RSA-Series v2 Firmware release notes
- These release notes apply to all models of the RSA-series.
- V2.x firmware versions contain PHY software for both ADSL Annex A and Annex B.
- When upgrading from RSA-4122(W) version 1 software to version 2 software, the settings of
the version 1 software will not be used (but will remain stored).
After updating from v1 to v2 software, a new configuration will have to be made, which means
that you cannot do the upgrade from a remote location over any of the WAN ports.
(release date: October 30, 2018)
Added support of RFC 4638 for accommodating an MTU/MRU of 1500 (instead of max 1492) for PPPoE
links. The ISP's BRAS and network should support this feature as well in order for it to work.
The firewall.post script now gets passed the WAN_INTERFACE environment variable which holds the
ifname of the current active WAN interface.
Replaced ping from busybox with ping from iputils. The ping command now has all features as known on regular
Changed default MTU for WWAN ppp connections (as used for the 2G/3G PH8 module) from 1400 to 1500. MTU now can also be set for WWAN USB connections (as used on the 2G/3G/4G PLS8 and PLS62 modules).
Fixed bug in WAN failover monitor. See "Known issues" of version 2.1-3848.
Fixed SNMP (MIB-2) iftable.ifAdminStatus. Now all objects (interfaces) are supported again. Note that only
the settings of Ethernet ports Eth0-Eth3 are stored in the settings database. Also the other interfaces can
be controlled by means of an SNMP-set in iftable.ifAdminStatus, but these settings are not stored.
(release date: October 22, 2018)
In WAN failover: when "ping address 1" responds but "ping address 2" fails to respond, then the
WAN interface will be treated as "down" and the WAN interface with the lower priority will be used.
This is incorrect. The WAN interface should be declared "Up" when either the "ping address 1" or
"ping address 2" responds. This will be corrected in a new release as soon as possible.
Added support for boot.post script. This script is executed once after system initialization.
The boot.post and firewall.post scripts are now stored in the settings database and can be created,
written, read, and tested via the web interface and shell.
Added 'fwtest' shell command for manually restarting (updating) the firewall. This command (equal
to the 'Test Script' button in the web interface) can be used for testing the firewall.post script.
Added download to RSA unit of boot.post script and firewall.post script via TR-069 CWMP.
Added registers for use in boot.post and firewall.post scripts in settings database. These registers
can be created, written and read via the web interface, shell, and TR-069 CWMP.
Firewall forwarding filter rules in settings database, web interface and via TR-069.
When enabled without additional accept rules, no data will pass the router regardless of passing via
NAT routing, port forwarding, VPN tunnels or straight IP routing. Forwarding filtering is disabled by default.
Added Traffic Control (tc). The settings for tc must be made via the firewall.post script.
Added automatic generation of XML Schema Definition file for validation of configuration files.
Added WWAN status information to database. This info can now be read via TR-069 CWMP and dbctl.
Added data counters of interfaces to database. This info can now be read via TR-069 CWMP and dbctl.
Added command-line completion for dbctl commands.
Newly created firewall input rule (row) now is disabled by default. This is to prevent an "accept TCP
all-to-all" firewall input rule from being created directly upon adding a new row (object) via TR-069 or dbctl.
Changed behaviour on creation of an "accept TCP all-to-all" firewall input rule via the web interface.
All newly created rules are now disabled by default.
When no "Ping Addresses" are entered for WAN failover or when these addresses are deleted, the interface
will not be disabled any more. Failover will not work, however, when the ping addresses are missing.
The checkmark for "Load custom settings from USB flash drive" is now visible in the web interface for RSA
models with USB support.
Changed retry of TR-069 response messages to 3 times with 1 second delay.
Improved XML validation of uploaded configuration file.
Changed procedure for restoring factory defaults or custom defaults by means of the reset button.
Fixed restart of OpenVPN tunnels after WAN fail-over.
Fixed readout of xDSL Output power when values (in dBm) are negative.
Fixed timeout in TR-069 response on adding or removing static route objects.
Fixed several issues in TR-069 getParameterValues response.
(release date: July 9, 2018)
Changed log level of certain TR-069 log messages.
Changed log level of certain RADIUS log messages.
Disabled sending of IXagent keys via TR-069.
Fixed bug in syslog when hostname string (device name) contains a '%' character.
Fixed timeout for TR-069 initiated download of firmware file via slow links.
Fixed DHCP server operation on multiple LANs. DHCP services now run independently from each other.
(release date: June 26, 2018)
Added automatic loading of the custom default configuration or "pre-provisioning" file from a USB drive
in one of the USB ports (RSA-4122/4222 only).
Added upload of custom default configuration or "pre-provisioning" from script via HTTP(s) POST.
Added dbctl options to download firmware from remote site.
Added execution of shell commands via http(s).
Added 'L2 bridged mode' to GRE tunnels.
Added SNMP OIDs and traps for serial Gateway status.
Added reset to custom defaults via a "press and hold" of the reset button.
Changed behaviour of reset to factory defaults via a "press and hold" of the reset button.
Changed timing and procedure of SIM card detection to support older (slow) SIM cards.
Changed firewall IP filtering setup to prevent accidental creation of a rule to allow access from all IP
addresses to all TCP ports.
Changed DNS lookup for access to TR-069 ACS.
Changed timing in system manager code to reduce CPU load.
IXagent subscription information is now stored in the regular settings file so it can
be saved by means of downloading the "configuration with private info".
Blocked output of private data when using dbctl shell commands.
Changed handling of datastream for TCP to serial port conversion to avoid data loss in large
blocks of data.
Fixed bug that caused the RSA-4122(W) to reset when Ethernet port 1 was disconnected directly
after uploading firmware containing new reset controller code.
Fixed bug that caused failed login of newly created users with SSH key.
Fixed use of 'dbctl' shell command in web terminal.
Fixed SNMP OID for reading serial port DTR status.
Fixed system temperature readout. On rare occasions the System temperature readout
was not displayed.
Fixed setting DNS and Gateway address when only LAN interfaces and no WAN interfaces
Fixed encoding of special characters in TR-069 SOAP messages.
(release date: April 16, 2018)
Added routing table to TR-069 CWMP MuLogic branch.
Added user name to 'Configuration changed' alert messages.
Added button in web interface for creating 'Custom defaults' file.
Added button in web interface for 'Restore custom default configuration'.
Changed behaviour when clicking 'Restore factory default configuration': now all configuration files and
user-made scripts will be deleted, similar to factory reset by keeping the reset button pressed.
DTR control of serial port gateway TCP client now is configurable as option.
Changed routing table in web interface. Now the type of routing protocol (RIP, OSPF or BGP) is shown.
Moved storage of 'Software image url' to another location in the database. URLs will have to be entered again.
Added BGP status and bgpd debug output.
Fixed Odd and Even parity setting of serial ports.
Fixed long delay when opening 'Management>system time' web page.
Fixed timeout when reading 'CurrentGateway' via TR-069 for the 1st time after reboot.
Fixed unintended 60 seconds delay when changing configuration of serial ports.
(release date: April 4, 2018)
Added Role based access control for users authenticated via RADIUS (for HTTP/HTTPS and SSH shell access).
All roles can be assigned through the vendor specific "MuLogic-Login-Role" attribute. The RFC 2865 Service-Type attribute
supports the roles of "Administrator" (value 6) and "Operator" (value 7).
Added "Web administrator" user role. This role offers all permissions of "Administrator" except for shell command access.
Added "Updater" user role. This role only offers permission to update firmware and view the Device info summary.
Added "Logged-in users" to Device info web pages and "who" command to the shell interface.
Added TR-069 CPE WAN Management Protocol (CWMP) for remote device management.
Added web view (last entry on top) and raw file output of Account log.
Added page for setting system temperature threshold for alerting.
Added alert messaging of system temperature above threshold.
Added alert messaging of configuration changes.
Added SNMP OID with MD5 hash of configuration file.
Added "ANY" to protocol selection of IP filtering in firewall.
Added support for static routes over (point-to-point) network devices.
Added handling of custom default or "pre-provisioning" configuration file.
Added BGP routing protocol (Note: software with this feature is available on demand).
Added IXagent for cloud access via IXplatform (Note: software with this feature is available on demand).
Updated Annex A and Annex B PHY software for RSA units with VDSL2 support.
Updated routing daemon software for RIP and OSPF.
Increased timeout of "network ping-check" from 0.5 seconds to 1.2 seconds.
Removed IP port range restriction for serial gateways.
Changed boot reason to "Watchdog timeout" upon reboot after watchdog time out.
The saved file "configuration without private info" no longer contains user names and key files. After loading this file, the
default admin password will apply and the factory default "test certificate" is used for https.
Changed download file name for settings with private data to "backupsettings-priv.xml".
Changed formatting of file for account log download to facilitate text editors like Wordpad.
Increased maximum length of host names for Watchdog Network check to 128 characters.
IPsec key manager is disabled completely when no IPsec profile is enabled.
Various text changes and additions of information in web pages.
Fixed ospfd SEGFAULT message when OSPF operation is disabled.
Fixed reporting of line attenuation in ADSL Annex B mode of ADSL/VDSL2 models.
Fixed RADIUS authentication for SSH login.
Fixed VPN LED behaviour when openvpn tunnels go down. Now the alert manager is triggered and the VPN LED turns off.
Fixed support for HTTPS certificates without a trailing newline.
Fixed HTTPS mode for firmware download from remote web server. Note: a root CA (public key) of the remote server must
be added to the list of CA certificates.
Removed "X-Frame-Options: SAMEORIGIN" header from HTML pages. This gave problems when showing the Web interface
in an I-frame.
(release date: December 12, 2017)
Watchdog Network check now also supports host names besides IP addresses.
Added description and enable check box to static routes setup.
Added support for Broadcom-based ADSL DSLAMs with 'Nitro' mode (ATM compression) enabled.
Changed behaviour when uploading wrong file type (or empty file) as configuration file.
Changed order of presentation of SNMPv3 Auth and Privacy settings in web interface.
The error message when adding ADSL interfaces with duplicate VPI/VCI now appears when
the interface is enabled instead of when created. Now multiple (disabled) DSL interfaces
with the same VPI/VCI can be stored.
(release date: November 23, 2017)
The URL for firmware update from remote server in the web interface is now stored after
having been used. It will be changed by writing a new URL.
Added means to store pre-provisioning configuration. This configuration is not deleted
at a "factory defaults reset" via Web interface, command line or TR-069 RPC.
Note that this configuration is deleted on resetting to factory defaults by means of
keeping the reset button pressed.
Relaxed the communication timeout while uploading firmware images.
Updated web server software to add latest security improvements.
Added to some security related HTTP headers.
Improved firmware upload while low memory available.
In ADSL Bridge mode, now both untagged ATM interface and VLAN tagged ATM
interface are added to the LAN bridge. This allows for using either untagged
or tagged VLAN over ATM without changing configuration.
Improved behaviour of WWAN interface on change or forced refresh of IP address.
On some mobile networks the WWAN link fell back from 4G to 3G on change of
Fixed problem with connecting to certain SMTP servers for email alerts.
Fixed usage of "Domain" option in DHCP server mode.
Fixed re-initialisation of static routes when WAN interface changes (manual or fail-over).
Fixed OpenVPN P2P TCP-server mode.
(release date: October 4, 2017)
Added Local ID to IPsec IKE configuration when using certificates for authentication.
Added Ethernet port control (enable/disable) via SNMP (MIB2 IfAdminStatus).
Added readout of Ethernet attached MAC addresses via SNMP (parts of Bridge-MIB).
Added warning message when too big firmware images are uploaded.
Added WAN interfaces to interface lists of RIP and OSPF setup.
Added support for new revision of Cinterion 2/3G modules.
Added internal hardware integrity check.
Ethernet device status is shown as 'disabled' instead of 'down' when disabled.
Changed log level of DHCP and WWAN connect events.
Removed reference to "USB syslog" on hardware versions without USB ports.
Removed /netmask from WAN addresses in e-mail and SMS alerts.
Fixed accidental "return to factory settings" on power surge or static discharge.
Fixed reconnect of DSL link after both short and long line interruptions.
Fixed temporary loss of connection of DHCP enabled WAN ports on DHCP renew.
DHCP renews are ignored when the IP address has not changed.
(release date: June 12, 2017)
Added field in WWAN setup page to enter PUK code in case of blocked SIM card
after 3 consecutive activations with wrong PIN code.
Added Enable/disable checkmarks for SNMP-invoked firmware and config file
download from remote server.
Added hardware revision number (Rev1.3) for new RSA-M1 main boards with 16MB flash.
Changed "Management>Services" menu: added submenus for HTTP, SNMP and Shell.
Improved firmware update procedure to allow updates on systems with low memory.
Removed reference to "USB syslog" on hardware versions without USB ports.
Fixed bug that caused firewall updates to fail when starting IPsec profiles with missing
"Remote network" entry.
Switched SNMP OID's vpnTunAdminStatus and vpnTunOperStatus objects to match the
(release date: May 29, 2017)
Ethernet WAN port in DHCP mode will have IP address 192.0.2.1 until valid
DHCP lease is obtained.
Added SNMP-invoked config download from remote server.
Added extra debounce for contact input sensor.
Added Request ID (reqid) to IPsec status overview.
When an Ethernet port is configured as WAN port this WAN port will become
active immediately (in DHCP client mode with default IP address 192.0.2.1).
DHCP host name of EthWAN port is product name by default or System name
Fixed automatic cert name generation after loading CA cert via SCEP.
Fixed showing DHCP lease info of DHCP clients without host name.
Fixed WWAN connection monitoring of 4G (W4) versions.
(release date: May 2, 2017)
Added IPsec failover to multiple remote peers in a single profile. Multiple peer addresses can be
added (comma separated) in the peer address field. The first entered address is tried first. If
connection fails, then the next entered address is tried, etc.
Added priority for IPsec profiles with equal crypto and Phase2/Child-SA configuration to different
peer addresses. This can be used for IPsec failover operation by using two profiles. The remote
peers must be individual IPsec devices. If the remote peer is a single device that can be accessed
via different IP addresses, then the priority must be equal or left at 0. The lowest number stands
for the highest priority. If the priority is equal, then the last established IPsec tunnel will be the
active one. If the priority value is 0 then the priority is calculated automatically by the system.
Enabled IPsec IKEv2 MOBIKE operation for rapid handover of IPsec tunnels in case of a local WAN
port change caused by a WAN failover action. In IKEv1 mode or when IKEv2 MOBIKE is disabled,
all IPsec tunnels will be restarted on a WAN failover action.
Added generation of private Key and Certificate Signing Request for local certificates.
Added online certificate enrollment by means of SCEP.
Added online CA certificate retrieval by means of SCEP.
(release date: March 28, 2017)
Added alerts (SNMP-trap, email, SMS) for failed authentication.
Added automatic detection of PPPoE over untagged or VLAN tagged ATM channel.
Added filtering to prevent data to remote networks over IPsec tunnels from being routed to the WAN
port when the IPsec tunnel is down or reauthenticating in IKEv2 mode. This prevents loss of
TCP/IP connections during IKEv2 reauthentication.
Added "empty" rc.local and firewall.post scripts.
User names for HTTP(s) access are now limited to 32 characters to prevent syslog cluttering with
oversized user names.
Changed setup of WWAN data connections to speed up "on demand" mode for failover operation.
Updated RSA-series SNMP MIB with reference to Authentication failure (loginFailure) trap.
Added configurable IPv6 enable/disable. IPv6 is now disabled by default until needed.
Fixed status messages in WWAN setup menu.
Fixed WWAN lockup caused by temporary loss of Mobile Network service.
(release date: March 14, 2017)
Added "Source address rewriting" to Port Forwarding. This allows access to devices in a LAN
without the need for these devices to set the router's address as gateway.
Added means to disable "reauthentication" for IKEv2 mode of IPsec and do "rekeying" instead.
Changed type of internal interface for LTE (W4) versions of WWAN routers.
Improved data throughput in 4G/LTE wwan mode.
Fixed activation of configured default route and static routes after reboot.
Fixed immediate loading of CA certificates for IPsec without the need of a reboot.
Status messages in WWAN setup menu may falsely indicate "Initializing" and "Connecting".
This will be fixed in the next release.
(release date: February 6, 2017)
Added facilities for /config/firewall.post (iptables) script which gets executed each time the
system reconfigures the firewall. This can be used to add firewall (iptables) rules that are
not supported by the regular user interface. Contact MuLogic for additional information.
Changed internal handling of rows in tables of the settings database. Now a row added to
an empty table will always start with index 1 and added rows will start at the lowest
available index number. This is done for clarity in using the dbctl shell command.
The kernel routing cache now is flushed actively on changes in the routing table like during
WAN failover and network checks.
WWAN data limits and counters now only can be changed or reset by users with Admin role.
Manually configured default route and static routes are not activated properly after reboot.
This will be fixed in the next release.
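An added example, not MuLogic code and not part of the original release notes: a sketch of a firewall.post script as described in this release, which is re-run at every firewall reconfiguration and, per the 2018 entry at the top of these notes, receives the active WAN ifname in WAN_INTERFACE. It assumes a POSIX shell and a standard iptables binary on the unit; the chain name POST_WAN and the LAN prefix 192.168.1.0/24 are constructed values.

```sh
#!/bin/sh
# firewall.post sketch (added example; not vendor code).
# Assumed: POSIX sh and a standard iptables. WAN_INTERFACE is exported by
# the firmware; CHAIN and LAN_NET below are constructed for illustration.

IPTABLES="${IPTABLES:-iptables}"   # override for a dry run or for tests
CHAIN="POST_WAN"                   # hypothetical private chain name
LAN_NET="192.168.1.0/24"           # constructed LAN prefix

# Accept only a plausible Linux interface name: 1-15 characters, no leading
# '-', nothing that iptables could read as an option or a shell as syntax.
valid_ifname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Start from an empty private chain on every run. The script is executed at
# each firewall reconfiguration, so rules written for a previous WAN
# interface (for example before a failover) must not pile up.
reset_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN" || return 1
    for hook in INPUT FORWARD; do
        # Remove an old jump if present, then put exactly one at the top.
        $IPTABLES -D "$hook" -j "$CHAIN" 2>/dev/null || true
        $IPTABLES -I "$hook" 1 -j "$CHAIN" || return 1
    done
}

# Anti-spoofing: a packet that arrives on the WAN side must not carry a
# source address from the LAN prefix.
apply_wan_rules() {
    wan="$1"
    if ! valid_ifname "$wan"; then
        echo "firewall.post: WAN_INTERFACE missing or invalid, nothing added" >&2
        return 1
    fi
    reset_chain || return 1
    $IPTABLES -A "$CHAIN" -i "$wan" -s "$LAN_NET" -j DROP
}

# Act only when the firmware supplied the variable.
if [ -n "${WAN_INTERFACE:-}" ]; then
    apply_wan_rules "$WAN_INTERFACE"
fi
```

Setting IPTABLES="echo iptables" prints the commands instead of applying them, which is a convenient check before using the 'fwtest' command or the 'Test Script' button mentioned in the later releases.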
(release date: January 30, 2017)
Changed behaviour when removing (default) 'Admin' account. Now when there is another user
with 'admin' role, no new (default) account will be made for username 'admin'. When there is
no other user with 'admin' role, a default account will be made for username 'admin'.
Swapped RxD and TxD LEDs on RSA-1x20D versions.
Fixed wrong system temperature reading on RSA-4x22 units with Rev2.0 Add-on board.
Fixed inadvertent error messages when adding or deleting users.
(release date: January 23, 2017)
Added automatic detection of other DHCP servers in the connected LAN to avoid DHCP server conflict.
When enabled, and other DHCP servers are found, the local DHCP server will be disabled automatically.
Added "Enable" checkmarks for controlling Static NAT (Port forwarding) rules.
Moved position of Certificates menu from "Setup" to "Management" in web interface.
Moved position of "Manage users" and "Services" directly under "Management" in web interface.
Improved throughput of "W4" (4G/3G/2G) WWAN devices.
Enabled multicast traffic type on GRE tunnels for RIP operation.
Allow for changing remote syslog server without having to disable/enable first.
Changed display of contact-out status to reflect the actual state instead of the set state.
Added additional WWAN modem status information.
Various text changes in web interface.
Fix for proper IPsec IKEv2-SA rekeying with older Cisco ASA firmware (bug in ASA software).
Fixed handling of X.509 certificates with "non printable" characters in T61 instead of UTF-8 format.
Fixed bug in IPsec IKE exchange with PSK when changing from specified Remote Identifier to "any" Remote identifier.
Fixed lock-up in System Alerts when too many alerts are generated in a short time.
Fixed saving the contact output state in flash.
Fixed bug in dbctl command when changing the value of some objects.
Fixed automatic reconnect when manually changing WWAN access (2G/3G/4G) mode.
(release date: December 14, 2016)
Added SNMP OIDs for serial gateways and xDSL.
Changed SMS and email alert message content.
Fixed ping and traceroute tool in web interface for working with hostnames.
Fixed stacktrace when accessing WWAN SNMP OIDs on units without WWAN.
(release date: November 28, 2016)
- Added SNMP OIDs for WWAN data usage and data limit.
- Changed xDSL BERT test page.
- WWAN interface now is disabled by default (when not yet configured).
- Improved stability and memory usage.
(release date: November 16, 2016)
- Added OSPF routing and added features to RIP routing.
- Added OSPF and IGMP types to firewall protocols.
- Added RADIUS authentication for (admin) access control.
- Added RAW syslog view in web interface.
- Added "task scheduler" for reboot and restart of PPP connections.
- Added basic "terminal" command line interface to Tools in web interface.
- Added static IP address configuration for PPPoE over EthWAN interfaces.
- Added support for PPPoE over VLAN for ADSL links.
- Added local loopback address to serve as local IPsec end-point.
- Added several OIDs to SNMP agent. (New MIB available).
- Updated IPsec IKE manager software.
- Updated device drivers for improved performance and stability.
- Added features to RIP configuration menu.
- Added ifname to GRE tunnels (for lookup).
- Added MTU setting for GRE.
- Changed IPsec "idle" state to "connecting" if appropriate.
- Moved some IPsec debug string to "warning" level for better
troubleshooting of IPsec config errors.
- Improved routing throughput.
- Changed Dynamic NAT (IP masquerading) from global to "per LAN"
- Added option "none" for OpenVPN Layer 2 (tap) mode LAN bridge assignment.
- Changed NTP and DNS server check algorithms to reduce data traffic.
- Fixed WWAN data counters that did not work after counter reset.
- Fixed system alerts for vpn tunnel Up and Down.
- Fixed OpenVPN UDP mode.
- Fixed individual enable/disable of recipient types for system alerts.
- Fixed IPsec DH1 (modp768) mode.
- Fixed bug that caused serial RS232 port to block after use of the serial CLI.
- Fixed SNMP sets in RSA-series MIB.
- Fixed "reboot" from command line to do a proper shutdown and reboot.
- Fixed DTR and DCD LED control.
(release date: July 12, 2016)
- Increased WWAN network registration time-out from 45 to 120 seconds.
- Increased WWAN data connection time-out from 30 to 60 seconds.
- Fixed DHCP lease time setting.
(release date: June 27, 2016)
- Changed OpenVPN info (details) page.
- Added OpenVPN "exit notify" to signal the remote peer that a tunnel has been disabled.
- Added restart of WWAN link on certain SIM card error messages.
- Moved Tools>DSL>BER test to separate page.
- HTML text changes.
- Fixed bug in Tools>Network page. Now other WAN interfaces can be selected.
(release date: June 20, 2016)
- Changed PPP timeout from 15 to 60 seconds.
- Changed items shown in IPsec and OpenVPN tables.
- Added bootloader version to summary page.
- Several changes in text of HTML pages.
(release date: June 14, 2016)
- Changed IP filtering page: Added warning when IP filtering is disabled.
- Changed IP connection state overview page. (now the tunneled nets are shown).
- Changed RSA-1020DW signal level LED thresholds.
- Added text to Firewall and NAT setup html pages.
- Several changes in text of HTML pages.
- Fixed bug in PPPoE over PTM (VDSL2).
- Fixed IP filtering page (hide shortcuts when filtering is disabled).
- Fixed IPsec connection state details pages.
(release date: June 6, 2016)
- Changed firmware update html page.
- Change in firmware upload procedure to prevent settings made just before firmware update from not being saved.
- Added system name and WAN IP address to email alerts.
- Added text to Firewall and NAT setup html pages.
- Fixed limitation to 1 LAN bridge for units with one Ethernet interface. All 4 LAN bridges are available now.
(release date: May 30, 2016)
- Updated RSA-1020DW profile.
- Added RSA-1120D, RSA-1120D, RSA-1120(W) and RSA-1220(W) profiles.
- Changed memory management parameters to prevent unused but fragmented
memory from growing too big.
(release date: May 24, 2016)
- Allow configuration of custom MAC address for IPoE interfaces.
- Allow configuration of static IP addresses for PPPoA and PPPoE interfaces.
- Disabled DSL interface now shows 'Disabled' in status field instead of 'Starting'.
- Fixed RIP routing daemon.
(release date: May 2, 2016)
- Added remote network configuration to GRE tunnel setup page.
- Firewall drop(deny) rules now have priority over accept(allow) rules.
- Traceroute and ping tools now remember last selected gateway.
- Various text changes, additions and clarifications in web interface.
- VPN LED is not turned On when GRE tunnel is activated.
- Fixed bug that caused reboot when immediately sending email alert at startup.
- Fixed bug that caused firewall rules to disappear when source address fields are
left empty in IP filtering and Static NAT setup.
(release date: April 19, 2016)
- Added firewall configuration option to control routing between LAN bridges.
- Added LAN bridge selection for Layer 2 OpenVPN tunnels.
- Updated xDSL PHYs to latest version.
- xDSL SRA feature enabled by default.
- Only restart-on-idle for "active" IPsec connections.
- Ignore non-digit characters in SMS number fields.
- Increased maximum string length of IPsec PSK to 128 characters.
- Textual changes in web interface.
- Removed irrelevant syslog message when adding or removing users.
- Renew xDSL CO vendor ID after xDSL line down.
- Fixed display of multiple IPsec child SAs (Phases 2).
- Fixed xDSL Dying Gasp signalling on reboot, firmware update and watchdog time-out.
- Fixed GRE tunnel operation.
- Fixed OpenVPN Layer 2 operation.
- Fixed ICMP allow/block rule. (Addresses can be entered now).
- Fixed refusal of adding VPI/VCI combination when present but not used in other DSL profile.
- Fixed memory leak problem when manually restarting xDSL link too often.
(release date: March 30, 2016)
- Added remote DSLAM Vendor ID on DSL statistics page.
- Added VDSL2 profile on DSL statistics page.
- Syslog link now opens new browser tab or page.
- Changed DSL statistics page (column alignment).
- Fixed possible stacktrace on boot.
- Fixed "upload settings" feature.
- Fixed reversed actual downstream/upstream rates on DSL statistics page.
(release date: Feb 28, 2016)
- First formal release of RSA-4222 V2.0 firmware.
- Other devices of the RSA-series will be added over time.