RSA-Series  
Version 2.2 software Release Notes

---

Notes and warnings:

1. These release notes apply to all models of the RSA-series.

2. Older RSA-4122 models from early 2017 and before, do not have sufficient storage space for the latest
    software images. For these units  download the "s"  version of the firmware.

3. The standard images do not contain BGP routing software. Firmware with BGP support is available on request.

4. When you update from versions 2.2.1, 2.2.2 or 2.2.3 to a newer version, you can get the message "this
    firmware version is not supported on this hardware configuration...". This is due to the firmware check
    being too strict for some hardware versions. 
    To disable the firmware check, you can use the shell command: dbctl set /update/firmware_check false.
    After update to a newer (2.2.4 or higher) version, you can turn on the firmware check again by means
    of the shell command: dbctl set /update/firmware_check true.

---

Version 2.2.14
(release date: January 30, 2024)

New features

• Added LTE Band 28 operation for units with SIM7600G-H WWAN module.
• Added Manual WWAN operator selection by PLMN code.
• Added SHA384 authentication algorithm for OpenVPN setup.
• Added option for "custom configuration" of OpenVPN profile.
• Added detection of 'locked state of ppp process' to watchdog.
  
  

Bug fixes

• Fixed false "No SIM present" warning after cold boot or rebooting units with SIM7600 G-H modules.
  
  

---

Version 2.2.13
(release date: October 10, 2023)

New features

• Added priority to incoming and forwarding firewall entries. This allows for manipulating the order of rules as
  set by the system. When no priorities are set (Priority 0), the system determines the order of the rules.
• Added SHA-224, SHA-256, SHA-384, SHA-512 and AES-192, AES-256 modes to SNMPv3 config options.
  
  

Changes

• Ethernet hardware switching mode is disabled during the boot process. This prevents traffic at one
  port from temporarily leaking to other Ethernet ports.
  
  

Bug fixes

• Added defaults ("Any") to the interface fields of the forwarding firewall. This stops the warnings at
  boot time when no interfaces were configured.
   
  

---

Version 2.2.12
(release date: June 30, 2023)

New features

• Added 'Modbus TCP to Modbus RTU conversion' to serial port gateways.
• Added Action scripts to be run from command line, task scheduler and network monitor.
• Added custom name fields to physical Ethernet port setup.
• Added custom names of WAN interfaces and Eth ports to SNMP ifXtable.
• Added configurable port number for DHCP relay (Server address = <ip address>[:<port>]).
• Added back-up of configuration file to prevent loss of configuration on power fail while writing
  in flash memory.
• Added configurable Restart delay to prevent unit from restarting immediately after shutdown
  invoked by "Loss of Power detection".
• Added selection of in/out interfaces to Firewall forwarding filter rules.
• Added "tc-cake" traffic shaper that can be used for WAN connections with low bandwidth in
  order to reduce high latency times caused by devices streaming data upstream at a rate at or
  above the WAN upstream rate. For now, tc-cake is to be configured via the "iptables.post" script.
  

Changes

• Changed internal timing of "return to factory defaults" push button detection to reduce the risk of
  accidental factory defaults events caused by external electrical surges.
• Changed hibernate timer to allow for hibernate times longer than 24 hours.
• Improved status feedback after invoking firmware download and flashing via curl script.
• Shutdown after "Loss of Power detection" can now be disabled by setting the Shutdown delay to 0.
  In this case only the alerts are send (when enabled).
  

Bug fixes

• Fixed bug in execution of the "Test Script" that required the "Test Script" button to be clicked twice
  in order to run the script with the changes just made.
• Fixed the control of the I/O output contact (relay) when used for alerting.
• Fixed routing errors on WAN fail-over when two or more WAN interfaces shared the same gateway address.
• Fixed bug in ML620 (LTE450 WWAN module) driver. In v2.2.11 the WWAN connection will drop every 5
  minutes due to wrong reporting of the "attach state" which causes a time-out and forced disconnect.

---

Version 2.2.11
(release date: December 20, 2022)

Known Issues

The WWAN connection of the RSA-4222WU (LTE450) models will drop and reconnect every 5 minutes.
   This has been corrected in Version 2.2.12.

New features

Added Mac (port based) authentication with RADIUS access. This feature is similar to
   "MAC authentication bypass" (MAB) of 802.1X port based authentication.

Added support for alternative mode for setting up "private" WWAN connections.

Added "Hibernate" feature to put the unit into low power mode for a defined amount
   of time. Can be initiated via command line and task-scheduler.


Changes

Changed behaviour of RADIUS client to prevent long delays when RADIUS server is not
   available.

RADIUS and Tacacs+ settings now have individual port numbers for primary and
   secondary servers.

Bug fixes

Fixed bug in the termination of PPPoE over an EthWAN VLAN interface. LCP termination
   and PADT now are sent to remote side before the link goes down.

