Product Documentation

Release Notes

Sep 24, 2017

This release notes describes known issues, and fixed issues applicable to Citrix NetScaler SD-WAN software release 9.3 for the SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances.

For information about the previous release versions, see the NetScaler SD-WAN 9.2 and NetScaler SD-WAN 9.1 documentation. 

Fixed Issues

SD-WAN 4100-SE

Issue ID 675715: On a NetScaler SD-WAN 4100-SE appliance, changing Interface settings for 1G interface does not work and causes link to become inactive. For example; changing the speed to 100MB does not work. The interface settings change option is disabled for all 1G ports similar to the 10G ports as it is not supported on the 4100-SE appliance.

SD-WAN 4000-WANOP and 4000-SE

    Issue ID 680778: A configuration audit error occurs in two-box mode deployment when a NetScaler SD-WAN 4000-SE appliance with two interface groups is configured with first interface group having bridged pair with two Ethernet interfaces selected, and second interface group is connected to the WANOP appliance. The error occurs when the first interface group is enabled with WCCP listener indicating that multiple Ethernet interfaces cannot be enabled with WCCP. When you revert configuration by disabling WCCP on the first interface group and enabling it on the second interface group, the same configuration audit error is displayed even though only one Ethernet interface is enabled on the interface group.

    Issue ID 679121: While upgrading SD-WAN 4000 appliance from old releases to 9.2 release, the SD-WAN GUI appears before the upgrade process is completed. The old image is listed in the GUI.

    Issue ID 680825: On a NetScaler SD-WAN 4000 appliance with release version 9.2, the HTTP service does not work for one of the SD-WAN instances and fails to start or restart the https service.

TCP Fragmented traffic

    Issue ID 681472: Virtual WAN drops TCP Fragmented traffic when firewall connection tracking is enabled.

NTP Server Time Settings

    Issue ID 680987: On NetScaler SD-WAN 2000 appliances, when you change the NTP server settings, the Enterprise Edition appliance time settings sync up with the new NTP server time settings and the correct time zone format is displayed. However, the new NTP server time settings on a WANOP appliance are not synchronized with the new NTP server time settings.

Diagnostic tool

    Issue ID 680251: In a NetScaler SD-WAN VPX appliance setup, multiple IPREF client TCP sessions are initiated while server session is still on causing the server to display additional entries even when the client has stopped sending any further traffic.

Rules Group Tab

    Issue ID 681562: The Rule group tab in SD-WAN Center report page does not show any data for the configured applications.

DPI- No audit error on disabling DPI

    Issue ID 681175: If an application object created with DPI application is associated to a firewall policy template, and is used in firewall and then if the DPI is disabled, there is no audit error message displayed indicating that there are rules still associated with firewall as the firewall is still functional.

SSL Profile Name

    Issue ID 681482: In a NetScaler SD-WAN VPX appliance setup, when you create an SSL profile and try to edit the profile and save it, the following error message is displayed: “No object with profile name exists”.

SSL Profile page

    Issue ID 681443: When creating or editing an SSL profile, the settings are saved but the application does not get redirected to the SSL Profile home page.

GUI

    Issue ID 681649: Unable to enable DHCP Server and Relay for management from the UI. On selecting Enbale DHCP Server, the fields Lease Time, Domain Name, Start IP Address and End IP Addresss  should  be editable, but these fields are not editable.

Security Vulnerability

    Issue ID 690709: Unauthenticated remote code execution on the NetScaler SD-WAN Enterprise Edition and Standard Edition appliances. This security hotfix addresses the vulnerabilities as described in the CTX security bulletin article (CTX225990). 

SD-WAN WANOP

    Issue ID 675452: NetScaler SD-WAN WANOP client info displays OS version as Windows 8 even when plugin is installed in Windows 10 OS.

Simplified Configuration

    Issue ID 678342: In the SD-WAN configuration editor, secondary level confirmation is not provided when deleting a WAN Link, Interface Group, or Static Route from the Basics view.

Ethernet Interfaces Configuration

    Issue ID 680585: In a NetScaler SD-WAN Standard Edition appliance web GUI, the Basic View under Configuration Editor allows you to create Interface without selecting Ethernet interfaces. The created interface is displayed in the Advanced View as VLAN 0 instead of displaying in the Basic View.

DPI - Traffic classified as unknown when the traffic flows through EE appliances

    Issue ID 677504: Applications are classified as Unknown protocol when the traffic flows through EE appliances, because the compressed traffic is not classified. Therefore, the Firewall rules do not work on EE appliance with DPI enabled when rules are configured with Application, Application Family or Application Object firewall policies. This issue occurs only when a WANOP Service Class Compression policy is configured on a Standard Edition/Enterprise Edition or Standard Edition/Standard Edition appliance with a WANOP deployment mode.

