Release Notes PN 93000697_E1
Digi ConnectPort X8
82001115_E1 EOS
December 11, 2008

INTRODUCTION

This is a production release of firmware for the Digi ConnectPort X8.

The ConnectPort X8 is a hardened, upgradeable wireless gateway for Drop-in Networking. The ConnectPort X8 aggregates and transports ZigBee/802.15.4 network traffic to central data applications over cellular, Wi-Fi, or Ethernet connections. ConnectPort X8 gateways are a key element of Digi's Drop-in Networking family of products - a collection of hardware components that also includes our XBee (R) adapters, modules, extenders, and bridges - which together enable distributed electronic devices to be wirelessly networked where no wired infrastructure exists, or where access to an existing network is prohibited.

The ConnectPort X8 includes support for Industrial Automation protocols and capabilities. See http://www.digi.com/support/ for complete documentation related to these protocols and special capabilities.

SUPPORTED PRODUCTS

Digi ConnectPort X8

SUPPORTED AIR INTERFACES

Sierra Wireless MC5720
Sierra Wireless MC5725
Sierra Wireless MC8755
Sierra Wireless MC8765
Sierra Wireless MC8775
Sierra Wireless MC8780
Sierra Wireless MC8781

ENHANCEMENTS

None.

BUG FIXES

Upgrading the ConnectPort X8 to the E revision firmware from an earlier revision could result in a permanent hang or panic condition. The problem could occur if VPN settings were configured using the A or B revision firmware, and if those settings were still configured in the X8. Note that only a full revert to factory default settings would have removed those VPN settings. The problem occurs during an implicit conversion of the VPN settings from an older format to their newer format required by the E revision and later firmware. (28851)

KNOWN ISSUES

- Problems have been encountered with some Linksys VPN appliance models when using different Diffie-Hellman group settings for phase 1 and phase 2.
  To work around this issue and successfully establish the VPN tunnel, use the same Diffie-Hellman group for both phase 1 and phase 2 settings.

- Digi RealPort can only be used if the Modbus Bridge function is disabled. You cannot use RealPort with Modbus/RTU or ASCII to access the Modbus Bridge function.

- Do not attempt to "Port Forward" TCP 502 or UDP 502 to local Modbus/TCP servers while the Modbus Bridge is active - this causes NEITHER function to work. Disable the Modbus Bridge if you desire traditional Router/NAT function for Modbus/TCP port 502.

- IA routes targeting ZigBee/PWAN remotes assume each route can run independently. Thus three routes targeting the same extended MAC might potentially try to send three requests at once, which will confuse a serial protocol like Modbus/RTU. Use the new "scattered-route" design to convert such multiple routes to a single route, which promises only one outstanding request is sent at once.

DOCUMENTATION ERRATA

None.

ADDITIONAL INFORMATION

It is recommended that you perform a backup of your device's settings prior to upgrading your firmware. If you should need to revert back to a previous version of firmware, this will ensure that you will be able to restore your device to its previous settings in the event that some settings are not restored properly after downgrading the firmware.

To back up your device settings, follow this simple procedure:

1) Open the web user interface and navigate to the "Administration" section and select "Backup/Restore".
2) Click the "Backup" button and select the location to where you want to save your backup file.

To restore:

1) Navigate to the same section within the web UI.
2) Click the "Browse" button to select the backup file you saved in the previous steps.
3) Click the "Restore" button to upload the configuration settings contained in your backup file.

On initial boot of this device, it will generate some encryption key material: an RSA key for SSL/TLS operations, and a DSA key for SSH operations. This process can take as long as 40 minutes to complete. Until the corresponding key is generated, the device will be unable to initiate or accept that type of encrypted connection. It will also report itself as 100% busy but, since key generation takes place at a low priority, the device will still function normally. On subsequent reboots, the device will use its existing keys and will not need to generate another unless a reset to factory defaults is done, which will cause a new key to be generated on the next reboot.

HISTORY

82001115_E1 (2.8.1.13) - December 11, 2008

See ENHANCEMENTS and BUG FIXES information above.

82001115_E (2.8.1.12) - November 25, 2008

ENHANCEMENTS:

Add support for Industrial Automation (IA) protocols and capabilities.

Improve configuration settings implementation to use less memory, better support customized defaults and more effectively manage NVRAM.

Add dynamic web page generation support for native web server from Python.

Add support for Connectware Manager Web Services.

Add support for file system access from Connectware Manager.

