Release Notes 2.1.5
Release Date: December 13, 2018
What's New
New in this release:
- FIPS
- Tempered Networks now offers FIPS 140-2, based on the HIPswitch 500 and Conductor 500 platforms. With FIPS, private keys are stored on the FIPS-certified HSM (hardware security module). The HSM performs all cryptographic operations. For this added key security, performance may be noticeably slower in terms of data plane throughput and firmware update processing. Redundant HA FIPS is not supported at this time.
- Improved time management
- NTP sync is now configurable from the Conductor. Various improvements have been made to ensure HIPswitch time is closely synchronized with the Conductor, eliminating time-drift. Note: We recommend pointing your HIP-enabled servers and clients to the same NTP time source to ensure proper synchronization.
- HIPswitch 75w Series
- We now offer the HIPswitch 75 Series with a built-in WiFi module. Software version 2.1.5 does not currently provide WiFi LED status on the outside of the unit, but the WiFi uplink functions correctly. This will be addressed in a future release.
- HIPswitch 150e Series
- We now offer the HIPswitch 150e base platform, suitable for ICS and SCADA environments. It includes 4x Gig-E ports, 1x SFP port, and 1x micro-USB console port, and can be powered by PoE or an external single- or dual-power supply. The HIPswitch 150 can sustain 75 Mb/s and burst up to 100 Mb/s. This new platform supports field-upgradeable expansion modules.
- HIPswitch 150 Series cellular module
- This release supports a cellular expansion module suitable for North American cell carriers, which accepts 3FF Micro SIM cards. ATT, Verizon, T-Mobile, Rogers, and Telus have been field-tested at the time of this release.
- HIPswitch 250 Series single- and dual-modem automated recovery
- We added an internal watchdog monitor for cell carrier uplink connections. If a HIPswitch cannot connect to Conductor via any means, then occasionally (approx. once per day) it will perform a full reset, which may re-establish the carrier connection in certain environments. This will only occur when the HIPswitch 250 has no means of reaching the Conductor or peer HIPswitches.
- HIPrelay bandwidth reporting
- It is now possible to view the bandwidth of relayed connections between HIP Services in Conductor! An extra tab will appear in Conductor at for each HIPrelay. These statistics provide visibility into your network utilization with full-color, layered bandwidth graphs. They are also useful for troubleshooting underlay network relayed connection issues.
- Service-specific CPU and memory reporting
- For 2.1.5 and above, your HIP Services will report resource utilization more granularly, and you will be able to see this diagnostic information in the .
- Headless install for Windows HIPclient and HIPserver
- You can now perform non-interactive installations of the Windows 7 HIPclient or HIPserver using Microsoft’s System Center Configuration Manager (SCCM). Previous releases required manual acknowledgment by an administrator to complete the installation of an unsigned network tap (TAP) driver on Windows. We have patched the driver and obtained Microsoft certification, so this step is no longer necessary.
- Tags public API
- All basic tagging capabilities released in software version 2.1.4 are exposed in the public API. This includes the ability to index the tags, set or unset tags on taggable objects, such as devices, device groups, HIP Services, HIPservice groups, networks, and people. You can manage tags, retrieve various objects by tag, manage tag expirations, and perform other tag-based actions on several taggable objects at once. Advanced tag management, such as using tags in smart device group rules, or managing monitor event-actions that manipulate tags, will be added in a future release.
- Custom CA alerts & public API
- Though technically possible, it was difficult to use a non-Tempered CA at scale with your Conductor and HIP Services. Prior releases required you to manually copy/paste each CSR and cert from the Conductor GUI. Now you can automate the process using new public API calls. This enables a scriptable, scalable Conductor-centric workflow. Also, an admin alert is created in Conductor when custom CA certs are near expiration.
Upgrade Considerations
The 2.1.5 release includes all hotfixes from prior releases and addresses all known support cases at the time of release.
We recommend you upgrade to 2.1.5 if:
- You want to take advantage of performance and stability increases in 2.1.5, or use any of the following features:
- You were impacted by any issues discovered in prior releases, especially if you have any of the following:
Extensive testing was conducted both in-house and with selected development partners, in lab and in production environments to ensure that performance is equivalent to 2.1.4. Additionally, 2.1.5 should be more stable than all prior releases.
