Release Notes 2.1.7

Release Date: November 11, 2019

Tempered Networks has released 2.1.7 which is intended to be the last of the 2.1.x releases. This release addresses, exclusively, maintenance and stability issues for the Conductor & HIPswitch and provides enhanced security.

What's New

New in this release:

Upgrade HIPswitch and Conductor to OpenSSL 1.1

OpenSSL 1.0 goes out of support at the end of 2019. This is a proactive upgrade to the new version of the library.

Conductor Connection Failsafe
HIPswitches now have a watchdog monitor for the Conductor connection that will force a re-connect if it determines the current connection is unresponsive or missing. This should allow HIPswitches to reconnect in more cases without requiring human intervention (e.g., manual rebooting or other diagnostic activities that can require physical access to the HIPswitch).
Conductor database consistency checker
Conductors now periodically check for and repair data consistency issues. This improves the reliability of the system and should allow more issues to be resolved without human intervention.

Upgrade Considerations

The 2.1.7 release includes all hotfixes from prior releases and addresses all known support cases at the time of release.

You may upgrade HIPswitches to 2.1.7 provided you are running Conductor 2.1.7.

We recommend you upgrade to 2.1.7 if:
You want to take advantage of performance and stability increases in 2.1.7, or use any of the following features: You were impacted by any issues discovered in prior releases, especially if you have any of the following:
  • If you have a HS that must remain on 2.1.x but work through a multi-homed 2.2.x relay.
  • HS-100 intermittently failing to execute diagnostic commands, or appearing to upgrade but not installing the upgrade.
  • Have intermittent issues with HS-150 cell modems
  • Need to use the HTTP GET monitor and point it at arbitrary IP addresses
  • Need HS-500 to not have ports 3/4, 5/6 go into hardware bypass when the unit is powered off
Note: You may upgrade Conductor directly to 2.1.7 from version 1.12.6 or later. You may upgrade HIPswitches to 2.1.7 provided you are running Conductor 2.1.7.

Extensive testing was conducted both in-house and with selected development partners, in lab and in production environments to ensure that performance is equivalent to 2.1.6. Additionally, 2.1.7 should be more stable than all prior releases.

