release notes for cradlepoint rev 21242f48cc5dde3a5de18-c192e5eeeb00e48f305665dbb83b8a03.r95.… ·...

Global Leader in 4G LTE Network Solutions 1111 W Jefferson Street, Ste. 400, Boise, ID 83702-5389 | Toll Free: +1 855-813-3385 | Local: +1 208-424-5054 | Cradlepoint.com | Page: 1

Release Notes for Cradlepoint Rev 6.3.2 Firmware

Products supported/tested

AER3100/AER3150

AER2100

AER1600/AER1650

IBR1100/IBR1150

IBR900/IBR950

IBR600C/IBR650C

Notes:

Before upgrading to new firmware, it is always a good idea to save the configuration file from your current version. This firmware version will remove a configuration for version 3.2 or lower and will not try to keep your settings.

Modems tested (new 6.2.0 modems / modem platforms are in blue text)

Cradlepoint Cellular Devices (Embedded & USB Modems)

Cradlepoint AER16x0LPE-AT / AT&T (USA)

Cradlepoint AER16x0LPE-GN / T-Mobile, US Cellular (USA); Generic (North America)

Cradlepoint AER16x0LPE-SP / Sprint (USA)

Cradlepoint AER16x0LPE-VZ / Verizon (USA)

Cradlepoint AER16x0LP4 / AT&T, T-Mobile, Verizon (USA)

Cradlepoint IBR350L / Verizon (USA)

Cradlepoint IBR350LPE-AT / AT&T (USA)

Cradlepoint IBR350LPE-GN / T-Mobile (USA); Generic (North America)

Cradlepoint IBR350LPE-SP/ Sprint (USA)

Cradlepoint IBR350LPE-VZ / Verizon (USA)

Cradlepoint IBR350P2 / AT&T (USA); Generic GSM-compatible locations (World)

Cradlepoint IBR6x0B-LP4 / AT&T, T-Mobile, Verizon (USA)

Cradlepoint IBR6x0C-LPE-AT / AT&T (USA)

Cradlepoint IBR6x0C-LPE-GN / T-Mobile (USA); Generic (North America)

Cradlepoint IBR6x0C-LPE-SP/ Sprint (USA)

Cradlepoint IBR6x0C-LPE-VZ / Verizon (USA)


Cradlepoint IBR6x0LPE-AT / AT&T (USA)

Cradlepoint IBR6x0LPE-GN / T-Mobile, US Cellular (USA); Bell Mobility, Rogers, Telus (Canada); Generic (North America)

Cradlepoint IBR6x0LPE-SP/ Sprint (USA)

Cradlepoint IBR6x0LPE-VZ / Verizon (USA)

Cradlepoint IBR6x0LP3-EU / Generic (Europe)


Note: Also certified on AT&T (USA), Sprint (USA), and Generic (North America)

Cradlepoint IBR9x0LP5 / Generic (APAC)

Cradlepoint IBR9x0LP6 / AT&T, Sprint, T-Mobile, Verizon (USA); Generic (North America, Europe)


Cradlepoint IBR11x0LPE-GN / C-Spire, T-Mobile, US Cellular (USA); Bell Mobility, Rogers, Telus (Canada); Generic (North America)

Cradlepoint IBR11x0LPE-SP / Sprint (USA)

Cradlepoint IBR11x0LPE-VZ / Verizon (USA

Cradlepoint IBR11x0LP3-EU / Generic (Europe), Telstra (Australia)


Cradlepoint MC400L2 / Public Safety Band 14 only (USA)

Cradlepoint MC400LPE-AT / AT&T (USA)

Cradlepoint MC400LPE-GN / T-Mobile, US Cellular (USA); Bell Mobility, Rogers, Telus (Canada); Generic (North America)

Cradlepoint MC400LPE-SP / Sprint (USA)

Cradlepoint MC400LPE-VZ / Verizon (USA)

Cradlepoint MC400LP3-EU / Generic (Europe)

Cradlepoint MC400LP4 / AT&T, T-Mobile, Verizon (USA)

Cradlepoint MC400LP5 / Generic (APAC)

Cradlepoint MC400LP6 / AT&T, Sprint, T-Mobile, Verizon (USA); Vodafone (Worldwide), Generic (North America, Europe)

3rd Party USB Cellular Modems

Franklin U770 (“Sprint Plug-In-Connect Tri-Mode USB Modem”) / Sprint (USA)

Franklin U772 (“Franklin U772 USB Modem”) / Sprint (USA)