Fixed bug in reboot procedure that caused reboot to take 30 seconds longer.

Fixed bug in hardware detection of older RSA-1020DW (rev1) units that caused
   firmware vs hardware mismatch error message.

---

Version 2.2.10
(release date: October 5, 2022)

New features

Added "Network monitor fail" event to Alert messages.

Network Monitor ping count is now user configurable.


Changes

Network monitor ping interval changed from 0.5 sec to 1 sec.

Network monitor starts 5 minutes after reboot to suppress "fail" messages
   directly after device boot.

Removed account log hash from table in web interface.

Improved info in local en remote (Tacacs+) account log messages.

Bug fixes

Fixed WAN failover problem when two WAN interfaces have the same gateway
   address and both WAN interfaces are up.

Fixed bug in network monitor while running in "dmp" log mode.

Fixed wrong username/password order in units equipped with SIM7600 WWAN
   modem. (Already fixed in V2.2.9.1 patched version)

Fixed accounting info on HTTP POST config change execution.

---

Version 2.2.9.1
(release date: August 4, 2022)

Change

This is a patched version of the v2.2.9 release for the RSA-4222W4 with SIM7600G-H WWAN modem.
   In this version the WWAN reversed username/password issue has been resolved.

---

Version 2.2.9
(release date: July 15, 2022)

Known Issues

On units equipped with the SIM7600G-H WWAN modem, the username and password are reversed
   in the WWAN port setup. This has been corrected in version 2.2.9.1

New features

Added Tacacs+ Authentication/Authorization.

Added Tacacs+ Accounting. 

Added access to multiple DHCP servers in DHCP relay agent mode.

Added option for using "Gateway IP address" as source address of DHCP relay agent.

Added Port Mirroring of Ethernet ports.

Added "Power restored" and "System Shutdown" alerts for use with power buffer.

Added support of multiple SNMPv3 users.

Added "New MAC address seen" alert.


Changes

ARP Table and MAC filtering list now show more detailed state information.

Improved logging of telnet sessions in account log. Note: for telnet sessions, only local
   authentication is supported.

Bug fixes

Fixed "WAN:any" interface selection for DHCP relay agent.

Fixed WWAN hangup after MVNO network error.

---

Version 2.2.8
(release date: April 20, 2022)

Changes

Web terminal now shows indication when closed on time-out. The terminal screen is restarted by pressing
   the 'Enter' key.

Changed IPsec start-up procedure to avoid time-out when starting multiple tunnels with big RSA keys in
   the certificate.

Security updates and CVE fixes

Fixed various CVEs and updated access services.


Bug fixes

Fixed SMS operation with the ML620EU WWAN modem after Dual SIM change-over.

Fixed memory leak caused by RADIUS authentication.

Fixed sending erroneous VPN "tunnel connection down/up" alert messages when rekeying the IPsec
   Phase2/Child SA while using DH group 15 or 16 for PFS.

---

Version 2.2.7
(release date: March 2, 2022)

Known issues

SMS operation with the ML620EU WWAN modem will fail after Dual SIM change-over. Sending SMS
   will operate again after a WWAN modem restart. This issue will be resolved in a following release.

New features

The WAN interfaces used for Dynamic NAT can now be selected individually.

Added "ping_restart" for (active) WWAN modem. (This feature is controlled by command line).
   Upon failing response from the pinged host, the WWAN modem will be restarted provided it is the active
   interface or the only interface in the WAN failover list. The ping address(es) as set in the WWAN entry
   for WAN failover will be used.

Increased the amount of configurable NTP server addresses from 2 to 4.

Bug fixes

Fixed bug in NTP client (NTP server connection stopped when non-resolvable name was entered).

Fixed bug in network monitor (check failed when same IP address was also used for WAN failover check).

Fixed "Interface List" indexing (used for Static routes and Network monitor).

Fixed DNS addresses received from the network by ML620EU WWAN modem.

Fixed SMS operation of ML620EU WWAN modem (see Known issue for Dual SIM operation).

---

Version 2.2.6
(release date: January 21, 2022)

Known issues (fixed in V.2.2.7)

When the same IP address and interface are used for both ping check of the WAN failover and the
   ping check of the Network Monitor, then one of the checks may fail. Use different IP addresses for
   each of these checks.

The indexing of the list of gateway interfaces for static routes and network monitoring contains a bug.
   After a reboot, or after removing WAN interfaces, the gateway (when selected from the 'Interface list')
   may point to a different interface than originally selected. This issue will be resolved in the next release.
   Note that settings for which the 'Interface list' was used, may be incorrect and may have to be
   configured again after loading new firmware.

NTP server connection will fail when a non-resolvable name is entered for one of the two DNS servers.