Fixes

ID Component Description
DEV-11908 Conductor Fixed an issue where viewing a HIPservice group in Diagnostic mode now refreshes the list of available HIPservices, correctly.
DEV-11863 HIPswitch-Cellular A HIPswitch now connects via a newly installed Cell Module, when the new Cellular Module is installed after a firmware downgrade.
DEV-11182 Cloud-Azure Microsoft Azure now supports ICMP. You are able to add ICMP rules to the Conductor and HIPswitch security groups.
DEV-11756 HIPswitch For the HIPswitch-500 and Conductor-500 platforms: Fixed an issue where the hardware LAN bypass feature was turned on during power off. Ports 1-2, 3-4, 5-6, 7-8 were bypassed (physically connected together) when the system was powered off.
DEV-11478 HIPswitch Fixed a bug with the Conductor-HIPswitch Time Synchronization and added a Watchdog functionality for the Conductor connection on HIPswitches.
DEV-11305 Cellular modem Improved USB driver reliability, so Cellular Modems reliably recover from Modem Firmware crashes.
DEV-11194 Conductor This issue is fixed where Factory resetting a HIPswitch would sometimes delete Event Monitors targeted at Device Groups or HIPservice Groups.
DEV-11047 Conductor Added a Warning Dialog to the Conductor upgrade process if the customer has HIPswitches which are not compatible with 2.2.x.
DEV-10822 HIPswitch Fixed a bug where entering leading zeros, in the VLAN tag input fields on the Ports Configuration page, could the HIPswitch to be unable to function.
DEV-10770 HIPswitch-Cellular When downgrading a HIPswitch-150 from 2.2.0 to 2.1.6 the cellular link, LEDs are now functional.
DEV-10723 Conductor Fixed a bug where tags were removed from HIPswitches when performing Diagnostic actions.
DEV-10696 HIPswitch Relay probes will now probe all published addresses for a Multi-homed 2.2.x Relay. The 2.1.7 HS itself still does not support multi-homing, so probes only originate from one preferred (IPv4 or IPv6) address.
DEV-10588 Conductor When creating a Monitor action that is an HTTP Action (HTTP GET), the URL field now allows for both the Host names and IP address.
DEV-10560 Conductor Fixed a bug that could prevent customers from saving Overlay DHCP settings.
DEV-10390 HIPswitch-Cellular Improved the functionality on the HIPswitch-150 and correctly applies power to the Expansion Bay on boot-up, even when the USB console cable has been connected, prior to applying main system power.
DEV-10203 HIPswitch Fixed an issue where the default Underlay Fail-safe (reboot) settings did not get applied correctly.
DEV-10159 HIPswitch Updated the HS-150 platform to allow multiple Underlay Interfaces (wired and cellular) to HA-pair.
DEV-9953 Conductor A check is in place to prevent a customer from adding a HIPSwitch’s Underlay IP address as a device IP for itself.
DEV-9949 HIPswitch-Cellular Enabled modem statistics collection for HIPswitch-150 with an MC7430 modem installed.
DEV-9876 OpenHIP Fixed an issue where broadcast/multicast packets being sent on a busy HIPswitch, having many tunnels (e.g., hub with many spokes), causes the HIPswitch to crash and restart.
DEV-9830 HS100 You can now reboot a HIPSwitch from both Diagnostic Mode and the Command Line.
DEV-9829 HIPswitch Diagnostic Mode now displays None, when there is no Part Number file.
DEV-9800 Conductor The HIPswitch displays the tags correctly, when you toggle between Transparent Mode and Protected Mode.
DEV-9524 HIPswitch Fixed a bug that caused Diagnostic Device pings to fail on HIPservices after an HA fail-over.
DEV-9939 Conductor Fixed a bug where opening and closing the Conductor Proxy settings will not save blank values.

Known Issues

ID Component Description
DEV-11350 HIPapp

UserAuth sometimes does not work with 2.1.6 HIPswitches.

Workaround: None

DEV-11095 HIPapp-Android

Android HIPclient 2.1.6 is not able to pass traffic with another HIPclient with User Authentication feature enabled.

Workaround: Upgrade Android HIPclient to 2.2.1 or later.

DEV-11196 HIPswitch HTTP GET monitor does not work as expected.Workaround: HTTP GET monitor on a 2.1.6 HS with a 2.1.7 Conductor will not work. Please upgrade the HS to 2.1.7.
DEV-11047 Conductor

A 2.1.6 Conductor with map1 HS is not blocked from upgrading to 2.2.

Workaround: None

DEV-10638 HIPswitch

CLONE (2.1.7) - Health data is sent when it is disabled in the Conductor.

Workaround: None

DEV-9813 Conductor

The Route Notice check does bit check the currently configured routes.

Workaround: The UI warns that you need an Overlay Gateway Address even though one is already configured.

DEV-9779 Conductor

Using the mvebu image as an example, it lists the 250 variants before the 150 variants.

The x86 image is fine.

Workaround: The list of platforms supported on a build image should list them in numerical order

DEV-9761 Conductor

The Conductor net/net utility incorrectly allows the setting of two (2) default routes.

Workaround: Set only one (1) default route and then apply static routes via the Setup page, under Conductor UI General Settings,.

DEV-9782 HIPclient, all platforms

HIPclient chooses an incorrect interface and cannot establish a connection with devices behind a HIPswitch running on the Google Cloud Platform (GCP). It has to do with having multiple active interfaces.

Workaround: In the HIPclient configuration, select your desired network interface instead of allowing the HIPclient to automatically choose an interface.

