Westermo RedFox-5528-E-F4G-T24G-LV Firmware

Brand: Westermo

Model: RedFox-5528-E-F4G-T24G-LV

Type: Firmware

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

WeOS 5.15.1

Release Notes

Contents

1 SummaryofChanges.................................... 5

1.1 Newsin5.15.0...................................... 5

1.1.1 NewLinuxKernel ................................. 5

1.1.2 New Product Platform (Envoy) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.1.3 Dagger Platform Support Temporarily Excluded . . . . . . . . . . . . . . . . . . 5

1.1.4 FRNTv2Supported................................. 5

1.1.5 IEEE 802.1X and MAC Authentication Supported . . . . . . . . . . . . . . . . 6

1.1.6 Updates to WESTERMO-EVENT-MIB and Alarm Traps . . . . . . . . . . . . . 7

1.1.7 Updated IGMP Snooping Behaviour and Settings . . . . . . . . . . . . . . . . . 7

1.1.8 Updates to Static FDB Filter Commands . . . . . . . . . . . . . . . . . . . . . . 7

1.1.9 Flood to CPU Setting Removed . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.1.10 Changes in PoE Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.1.11 Increased Number of VRRP Instances and Synchronization Groups . . . . . . . 9

1.1.12 New Bootloader Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.1.13 IEC 61375 Not Recommended With WeOS 5.15.0 . . . . . . . . . . . . . . . . 9

1.1.14 RiCo Support Temporarily Removed . . . . . . . . . . . . . . . . . . . . . . . . 9

1.1.15 Energy Efﬁcient Ethernet (EEE) disabled . . . . . . . . . . . . . . . . . . . . . 10

1.2 Newsin5.15.1...................................... 10

1.2.1 Dagger Platform Support Included . . . . . . . . . . . . . . . . . . . . . . . . . 10

1.2.2 New Default Bootloader for Dagger and Coronet Products . . . . . . . . . . . . 10

1.2.3 IEC 61375 Train Protocol Support Included . . . . . . . . . . . . . . . . . . . . 10

1.2.4 Updated FRNT Alarm Trigger and Trap support . . . . . . . . . . . . . . . . . . 11

1.2.5 Improved LED Support and Documentation . . . . . . . . . . . . . . . . . . . . 11

1.2.6 IEEE 802.1X and MAC Authentication Updates . . . . . . . . . . . . . . . . . . 12

1.2.7 Listen Setting for NTP Server Reintroduced . . . . . . . . . . . . . . . . . . . . 12

2 FixedIssues......................................... 13

2.1 WeOS5.15.0....................................... 13

2.2 WeOS5.15.1....................................... 15

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

3 KnownLimitations..................................... 17

3.1 PortAccessControl ................................... 17

3.2 Login........................................... 17

3.3 SettingDateManually.................................. 17

3.4 Available ports for boot speciﬁc functionality . . . . . . . . . . . . . . . . . . . . . . 17

3.5 Routing Hardware Ofﬂoading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.6 SNMP .......................................... 18

3.7 FRNT .......................................... 18

3.8 RSTP........................................... 18

3.9 IEC61375 ........................................ 19

3.10LLDP........................................... 19

3.11PortMonitoring ..................................... 20

3.12 Media Redundancy Protocol (MRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.1310GSFPPorts...................................... 20

3.14 Search function in User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4 KnownIssues........................................ 22

4.1 Listofknownissues................................... 22

4.2 #18163: Work-around for OSPF NSSAs convergence issue . . . . . . . . . . . . . . 23

5 QuickStartGuide...................................... 24

5.1 Default User and Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

5.2 General.......................................... 24

5.3 CLI............................................ 25

6 FirmwareUpgrade ..................................... 27

6.1 WeOSImage....................................... 27

6.2 BootLoader ....................................... 27

7 Signiﬁcant differences between WeOS 4 and WeOS 5 . . . . . . . . . . . . . . . . . . . 28

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

Legal Information

The contents of this document are provided “as is”. Except as required by applicable law, no war-

ranties of any kind, either express or implied, including, but not limited to, the implied warranties of

merchantability and ﬁtness for a particular purpose, are made in relation to the accuracy and reliability

or contents of this document. Westermo reserves the right to revise this document or withdraw it at

any time without prior notice. Under no circumstances shall Westermo be responsible for any loss of

data or income or any special, incidental, and consequential or indirect damages howsoever caused.

More information about Westermo at http://www.westermo.com

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

Important User Information

This section details important user information, directed in particular to new users of WeOS 5:

• WeOS 5.15.1 has been interoperability tested with WeOS 4.32.5.

