Release Notes PN 93000699_C Digi Connect WAN 3G 82001532_C EOS March 28, 2008 INTRODUCTION This is a production release of firmware for the Digi Connect WAN 3G. The Digi Connect WAN 3G is a hardened, upgradeable 3G cellular router that provides secure high speed wireless connectivity to remote sites and devices. It can be used for primary wireless broadband network connectivity to equipment at remote locations, as well as for a backup to existing landline communications. The Digi Connect WAN 3G is ideal for use where wired networks (e.g., leased line/frame relay, ISDN, DSL) are not feasible, or where alternative network connections are required. SUPPORTED PRODUCTS Digi Connect WAN 3G SUPPORTED AIR INTERFACES Sierra Wireless MC5720 Sierra Wireless MC5725 Sierra Wireless MC8755 Sierra Wireless MC8765 Sierra Wireless MC8775 Sierra Wireless MC8780 Sierra Wireless MC8781 ENHANCEMENTS Update the IP Network Stack to benefit from many improvements and fixes from the network stack vendor. Add support for NAT-T (NAT traversal) VPN tunneling. Add support for Simple Certificate Enrollment Protocol (SCEP) for X.509 certificates. Add support for Virtual Router Redundancy Protocol (VRRP) per RFC 3768. Add support for DNS Proxy, optionally integrated with the DHCP Server. Add support for Python scripting feature. Add support for Device-Initiated RealPort. Add support to the Mobile Configuration web page (Advanced Settings) for user-requested PRL updates. This enhancement applies to the MC5720 and MC5725 air interfaces. Add DMZ support to the NAT feature. Enhance the Event Logging feature to permit the user to clear the log on demand, thereby removing all log entries. This is supported in the web UI (Event Logging page) and the CLI ("display logging action=clear"). Add two new options to the CLI command "display logging": head=(lines) tail=(lines) where "(lines)" is a number of log entries to display. The "head" option displays lines from the start of the event log (the oldest entries), and the "tail" option displays lines from the end of the event log (the most recent entries). (25091) Add support to permit the publication of private IP addresses to the DynDNS service. (25403) Add support for Dynamic DNS service updates when the Digi device is operating in IP Pass-through mode. (25129) Add "show ddns" to the list of commands run by "display techsupport". (25725) Reduce runtime memory usage, including both executable code and data. The firmware image size also is somewhat reduced. This results in more available memory in the Digi device, which can help improve performance during intervals of high memory demand operations. Add support for new air interface cards: o Sierra Wireless MC8780 (GSM/GPRS/UMTS/HSDPA/HSUPA) - Succeeds MC8775 (and MC8755). - Supports European frequency. - Adds HSUPA support. o Sierra Wireless MC8781 (GSM/GPRS/UMTS/HSDPA/HSUPA) - Succeeds MC8775 (and MC8765). - Supports North American frequency. - Adds HSUPA support. Improve web UI in numerous areas for usability and feature additions: o Mobile service provisioning. o Mobile service configuration and authentication. o Advanced network configuration: ability to prioritize the ordering of DNS servers and default gateway selection. Add support for CDMA technology selection (i.e., 1xRTT / EVDO / Automatic) for the Sierra Wireless MC5720 and MC5725 modules. Add support for carrier/band/service class (i.e., 2G/3G) selection for the following Sierra Wireless modules: MC8755, MC8765, MC8775, MC8780 and MC8781. The following previous KNOWN ISSUES from earlier releases have been addressed and are no longer issues for the Digi Connect WAN 3G: o On some IPSec VPNs, SA lifetime is not negotiated correctly. To work around this issue, configure the SA lifetime on the Digi Connect WAN 3G to be less than that configured on the VPN concentrator. o For IPSec VPN tunnels using AES encryption, multiple key lengths (128-, 192- and 256-bit) are supported for ISAKMP/IKE phase 1 encryption proposals. For ISAKMP/IKE phase 2 proposals, currently only 256-bit keys are supported for AES encryption. Add the "display dnsserver" CLI command to report the DNS servers that are configured in the Digi Connect WAN 3G. Add VPN-related CLI options for the "display" command" o ikesa - IKE SA table o ikespd - IKE SPD table o ipsecspd - IPSec SPD table Improve the information provided by the "display techsupport" and "display netdevice" CLI commands. Enable automatic ("sticky") response for UDP Sockets feature to the last client when no UDP Sockets "destinations" are defined. (CR 23531) Enhance NAT trace for improved troubleshooting detail. Revise the signal strength reporting ranges for consistency across the Digi cellular product line and with both service provider and modem manufacturer recommendations. Update service provider support for AT&T. BUG FIXES Fix a problem in the "set vpn tunnel" CLI. The CLI help incorrectly specifies an option "public_interface" that is actually "interface". The valid interface names shown also may be incorrect. The help has been corrected. (25131) Fix a memory leak in the Python feature. Some of the semaphores created by Python were not being released to the system when they were no longer needed. (25288) Fix a problem in which NAT-T (VPN) failed because a mobile provider network changed the UDP source port for NAT-T, and our version of IKE did not handle that condition properly. (25489) Fix a problem in which possible "garbage" characters may be collected and stored as part of the "Current Network" mobile status item. This information is reported to the user in CLI, web UI and XML sent to the