Mesh networking enhancements:
- Replace the term "Mesh Network" with the broader "XBee Network" to better describe the varied RF network types supported by Digi.
- Add an option to software reset or network reset a node on the XBee Advanced Settings page of the Web UI.
- Add a secondary SNMP destination trap.
- Add more configuration and display capabilities to the mesh networking user interface web pages.
- Add support for ZB firmware versions 2x21 and later.
- Add support for XBee Pro 900 radio.
- Add lookup by node ID to set/show/display mesh CLI commands.
- Add ability to update gateway radio firmware to web UI and RCI.
- Add timeout parameter to C and Python DDO functions.
- Add ability to run DDO commands from the CLI.
- Display DDO commands for parameters in the CLI.
- Handle missing 64-bit address on received frames.
- Handle 16-bit cluster IDs.
- Increment frame ID in transmitted data frames for debugging.
- Update radio parameters supported by the web UI, CLI, and RCI.

Wi-Fi enhancements: (X8)
- Send gratuitous ARP when connection is established to inform access points of our IP address (issue observed with some Cisco APs).
- Add event logging to Wifi driver.
- Add Wifi signal strength bar graph to web UI.

Add dual SIM support for use with GSM cellular modules.

Add native GPS support with Geofencing application.

Add VPN "Responder Only" feature.

Add automatic failover from one network interface to another as the default gateway using customer-configurable rules. Failover-capable interfaces include cellular, Ethernet and Wi-Fi.

Allow the system time to be set from the Cellular System Time. The real time clock can be set by this source as well.

Support a Customizable Dialserve Initialization String.

Split apart support for the Web Server (HTTP) service and Secure Web Server (HTTPS) service so they are managed independently of one another.

Change mobile PPP interface to be always "mobile0" rather than a set of "pppX" interfaces where X varies among products.

Add an on-board Primary Roaming List (PRL) update mechanism for Sierra Wireless CDMA/EVDO cellular modules.

Add display of mobile network MCC and MNC numeric values in addition to associated names for Sierra Wireless cellular modems. (26910)

Add a conditional second cellular signal strength bar graph to web UI, and a new "Service Mode" item. Add CLI counterparts for these (display mobile). These changes apply to products equipped with Sierra Wireless MC5720/25 modules, for the purpose of reporting signal strength for both 1xRTT service and EV-DO service. The reporting for other cellular modules is unaffected by these changes.
Also, show the correct signal strength for the current technology in use for the mobile connection (2G or 3G).

On products that have bi-color mobile Signal Strength and/or Link LEDs, correctly set and update the color as follows:
- Indicate 3G service via a green LED.
- Indicate 2G service via a yellow LED.
Since the in-use service may change during the life of the mobile PPP connection, the color is updated if/as the service changes.

Add options to set the DNS priorities and gateway priorities lists from the command-line. (27324) Added these options to "set network":
    gwpriority=(comma-separated interface name list)
    dnspriority=(comma-separated priority list)

Event logging enhancements.
- For "uptime", display days+hh:mm:ss versus a time in seconds.
- In CLI, support user-selectable time display format.
- Automatically determine appropriate time display format according to time source availability and use in a given product.

Add start-up event logging in the "system" facility of these items:
- product name and ID
- model name (if different than the product name)
- firmware (EOS) version
- boot version
- POST version
- manufacturing VPD version (build tag)
- hardware strapping value
The above information is also shown by the "display device" command.

BUG FIXES:

Mesh networking bug fixes:
- Fix mesh node list threading bug that caused remote DDO commands to fail. (25697)
- Indicate when a broadcast frame is received and its source address - in ZbAddressParams structure. (25895)
- Improve CLI error messages when gateway is disabled. (26632)
- Preserve gateway radio settings across firmware update. (26633)
- Clear node list when the gateway is disabled. (26634)
- Fix panic while setting PAN ID in the web UI. (26876)
- Fix payload size checking in ZigBee sockets sendto function. (27184)
- Fix bug displaying DDO command results in CLI. (27869)
- Allow any length up to maximum for keys and binary settings.
  (27904)
- Fix bug during initial node discovery when remote nodes are sending data.

Fix memory leak related to XBee sockets interface.

Fix memory leak related to RCI requests.

Increase the general event log maximum message size to avoid message truncation. (24640)

Release ZigBee socket lock around calls to driver zbSendMessage() to prevent deadlocks. (28356)

82001115_D (2.7.2.11) - July 17, 2008

ENHANCEMENTS:

Add support to the Mobile Configuration web page (Advanced Settings) for user-requested PRL updates. This enhancement applies to the MC5720 and MC5725 air interfaces.

Add DMZ support to the NAT feature.