New features

Added support for ML620EU LTE450 WWAN module for utility companies.

Added 'Loss of Power' detection by means of the CI contact input. Note that a UPS, backup
   battery or Power supply buffer unit is needed.

Added 'Loss of Power' alert to Management>Alert messaging>Alert rules page.

Added automatic recovery of internal USB failures caused by surges or EMI/RFI events.

Added 'Boot reason' field to Management>Alert messaging>History page.

Changes

Reduced WWAN down time on scheduled WWAN reconnect and operator-initiated WWAN reconnect.

Added 'Loss of Power' trap information to SNMP MIB file.

Bug fixes

Added attributes to XML Schema file for correct XML validation of V.2.2 configuration files.

Fixed detection of 1x20M-A2 add-on board.

---

Version 2.2.5
(release date: November 18, 2021)

Changes

Added the reason for an unsuccessful WWAN PDP context activation or PDP context deactivation in
   the log for SIM7600G-H module.

Bug fixes

Added SIM7600G-H initialisation to set the module's MTU to 1500 in all cases.

Fixed WWAN issue with changing from a wrong/invalid APN to a correct APN.

---

Version 2.2.4
(release date: October 12, 2021)

Known issues (fixed in V2.2.5)

"W4" versions with the SIM7600G-H WWAN module may have MTU issues depending on the mobile
   operator. The WWAN MTU may have to be changed to 1430.

When changing from a wrong/invalid APN to a correct APN the WWAN data link may sometimes not
   be initiated until a full device reboot.

New features

Added RFC 4638 MTU negotiation for PPPoE links over EthWAN. This enables MTU sizes up to 1500.

Changes

Changed behaviour on accidental reset of internal GPIO expander. GPIO expander will be re-initialised
   instead of forcing a device reboot.

Changed behaviour upon loading wrong firmware version: no forced reboot will follow.

Changed the "model vs firmware check" to be less strict in order to avoid false negatives.

Reduced reconnect-time after operator-initiated forced WWAN data reconnect.


Bug fixes

Fixed VPN LED behaviour upon re-authentication of multiple IPsec tunnels at the same time.

Fixed setting of SHA256 authentication algorithm for OpenVPN.

Fixed device entering RS232 console mode after firmware update.

Fixed SIM7600 occasional hang-up and added additional WWAN control watchdog.

Fixed RADIUS handling of unknown attributes or unknown vendor-specific attributes.
   Unknown attributes are now ignored.
 

---

Version 2.2.3
(release date: August 27, 2021)

Known issues (all fixed in V2.2.4)

After a firmware update, the unit will restart in console mode on the RS232 port.
   Console mode will be disabled again after the first reboot.

The "model vs firmware check" which checks if the firmware matches the hardware, in some cases
   is too strickt. To disable this check, use this shell command: 'dbctl set /update/firmware_check false'

Selecting authentication algorithm SHA256 for OpenVPN will fail.

Internal SIM7600G WWAN modem may stop operation occasionally which may require a device
   reboot to resolve.

The VPN LED may remain off after a re-authentication of multiple IPsec tunnels at the same time.

RADIUS authentication can fail after receiving an unknown attribute or unknown vendor attribute.

New features

Increased maximum string size for sysname, syslocation and syscontact from 32 to 64.

Model check upon Firmware uploads. (loading firmware for wrong model is refused by default).

Model check upon Config file uploads. (loading configuration file for wrong model is refused by default).


Bug fixes

Fixed stacktraces after closing 'atcom' command line tool.

Fixed Ethernet re-init on link-up.

Fixed APN name check on changes of APN configuration in "W1" WWAN versions.
 

---

Version 2.2.2
(release date: July 14, 2021)

New features

Added support for "W1" WWAN versions.


Bug fixes

Fixed WWAN port initialisation directly after firmware update.

Fixed upload of firmware and settings files with brackets in the file name.
 

---

Version 2.2.1
(release date: June 30, 2021)

Known issues

Directly after a firmware update to V2.2.1, the WWAN port of the "W" versions will not be
   activated properly. After the first reboot of the unit, the WWAN port will be operational.

This software version is not suited for the "W1" WWAN versions.
   The "W1" versions will be supported in the next software release.    

New features

Added "enable" parameters to scripts so that running a script (Boot_post, Firewall_post and
    SMS_control) can be enabled/disabled by means of a single parameter in the database.

Added Network monitoring tool which allows for checking individual hosts via LAN or WAN
   interfaces of choice. The results can be seen in the web interface and via SNMP.

Updated MIB file with OIDs for Network Monitoring tool.

Added info on type and size of system Flash memory in database at /system/info/flash

Added "Do not verify SSL certificates" option for "Update from remote server". This allows
  for (less secure) downloads from https web servers without having to load the CA certificate
  or certificate chain of the web server.