• When using WeConﬁg to manage WeOS 5.15, WeConﬁg 1.17.2, or later is recommended.

For help with getting started using WeOS 5, refer to the Quick Start Guide in section 5.

User Guide

In WeOS 5, the primary user documentation is referred to as the WeOS 5 User Guide. Compared

to the WeOS 4 Management Guide, the User Guide is a web ﬁrst publication focusing on use-cases,

documented in stand-alone “HowTo:s”, and conﬁguration guides for all supported sub-systems.

The User Guide is included in the release Zip ﬁle in the sub-directory: user-guide/. To access the

documentation, open the following ﬁle in your web browser:

file://Downloads/WeOS-5.15.1/user-guide/index.html

The User Guide is also available online at https://docs.westermo.com/weos/weos-5/.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

1 Summary of Changes

This section details new features added in this major release.

Users new to WeOS 5 are recommended to read section 7 carefully, as it high-lights some of the major

differences between WeOS 4 and WeOS 5.

1.1 News in 5.15.0

The subsections below describe news in WeOS 5.15.0. In addition, section 2.1 includes information

on ﬁxed issues.

1.1.1 New Linux Kernel

The kernel used by WeOS has been upgraded from Linux 4.19 to Linux 5.17. By basing WeOS on a

newer kernel, WeOS can utilise advances in Linux services and hardware support. An example is the

product platform (Envoy), which is enabled by the new kernel.

The kernel upgrade has implied substantial adaptions in WeOS and in its hardware abstraction layer.

Some services have not been fully migrated, see sections 1.1.13 (IEC 61375) and 1.1.14 (RiCo) for

more information. Furthermore, products based on the Dagger platform are excluded in WeOS 5.15.0,

see section 1.1.3. (Support for Dagger products is included in 5.15.1 and onward, see section 1.2.1.)

1.1.2 New Product Platform (Envoy)

WeOS 5.15.0 is the ﬁrst release with products based on the Envoy platform, starting with the Lynx-3500

series. Detailed information about product launches is handled through the regular Westermo sales

channels.

1.1.3 Dagger Platform Support Temporarily Excluded

Support for the Dagger products (RedFox-5700/7500 and Lynx-5500/5600 series) is not included in

5.15.0. Note: Dagger support is included in 5.15.1 and onward, see section 1.2.1.

1.1.4 FRNTv2 Supported

FRNTv2 was ﬁrst introduced in WeOS 4.28, and is now also supported on WeOS 5! With FRNTv2,

advanced ring and sub-ring layer-2 topologies can be created. The example below creates an FRNTv2

instance as focal point with ring ports eth1 and eth2.

example:/#> conﬁg

example:/config/#> frnt 1

example:/config/frnt-1/#> version 2

example:/config/frnt-1/#> port eth1

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

example:/config/frnt-1/port-eth1/#> end

example:/config/frnt-1/#> port eth2

example:/config/frnt-1/port-eth2/#> end

example:/config/frnt-1/#> show

FRNT version : 2

Ring ID : 1

Mode : Focal Point

Guarded-recovery : Enabled

Ring-interval : 500 ms

Blocking-port : eth1

Port : eth1

hello-time : 500 ms

Port : eth2

hello-time : 500 ms

example:/config/frnt-1/#> leave

example:/#>

For more information on conﬁguring FRNT, see the WeOS User Guide section Conﬁguration Guides

→Bridging/Switching →FRNT.

1.1.5 IEEE 802.1X and MAC Authentication Supported

WeOS 5.15.0 includes support for port access control with IEEE 802.1X and MAC authentication.

A WeOS unit can act as IEEE 802.1X authenticator, relaying EAP exchanges between connecting

hosts (supplicants) and a backend RADIUS server. For MAC Authentication, WeOS can keep a local

whitelist of MAC addresses to grant access, or let a backend RADIUS server authorise the MAC

addresses. The latter is referred to MAC Authentication Bypass (MAB).

The example below shows how to conﬁgure WeOS to act as IEEE 802.1X authenticator on ports

eth1-eth4, with a RADIUS authentication server at address 10.0.1.5.

example:/#> conﬁg

example:/config/#> aaa

example:/config/aaa/#> remote-server 1

example:/config/aaa/remote-server-1/#> address 10.0.1.5

example:/config/aaa/remote-server-1/#> password MySecr3t

example:/config/aaa/remote-server-1/#> end

example:/config/aaa/#> end

example:/config/#> port-access

example:/config/port-access/#> port eth1..eth4

example:/config/port-access/#> dot1x

example:/config/port-access/dot1x/#> authentication-server 1

example:/config/port-access/dot1x/#> leave

example:/#>

For more information on conﬁguring port access control, see the WeOS User Guide section Conﬁgu-

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

ration Guides →Bridging/Switching →802.1X & MAC-Auth.

