Release Notes PN 93000579_N
Digi ConnectPort WAN VPN
82001276_N EOS
October 15, 2010

INTRODUCTION

This is a production release of firmware for the Digi ConnectPort WAN VPN. The ConnectPort WAN VPN is a hardened, upgradeable 3G cellular router that provides secure high speed wireless connectivity to remote sites and devices. It can be used for primary wireless broadband network connectivity to equipment at remote locations, as well as for a backup to existing landline communications. The ConnectPort WAN VPN is ideal for use where wired networks (e.g., leased line/frame relay, ISDN, DSL) are not feasible, or where alternative network connections are required.

SUPPORTED PRODUCTS

Digi ConnectPort WAN VPN

SUPPORTED CELLULAR MODEMS

Within the cellular product family, Digi has continued to add support for cellular modules as vendors make updates and improvements to support the latest chipsets and cellular technology. As new modules come on the market and older ones go obsolete, Digi is committed to supporting the products we have sold and continue to sell to our customers. The level of support that we are able to provide falls into one of the following categories:

1) Full Support

These modules are shipping in Digi products. An essential part of our product testing is to make sure these modules are compatible and function properly. Operational and performance issues with these modules that are found by customers will be verified, scoped and scheduled to be fixed in an upcoming firmware release.
Sierra Wireless:
  MC5725, p2005001,20224 [Sep 21 2006 15:43:22],, VID: PID:
  MC5727, Modem Revision: p2410701,51240 [Nov 08 2007]
    BOOT: SWI6800V2_PP.01.07.01 2007/11/08
    APPL: SWI6800V2_PP.01.07.01 2007/11/08
  MC8775, H1_1_9_3MCAP C:/WS/FW/H1_1_9_3MCAP/MSM6280/SRC 2007/12/12
  MC8790, Revision ID: K1_0_2_8AP C:/WS/FW/K1_0_2_8AP/MSM6290/SRC 2008/09/17

Ericsson:
  F3507g, Revision ID: R1D06

Option Wireless:
  GTM382, Revision IDs:
    1.4.6.0Hd (Date: Oct 1 2008, Time: 11:50:07)
    1.8.0.0Hd (Date: Jan 14 2009, Time: 14:46:50)
    1.9.1.0Hd (Date: Mar 26 2009, Time: 09:10:10)

2) Partial Support

These modules had shipped in Digi products in the past but are no longer actively supported by the module vendor. Firmware testing no longer includes these modules; however, every attempt is made to maintain support as features and improvements are implemented. Issues with these modules that are found by customers will be verified, scoped and either scheduled to be fixed or a newer, supported module offered as an upgrade option.

Sierra Wireless: MC5720, MC8755

3) Limited Support

These modules have never shipped in Digi products and have never been part of firmware testing and verification efforts. These modules may be similar to full/partially supported modules by the same vendor and may even have been informally tested and shown to work in Digi products. Operational and performance issues with these modules that are found by customers will be evaluated and scoped to be fixed on a business case basis.

Sierra Wireless: MC8780, MC8781, MC8775V, MC5725V, MC8755V, MC8765, MC8785V, MC8700
Option Wireless: GTM378
Huawei: EM770W, Revision ID: 11.128.03.00.00

4) Not Supported

These modules have never shipped in Digi products and are known to be incompatible.

Sierra Wireless: EM3420, EM5625
Option Wireless: GTM501, GTM380

5) No Longer Supported

These modules were supported in the past but are no longer supported by the Digi firmware, or are known to have operational issues with current Digi firmware.
Last supported in Digi firmware 82001276_L3 (2.9.0.13) - March 16, 2010:

Sierra Wireless:
  AC875, H1_1_8_3ACAP C:/WS/FW/H1_1_8_3ACAP/MSM6280/SRC 2007/03/08
  AC881, F1_2_3_15AP C:/WS/FW/F1_2_3_15AP/MSM7200R3/SRC/AMSS 2008/07/09
  AC597E

Sony Ericsson:
  EC400g, Revision ID: R2A004

DISCONTINUED CELLULAR MODEM NOTICE

Please read the SUPPORTED CELLULAR MODEMS section ("No Longer Supported" subsection) for a list of cellular modems for which support has been discontinued. The list identifies modems that were supported to some extent in the past, and it states the last Digi firmware revision that supported the modems.

Support is discontinued in this release for these modems:
- Sierra Wireless AC875
- Sierra Wireless AC881
- Sierra Wireless AC597E
- Sony Ericsson EC400g

ENHANCEMENTS

Add a Network Port Scan Cloaking feature that permits users to prevent replies to various received packets for which there is no local service. On a global or per-network-interface basis, one can disable ping replies, TCP reset replies for received connection requests to unused ports, and ICMP destination/port unreachable replies to received UDP datagrams destined for unused ports. This capability "cloaks" a device from being probed on such unused ports, and it reduces packet traffic by eliminating replies that may be billable to service accounts (e.g., cellular service). This feature is exposed in the CLI as the "scancloak" option, and it is supported in the web UI on the Advanced Network Settings page under the Network Configuration section. By default, this feature is disabled.

Support cloaking for the DNS Proxy feature on a per-interface basis, so the proxy can be enabled for some interfaces yet disabled for others.

Change the default state setting for the DNS Proxy feature to "disabled" (off) rather than enabled/on. The purpose for this change is to modify the "out-of-the-box" default to one that is safer from denial of service (DOS) attack on DNS servers.
Improve the network stack to address the issue described in US-CERT Vulnerability Note VU#498440: Multiple TCP/IP implementations may use statistically predictable initial sequence numbers. The note can be viewed at: http://www.kb.cert.org/vuls/id/498440. (36183)

For GPS support by the cell module, for Verizon service, add support for varying minimum intervals between fixes depending upon the user-selected position determination method:

  MSS - Standalone (no network assistance)      1 second
  MSB - Mobile-based (network assisted)         30 seconds
  MSA - Mobile-assisted (network calculated)    1800 seconds

This support is for compliance with Verizon certification requirements.

Enhance the Dynamic DNS update feature to permit the selection of any device network interface. Previously this feature was coupled with the cellular mobile interface and did not support a selection of the network interface for which the associated IP address is registered with the DDNS service. (35346)

Expand the description of iDigi keep-alives in the web help information.

BUG FIXES

Fix a problem in which the Ethernet driver might lose synchronization between its interrupt handler and its packet receive processing thread. This could cause received packets to be held in the driver's receive buffer ring and not passed to the network stack in a timely manner. Under such a condition, network communication might appear to be broken for network protocols and applications. (35638)

Fix a possible panic when using IPSEC with NAT-T. The problem could occur when multiple NAT-T vendor ID payloads are loaded into an IKE message (packet), resulting in a buffer overflow. (35594)

Fix a possible panic that occurs while configuring the primary network interface (Ethernet) and saving the changes to NVRAM. (35715)

Fix a bug in a previous fix to gettimeofday() that causes incorrect display and behavior in "set time" and the Date and Time web page.
(35957)

Fix a bug in uudecodeToFile() that causes RCI file transfers to fail when there is white space after the file data. (36147)

Fix a bug in which the file system component was incorrectly accounting for open directories in the system. Due to this bug, it was possible that the open would fail regardless of actual resource availability. (31645)

Fix bugs in "set vrrp" option validation in the CLI:
- Verify VRID is 1-255 (not 254).
- Verify priority is 1-254 (not 255).
This matches similar validation in the web UI and configuration restore.

KNOWN ISSUES

Problems have been encountered with some Linksys VPN appliance models when using different Diffie-Hellman group settings for phase 1 and phase 2. To work around this issue and successfully establish the VPN tunnel, use the same Diffie-Hellman group for both phase 1 and phase 2 settings.

DOCUMENTATION ERRATA

None.

ADDITIONAL INFORMATION

It is recommended that you perform a backup of your device's settings prior to upgrading your firmware. If you should need to revert back to a previous version of firmware, this will ensure that you will be able to restore your device to its previous settings in the event that some settings are not restored properly after downgrading the firmware.

To back up your device settings, follow this simple procedure:

1) Open the web user interface and navigate to the "Administration" section and select "Backup/Restore".
2) Click the "Backup" button and select the location to where you want to save your backup file.

To restore:

1) Navigate to the same section within the web UI.
2) Click the "Browse" button to select the backup file you saved in the previous steps.
3) Click the "Restore" button to upload the configuration settings contained in your backup file.

On initial boot of this device, it will generate some encryption key material: an RSA key for SSL/TLS operations, and a DSA key for SSH operations. This process can take as long as 40 minutes to complete.
Until the corresponding key is generated, the device will be unable to initiate or accept that type of encrypted connection. It will also report itself as 100% busy but, since key generation takes place at a low priority, the device will still function normally. On subsequent reboots, the device will use its existing keys and will not need to generate another unless a reset to factory defaults is done, which will cause a new key to be generated on the next reboot.

HISTORY

82001276_N (2.12.0.6) - October 15, 2010

See ENHANCEMENTS and BUG FIXES information above.

82001276_M1 (2.10.0.10) - August 24, 2010

ENHANCEMENTS:

Add iDigi connection status items for send and receive idle times.

Add an optional interface name list to "display pppstats" so individual specific interfaces can be displayed. The absence of interface name parameters causes all valid PPP interfaces to be displayed.

BUG FIXES:

The value returned by the Python time.time() function is no longer modified by the offset option of "set time". The function gettimeofday() was returning UTC biased by "offset". (34994)

A few of the Python modules would block all Python activity during certain lengthy operations unnecessarily. Components that have been examined and addressed include the digicli module; the power control module; and the battery voltage sense, accelerometer, GPS summary and ignition sense portions of the digihw module. Not all modules or functions are available in all products, dependent on the available hardware components. (35505)

Fix a panic problem that occurred running RealPort through a VPN tunnel. (35412, 33130)

82001276_M (2.10.0.7) - July 23, 2010

ENHANCEMENTS:

Added Ethernet switch & MDIX configuration feature to ConnectPort WAN VPN.

Add limited support for the Sierra Wireless MC8700 cellular (GSM) modem. SMS is supported for this modem.

Add limited support for Huawei EM770W and EM770U cellular (GSM) modems. SMS is supported for this modem.
Add "Bell Mobility HSPA" to the list of supported mobile carriers in the Mobile Settings web UI. Provides optional PAP/CHAP support. (33916)

Update the SSL/TLS implementation with enhancements and bug fixes.

Enhance filesystem support:
- Add POSIX APIs.
- Enhance Python interfaces.
- Extend the "ls" command for file systems in RCI to request a hash value be returned for files in the listing. At present, the only hash methods supported are "none" (the default) and "crc32".
- Extend all RCI implementations in NDS to support requesting a specific file rather than just a directory in a "ls" command request. The "dir" attribute of the "ls" command has been deprecated as a result, with the more applicable synonym "path" now taking its place as the standard attribute tag to use to choose what should be listed.

Enhance the DHCP server feature to support user configurable selection of the default gateway (DHCP Option 3: Routers on Subnet) in leases given to clients. The default selection matches what was implicitly offered in all previous firmware releases with DHCP server support.

Enhance PPP support:
- Add PPP server for standard serial ports.
- Add PPP server port profile to web UI.
- Display statistics for all PPP instances on CLI "display pppstats".
- Rename CLI set/show/revert "pppoutbound" commands to "ppp".
- Encrypt PPP passwords in RCI and backup files.

Add a new info command to the CLI, "info time". This command displays SNTP Client statistics when SNTP is configured as a time source.

Enable TCP keep-alives by default for these services: ssh, telnet. This provides default cleanup of orphaned sessions.

Clarify description: the serial statistics page displays the current port settings. (32689)

The Connectware Manager (also referred to as Remote Management) has been rebranded in the Digi device firmware as "iDigi". This corresponds with the service being offered by Digi for this purpose.
A number of enhancements are added for the iDigi client in the Digi device firmware:
- iDigi activity is recorded in the Event Log.
- An iDigi client entry appears in the "Connections" list when:
  - The client is connected to the iDigi server.
  - The client is trying to connect to the iDigi server.
  - The client is waiting (listening) for the iDigi server to connect to it.
  - The client is waiting for a configured interval before initiating a (new) connection to the iDigi server.
  The connections list may be displayed in the CLI ("who") and in the web UI (Management > Connections).
- When the iDigi client is waiting to (re)connect to the server, the connection table entry may be "killed" in which case the wait is canceled and the connection attempt proceeds immediately.
- When the iDigi client is connecting to the server, the connection table entry may be "killed" in which case the connection attempt is abandoned. The "connecting" state is typically very brief. If for some reason the Digi device gets "stuck" in the "connecting" state, the kill request will terminate the condition. This is not an expected condition.
- Add the CLI command "display idigi" to report iDigi connection status of the Digi device.
- Add the iDigi status web page under Administration > System Information to report iDigi connection status of the Digi device.
- Show the iDigi Device Type for the Digi device on the iDigi Configuration page in the web UI. This is the device type by which the Digi device is known to the iDigi server. That value also is displayed via the CLI command "show mgmtglobal" and in the RCI output as (in addition to the existing field).
- Send the actual Digi device type to the iDigi server rather than a possibly user-customized product name in config.ini. Customized names are problematic for the iDigi server for device recognition and management. (1291266)
- Eliminate unsupported interfaces from the network settings RCI and related CLI (set mgmtnetwork).
  The web UI was already correct. (34520)
- Increase the maximum permitted request and reply document sizes for the iDigi protocol RCI facility. The new size accommodates encoded files of just over 2MB.
- Expose the (previously hidden) devicesecurity CLI option from these commands: set, show, revert. This was previously available but hidden to prevent misuse of some of that command's capabilities. The options that could cause problems if misconfigured have been removed, so it is no longer necessary nor appropriate to hide the devicesecurity option. (34535)

Improve iDigi information for SMS replies to #idigi commands.
- Add the device ID to the returned data if the 'i' flag is specified. E.g., #idigi,i status
- Add the "id" command option for #idigi to return the device ID. I.e., #idigi id
- Add support to manage the "waiting to connect" state of the iDigi client to the SMS "#idigi" command. The "#idigi waitcancel" command cancels the wait and the connection attempt proceeds immediately.

Change "opts" (options) to "flags" in the SMS # usage (help) text.

For the iDigi client configuration's connection server list, reduce the number of server entries to 4 from 8. The list of 8 is simply truncated to 4 for this change. An attempt to restore "deprecated" entries results in warnings, not errors, generated by the settings manager. Note that Digi devices are typically configured to use only one of the server list entries, so this change won't affect deployed products. This reduces runtime memory usage, NVRAM use for configuration setting storage and the RCI text generated for backups. (34309)

Reduce the number of Alarms to 8, from the previous maximum of 32. For Digi devices being upgraded from an earlier firmware version, only the first 8 alarms will be used by the new firmware. The other 24 alarm entries will be discarded (deprecated). An attempt to restore such deprecated alarm entries results in an "invalid index" warning rather than an error.
This reduces runtime memory usage, NVRAM use for configuration setting storage and the RCI text generated for backups.

Add DHCP lease information to the output of the CLI command "show network" when the IP configuration for the Digi device is received from a DHCP server. The information shown includes the IP address of the DHCP server, the lease duration, the renew and rebind times, and the time remaining in the current lease.

The VRRP feature is now available only on Digi devices that support cellular services (no longer present for non-cellular devices). (32513)

Support for LPD, RLOGIN and RSH has been removed from the product.

Remove unneeded and deprecated data and code to reduce memory use.

BUG FIXES:

Fix a problem with Ericsson F3507g module in NDIS mode, in which the '@' character in the username or password results in an authentication failure. NDIS mode is now supported for this modem. (33202)

For the Option GTM382 cellular module, fix an issue that prevented the Digi device from successfully acquiring the mobile LAC and CID values. These values are reported as mobile status and are necessary values for troubleshooting.

Fix a bug in which setting the time with a year greater than 2036 causes the wrong year to be set. (32781)

Fix a bug in which multiple SNTP Server entries may be configured as time sources in the Date and Time Settings, but only the first one in the list is used. (33367)

Fix an issue in the SNTP Client that results in frequent name resolution attempts (one per second) if a domain name is configured for an SNTP time source. This may occur if the name is invalid or cannot be resolved by the configured DNS servers. A backoff is implemented to mitigate the too-frequent name resolution attempts. (32652)

Fix a bug in which the SMS settings for Python were not being saved when set via the web UI.

Fix incorrect "set smscell" help information.
Fix a bug in which, for SMS messages sent to Python via #python command, only the text that follows #python (and optional flags/password) should be passed to the Python read interface. The entire message starting with #python was being passed erroneously.

Fix a corrupt IPSEC SPD table header string in the output of the CLI commands "display ipsecspd" and "display vpn".

Fix a problem in which the Digi device, running in IP Pass-through mode, stops passing packets from the Ethernet interface to the mobile interface. The Digi device had to be rebooted to clear the problem. (33756)
- Fix a problem that caused the mobile send to block permanently.
- Add detailed statistics for pass-through activity to the CLI command "display passthrough".
- Add detailed trace capability for technical support troubleshooting.

Fix a bug for dual SIM devices in which the incorrect SIM may be selected when no SIMs are installed or configured. (33966)

Fix a problem in which the Cisco ASA would not establish a VPN tunnel to Digi units. (33948)

Fix a bug in which the CLI command "show vpn phase1 verbose=on" shows the wrong encryption key size, when the key size is other than the default. (34974)

Fix a serial port problem in which the break end status is not generated when break completes after TCSENDBREAK. (34008)

Fix a bug in the Alarms Settings web UI in which the value saved is not what was entered for large time values (cellular-related time intervals). (26557)

Fix a bug in which the Digi device might panic (reboot) when using the CLI command "certmgmt" to generate a key for SSH. (33249)

Fix a bug in which the cold start trap is sent every time the user enables "Generate cold start traps" in the web page or the CLI. (33655)

Fix a bug in which the geofence SMTP server field will not accept a DNS name for the mail server in the web UI (Position Configuration > Geofence Settings). The web page will now accept a FQDN as well as an IP address for the primary and secondary SMTP server fields.
(32808)

Fix a bug in which the geofence email recipient fields will accept any input as an e-mail address. Recipient strings now are validated in a manner that is consistent with e-mail recipient validation on other web pages. (32809)

Fix an inconsistency in validating the signal strength threshold values when configuring alarms for cellular-capable Digi devices. The change standardizes a range of -120 dB to -40 dB. Previously, some interfaces implemented that range, while others implemented the range -300 to 0 dB. (26564)

Fix a bug in which a user could not remove or disable a VRRP instance other than by reverting the settings altogether. (30490)

Fix a bug in which the DialServ feature's connection_wait_time setting could be set outside its designed value range (10-300). This problem existed only when the setting was applied via the RCI interface. (34647)

Fix the keep-alive checkbox for DialServ dial-out configuration. (32833)

Fix a pmodem feature problem for which, under some conditions, an ATDT command (that normally works correctly) stops working. (34433)

82001276_L3 (2.9.0.13) - March 16, 2010

ENHANCEMENTS:

As a debugging aid, improve the Python interpreter to report the filename of the calling code in tracebacks and other stack inspections. (32589)

BUG FIXES:

Fix an initialization bug for the GlobalSat BU-353 USB GPS receiver and other SiRF III-based GPS receivers. (33635)

82001276_L2 (2.9.0.11) - February 12, 2010

ENHANCEMENTS:

Improve performance of cellular modems (primarily those using NDIS) by queuing more than one buffer with the USB host controller.

Eliminate excessive event logging for SMS activity. A two-level logging capability is now implemented such that the original detailed event logging is still available, but the customer must enable it via the settings (CLI, web UI, RCI). By default the event logged SMS activity is now leaner than it was previously.
(32265)

Improve the Mobile Configuration Advanced Settings web page and the associated web help. The new text states that the mobile connection must be restarted (or the device rebooted) for the settings changes to take effect. The help information was updated with a more detailed discussion of issues for manual carrier selection. (25271)

Improve iDigi (Connectware) client's connection backoff/retry logic in the case of failure to connect to the iDigi server.

If SNTP Server use is configured as a time source in the Date and Time Settings, with a domain name specified for the time server, the time query could fail if the Access Control List (ACL) feature is enabled. The SNTP client has been modified to temporarily configure an ACL entry to permit the time server access, then remove the temporary ACL entry on either success or failure of the time server query. This avoids the need to explicitly configure the time server's IP address in the ACL. A possible stale name resolution condition also was eliminated.

BUG FIXES:

Modify SSH to prevent an initial false SNMP login failure trap when the SSH client connects with the "none" authentication method. (1278304).

Fix issues in the SSH service implementation:
- Eliminate possible memory leaks when loading DSA/RSA keys.
- Fix a failure to disconnect and report the reason to the client when the maximum number of authentication failures is reached.

Fix several reported VPN problems:
- Some Digi products will not build VPN tunnels to other Digi products. (32256, 32257)
- TheGreenBow VPN client will no longer build a connection with newer Digi firmware. (32255)
- Correct/improve several misleading/incorrect VPN event log messages.
- ISAKMP frames negotiating with certificates were being incorrectly generated. The bug caused garbage data to be added to the end of the frame. Also, verification of certificates from the peer would reject the frame if the certificate was followed by a NAT-T discovery payload.
(32834)

Allow auto-IP addresses (169.254.0.0/16) to be used in IP packets and translated/forwarded by the NAT feature. This had been rejected by the network stack in previous firmware releases.

With the Digi device operating in IP Pass-through mode, when working with a pass-through host whose IP settings are statically configured, communication from the mobile network to the pass-through host could be temporarily lost. The loss of communication could occur in as little as four minutes after a successful communication (although usually longer). The outage could continue until the pass-through host sends packets to the Digi device, to be forwarded to the mobile connection. The problem has been corrected. (30936)

Fix a bug in the DHCP client that accumulates small network buffers on the DHCP client's internal information structure. This occurred for options received from a DHCP server that are unrecognized by the DHCP client. These buffers are now freed to avoid gradual memory depletion.

Fix an issue where the Send Character Immediate IOCTL was not getting a response, causing a RealPort hang. (32061)

Fix problems with RX/TX byte counts, activity LED and idle timers for some supported cell modules using USB network interface (NDIS) mode. Specifically, some packets exchanged between the operating system and the module are no longer reported in the RX/TX activity, since those are local packets that are not sent over the mobile connection. Also, the RX and TX idle times are now properly initialized when the mobile connection is established.

Eliminate some unneeded information from the configuration backup file. (32511, 32512)

Flush the DNS resolver cache when the DNS server list changes (servers are removed). This avoids a possible stale DNS resolver cache issue.

Disallow an attempt to set the IP address for a network interface and the interface-specific gateway to the same value, which causes problems for routing in the network stack.
0.0.0.0 is substituted for the gateway so IP routing is not adversely affected.

Disable NDIS support for the Ericsson cellular modems. PPP is still supported as in the past. NDIS support for Ericsson modems will be enabled in the future after some technical issues have been resolved. (33202)

82001276_L1 (2.9.0.7) - October 30, 2009

ENHANCEMENTS:

Add support for Short Message Service (SMS) capabilities for GSM cellular modems. This feature is available for all GSM cellular modems identified in the "Full Support" list under SUPPORTED CELLULAR MODEMS above. SMS may be used for remote command of the device, alarms, event monitoring and Python application interaction (send and receive). Python support is provided via the new Python module "digisms". The use of passwords and a sender control list (to filter messages that are received from unknown senders) provide user-configurable security for this new feature.

Add "Paged Connection" support to the Remote Management settings. This may be used in conjunction with the SMS feature.

Add SNTP Client as a time source for time source management. This new feature adds SNTP client as a source for time management. It allows the device to synchronize its clock with NTP/SNTP servers. Configuration for this feature is available through RCI, the web UI and the command line "set clocksource" command.

Add an "offset" from UTC to time source management. This new feature adds the ability to modify Coordinated Universal Time (UTC) by increments that correspond with time zones. Configuration for this feature is available through RCI, the web UI and the command line "set time" command.

Add logging for time events such as changes to offset or time "jumps".

Add SSL connection support and simple password authentication for device connections to the iDigi Server (Connectware Manager Server).

Add support for RealPort authentication.

Add numerous commands to "display techsupport" for improved reporting.
(31539, 31689)

Reduce the amount of alarm data sent at the start of a connection to an iDigi Server (Connectware Manager Server) by sending only the active alarms. This improvement is coupled with a server change to not request the current state of all alarms.

Add support to flush the ARP table and DNS resolver cache on demand. Enhance "display dnsserver" to display resolver cache entries. Automatically flush the DNS resolver cache when the DNS server list changes, removing possibly stale cache entries.

Add support for USB cellular modems using a network interface (NDIS) instead of PPP for improved performance. This is supported for the Option GTM382 and Ericsson F3507g modems.

Add GPS support for the Ericsson F3507g modem.

Add setting and UI to enable/disable antenna diversity on Sierra Wireless cellular modems. (25728)

Add the ability to set the SIM PIN for GSM modems to the command line interface: set mobile sim_pin=.

If the cellular module can determine and report the location of the cellular base station, the latitude and longitude are reported in the device Event Log. This change applies to some CDMA modems. (26706)

Add units to ambiguous measures on the GPS position web page. (29856)

Allow fully qualified domain names (FQDN) instead of only IP address for a number of features. These features are: AutoConnect, UDP Serial, SNMP trap destinations, and the alarms e-mail server. For UDP Serial, a lookup of the FQDN (typically in the DNS resolver's cache) is done for each packet sent, with a full name resolution occurring only when the cached entry's time-to-live expires (or the cache is flushed). This supports dynamic destination IP addresses. (19517, 30637)

Add options to CLI, web UI and RCI to save encrypted passwords and keys in the configuration backup file. Configuration restore accepts either encrypted or plain text passwords and keys. (15108)

Add event logging for IPSEC (VPN).
(20170)

Improve the web UI to make it more intuitively clear how to configure a VPN tunnel for responder mode. The user is now explicitly prompted to select one of: responder only, or client and responder with an address. (26348)

VPN support: Improve the CLI to set a default value for the local tunnel when host mode is selected. (30995)

The CLI commands for configuring a VPN tunnel have been changed. Older firmware versions allowed you to set the local peer ID of a tunnel using the local_peer_id option in the "set vpn tunnel" command line. This option has been removed from the "set vpn tunnel" command line. You must now use the "set vpn interface" command line to set the local peer ID for all tunnels that use a particular interface. (30994)

Add a new configuration option into the VPN Global Settings web page which allows users to select support for dynamic DNS. This feature is useful if the remote VPN peer does not have a static IP address (i.e., its IP address may change). In this case, the remote peer should register its DNS host name using dynamic DNS, and update the DNS entry whenever its IP address changes. When the dynamic DNS option is selected in the VPN Global Settings web page, the VPN client will periodically check the remote peer's DNS entry to see if its IP address has changed. It will renegotiate the VPN tunnel when the address does change.

Change the signature method on the self-generated, self-signed certificate from MD5 to SHA1. Although MD5 is not generally unsafe, SHA1 is deemed to be the most secure. All browsers or SSL clients recognize SHA1 instead of MD5.

Expose 'rmdir' and 'rename' calls to Python through POSIX wrapper.

Update the web UI for IP Forwarding Settings to show the maximum number of entries for Static routes and "Forward TCP/UDP/FTP connections...". (31866)

Add support for the u-blox 5 USB GPS receiver.
Change the GPS priority so an external or PCIe GPS receiver is given preference over the integrated cellular GPS receiver (if there is one) for sending NMEA output to the /gps/0 device.

ENHANCEMENTS in 82001276_L1 subsequent to 82001276_L:
Add support to send login success and failure traps via SNMP when a user logs into the device using HTTP or HTTPS.
On the Alarms Settings web page and in associated help, clarify that the SMS feature must be enabled to successfully send alarms via SMS.
Improve the information sent for some alarm conditions when e-mail or SMS is the configured method for sending the alarm.

BUG FIXES:
Fix a problem in which the reported VPN status is incorrect. (30201)
When cellular PPP instance settings are set via RCI, mobile PPP settings are set instead to maintain backward compatibility. Change this to also enable the cellular PPP instance, which allows cellular connections to be fully enabled via RCI. (31946)
Remove reference to GSM from RSSI alarms in web UI. (25830)
Check if enough free memory is available to handle a firmware update from the iDigi Server (Connectware Manager) and return an appropriate error response if not. (31321)
Fix a bug that limited the length of the primary SNMP destination field in the SNMP Settings web UI. (31895)
Add a change to work around a problem in which Digi products do not accept gateways from Apple's Airport Extreme when the Digi product is configured as a DHCP client and the Apple is the DHCP server. (31166)
Add Mobile System Information help text to the web UI help information. (31839)
Improve a condition under which client-initiated connections to the iDigi Server (Connectware Manager Server) won't start unless the "Reconnect after..." box is checked. (31885)
Eliminate several memory leaks.

BUG FIXES in 82001276_L1 subsequent to 82001276_L:
Fix a bug in which login success and failure traps were not being sent via SNMP when a user logs into the device using SSH.
(32161)
Fix a bug that could cause the device to reboot when an alarm is sent via SMS.
Fix a condition in which some specific characters could not be sent in SMS messages sent by Python. The characters are: [ \ ] ^ { | } ~

82001276_L (2.9.0.5) - October 17, 2009
Not released for customer use. See ENHANCEMENTS and BUG FIXES information for 82001276_L1 EOS.

82001276_K2 (2.8.4.16) - August 28, 2009

ENHANCEMENTS:
None.

BUG FIXES:
Fix a memory leak that may occur when DNS lookups are performed. Although the leak is small, it can lead to memory exhaustion in systems that perform many DNS operations, such as some iDigi client configurations. (30870)

82001276_K1 (2.8.4.14) - July 1, 2009

ENHANCEMENTS:
Add support for new cellular modules:
  - Ericsson F3507g
  - Option Wireless GTM382
Improve event log messages for the DHCP Server feature. (29931)
Improve a timing condition to reduce by up to five seconds the time it takes before the first mobile PPP connection is established when the Digi device boots.
Eliminate some timing dependencies when mobile band and carrier selection options are used with GSM modems.
Eliminate a condition that could result in a false indication that the mobile call has dropped when establishing a PPP connection. This avoids unnecessary modem resets and decreases the time that the mobile PPP connection is unavailable.
Add the ability to enable/disable incoming dynamic VPN configurations, and to display all incoming dynamic VPN tunnels. (28912)

BUG FIXES:
Fix a bug that could result in a USB stall condition when accessing some USB devices. Part of this fix eliminates a possible USB resource leak that could be recovered only by rebooting the Digi device.

82001276_K (2.8.4.7) - March 31, 2009

ENHANCEMENTS:

CELLULAR ENHANCEMENTS:
Add support for new cellular modules:
  - Sierra Wireless MC5727
  - Sierra Wireless MC8790
  - Sony Ericsson EC400g ExpressCard
Add support for new Sprint provisioning method (OMA-DM).
Add support for on-board GPS receivers on some modules (MC5727, MC8790). Add configuration capabilities in CLI, web UI and RCI.
Add capability to report ICCID of the SIM cards.
Improve mobile band and carrier selection for GSM modules. Add warning and informational text to web UI, carrier scan wizard and web help. For carrier selection, indicate discovery of 2G and 3G carriers when displayed in the carrier scan wizard. (25271, 28118, 29251)
Add information to the event log and the UI (CLI, web and RCI) that indicates the user's choice of manual or automatic cellular band and carrier selection. (24942)
Improve the CDMA module provisioning wizard:
  - Enable PPP on successful provisioning. (29078)
  - If network provisioning fails, offer a choice of retrying network provisioning, instead of manual provisioning. Choice of manual is available only at the start of the provisioning wizard.
Add support to SNMP for mobile link up/down traps. (25003)

GENERAL/OTHER ENHANCEMENTS:
Add support for higher memory platforms (32MB RAM and 16MB Flash).
Add configuration web page for MEI in all MEI-capable products.
Update "display techsupport" to include new and additional commands.
Add the current date/time to the device status display (CLI and web UI), in addition to the uptime value for the device.
For event logging, add the device uptime to end-of-log display line (both CLI and web UI), if the timestamp display for logging is other than the uptime (such as date/time).
Add simple CLI to manipulate the time source management settings. See CLI command "set clocksource".
Use NMEA 0183 default settings for GPS profile. These settings are: 4800,8,N,1,no flow control. (29439)

BUG FIXES:

CELLULAR BUG FIXES:
Fix a panic in the mobile carrier scan thread in the web UI. (26476)
Fix a bug in which PPP statistics may display as negative values in "display pppstats". (related to 22844)
Correct a bug in which e-mail alarms and SNMP traps are not working for a mobile configuration change event.
(26810)
Fix a problem in which GSM manual carrier selection would always force that connection to have 2G service, even if 3G service is available and supported by the cell modem. (28118)
Fix a high CPU utilization issue that occurs while PPP is bringing up a connection. (29771)

GENERAL/OTHER BUG FIXES:
Implement RFC-specified validation for a hostname, per the requirements for DHCP option 12. The RFCs consulted include 952, 1035, 1123 and 2132. The maximum length of the hostname is increased to 127 from 31. Support for a FQDN also has been implemented. Web UI help has been updated to describe a valid hostname construction. (27588)
Strip carriage returns from TFTP-loaded Python scripts. (26971)
Add a very basic stat call for FAT FS, so we can report st_size. (22785)
Add a check to the DHCP server to accept datagrams only if received on the interface being served by the DHCP server. Affects only devices with multiple LAN interfaces.
Fix a bug that occurs when restoring a public key: the value is set to the key plus additional bytes, resulting in a corrupt key. (27780)
Add option value ranges to CLI "udpserial" command help. (29034)
Fix a bug in which the event log includes one or more messages that specify the wrong (misleading) system time value when the device boots. Affects devices with a real time clock. (29804)
If a public key has been enabled for SSH, allow authentication based on the key regardless of the password setting. Dynamically generate a list of accepted authentication methods based on the configuration of the device. (27834)

82001276_J1 (2.8.1.13) - December 11, 2008

ENHANCEMENTS:
None.

BUG FIXES:
Upgrading the ConnectPort WAN VPN to the J revision firmware from an earlier revision could result in a permanent hang or panic condition. The problem could occur if VPN settings were configured using the F3 revision or earlier firmware, and if those settings were still configured in the ConnectPort WAN VPN.
Note that only a full revert to factory default settings would have removed those VPN settings. The problem occurs during an implicit conversion of the VPN settings from an older format to their newer format required by the J revision and later firmware. (28851)

82001276_J (2.8.1.8) - October 21, 2008

ENHANCEMENTS:
Improve configuration settings implementation to use less memory, better support customized defaults and more effectively manage NVRAM.
Add dynamic web page generation support for native web server from Python.
Add support for Connectware Manager Web Services.
Add support for file system access from Connectware Manager.
Add native GPS support with Geofencing application.
Add VPN "Responder Only" feature.
Add automatic failover from one network interface to another as the default gateway using customer-configurable rules. Failover-capable interfaces include cellular and Ethernet.
Allow the system time to be set from the Cellular System Time. The real time clock can be set by this source as well.
Support a Customizable DialServ Initialization String.
Split apart support for the Web Server (HTTP) service and Secure Web Server (HTTPS) service so they are managed independently of one another.
Change mobile PPP interface to be always "mobile0" rather than a set of "pppX" interfaces where X varies among products.
Add an on-board Primary Roaming List (PRL) update mechanism for Sierra Wireless CDMA/EVDO cellular modules.
Add display of mobile network MCC and MNC numeric values in addition to associated names for Sierra Wireless cellular modems. (26910)
Add a conditional second cellular signal strength bar graph to web UI, and a new "Service Mode" item. Add CLI counterparts for these (display mobile). These changes apply to products equipped with Sierra Wireless MC5720/25 modules, for the purpose of reporting signal strength for both 1xRTT service and EV-DO service. The reporting for other cellular modules is unaffected by these changes.
Also, show the correct signal strength for the current technology in use for the mobile connection (2G or 3G).
On products that have bi-color mobile Signal Strength and/or Link LEDs, correctly set and update the color as follows:
  - Indicate 3G service via a green LED.
  - Indicate 2G service via a yellow LED.
  Since the in-use service may change during the life of the mobile PPP connection, the color is updated if/as the service changes.
Add options to set the DNS priorities and gateway priorities lists from the command-line. (27324)
Added these options to "set network":
  gwpriority=(comma-separated interface name list)
  dnspriority=(comma-separated priority list)
Event logging enhancements.
  - For "uptime", display days+hh:mm:ss versus a time in seconds.
  - In CLI, support user-selectable time display format.
  - Automatically determine appropriate time display format according to time source availability and use in a given product.
Add start-up event logging in the "system" facility of these items:
  - product name and ID
  - model name (if different than the product name)
  - firmware (EOS) version
  - boot version
  - POST version
  - manufacturing VPD version (build tag)
  - hardware strapping value
  The above information is also shown by the "display device" command.
Add service provider support for Bell Mobility.

BUG FIXES:
Fix memory leak related to RCI requests.
Increase the general event log maximum message size to avoid message truncation. (24640)

82001276_H1 (2.7.2.10) - June 26, 2008

ENHANCEMENTS:
Improve the DHCP client capability so it persists in attempting to acquire IP configuration information if the DHCP client is enabled in the device configuration settings, and the DHCP client fails to acquire the IP configuration. This could occur if no DHCP server was available when the device booted, or if the Ethernet cable was disconnected at that time.
Improve the detail reported in "display techsupport" for the network settings.
Specifically, use "show network globalsettings if=*" to report everything available ("show network" is less complete).

BUG FIXES:
An engineering change in some versions of supported Sierra Wireless 3G PCI Express modules (8775, 8775V, 8780, 8781) was incompatible with the implemented existing reset logic for all other PCIe based modules, causing the Sierra Wireless modules to come up in "Low-Power Mode." A change was made to the firmware to not drive the PCIe reset pin for Sierra Wireless modules, correcting the issue.
Fix e-mail alarm failures. (26107, 25684, 25810)
Correct a time rollover bug (wraparound to zero) in the Event Log.
Eliminate a memory leak on the VPN identity key/certificate web page. (26255)
Correct a bug in which two of the options of the "set vpn global" CLI command didn't work as the CLI help stated. Specifically, the options "suppress_phase1_lifetimes" and "suppress_delete_sa_for_pfs" are documented to accept "on" and "off" as values. However, the command was expecting "yes" and "no" instead. The command has been modified to accept "on" and "off" as documented, and "yes" and "no" are still accepted as valid option values. (26607)
Fix VPN tunnel settings backup/restore issues. (26648, 25010)
  o Default settings could be backed up but not restored for some options (such as "host address" of 0.0.0.0).
  o The manual tunnel outbound authentication algorithm "SHA1" could not be restored. It could be set correctly by use of CLI command and web page settings.
Fix a problem in which packets would have a zero Ethernet MAC address for up to four minutes when running in IP Pass-through mode. (26760)

82001276_H (2.7.2.7) - April 8, 2008

ENHANCEMENTS:
Add support to the Mobile Configuration web page (Advanced Settings) for user-requested PRL updates. This enhancement applies to the MC5720 and MC5725 air interfaces.
Add DMZ support to the NAT feature.
Enhance the Event Logging feature to permit the user to clear the log on demand, thereby removing all log entries. This is supported in the web UI (Event Logging page) and the CLI ("display logging action=clear").
Add two new options to the CLI command "display logging":
  head=(lines)
  tail=(lines)
  where "(lines)" is a number of log entries to display. The "head" option displays lines from the start of the event log (the oldest entries), and the "tail" option displays lines from the end of the event log (the most recent entries). (25091)
Add support to permit the publication of private IP addresses to the DynDNS service. (25403)
Add support for Dynamic DNS service updates when the Digi device is operating in IP Pass-through mode. (25129)
Add "show ddns" to the list of commands run by "display techsupport". (25725)
Reduce runtime memory usage, including both executable code and data. The firmware image size also is somewhat reduced. This results in more available memory in the Digi device, which can help improve performance during intervals of high memory demand operations.
Add support for new air interface cards:
  o Sierra Wireless MC8780 (GSM/GPRS/UMTS/HSDPA/HSUPA)
    - Succeeds MC8775 (and MC8755).
    - Supports European frequency.
    - Adds HSUPA support.
  o Sierra Wireless MC8781 (GSM/GPRS/UMTS/HSDPA/HSUPA)
    - Succeeds MC8775 (and MC8765).
    - Supports North American frequency.
    - Adds HSUPA support.
  o Sierra Wireless AC881 (GSM/GPRS/UMTS/HSDPA/HSUPA)
    - Succeeds AC875.
    - Supports North American frequency.
    - Adds HSUPA support.

BUG FIXES:
Fix a problem with Connectware Manager client Last Known Address (LKA) updates, that could occur if an update was attempted when the network interface was restarted but retained the same IP address it had prior to the restart. The problem resulted in a rolling connect/disconnect by the Digi device to the Connectware Manager Server, and only a true change of IP address for the interface, or a device reboot, cleared the problem.
The problem was introduced in 82001276_F2. (25548)
Fix a problem in the "set vpn tunnel" CLI. The CLI help incorrectly specifies an option "public_interface" that is actually "interface". The valid interface names shown also may be incorrect. The help has been corrected. (25131)
Fix a memory leak in the Python feature. Some of the semaphores created by Python were not being released to the system when they were no longer needed. (25288)
Fix a problem in which NAT-T (VPN) failed because a mobile provider network changed the UDP source port for NAT-T, and our version of IKE did not handle that condition properly. (25489)
Fix a problem in which possible "garbage" characters may be collected and stored as part of the "Current Network" mobile status item. This information is reported to the user in CLI, web UI and XML sent to the Connectware Manager server. The "garbage" characters were problematic for the Connectware Manager in particular. This fix affects devices that are equipped with the MC87x5 air interface modules, when the "Current Network" value is less than eight characters in length. (24868)
Remove the VPN "interfaces" (vpn0, etc.) from the list of valid interfaces for configuring a static route. These are not true network interfaces in Digi's network stack. They are not suitable for static routes, since only IPSEC policies may be used for the purpose of routing packets through tunnels. These VPN pseudo-interfaces are meaningful only for the VPN "Virtual Host" mode, which was added in 82001276_F.

82001276_G (2.7.0.8) - December 5, 2007

ENHANCEMENTS:
Add support for NAT-T (NAT traversal) VPN tunneling.
Add support for Simple Certificate Enrollment Protocol (SCEP) for X.509 certificates.
Add support for Virtual Router Redundancy Protocol (VRRP) per RFC 3768.
Add support for DNS Proxy, optionally integrated with the DHCP Server.
Add support for Python scripting feature.
Add support for Device-Initiated RealPort.
Improve web UI in numerous areas for usability and feature additions:
  o Mobile service provisioning.
  o Mobile service configuration and authentication.
  o Advanced network configuration: ability to prioritize the ordering of DNS servers and default gateway selection.
Add support for CDMA technology selection (i.e., 1xRTT / EVDO / Automatic) for the Sierra Wireless MC5720 and MC5725 modules.
Add support for carrier/band/service class (i.e., 2G/3G) selection for the following Sierra Wireless modules: AC775, AC850, AC860, AC875, MC8755, MC8765 and MC8775.
The following previous KNOWN ISSUES from earlier releases have been addressed and are no longer issues for the ConnectPort WAN VPN:
  o On some IPSec VPNs, SA lifetime is not negotiated correctly. To work around this issue, configure the SA lifetime on the Digi ConnectPort WAN VPN to be less than that configured on the VPN concentrator.
  o For IPSec VPN tunnels using AES encryption, multiple key lengths (128-, 192- and 256-bit) are supported for ISAKMP/IKE phase 1 encryption proposals. For ISAKMP/IKE phase 2 proposals, currently only 256-bit keys are supported for AES encryption.
Add the "display dnsserver" CLI command to report the DNS servers that are configured in the ConnectPort WAN VPN.
Add VPN-related CLI options for the "display" command:
  o ikesa - IKE SA table
  o ikespd - IKE SPD table
  o ipsecspd - IPSec SPD table
Improve the information provided by the "display techsupport" and "display netdevice" CLI commands.
Enable automatic ("sticky") response for UDP Sockets feature to the last client when no UDP Sockets "destinations" are defined. (CR 23531)
Enhance NAT trace for improved troubleshooting detail.
Revise the signal strength reporting ranges for consistency across the Digi cellular product line and with both service provider and modem manufacturer recommendations.
Update service provider support for AT&T.

BUG FIXES:
Fix a problem for the MC5720 and MC5725 modules, in which the illuminated signal strength LEDs differ from the number of "bars" shown in the web UI (Mobile System Information page) or CLI ("display mobile" command output). (23706)
In certain situations, the Sierra Wireless MC5720/MC5725 would indicate that a call had been made, but would not assert the carrier signal on the data virtual UART. This would result in a valid call being dropped prematurely. This has been remedied.
Improve the reliability of information reported in the mobile status, including network- and modem-specific status, phone number (when available), and SIM status for GSM.
Fixes for mobile service provider support and configuration:
  o Fix Alltel provisioning on factory default unit. (23817)
  o Allow PRI HA/SEC HA for Alltel's manual provisioning. (23541)
  o Username and password are no longer required fields for some AT&T (Cingular) Orange service accounts. (23161)
  o When authentication is disabled: (22466)
    - Clear the CHAP ID, CHAP key, PAP ID, and PAP password.
    - Set 'sgauth' accordingly in init script for Siemens modems.
  o Provide a default initialization string for a CDMA Custom Provider. (21890)
  o Change "European Provider" to "European/EMEA Provider". (19833)
Improve the Dynamic DNS update feature:
  o Implement better handling of error conditions (failure to connect to and successfully update the DynDNS service in particular). Enhance the retry method to use the alternate DynDNS server access ports if the user-configured update method fails.
  o Add event logging of DDNS updates.
  o Eliminate a condition that could result in blocking DDNS updates until the Digi device is rebooted. (23805)
Eliminate a possible condition in which a system resource could be lost (leaked) when a cell modem is reset between PPP connections. Only a Digi device reboot would reclaim the resource.
Fix an initialization problem with GSM data-only mode configuration in which the mode could remain incorrectly set if a different cellular provider selection is used. Specifically, if data-only mode is enabled, it could not be correctly disabled in the cellular modem.

82001276_F3 (2.6.0.18) - July 12, 2007

ENHANCEMENTS:
Add support for ERI-specific roaming codes, first seen as a 0x40 roaming code on the Verizon network (MC5725 module).

BUG FIXES:
Fix problem where the MC8775 module would not be detected following a cold boot of the ConnectPort WAN VPN. (23469)
Fix problem in VPN settings that did not support the hyphen character as a valid part of a domain name. When a hyphen was used in an identity string, no error for "invalid" content was displayed in the web UI, but the string failed to be saved in the settings. (23415)
Handle multiple proposals in Phase 2 IPSec VPN requests. (22534)
Fix a NAT problem where a non-ICMP trigger's time-to-live (TTL) was incorrectly reset when an ICMP error was received, thereby interfering with the proper NAT management of the associated trigger (rule).

82001276_F2 (2.6.0.17) - June 25, 2007

ENHANCEMENTS:
Add support for new air interface card:
  o Sierra Wireless AC875 (GSM/GPRS/HSDPA/UMTS)
Add "display techsupport" CLI command. This reports a wide variety of settings and status information that is helpful for technical support purposes.
Enhance NAT to support multiple instances rather than just one instance.

BUG FIXES:
Fix problem with conversion of version 1 VPN settings to version 2 format, which caused VPN thread to lock up and settings to be lost. (22437)
Modify NAT behavior so it will not send untranslated IP datagrams. This avoids a problem in cases where the mobile provider does not accept IP datagrams whose source IP address is not the mobile IP address, and it takes the action of resetting the mobile PPP connection, which disrupts network services over the mobile connection.
Modify IP pass-through behavior to better filter the IP datagrams sent to the mobile network (this is similar to the NAT change above). This avoids a problem in cases where the mobile provider does not accept IP datagrams whose source IP address is not the mobile IP address, and it takes the action of resetting the mobile PPP connection, which disrupts network services over the mobile connection.
Fix problem in which the factory default settings for Mobile Carrier are not the same as Manufacturing default. The problem is with some GSM products only. The "none selected" (unconfigured) choice is the new (and correct) universal default. (22892)
Fix problem in which some GSM products were displaying the wrong frequency for their cellular service market. (22854)
For the Edge (Edge10) products, initialize the cellular module to use an LLC packet size of 1520 bytes, rather than default to 500 bytes. This change is recommended by the cellular module manufacturer, and it avoids some observed occasional packet loss in some cellular service markets.
Filter nonprintable characters from display in web UI, which could result in a device lockup.
Fix problem in which the DHCP server did not properly use the DHCP client's requested lease time.
Fix problem in which the alarms configuration could possibly be corrupted from the web UI. (21977)
Fix problem in which authenticationFailure traps were being sent for login failures. (22026)
Fix network stack problem for IP datagram fragment reassembly. (20481)
Fix problem in which data buffer is not cleared when UDP serial settings are changed. (19786)
Fix problem in which autoconnect fails if it is configured to connect on data, and the serial buffer becomes full, resulting in no subsequent connection attempts. (22333)
Fix problem in which some mobile statistics were displaying as negative values when the bytes transferred count became large. (22844)
Fix problem in which the host list restore from backup would fail.
(22779)
Changed the web server, for dynamic pages, to return: cache-control: no-cache,no-store (previously only no-cache) to prevent clients from storing dynamically generated content. In particular, the Java 1.6 plug-in was caching camera images that it should not. The Java plug-in now caches all network resources that do not specify no-store, so we now will return no-store on all dynamic content.

82001276_F1 (2.6.0.12) - April 23, 2007

ENHANCEMENTS:
None.

BUG FIXES:
Fix problem where resetting the MC8775 module could result in the module taking a long time to register on the mobile network.
Remove a 2MB file size limitation in the Connectware management protocol to allow upgrading to future EOS images that may be larger than 2MB.

82001276_F (2.6.0.10) - April 4, 2007

ENHANCEMENTS:
Add support for X.509 certificates. This feature is available to the SSH, SSL and IPSec VPN services.
Add event logging capabilities for critical system events.
Add Virtual Host VPN capabilities to allow common Ethernet network configuration on multiple units connecting into the same VPN concentrator.
Add support for IUSACELL wireless provider.
Add support for Digi DialServ, providing connectivity to legacy devices and peripherals that are only capable of connecting to a PSTN.
Add DNS Host List for use with Digi DialServ and auto-connect services.
Add SNMP MIBs providing support for cellular statistics and traps.
Enhance VPN tunnel configuration to allow all traffic, destined for any subnet (0.0.0.0/0), through the VPN tunnel.
Add check box to VPN IKE settings to support functionality with Nortel VPN appliances.
  o Suppress SA lifetime during IKE phase 1

BUG FIXES:
None.
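
The cache-control change listed under 82001276_F2 above can be checked from the client side. The following Python sketch is an added example, not Digi code; the sample responses and their paths are constructed for illustration. It parses Cache-Control field values and reports which dynamic responses a client is still permitted to store, which is the difference between no-cache and no-store that the change addresses.

```python
def split_directives(value):
    """Split a Cache-Control field value on commas outside quoted strings."""
    parts, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_cache_control(field_values):
    """Return {directive: argument or None} for one or more field values.

    Directive names are case-insensitive. An argument may be a token or a
    quoted string, and a quoted string may itself contain commas.
    """
    directives = {}
    for value in field_values:
        for part in split_directives(value):
            name, sep, arg = part.partition("=")
            name = name.strip().lower()
            if not name:
                continue
            arg = arg.strip()
            if len(arg) >= 2 and arg.startswith('"') and arg.endswith('"'):
                arg = arg[1:-1]
            directives[name] = arg if sep else None
    return directives


def cache_control_values(raw_response):
    """Collect every Cache-Control field value from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cache-control":
            values.append(value.strip())
    return values


def storage_policy(raw_response):
    """Classify what a client cache may do with the response.

    not-stored             no-store present: nothing may be written to a cache
    stored-must-revalidate unqualified no-cache only: a copy may be kept,
                           but must be revalidated before reuse
    storable               neither applies to the whole response
    """
    d = parse_cache_control(cache_control_values(raw_response))
    if "no-store" in d:
        return "not-stored"
    if "no-cache" in d and d["no-cache"] is None:
        return "stored-must-revalidate"
    return "storable"


def audit(responses):
    """Return the paths whose responses a client may still write to its cache."""
    return [path for path, raw in responses.items()
            if storage_policy(raw) != "not-stored"]


def _response(*cache_control_lines):
    """Build a constructed sample response with the given Cache-Control lines."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: image/jpeg"]
    lines += ["Cache-Control: " + v for v in cache_control_lines]
    return "\r\n".join(lines) + "\r\n\r\n<image bytes>"


# Constructed samples; the paths are hypothetical.
SAMPLES = {
    "/before-change.jpg": _response("no-cache"),
    "/after-change.jpg": _response("no-cache,no-store"),
    "/mixed-case.jpg": _response("No-Cache , NO-STORE"),
    "/two-lines.jpg": _response("no-cache", "no-store"),
    "/qualified.jpg": _response('no-cache="set-cookie, x-example"'),
    "/no-header.jpg": _response(),
}

if __name__ == "__main__":
    for path, raw in SAMPLES.items():
        print(f"{path:22} {storage_policy(raw)}")
    print("still storable:", audit(SAMPLES))
```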

82001276_E (2.5.1.3) - January 3, 2007

ENHANCEMENTS:
Add support for new air interface cards:
  o Sierra Wireless MC5725 (CDMA/1xRTT, HDR/1xEV-DO) - replaces 5720 card
  o Sierra Wireless MC8775 (GSM/GPRS/HSDPA/UMTS) - replaces 8755/8765 cards
Improve support for existing air interface cards:
  o Sierra Wireless MC5720 (CDMA/1xRTT, HDR/1xEV-DO)
  o Sierra Wireless MC8755 (GSM/GPRS/HSDPA/UMTS) - European frequency
  o Sierra Wireless MC8765 (GSM/GPRS/HSDPA/UMTS) - North American frequency
Improve NAT port forwarding to support FTP servers on the private side of the NAT. The public FTP server port number can now be other than the standard FTP server port 21, and multiple FTP servers can be configured by the use of a different public port number for each such server. (CR 17097)
For VPN, add support for use of FQDN to negotiate in aggressive mode.
Add peer IP address to PPP status display information.
Add the "sigsonopen" parameter to the "set serial" command that indicates which serial signals should be asserted when a connection is made to that serial port.

BUG FIXES:
Enable DHCP option 12 (hostname) support. (19902)
Fix bounds checking in alarms configuration for CLI and RCI. (19519, 19520)
Fix panics involving udpserial settings and profiles. (19583, 19591)
Fix problems in udpserial and tcpserial in which serial data was not being transmitted to the network. A default setting value was incorrect. (19621)
Fix problem in which "display buffer" did not display all data properly if there was a NUL byte in the data stream. (19545)
Fix problem in which double SNMP traps might be sent when a trap is triggered. (19699)
Fix problems in which SSH might stop transferring data. (19887, 19909)

82001276_D (2.5.0.5) - October 17, 2006

ENHANCEMENTS:
Add "ping" pinhole for IP pass-through mode of operation.
Increase to five the number of concurrent VPN tunnels.
Add more mobile status information items including network speed, service type, frame erasure rate, noise and others.
Add LCP echo support in web UI for Movistar Panama.
Add PPP option to enable/disable IPCP acquisition of DNS IP addresses, enabled by default to preserve prior behavior.
For NAT:
  o Add port range support for port forwarding rules.
  o Increase the maximum number of triggers to 1024 (was 512).
  o Add maximum number of triggers configuration field to web UI.
  o Reduce TCP trigger idle lifetime to free associated resources (new idle lifetime is 122 minutes rather than 24 hours).
For SureLink (tm) link integrity monitoring "ping" test:
  o Change ping data size to minimum of 4 bytes (was 56), to reduce data usage for cellular network connections.
  o Increase ping "wait for reply" interval to 5 seconds (was 3) to reduce the likelihood of unnecessary retries and hence reduce data usage for cellular network connections.
Add the use of the "nonadministrative reset" statistic for PPP, to count occasions when the cellular network disconnects the PPP session by means of an LCP Terminate message (versus dropping the call).
Add a new item to indicate the reason/type of the last PPP connection reset.

BUG FIXES:
IPSec updates (fixes specific to IKE).
Fix a possible lockup condition in the processing of network stack timers.
For NAT:
  o Fix a bug in which NAT would forward an untranslated packet to a public network when the maximum trigger limit was reached. (19552)
  o Fix a bug in which a NATed FTP session could become nonresponsive and eventually that session would abort.
Fix various pmodem issues. (19206, 19226)
Improve "revert" help. (17161)
Fix a timing problem when reading the phone number from the SIM via an AT command sent to the Siemens MC75 module.
Fix a problem in IP pass-through mode in which some services may not be accessible from the Ethernet side, if a pinhole was configured for that service. (19487)
Improve the resolution of the TCP idle/keepalive timer to comply better with configured keepalive settings. (19546)
Fix stack size problem for simple password daemon.
(19659)

82001276_C (2.4.3.8) - August 30, 2006

ENHANCEMENTS:
Add IP Pass-through mode (optional): IP Pass-through (bridged) mode specifies that IP packets received by the Digi device server will be bridged transparently between the Ethernet and mobile data links. This is useful for interoperability with third-party routers. Effectively, the mobile IP address of the Digi device server is given to a host on the Ethernet side of that Digi device server. Please consult with your mobile plan provider to obtain addresses to use (IP, DNS), and to confirm that your plan supports static address assignment. Optional "pinholes" can be configured such that a user can still access specific services of the Digi device server from the mobile network side, even when it is operating in IP Pass-through mode. For example, one can configure a pinhole that permits a user to telnet to the Digi device server over the mobile network connection.
Add Socket Tunnel feature: A Socket Tunnel can be used to connect two network devices - one on the Digi device server's local network and the other on the remote network. This is especially useful for providing SSL data protection when the local devices do not support the SSL protocol. One of the endpoint devices is configured to initiate the socket tunnel. The tunnel is initiated when that device opens a TCP socket to the Digi device server on the configured port number. The Digi device server then opens a separate connection to the specified destination host. Once the tunnel is established, the Digi device server acts as a proxy for the data between the remote network socket and the local network socket, regardless of which end initiated the tunnel.
Support additional wireless carriers:
  o Cellular South (CDMA)
  o Movistar Colombia (CDMA)
  o Movistar Panama (CDMA)
  o Movistar Peru (CDMA)
  o Verizon Puerto Rico (CDMA)
Improve cellular module provisioning (web UI and CLI).
Add SureLink (tm) statistics and additional mobile information to the Mobile System Information web page.
Connectware Manager (Remote Management):
  o Add Server-Initiated Connection support for Connectware Manager, allowing the server to connect to the device (on demand) as a configurable option. Includes Last Known Address (LKA) updates to the Connectware Manager when the mobile IP address changes.
  o Decrease the amount of data exchanged over a cellular connection when connecting to the Connectware Manager server.
  o Simplify Remote Management Configuration web pages for an improved user experience.
  o Add support to disconnect from the Connectware Manager when the connection to the server is idle for a configurable interval.
DHCP Server:
  o Add configurable conflict detection, whereby the DHCP Server pings an IP address to verify its availability, before offering it to a client for a new lease. Conflict detection is disabled by default.
  o Improve information on web page for DHCP Server Management.
  o Improve web UI help information.
Add RealPort (tm) "exclusive" mode option:
Exclusive mode provides the ability for the Digi device to close an existing RealPort connection and establish a new one immediately upon a new connection request from the same IP address. This mode is useful when using RealPort over wide area networks that can be unstable and where you are charged by the byte (such as cellular or satellite) and do not wish to incur costs for keep-alive traffic. Exclusive mode will allow your application to retain continuity when temporary, unexpected interruptions in network connectivity occur. This configuration is available via the command line.
Syntax: set realport exclusive=on|off
Add support for new air interface cards:
  o Sierra Wireless MC8755 (GSM/GPRS/HSDPA/UMTS) - European frequency
  o Sierra Wireless MC8765 (GSM/GPRS/HSDPA/UMTS) - North American frequency
Operate with newer Sierra Wireless AirCard 850 with SIM PINs enabled.
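
The Socket Tunnel behaviour described in the enhancements above, shown as an added example that is not Digi firmware code. It covers the direction in which the local device initiates the tunnel. The function names, the loopback bind and the choice to apply TLS only on the outbound leg are assumptions made for illustration.

```python
import socket
import ssl
import threading


def verified_tls_context():
    """Client-side TLS context with certificate and hostname checks enabled."""
    return ssl.create_default_context()


def _pump(src, dst):
    """Copy bytes one way until src reaches EOF, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle(local, dest, tls_ctx=None):
    """Open the separate onward connection, then proxy in both directions."""
    with local:
        remote = socket.create_connection(dest)
        if tls_ctx is not None:  # assumption: protect only the remote-network leg
            remote = tls_ctx.wrap_socket(remote, server_hostname=dest[0])
        with remote:
            back = threading.Thread(target=_pump, args=(remote, local), daemon=True)
            back.start()
            _pump(local, remote)
            back.join()


def start_tunnel(listen_port, dest, tls_ctx=None):
    """Listen on the configured port; every accepted socket initiates a tunnel."""
    srv = socket.create_server(("127.0.0.1", listen_port))

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            threading.Thread(target=handle, args=(conn, dest, tls_ctx),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv
```

Passing `verified_tls_context()` as `tls_ctx` makes the onward leg fail closed on an untrusted or mismatched certificate, while the local leg stays plaintext and relies on the local network being trusted.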

BUG FIXES:
Fixed an issue in which some of the cached DHCP Server configuration information may be corrupt after a button reset. (18483)
Fixed an issue in which a network endpoint (UDP socket) could become blocked because of an empty packet being sent to it. (18626)
Invalid alarm subject when configuring an snmp trap alarm. (17656)
In Network Services Settings page, ADDP UDP port may no longer be configured by the user. (16811)
Added mobile phone number of cellular modem to Mobile System Information page in web UI. (17752)
Fixed an issue in which telnet breaks were not being sent on a serial port. (17568)
Fixed memory leaks. (17730, 18440)
Fixed a failure to detect in a timely manner the end of a session in SSL/TLS, particularly during the handshake phase. (19068)
Removed unneeded or invalid groups from the RCI reply. This eliminates confusion and significantly reduces the size of the generated output. (18880)
Corrected duplicate and elements in the group. (19052)
Added multiple AES key lengths (128, 192 and 256 bit) to ISAKMP/IKE phase 1 encryption proposals. Clarified encryption proposals for ISAKMP/IKE phase 2 proposals, which currently support only 256-bit keys. Removed the other key length selections from the UI for phase 2, until we support a configurable AES key length. (18824)

82001276_B1 (2.4.2.3) - May 10, 2006
- Fixed an issue, where, in certain circumstances, the device would not retain the correct default IP address assignment configuration. (18544)

82001276_B (2.4.2.1) - April 28, 2006
- SureLink (tm) link integrity monitor.
- DynDNS.org dynamic DNS support.
- GSM data-only SIM/plan support.
- Mobile data throughput enhancements.
- Support for newer AirCard 860 firmware (1.1.29).
- An issue was corrected which may have prevented negotiation of PAP over the mobile link.
- An issue was corrected where, under certain conditions, it was possible for the Digi Connect to be unaware of the dropped mobile link.

82001276_A - January 23, 2006
Initial release.