Huawei E3276 / Telus (Canada)

Huawei E368 (“AT&T USBConnect Force 4G”) / AT&T (USA)

Netgear AC340U (“AT&T Beam”) / AT&T (USA)


Netgear AC341U (“NETGEAR® 341U USB Modem”) / Sprint (USA)

*supports Netgear firmware 4.07.01.11 and MR2 firmware 45.04.20.00

Novatel 551L LTE (“Verizon USB551L”) / Verizon (USA)

Novatel U620L (“Verizon MiFi© 4G LTE Global USB Modem U620L”) / Verizon (USA)

Novatel U679 (“4G LTE Novatel Wireless U679 Turbo Stick”) / Bell Mobility (Canada)

Pantech UML295VW (“Verizon 4G LTE USB Modem UML2954G LTE”) / Verizon (USA)

*requires Pantech firmware version L0295VWD821F.B4 or later

Portsmith PSA1U1M ("Portsmith USB Client to Analog Modem Adapter") / POTS phone providers

Sierra Wireless 308 USB (“AT&T USBConnect Shockwave”) / AT&T (USA)

Sierra Wireless 313U (“AT&T USBConnect Momentum 4G”) / AT&T (USA)

Sierra Wireless 320U (“Telstra USB 4G (Sierra AirCard 320U)”) / Telstra (Australia)

Sierra Wireless 330U (“4G LTE Sierra Wireless U330 - Turbo Stick”) / Bell Mobility (Canada)

Sierra Wireless 330U (“LTE Rocket Stick – Sierra Wireless AirCard 330U”) / Rogers (Canada)

ZTE MF683 (“T-Mobile Rocket 3.0 4G Laptop Stick”) / T-Mobile (USA)

Analog Modems

Portsmith PSA1U1M (“Portsmith USB Client to Analog Modem Adapter”) / POTS phone providers

Portsmith PS6EX1M ("Portsmith ExCard to Analog Modem Adapter”) / POTS phone providers (ExpressCard format, compatible with MBR1400s, MBR1200B, & CBA750B only)

New features added in this release (Not all features are in all products – see their respective Data Sheets)

Added Threat Management support to IBR9x0 and IBR6x0c products. This is enabled under the Security -> Threat Management menu. This is a licensable feature and is not enabled by default.

Additional UI/Usability changes

No UI changes

Defects fixed

AER2100 disconnects and reconnects all IPSec tunnels simultaneously

Router still trying to route through policy-based IPSec tunnel when it is down

6.3.0 ECM Config editors - Attempting to add local certs fails: Unable to verify config store size

WiFi as WAN on hidden SSID not working for IBR1100 or AER1600 on v6.3.0

Excluding Remote Networks in IPSec config blocks all tunnel traffic

Router reboots unexpectedly when using Hotspot Services and a large number of wired clients


Upstream Proxy Settings: HTTPs isn't being redirected properly

IPSec VPN IPv4 Netmask defined as a IPv4 address instead of netmask

Disabling VPN service, race condition doesn't always tear down service and tunnels

MAC Address Web Filter Defaults of a matching Allow mac address blocks access when non-matching Block rule is added.

Phase 2 IPSec SAs are not being removed during failover/failback VPN tunnels causing issues with RRI on VPN Cisco Hubs

No supported GPS device found message on Status -> GPS page UI, using LP5 and LP6 modems

IPSec VPN: Invalidate specifying the same remote gateway for concurrent VTI and non-VTI tunnels

Identity Type not disabled when selecting cert with asn1dn checked

GRE keep-alive response not getting encrypted in GRE over IPSec tunnel configuration

Route Table Editor should display metric field of listed routes

Feature license banner is confusing when editing Main Route Table

Changing NAT-T port on both ends doesn't bring up VPN tunnel. Work around this by enabling “Force UDP Encapsulation”.

AER3100 Error Applying Settings When Disabling 5Ghz Radio

LP6 / LP5 modems. Extended GPS re-enablement process for modems self-disabling GPS service. Some modems occasionally turn their own GPS off for reasons yet unknown. The driver’s GPS detect and re-enable recovery is a temporary workaround until the modem firmware can address this issue directly.

LP6 / LP5 modems in dual SIM platforms. Modified the modem shutdown process to prevent possible modem corruption seen only when used in a highly stressed modem environment.