DPI – Any application traffic sent via GRE Tunnel is reported as GRE in SD-WAN Center

    Issue ID 680994:  Ideally, any application traffic (example HTTP) sent through the GRE tunnel should be classified by DPI reported as both GRE and the real application traffic (example HTTP) in the Application section of Reporting page in SD-WAN Center. Due to this bug, the real application (example HTTP) is also reported as GRE traffic.

    This bug is only a reporting issue and the real classification has no issues in the site level DPI. Both the classification and firewall actions after DPI will have no impact in any site.

SD-WAN GUI

    Issue ID 683520:  In the SD-WAN GUI, changing the interface settings for interface under Configuration > Appliance Settings > Network adapters > Ethernet does not work for the SD-WAN 1000-EE, 2000-EE and 400-SE platforms.

XS 6.5 Upgrade Support

    Issue ID 662041: Once your appliance is upgrade to NetScaler SD-WAN 9.3 software, you can also upgrade XenServer to version 6.5 in case if you are using 6.0 or 6.2 version currently. 

Known Issues

Platform

 

SD-WAN 4100 and 5100 WANOP 

    Issue ID 688095 and 687990:  In NetScaler SD-WAN 4100 and 5100 WANOP appliances, when the time zone or date is changed, the NetScaler instance reboots. While rebooting the CB broker is unable to communicate with the NetScaler instance and hence displays the IP address of the NetScaler instance as 0.0.0.0.  The corresponding IP address of the NetScaler instance is displayed after the reboot. 

    Issue ID 691656: When provisioning SD-WAN 4100 and 5100 WANOP appliances with NetScaler SD-WAN 9.3 build, the provisioning fails and a message that the NetScaler instance is down appears.

SD-WAN Appliances

    Issue ID 677856: SD-WAN appliance will not honor drop or reject firewall filter rules for any traffic when the appliance goes to Fail-to-wire (FTW) mode.

SD-WAN VPX Appliances Software Downgrade

    Issue ID 670142: SD-WAN software downgrade for SD-WAN VPX appliances from release 9.1.1 to version 9.1.0 does not work in XenServer, ESXi, and AWS environments.

SD-WAN 4000 WANOP and 4000 SE

    Issue ID 681550: On a NetScaler SD-WAN 4000 WANOP appliance, uploading DER encoded certificate for the SSL profile is ignored and no error message is displayed in the web GUI. Only PEM encoded certificates are accepted.

Two Box Mode

    Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.

    Workaround: Disable and re-enable two box mode on the SD-WAN WANOP appliance.

SD-WAN 1000 / 2000    

    Issue ID 681663:  When you upgrade SD-WAN 1000 / 2000 appliance from release build version 9.1.2.26 to 9.2.x, a warning is displayed in the browser.

    Workaround: Perform the upgrade in an in-cognito mode window of the Google Chrome browser.

SD-WAN WANOP 4000, 4100, and 5100 – NetScaler and WANOP instance information unavailable in the GUI after TACACS readonly user login

    Issue ID 688948: On SD-WAN WANOP 4000 platform editions with SVM running software release version earlier than 9.3.0, TACACS user with readonly viewer privilege setting did not require executable command for user profile in the remote TACACS server.

In release 9.3.x, readonly command needs to be configured for read only user in the remote TACACS server.

Sample user configuration in remote TACACS server: 

Code Copy

user = tac_super1 {
        login = cleartext tac_super1_pwd
        cmd = superuser { permit .* }
}
user = tac_ro1 {
        login = cleartext tac_ro1_pwd
        cmd = readonly { permit .* } // earlier this was not required
}

Configuration

WAN GRE Tunnel

    Issue ID 681171: Fragmented GRE tunnel packets are not reassembled properly by a NetScaler SD-WAN appliance.

IPSec Tunnel Configuration

    Issue ID 681121: On a NetScaler SD-WAN VPX appliance, a web GUI error is displayed and configuration fails when you try to add and configure IPSec tunnel through the SD-WAN configuration editor.

    Workaround: Configure IKE and IPsec parameters except protected networks and save the configuration. Edit the configuration to add protected networks.

Enterprise Edition as MCN – SSL Profile

    Issue ID 680199: On a factory shipped Enterprise Edition appliance when you create an SSL profile and associate a Service Class to the profile with unidirectional setting, the SSL profile is not checked/enabled in the SSL Profile page of the SD-WAN EE web GUI. Also, the service class is not associated to the SSL profile.