1.1.6 Updates to WESTERMO-EVENT-MIB and Alarm Traps

The WESTERMO-EVENT-MIB includes status information on alarm triggers and SNMP trap deﬁni-

tions of alarm triggers. The MIB has been modiﬁed signiﬁcantly to include more status information

and more informative and coherent alarm trap deﬁnitions. In addition, trap support for MRP and FRNT

is now included via a common “ring traps” (ringNotiﬁcationOK och ringNotiﬁcationWarning).

For detailed information on changes, see the REVISION information in the WESTERMO-EVENT-

MIB ﬁle included in the release zip.

1.1.7 Updated IGMP Snooping Behaviour and Settings

WeOS 5.15.0 introduces major changes to how multicast is handled. The reasons for this are a bug

reports caused by chipset limitations on some products, and a wish to align the WeOS 5 IGMP snooping

support with Linux kernel facilities and with the snooping behaviour in WeOS 4 (4.29.0 and later).

A new setting is introduced, [no] multicast-flood-unknown [PORTS] which by default

is enabled on all ports.

example:/#> conﬁg

example:/config/#> ip

example:/config/ip/#> show multicast-ﬂood-unknown

ALL

example:/config/ip/#>

Enabling multicast-flood-unknown implies that IP multicast will be ﬂooded until there is

a subscriber (once there is a subscriber, trafﬁc will be ﬁltered/sent towards the subscriber). It also

implies that if a learned address cannot be stored in the hardware chipset, trafﬁc to that address will

still reach the subscriber as it is treated as unknown and therefore ﬂooded. This solves issue #17982,

see section 2.1.

For more information on conﬁguring IGMP snooping, see the WeOS User Guide section Conﬁgura-

tion Guides →Bridging/Switching →IGMP Snooping.

1.1.8 Updates to Static FDB Filter Commands

The arguments for the mac and group commands in the forwarding database (FDB) conﬁguration

context is updated.

• Static MAC ﬁlters: [no] mac <ADDR> [vlan VID] port <PORTS,cpu|all,cpu>

Use the mac command for static MAC multicast addresses. However, MAC addresses corre-

sponding to IP multicast (01:00:5e:00:00:00 – 01:00:5e:7f:ff:ff) can no longer be used with mac

command. Instead, use the group command for IP multicast, see below.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

example:/config/fdb/#> mac 01:23:45:01:01:01 port eth1,eth3..eth5

example:/config/fdb/#> mac 01:23:45:01:01:02 vlan 1 port all

example:/config/fdb/#> show mac

Static MAC Entries VLAN Port(s)

01:23:45:01:01:01 ALL eth1, eth3..eth5

01:23:45:01:01:02 1 ALL

example:/config/fdb/#>

• Static IP Group ﬁlters: [no] group <ADDR> [vlan VID] port <PORTS|all>

Use the group command for static IP multicast address ﬁlters.

example:/config/fdb/#> group 226.1.1.1 port eth3

example:/config/fdb/#> group 227.2.2.2 vlan 1 port all

example:/config/fdb/#> show group

IP Multicast Groups VLAN Port(s)

226.1.1.1 ALL eth3

227.2.2.2 1 ALL

example:/config/fdb/#>

Note: In earlier releases it has been possible to use the mac command for addresses in the IP multicast

range (01:00:5e:00:00:00 – 01:00:5e:7f:ff:ff). These conﬁguration entries are ignored when upgrading

to WeOS 5.15.0.

There are two current limitations for the group command:

• Static IP group ﬁlters only apply if IGMP snooping is enabled.

• Static IP ﬁlters cannot be speciﬁed within the 224.0.0.X range

For more information on conﬁguring static FDB ﬁlters, see the WeOS User Guide section Conﬁgura-

tion Guides →Bridging/Switching →Transparent Bridge.

1.1.9 Setting for Flooding Unknown Unicast/Multicast to CPU Removed

In WeOS 5.14.0 and earlier there was an explicit setting for controlling ﬂooding of unknown uni-

cast and multicast to the CPU ([no] flooding [unicast | multicast]) within system

conﬁguration context.

This setting is now removed, and its conﬁguration entry is ignored when upgrading to WeOS 5.15.0.