Security defects fixed

No security fixes

Known Issues

IPSec UI (6.3.0). In 6.3.0 the restriction of configuring tunnels with duplicate remote gateways was removed. Configuring a combination of VTI-Tunnel and Tunnel mode IPSec with the same remote gateway can lead to unexpected behavior and we recommend avoiding this type of configuration.

On the System -> Administration -> GPS page, an alert will state that a GPS-enabled device isn’t found even if one is connected to the router. The alert will persist until the device gets a GPS lock.

Reputation Services (6.0.1). If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail. The reputation file is not saved in the exported configuration file.

If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a


Bounce Page warning that the WAN interface has a conflict (if bounce pages are enabled). Simply change the LAN IP Address on the Network Settings -> WiFi / Local Network Settings page in the UI.

When using WiFi as WAN or WiFi Client Mode set to “WiFi-as-Client”, enable WAN verify on the WiFi-as-WAN Profile in Connection Manager

LTE

Unless you have a specific service from your carrier, LTE modems will not generally provide an externally-available IP address. Services, such as Remote Management, will not work.

Modem

Franklin U770. The Modem’s Ethernet address conflicts with the default address of the Guest LAN. A warning message is placed in the log and the Guest LAN is disabled. If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.

Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.

The following USB modems contain an embedded web server through which many modem

settings are configured. To access the modem’s web pages, you must be logged in as the router

administrator. Once logged in, you can then access the modem web pages at these given IP

addresses:

Franklin U770, U772 / Sprint (USA) -> 192.168.10.1

Netgear AC341U * / Sprint (USA) -> 192.168.1.1 (address is configurable)

Pantech UML295VW * / Verizon (USA) -> 192.168.32.2

* The modem web pages are available only when the modem is operating in NAT mode.



AER3100/AER3150

AER2100

AER1600/AER1650

IBR1100/IBR1150

IBR900/IBR950

IBR600/IBR650


IBR600B/IBR650B

IBR600C/IBR650C

IBR350

CBA850

MBR1200B

Notes:


Modems tested: (new 6.2.0 modems / modem platforms are in blue text)
































Analog Modems



New features added in this release (Not all features are in all products – see their respective Data Sheets):

No new feature

Additional UI/Usability changes:

No UI changes

Defects fixed:

Network Mobility (NEMO/DNMR) traffic was blocked by an incorrect priority on a black-hole route used to prevent packet leakage.

Security issues:

No security fixes



AER3100/AER3150


AER2100

AER1600/AER1650

IBR1100/IBR1150

IBR900/IBR950

IBR600/IBR650

IBR600B/IBR650B

IBR600C/IBR650C

IBR350

CBA850

MBR1200B

Notes:


Modems tested: (new 6.2.0 modems / modem platforms are in blue text)

































Analog Modems



New features added in this release (Not all features are in all products – see their respective Data Sheets):

IPSec/VPN Tunnels. Support was added for IKEv2 and Suite B cryptographic algorithms and IKEv2 Mobility and Multihoming Protocol (MOBIKE) along with a significant revamp of VPN Tunnel support across the product line.

◦ UI Changes

Networking -> Tunnels -> IPSec VPN has been separated into three tabs. One to configure tunnels, one to configure general settings for all tunnels, and the third to configure logging of VPN tunnel connections.

Status -> Tunnels -> IPSec VPN has also been separated into three tabs. The first page shows the status of all configured tunnels, and the user can select each tunnel to see significant amounts of information about the connection. The second page shows information about the Security Policy Database and Security Association Database. The third page shows configuration information.

NHRP UI Changes

Status -> Tunnels -> GRE/ NHRP

◦ Add a grid with NHRP cache information


Networking -> NHRP

◦ IPSec VPN Responder Only checkbox removed from NHRP Global Settings. Active creation of VPN tunnels is now done on a per-tunnel basis and can linked to specific VPN configurations

◦ CLI debugging tools added

vpn show

vpn loglevel

xfrm policy

xfrm state

nhrp show

nhrp flush

nhrp flush nbma ip

◦ This change provides significantly faster startup of tunnels

◦ Failover tunnels must be enabled. When upgrading, failover tunnels that were disabled will be automatically enabled to maintain the same functionality. Disabled tunnels are not loaded and will not function as a primary or failover tunnel until enabled.

◦ Additional added VPN options

▪ Networking -> Tunnels -> IPSec VPN -> Global Settings

Permissive IPSec policy firewall – Defaults as enabled. When enabled traffic that matches the IPSec policy is automatically permitted through the firewall.

