Digi ConnectPort TS 1/2/4 Release Notes
Part Number 93000725_D
For Digi ConnectPort TS Firmware EOS 82001592_D
Version 2.12.4
February 10, 2011

INTRODUCTION

This is a production release of firmware for the Digi ConnectPort TS 1/2/4 family of products.

SUPPORTED PRODUCTS

Digi ConnectPort TS 1/2/4 Wireless MEI
Digi ConnectPort TS 1/2/4 MEI
Digi ConnectPort TS 1/2/4 RS-232

ENHANCEMENTS

As a security enhancement, SNMP has been turned off by default.

Enabled the CLI flashdrv command.

Enabled PPP client and server support.

Enabled Python support.

Improve the user interfaces for configuring static routes in the network stack. For a WAN interface, always use the interface gateway IP address. For a LAN interface, use the associated interface gateway IP if the static route rule is configured with a gateway address of 0.0.0.0. If the static route gateway IP is other than 0.0.0.0 for a LAN interface, use that configured value. This properly and implicitly accommodates WAN interface static routes and allows the user to select use of the LAN interface gateway or a configured value for LAN interface static routes. The web UI help is updated to describe this enhancement.

Improve the network stack to address the issue described in US-CERT Vulnerability Note VU#498440: Multiple TCP/IP implementations may use statistically predictable initial sequence numbers. The note can be viewed at: http://www.kb.cert.org/vuls/id/498440. (36183)

Expand the description of iDigi keep-alives in the web help information.

Add a Network Port Scan Cloaking feature that permits users to prevent replies to various received packets for which there is no local service. On a global or per-network-interface basis, one can disable ping replies, TCP reset replies for received connection requests to unused ports, and ICMP destination/port unreachable replies to received UDP datagrams destined for unused ports. This capability "cloaks" a device from being probed on such unused ports, and it reduces packet traffic by eliminating replies that may be billable to service accounts (e.g., cellular service). This feature is exposed in the CLI as the "scancloak" option, and it is supported in the web UI on the Advanced Network Settings page under the Network Configuration section. By default, this feature is disabled.

Add iDigi connection status items for send and receive idle times.

Enhance the Wi-Fi support.
- Enable TX power calibration.
- Add "band" configuration on the Wi-Fi LAN Settings web page. Specify the band in which this device is being used. By selecting a band, the channel settings will be restricted to the legal set for that band.
- Add "802.11d" configuration on the Wi-Fi LAN Settings web page. 802.11d Multi Domain Capability enables device operation in additional regulatory domains (countries) with the allowed channel set and TX power.
- Add "EAP-FAST" network authentication configuration on the Wi-Fi Security Settings web page. EAP-FAST (Flexible Authentication via Secure Tunneling) is now supported in WPA.
- Add the CLI command "revert wlan" and hide the "revert wireless" command (retained for backward compatibility). The option "wlan" is used for the commands set, show, display and info, so the use of "wireless" for revert was inconsistent. (34675)

Update the SSL/TLS implementation with enhancements and bug fixes.

Add a new info command to the CLI, "info time". This command displays SNTP client statistics when SNTP is configured as a time source.

Enable TCP keep-alives by default for these services: ssh, telnet. This provides default cleanup of orphaned sessions.

Clarify description: the serial statistics page displays the current port settings. (32689)

The Connectware Manager (also referred to as Remote Management) has been rebranded in the Digi device firmware as "iDigi". This corresponds with the service being offered by Digi for this purpose.
A number of enhancements are added for the iDigi client in the Digi device firmware:
- iDigi activity is recorded in the Event Log.
- An iDigi client entry appears in the "Connections" list when:
  - The client is connected to the iDigi server.
  - The client is trying to connect to the iDigi server.
  - The client is waiting (listening) for the iDigi server to connect to it.
  - The client is waiting for a configured interval before initiating a (new) connection to the iDigi server.
  The connections list may be displayed in the CLI ("who") and in the web UI (Management > Connections).
- When the iDigi client is waiting to (re)connect to the server, the connection table entry may be "killed", in which case the wait is canceled and the connection attempt proceeds immediately.
- When the iDigi client is connecting to the server, the connection table entry may be "killed", in which case the connection attempt is abandoned. The "connecting" state is typically very brief. If for some reason the Digi device gets "stuck" in the "connecting" state, the kill request will terminate the condition. This is not an expected condition.
- Add the CLI command "display idigi" to report the iDigi connection status of the Digi device.
- Add the iDigi status web page under Administration > System Information to report the iDigi connection status of the Digi device.
- Show the iDigi Device Type for the Digi device on the iDigi Configuration page in the web UI. This is the device type by which the Digi device is known to the iDigi server. That value also is displayed via the CLI command "show mgmtglobal" and in the RCI output as (in addition to the existing field).
- Send the actual Digi device type to the iDigi server rather than a possibly user-customized product name in config.ini. Customized names are problematic for the iDigi server for device recognition and management. (1291266)
- Eliminate unsupported interfaces from the network settings RCI and related CLI (set mgmtnetwork). The web UI was already correct. (34520)
- Increase the maximum permitted request and reply document sizes for the iDigi protocol RCI facility. The new size accommodates encoded files of just over 2MB.
- Expose the (previously hidden) devicesecurity CLI option from these commands: set, show, revert. This was previously available but hidden to prevent misuse of some of that command's capabilities. The options that could cause problems if misconfigured have been removed, so it is no longer necessary nor appropriate to hide the devicesecurity option. (34535)

For the iDigi client configuration's connection server list, reduce the number of server entries to 4 from 8. The list of 8 is simply truncated to 4 for this change. An attempt to restore "deprecated" entries results in warnings, not errors, generated by the settings manager. Note that Digi devices are typically configured to use only one of the server list entries, so this change won't affect deployed products. This reduces runtime memory usage, NVRAM use for configuration setting storage and

Add DHCP lease information to the output of the CLI command "show network" when the IP configuration for the Digi device is received from a DHCP server. The information shown includes the IP address of the DHCP server, the lease duration, the renew and rebind times, and the time remaining in the current lease.

Remove unneeded and deprecated data and code to reduce memory use.

Improve the iDigi (Connectware) client's connection backoff/retry logic in the case of failure to connect to the iDigi server.

Add "disp ia" to the "disp techsupport" command list. (32252)

Add SNTP Client as a time source for time source management. This new feature adds the SNTP client as a source for time management. It allows the device to synchronize its clock with NTP/SNTP servers. Configuration for this feature is available through RCI, the web UI and the command line "set clocksource" command.

Add an "offset" from UTC to time source management.
This new feature adds the ability to modify Coordinated Universal Time (UTC) by increments that correspond with time zones. Configuration for this feature is available through RCI, the web UI and the command line "set time" command.

Add SSL connection support and simple password authentication for device connections to the iDigi Server (Connectware Manager Server).

Add support for RealPort authentication.

Add numerous commands to "display techsupport" for improved reporting. (31539, 31689)

Reduce the amount of alarm data sent at the start of a connection to an iDigi Server (Connectware Manager Server) by sending only the active alarms. This improvement is coupled with a server change to not request the current state of all alarms.

Allow fully qualified domain names (FQDN) instead of only IP addresses for a number of features. These features are: AutoConnect, UDP Serial, SNMP trap destinations, and the alarms e-mail server. For UDP Serial, a lookup of the FQDN (typically in the DNS resolver's cache) is done for each packet sent, with a full name resolution occurring only when the cached entry's time-to-live expires (or the cache is flushed). This supports dynamic destination IP addresses. (19517, 30637)

Add options to CLI, web UI and RCI to save encrypted passwords and keys in the configuration backup file. Configuration restore accepts either encrypted or plain text passwords and keys. (15108)

Change the signature method on the self-generated, self-signed certificate from MD5 to SHA1. Although MD5 is not generally unsafe, SHA1 is deemed to be the most secure. All browsers or SSL clients recognize SHA1 instead of MD5.

Update the web UI for IP Forwarding Settings to show the maximum number of entries for Static routes and "Forward TCP/UDP/FTP connections...". (31866)

Add support to send login success and failure traps via SNMP when a user logs into the device using HTTP or HTTPS.

Add a configuration web page for MEI in all MEI-capable products.

Add a diversity setting for the Wi-Wave PCIe module on the Wi-Fi configuration web page.

Update "display techsupport" to include new and additional commands.

Add the current date/time to the device status display (CLI and web UI), in addition to the uptime value for the device.

Modbus requests/responses for vendor-specific function code 100 are now speculatively estimated as the Scattered Read Command (as used by Schneider Electric). Previously, function 100 was treated as not possible to estimate, so the idle gap (time with no more data) was the only method to detect end-of-packet. This change should be transparent to other vendors using function 100 for other purposes. First, this estimate is only applied if the 3rd byte of the PDU is the constant 0x04. Second, even packets which are incorrectly estimated will be properly handled by the fall-back detection of the idle gap. Failure to estimate properly does not cause packet failure; it merely speeds up handling when the end-of-packet estimation succeeds.

For event logging, add the device uptime to the end-of-log display line (both CLI and web UI) if the timestamp display for logging is other than the uptime (such as date/time).

Add a simple CLI to manipulate the time source management settings. See CLI command "set clocksource".

Improve the configuration settings implementation to use less memory, better support customized defaults and more effectively manage NVRAM.

Split apart support for the Web Server (HTTP) service and Secure Web Server (HTTPS) service so they are managed independently of one another.

Event logging enhancements.
- For "uptime", display days+hh:mm:ss versus a time in seconds.
- In CLI, support a user-selectable time display format.
- Automatically determine the appropriate time display format according to time source availability and use in a given product.
Add start-up event logging in the "system" facility of these items:
- product name and ID
- model name (if different than the product name)
- firmware (EOS) version
- boot version
- POST version
- manufacturing VPD version (build tag)
- hardware strapping value
The above information is also shown by the "display device" command.

BUG FIXES

Fixed an issue where SSH keys were being removed by the "revert all" command and were not being regenerated. (36710)

Fixed an issue where a ping issued from either the CLI or Web UI was displaying a generic error message when pinging an address that has no route to it. (36872)

Fixed an IA route RCI issue: the IA Route settings class allows a "scatter string" for the protocol address, but RCI only allowed min and max. (36812)

Fixed an issue where changing the IP address from dynamic to static via the web UI redirects to a URL mixing the old and new IP. (33205)

Fixed an issue where the Web UI was vulnerable to a cross-site scripting attack. (36770)

Fixed several SSH issues (37339):
- Ensured that all devices are able to clear a public key. This was not consistent over all devices.
- Ensured that SSH worked correctly over all user models.
- Improve SSH public key identification (RSA) and validation.
- Fix an "off by one" issue in the web UI for the maximum key material size.
- Fix a memory leak in the "set user public_key=(server):(file)" handling.
- Improve error and trace messages when downloading SSH public keys via CLI (tftp) or configuring them in the web UI.

Fix an issue where SSH and the suppress login feature are not working correctly together. (37483)

Fix a long-standing settings class RCI bug that affects settings restore, custom defaults and iDigi configuration of the failover feature. The TCP test destination port was not being correctly set, which left in place the previous value that was defaulted or set via CLI or web UI. (36372)

Fix a problem in which the Ethernet driver might lose synchronization between its interrupt handler and its packet receive processing thread. This could cause received packets to be held in the driver's receive buffer ring and not passed to the network stack in a timely manner. Under such a condition, network communication might appear to be broken for network protocols and applications. (35638)

Fix a problem in which the iDigi discovery tool uses the Wi-Fi interface MAC address as the iDigi device ID. The required iDigi device ID is based on the Ethernet MAC address. The problem affects only products that have a Wi-Fi network card as a second LAN interface, when that interface is used for iDigi discovery. (35697)

Fix a problem for the Industrial Automation (IA) feature in which the full settings were not properly restored from a backup file. (35891)

Fix a possible panic that occurs while configuring the primary network interface (Ethernet) and saving the changes to NVRAM. (35715)

Fix a bug in uudecodeToFile() that causes RCI file transfers to fail when

Fix an IA Modbus problem in which a buffer was being freed twice when a message send failed because the network connection was down. This could result in a panic reboot. (32914, 34800)

Address issues in the Wi-Fi support.
- Fix a bug in which the BSSID is not being randomly generated when creating an ad-hoc network. (33819)
- Fix a bug in the Wi-Fi driver that caused duplicate packets to be sent. (32292)
- Fix a bug in the Wi-Fi driver ad-hoc mode, caused when the unit sends a probe_response and receives an ACK, followed thereafter by the 500 ms timeout.
- Fix WPA/Wi-Fi driver issues related to problems in the handling of 4-Way key exchanges, uncovered through UNH Interoperability testing. (24015, 24030, 28561, 28562, 29455, 31391, 31392)
- Fix Wi-Fi driver failures for UNH interoperability. (28659, 23903)
- Fix a multirate Wi-Fi defect (protection mode) using AES on b/g WLANs, which caused high packet loss.
- Fix Wi-Fi driver issues related to Cisco LEAP+WEP.
Fix a problem in which the Industrial Automation "Hostname" was not properly set on a configuration restore. (34086)

Fix a bug in which the Digi device might panic (reboot) when using the CLI command "certmgmt" to generate a key for SSH. (33249)

Fix a bug in which the cold start trap is sent every time the user enables "Generate cold start traps" in the web page or the CLI. (33655)

Fix a pmodem feature problem for which, under some conditions, an ATDT command (that normally works correctly) stops working. (34433)

Modify SSH to prevent an initial false SNMP login failure trap when the SSH client connects with the "none" authentication method. (1278304)

Fix issues in the SSH service implementation:
- Eliminate possible memory leaks when loading DSA/RSA keys.
- Fix a failure to disconnect and report the reason to the client when the maximum number of authentication failures is reached.

Fix a bug in the DHCP client that accumulates small network buffers on the DHCP client's internal information structure. This occurred for options received from a DHCP server that are unrecognized by the DHCP client. These buffers are now freed to avoid gradual memory depletion.

Fix an issue where the Send Character Immediate IOCTL was not getting a response, causing a RealPort hang. (32061)

Eliminate some unneeded information from the configuration backup file. (32511, 32512)

Fix Modbus IA engine support of 802.15.4 radios. (30733)

Fix the Modbus Web UI misalignment of the Master to Table Relationship. (31803)

Check if enough free memory is available to handle a firmware update from the iDigi Server (Connectware Manager) and return an appropriate error response if not. (31321)

Fix a bug that limited the length of the primary SNMP destination field in the SNMP Settings web UI. (31895)

Add a change to work around a problem in which Digi products do not accept gateways from Apple's AirPort Extreme when the Digi product is configured as a DHCP client and the Apple device is the DHCP server. (31166)

Improve a condition under which client-initiated connections to the iDigi Server (Connectware Manager Server) won't start unless the "Reconnect after..." box is checked. (31885)

Eliminate several memory leaks.

Fix a bug in which login success and failure traps were not being sent via SNMP when a user logs into the device using SSH. (32161)

Fix a memory leak that may occur when DNS lookups are performed. Although the leak is small, it can lead to memory exhaustion in systems that perform many DNS operations, such as some iDigi client configurations. (30870)

Fix a bug that could result in a USB stall condition when accessing some USB devices. Part of this fix eliminates a possible USB resource leak that could be recovered only by rebooting the Digi device.

Implement RFC-specified validation for a hostname, per the requirements for DHCP option 12. The RFCs consulted include 952, 1035, 1123 and 2132. The maximum length of the hostname is increased to 127 from 31. Support for a FQDN also has been implemented. Web UI help has been updated to describe valid hostname construction. (27588)

Fix a bug that occurs when restoring a public key: the value is set to the key plus additional bytes, resulting in a corrupt key. (27780)

Add option value ranges to the CLI "udpserial" command help. (29034)

Fix a bug in which the event log includes one or more messages that specify the wrong (misleading) system time value when the device boots. Affects devices with a real time clock. (29804)

If a public key has been enabled for SSH, allow authentication based on the key regardless of the password setting. Dynamically generate a list of accepted authentication methods based on the configuration of the device. (27834)

Fix a memory leak related to RCI requests.

Increase the general event log maximum message size to avoid message truncation. (24640)

KNOWN ISSUES

For the most consistent experience with the user interface, it is suggested that you clear your Internet cache.
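The hostname validation fix listed above under BUG FIXES names the rules (RFCs 952, 1035 and 1123, a 127-character limit, FQDN support) but not the individual checks. The validator below is an added example written for these notes, not Digi firmware code; the 63-character per-label limit and the all-numeric top-level-label rule are taken from the cited RFCs rather than from the release notes, and the sample inputs are constructed.

```python
import re

# Limits from the release notes and the RFCs it cites (952, 1035, 1123).
MAX_HOSTNAME_LEN = 127   # raised from 31 in this firmware release
MAX_LABEL_LEN = 63       # RFC 1035 section 2.3.4 (from the RFC, not the notes)

# RFC 952 label: letters, digits and hyphens, no leading or trailing hyphen.
# RFC 1123 section 2.1 relaxes RFC 952 to allow a leading digit.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_hostname(name: str) -> tuple[bool, str]:
    """Check a DHCP option 12 hostname (single label or FQDN).

    Returns (True, "ok") for a valid name, otherwise (False, reason) so the
    caller can surface a specific error instead of silently accepting input.
    """
    if not name:
        return False, "hostname is empty"
    if len(name) > MAX_HOSTNAME_LEN:
        return False, f"length {len(name)} exceeds {MAX_HOSTNAME_LEN}"
    # Labels are dot-separated; an empty label catches "a..b" and a trailing
    # dot, which option 12 does not carry (assumption for this example).
    labels = name.split(".")
    for pos, label in enumerate(labels, start=1):
        if not label:
            return False, f"empty label at position {pos}"
        if len(label) > MAX_LABEL_LEN:
            return False, f"label {pos} is {len(label)} chars, max {MAX_LABEL_LEN}"
        if not _LABEL_RE.match(label):
            return False, f"label {pos} {label!r}: bad character or hyphen placement"
    # RFC 1123 section 2.1: the top-level label is never all-numeric, so a
    # hostname can never be mistaken for a dotted-decimal IPv4 address.
    if labels[-1].isdigit():
        return False, "top-level label must not be all numeric"
    return True, "ok"


def is_fqdn(name: str) -> bool:
    """True when the name is valid and carries at least two labels."""
    ok, _ = validate_hostname(name)
    return ok and "." in name


if __name__ == "__main__":
    # Constructed sample inputs, not values from the release notes.
    for candidate in ["digi-ts4", "3com.example.net", "-bad.example.com",
                      "host_1", "192.168.1.10", "a" * 128]:
        print(f"{candidate[:24]:24} -> {validate_hostname(candidate)}")
```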
Microsoft Internet Explorer 6 Service Pack 1 (SP1) has a known problem where it displays the error message "Internet Explorer Cannot Open" when you use an HTTPS URL to access this Digi product. The following Microsoft article explains the problem: http://support.microsoft.com/default.aspx?kbid=812935

IP ADDRESS ASSIGNMENT NOTES

The Digi ConnectPort TS supports three IPv4 assignment methods:
* Static IP address
* DHCP
* Auto-IP

If a static address is enabled, it will be used. If a static address is not enabled, and DHCP is enabled, the unit will use an address supplied by a DHCP server regardless of the state of the Auto-IP configuration. If a static address is not enabled, and Auto-IP is enabled, it will be used to generate an address ONLY if DHCP is disabled, or if DHCP is enabled and a DHCP server has not responded to the DHCP query. If both are enabled, Auto-IP has assigned an address, and then a DHCP server responds, the Auto-IP address will be discarded and the DHCP address will be used.

IPv6 addresses are automatically set using the auto-configuration process. The IPv6 auto-configuration process includes creating a link-local address, verifying its uniqueness on a link and determining what information should be auto-configured. This implementation only supports obtaining IP addresses via the stateless mechanism; DHCPv6 is not supported. Site-local addresses and global addresses are also supported.

RESETTING THE UNIT

One feature of the Digi ConnectPort TS firmware is the ability for a user to both soft reset the unit and reset the unit to its factory defaults. Both functions may be invoked via the "reset" hole between the power switch and the Ethernet ports.
* If the unit is running, holding the button for a second and then releasing it will soft reset the unit.
* If the button is pressed for more than 10 seconds from the power on of the unit, it will prepare to reset the unit to its factory default state. Once the unit is prepared to reset, it will blink "1-5-1" on the red LED. Releasing the button will then reset the configuration.

ENABLING THE WEB USER INTERFACE

The embedded web user interface is ALWAYS available at the following URL:
http://ip-address-of-device/home.htm

It is also available as the default configuration interface at the following URL:
http://ip-address-of-device

ADDITIONAL INFORMATION

The configuration save and restore tools will save every configurable parameter (including IP configuration) except for some related to password authentication.

On initial boot of this device, it will generate some encryption key material: an RSA key for SSL/TLS operations, and a DSA key for SSH operations. This process can take as long as 40 minutes to complete. Until the corresponding key is generated, the device will be unable to initiate or accept that type of encrypted connection. It will also report itself as 100% busy but, since key generation takes place at a low priority, the device will still function normally. On subsequent reboots, the device will use its existing keys and will not need to generate another unless a reset to factory defaults is done, which will cause a new key to be generated on the next reboot.

IPv6 NOTES

Windows IPv6 installation
* IPv6 cannot be installed on versions prior to Windows XP
* Service Pack 2 or greater must be installed
* Enter "IPv6 install" or "netsh inter ipv6 install"
* Enter "ipconfig" and you should see both the IPv4 and IPv6 address

Windows IPv6 command line applications
* Ping6 is used for IPv6 addresses
* "%x" is used at the end of the IPv6 address to specify the Ethernet interface # used for IPv6 (run ipconfig).

IPv6 Discovery
* ADDP currently only supports IPv4
* To find the IPv6 address of a unit, use ADDP to discover the unit and go to the web page using the IPv4 address

HTTPv6
* Internet Explorer and Mozilla Firefox do not let you enter the IPv6 address as a URL; you must use an FQDN.
* Units do not support DDNS, so you have to manually add an IPv6 DNS entry before you can access the unit via HTTPv6
* Linux users can specify static computer host name to IP address mappings in network configuration => hosts to access the unit via HTTPv6

HISTORY