In 5.15.0 ﬂooding of unknown unicast and multicast to CPU is always active.

In future WeOS-5 releases this will be controlled according to what services are running in the device.

As an example, having a bridged layer-2 VPN port (ssl1) conﬁgured in the device would enable ﬂooding

of unknown uni- and multicast to the CPU.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

1.1.10 Changes in PoE Default Settings

For products with Power Over Ethernet (PoE) support, two PoE port settings have new default values

in 5.15.0. The change is done to align WeOS 4 and WeOS 5 PoE default settings.

• PoE enabled by default: PoE ports now have PoE enabled by default

• Priority low: The PoE port priority setting now has priority low by default.

For more information on conﬁguring PoE, see the WeOS User Guide section Conﬁguration Guides →

Ethernet/LAN Ports →PoE.

1.1.11 Increased Number of VRRP Instances and Synchronization Groups

The following VRRP parameters have been increased:

• Maximum number of conﬁgurable VRRP instances (32 →50)

• Maximum number of conﬁgurable VRRP sync groups (10 →25)

For more information on conﬁguring VRRP, see the WeOS User Guide section Conﬁguration Guides

→Routing →VRRP.

1.1.12 New Bootloader Versions

Products shipped with WeOS 5.15.0 have the following bootloader:

• Viper (Coronet): Barebox 2017.12.0-10

(In WeOS 5.14.0, Vipers were shipped with 2017.12.0-8.)

• Lynx 3500 Series (Envoy): Barebox 2022.08.0-1

(Lynx 3500 are the ﬁrst products using a revision of Barebox 2022)

For more information, see associated Barebox release notes included in the WeOS 5.15.0 release zip.

1.1.13 IEC 61375 Not Recommended With WeOS 5.15.0

The IEC 61375 protocol stack has not been fully stabilized after the kernel upgrade. The use of IEC

61375 is not recommended with WeOS 5.15.0.

1.1.14 RiCo Support Temporarily Removed

Support for FRNT Ring Coupling (RiCo) has not yet been adapted to the new kernel introduced in

5.15.0. Customers are recommended to instead use FRNTv2 to manage ring and sub-ring layer-2

topologies.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

1.1.15 Energy Efﬁcient Ethernet (EEE) disabled

Up to WeOS 5.14, Energy Efﬁcient Ethernet (EEE) was enabled on copper ports on Lynx, RedFox and

Viper-A products, which has caused issues with 3rd party products not supporting EEE (see #18637

in section 2.1). EEE is now disabled on all WeOS 5 products, however, ability to enable may become

available in later WeOS 5 versions.

1.2 News in 5.15.1

The subsections below describe news in WeOS 5.15.1. In addition, section 2.2 provides the list with

ﬁxed issues. The release also contains various security improvements related to the Web interface.

1.2.1 Dagger Platform Support Included

Support for the Dagger products (RedFox-5700/7500 and Lynx-5500/5600 series) was excluded in

5.15.0, but included in 5.15.1 and onward.

This means that new features introduced in 5.15.0, such as FRNTv2, IEEE 802.1X Authenticator and

MAC-Authentication, are now also available on Dagger Products. See section 1.1 for more information

on news in 5.15.0.

Note: Dagger products are strongly recommended to have their bootloader upgraded before upgrading

to WeOS 5.15.1, see below.

1.2.2 New Default Bootloader for Dagger and Coronet Products

Products of the Dagger Platform (RedFox-5700/7500 and Lynx-5500/5600 series) and Coronet Plat-

form (Viper) have a new Bootloader, Barebox 2017.12.0-11.

Note: Existing Dagger products are strongly recommended to have their bootloader upgraded to

Barebox 2017.12.0-11, before upgrading to WeOS 5.15.1 or later; otherwise the unit may not be able

to boot WeOS after upgrade.

The improvements made only concern Dagger products, thus existing Coronet products (Viper) need

not upgrade to Barebox 2017.12.0-11.

For more information, see associated Barebox-2017 release notes included in the WeOS 5.15.1 release

zip.

1.2.3 IEC 61375 Train Protocol Support Included

The IEC 61375 train protocol implementation has been migrated to the new kernel, and is supported

in WeOS 5.15.1. See remarks in sections 3.5 and 3.9.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

1.2.4 Updated FRNT Alarm Trigger and Trap support

With WeOS 5.15.1, the alarm ring trigger can be used both for FRNTv0/FRNTv2 alarms in addition

to MRP alarms. Use of frnt trigger for FRNTv0 alarms is still supported, but deprecated.

