Release Notes 2.1.7

Release Date: November 11, 2019

Tempered Networks has released 2.1.7 which is intended to be the last of the 2.1.x releases. This release addresses, exclusively, maintenance and stability issues for the Conductor & HIPswitch and provides enhanced security.

What's New

New in this release:

Upgrade HIPswitch and Conductor to OpenSSL 1.1: OpenSSL 1.0 goes out of support at the end of 2019. This is a proactive upgrade to the new version of the library.
Conductor Connection Failsafe: HIPswitches now have a watchdog monitor for the Conductor connection that will force a re-connect if it determines the current connection is unresponsive or missing. This should allow HIPswitches to reconnect in more cases without requiring human intervention (e.g., manual rebooting or other diagnostic activities that can require physical access to the HIPswitch).

Conductor database consistency checker: Conductors now periodically check for and repair data consistency issues. This improves the reliability of the system and should allow more issues to be resolved without human intervention.

Upgrade Considerations

The 2.1.7 release includes all hotfixes from prior releases and addresses all known support cases at the time of release.

You may upgrade HIPswitches to 2.1.7 provided you are running Conductor 2.1.7.


We recommend you upgrade to 2.1.7 if:
You want to take advantage of performance and stability increases in 2.1.7, or use any of the following features:	You were impacted by any issues discovered in prior releases, especially if you have any of the following:
If you have a HS that must remain on 2.1.x but work through a multi-homed 2.2.x relay.	HS-100 intermittently failing to execute diagnostic commands, or appearing to upgrade but not installing the upgrade. Have intermittent issues with HS-150 cell modems Need to use the HTTP GET monitor and point it at arbitrary IP addresses Need HS-500 to not have ports 3/4, 5/6 go into hardware bypass when the unit is powered off

Note: You may upgrade Conductor directly to 2.1.7 from version 1.12.6 or later. You may upgrade HIPswitches to 2.1.7 provided you are running Conductor 2.1.7.

Extensive testing was conducted both in-house and with selected development partners, in lab and in production environments to ensure that performance is equivalent to 2.1.6. Additionally, 2.1.7 should be more stable than all prior releases.