Fixes
ID | Component | Description |
---|---|---|
DEV-9462 | HIPswitch | Fixed an issue with the HIPswitch 250g where ports 1, 2, and/or 7 are non-functional following an upgrade from 2.1.3 to 2.1.4, if the 100M SFP PHY setting is in use. (Otherwise it is reverting to the default of 1000M mode.) |
DEV-9461 | HIPswitch | Fixed an issue where port 8 on the HIPswitch 250 would not reestablish a link after a soft reboot. |
DEV-9430 | Conductor | The PKI tab now only displays on models that support the feature. Previously, the PKI tab was visible in the Conductor UI for HIPclients and HIPservers. |
DEV-9378 | HIPswitch-Cellular | Fixed an issue where cellular modems in the HIPswitch 150 and HIPswitch 250 were not properly initialized. |
DEV-9370 | Conductor | Fixed an issue where Conductor-initiated port configurations would fail. |
DEV-9353 | Conductor | All users allowed to view an alert monitor can now receive alerts for that monitor. |
DEV-9333 | Conductor | Fixed an issue where a standby Conductor in an HA pair would not display the Diagnostics tab. |
DEV-9287 | Conductor | Fixed an issue where Conductors running software version 2.1.4 sent incorrect DHCP server configuration data to HIPswitches running versions prior to 2.1.4. |
DEV-9263 | HIPswitch-Cellular | Fixed an issue where a HIPswitch 250 with a cellular modem may show abnormally high CPU usage. |
DEV-9246 | Conductor | Attempting to delete a HIPclient or HIPserver from the Devices page no longer returns a permission denied error. |
DEV-9244 | HIPclient, iOS | The Conductor now correctly reports the version of the connected iOS HIPclient. |
DEV-9239 | Conductor | The Event Monitors view no longer prevents the Conductor UI from timing out. |
DEV-9152 | HIPswitch | The Conductor now rejects configuration changes that would add a 0.0.0.0 wildcard device to an overlay network if the network also has a 0.0.0.0/0 route on one of the connected HIP Services. |
DEV-9149 | HIPclient, Windows | The Windows HIPclient and HIPserver now report errors in the correct format. |
DEV-9136 | HIPserver, Linux | Fixed an issue where hipctl on Linux would not report an error when trying to reset the active profile. |
DEV-9120 | Conductor API | Improved the API filter and sort parameters. Sending a parameter that is not supported results in a more actionable message. |
DEV-9112 | Conductor | Fixed an issue where a PCI user activity report would not contain firmware upload information. |
DEV-9106 | HIPclient, iOS | Mobile devices running iOS now fail over from wireless to cellular correctly. |
DEV-9053 | HIPswitch | HIPswitch HA configurations now verify the HA floating IP address is in range of the shared network IP address, and will display an error in the Conductor UI if it is not. |
Known Issues
ID | Component | Description |
---|---|---|
DEV-9887 | HIPswitch 150 | When applying power to a HIPswitch 150 while the microUSB console port is connected to a computer, the HIPswitch 150 fails to enable power to the expansion bay. Workaround: Ensure your HIPswitch is connected to a power source prior to connecting to the console port. |
DEV-9875 | OpenHIP | When the Conductor's time is changed backwards by a large amount, such as when enabling NTP on the Conductor for the first time, all connected HIPswitches adjust their time accordingly, which results in HIPswitches being unable to establish tunnels with other HIPswitches. Workaround: Reboot your connected HIPswitches whenever you make large time adjustments to the Conductor. |
DEV-9477 | Conductor | The Health Data tab displays 28 lines with a link at the bottom stating +438 more. Clicking on the link does not expand the list. Workaround: None |
DEV-9397 | Conductor | Factory resetting a Conductor that's in an HA-pair doesn't work correctly the first time. Workaround: Factory reset the Conductor a second time to resolve the issue. |
DEV-9382 | Conductor | Attempting to install a non-Azure firmware package in an Azure instance will produce an error message stating <inserv form image>. Workaround: None |