When specifying a ring trigger, state the protocol (FRNT or MRP) and the associated ring ID. For

FRNTv0, use ring ID ’0’ (zero). The example below shows how to create a ring alarm trigger for an

FRNT(v2) ring with ring ID ’1’, and the associated alarm status when the ring is broken.

example:/config/#> alarm

example:/config/alarm/#> trigger ring

example:/config/alarm/trigger-1/#> protocol frnt

example:/config/alarm/trigger-1/#> ring-id 1

example:/config/alarm/trigger-1/#> leave

example:/#> show alarm

NO TRIGGER ENA ACT REASON

1 Ring YES YES FRNTv2 ring 1 is Broken

example:/#>

For more information on ring trigger conﬁguration, see the WeOS User Guide section Conﬁgura-

tion Guides →Alarm/LEDs and Logging →Alarm.

With 5.15.1, support for SNMP Traps for FRNTv2 ring triggers is included, in addition to SNMP Traps

for triggers of FRNTv0 and MRP rings. See WESTERMO-EVENT-MIB included in release zip for

more information on alarm traps.

1.2.5 Improved LED Support and Documentation

Products with an FRNT LED now shows summary alarm status for all existing FRNT rings. Earlier,

the FRNT LED only showed status of FRNTv0 (if present). Products with a RING LED now shows

summary alarm status for all ring/redundancy protocols (FRNTv0/FRNTv2/MRP/RSTP), see below.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

LED Status Description

FRNT OFF FRNT disabled

GREEN FRNT OK

RED FRNT error

BLINK Unit conﬁgured as FRNT focal point

RING OFF All ring protocols are disabled

GREEN All ring protocol are OK

GREEN BLINK All ring protocol are OK. A ring protocol acts as master/focal-

point/root.

RED A ring protocol has error

RED BLINK A ring protocol has error. A ring protocol acts as master/focal-

point/root.

For more information on LED functionality, see User Guide of your product, or the WeOS User Guide

section Conﬁguration Guides →Alarm/LEDs and Logging →LED.

1.2.6 IEEE 802.1X and MAC Authentication Updates

Support for IEEE 802.1X and MAC Authentication was introduced in 5.15.0, see section 1.1.5. With

5.15.1 a security enhancement is introduced with respect to egress of broadcast trafﬁc and multicast

on a controlled port.

With 5.15.1, Broadcast and ’unknown’ multicast will be blocked from egressing on a controlled port

until there is at least one MAC address authenticated on this port. For unknown multicast to egress a

port at all, the ‘Multicast Flood Unknown’ setting must be enabled on this port.

Restricting egressing of broadcast and unknown multicast limits the ability for attackers to eavesdrop

such trafﬁc on controlled ports. An implication is that Wake-on-LAN is currently not possible on

controlled ports.

1.2.7 Listen Setting for NTP Server Reintroduced

The ’listen’ setting for NTP Server has been reintroduced (it was removed in WeOS 5.12.0).

example:/#> conﬁgure

example:/config/#> ntp

example:/config/ntp/#> server

example:/config/ntp/server/#> listen vlan1

example:/config/ntp/server/#>

For more information on NTP functionality, see the WeOS User Guide section Conﬁguration Guides

→Network Services →NTP Server.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

2 Fixed Issues

2.1 WeOS 5.15.0

Fixed issues in WeOS 5.15.0 (as relative to 5.14.0).

Issue Category Description

#18976 Link Aggregation Link aggregation daemon (teamd) still trying to start after removing

aggregate

#18964 VPN SSL VPN tunnel still running after being removed from conﬁguration

#18944 WEB AAA Server Group without any assigned remote servers is accepted

by Web but results in invalid startup conﬁg

#18876 Documentation WeOS Licenses document not clear regarding Linux-PAM-1.2.1

#18872 TCN Leading status not synced between active and backup ECSP, causing

IEC 61375-2-3 inauguration upon ECSP failover

#18865 TCN DNS request for TCN-DNS URI spams logﬁle

#18864 System Routing between port interfaces not working

#18860 TCN TRDP comId 101 sent multiple times during TTDB generation

#18859 TCN TRDP comId 101 not aligned with comId 100 and 121

#18857 TCN ttdbSrvState and dnsSrvState in comid 121 should use value ’Leader’

instead of ’Error’

#18842 WEB Web help incorrect for VLAN and how ports are associated

#18825 WEB No edit button for Firewall rules in web

#18816 Documentation Civetweb license is not formatted correctly (third party license doc)