Allow aggressive mode pre-shared key – Defaults as enabled. Pre-shared keys with aggressive mode VPN is considered unsafe. Disable this to prevent responding to aggressive mode pre-shared key initiation requests.

Legacy HMAC SHA256 bit truncation – Hashing algorithm SHA2 256 with 96 bit truncation has been removed from tunnel configuration and will now use SHA2 256 with 128 bit truncation by default. Enable this to use SHA2 256 with 96 bit truncation instead. This may be required to connect to devices using the legacy algorithm.

▪ Networking>Tunnels>IPSec VPN>Tunnels

Inactivity Timeout – Configure termination of Child Security Associations when traffic is not detected for timeout amount of seconds

QoS changes. Significant changes have been made to automatically support applications such as VOIP without complex QoS configuration changes. Additional changes include:

◦ Direct numeric rate settings on queues in addition to percentage system

◦ QoS Zone Firewall Identity Support

◦ Per-WAN QoS Enable/Disable


◦ QoS pre-classify support (tunneling)

◦ IP Passthrough with QoS now works in both directions

Smart WAN Selection. Added the ability for the system to automatically select the best WAN connection based on configuration of specific criteria thresholds, including Signal Strength, Data Usage, Latency and Jitter. When Smart WAN Selection is enabled, Failback is automatically disabled. Enablement and configuration of this feature are found in Connection Manager on the new Smart WAN Selection tab.

Note: This feature impacts general Connection Manager functionality which includes failover, failback and load balance processes. These have been improved to follow more intuitive configuration interpretations.

Dual SIM management. Added the ability to more specifically control dual SIM management, such as preferring a primary SIM and enabling/disabling SIM slots per physical port. Configuration of these features is found in Connection Manager on the new Dual SIM tab.

Smart Disconnect. When changing from one WAN connection to another, this feature allows the older session to more gracefully terminate the connection. The disconnect process can be configured with time or data usage-based criteria. Configuration of this feature is found in Connection Manager by clicking the new Smart Disconnect column icon.

(SDK support) Added the ability for an SDK application to provide UI pages, especially when using Hotspot.

Hotspot Services and Hotspot routing was added to the AER3150 and AER1650

Support up to 16 NEMO tunnels

Status -> Firewall -> Hit Count Status was added to allow the admin to see which firewall policies are being triggered

(IBR900/IBR950) Added modem thermal alert support

(IBR1100/IBR600B) Added support for EAP-TLS for WiFi-as-WAN and WiFi Client modes. Added WiFi Client mode support to the 2.4GHz radio as well as the 5GHz radios.

(IBR900) Added support for EAP-TLS for WiFi-as-WAN and WiFi Client modes

Made sure the LAN properly/optimally supports /32 networks

Proxy ARP and true 1-to-1 NAT support. Proxy ARP can be enabled for configured Ethernet WAN or Local IP Network (LAN) interfaces. When enabled, the Cradlepoint router will respond to ARP requests received on the enabled interface if a route exists for the requested destination.

1-to-1 NAT rules have been enhanced to allow specification of Zone binding for each translation in addition to the previous global translation, and the option to add routes useful for Proxy ARP.

Added the ability to define the Source IP address for WiFi authentication RADIUS requests coming from the router

Add Dead Peer Detection to Zscaler Secure Web Gateway support

Added the ability to filter passwords when saving a configuration or creating a Support Log to send to Cradlepoint Support.

Added the ability in the CLI to rename an Ethernet port or add a description

Added the ability to learn the WAN route next hop from DHCP


Re-enabled Advanced Settings for legacy modem configuration, found in profile/interface Modem menu

Added the ability to immediately reconnect a modem if the unit was offline due to no cellular service (e.g. in a tunnel)

(LP6 modems) Added support for GLONASS and Beidou GNSS systems (in addition to already supported GPS)

(LPE/LP3 modems) Added support for GLONASS (in addition to already supported GPS)

(LP6/LPE/LP3) Extended GPS support to report all incoming GNSS NMEA sentences

Additional UI/Usability changes

Status -> NTP. Added status page for NTP information

Added the ability to copy/paste in status page panels

Status -> Internet -> Client Data Usage. Added Usage Summary tabs to better display the data.

Status -> GPS. Added information about the quality of the GPS fix. Please note that this is the last major firmware version that will provide Google Maps

support within the router UI. The feature will be removed in 6.4.0. Location services will continue to be available using Enterprise Cloud Manager.

Connection Manager>modem interfaces. The configured APN is now displayed in the expanded status.