Added monitoring and storage of settings of the Flow cache mechanism (hardware acceleration)
  for debugging purposes.


Changes  

Improved handling of SIM errors at boot time with older (slower) SIM cards.

Improved handling of connection mode for WWAN "Connect On Demand" mode.  

Improved "early detect of WWAN module" to speed up module startup.  

Improved SNMP response time for Bridge-MIB and MuLogic RSA-MIB OIDs.  

Added feedback of download errors upon a failed "Update from remote server" action.

Added enable/disable(default) of nvram writing in PLS8-E WWAN modem. Upon update from V2.1
  firmware, those settings that were already written in nvram will not be overwritten.  

"Last seen" info of ARP table is no longer stored in settings file but as a separate file.
  This change drastically reduces the frequency of writing in flash memory.  

Increased time-out for WWAN data attach.


Bug fixes

Fixed SNMP "rsaWwanSwVer" OID.  

Added "UTC" time zone and corrected some time zone names (names with spaces were truncated).

Fixed MTU setting of WWAN data interfaces.  

Fixed static routing via EthWAN interfaces.

---

Version 2.2.0
(release date: April 12, 2021)

Known issues

This software version is not suited for the "W1" WWAN versions.
   The "W1" versions will be supported in the next software release.    

New features

XFRM interfaces for IPsec tunnels

   The standard way for IPsec to determine what traffic is destined
   for the tunnel is by means of security policies. These policies
   have priority over routes, which means that the normal routing
   table has no influence over what traffic is encrypted.

   This can be confusing and cumbersome, for example when traffic is
   to be directed by means of a routing protocol.
   A way to overcome this problem is to let the IPsec tunnel terminate
   at a local virtual interface. This interface can be given an IP
   address but can also be used without IP address. We refer to this
   as "Route-based IPsec", as opposed to "Policy-based IPsec".

   With route-based IPsec, the actual IPsec tunnel still will be
   policy-based so that one end can have the tunnel terminated at an
   xfrm interface and use normal routing, while the other end uses the
   security policy to determine where the traffic goes.

   The default policy for route-based IPsec is 0.0.0.0/0 to 0.0.0.0/0
   for all types of traffic. The policy can be changed at will in order
   to facilitate a policy based remote or to distinguish the various
   tunnels in a hub-spoke configuration that are using the "anonymous
   address" mode.

MAC address filtering

   MAC address filtering adds an extra layer of protection for access
   from devices connected to the local LAN ports. Access is based on MAC
   address rather than IP address.

DHCP Relay Agent

   A DHCP Relay agent allows DHCP clients to reside on a different network
   than the DHCP server.

Hashed passwords for management access
  
   Passwords for management access of the unit can now be hashed before
   stored.

SMS control

   All models with internal WWAN modem or support for external WWAN
   modems now can be controlled via SMS. Commands for reboot, WWAN
   on/off and DSL on/off are standard. More can follow on demand.
   Custom made SMS commands can be created by means of a script.
   All entries of the settings database and all shell commands are available
   for script-based SMS control.

Support for Dual-SIM WWAN versions

   Dual-SIM versions support automatic failover between two SIM cards.
   Various criteria for failover action are available.

Support for external WWAN modems

   External (MuLogic) WWAN modems can now be combined with the
   internal WWAN modem in order to have two or more fully functioning
   WWAN connections at the same time. The models with USB ports and
   no internal WWAN can support up to two external WWAN modems.

Download of syslog on USB flash drive

  The syslog file that is stored on an external USB flash drive can now
  be downloaded via the web browser by means of a simple mouse click.

Changes with respect to the most recent V2.1 release

Reduced firmware image size

   The size of the firmware images has been reduced so that the full
   featured firmware releases will fit again in older RSA-4122 models
   and to allow more space for future feature enhancements.

New WWAN control software

   Support for SIM7600G-H module.
   Added graphs for 4G RSRP/RSRQ and 3G RSCP/EcIo in web interface.

Added SMNP OIDs

   - Signal and quality reporting for 3, 4G and 5G RAT modes.
   - Data counters in kbytes and Mbytes.
   - Last month data counter total in Mbyte.
   - IMEI (module) and IMSI/ICCID (SIM card) numbers.
   - Cell identification (LAC/TAC, PSC, PLMN).
   - Serial number and Hardware address.
   - Uptime (uptime of system, rather than uptime of the SNMP daemon).
   - Boot reason.

ADSL/ATM layer monitoring in watchdog
 
   The operation of the ATM layer for ADSL links has been added to the
   "DSL connection" part of the system watchdog.

IP interface name of WWAN devices

   All WWAN IP interfaces are (internally) named "wwan0", "wwan1" now.
   In previous versions this was a mix of "ppp", "usb" and "wwan" etc,
   depending on the type of WWAN modem used.