Digi IX20, IX20W, IX20-PR, IX20W-PR User Manual

DIGI INTERNATIONAL
9350 Excelsior Blvd, Suite 700 Hopkins, MN 55343, USA +1 (952) 912-3444 | +1 (877) 912-3444
www.digi.com

Digi Accelerated Linux (DAL) Release Notes

IX-series

INTRODUCTION

This is a patch firmware release for the IX20/IX20W products. This is a recommended production firmware release.

SUPPORTED PRODUCTS

· Digi IX20/IX20W
· Digi IX20-PR/IX20W-PR

KNOWN ISSUES

· Cellular metrics are not shown under the Settings → Status → Communications section of Digi Remote Manager, but are shown under the Data Streams for the device. [DALP-768]
· Health metrics are uploaded to Digi Remote Manager unless the Monitoring > Device Health > Enable option is de-selected and either the Central Management > Enable option is de-selected or the Central Management > Service option is set to something other than Digi Remote Manager [DAL-3291]
· Wired Internet connectivity is interrupted during cellular modem firmware updates [DAL-4647]
· The cellular Access technology configuration option is ignored if carrier PLMN locking is
enabled [DAL-4693]

UPDATE BEST PRACTICES

Digi recommends the following best practices:
1. Test the new release in a controlled environment with your application before you update production devices.
2. Unless otherwise noted, apply updates in the following order:
   a. Device firmware
   b. Modem firmware
   c. Configuration
   d. Application
Digi recommends Digi Remote Manager or Digi aView for automated device updates. For more information, follow the instructions for Digi Remote Manager or Digi aView in the links below:
1. Instructions for Digi Remote Manager:
https://www.digi.com/resources/documentation/digidocs/90001436-13/default.htm#tasks/t_update_device_firmware.htm
2. Instructions for Digi aView:
https://www.digi.com/resources/documentation/digidocs/acl-kb/default.htm#Subsystems/kb-6300-cx/update-firmware.htm
96000472_C Release Notes Part Number: 93001321_V Page 1
If you prefer manually updating one device at a time, follow these steps:
1. Download the firmware file from the Digi firmware support page.
2. Connect to the device’s web UI by connecting your PC to the LAN Ethernet port of the device
and then going to http://192.168.210.1.
3. Select the System tab on the top navigation bar of the page, then select Firmware Update.
4. Select the Browse button in the Upload file section.
5. Browse for and select the downloaded firmware file.
6. Click the Update Firmware button.

TECHNICAL SUPPORT

Get the help you need via our Technical Support team and online resources. Digi offers multiple support levels and professional services to meet your needs. All Digi customers have access to product documentation, firmware, drivers, knowledge base and peer-to-peer support forums.
Visit us at https://www.digi.com/support to find out more.

CHANGE LOG

Mandatory release = A firmware release with a critical or high security fix rated by CVSS score.
For devices complying with ERC/CIP and PCIDSS, their guidance states that updates are to be deployed onto devices within 30 days of release.
Recommended release = A firmware release with medium or lower security fixes, or no security fixes.
Note that while Digi categorizes firmware releases as mandatory or recommended, the decision if and when to apply the firmware update must be made by the customer after appropriate review and validation.

VERSION 21.2.39.79 (April 1, 2021)

This is a Recommended release.
BUG FIXES
1. IX20W: Fixed issue where Wi-Fi network crashes when under heavy load [DAL-4667]

VERSION 21.2.39.67 (February 27, 2021)

This is a mandatory release.
FEATURES
1. Add the Location service to all DAL products. DAL devices can utilize several location sources (cellular, GNSS, or user defined) to determine where they are located and report that to Digi Remote Manager or other servers [DAL-724]
2. Add geo-fencing configuration options. This new feature is found under Services → Location → Geofence. It can be utilized to define one or more circular or polygonal geofence areas and then perform a set of actions when the device enters or leaves that area. Current options for actions to perform are either factory erasing the device or running a custom script. [DALP-711]
3. New modem scan CLI command for listing available carriers for the current modem and
SIM setup.
4. New Network → Interface → Modem → Network PLMN ID config setting to lock the SIM card to a particular carrier based on its PLMN ID (note that the Carrier selection mode must be set to Manual or Manual/Automatic in order to lock the SIM to a specific carrier) [DALP-637]
5. Added local API to the web UI for automated configuration of the device [DALP-777]
6. Support remote CLI commands through Digi Remote Manager [DAL-4273]
7. New configuration options under System → Scheduled tasks → System maintenance to
automatically check for device and modem firmware updates, then notify in the CLI and web UI when updates are available [DAL-4413]
ENHANCEMENTS
1. Added new DFS Client Support configuration setting to support 5GHz DFS Wi-Fi channels in
client mode [DALP-720]
2. Add 5GHz frequencies to the list of channels that can be scanned for client-mode Wi-Fi
background scanning [DAL-2570]
3. Set 2.4GHz default Wi-Fi bandwidth to 20MHz [DALP-772]
4. Update default background scanning settings for Wi-Fi clients to the following:
1. Scan threshold: -75dB
2. Short interval: 5s
3. Long interval: 300s
5. Updated Surelink recovery of Wi-Fi connections to restart the Wi-Fi module if restarting the
network connection fails to recover the setup [DAL-4387]
6. Added settings under Authentication → Serial to control Certificate Management for TCP
and autoconnect serial port setups [DALP-682]
7. Allow hidden/debug config settings to be controlled and preserved by DigiRM [DAL-4445]
8. Asymmetric preshared keys for IPsec tunnels [DALP-707]
9. Don't display Aggressive/Main mode or Xauth selections for IKEv2 IPsec tunnels [DAL-4142]
10. Update name and description of certificate settings for OpenVPN clients and servers [DAL-4435]
11. Add digidevice.led python module to all products [DALP-710]
12. Add options to forward location information to a remote host over TCP [DALP-778]
13. Add new Forward interval multiplier configuration option under Services → Location →
Destination servers to control the number of location update intervals to wait before sending location data to this server [DAL-4056]
14. Report location metrics as datapoints to DigiRM [DAL-4055]
15. Include the connection uptime of IPsec tunnels as datapoint metrics to Digi Remote
Manager [DAL-4062]
16. Report the phone number of the SIM as a health metric datapoint to Digi Remote Manager
[DAL-4440]
17. Fixed incorrect format of ICCID and IMEI metrics reported to Digi Remote Manager [DAL-4440]
18. Add iptables TRACE tool for enhanced firewall debugging [DAL-4182]
19. Improved accuracy of the status shown for a modem during a firmware update
20. IX10/1002-CMG4: Disable GEA1 on EG25-G modem [DAL-4250]
21. IX10/1002-CMG4: Disable voice services on EG25-G modules [DAL-4560]
22. IX10: Enable QXDM support on IX10 [DAL-4512]
BUG FIXES
1. IX14: Fixed reboot loop issue on IX14 device running default settings on 20.11.x firmware
[DAL-4507]
2. Fixed issue with utilizing software flow control on serial ports set in remote-access mode [DAL-3630]
3. Fix issue where a serial port could lock up and prevent access if flow control was enabled
[DAL-4585]
4. Fixed issue where non-primary DNS were queried through the wrong interface when
use_dns configuration option is set to primary [DAL-3156]
5. Report the phone number of the SIM as a health metric datapoint to Digi Remote Manager
[DAL-4440]
6. Fixed incorrect format of ICCID and IMEI metrics reported to Digi Remote Manager [DAL-4440]
7. Fixed setup issue between custom firewall rules and IPsec tunnels [DAL-4433]
8. Fixed occasional issue preventing LM940 modems from re-establishing their cellular connection after a modem firmware update [DAL-2933]
9. Fixed issue requiring a user to fix syslog configuration setting when updating from 20.5.x or
older firmware to 20.8.x/20.11.x firmware [DAL-4426]
10. Fixed rare issue where show system CLI command would display incorrect uptime details
[DAL-4350]
11. Fix issue with secondary CLI sessions showing stale configuration settings if the config is
updated elsewhere [DAL-4446]
12. Updated message displayed in web UI to direct the user to refresh the page after erasing the device back to default settings [DAL-2326]
13. Fixed issue where dynamic DHCP leases were not displayed in the CLI or web UI (bug
present on 20.11.x firmware versions) [DAL-4557]
14. Fixed inaccurate status of the Ethernet interface of a device in passthrough mode [DAL-4543]
15. Fixed issue preventing web UI access if two-factor authentication was enabled (bug present
on 20.11.x firmware versions) [DAL-4509]
16. Fixed issue where CLI commands sent from DigiRM would crash the DAL device's connection
to DigiRM [DAL-4412]
17. Fixed issue preventing WAN/cellular connections from working if the interface was
configured with a single Interface Up Surelink test [DAL-4629]
18. Fix rare issue where Wi-Fi hotspots would stop responding to DHCP requests if restarted
many times [DAL-4298]
19. Fixed output of the show wifi ap name <ap_name> and show wifi client name
<client_name> CLI commands [DAL-1615]
20. Fixed inaccurate status of the Ethernet interface of a device in passthrough mode [DAL-4543]
21. PR products: Fixed issue preventing usage of the digidevice.config python module on PR
firmware products [DAL-4378]
22. 1003-CM11: Fixed occasional issue preventing LM940 modems from re-establishing their cellular connection after a modem firmware update [DAL-2933]
23. 1003-CM11: Fixed timing issue after updating firmware on LM940 modems that prevented the modem from reconnecting unless rebooted [DAL-4614]
24. Fixed issue causing aView-initiated speed tests to report the same upload/download speeds
[DAL-4420]
SECURITY FIXES
The highest level vulnerability that has been fixed in this release is listed as a Critical CVSS score of 8.1 High.
1. Update hostapd to address CVE-2019-16275 and CVE-2019-13377 [DAL-4232]
2. Update wpa_supplicant to address CVE-2019-16275 [DAL-4233]
3. Update libcurl to version 7.74.0 (CVE-2020-8169, CVE-2020-8177) [DAL-4336]
4. Update to python version 3.6.12 (CVE-2020-14422) [DAL-4364]
5. Update OpenSSL to version 1.1.1i (CVE-2020-1971) [DAL-4326]
6. Update dnsmasq to version 2.83 (CVE-2019-14834, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687) [DAL-3950]
7. Update web security settings with the following headers [DAL-4192]
1. Pragma: no-cache
2. Content-Security-Policy
3. X-Content-Type-Options: nosniff
4. X-XSS-Protection: 1; mode=block
8. Set SAMEORIGIN in X-Frame-Options to uppercase [DAL-4192]
9. Automatically de-activate active user logins/sessions if the password for that user changes
10. Removed support for https CBC ciphers [DAL-4408]
11. Fixed XSS vulnerability on serial page in the local web UI (Bug present on firmware versions
20.11.x and older) [DAL-4646]
12. PR products: Removed debug config options from PR firmware for changing https ciphers
[DAL-4417]
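A check an operator can run after updating, added here as an example and not part of Digi's release notes: it audits a captured response-header block from the local web UI against the header values listed in items 7 and 8 above. The sample responses and all function names are constructed for illustration; the notes do not give the Content-Security-Policy value, so only its presence is checked.

```python
# Expected headers, taken from items 7 and 8 of the security fixes list.
# None means "must be present, any value" (the notes give no CSP value).
EXPECTED = {
    "pragma": "no-cache",
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
}
# Item 8 changes only the letter case, so this value is compared case-sensitively.
CASE_SENSITIVE = {"x-frame-options"}


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # malformed line, ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _norm(value):
    """Drop whitespace so '1;mode=block' and '1; mode=block' compare equal."""
    return "".join(value.split())


def audit(raw):
    """Return sorted (header, problem) findings; an empty list means compliant."""
    headers = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        values = headers.get(name)
        if not values:
            findings.append((name, "missing"))
            continue
        if len(values) > 1:
            findings.append((name, "duplicated"))
        if want is None:
            continue
        got = values[-1]
        if name in CASE_SENSITIVE:
            ok = _norm(got) == _norm(want)
        else:
            ok = _norm(got).lower() == _norm(want).lower()
        if not ok:
            findings.append((name, "unexpected value %r" % got))
    return sorted(findings)


# Constructed sample responses (not captured from a real device).
SAMPLE_NONCOMPLIANT = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: sameorigin\r\n\r\n"
)
SAMPLE_COMPLIANT = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Pragma: no-cache\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("non-compliant", SAMPLE_NONCOMPLIANT),
                       ("compliant", SAMPLE_COMPLIANT)):
        print(label, audit(raw))
```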

VERSION 20.11.32.168 (December 23, 2020)

This is a recommended release.
ENHANCEMENTS
1. Use PDP context 1 with Telus carrier SIMs [DAL-4332]
BUG FIXES
1. Fixed bug preventing Ethernet speed/duplex adjustment (affects firmware version 20.11.32.138) [DAL-4414]
2. IX10-only: Fixed bug preventing serial port signal mode from being set to RS-485 when in application or modbus modes (affects firmware versions 20.11.32.138 through 20.8.22.32) [DAL-4424]

VERSION 20.11.32.138 (December 2, 2020)

This is a mandatory release
FEATURES
1. IX20/IX20W: New PR product variants and firmware for FirstNet/ResponseVerify products
[DALP-674]
1. PR stands for Primary Responder and indicates a security hardened, feature-restricted firmware targeted to comply with AT&T FirstNet and Verizon ResponseVerify certification security requirements. It is the same DAL firmware under the hood, but with several features removed to comply with FirstNet and ResponseVerify security restrictions. Below is a list of changes for PR products:
1. Services → Telnet removed
2. Removed Telnet option from Remote access options if a serial port was set in
Remote access mode
3. WPA1 Wi-Fi encryption option (WPA Personal) removed
4. Default Wi-Fi SSID disabled by default
5. interactive shell removed
1. Firewall → custom rules always has sandbox enabled with limited shell command and filesystem access to only allow iptables interaction
2. System → Scheduled tasks → Custom scripts always has sandbox option enabled with limited shell command and filesystem access to allow CLI access and python script execution
3. No inbound SCP/SFTP support
2. Add ssh and telnet commands to Admin CLI [DALP-664]
3. Add new modem firmware CLI commands for performing local or over-the-air remote firmware updates to the cellular modem(s) in the device [DAL-2811]
4. Add new configuration options under Network → Devices for setting the link speed/duplex of the device's Ethernet port(s) [DALP-135]
5. Add options for starting, stopping, and viewing serial port activity logs through the CLI, web UI, or Digi Remote Manager [DALP-458]
6. Support for the Sierra EM9190/9191 5G modems [DALP-686]
7. Support for the Sierra EM7411 LTE CAT7 modem [DALP-608]
8. IPv6 IPsec tunnel support for full IPv6 tunnels, IPv6-over-IPv4, or IPv4-over-IPv6 tunnels [DALP-581]
9. IPsec XFRM interfaces for enhanced control over IPsec tunnels and the network interfaces associated to them. This allows users to select tunnels for multiple networking features, including static routes, policy-based routes, access control lists, and routing priority based on metric. [DAL-490]
10. Inclusion of the Python pip for installing external modules/libraries [DAL-4078]
ENHANCEMENTS
1. Add Services → Location options for configuring GPS or GNSS location communication [DALP-724]
2. GPS/GNSS support for the IX10 and 1002-CMG4 modem [DALP-713]
3. Add cellular technology icon to the Dashboard in the web UI [DAL-3673]
4. Add link to product User Guide under the User drop-down menu at the top-right of the web UI [DALP-569]
5. Added help button to System → File System page of the web UI [DALP-569]
6. Added new Status → Modbus Gateway service page to the web UI to display information about modbus clients and servers connected to the gateway [DALP-671]
7. Added show modbus-gateway CLI command to view the status of Modbus gateway service [DALP-671]
8. Updated show modem CLI command to display historical information about the modem if it is in the process of updating firmware [DAL-1504]
9. Added new Services → Ping responder configuration settings for controlling what interfaces and firewall zones the DAL device responds to ICMP requests on [DAL-1565]
10. Enhance IPSec tunnels to wait for passing Surelink tests (if configured) before initiating outbound tunnels [DAL-3878/DAL-3774]
11. Add m2m.telus.iot Telus APN to fallback list [DAL-3911]
12. Add psmtneorm and edneopate010.dpa AT&T APNs to fallback list [DAL-4041/DAL-4045]
13. Add reseller and tracfone.vzwentp Tracfone APNs to the AT&T and Verizon fallback lists [DAL-4098]
14. Add new 890103 and 890141 ICCID prefixes and 31030 PLMN ID matchers to AT&T APN fallback list [DAL-3934/DAL-4041]
15. Add service.qcdm.secure option to enable/disable encrypted QXDM access to the cellular modem in the DAL device [DAL-3964]
16. Add missing modem firmware and SIM details to datapoints uploaded to Digi Remote Manager [DAL-4040]
17. Show uptime for connection to Digi Remote Manager on the Dashboard web UI page in days/hours/minutes/seconds instead of just minutes [DAL-3691]
18. Updated network bridges to use the MAC address of the first device listed in Network → Bridges → [bridge_name] → Devices as the MAC address for the bridged interface [DAL-3949]
19. Add link in the firmware update window on the Status → Modem page to direct users to the configuration options to schedule a modem firmware update [DALP-725]
20. Updated the help text on the login page to provide a more generic image [DAL-3916]
21. Added option when copying serial port settings on the System → Serial Configuration page to optionally copy the label of the serial port [DAL-3842]
22. Removed duplicate modem signal information from the Modem → Status page [DAL-3680]
23. Added a DSCP option to policy-based routes to allow users to match the routing rule by the type of DSCP field in the packet [DAL-3867]
24. Added a defaultroute option for matching policy-based routes to the device's active default route [DAL-4130]
25. Hide the Monitoring → Device Health configuration options if the device is not enabled for Digi Remote Manager central management [DAL-3825]
26. Update header types for the cellular modem name and network type on the Dashboard page
27. Create system log when Surelink DNS tests are skipped because the interface doesn't have any DNS servers [DAL-4224]
28. Hide main/aggressive mode option when using IKEv2 [DAL-4142]
29. Add reboot watchdog to IX20/IX20W devices to prevent soft-reboot hangs [DAL-3392]
BUG FIXES
1. Fixed missing default settings in configuration profiles created in Digi Remote Manager (bug affects firmware versions 20.8.x and older) [DALP-658]
2. Fixed missing option for setting the SIM Slot Preference in configuration profiles in Digi Remote Manager (bug affects firmware versions 20.8.x and older) [DAL-3912]
3. Fixed format of user passwords when displayed in Digi Remote Manager (bug affects firmware versions 20.8.x and 20.5.338.58) [DAL-3889]
4. Fixed issue with policy-based routing not working in conjunction with multiple IPsec tunnels (bug affects firmware versions 20.8.x and older) [DAL-3515]
5. Fixed issue preventing OpenVPN server-managed certificates from being re-generated if the process was interrupted (bug affects firmware versions 20.8.x and older) [DAL-3803]
6. Fixed issue preventing OpenVPN client from using an autogenerated config file from a tap-bridge openvpn server (bug affects firmware versions 20.8.x and older) [DAL-3881]
7. Fixed some formatting output of the show system verbose CLI command (bug affects firmware versions 20.8.x and older) [DAL-3805]
8. Fixed issue preventing VRRP interoperability between DAL devices and SarOS devices (bug affects firmware versions 20.8.x and older) [DAL-4130]
9. Update VRRP+ to properly handle changes in network interface statuses (bug affects firmware versions 20.8.x and older) [DAL-4274]
10. Removed poorly formatted script contents from the show scripts CLI command output [DAL-3315]
11. Fixed non-working system disable-cryptography CLI command [DAL-4169]
12. Fixed second-stage erase functionality on devices not enabled for aView management [DAL-3944]
13. Fixed issue preventing multicast traffic from being sent through a GRE tunnel [DAL-3879]
14. Fixed issue preventing a firewall rule from being set up for OSPFv2 entries [DAL-3869]
15. Fixed rare crash caused when a Quectel modem disconnected [DAL-3867]
16. Fixed behavior of the WWAN Service LED to blink when a modem firmware update is in progress (bug affects firmware versions 20.8.x and older) [DAL-3963]
17. Fixed issue preventing IX10 devices and 1002-CMG4 modems from connecting with Verizon private APNs (bug affects firmware versions 20.8.x and older) [DAL-3605/DAL-3276]
SECURITY FIXES
The highest level vulnerability that has been fixed in this release is listed as a Critical CVSS score of 9.1.