Fixes


ID	Component	Description
DEV-11908	Conductor	Fixed an issue where viewing a HIPservice group in Diagnostic mode now refreshes the list of available HIPservices, correctly.
DEV-11863	HIPswitch-Cellular	A HIPswitch now connects via a newly installed Cell Module, when the new Cellular Module is installed after a firmware downgrade.
DEV-11182	Cloud-Azure	Microsoft Azure now supports ICMP. You are able to add ICMP rules to the Conductor and HIPswitch security groups.
DEV-11756	HIPswitch	For the HIPswitch-500 and Conductor-500 platforms: Fixed an issue where the hardware LAN bypass feature was turned on during power off. Ports 1-2, 3-4, 5-6, 7-8 were bypassed (physically connected together) when the system was powered off.
DEV-11478	HIPswitch	Fixed a bug with the Conductor-HIPswitch Time Synchronization and added a Watchdog functionality for the Conductor connection on HIPswitches.
DEV-11305	Cellular modem	Improved USB driver reliability, so Cellular Modems reliably recover from Modem Firmware crashes.
DEV-11194	Conductor	This issue is fixed where Factory resetting a HIPswitch would sometimes delete Event Monitors targeted at Device Groups or HIPservice Groups.
DEV-11047	Conductor	Added a Warning Dialog to the Conductor upgrade process if the customer has HIPswitches which are not compatible with 2.2.x.
DEV-10822	HIPswitch	Fixed a bug where entering leading zeros, in the VLAN tag input fields on the Ports Configuration page, could the HIPswitch to be unable to function.
DEV-10770	HIPswitch-Cellular	When downgrading a HIPswitch-150 from 2.2.0 to 2.1.6 the cellular link, LEDs are now functional.
DEV-10723	Conductor	Fixed a bug where tags were removed from HIPswitches when performing Diagnostic actions.
DEV-10696	HIPswitch	Relay probes will now probe all published addresses for a Multi-homed 2.2.x Relay. The 2.1.7 HS itself still does not support multi-homing, so probes only originate from one preferred (IPv4 or IPv6) address.
DEV-10588	Conductor	When creating a Monitor action that is an HTTP Action (HTTP GET), the URL field now allows for both the Host names and IP address.
DEV-10560	Conductor	Fixed a bug that could prevent customers from saving Overlay DHCP settings.
DEV-10390	HIPswitch-Cellular	Improved the functionality on the HIPswitch-150 and correctly applies power to the Expansion Bay on boot-up, even when the USB console cable has been connected, prior to applying main system power.
DEV-10203	HIPswitch	Fixed an issue where the default Underlay Fail-safe (reboot) settings did not get applied correctly.
DEV-10159	HIPswitch	Updated the HS-150 platform to allow multiple Underlay Interfaces (wired and cellular) to HA-pair.
DEV-9953	Conductor	A check is in place to prevent a customer from adding a HIPSwitch’s Underlay IP address as a device IP for itself.
DEV-9949	HIPswitch-Cellular	Enabled modem statistics collection for HIPswitch-150 with an MC7430 modem installed.
DEV-9876	OpenHIP	Fixed an issue where broadcast/multicast packets being sent on a busy HIPswitch, having many tunnels (e.g., hub with many spokes), causes the HIPswitch to crash and restart.
DEV-9830	HS100	You can now reboot a HIPSwitch from both Diagnostic Mode and the Command Line.
DEV-9829	HIPswitch	Diagnostic Mode now displays None, when there is no Part Number file.
DEV-9800	Conductor	The HIPswitch displays the tags correctly, when you toggle between Transparent Mode and Protected Mode.
DEV-9524	HIPswitch	Fixed a bug that caused Diagnostic Device pings to fail on HIPservices after an HA fail-over.
DEV-9939	Conductor	Fixed a bug where opening and closing the Conductor Proxy settings will not save blank values.

