Kaspersky IoT Secure Gateway 100

Known limitations

May 24, 2023

ID 227620

OPC UA limitations

Kaspersky IoT Secure Gateway 100 version 2.0 has the following OPC UA protocol support limitations:

  • Kaspersky IoT Secure Gateway 100 must be restarted before it can apply new security settings for the OPC UA server after reconnection.
  • The OPC UA client certificate does not undergo verification.
  • To verify the server certificate, the OPC UA client checks the following:
    • The server certificate matches one of the certificates from the list of trusted certificates.
    • The server certificate is within its validity period.
  • If the OPC UA client is configured to trust all certificates via "trustList": "AllowAll", it does not verify the server certificate.
  • When the None security policy and mode are specified in the Kaspersky IoT Secure Gateway 100 settings, the OPC UA client certificate and encryption key must still be provided.
  • Only the following data types described in the OPC UA specification are supported:
    • Boolean
    • SByte
    • Byte
    • Int16
    • UInt16
    • Int32
    • UInt32
    • Int64
    • UInt64
    • Float
    • Double
    • String
    • DateTime
    • XmlElement
    • NodeId (only numeric and string)
    • ExpandedNodeId (only numeric and string)
    • StatusCode
    • QualifiedName
    • LocalizedText (partially)
    • Variant
  • Double- and Float-type data received over the OPC UA protocol is rounded to six significant digits.
  • To transmit data over OPC UA, the server must support the MonitoredItem and Subscription service sets.
  • Only one OPC UA client connection to one OPC UA server is available.

MQTT limitations

Kaspersky IoT Secure Gateway 100 version 2.0 has the following MQTT protocol support limitations:

  • Only one MQTT client connection to one MQTT broker is available.
  • A delivery guarantee (qualityOfService parameter) is configured for all messages from the MQTT client.
  • The MQTT client does not use the retain flag, either when sending messages or for the LWT message (the message informing that the client was improperly disconnected).
  • Setting the keepAlive parameter of the MQTT client to 0 will not disable the "keep alive" mechanism (this mechanism disconnects a client that is inactive for too long).
  • The MQTT client ignores the lack of response from the MQTT broker for a prolonged period of time and does not close the connection.
  • If the connection is disrupted, a small number of published messages may be lost after the connection is restored, even if the buffer has sufficient free space.
  • In the early stages of MQTT client initialization, information from the client is not written to the health log of Kaspersky IoT Secure Gateway 100. This is due to the restrictions imposed by KasperskyOS security policies.
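
The following pre-deployment check is an added example, not part of the Kaspersky documentation or product. It flags the two settings called out in the OPC UA and MQTT limitations above: "trustList": "AllowAll" and a keepAlive value of 0. Only those two key names come from this page; the nesting of the settings file, the other keys and the sample values are constructed assumptions, so the check walks the whole JSON document instead of relying on a schema.

```python
import json

# Constructed sample settings. The nesting and every key other than
# "trustList" and "keepAlive" are assumptions, not the product's schema.
SAMPLE_SETTINGS = """
{
  "opcUa": {"url": "opc.tcp://plc.example:4840", "trustList": "AllowAll"},
  "mqtt": {"broker": "broker.example", "keepAlive": 0, "qualityOfService": 1},
  "spare": [{"trustList": ["server-cert.der"]}]
}
"""


def audit_settings(node, path="$"):
    """Walk parsed JSON at any depth and return (json_path, message) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "trustList" and value == "AllowAll":
                # Per the OPC UA limitations: the server certificate is not verified.
                findings.append((here, "server certificate is not verified"))
            elif key == "keepAlive" and type(value) in (int, float) and value == 0:
                # Per the MQTT limitations: 0 does not switch keep alive off.
                findings.append((here, "0 does not disable keep alive"))
            findings.extend(audit_settings(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(audit_settings(item, f"{path}[{index}]"))
    return findings


def audit_text(text):
    """Parse a JSON settings document and audit it."""
    return audit_settings(json.loads(text))


if __name__ == "__main__":
    for where, message in audit_text(SAMPLE_SETTINGS):
        print(f"{where}: {message}")
```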

TLS limitations

Kaspersky IoT Secure Gateway 100 version 2.0 has the following TLS protocol support limitations:

Other limitations

Other limitations of Kaspersky IoT Secure Gateway 100 version 2.0:

  • Kaspersky IoT Secure Gateway 100 does not apply new network settings received from the DHCP server until the lease time of the IP address expires.
  • In the Kaspersky IoT Secure Gateway 100 health log, the name en0 is used for both network interfaces.
  • Messages regarding a lost connection on the internal or external network interface are not written to the Kaspersky IoT Secure Gateway 100 health log immediately after disconnection. This type of message may appear in the health log if a connection is absent for a prolonged period of time, or it may never appear at all.
  • If powered off, Kaspersky IoT Secure Gateway 100 does not retain any unsent data because it does not store this data in non-volatile memory.
  • Kaspersky IoT Secure Gateway 100 does not process disk space overflow events when maintaining the health log. When configuring the health log settings, make sure that the size of the log storage folder does not exceed the available disk space on the TGW-HW-LOG partition of the microSD card.