Enhance the Event Logging feature to permit the user to clear the log on demand, thereby removing all log entries. This is supported in the web UI (Event Logging page) and the CLI ("display logging action=clear").

Add two new options to the CLI command "display logging":
    head=(lines)
    tail=(lines)
where "(lines)" is a number of log entries to display. The "head" option displays lines from the start of the event log (the oldest entries), and the "tail" option displays lines from the end of the event log (the most recent entries). (25091)

Add support for Dynamic DNS service updates when the Digi device is operating in IP Pass-through mode. (25129)

Add "show ddns" to the list of commands run by "display techsupport". (25725)

Reduce runtime memory usage, including both executable code and data. The firmware image size also is somewhat reduced. This results in more available memory in the Digi device, which can help improve performance during intervals of high memory demand operations.

Add support for new air interface cards:
o Sierra Wireless MC8780 (GSM/GPRS/UMTS/HSDPA/HSUPA)
  - Succeeds MC8775 (and MC8755).
  - Supports European frequency.
  - Adds HSUPA support.
o Sierra Wireless MC8781 (GSM/GPRS/UMTS/HSDPA/HSUPA)
  - Succeeds MC8775 (and MC8765).
  - Supports North American frequency.
  - Adds HSUPA support.

Improve the DHCP client capability so it persists in attempting to acquire IP configuration information if the DHCP client is enabled in the device configuration settings, and the DHCP client fails to acquire the IP configuration. This could occur if no DHCP server was available when the device booted, or if the Ethernet cable was disconnected at that time.

Improve the detail reported in "display techsupport" for the network settings. Specifically, use "show network globalsettings if=*" to report everything available ("show network" is less complete).

BUG FIXES:

An engineering change in some versions of supported Sierra Wireless 3G PCI Express modules (8775, 8775V, 8780, 8781) was incompatible with the implemented existing reset logic for all other PCIe based modules, causing the Sierra Wireless modules to come up in "Low-Power Mode." A change was made to the firmware to not drive the PCIe reset pin for Sierra Wireless modules, correcting the issue.

Fix e-mail alarm failures. (26107, 25684, 25810)

Correct a time rollover bug (wraparound to zero) in the Event Log.

Eliminate a memory leak on the VPN identity key/certificate web page. (26255)

Correct a bug in which two of the options of the "set vpn global" CLI command didn't work as the CLI help stated. Specifically, the options "suppress_phase1_lifetimes" and "suppress_delete_sa_for_pfs" are documented to accept "on" and "off" as values. However, the command was expecting "yes" and "no" instead. The command has been modified to accept "on" and "off" as documented, and "yes" and "no" are still accepted as valid option values. (26607)

Fix VPN tunnel settings backup/restore issues. (26648, 25010)
o Default settings could be backed up but not restored for some options (such as "host address" of 0.0.0.0).
o The manual tunnel outbound authentication algorithm "SHA1" could not be restored. It could be set correctly by use of CLI command and web page settings.

Fix a problem in which packets would have a zero Ethernet MAC address for up to four minutes when running in IP Pass-through mode. (26760)

Fix a problem in the "set vpn tunnel" CLI. The CLI help incorrectly specifies an option "public_interface" that is actually "interface". The valid interface names shown also may be incorrect. The help has been corrected. (25131)

Fix a memory leak in the Python feature. Some of the semaphores created by Python were not being released to the system when they were no longer needed. (25288)

Fix a problem in which NAT-T (VPN) failed because a mobile provider network changed the UDP source port for NAT-T, and our version of IKE did not handle that condition properly. (25489)

Fix a problem in which possible "garbage" characters may be collected and stored as part of the "Current Network" mobile status item. This information is reported to the user in CLI, web UI and XML sent to the Connectware Manager server. The "garbage" characters were problematic for the Connectware Manager in particular. This fix affects devices that are equipped with the MC87x5 air interface modules, when the "Current Network" value is less than eight characters in length. (24868)

Remove the VPN "interfaces" (vpn0, etc.) from the list of valid interfaces for configuring a static route. These are not true network interfaces in Digi's network stack. They are not suitable for static routes, since only IPSEC policies may be used for the purpose of routing packets through tunnels. These VPN pseudo-interfaces are meaningful only for the VPN "Virtual Host" mode, which was added in 82001276_F.

82001115_C2 (2.7.0.16) - January 31, 2008

ENHANCEMENTS:

Add support to permit the publication of private IP addresses to the DynDNS service.
(25403)

BUG FIXES:

Fix a problem with Connectware Manager client Last Known Address (LKA) updates, that could occur if an update was attempted when the network interface was restarted but retained the same IP address it had prior to the restart. The problem resulted in a rolling connect/disconnect by the Digi device to the Connectware Manager Server, and only a true change of IP address for the interface, or a device reboot, cleared the problem. The problem was introduced in 82001276_F2. (25548)

82001115_C1 (2.7.0.13) - January 23, 2008.

