Digi Connect Release Notes
Part Number 93000608_N2
For Digi Connect Firmware Version 2.17.1.4 Release N1

INTRODUCTION

This is a production release of firmware for a limited group of the Digi Connect family of wired and wireless products. The Digi Connect embedded and stand-alone device servers allow you to add web-enabled networking using a variety of connectivity options. The Digi Connect device servers provide powerful "plug-and-play", customizable and future-safe features, and performance in one of the smallest solutions available.

SUPPORTED PRODUCTS

82000908_L1 - 2.12.4
  Digi Connect SP
  Digi Connect SP RS232
  Digi Connect SP 2-port MEI
  Digi Connect SP 2-port RS232

82000977_M1 - 2.17.1
  Digi Connect Wi-ME
  Digi Connect Wi-ME CLI

82000983_M1 - 2.17.1
  Digi Connect Wi-EM

82001116_K - 2.8.2
  Digi Connect ME (2 MB)
  Digi Connect ME (2 MB) CLI

82001118_K - 2.8.2
  Digi Connect EM

82001120_M - 2.17.0
  Digi Connect ME 4
  Digi Connect ME CLI
  Digi Connect N2S-170

82001220_L - 2.12.4
  Digi Connect Wi-SP
  Digi Connect Wi-SP 2-port MEI
  Digi Connect Wi-SP 2-port RS232

82001607_M - 2.17.0
  Digi Connect ME-9210 (4 MB)
  Digi Connect ME-9210 (8 MB)

82002740_N - 2.17.0
  Digi Connect SP MEI Python
  Digi Connect SP RS232 Python

82002741_N1 - 2.17.1
  Digi Connect Wi-SP Python (16 MB)

ENHANCEMENTS

To comply with North American FCC regulations, the WiFi driver now always operates in a world-wide mode. Active scanning occurs by default on channels 1-11 and is extended to any channel on which a Beacon is received. Moreover, active scanning is extended to the appropriate country channel mask when an 802.11d Beacon is received. The WiFi driver also always enables 802.11d and 802.11h by default. In addition, the Ad Hoc wireless network type has been removed, as well as any ability to configure country code, channels, or network type. (JIRA NDS-94)

BUG FIXES

CLI "display wlan" and the web UI incorrectly showed an AES encrypted connection as "WEP CCMP". Fixed. (JIRA NDS-98)

KNOWN ISSUES

The WiFi options which were removed to comply with North American FCC regulations (channel, country code, and protocol mode) still show up in Device Cloud. However, they cannot be modified and will be removed in a subsequent release of the Device Cloud software. (JIRA NDS-99)

With encryption set to AES on a wireless device, serial throughput will be lower than usual.

The unit must be power cycled for new port sharing settings to take effect.

It is not currently possible to configure the escape characters used by client applications (connect, telnet, and rlogin).

If the standard web service (HTTP) is disabled, the encrypted web service (HTTPS) stops operating. They will be made independently selectable in a future release.

When attempting to upgrade the firmware on a unit which has password authentication enabled, the initial release of the firmware would fail. This current release includes a workaround to this behavior by allowing the user to disable passwords during the time period of the firmware upgrade.

In order to clear the persistent configuration storage from the CLI, execute the "boot action=factory" command. The only web-accessible method for clearing the storage is the reset functionality in the administrative pages at "admin/factory_defaults.htm".

When attempting to replace files in the file system, simply overwrite the existing version of the file rather than deleting the file first. Attempting to delete the file first defeats the internal file versioning maintained by the firmware, and can confuse your browser's cache. For the most consistent experience with the user interface, it is suggested that you clear your Internet cache.

Microsoft Internet Explorer 6 Service Pack 1 (SP1) has a known problem where it displays the error message "Internet Explorer Cannot Open" when you use an HTTPS URL to access this Digi product.
The following Microsoft article explains the problem:
http://support.microsoft.com/default.aspx?kbid=812935

Digi devices do not support SSL renegotiation. This can cause problems with some OpenSSL applications that do not correctly handle this situation. To work around this problem, use the "openssl -quiet" option.

There is no IPv6 support for IA (Industrial Automation) or Modem Emulation.

TFTP using IPv6 addresses is not supported.

Backup using IPv6 addresses is supported using the web UI but not the CLI.

Downgrading a unit from an IPv6-enabled EOS to an IPv4-only EOS will result in the loss of some IP address settings. To ensure that settings are not lost in this situation, a user is advised to back up their device prior to upgrading it to an IPv6-enabled EOS. If, after upgrading, a user wishes to go back to an IPv4-only EOS, they should:
o Upload the IPv4-only EOS to the device
o Revert the device to factory defaults
o Restore the device using the saved backup configuration

The ME 4 does not have an IPv4-only EOS release. For the Wi-ME, the IPv4-only releases are Release H and earlier. The IPv6-enabled releases are Release H1 and later.

The IA route option "set ia route connect={active|passive}" is not supported in this release. Contrary to what is stated in the Command Reference manual, connect cannot be set to active.

Setting the Serial Profile to Industrial Automation only works smoothly if you have NOT set IA parameters manually by Telnet or command line. Use one method only - either the web UI or Telnet.

CONNECTING TO THE WIRELESS DEVICE

The device can only be configured over the wireless link with an access point. In order to establish a wireless link, the access point must have authentication and encryption disabled. Furthermore, to ensure that the Connect wireless device establishes a link with the correct access point, the access point should use the SSID of "Connect".

By factory default our device scans through each wireless channel and generates a list of access points. It then associates with the access point with the strongest signal. However, it will choose to associate with an access point with the SSID of "Connect" over another access point that has a different SSID, regardless of which access point has the stronger signal. When the device successfully associates with an access point, its link LED will go solid.

RESETTING THE UNIT

Digi Connect device server firmware has an enhanced ability to be both soft reset as well as reset to its factory defaults. Both functions may be invoked on the ME and the Wi-ME via manipulation of pin 20 on the module's header:
* If the module is running (i.e. more than a few seconds after power on), holding pin 20 low for a second and then raising it will soft reset the unit.
* If pin 20 is held low for more than 10 seconds from the power on or release from hard reset of the unit, and then raised, it will reset the unit to its factory default state.
For all devices, the action takes effect when reset is released.

ADDITIONAL INFORMATION

On initial boot of this device, it will generate encryption key material: an RSA key for SSL/TLS operations, and a DSA key for SSH operations. This process can take as long as 40 minutes to complete. Until the corresponding key is generated, the device will be unable to initiate or accept that type of encrypted connection. It will also report itself as 100% busy but, since key generation takes place at a low priority, the device will still function normally. On subsequent reboots, the device will use its existing keys and will not need to generate another unless a reset to factory defaults is done, which will cause a new key to be generated on the next reboot.

USING MODBUS BRIDGE

This image includes a Modbus protocol bridge. Modbus is one of the most common "third party" interfaces for industrial equipment.
The full protocol specification can be found at www.modbus.org

The Modbus Bridge functionality enables Masters and Slaves to communicate using any combination of the 3 official dialects:
- Modbus/TCP transported by TCP/IP or UDP/IP
- Modbus/RTU transported by serial, TCP/IP, or UDP/IP
- Modbus/ASCII transported by serial, TCP/IP, or UDP/IP

One-serial-port bridges are defined by the role of the attached serial device. Selecting the "Industrial Automation" serial port profile enables you to define either:
1) Serial Modbus master accessing remote IP-based Modbus slaves
2) Remote Modbus masters sharing a serial Modbus slave(s)

See Digi Support Document 90000638 for more details on various ways to set up and use a Modbus Protocol Bridge:
http://ftp1.digi.com/support/documentation/90000638_a.pdf

See Digi Support Document 90000649 for more details on how the message queuing and processing works within a Modbus Bridge:
http://ftp1.digi.com/support/documentation/90000649_a.pdf

HISTORY

Version 2.17.0, Release N

ENHANCEMENTS

Rebranded "iDigi" as "Device Cloud".

Improve event log and trace messages to better identify the general cause of a PPP chat script failure.

Support differential configuration backups via the web user interface and command line interface (CLI), containing only settings groups whose values differ from the device defaults (settings class and custom defaults). This produces a smaller backup file that is more readily reviewed and perhaps edited for use as a defaults.rci file (custom factory defaults).

For user configuration, improve the web page text and associated help to emphasize the selection of the desired device access and feature permissions for user logins that are added beyond the default "root" user. (44865)

Add support to perform configuration backup/restore operations via the CLI "backup" command and the web UI. Files are in the internal WEB filesystem.
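The three dialects listed under USING MODBUS BRIDGE above carry the same protocol data unit in different framings. As an added example (not Digi's bridge code, and not from the support documents linked above) of what a single-port bridge does when it re-frames a request, the Python below converts between Modbus/RTU, Modbus/ASCII and Modbus/TCP framing and drops any serial frame whose CRC or LRC fails to verify, so a corrupted frame is never forwarded onto the IP side. The unit id, transaction id and the request itself are constructed sample values.

```python
"""Modbus dialect conversion as a one-serial-port bridge performs it.

Added example, not the firmware's bridge implementation. The RTU CRC-16 and
ASCII LRC are verified before a frame is re-framed for Modbus/TCP; a frame
that fails its check is dropped rather than forwarded. Sample values
(unit id 17, a read of two holding registers) are constructed.
"""
import struct
from typing import Optional, Tuple


def crc16_modbus(data: bytes) -> int:
    """Modbus RTU CRC-16 (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def lrc(data: bytes) -> int:
    """Modbus ASCII longitudinal redundancy check: two's complement of the byte sum."""
    return (-sum(data)) & 0xFF


def rtu_to_pdu(frame: bytes) -> Tuple[int, bytes]:
    """Verify and strip the RTU CRC; return (unit_id, pdu) or raise ValueError."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, crc_bytes = frame[:-2], frame[-2:]
    # RTU transmits the CRC low byte first.
    if struct.unpack("<H", crc_bytes)[0] != crc16_modbus(body):
        raise ValueError("RTU CRC mismatch, frame dropped")
    return body[0], body[1:]


def pdu_to_rtu(unit_id: int, pdu: bytes) -> bytes:
    body = bytes([unit_id]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def ascii_to_pdu(frame: bytes) -> Tuple[int, bytes]:
    """Parse ':' + hex digits + LRC + CRLF; verify the LRC; return (unit_id, pdu)."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("bad ASCII framing")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, frame_lrc = raw[:-1], raw[-1]
    if lrc(body) != frame_lrc:
        raise ValueError("ASCII LRC mismatch, frame dropped")
    return body[0], body[1:]


def pdu_to_ascii(unit_id: int, pdu: bytes) -> bytes:
    body = bytes([unit_id]) + pdu
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode("ascii") + b"\r\n"


def pdu_to_tcp(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix the PDU with an MBAP header: transaction id, protocol 0, length, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def tcp_to_pdu(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (transaction_id, unit_id, pdu); the MBAP length must match the frame."""
    if len(frame) < 7:
        raise ValueError("Modbus/TCP frame too short")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header, frame dropped")
    return tid, unit_id, frame[7:]


def forward_or_drop(rtu_frame: bytes, transaction_id: int) -> Optional[bytes]:
    """Bridge a serial RTU frame to Modbus/TCP, or return None when its CRC fails."""
    try:
        unit_id, pdu = rtu_to_pdu(rtu_frame)
    except ValueError:
        return None
    return pdu_to_tcp(transaction_id, unit_id, pdu)


# Constructed sample request: function 3, read 2 holding registers from address 0, unit 17.
SAMPLE_PDU = bytes([0x03, 0x00, 0x00, 0x00, 0x02])
SAMPLE_RTU = pdu_to_rtu(17, SAMPLE_PDU)
```

The CRC routine is checked in the test against the widely published RTU example frame 11 03 00 6B 00 03, whose CRC bytes are 76 87; the bridging functions are checked by round-tripping the constructed request through each framing and by confirming that a frame with a flipped CRC byte is dropped.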
Add the CLI "file" command that can copy, remove, rename and list files in the Digi flash filesystems. For security reasons, the file options copy, remove and rename are not permitted for files in subdirectories of the WEB filesystem (e.g., "python"). The "file" command also supports the display of total/used/available filesystem space. The options are described by "help file".

New Packet Capture (PCAP) feature:

Add support to the network stack for internal packet captures from various network interfaces. Users can capture packets from eth0, eth1, wln0, mobile0, wmx0 and pppN (serial, N=0-9), with the possible network interfaces differing among Digi products. Only a single interface at a time can be captured. Capture output is a standard PCAP-format stream that can be interpreted by common capture analysis tools.

The feature adds a CLI "pcap" command with a variety of options to manage and perform captures. As a security measure, by default, the packet capture capability is disabled when a device boots. There are no stored settings -- all configuration and use of PCAP is a runtime matter after a device boots. The pcap command is hidden from the usual command help unless it is explicitly invoked. Trace output for "pcap" is added to trace capture actions and activity for debugging purposes.

Packet captures can be obtained locally to the device from the CLI, with the output written to a local file in the WEB flash filesystem. Local captures may be performed as "foreground" or "background" tasks. Captures also can be obtained by connecting to the configured PCAP capture TCP port of the NDS device, when such "network" captures are enabled by the user. This permits "clients" such as netcat to connect and capture the packet stream. Such remote packet captures should not be performed by connecting over the network interface whose packets are being captured. The CLI "pcap" help text documents the various options and caveats for use of the packet capture feature.
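A capture collected over the PCAP capture TCP port is the same byte stream that a local capture file contains, so a reader that consumes the stream incrementally can handle both. The Python below is an added example, not the firmware's code nor any Digi tool: it parses the pcap global header and each record header, bounds every record by the header's own snaplen before reading it, detects a stream that ends mid-record (as happens when a capture client disconnects early), and summarizes Ethernet/IPv4 frames. The embedded capture is constructed inline using RFC 5737 documentation addresses so the example runs offline; captures from pppN interfaces use a different link type and are rejected by this decoder.

```python
"""Incremental reader for a standard pcap stream (file or TCP capture port).

Added example, not the firmware's packet capture implementation. The sample
capture at the bottom is constructed here with documentation addresses.
"""
import io
import struct
from typing import Iterator, List, Tuple

# Magic values as seen when the first four bytes are unpacked little-endian.
MAGIC_LE_US = 0xA1B2C3D4   # little-endian file, microsecond timestamps
MAGIC_LE_NS = 0xA1B23C4D   # little-endian file, nanosecond timestamps
MAGIC_BE_US = 0xD4C3B2A1   # big-endian file, microsecond timestamps
MAGIC_BE_NS = 0x4D3CB2A1   # big-endian file, nanosecond timestamps
LINKTYPE_ETHERNET = 1


def read_exact(stream, n: int) -> bytes:
    """Read n bytes, looping over the short reads a socket may deliver."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def pcap_records(stream) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp_seconds, original_length, captured_bytes) for each record."""
    hdr = read_exact(stream, 24)
    if len(hdr) != 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic in (MAGIC_LE_US, MAGIC_LE_NS):
        endian = "<"
    elif magic in (MAGIC_BE_US, MAGIC_BE_NS):
        endian = ">"
    else:
        raise ValueError("not a pcap stream (magic %#x)" % magic)
    ts_div = 1e9 if magic in (MAGIC_LE_NS, MAGIC_BE_NS) else 1e6
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is decoded here (got %d)" % linktype)
    while True:
        rec = read_exact(stream, 16)
        if not rec:
            return                       # clean end of stream
        if len(rec) != 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        # Never allocate more than the stream's own snaplen promises.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record length exceeds snaplen or original length")
        data = read_exact(stream, incl_len)
        if len(data) != incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec + ts_frac / ts_div, orig_len, data


def summarize(packet: bytes) -> str:
    """One-line description of an Ethernet frame; only IPv4 is decoded."""
    if len(packet) < 34:
        return "short frame (%d bytes)" % len(packet)
    ethertype = struct.unpack(">H", packet[12:14])[0]
    if ethertype != 0x0800:
        return "non-IPv4 ethertype %#06x" % ethertype
    ihl = (packet[14] & 0x0F) * 4
    proto = packet[14 + 9]
    src = ".".join(str(b) for b in packet[26:30])
    dst = ".".join(str(b) for b in packet[30:34])
    return "IPv4 %s -> %s proto %d ihl %d" % (src, dst, proto, ihl)


def summarize_capture(raw: bytes) -> List[str]:
    return [summarize(pkt) for _ts, _orig, pkt in pcap_records(io.BytesIO(raw))]


def is_truncated(raw: bytes) -> bool:
    """True when the stream ends mid-header or mid-packet."""
    try:
        list(pcap_records(io.BytesIO(raw)))
    except ValueError:
        return True
    return False


# ---- constructed sample capture: two minimal Ethernet/IPv4 frames ----
def _frame(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return eth + ip + payload


def _record(ts_sec: int, frame: bytes) -> bytes:
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


GLOBAL_HEADER = struct.pack("<IHHiIII", MAGIC_LE_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
FRAME_A = _frame(bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]), 6, b"\x00" * 8)
FRAME_B = _frame(bytes([192, 0, 2, 20]), bytes([192, 0, 2, 10]), 17, b"\x00" * 8)
SAMPLE_CAPTURE = GLOBAL_HEADER + _record(1000, FRAME_A) + _record(1001, FRAME_B)
```

Reading from the capture port instead of the constructed bytes means passing a socket's `makefile("rb")` object to `pcap_records`; nothing else changes, which is the point of the device emitting the standard format.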
Improve the network stack's support for unpredictable IP ID use. The change provides better protection against a potential attacker as well as addressing a possible issue with IP fragmentation and reassembly.

Implement changes for possible programming issues that were identified by a static code analysis tool. The identified issues were reviewed and triaged, with changes resulting in many cases. Issues addressed include possible memory leak elimination, removal of unneeded code, improved error detection and handling, data initialization and buffer overflow prevention. While none of the changes are directly linked to issues reported by customers, the changes do improve overall firmware quality.

Add event logging and a CLI command to report the status of Custom Factory Defaults (CFD). If custom defaults are applied, or if some error occurs while trying to process them at start-up time, a "system" event log record is created. A hidden "cfd" CLI command will display the status of CFD processing. This is added to "display techsupport" as well. This is provided as an aid for troubleshooting.

Add event logging and trace for two internal APIs that can disconnect the iDigi connection via Python. Helpful for troubleshooting.

Optimize the internal na_pton() API to immediately fail look-ups when an empty string (IP address or domain name) is passed to that API. This improves performance in application code, since the eventual failure is reported immediately.

Eliminate unneeded code and data to reduce runtime memory use.

Improve the web pages for the Alarm Settings:
- For the individual alarm configuration page in the web UI, add a link to the SNMP Settings page in the existing page text where the SNMP trap can be enabled for the alarm. If no trap destination is configured, display "(not configured)" as the destination value rather than nothing.
- Improve error detection in the alarm edit web page.

Add "display serial" and "info serial" to the "display techsupport" command list.
Add the Python version number to the RCI query_state/device_info reply.

NEW iDIGI MANAGEMENT DEFAULTS

Firmware defaults have been changed to enable connectivity to the iDigi(R) Device Cloud and automatic registration of the device to the iDigi(R) Support+ account. Services for registered devices include remote Digi Technical Support, with access to a wider range of remote capabilities through the creation of an iDigi Manager Pro account. iDigi Manager Pro is a web-based service that provides central and remote device management tools including:
o Downloading of new software and updates
o Editing of configurations and settings
o Establishing user accounts with privileges
o Selecting additional security measures

For more information, visit www.idigi.com.

To disable the iDigi default connection:
1. Open the web UI of the gateway using the method outlined in the Quick Start Guide.
2. Navigate to the "Configuration > iDigi" section.
3. Uncheck the box labeled "Enable Device-Initiated iDigi Connection".
4. Press the "Apply" button.
5. Reboot the gateway.

Add the CLI command "revert wlan" and hide the "revert wireless" command (retained for backward compatibility). The option "wlan" is used for the commands set, show, display and info, so the use of "wireless" for revert was inconsistent. (34675)

When restoring a device to factory defaults, revert the certificates and keys only if ALL settings are being reverted. (36710)

Improve the network stack to address the issue described in US-CERT Vulnerability Note VU#498440: Multiple TCP/IP implementations may use statistically predictable initial sequence numbers. The note can be viewed at:
http://www.kb.cert.org/vuls/id/498440 (36183)

Improve the error messages that are reported due to ping CLI failures, such as when there is no route to the destination IP address, to be more specific to the underlying problem. (36872)

Add the TCP "timewait" option to the "set network" command. This option specifies the desired system-wide value in seconds for the TCP TIME_WAIT interval. The default value is 60 seconds, and the supported range is from 10 to 240 seconds inclusive. Also added to the RCI settings.

Add a note to the "set network" help, and to the "set network" output if a TCP option is changed, to clarify that the change is not applied to existing TCP connections, nor to service listeners until the listeners are restarted or a reboot occurs. Add similar notes to "revert network" help and "revert network" output if the global settings are reverted.

Add DHCP lease information to the output of the CLI command "show network" when the IP configuration for the Digi device is received from a DHCP server. The information shown includes the IP address of the DHCP server, the lease duration, the renew and rebind times, and the time remaining in the current lease.

Add support for a user-configured Maximum Transmission Unit (MTU) size for the Ethernet interface. The MTU size can be configured using the "mtu" option of the "set network" CLI command, or in the web interface on the Advanced Network Settings page in the Network Configuration area.

For the "display logging" CLI, add the ability to display the event log and continue to check for and display new log messages as they are written to the log. The help text for this command is updated to describe how to request and terminate the continuous log "tailing".

Improve the user interfaces for configuring static routes in the network stack. For a LAN interface, use the associated interface gateway IP if the static route rule is configured with a gateway address of 0.0.0.0. If the static route gateway IP is other than 0.0.0.0 for a LAN interface,

Update the SSL/TLS implementation with enhancements and bug fixes.

Enable TCP keep-alives by default for these services: ssh, telnet. This provides default cleanup of orphaned sessions.

Enable the telnet client command in the command-line interface (CLI).
(37522)

Add a new info command to the CLI, "info time". This command displays SNTP Client statistics when SNTP is configured as a time source.

Improve the parsing of RCI documents to better handle embedded XML comment and declaration values. (37651)

To the CLI, web UI and RCI, add flash (web) filesystem reporting for total, used and free space in the filesystem. Add these to:
- CLI: display device (info device)
- Web UI: General System Information page, and help
- RCI: DeviceStats class (new elements)
(38557)

The Connectware Manager (also referred to as Remote Management) has been rebranded in the Digi device firmware as "iDigi". This corresponds with the service being offered by Digi for this purpose. The iDigi feature has been improved to support binary data service and file system service between the device and the iDigi Server. These services are supported through interfaces available to Python applications in the device. See www.idigi.com for more information on iDigi.

A number of enhancements are added for the iDigi client in the Digi device firmware:
- iDigi activity is recorded in the Event Log.
- An iDigi client entry appears in the "Connections" list when:
  - The client is connected to the iDigi server.
  - The client is trying to connect to the iDigi server.
  - The client is waiting (listening) for the iDigi server to connect to it.
  - The client is waiting for a configured interval before initiating a (new) connection to the iDigi server.
  The connections list may be displayed in the CLI ("who") and in the web UI (Management > Connections).
- When the iDigi client is waiting to (re)connect to the server, the connection table entry may be "killed", in which case the wait is canceled and the connection attempt proceeds immediately.
- When the iDigi client is connecting to the server, the connection table entry may be "killed", in which case the connection attempt is abandoned. The "connecting" state is typically very brief. If for some reason the Digi device gets "stuck" in the "connecting" state, the kill request will terminate the condition. This is not an expected condition.
- Add the CLI command "display idigi" to report the iDigi connection status of the Digi device.
- Add the iDigi status web page under Administration > System Information to report the iDigi connection status of the Digi device.
- Show the iDigi Device Type for the Digi device on the iDigi Configuration page in the web UI. This is the device type by which the Digi device is known to the iDigi server. That value also is displayed via the CLI command "show mgmtglobal" and in the RCI output as (in addition to the existing field).
- Send the actual Digi device type to the iDigi server rather than a possibly user-customized product name in config.ini. Customized names are problematic for the iDigi server for device recognition and management. (1291266)
- Eliminate unsupported interfaces from the network settings RCI and related CLI (set mgmtnetwork). The web UI was already correct. (34520)
- Increase the maximum permitted request and reply document sizes for the iDigi protocol RCI facility. The new size accommodates encoded files of just over 2 MB.
- Expose the (previously hidden) devicesecurity CLI option from these commands: set, show, revert. This was previously available but hidden to prevent misuse of some of that command's capabilities. The options that could cause problems if misconfigured have been removed, so it is no longer necessary nor appropriate to hide the devicesecurity option. (34535)
- Add iDigi connection status items for send and receive idle times.
- Add iDigi Timed Connection support to the web UI and web help. This connection type has long been exposed via CLI and RCI.
- For the iDigi client configuration's connection server list, reduce the number of server entries to 4 from 8. The list of 8 is simply truncated to 4 for this change. An attempt to restore "deprecated" entries results in warnings, not errors, generated by the settings manager. Note that Digi devices are typically configured to use only one of the server list entries, so this change won't affect deployed products. This reduces runtime memory usage, NVRAM use for configuration setting storage and the RCI text generated for backups. (34309)
- Improve the error recovery algorithm for failed RCI requests received via iDigi. The updated algorithm reduces network activity by eliminating redundant error reports. Improve trace output for troubleshooting. (37637)
- Expand the description of iDigi keep-alives in the web help information.
- Add event log and trace messages for the "Disconnect" iDigi protocol message, to help with troubleshooting the loss of iDigi connections.

The Python ONEXIT condition has been added to the web UI. (37541)

As a debugging aid, improve the Python interpreter to report the filename of the calling code in tracebacks and other stack inspections. (32589)

Enhance filesystem support:
- Add POSIX APIs.
- Enhance Python interfaces.
- Extend the "ls" command for file systems in RCI to request a hash value be returned for files in the listing. At present, the only hash methods supported are "none" (the default) and "crc32".
- Extend all RCI implementations in NDS to support requesting a specific file rather than just a directory in an "ls" command request. The "dir" attribute of the "ls" command has been deprecated as a result, with the more applicable synonym "path" now taking its place as the standard attribute tag used to choose what should be listed.

For the IA feature, add support for fixed addresses when routing Modbus via XBee. (37200)

Remove unneeded and deprecated data and code to reduce memory use.

BUG FIXES

Fixed a bug where IA Modbus would have errors at low baud rates on the Digi Connect ME 9210.
Fixed a bug where the clockstamp on J1708 callbacks was rolling over at ~49.7 days. (NDS-24)

Fixed a bug where an unauthenticated user could delete a file from the filesystem. (NDS-69)

Fix a bug in which the "file copy ..." CLI command might fail if the destination is a directory rather than a file.

Fix a bug in the PPP settings (both serial and mobile) in which the maximum value length for the phone number fields was not sufficiently large. Values were limited to four characters rather than the intended maximum of 20. This issue affected iDigi users when configuring these settings. (45000)

Modify the TCP retransmit timeout (RTO) settings to support different minimum and maximum value ranges. Use of these new ranges may reduce TCP retransmits on mobile networks if application data is sent when the cell modem is in a standby state. The TCP RTO settings are modified to permit a minimum of 30-5000 ms (previously 30-1000) and a maximum of 5-240 seconds (previously 1-240). This system-wide setting affects all TCP connections at the time they are first established. The default values for RTO minimum and maximum are unchanged; only the permissible value ranges have changed. (44960)

Corrected wireless ad hoc behavior that caused units to lose connectivity. (45536)

Corrected Wi-Fi behavior that caused incorrect MAC address filtering and unnecessary re-associations. (45402)

Fixed a bug that caused the clockstamp returned with J1708 callbacks to roll over to zero after about 49.7 days. (NDS-24)

Fix a problem in which DSA security does not work with the Digi SSL implementation. (42451)

Fix a bug in which autoconnect was failing to attempt a sslauth connection. (42575)

Fix a problem with serial PPP that results in a failed LCP negotiation on the next (immediate) connection attempt following a PPP session disconnect. (44060)

Fix a data abort exception in the Python digicli module that can occur due to an allocated buffer overflow for CLI output lines that exceed 256 characters. Although such long lines aren't likely, the crash could result from any CLI output with long lines. The fix limits the output strings to 2048 bytes at most, breaking them into segments if necessary, and it precludes the overflow condition. No CLI output is lost as a consequence of this change.

Fix problems in the RCI handling for the and settings. The problems were exposed in the iDigi device configuration interface for these settings. Issues addressed are:
- Add missing elements in settings.
- Remove excess/incorrect elements in settings.
- Correct the value range identification for some elements, specifically those related to group association.
Improve the element description strings displayed by iDigi. (41545)

Fix a problem in which configuration backup/restore with the keys/password option selected does not include some keys. In particular, the SSH and SSL private keys were absent but are now included in the backup RCI as encrypted values, only if the user requests them as such. This uses the same method as for passwords and other keys. (44048)

Fix a problem in which the CLI "certmgmt" command quietly creates empty files when saving private keys (SSH, SSL, VPN). Per security requirements, disallow saving private keys via "certmgmt" and provide an explicit error message to the user. Detect empty certificates and invalid index (range) values and provide an appropriate error message for such cases. (44048)

Fix the web server to reset form items for multipart/form-data. (41637)

Fix this reported bug: Python TFTP Remote Start fails with \r\n line endings. Uninitialized "garbage" at the end of the result buffer could cause odd error messages. A previous change for issue 26971 (in 2008) strips carriage returns from the received file. That change had a bug in which it did not terminate the remaining text correctly, leaving garbage at the end of the result buffer. This commit corrects that bug. (40307)

Fix a bug in which Python digicli.digicli.__doc__ returns a confusing response. (40421)

Fix an SNMP issue that could cause an SNMP denial of service. (39737)

Fix a panic that could occur while accessing some System Information pages in the web UI. (38729)

Fix a bug in which the help text for the "show ia" CLI command contains "garbage" characters. (41619)

Fixed an issue where the time offset to UTC was being applied twice in getDateTimeAdjusted() calls through iDigi.

Fixed an issue that caused a Digi device to momentarily disconnect from iDigi when iDigi Manager Pro opens the device's Properties page.

Fix a problem that caused the Python built-in time.clock() call to return a value that "rolls over" after approximately 49.7 days of operation after a boot of the Digi device. This occurred due to an internal clock counter rollover. It could cause a Python application program to assume that the clock (and time) had gone backwards, resulting in unpredictable behavior of the application. (37986)

Fix a bug that may result in a memory leak when a fully qualified domain name (FQDN) is configured for an SNTP Server as a time source in the Date and Time Settings (CLI "set clocksource"). (37807)

Fix a bug in which multiple SNTP Server entries may be configured as time sources in the Date and Time Settings, but only the first one in the list is used. (33367)

Fix an issue in the SNTP Client that results in frequent name resolution attempts (one per second) if a domain name is configured for an SNTP time source. This may occur if the name is invalid or cannot be resolved by the configured DNS servers. A backoff is implemented to mitigate the too-frequent name resolution attempts. (32652)

Fix a bug in which the localtime() API didn't correctly adjust time by the specified timezone offset. (36959)

Fix a bug in which setting the time with a year greater than 2036 causes the wrong year to be set. (32781)

Address SSH public key authentication issues. (37339)
- Fix a bug in which configuration settings support for SSH public key authentication was inconsistently implemented in the Digi firmware, depending on the product and user interface being used.
- Ensure that user authentication is in accordance with RFC 4252.
- Eliminate a memory leak when configuring a public key via tftp.
- Improve SSH trace output for troubleshooting purposes.

Fix a bug in which changing the IP address from dynamic to static via the web UI redirects to a URL mix of old/new IP addresses. Also correct a failure to redirect if the service port for HTTP or HTTPS is other than the usual values 80 or 443, respectively. (33205)

Fix a problem in which Classless Inter-Domain Routing (CIDR) fails to route correctly under certain narrow instances (such as routing between hosts with IP addresses 25.0.0.50 and 24.0.0.50, with a subnet mask of 248.0.0.0). (37043)

Fix a problem in which the Ethernet driver might lose synchronization between its interrupt handler and its packet receive processing thread. This could cause received packets to be held in the driver's receive buffer ring and not passed to the network stack in a timely manner. Under such a condition, network communication might appear to be broken for network protocols and applications. (35638)

Fix a possible panic that occurs while configuring the primary network interface (Ethernet) and saving the changes to NVRAM. (35715)

Fix a bug in which the file system component was incorrectly accounting for open directories in the system. Due to this bug, it was possible that the open would fail regardless of actual resource availability. (31645)

Fix a bug in a previous fix to gettimeofday() that causes incorrect display and behavior in "set time" and the Date and Time web page. (35957)

Fix a bug in uudecodeToFile() that causes RCI file transfers to fail when there is white space after the file data. (36147)

Fix a bug in which the Digi device might panic (reboot) when using the CLI command "certmgmt" to generate a key for SSH. (33249)

Fix a bug in which the cold start trap is sent every time the user enables "Generate cold start traps" in the web page or the CLI. (33655)

Fix a pmodem feature problem for which, under some conditions, an ATDT command (that normally works correctly) stops working. (34433)

Fix a problem for the Industrial Automation (IA) feature in which the full settings were not properly restored from a backup file. (35891)

Fix an IA Modbus problem in which a buffer was being freed twice when a message send failed because the network connection was down. This could result in a panic reboot. (32914, 34800)

Fix a problem in which the Industrial Automation "Hostname" was not properly set on a configuration restore. (34086)

Fix a Python socket read failure that could occur if a timeout is set on an SSL socket.

Fix an inconsistency and bug in which the Python command string was not properly managed with its maximum length value of 127 characters.

The value returned by the Python time.time() function is no longer modified by the offset option of "set time". The function gettimeofday() was returning UTC biased by "offset". (34994)

For Digi products that do not expose the serial port to the end user, fix a bug in which profile settings are exposed but should not be. This affects:
- CLI (set/show/revert profile and "display techsupport")
- Configuration backup
(33414)

Fix a bug in which the "set_factory_default" RCI request incorrectly states in its RCI descriptor text that a device reboot will be performed after the "factory" action has been completed. No reboot is performed.

Eliminate several potential memory leaks.
(34946)

Version 2.13.1.2, Release M2

BUG FIXES

Corrected an issue where the reset button no longer worked for reboot or reset to factory defaults.

Version 2.13.1.1, Release M1

BUG FIXES

Disable a new EDP messaging facility that was not intended for this release.

Version 2.13.1, Release M

ENHANCEMENTS

Added support for the Digi Connect SP MEI Python, Digi Connect SP RS232 Python, and Digi Connect Wi-SP Python (16 MB) platforms. Note that 82002740 and 82002741 EOS's cannot be loaded on 82000908 or 82001220 platforms; and 82000908 and 82001220 EOS's cannot be loaded on 82002740 or 82002741 platforms.

Add the TCP "timewait" option to the "set network" command. This option specifies the desired system-wide value in seconds for the TCP TIME_WAIT interval. The default value is 60 seconds, and the supported range is from 10 to 240 seconds inclusive. Also added to the RCI settings.

Add a note to the "set network" help, and to the "set network" output if a TCP option is changed, to clarify that the change is not applied to existing TCP connections, nor to service listeners until the listeners are restarted or a reboot occurs. Add similar notes to "revert network" help and "revert network" output if the global settings are reverted.

For the "display logging" CLI, add the ability to display the event log and continue to check for and display new log messages as they are written to the log. The help text for this command is updated to describe how to request and terminate the continuous log "tailing".

CLOCK (TIME) SOURCE MANAGEMENT SUPPORT

The "Clock Source" functionality of the system has been replaced so as to simplify the behavior and improve the consistency of the time values delivered by the system, while still allowing the system to maintain a level of synchronization with external time sources. The updated feature includes a ranking system for clock sources. If a sample is taken from a better clock source than what has thus far been received (one with a smaller rank number), the sample will be used to influence the baseline of our time measurements, and all sources of a less significant rank will be temporarily disabled. This allows the system to get a relatively accurate sense of time as quickly as possible, but eventually to run listening only to the best available external sources.

Internally, on products that have an RTC, the RTC itself is given a ranking of 50. This allows clock sources to be configured with a less significant ranking than the RTC, arranging that they are only enabled while the RTC has not yet been initialized with a time value, essentially assigning them as one-shot programmers of the RTC.

The rankings are re-evaluated when the clock sources are reconfigured, or when a user interface causes a "jump" in the time. Event logging of time-related events is also improved. The event log may be displayed using the "display logging" CLI or via the web UI.

Changed the SNMP service default from "on" to "off" to improve initial device security.

BUG FIXES

Address SSH public key authentication issues. (37339)
- Fix a bug in which configuration settings support for SSH public key authentication was inconsistently implemented in the Digi firmware, depending on the product and user interface being used.
- Ensure that user authentication is in accordance with RFC 4252.
- Eliminate a memory leak when configuring a public key via tftp.
- Improve SSH trace output for troubleshooting purposes.

Fix a bug in which an SSH user other than the root user might acquire root user permissions for CLI commands. (37483)

Fix a bug that may result in a memory leak when a fully qualified domain name (FQDN) is configured for a SNTP Server as a time source in the Date and Time Settings.
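The clock source ranking introduced under Release M above, as an added Python model that is not Digi firmware code: a better-ranked sample takes over the baseline and disables less significant sources, an uninitialised RTC is programmed once and then ranks at 50, and a user time jump re-evaluates everything. The source names, the one-shot source's rank of 60, the SNTP rank of 10 and the sample values are constructed; only the RTC rank of 50 comes from the notes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RTC_RANK = 50  # rank the notes assign to an on-board RTC


@dataclass
class ClockSource:
    name: str
    rank: int             # smaller number = more trusted source
    enabled: bool = True


@dataclass
class TimeManager:
    sources: Dict[str, ClockSource]       # include "rtc" on products that have one
    best_rank: Optional[int] = None       # best rank received since the last re-evaluation
    baseline: Optional[float] = None      # UTC seconds adopted as the time baseline
    rtc_value: Optional[float] = None     # None until the RTC has been programmed
    log: List[str] = field(default_factory=list)

    def accept_sample(self, name: str, utc_seconds: float) -> bool:
        """Apply one time sample; returns True if it set the baseline."""
        src = self.sources[name]
        if not src.enabled:
            self.log.append(f"sample from disabled source {name} ignored")
            return False
        if self.best_rank is not None and src.rank > self.best_rank:
            return False  # a better-ranked source already owns the baseline
        if self.best_rank is None or src.rank < self.best_rank:
            self.log.append(f"baseline taken from {name} (rank {src.rank})")
        self.best_rank = src.rank
        self.baseline = utc_seconds
        # Every source of less significant (larger) rank is switched off.
        for other in self.sources.values():
            if other.rank > src.rank and other.enabled:
                other.enabled = False
                self.log.append(f"disabled {other.name} (rank {other.rank})")
        # An uninitialised RTC is programmed from the adopted baseline; after
        # that it supplies its own samples at rank 50 (see rtc_sample).
        if "rtc" in self.sources and self.rtc_value is None and name != "rtc":
            self.rtc_value = utc_seconds
            self.log.append("rtc programmed")
        return True

    def rtc_sample(self) -> bool:
        """Feed the RTC's own reading back in as a rank-50 sample."""
        if self.rtc_value is None or "rtc" not in self.sources:
            return False
        return self.accept_sample("rtc", self.rtc_value)

    def reevaluate(self) -> None:
        """Reconfiguring the sources or a user time jump restarts the ranking."""
        self.best_rank = None
        for src in self.sources.values():
            src.enabled = True
        self.log.append("rankings re-evaluated")

    def user_jump(self, utc_seconds: float) -> None:
        """A time set from a user interface: new baseline, then re-evaluate."""
        self.baseline = utc_seconds
        if "rtc" in self.sources:
            self.rtc_value = utc_seconds
        self.reevaluate()

    def enabled_sources(self) -> List[str]:
        return sorted(n for n, s in self.sources.items() if s.enabled)


def run_scenario() -> TimeManager:
    """Constructed walk-through on a product with an RTC: a one-shot source
    (assumed rank 60) programs the RTC, then SNTP (assumed rank 10) takes over."""
    tm = TimeManager({"sntp": ClockSource("sntp", 10),
                      "rtc": ClockSource("rtc", RTC_RANK),
                      "oneshot": ClockSource("oneshot", 60)})
    tm.accept_sample("oneshot", 1_000_000.0)  # nothing better yet: adopted, RTC set
    tm.rtc_sample()                           # rank 50 beats 60: oneshot disabled
    tm.accept_sample("sntp", 1_000_005.0)     # rank 10 beats 50: rtc disabled too
    tm.accept_sample("oneshot", 0.0)          # ignored, the source is disabled
    return tm
```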
(37807)

Fix an issue where IPv6 destinations do not work with Wi-Fi devices. (38166)

Version 2.12.4, Release L1

ENHANCEMENTS

Improved manufacturability.

Version 2.12.4, Release L

ENHANCEMENTS

As a security enhancement, SNMP has been turned off by default for the Connect ES, ConnectPort TS 1/2/4/W, Connect SP, and Connect Wi-SP.

Improve the user interfaces for configuring static routes in the network stack. For a WAN interface, always use the interface gateway IP address. For a LAN interface, use the associated interface gateway IP if the static route rule is configured with a gateway address of 0.0.0.0. If the static route gateway IP is other than 0.0.0.0 for a LAN interface, use that configured value. This properly and implicitly accommodates WAN interface static routes and allows the user to select use of the LAN interface gateway or a configured value for LAN interface static routes. The web UI help is updated to describe this enhancement.

Improve the network stack to address the issue described in US-CERT Vulnerability Note VU#498440: Multiple TCP/IP implementations may use statistically predictable initial sequence numbers. The note can be viewed at: http://www.kb.cert.org/vuls/id/498440. (36183)

Expand the description of iDigi keep-alives in the web help information.

Add a Network Port Scan Cloaking feature that permits users to prevent replies to various received packets for which there is no local service. On a global or per-network-interface basis, one can disable ping replies, TCP reset replies for received connection requests to unused ports, and ICMP destination/port unreachable replies to received UDP datagrams destined for unused ports. This capability "cloaks" a device from being probed on such unused ports, and it reduces packet traffic by eliminating replies that may be billable to service accounts (e.g., cellular service). This feature is exposed in the CLI as the "scancloak" option, and it is supported in the web UI on the Advanced Network Settings page under the Network Configuration section. By default, this feature is disabled.

Add iDigi connection status items for send and receive idle times.

Add an optional interface name list to "display pppstats" so individual specific interfaces can be displayed. The absence of interface name parameters causes all valid PPP interfaces to be displayed.

Enhance the Wi-Fi support.
- Add "802.11d" configuration on the Wi-Fi LAN Settings web page. 802.11d Multi Domain Capability enables device operation in additional regulatory domains (countries) with the allowed channel set and tx power.
- Add "EAP-FAST" network authentication configuration on the Wi-Fi Security Settings web page. EAP-Flexible Authentication via Secure Tunneling is now supported in WPA.
- Add the CLI command "revert wlan" and hide the "revert wireless" command (retained for backward compatibility). The option "wlan" is used for the commands set, show, display and info, so the use of "wireless" for revert was inconsistent. (34675)

Update the SSL/TLS implementation with enhancements and bug fixes.

Enhance PPP support:
- Add PPP server for standard serial ports.
- Add PPP server port profile to web UI.
- Display statistics for all PPP instances on CLI "display pppstats".
- Rename CLI set/show/revert "pppoutbound" commands to "ppp".
- Encrypt PPP passwords in RCI and backup files.

Add a new info command to the CLI, "info time". This command displays SNTP Client statistics when SNTP is configured as a time source.

Enable TCP keep-alives by default for these services: ssh, telnet. This provides default cleanup of orphaned sessions.

Clarify description: the serial statistics page displays the current port settings. (32689)

The Connectware Manager (also referred to as Remote Management) has been rebranded in the Digi device firmware as "iDigi".
This corresponds with the service being offered by Digi for this purpose. A number of enhancements are added for the iDigi client in the Digi device firmware:
- iDigi activity is recorded in the Event Log.
- An iDigi client entry appears in the "Connections" list when:
  - The client is connected to the iDigi server.
  - The client is trying to connect to the iDigi server.
  - The client is waiting (listening) for the iDigi server to connect to it.
  - The client is waiting for a configured interval before initiating a (new) connection to the iDigi server.
  The connections list may be displayed in the CLI ("who") and in the web UI (Management > Connections).
- When the iDigi client is waiting to (re)connect to the server, the connection table entry may be "killed", in which case the wait is canceled and the connection attempt proceeds immediately.
- When the iDigi client is connecting to the server, the connection table entry may be "killed", in which case the connection attempt is abandoned. The "connecting" state is typically very brief. If for some reason the Digi device gets "stuck" in the "connecting" state, the kill request will terminate the condition. This is not an expected condition.
- Add the CLI command "display idigi" to report the iDigi connection status of the Digi device.
- Add the iDigi status web page under Administration > System Information to report the iDigi connection status of the Digi device.
- Show the iDigi Device Type for the Digi device on the iDigi Configuration page in the web UI. This is the device type by which the Digi device is known to the iDigi server. That value is also displayed via the CLI command "show mgmtglobal" and in the RCI output as (in addition to the existing field).
- Send the actual Digi device type to the iDigi server rather than a possibly user-customized product name in config.ini. Customized names are problematic for the iDigi server for device recognition and management. (1291266)
- Eliminate unsupported interfaces from the network settings RCI and related CLI (set mgmtnetwork). The web UI was already correct. (34520)
- Increase the maximum permitted request and reply document sizes for the iDigi protocol RCI facility. The new size accommodates encoded files of just over 2 MB.
- Expose the (previously hidden) devicesecurity CLI option from these commands: set, show, revert. This was previously available but hidden to prevent misuse of some of that command's capabilities. The options that could cause problems if misconfigured have been removed, so it is no longer necessary nor appropriate to hide the devicesecurity option. (34535)

For the iDigi client configuration's connection server list, reduce the number of server entries to 4 from 8. The list of 8 is simply truncated to 4 for this change. An attempt to restore "deprecated" entries results in warnings, not errors, generated by the settings manager. Note that Digi devices are typically configured to use only one of the server list entries, so this change won't affect deployed products. This reduces runtime memory usage, NVRAM use for configuration setting storage and the RCI text generated for backups. (34309)

Add DHCP lease information to the output of the CLI command "show network" when the IP configuration for the Digi device is received from a DHCP server. The information shown includes the IP address of the DHCP server, the lease duration, the renew and rebind times, and the time remaining in the current lease.

Remove unneeded and deprecated data and code to reduce memory use.

Improve the iDigi (Connectware) client's connection backoff/retry logic in the case of failure to connect to the iDigi server.

Add "disp ia" to the "disp techsupport" command list. (32252)

Add SNTP Client as a time source for time source management. This new feature adds SNTP client as a source for time management. It allows the device to synchronize its clock with NTP/SNTP servers. Configuration for this feature is available through RCI, the web UI and the command line "set clocksource" command.

Add an "offset" from UTC to time source management. This new feature adds the ability to modify Coordinated Universal Time (UTC) by increments that correspond with time zones. Configuration for this feature is available through RCI, the web UI and the command line "set time" command.

Add logging for time events such as changes to offset or time "jumps".

Add SSL connection support and simple password authentication for device connections to the iDigi Server (Connectware Manager Server).

Add support for RealPort authentication.

Add numerous commands to "display techsupport" for improved reporting. (31539, 31689)

Reduce the amount of alarm data sent at the start of a connection to an iDigi Server (Connectware Manager Server) by sending only the active alarms. This improvement is coupled with a server change to not request the current state of all alarms.

Allow fully qualified domain names (FQDN) instead of only IP addresses for a number of features. These features are: AutoConnect, UDP Serial, SNMP trap destinations, and the alarms e-mail server. For UDP Serial, a lookup of the FQDN (typically in the DNS resolver's cache) is done for each packet sent, with a full name resolution occurring only when the cached entry's time-to-live expires (or the cache is flushed). This supports dynamic destination IP addresses. (19517, 30637)

Add options to CLI, web UI and RCI to save encrypted passwords and keys in the configuration backup file. Configuration restore accepts either encrypted or plain text passwords and keys. (15108)

Change the signature method on the self-generated, self-signed certificate from MD5 to SHA1. Although MD5 is not generally unsafe, SHA1 is deemed to be the most secure. All browsers or SSL clients recognize SHA1 instead of MD5.
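The static route gateway rule described earlier in this release (WAN: always the interface gateway; LAN: the interface gateway only when the rule's gateway is 0.0.0.0) and the non-octet-aligned CIDR case from the Release N fix (25.0.0.50 and 24.0.0.50 under 248.0.0.0), as an added Python example that is not Digi firmware code. The interface and route records and all addresses other than the three from the notes are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad IPv4 address: {dotted!r}")
        value = (value << 8) | int(part)
    return value


def prefix_len(mask: str) -> int:
    """Prefix length of a mask; a mask must be a run of ones then zeros."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    return ones


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b share the network part under mask (e.g. a /5)."""
    prefix_len(mask)  # validate the mask before trusting it
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


@dataclass
class Interface:
    name: str
    gateway: str      # the interface's own gateway (e.g. learned from DHCP)
    is_wan: bool


@dataclass
class StaticRoute:
    destination: str
    mask: str
    iface: Interface
    gateway: str = "0.0.0.0"   # 0.0.0.0 on a LAN interface = use its gateway


def effective_gateway(route: StaticRoute) -> str:
    """Next hop per the notes: a WAN route always uses the interface gateway;
    a LAN route uses it only when the rule's gateway is 0.0.0.0."""
    if route.iface.is_wan or route.gateway == "0.0.0.0":
        return route.iface.gateway
    return route.gateway


def lookup(routes: List[StaticRoute], dest: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (interface name, next hop) or None."""
    d = ip_to_int(dest)
    best: Optional[StaticRoute] = None
    best_len = -1
    for route in routes:
        m = ip_to_int(route.mask)
        if (d & m) == (ip_to_int(route.destination) & m):
            plen = prefix_len(route.mask)
            if plen > best_len:
                best, best_len = route, plen
    if best is None:
        return None
    return best.iface.name, effective_gateway(best)


def sample_routes() -> List[StaticRoute]:
    """Constructed table: a /5 LAN route, a narrower LAN route with its own
    next hop, and a WAN default route whose configured gateway must be ignored."""
    lan = Interface("eth0", "192.168.1.1", is_wan=False)
    wan = Interface("ppp0", "10.20.30.1", is_wan=True)
    return [
        StaticRoute("24.0.0.0", "248.0.0.0", lan),
        StaticRoute("24.1.0.0", "255.255.0.0", lan, gateway="192.168.1.254"),
        StaticRoute("0.0.0.0", "0.0.0.0", wan, gateway="5.5.5.5"),
    ]
```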
Update the web UI for IP Forwarding Settings to show the maximum number of entries for Static routes and "Forward TCP/UDP/FTP connections...". (31866)

Add support to send login success and failure traps via SNMP when a user logs into the device using HTTP or HTTPS.

Add a configuration web page for MEI in all MEI-capable products.

Update "display techsupport" to include new and additional commands.

Add the current date/time to the device status display (CLI and web UI), in addition to the uptime value for the device.

Modbus requests/responses for vendor-specific function code 100 are now speculatively estimated as Scattered Read Command (as used by Schneider Electric). Previously, function 100 was treated as not possible to estimate, thus the idle-gap (time with no more data) was the only method to detect end-of-packet. This change should be transparent to other vendors using function 100 for other purposes. First, this estimate is only applied if the 3rd byte of the PDU is the constant 0x04. Second, even packets which are incorrectly estimated will be properly handled by the fall-back detection of the idle-gap. Failure to estimate properly does not cause packet failure; it merely speeds up handling when the end-of-packet estimation succeeds.

For event logging, add the device uptime to the end-of-log display line (both CLI and web UI), if the timestamp display for logging is other than the uptime (such as date/time).

Add a simple CLI to manipulate the time source management settings. See CLI command "set clocksource".

BUG FIXES

Fixed an issue where SSH keys were being removed by the "revert all" command and were not being regenerated. (36710)

Fixed an issue where a ping issued from either the CLI or web UI was displaying a generic error message when pinging an address that has no route to it. (36872)

Fixed an IA route RCI issue: the IA Route settings class allows a "scatter string" for the protocol address, but RCI only allowed min and max. (36812)

Fixed an issue where changing the IP address from dynamic to static via the web UI redirects to a URL mix of the old and new IP. (33205)

Fixed an issue where the Connect ME 9210 loses memory when doing a 'revert all'. (36680)

Fixed an issue where the web UI was vulnerable to a cross-site scripting attack. (36770)

Fixed an issue where hardware flow control did not work initially after a reboot on devices with the 9210 processor. (37149)

Fixed several SSH issues (37339):
- Ensured that all devices are able to clear a public key. This was not consistent over all devices.
- Ensured that SSH worked correctly over all user models.
- Improve SSH public key identification (RSA) and validation.
- Fix an "off by one" issue in the web UI for the maximum key material size.
- Fix a memory leak in the "set user public_key=(server):(file)" handling.
- Improve error and trace messages when downloading SSH public keys via CLI (tftp) or configuring them in the web UI.

Fix an issue where SSH and the suppress login feature are not working correctly together. (37483)

Fix an issue where Connect SP CPU utilization was unusually high. (37504)

Fix a long-standing settings class RCI bug that affects settings restore, custom defaults and iDigi configuration of the failover feature. The TCP test destination port was not being correctly set, which left in place the previous value that was defaulted or set via CLI or web UI. (36372)

Fix a problem in which the Ethernet driver might lose synchronization between its interrupt handler and its packet receive processing thread. This could cause received packets to be held in the driver's receive buffer ring and not passed to the network stack in a timely manner. Under such a condition, network communication might appear to be broken for network protocols and applications. (35638)

Fix a bug in which the file system component was incorrectly accounting for open directories in the system. Due to this bug, it was possible that the open would fail regardless of actual resource availability. (31645)

Fix a problem in which the iDigi discovery tool uses the Wi-Fi interface MAC address as the iDigi device ID. The required iDigi device ID is based on the Ethernet MAC address. The problem affects only products that have a WiFi network card as a second LAN interface, when that interface is used for iDigi discovery. (35697)

Fix a problem for the Industrial Automation (IA) feature in which the full settings were not properly restored from a backup file. (35891)

Fix a possible panic that occurs while configuring the primary network interface (Ethernet) and saving the changes to NVRAM. (35715)

Fix a bug in uudecodeToFile() that causes RCI file transfers to fail when there is white space after the file data. (36147)

Fix an IA Modbus problem in which a buffer was being freed twice when a message send failed because the network connection was down. This could result in a panic reboot. (32914, 34800)

Address issues in the Wi-Fi support.
- Fix a bug in which the BSSID is not being randomly generated when creating an ad-hoc network. (33819)
- Fix a bug in the Wi-Fi driver that caused duplicate packets to be sent. (32292)
- Fix a bug in the Wi-Fi driver ad-hoc mode, caused when the unit sends a probe_response and receives an ACK, followed thereafter by the 500 ms timeout.
- Fix WPA/Wi-Fi driver issues related to problems in the handling of 4-Way key exchanges, uncovered through UNH Interoperability testing. (24015, 24030, 28561, 28562, 29455, 31391, 31392)
- Fix Wi-Fi driver failures for UNH interoperability. (28659, 23903)
- Fix a multirate Wi-Fi defect (protection mode) using AES on b/g WLANs, which caused high packet loss.
- Fix Wi-Fi driver issues related to Cisco LEAP+WEP.

Fix a problem in which the Industrial Automation "Hostname" was not properly set on a configuration restore.
(34086)

Fix a bug in which the Digi device might panic (reboot) when using the CLI command "certmgmt" to generate a key for SSH. (33249)

Fix a bug in which the cold start trap is sent every time the user enables "Generate cold start traps" in the web page or the CLI. (33655)

Fix a bug in which the DialServ feature's connection_wait_time setting could be set outside its designed value range (10-300). This problem existed only when the setting was applied via the RCI interface. (34647)

Fix the keep-alive checkbox for DialServ dial-out configuration. (32833)

Fix a pmodem feature problem for which, under some conditions, an ATDT command (that normally works correctly) stops working. (34433)

Modify SSH to prevent an initial false SNMP login failure trap when the SSH client connects with the "none" authentication method. (1278304)

Fix issues in the SSH service implementation:
- Eliminate possible memory leaks when loading DSA/RSA keys.
- Fix a failure to disconnect and report the reason to the client when the maximum number of authentication failures is reached.

Fix a bug in the DHCP client that accumulates small network buffers on the DHCP client's internal information structure. This occurred for options received from a DHCP server that are unrecognized by the DHCP client. These buffers are now freed to avoid gradual memory depletion.

Fix an issue where the Send Character Immediate IOCTL was not getting a response, causing a RealPort hang. (32061)

Eliminate some unneeded information from the configuration backup file. (32511, 32512)

Fix a problem in which the Modbus web UI misaligns the Master to Table Relationship. (31803)

Check if enough free memory is available to handle a firmware update from the iDigi Server (Connectware Manager) and return an appropriate error response if not. (31321)

Fix a bug that limited the length of the primary SNMP destination field in the SNMP Settings web UI.
(31895)

Improve a condition under which client-initiated connections to the iDigi Server (Connectware Manager Server) won't start unless the "Reconnect after..." box is checked. (31885)

Eliminate several memory leaks.

Fix a bug in which login success and failure traps were not being sent via SNMP when a user logs into the device using SSH. (32161)

Fix a memory leak that may occur when DNS lookups are performed. Although the leak is small, it can lead to memory exhaustion in systems that perform many DNS operations, such as some iDigi client configurations. (30870)

Fix a bug in which PPP statistics may display as negative values in "display pppstats". (related to 22844)

Fix a high CPU utilization issue that occurs while PPP is bringing up a connection. (29771)

Implement RFC-specified validation for a hostname, per the requirements for DHCP option 12. The RFCs consulted include 952, 1035, 1123 and 2132. The maximum length of the hostname is increased to 127, from 31. Support for a FQDN also has been implemented. Web UI help has been updated to describe a valid hostname construction. (27588)

Fix a bug that occurs when restoring a public key: the value is set to the key plus additional bytes, resulting in a corrupt key. (27780)

Add option value ranges to CLI "udpserial" command help. (29034)

Fix a bug in which the event log includes one or more messages that specify the wrong (misleading) system time value when the device boots. Affects devices with a real time clock. (29804)

If a public key has been enabled for SSH, allow authentication based on the key regardless of the password setting. Dynamically generate a list of accepted authentication methods based on the configuration of the device. (27834)

Version 2.8.2, Release K

ENHANCEMENTS

Report average received signal strength in decibels. Display power levels in dBm. Display maximum transmission rates in Mbps.
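The SSH user authentication behaviour the Release L notes describe, as an added Python model that is not Digi firmware code: the accepted-methods list is derived from the user's configuration (publickey whenever a key is enabled, regardless of the password setting), a "none" request only probes that list and raises no login failure trap, and the session is disconnected with a reason once the maximum number of failures is reached. The user record, the failure limit of 3, the trap strings and the credential checks are assumptions; in particular "publickey" here compares a key blob, whereas a real server verifies the signature the client makes with that key.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import List, Optional, Tuple

MAX_AUTH_FAILURES = 3   # assumed limit; the notes only say "maximum number"
DISCONNECT_REASON = "SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE"  # RFC 4253 reason


@dataclass
class UserConfig:
    name: str
    password: Optional[str] = None       # None: no password configured
    public_key: Optional[bytes] = None   # configured (enabled) public key, or None
    password_auth_enabled: bool = True


@dataclass
class AuthSession:
    user: UserConfig
    failures: int = 0
    authenticated: bool = False
    disconnect_reason: Optional[str] = None
    traps: List[str] = field(default_factory=list)   # SNMP login traps emitted

    def accepted_methods(self) -> List[str]:
        """Methods offered to the client, generated from the configuration."""
        methods = []
        if self.user.public_key is not None:
            methods.append("publickey")   # allowed regardless of the password setting
        if self.user.password_auth_enabled and self.user.password is not None:
            methods.append("password")
        return methods

    def request(self, method: str, credential: Optional[bytes] = None) -> Tuple[str, List[str]]:
        """Handle one USERAUTH_REQUEST; returns (result, methods that can continue)."""
        if self.disconnect_reason is not None:
            return "DISCONNECTED", []
        if self.authenticated:
            return "SUCCESS", []
        if method == "none":
            # RFC 4252 probe for the method list: answered with FAILURE but not
            # counted as a failed login, so no failure trap is raised.
            return "FAILURE", self.accepted_methods()
        ok = method in self.accepted_methods() and self._verify(method, credential)
        if ok:
            self.authenticated = True
            self.traps.append(f"login success: {self.user.name} ({method})")
            return "SUCCESS", []
        self.failures += 1
        self.traps.append(f"login failure: {self.user.name} ({method})")
        if self.failures >= MAX_AUTH_FAILURES:
            self.disconnect_reason = DISCONNECT_REASON   # reported to the client
            return "DISCONNECTED", []
        return "FAILURE", self.accepted_methods()

    def _verify(self, method: str, credential: Optional[bytes]) -> bool:
        if credential is None:
            return False
        if method == "publickey":
            return compare_digest(credential, self.user.public_key)
        if method == "password":
            return compare_digest(credential, self.user.password.encode())
        return False


def run_scenario() -> Tuple[AuthSession, AuthSession]:
    """Constructed walk-through: a user with a key enabled and password auth
    disabled; one client fails three times, another presents the right key."""
    user = UserConfig("admin", password="hunter2", public_key=b"constructed-key-blob",
                      password_auth_enabled=False)
    bad = AuthSession(user)
    bad.request("none")                        # probe: no failure, no trap
    bad.request("password", b"hunter2")        # method not offered: counted
    bad.request("publickey", b"wrong")         # counted
    bad.request("publickey", b"wrong again")   # third failure: disconnect
    good = AuthSession(user)
    good.request("publickey", b"constructed-key-blob")
    return bad, good
```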
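A hostname check following the rules the Release L notes cite for DHCP option 12 (RFC 952/1123 label syntax, the RFC 1035 label length, the 127-character limit this release adopts, FQDN support) together with the option 12 encoding from RFC 2132, as an added Python example that is not Digi firmware code. The reason strings and the sample names are constructed.

```python
import re
from typing import Tuple

MAX_HOSTNAME_LEN = 127   # device limit stated in the notes (raised from 31)
MAX_LABEL_LEN = 63       # RFC 1035 label limit
DHCP_OPTION_HOST_NAME = 12
# RFC 952 label syntax as relaxed by RFC 1123 (a leading digit is allowed);
# hyphens may appear only between the first and last character.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def validate_hostname(name: str) -> Tuple[bool, str]:
    """Return (valid, reason). Accepts a bare host name or a dotted FQDN."""
    if not name:
        return False, "empty"
    if not name.isascii():
        return False, "non-ASCII character"
    if len(name) > MAX_HOSTNAME_LEN:
        return False, f"longer than {MAX_HOSTNAME_LEN} characters"
    for label in name.split("."):
        if not label:
            return False, "empty label (leading, trailing or doubled dot)"
        if len(label) > MAX_LABEL_LEN:
            return False, f"label longer than {MAX_LABEL_LEN} characters"
        if not LABEL_RE.fullmatch(label):
            return False, f"bad label {label!r}: letters, digits and inner hyphens only"
    return True, "ok"


def encode_option12(name: str) -> bytes:
    """DHCP option 12 as sent on the wire: code, length, ASCII host name."""
    valid, reason = validate_hostname(name)
    if not valid:
        raise ValueError(reason)
    data = name.encode("ascii")
    return bytes([DHCP_OPTION_HOST_NAME, len(data)]) + data
```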
BUG FIXES

Corrected a data loss issue with pmodem emulation autoconnect whereby the first few bytes of data were being dropped, regardless of flow control. [28212]

Corrected WiFi settings defects that prevented the module from associating and operating after resetting the module to its factory default state. [28295]

Fixed short-range connectivity problems at the 11 Mbps transmission rate.

Version 2.6.5.2, Release J2

ENHANCEMENTS

Added support for the ME (2 MB) CLI on by default option.

BUG FIXES

Fixed a UDP socket freeze associated with fragmentation.

Fixed a serial "hang" at initial boot time.

Fixed a problem with getting serial stats.

Fixed a problem in shared serial when the first two clients are allowed to write to the serial port.

Version 2.6.5.1, Release J1

BUG FIXES

Corrected a TCP socket to serial port defect associated with the 'close connection when DSR goes low' option, when port sharing is enabled.

Corrected defects observed (panic) when changing the port sharing parameters when TCP clients are concurrently connected.

Corrected defects observed (panic) when multiple telnet sessions are sharing a serial port.

Corrected defects observed (panic) when killing sessions currently connected to a shared serial port, after changing the control from "shared" to "exclusive".

Corrected defects that required multiple kills to terminate telnet and ssh connections, after changing the control from "shared" to "exclusive".

Corrected defects observed (panic) when a shared timeout occurs, after setting the timeout period (i.e., set sharing timeout=n).

Version 2.6.5.0, Release J

ENHANCEMENTS

Added port sharing support: up to 32 clients can share a serial port. This is configured using the 'set sharing' CLI command described in the "Command Reference" document.

CLI enabled by default for the Digi Connect ME CLI product.

Enabled PPP support; see the "Command Reference" document for details on how to use PPP.