#18800 WEB File injection in ’import certiﬁcate’ web page

#18797 WEB Issue creating new VLANs via WEB when FRNT or MRP is enabled

#18773 AAA It is possible to lock users out by change role on current logged in

user

#18769 Documentation The text in help for copy is incorrect

#18756 VPN Conﬁguring SSL-VPN client identity/password results in corrupt con-

ﬁguration ﬁle

#18753 HW SFP DDM temperatures in ’show ports’ are not displayed correctly

for sub-zero temperatures

#18705 TCN Memory leakage when using TTDP and manual DNS settings

#18665 NTP NTP server refuses client request when rebooted after ﬁrst being syn-

chronized

#18651 CLI Show/Delete alarm triggers is not working by type

#18637 Ports Gbit copper link does not come up after reboot towards some third-

party products

Continued on next page

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

Continued from previous page

Issue Category Description

#18620 TCN etbTopoCnt sometimes inconsistent within ETBN upon device recon-

ﬁguration

#18530 WEB Compressed log ﬁles downloaded via Web can not be opened

#18479 TCN Asymmetric ECN conﬁguration in consists with ’inverse’ orientation

results in incorrect inauguration results

#18471 Kernel New kernel log warnings at boot in WeOS 5.12.0 and later (Viper)

#18374 IGMP IGMP and Link aggregates with member ports on multi-switchcores

has problems with runtime changes (Viper-112A/212A)

#18164 Documentation VLAN priority listed as setting although not supported

#18147 IP Multicast Multicast reception or local multicast receiver applications breaks 5

minutes after device boot

#18127 TCN Topology frames may not be sent out on the backbone if a lag in

direction 2 is physically up but logically down

#18068 QoS Signalling protocols from unit gets PCP priority ’0’

#17986 Documentation User guide lists non-supported alarm sources

#17982 IGMP IGMP snooping may occasionally fail to store learnt group MAC

addresses in FDB (Viper-TBN)

#17668 Alarm Alarm action targets "port" and "iface" not properly documented

Comments on speciﬁc issues:

• #17982: Solved by using the new ’multicast-ﬂood-unknown’ setting (enabled by default).

• #18705: Fixed already in WeOS 5.14.0, but was incorrectly listed as a ’known issue’ 5.14.0

Release Notes

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

2.2 WeOS 5.15.1

Fixed issues in WeOS 5.15.1. In addition, the release contains various security improvements related

to the Web interface.

Issue Category Description

#19182 System Device might reboot when disabling and enabling system watch-

dog

#19178 WEB Problem with conﬁg. DHCP server in the WEB

#19131 System Periodic high CPU load when discover/ssdp enabled

#19110 Any Lynx-3510 reports to be a member of the family "Envoy", and not

the expected "Lynx" on 5.15.0

#19098 TCN Maximum number of functions in static consist information too

low (255)

#19095 NTP NTP Server ’listen interface’ option not working

#19063 Logging Webserver logs unnecessary debug information to

’/var/log/www’, risking to ﬁll up RAM disk

#19051 TCN Leading request in Dir-2 cancelation makes state Rule-C indicat-

ing a coupling event to happen

#19050 TCN Leading request without giving values to leading vehicle makes

system use Rule E Dir 1 regardless of direction requested

#19046 Routing Issues with conﬁguring static default routes in Web and CLI

#19044 Port Access Control Authorized MAC addresses may fail to be removed from hardware

after ageing out

#19043 Port Access Control An unauthorized MAC may cause continuous CPU interrupts

(MAC Authentication)

#19025 FRNT Not possible to create alarm trigger for FRNTv2 ring

#19018 LED FRNT LED only reﬂects status of FRNTv0

#19017 General Upgrading primary gives warning that CRC checking of secondary

is ongoing even when ﬁnished

#19009 TCN Leading request accepted without giving values to leading direc-

tion and leading vehicle

#19002 LED RING LED does not consider FRNTv2, MRP or RSTP (Lynx-

3500)

#18952 AAA Too short password max length for AAA Remote Server (Web)

#18940 WEB FRNT and MRP sections are blank under system.txt from Tech

Support Bundle

#18928 TCN TTDP may fail to correctly set routing entries after multiple ETB

inaugurations

Continued on next page

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

Continued from previous page

Issue Category Description

#18912 TCN The failure of an ETBN in a redundant consist causes an inaugu-

ration if inhibit is not set

#18906 DHCP DHCP-Relay does not perform DHCP-Snooping (’Coronet’ and

’Envoy’ platform products)