Not released for customer use.

82001115_C (2.7.0.11) - January 14, 2008

ENHANCEMENTS

Update the IP Network Stack to benefit from many improvements and fixes from the network stack vendor.

Add support for NAT-T (NAT traversal) VPN tunneling.

Add support for Simple Certificate Enrollment Protocol (SCEP) for X.509 certificates.

Add support for Virtual Router Redundancy Protocol (VRRP) per RFC 3768.

Add support for DNS Proxy, optionally integrated with the DHCP Server.

Add support for Device-Initiated RealPort.

Improve web UI in numerous areas for usability and feature additions:
o Mobile service provisioning.
o Mobile service configuration and authentication.
o Advanced network configuration: ability to prioritize the ordering of DNS servers and default gateway selection.

Add support for CDMA technology selection (i.e., 1xRTT / EVDO / Automatic) for the Sierra Wireless MC5720 and MC5725 modules.

Add support for carrier/band/service class (i.e., 2G/3G) selection for the following Sierra Wireless modules: MC8755, MC8765 and MC8775.

The following previous KNOWN ISSUES from earlier releases have been addressed and are no longer issues for the ConnectPort X8:
o On some IPSec VPNs, SA lifetime is not negotiated correctly. To work around this issue, configure the SA lifetime on the Digi ConnectPort X8 to be less than that configured on the VPN concentrator.
o For IPSec VPN tunnels using AES encryption, multiple key lengths (128-, 192- and 256-bit) are supported for ISAKMP/IKE phase 1 encryption proposals. For ISAKMP/IKE phase 2 proposals, currently only 256-bit keys are supported for AES encryption.

Add the "display dnsserver" CLI command to report the DNS servers that are configured in the ConnectPort X8.

Add VPN-related CLI options for the "display" command:
o ikesa - IKE SA table
o ikespd - IKE SPD table
o ipsecspd - IPSec SPD table

Improve the information provided by the "display techsupport" and "display netdevice" CLI commands.

Enable automatic ("sticky") response for UDP Sockets feature to the last client when no UDP Sockets "destinations" are defined. (CR 23531)

Enhance NAT trace for improved troubleshooting detail.

Revise the signal strength reporting ranges for consistency across the Digi cellular product line and with both service provider and modem manufacturer recommendations.

Update service provider support for AT&T.

BUG FIXES

Fix a problem for the MC5720 and MC5725 modules, in which the illuminated signal strength LEDs differ from the number of "bars" shown in the web UI (Mobile System Information page) or CLI ("display mobile" command output). (23706)

In certain situations, the Sierra Wireless MC5720/MC5725 would indicate that a call had been made, but would not assert the carrier signal on the data virtual UART. This would result in a valid call being dropped prematurely. This has been remedied.

Improve the reliability of information reported in the mobile status, including network- and modem-specific status, phone number (when available), and SIM status for GSM.

Fixes for mobile service provider support and configuration:
o Fix Alltel provisioning on factory default unit. (23817)
o Allow PRI HA/SEC HA for Alltel's manual provisioning. (23541)
o Username and password are no longer required fields for some AT&T (Cingular) Orange service accounts.
  (23161)
o When authentication is disabled: (22466)
  - Clear the CHAP ID, CHAP key, PAP ID, and PAP password.
  - Set 'sgauth' accordingly in init script for Siemens modems.
o Provide a default initialization string for a CDMA Custom Provider. (21890)
o Change "European Provider" to "European/EMEA Provider". (19833)

Improve the Dynamic DNS update feature:
o Implement better handling of error conditions (failure to connect to and successfully update the DynDNS service in particular). Enhance the retry method to use the alternate DynDNS server access ports if the user-configured update method fails.
o Add event logging of DDNS updates.
o Eliminate a condition that could result in blocking DDNS updates until the Digi device is rebooted. (23805)

Eliminate a possible condition in which a system resource could be lost (leaked) when a cell modem is reset between PPP connections. Only a Digi device reboot would reclaim the resource.

Fix an initialization problem with GSM data-only mode configuration in which the mode could remain incorrectly set if a different cellular provider selection is used. Specifically, if data-only mode is enabled, it could not be correctly disabled in the cellular modem.

82001115_B (2.6.2) - July 23, 2007

82001115_A (2.5.2.10) - February 2, 2007

Initial release.