DEV-9157 | HIPclient, macOS | Killing the hipctl daemon (tnw-cltd) will result in the HIPclient not functioning properly. If you try to run any hipctl commands, the message Could not connect with Tempered Networks control process is displayed. No message is displayed when trying to make changes from the configuration UI. Workaround: Restart the process by entering sudo launchctl start com.temperednetworks.ctld from a terminal. |
DEV-8097 | HIPclient, macOS | If your computer has multiple active NICs and you select a specific NIC in your HIPclient configuration, the operating system will choose the NIC for outbound traffic. Workaround: None |
DEV-8060 | Conductor | In rare cases, a Conductor HA pair will stop syncing. Workaround: If this happens, promote the HA-secondary to a primary, then re-pair them. |
DEV-8051 | Conductor | The IP address field associated with a HIPswitch may be blank on the HIP Services tab. Workaround: You can locate the IP address information under the Reporting tab. |
DEV-7955 | Conductor | If you ping a HIPswitch running in Azure from another HIPswitch, it will fail in the Conductor UI. This is due to ICMP being denied by Azure's security groups. Workaround: None |
DEV-7769 | Conductor | Toggling policy on and off too quickly on a HIPswitch hosted in Google Cloud can result in the route table becoming out of sync when using route injection. Workaround: After toggling policy, wait 10 seconds before toggling it again. |
DEV-7661 | Conductor | When replacing a HIPswitch, the new HIPswitch may take a few minutes to reconnect and appear online in the Conductor. Workaround: Wait a few minutes after replacing the HIPswitch for it to display in the Conductor UI. |
DEV-7499 | HIPswitch | The bandwidth check in the HIPswitch Diagnostics tab might fail for HA-paired HIPswitches. Workaround: None |
DEV-7125 | Conductor, PCI | When exporting PCI data, HIP Services references may not display correctly when viewing the CSV file in Microsoft Excel. Workaround: None |
DEV-7058 | HIPswitch | When reconfiguring your underlay network from one physical port to another in the Conductor, the changes may not be applied successfully and the configuration will revert back to the original settings. Workaround: Make the configuration changes in diagnostic mode. |
DEV-6590 | Conductor | You can add a voucher code more than once from the Licensing tab. This does not create additional licenses, but is visually confusing. Workaround: None |
DEV-6587 | Conductor | The Licensing tab may display invalid entries. Workaround: Remove the invalid items manually. |
DEV-6533 | Conductor | When creating or editing a smart device group, rules can have the same ordinal values. This can cause unintended issues in the processing results. Workaround: When creating rules, verify each rule has a unique ordinal value. |
DEV-6446 | HIPclient, iOS | When viewing traffic stats in the iOS app, the chart may show negative values instead of zero. Workaround: None |
DEV-6226 | Conductor | A fully qualified domain name cannot be used for local or peer replication addresses on an HA Conductor pair. Workaround: None |
DEV-6195 | Conductor | The Conductor incorrectly displays an option to check bandwidth for HIPclients in diagnostic view. This option is not supported for HIPclients and will not function correctly if selected. Workaround: None |
DEV-5832 | HIPswitch | Device NAT functionality currently does not work with layer 2 traffic. Workaround: None |
DEV-5530 | Conductor UI | In some cases, Allow incoming pings (ICMP) and SYN Flood Protection on the Firewall page may be disabled and won't toggle. Workaround: Refresh your browser to resolve the issue. |
DEV-5430 | Conductor | After configuring a Conductor for the first time, you may receive a Lost connection to the original server message if you select Return to settings too quickly. Workaround: Wait at least 20 seconds before selecting Return to settings. |
DEV-5008 | PCI Reporting | PCI Reporting shows the UUID reference instead of the name when generating a PCI report from . Workaround: To view names, you can download object references from the same page where you generated the PCI report. |
DEV-1846 | Conductor, HA | The standby Conductor UI in an HA pair will not time out. This issue does not affect the master Conductor UI. Workaround: Log off manually when not using the standby Conductor UI. |