Connectware Manager server. The "garbage" characters were problematic for the Connectware Manager in particular. This fix affects devices that are equipped with the MC87x5 air interface modules, when the "Current Network" value is less than eight characters in length. (24868) Remove the VPN "interfaces" (vpn0, etc.) from the list of valid interfaces for configuring a static route. These are not true network interfaces in Digi's network stack. They are not suitable for static routes, since only IPSEC policies may be used for the purpose of routing packets through tunnels. These VPN pseudo-interfaces are meaningful only for the VPN "Virtual Host" mode, which was included in 82001532_A. Fix a problem for the MC5720 and MC5725 modules, in which the illuminated signal strength LEDs differ from the number of "bars" shown in the web UI (Mobile System Information page) or CLI ("display mobile" command output). (23706) In certain situations, the Sierra Wireless MC5720/MC5725 would indicate that a call had been made, but would not assert the carrier signal on the data virtual UART. This would result in a valid call being dropped prematurely. This has been remedied. Improve the reliability of information reported in the mobile status, including network- and modem-specific status, phone number (when available), and SIM status for GSM. Fixes for mobile service provider support and configuration: o Username and password are no longer required fields for some AT&T (Cingular) Orange service accounts. (23161) o When authentication is disabled: (22466) - Clear the CHAP ID, CHAP key, PAP ID, and PAP password. o Provide a default initialization string for a CDMA Custom Provider. (21890) o Change "European Provider" to "European/EMEA Provider". (19833) Eliminate a possible condition in which a system resource could be lost (leaked) when a cell modem is reset between PPP connections. Only a Digi device reboot would reclaim the resource. Fix an initialization problem with GSM data-only mode configuration in which the mode could remain incorrectly set if a different cellular provider selection is used. Specifically, if data-only mode is enabled, it could not be correctly disabled in the cellular modem. KNOWN ISSUES Problems have been encountered with some Linksys VPN appliance models when using different Diffie-Hellman group settings for phase 1 and phase 2. To work around this issue and successfully establish the VPN tunnel, use the same Diffie-Hellman group for both phase 1 and phase 2 settings. DOCUMENTATION ERRATA None. ADDITIONAL INFORMATION It is recommended that you perform a backup of your device's settings prior to upgrading your firmware. If you should need to revert back to a previous version of firmware, this will ensure that you will be able to restore your device to its previous settings in the event that some settings are not restored properly after downgrading the firmware. To backup your device settings, follow this simple procedure: 1) Open the web user interface and navigate to the "Administration" section and select "Backup/Restore". 2) Click the "Backup" button and select the location to where you want to save your backup file. To restore: 1) Navigate to the same section within the web UI. 2) Click the "Browse" button to select the backup file you saved in the previous steps. 3) Click the "Restore" button to upload the configuration settings contained in your backup file. On initial boot of this device, it will generate some encryption key material: an RSA key for SSL/TLS operations, and a DSA key for SSH operations. This process can take as long as 40 minutes to complete. Until the corresponding key is generated, the device will be unable to initiate or accept that type of encrypted connection. It will also report itself as 100% busy but, since key generation takes place at a low priority, the device will still function normally. On subsequent reboots, the device will use its existing keys and will not need to generate another unless a reset to factory defaults is done, which will cause a new key to be generated on the next reboot. HISTORY 82001532_C (2.7.2.6) - March 28, 2008 See ENHANCEMENTS and BUG FIXES information above. 82001532_B1 (2.6.3.8) - November 29, 2007 ENHANCEMENTS: None. BUG FIXES: Enable CTS Errata fix to address quicker hardware flow control issues. May see double characters if this is not enabled. 82001532_B (2.6.3.6) - November 8, 2007 ENHANCEMENTS: None. BUG FIXES: Fix issue with stdio holding onto pointers to invalid data. Add SIM PIN retry mechanism to account for slow module access to SIM. Fix missing MEI serial port initialization. 82001532_A1 (2.6.3.5) - October 16, 2007 ENHANCEMENTS: Add support for displaying SIM status as text in addition to the numerical status value. Enable the watchdog code to allow Python to maintain the watchdog so that if a python script that should be working with the watchdog fails, the unit is reset. Added "onexit" parameter to the "set python" cil command. Add support for CLI command access through Python scripts. Improve the ability of SureLink feature to do a DNS lookup when no DNS names were retrieved from the network (use static DNS names instead). BUG FIXES: Fix Cellular Data Only mode initialization where a different cellular provider was selected. Fix a bug where the zigbee socket layer would cause a "hang". Fix a bug where USB Transport Descriptors were leaking from the Sierra Wireless driver. Fix a bug where the flash filesystem could cause the unit to reference a memory structure that had been freed which resulted in heap corruption. 82001532_A (2.6.3.3) - September 27, 2007 Initial release.