terminal.

DEV-8097 HIPclient, macOS If your computer has multiple active NICs and you select a specific NIC in your HIPclient configuration, the operating system will choose the NIC for outbound traffic.Workaround: None
DEV-8060 Conductor

In rare cases, a Conductor HA pair will stop syncing.

Workaround: If this happens, promote the HA-secondary to a primary, then re-pair them.

DEV-8051 Conductor The IP address field on associated with a HIPswitch may be blank on the HIP Services tab.Workaround: You can locate the IP address information under the Reporting tab.
DEV-7955 Conductor

If you ping a HIPswitch running in Azure from another HIPswitch, it will fail in the Conductor UI. This is due to ICMP being denied by Azure's security groups.

Workaround: None

DEV-7769 Conductor

Toggling policy on and off too quickly on a HIPswitch hosted in Google Cloud can result in the route table becoming out of sync when using route injection.

Workaround: After toggling policy, wait 10 seconds before toggling it again.

DEV-7661 Conductor

When replacing a HIPswitch, the new HIPswitch may take a few minutes to reconnect and appear online in the Conductor.

Workaround: Wait a few minutes after replacing the HIPswitch for it to display in the Conductor UI.

DEV-7499 HIPswitch The bandwidth check in the HIPswitch Diagnostics tab might fail for HA-paired HIPswitches.

Workaround: None

DEV-7125 Conductor, PCI

When exporting PCI data, HIP Services references may not display correctly when viewing the CSV file in Microsoft Excel.

Workaround: None

DEV-7058 HIPswitch

When reconfiguring your underlay network from one physical port to another in the Conductor, the changes may not be applied successfully and the configuration will revert back to the original settings.

Workaround: Make the configuration changes in diagnostic mode.

DEV-6590 Conductor You can add a voucher code more then once from the Licensing tab. This does not create additional licenses, but is visually confusing.Workaround: None
DEV-6587 Conductor The Licensing tab may display invalid entries.Workaround: Remove the invalid items manually.
DEV-6533 Conductor

When creating or editing a smart device group, rules can have the same ordinal values. This can cause unintended issues in the processing results.

Workaround: When creating rules, verify each rule has a unique ordinal value.

DEV-6446 HIPclient, iOS

When viewing traffic stats in the iOS app, the chart may show negative values instead of zero.

Workaround: None

DEV-6226 Conductor

A fully qualified domain name cannot be used for local or peer replication addresses on an HA Conductor pair.

Workaround: None

DEV-6195 Conductor

The Conductor incorrectly displays an option to check bandwidth for HIPclients in diagnostic view. This option is not supported for HIPclients and will not function correctly if selected.

Workaround: None

DEV-5832 HIPswitch

Device NAT functionality currently does not work with layer 2 traffic.

Workaround: None

DEV-5530 Conductor UI In some cases, Allow incoming pings (ICMP)and SYN Flood Protection on the Firewall page may be disabled and won't toggle.

Workaround: Refresh your browser to resolve the issue.

DEV-5430 Conductor After configuring a Conductor for the first time, you may receive a Lost connection to the original server message if you select Return to settings too quickly.

Workaround. Wait at least 20 seconds before selecting Return to settings.

DEV-5008 PCI Reporting PCI Reporting shows the UUID reference instead of the name when generating a PCI report from Settings > Advanced > PCI Reporting > Downloads > User Activities Report.

Workaround: To view names, you can download object references from the same page where you generated the PCI report.

DEV-1846 Conductor, HA

The standby Conductor UI in an HA pair will not timeout. This issue does not affect the master Conductor UI.

Workaround: Log off manually when not using the standby Conductor UI.