#18895 RSTP Slow RSTP failover time when using multiple OpenVPN L2 tun-

nels

#18863 Logging Using Chromium-based browser to enter HTTPS web UI generates

SSL error messages

#18820 WEB RSTP status shows no values via WEB

#18735 IP Multicast Multicast packet loss when routing in network with IGMP, FRNT

and VRRP

#18166 IGMP Delayed loss of IGMP multicast in FRNT ring when switch in ring

restarts

#18160 IGMP Loss of IGMP multicast in FRNT ring when switch in ring restarts

Issues #18906, #18735, #18166 and #18160 were ﬁxed already in 5.15.0, but incorrectly listed as

’known issues’ in the 5.15.0 Release Notes. Issue #18160 is solved by enabling ’multicast-ﬂood-

unknown’ on FRNT ring ports. This setting was introduced in 5.15.0, see section 1.1.7.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

3 Known Limitations

This section describes known limitations in WeOS.

3.1 Port Access Control (IEEE 802.1X and MAC Authentication)

Wake-on-LAN is currently not possible on controlled ports. The reason is that broadcast trafﬁc is not

allowed to egress a controlled port until there is at least one MAC address authenticated on the port.

3.2 Login

Known limitations related to the Login service.

Side-effect of disabling console login

When disabling login from console, login via telnet is also prohibited (even when telnet login is

enabled).

SSH Public Key Lost When Disabling Built-in User

WeOS 5.13.0 introduces support for importing SSH public key for built-in users, as well as the ability

to enable/disable a user. When disabling a user, the intention is that the user shall be prohibited from

logging in, while other user conﬁguration is till kept in the conﬁguration ﬁle.

However, the disabling of a user currently implies that any SSH public key associated with the user is

removed and needs to be imported again upon enabling the user.

3.3 Setting Date Manually

Setting a manual date on the WeOS unit before 1 January 2000 will render an error message.

3.4 Available ports for boot speciﬁc functionality

The boot loader rescue mode only supports regular copper ports, not SFP ports. On RedFox-5528,

ports 1-4 are also not supported until the system has booted.

3.5 Routing Hardware Ofﬂoading

The routing hardware ofﬂoading support for Viper-TBN introduced in WeOS 5.8 has shown to have

instabilities. In particular, when used with dynamic routing, there are issues not yet solved. Therefore

hardware ofﬂoading has temporarily been disabled by default. For use cases with static routing setups,

hardware ofﬂoading can be enabled as shown in the example below.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

viper:/#> conﬁgure

viper:/config/#> ip

viper:/config/ip/#> ofﬂoad

viper:/config/ip/#> leave

When ofﬂoading is enabled, regular IPv4 forwarding is handled in hardware with some exceptions,

see the WeOS 5 User Manual for details (section ’Conﬁguration Guides’/’Routing’/’Ofﬂoading’).

Use of the WeOS Firewall together Hardware Ofﬂoading is not supported and the behaviour of doing

so is undeﬁned. The exception is when ﬁrewall conﬁguration is limited to ﬁlter input rules.

Hence, if the Firewall is use to conﬁgure ﬁlter forwarding rules, NAPT rules or port forwarding rules on

a Viper-TBN, it is necessary to disable the hardware ofﬂoading (opposite steps to the example above).

viper:/#> conﬁgure

viper:/config/#> ip

viper:/config/ip/#> no ofﬂoad

viper:/config/ip/#> leave

viper:/#>

3.6 SNMP

SNMP in WeOS 5 is read-only.

When conﬁguring SNMPv3 authentication it will not inform the user if the password length is valid

(minimum of 8 characters).

The MIBs folder in the release ZIP-ﬁle contains a conformance folder listing all supported MIBs and

OIDs.

3.7 FRNT

Fastlink must be enabled manually for FRNT (gigabit Ethernet) ring ports.

Fastlink is a unique feature of Westermo products to optimise gigabit Ethernet link-down fail-over

times in layer-2 redundancy protocols such as FRNT.

3.8 RSTP

WeOS 5 supports RSTP, compliant to IEEE 802.1D-2004. Due to limitations in the WeOS 4 implemen-

tation of RSTP, a WeOS 4 unit will keep ports in blocking mode longer than needed when connected

to a WeOS 5 node.

Hence, mixing WeOS 4 and WeOS 5 units in RSTP topologies may exhibit relatively long periods with

limited connectivity during topology changes, this applies to both link failure and when a link comes

up again.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

Link aggregate path-cost use the conﬁgured port speed value(s) and not the negotiated speed value.

This can lead to RSTP making the non-optimal path selection. Work-around this issue by setting a

ﬁxed path-cost in the spanning-tree port conﬁguration.