(LP4 modems) Added channel bandwidth and cell tower ID to diagnostics

(LE modems) Due to Verizon’s change of OTA process, removed OTA retries since they won’t be successful. This modem does not support Verizon’s new OTA process.

Defects fixed

IP Passthrough, QoS affects upload speeds but not download speeds

Static route disappears from the Routing Table when upgrading from 6.0.5 to 6.1.0 on IBR6x0

WiFi / Wired clients disassociated and not passing traffic even though the WAN interface is up and able to be pinged.

Multiple routers DynDNS fail after update to 6.2.2

VPN fails after failback

IPSec VPN, aggressive mode not establishing when an FQDN is used for the tunnel identity

IPSec: Full tunnel behind NAT always on

Policy route lo:ecm isn’t functioning after reboot

Route Policy missing after upgrade to 6.2.1

LAN Schedule causing SSID to not rebroadcast until reboot

NAS-ID on WPA Enterprise not coming through

Select Option for APNs not using the selected APN

Client/Server OpenVPN pushed routes not pushing

Cannot enter IP address/Prefix length format under Security -> Zone Firewall -> Remote Access Restriction

First GPS parse error causes service to halt

6.x.x to 6.2.0, One touch router FW upgrade factory reset does not reset

Certificate Name not listed in Local Certificate CSR dropdown


NAT-TO doesn’t correctly configure firewall rules on configuration changes

Fixed unable to edit a Connection Manager profile update after router FW upgrade

Removed excessive alerts for a disconnect of a WAN interface that was not connected

Improved general APN management and recovery

(LP4/ATT) Select now works on all profiles (not just default profile)

Fixed several dual SIM issue, such as adding dynamic detection of IMSI changes, and addressing Sprint HFA interruptions

Fixed Modem FW upgrade to add message box on communication failures

Added WAN uptime history if Ethernet was connected at boot time

(LP6) Enable GNSS antenna power when it’s occasionally disabled

Security defects fixed

Sweet32 mitigation. https://sweet32.info/ describes an attack that is unlikely but possible to recover secure HTTP cookies. To mitigate this attack, we changed the default cryptographic algorithms from the Mozilla recommended Intermediate compatibility list to their Modern compatibility list. The list can be modified by changing /config/system/cipher_list in the CLI. https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

Known issues

IPSec UI (6.3.0). In 6.3.0 the restriction of configuring tunnels with duplicate remote gateways was removed. Configuring a combination of VTI-Tunnel and Tunnel mode IPSec with the same remote gateway can lead to unexpected behavior and we recommend avoiding this type of configuration.

GRE keep alive responses are not encrypted using IPSec. This can cause GRE keep alive status to report inaccurate keep alive states between two Cradlepoint routers when GRE over IPSec is configured using "Always On" initiation mode. To work around this issue, configure GRE over IPSec using "On Demand" initiation mode or use another keep alive mechanism such as Dead Peer Detection.

On the System -> Administration -> GPS page, an alert will state that a GPS-enabled device isn’t found even if one is connected to the router. The alert will persist until the device gets a GPS lock.

Reputation Services (6.0.1). If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail. The reputation file is not saved in the exported configuration file.

If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict (if bounce pages are enabled). Simply change the LAN IP Address on the Network Settings -> WiFi / Local Network Settings page in the UI.

When using WiFi Client Mode set to “WiFi-as-Client”, enable WAN verify on the WiFi-as-WAN Profile in Connection Manager

https://sweet32.info/

https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29


LTE

Unless you have a specific service from your carrier, LTE modems will not generally provide an externally-available IP address. Services, such as Remote Management, will not work.

Modem

Franklin U770. The Modem’s Ethernet address conflicts with the default address of the Guest LAN. A warning message is placed in the log and the Guest LAN is disabled. If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.

Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.

The following USB modems contain an embedded web server through which many modem settings

are configured. To access the modem’s web pages, you must be logged in as the router

administrator. Once logged in, you can then access the modem web pages at these given IP

addresses:

Franklin U770, U772 / Sprint (USA) -> 192.168.10.1

Netgear AC341U * / Sprint (USA) -> 192.168.1.1 (address is configurable)

Pantech UML295VW * / Verizon (USA) -> 192.168.32.2

The modem web pages are available only when the modem is operating in NAT mode.

release notes for cradlepoint rev 21242f48cc5dde3a5de18-c192e5eeeb00e48f305665dbb83b8a03.r95.… ·...

Documents