DEV-9697 Conductor

Removing the Conductor HA does not remove the standby Conductor's address from the HIPswitch Conductor search list on HIPswitches running versions previous to 2.0.

Workaround: De-configuring Conductor HA does not remove the Standby Conductor's address from the HIPswitch Conductor search list on HIPswitch versions older than v2.0. Customer should upgrade to 2.1x.

DEV-9397 Conductor

If you perform a factory reset on a Conductor that's in HA-mode, the database gets into a bad state and Postgres won't start. Note that a second factory reset fixes the issue.

Workaround: Factory resetting a Conductor that's in an HA-pair doesn't work correctly the first time. To fix this, a second factory reset is required.

DEV-9200 HIPswitch

When attempting firmware upgrades get failure messages.

Workaround: The first attempt to upgrade fails, reboot the HS and upgrade again. (this clears out old /tmp files)

DEV-9166 HIPswitch, Cloud

When route injection is enabled, a HIPswitch protected subnet must contain only one HIPswitch. Additionally, any custom routes added to the route table are deleted when route injection is enabled.

Workaround: If you want to deploy multiple HIPswitches in the same protected subnet or keep your custom routes, disable route injection.

DEV-9125 HIPswitch

101g: Ping peer HIPswitches pings wrong Underlay IP.

Workaround: On Mac and Linux HIPapp, if your computer has multiple active NICs and you select a specific NIC in HIPapp configuration, it instead lets the operating system chose the NIC for outbound traffic.

DEV-8097 HIPclient, macOS

If your computer has multiple active NICs and you select a specific NIC in your HIPclient configuration, the operating system will choose the NIC for outbound traffic.

Workaround: None

DEV-8060 Conductor

In rare cases, the Conductor HA pair will stop syncing.

Workaround: If this happens, promote the HA-secondary to a primary, then re-pair them.

DEV-8051 Conductor

The IP address field on associated with a HIPswitch may be blank on the HIPservices tab.

Workaround: You can locate the IP address information under the Reporting tab.

DEV-7769 Conductor

Toggling policy on and off too quickly on a HIPswitch hosted in Google Cloud can result in the Route Table becoming out of sync when using route injection.

Workaround: After toggling policy, wait 10 seconds before toggling it again.

DEV-7058 HIPswitch

When reconfiguring your Underlay network from one physical port to another in the Conductor, the changes may not be applied successfully and the configuration will revert back to the original settings.

Workaround: Make the configuration changes in diagnostic mode.

DEV-6590 Conductor

You can add a voucher code more then once from the Licensing tab. This does not create additional licenses, but is visually confusing.

Workaround: None

DEV-6587 Conductor

The Licensing tab may display invalid entries.

Workaround: Remove the invalid items manually.

DEV-6533 Conductor

When creating or editing a smart device group, rules can have the same ordinal values. This can cause unintended issues in the processing results.

Workaround: When creating rules, verify each rule has a unique ordinal value.

DEV-6226 Conductor

A fully qualified Domain name cannot be used for local or peer replication addresses on an HA Conductor pair.

Workaround: FQDN for Local or Peer Replication address on an HA Conductor pair can be used ONLY IF the reverse lookup yields the same FQDN

DEV-5832 HIPswitch

Device NAT functionality currently does not work with layer two (2) traffic.

Workaround: None

DEV-5530 Conductor UI

In some cases, allow incoming pings (ICMP) and SYN Flood Protection on the Firewall page may be disabled and won't toggle.

Workaround: Refresh your browser to resolve the issue.

DEV-5430 Conductor

After configuring the Conductor for the first time, you may receive a Lost Connection to the original server message if you select Return to settings too quickly.

Workaround. Wait at least 20 seconds before selecting Return to settings.

DEV-5008 PCI Reporting

PCI Reporting shows the UUID reference instead of the name when generating a PCI report from Settings > Advanced > PCI Reporting > Downloads > User Activities Report.

Workaround: To view names, you can download object references from the same page where you generated the PCI report.