    Workaround: Create a new SSL profile and associate unidirectional service classes.


Configuration and Reporting

    Issue ID 683882: Audit errors are reported when you create more than one Service Class on an SD-WAN appliance with override options. This issue occurs only when you perform override for service class and create more than one service class. It is not observed when you create only one Service Class under the default section.

 Upgrade Failure

Issue ID 689362: In CB VPX, upgrade from 7.2.2 to 9.3.0.74 image failed. The following error message is displayed- “Unable to upload patch. Patch size may be too large!”.  There is a limit for patch size in older builds.

   Workaround: Upgrade to any intermediate build ( 7.4.3 build or any build post 7.4.3 release )  and then from the intermediate build upgrade to 9.3.0 build.

Transparent proxy support for TLS 1.2

    Issue ID 691900: In NetScaler SD-WAN WANOP 9.3.0, for SSL compression the SSL profile has to be configured in split mode only as transparent proxy mode is not supported.

SD-WAN GUI Audit Error 

    Issue ID 687693: In the NetScaler SD-WAN GUI, when you navigate to Basic view > Add Service Provider with maximum number in the Physical Rate field, the generated audit error is misleading - Integer must be less than or equal to XXX.XXX (decimal number).

    Issue ID 687701: In the NetScaler SD-WAN GUI, Service Provider Queue rate value percentage is represented incorrectly when max value is added in the physical rate field.

 

Change Management  (Single Step Upgrade)  SD-WAN GUI

    Issue ID 691080: The single step upgrade procedure fails on an SD-WAN MCN appliance in a high-availability mode. When you attempt to perform change management procedure using the .zip single step upgrade file, the non-Virtual WAN software components, such as the WANOP package transfer is initiated only when manual toggle of the appliance happens for the Primary appliance being Active. This results in version mismatch between the WANOP appliances and the single step upgrade process is not successful.

   Issue ID 691359:  You can download LCM package by clicking on the active/staged hyperlink under Download Package when using the tar.gz files to perform Change Management. This will download only the Virtual WAN package as in the previous software release versions.  If you use the . zip file of single step upgrade procedure to perform Change Management, the staged/active hyperlink under Download LCM Package downloads the single step upgrade package.

   Issue ID 691571: On low-end platform editions, such as the SD-WAN 400, 100, 2000, or VPX appliances with 4 GB or smaller memory assigned, if concurrent local change management package downloads are initiated the appliance runs out of memory and becomes unresponsive.

        Workaround: Download local change management package one at a time, this reduces the load on the appliance.

    Issue ID 691953:  During software upgrade on an appliance using an SE license a WAN optimization related waring message appears. After the scheduled upgrade and after the WAN optimization, SVM and XenServer hotfixes are installed the warning message is cleared.

    Workaround: Clear the warning messages manually or open the SD-WAN web UI in an incognito window.

    Issue ID 691746:  In SD-WAN 1000 and 2000 appliances, when the software is upgraded from software release version 8.1.0 to version 9.3.0 and the appliance license is changed from SE to EE, the WAN Optimization node is not displayed in the Configuration and Monitoring tabs.

Networking

    Issue ID 668835: WCCP does not work with GRE redirection when loopback IP is configured on the router. If you have loopback IP as the WCCP router IP configured on SD-WAN-WANOP on any previous software release version other than 9.3.x, upgrading to software release version 9.3.x will not resolve the issue.

     Workaround: You need to reconfigure the cache IP addresses and service group by performing Change Mode in the SD-WAN WANOP GUI by navigating to Configuration >Advance deployments >WCCP.

HDX CGP over SSL

Issue ID 690794: HDX ICA/CGP over SSL sessions behavior In Virtual WAN Standard Edition:

  • HDX sessions are not being negotiated as multi stream sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.
  • HDX traffic is classified as belonging to Hyper Text Transfer Protocol Secure (https) application and web family.
  • HDX traffic falls under interactive_very_low class. This may cause issues in QoS, bandwidth allocation and so on as application QoS will not be triggered because the traffic is not classified as HDX sessions.
Issue ID 690805:HDX ICA/CGP over SSL behavior In Virtual WAN Enterprise Edition:
  • HDX sessions are negotiates as multi stream session.
  • HDX traffic is classified as belonging to Hyper Text Transfer Protocol Secure (https) application and web family.
  • HDX traffic falls under HDX_priority_tag_1 class. But, this traffic is not reported in Application QoS reports and in HDX reports in SD-WAN Center. However, in WANOP reports display CGP over SSL sessions as HDX session.