Known Issues


ID	Component	Description
DEV-11350	HIPapp	UserAuth sometimes does not work with 2.1.6 HIPswitches. Workaround: None
DEV-11095	HIPapp-Android	Android HIPclient 2.1.6 is not able to pass traffic with another HIPclient with User Authentication feature enabled. Workaround: Upgrade Android HIPclient to 2.2.1 or later.
DEV-11196	HIPswitch	HTTP GET monitor does not work as expected.Workaround: HTTP GET monitor on a 2.1.6 HS with a 2.1.7 Conductor will not work. Please upgrade the HS to 2.1.7.
DEV-11047	Conductor	A 2.1.6 Conductor with map1 HS is not blocked from upgrading to 2.2. Workaround: None
DEV-10638	HIPswitch	CLONE (2.1.7) - Health data is sent when it is disabled in the Conductor. Workaround: None
DEV-9813	Conductor	The Route Notice check does bit check the currently configured routes. Workaround: The UI warns that you need an Overlay Gateway Address even though one is already configured.
DEV-9779	Conductor	Using the mvebu image as an example, it lists the 250 variants before the 150 variants. The x86 image is fine. Workaround: The list of platforms supported on a build image should list them in numerical order
DEV-9761	Conductor	The Conductor net/net utility incorrectly allows the setting of two (2) default routes. Workaround: Set only one (1) default route and then apply static routes via the Setup page, under Conductor UI General Settings,.
DEV-9782	HIPclient, all platforms	HIPclient chooses an incorrect interface and cannot establish a connection with devices behind a HIPswitch running on the Google Cloud Platform (GCP). It has to do with having multiple active interfaces. Workaround: In the HIPclient configuration, select your desired network interface instead of allowing the HIPclient to automatically choose an interface.
DEV-9697	Conductor	Removing the Conductor HA does not remove the standby Conductor's address from the HIPswitch Conductor search list on HIPswitches running versions previous to 2.0. Workaround: De-configuring Conductor HA does not remove the Standby Conductor's address from the HIPswitch Conductor search list on HIPswitch versions older than v2.0. Customer should upgrade to 2.1x.
DEV-9397	Conductor	If you perform a factory reset on a Conductor that's in HA-mode, the database gets into a bad state and Postgres won't start. Note that a second factory reset fixes the issue. Workaround: Factory resetting a Conductor that's in an HA-pair doesn't work correctly the first time. To fix this, a second factory reset is required.
DEV-9200	HIPswitch	When attempting firmware upgrades get failure messages. Workaround: The first attempt to upgrade fails, reboot the HS and upgrade again. (this clears out old /tmp files)
DEV-9166	HIPswitch, Cloud	When route injection is enabled, a HIPswitch protected subnet must contain only one HIPswitch. Additionally, any custom routes added to the route table are deleted when route injection is enabled. Workaround: If you want to deploy multiple HIPswitches in the same protected subnet or keep your custom routes, disable route injection.
DEV-9125	HIPswitch	101g: Ping peer HIPswitches pings wrong Underlay IP. Workaround: On Mac and Linux HIPapp, if your computer has multiple active NICs and you select a specific NIC in HIPapp configuration, it instead lets the operating system chose the NIC for outbound traffic.
DEV-8097	HIPclient, macOS	If your computer has multiple active NICs and you select a specific NIC in your HIPclient configuration, the operating system will choose the NIC for outbound traffic. Workaround: None
DEV-8060	Conductor	In rare cases, the Conductor HA pair will stop syncing. Workaround: If this happens, promote the HA-secondary to a primary, then re-pair them.
DEV-8051	Conductor	The IP address field on associated with a HIPswitch may be blank on the HIPservices tab. Workaround: You can locate the IP address information under the Reporting tab.
DEV-7769	Conductor	Toggling policy on and off too quickly on a HIPswitch hosted in Google Cloud can result in the Route Table becoming out of sync when using route injection. Workaround: After toggling policy, wait 10 seconds before toggling it again.
DEV-7058	HIPswitch	When reconfiguring your Underlay network from one physical port to another in the Conductor, the changes may not be applied successfully and the configuration will revert back to the original settings. Workaround: Make the configuration changes in diagnostic mode.
DEV-6590	Conductor	You can add a voucher code more then once from the Licensing tab. This does not create additional licenses, but is visually confusing. Workaround: None
DEV-6587	Conductor	The Licensing tab may display invalid entries. Workaround: Remove the invalid items manually.
DEV-6533	Conductor	When creating or editing a smart device group, rules can have the same ordinal values. This can cause unintended issues in the processing results. Workaround: When creating rules, verify each rule has a unique ordinal value.
DEV-6226	Conductor	A fully qualified Domain name cannot be used for local or peer replication addresses on an HA Conductor pair. Workaround: FQDN for Local or Peer Replication address on an HA Conductor pair can be used ONLY IF the reverse lookup yields the same FQDN
DEV-5832	HIPswitch	Device NAT functionality currently does not work with layer two (2) traffic. Workaround: None
DEV-5530	Conductor UI	In some cases, allow incoming pings (ICMP) and SYN Flood Protection on the Firewall page may be disabled and won't toggle. Workaround: Refresh your browser to resolve the issue.
DEV-5430	Conductor	After configuring the Conductor for the first time, you may receive a Lost Connection to the original server message if you select Return to settings too quickly. Workaround. Wait at least 20 seconds before selecting Return to settings.
DEV-5008	PCI Reporting	PCI Reporting shows the UUID reference instead of the name when generating a PCI report from Settings > Advanced > PCI Reporting > Downloads > User Activities Report. Workaround: To view names, you can download object references from the same page where you generated the PCI report.