3.9 IEC 61375

In this release, not all of the recovery use cases, nor the optional cases, are supported.

It is possible to manually conﬁgure DNS rules when the train protocols are enabled. But the manually

added rules, will be removed when train protocols updates the DNS conﬁguration after inauguration.

Thus, manually added DNS conﬁguration currently cannot co-exist with the IEC 61375 support.

TTDP and non-TTDP multicast can be used simultaneously in this release, but is considered unstable

and is strongly recommended to be avoided.

"Automatic Gap Insertions", when several vehicles have the same name, can lead to unexpected

behaviour. This is also true when Ethernet speed on backbone ports is set to Gigabit speed.

When recovery-mode is set to deferred/wait, an ECSC must be running on the conﬁgured multicast

address. If no ECSC is running and sending data on the conﬁgured multicast address, no node will

come up at all.

Gigabit speed on backbone ports limits the handling of lost and recovering middle nodes.

Since hardware ofﬂoading was introduced in WeOS 5.8.0, Viper TBN can now route data at a faster

rate than the CPU could previously, leading to a potential of overloading the CPU during the time when

the ofﬂoading tables are being set up. Since this happens during TTDP train inauguration, it is strongly

recommended to enable inauguration inhibition on all nodes to reduce spurious re-inaugurations and

guarantee a stable train communication.

The “ECSP inhibit sync” function should only be enabled in consists with simple or straightforward

ECN conﬁgurations. In complex conﬁgurations with non-symmetric ETBN/ECN connections and/or

conﬁgurations where different ETBNs are master routers for different ECNs simultaneously, the backup

ETBNs will not be able to unambiguously determine which ETBN is the master router/ECSP, which

can in turn lead to unexpected behaviour with regards to the local inauguration inhibition value. In

these cases, manually setting the local inauguration inhibition values on the backup ETBNs, via the

ETBN_CTRL telegram, should instead be performed.

3.10 LLDP

When using Link Aggregation, the individual member ports will transmit LLDP frames using the MAC

address of the link aggregation interface, i.e. all member links in an aggregate will be using the same

MAC address.

Document

Release Notes WeOS 5.15.1

Date Document No

April 28, 2023 224004-ga0cb1b24ed

3.11 Port Monitoring

It is not possible to utilise port monitoring directly on a link aggregation port interface. However it is

still fully possible to monitor the individual member ports that constitute any given link aggregate.

Therefore, in order to fully monitor an aggregate, monitoring must be conﬁgured for each of the

aggregate member ports.

3.12 Media Redundancy Protocol (MRP)

•MRM not supported for MRP 30 proﬁle: WeOS 5 units can be conﬁgured to operate in MRP

200 or MRP 30 proﬁle. However, for MRP 30 proﬁle, conﬁguring the WeOS 5 unit as MRP

Master (MRM) is not supported. A WeOS 5 unit can be used as MRP Client (MRC) with MRP

30 proﬁle with MRMs from other vendors.

More details: When a link comes up between two MRP clients, the clients send link-up messages

to the MRP master. The MRP 30 ms proﬁle only gives the MRP master 4 ms to block its secondary

port from the time the MRP clients send their ﬁrst link-up message. The WeOS 5 MRP Master

is not always capable of doing that, resulting in a short transient loop in the MRP ring when the

ring is healed.

To avoid this, it is recommended to use the MRP 200 ms proﬁle instead. For link-down scenarios,

MRP 200 ms proﬁle conducts failover as fast as the 30 ms proﬁle, given that MRCs in the ring

are capable of sending MRP link-down messages (WeOS units have this capability).

•Use of MRP with virtual L2 ports (SSL VPN ports): MRP is speciﬁed for use with Ethernet ports

(full duplex, 100 Mbit/s or higher). WeOS enables the use of running MRP over SSL L2 VPNs,

but requires the VPN to run over a high-performance network to work well. Furthermore, only

the MRP ’200 proﬁle’ can be used with SSL VPNs.

3.13 10G SFP Ports

The 10G SFP ports on RedFox-7528 have the following limitations:

• IEEE 1588/PTP is currently not supported on 10G SFP ports.

• 10G SFP ports are only to be used for 10G Fiber SFPs or 1G Fiber SFPs, not copper SFPs or

100 Mbit/s Fiber SFPs.

• Status of MDI/MDIX and polarity shows value ’Invalid’ (’N/A’ or ’Not Applicable’ would be

more appropriate).

Page is loading ...

Westermo RedFox-5528-E-F4G-T24G-LV Firmware