DPI Functionality

DPI- ICMP Functionality

    Issue ID 677356: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.

    Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.

DPI – Dual- mode IPERF test identifies traffic only from one node

    Issue ID 678131: When dual-mode IPERF test is performed between two appliances, the traffic in NetScaler SD-WAN web management interface under Monitoring > Firewall > Connections with DPI identifies traffic flow only from one of the connections.

DPI –Traffic for Top App Family as "Standard" and Top App as "Unknown Virtual protocol" for a Standard Edition appliance

    Issue IDs 678373, 678339, 678545, 675063, 676017: On a NetScaler SD-WAN Standard Edition appliance, enable EDT policy for MSI+MP for Win7 and Win2K12 XD 7.12 VDAs on ports 2598, 2599, 2600, 2601 and subsequently disable Session Reliability policy for Win7 VDA.

    Start sending internet traffic and check the monitoring flows in the Standard-Edition web management interface for Classes, Rule groups – ICAUDP and ICACGPUDP, and Firewall. Check the Dashboard and Reporting page in SD-WAN Center web management interface. The results display Top Application Family as Standard and Top Applications as Unknown Virtual Protocol.

SD-WAN Center

    Issue ID 683419: In the SD-WAN Center dashboard,  read-only user login access generates the following GUI error:  Error in retrieving top applications.

    Issue ID 692484: In the SD-WAN Center network map dashboard,  sites with manually added Static or Dynamic Virtual paths are not accounted symmetrically for both the sites. When visualizing sites in the network map, only one of the sites constituting Static or Dynamic Virtual path is displayed.

    Issue ID 692486: In SD-WAN Center, intermittent 550 site information for all sites on the dashboard is displayed in yellow tile. These sites are considered as BAD sites. However, data for the sites gets auto corrected and displays correct information for all sites. 

    Issue ID 692487:  In the SD-WAN Center dashboard, configuration setup for monitoring 400 or more sites can take approximately 4 minutes to load.

    Issue ID 692500: The SD-WAN Center dashboard does not work on Internet Explorer browser, all other pages of SD-WAN Center web interface works fine on Internet Explorer browser.    

        Workaround: Use other browsers like Firefox or Google Chrome.

 

Limitations

HDX

  • The number of users is equal to the total number of HDX sessions. The number of users is not based on distinct user names. That is, two sessions started by a single user on two different machines or the same machine is counted as two users.
  • HDX sessions are not being negotiated as  Multi Stream Sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.
  • HTML5 receiver and ICA over SSL are not supported.

DPI Classification

  • DPI Classification will not classify compressed traffic. This happens on any deployment which has two box (SD-WAN SE/WANOP) solution where WANOP is optimizing the traffic through MBC/DBC as acceleration policy and the traffic is received as compressed traffic.
  • Enabling DPI functionality might affect your system performance.

SD-WAN Center and Diagnostics Tool

  • SD-WAN web GUI Diagnostic tool will not be supported on UNTRUSTED links and Dynamic Virtual Paths.
  • In the SD-WAN Center Reporting page, the Application name, Application Family, and Site filter do not contain scrollable search drop-down menu.

Microsoft Azure

  • A VM in Azure supports more than one Public IP on an interface. This VM needs to be on the WAN link to establish Virtual Path. While configuring SD-WAN VPX-SE,  network interfaces have to added in following order:
                 a) Management interface 
                b) LAN interface 
                c) WAN interface
 
  • After a VM is created and booted in Azure, the interfaces cannot be added or deleted. The VM profile (RAM/HD/CPUs) can be changed.
  • Azure does not allow two network interfaces NIC on a VM to have IP address on same subnet. There is no L2 Support and bridging is not allowed. VPX-SE on Azure has to be deployed in Gateway mode.
  • There is no concept of MAC address spoofing in Azure Cloud. The LAN subnet of the VPX-SE and the LAN subnet of the Client/Server Host have to be different. This will require additional routing configuration to be done in two places.
        – User Defined Routes (UDR) have to be added in Azure directing all Virtual WAN Data traffic from the Client/Server LAN Subnet to the LAN interface of the VPX-SE in Azure.
        – Routes have to be added in the Virtual WAN Configuration File directing all Virtual WAN Data traffic coming from the WAN to the Client/Server LAN Subnet.
  • PCI Enumeration causes the order of NICs in an Azure VM to get switched on reboots. This might cause Management Subnet unreachability.