Citrix SD-WAN Orchestrator

Known issues

Citrix SD-WAN Orchestrator service has the following known issues:

SDW-16045: The static virtual paths that are formed between a transit node and the branch sites are not getting deleted when the transit node configuration is removed.

  • Workaround: Delete the static virtual paths manually when the transit node configuration is removed.

SDW-17671: The Routing Domain column is not getting displayed on the Reports > Real Time > Statistics > Multicast Group table.

SDW-18024: Even after the management IP address is removed or the Citrix SD-WAN appliance is unable to communicate to Citrix SD-WAN Orchestrator service, the Citrix SD-WAN Orchestrator service GUI continues to show the Connectivity status as connected (online).

SDW-17906: Disabling the NTP servers for a site from the Citrix SD-WAN Orchestrator service GUI clears the existing NTP server entries from the Citrix SD-WAN appliance.

SDW-17638: For custom roles created with feature access set to No Access, the Citrix SD-WAN Orchestrator service GUI displays the default feature configuration instead of hiding the feature or displaying a 403 error message.

SDW-15287: The previously created IPS rules that are global for all Citrix SD-WAN Edge Security sites are not migrated automatically.

  • Workaround: Recreate the IPS settings as part of profile creation and apply them to all Citrix SD-WAN Edge Security sites.

SDW-18031: In the Citrix SD-WAN 210 appliance, if you remove the add-on license, the services get disabled.

  • Workaround: Remove the firewall policy having security profile, stage, and activate the changes to convert the appliance to standard edition.

SDW-16968: For In-band HA, the GUI does not have an option to select the direction of the Destination Rule with Service Type as Any resulting in failure of outbound rules. The error message “[EC818] At Site ‘site-name’: service_type ‘any’ may not be used when direction is outbound.

SDWANHELP-1541: Error message is displayed while retrieving a license in Citrix SD-WAN Orchestrator service. The licensing back office did not have a start date for the license, which is a required field for licensing service.

SDWANHELP-1632: When the correct IP address is not getting reported, the Dashboard page displays the system default management IP address ( even though a different IP address is assigned through DHCP. There is no impact on the appliance’s connectivity. The correct IP address is displayed on the Appliance Settings page.

SDWANHELP-1678: The Usage report at the network level generated for long duration (more than a day) takes longer time to fetch the statistics and no data is displayed on the UI.

SDWANHELP-1754: For the path MTU discovery, the path MTU probe events are enqueued for processing during a timer kick-off. A segmentation failure occurs in the case if a probe event is not valid when the actual execution is attempted.

SDWANHELP-1760: When the customer is out of SD-WAN Orchestrator Entitlements and tries to assign a license to the Citrix SD-WAN device, the license assignment fails with an incorrect error message.

SDWANHELP-1764: You cannot Stage and Activate a new configuration change. The memory and CPU fields are assigned some default values and that cannot be changed as there is no option available in the SD-WAN Orchestrator UI currently. This issue occurs as the default values vary from customer to customer.

SDWANHELP-1803: The Historical and Quality statistics do not get generated as the SD-WAN Orchestrator UI does not get the required device information to invoke the call for statistics when the SD-WAN device is offline.

SDWANHELP-1918:Static routes for LAN IPsec tunnels were not getting configured.

SDWANHELP-1973: Sometimes displaying different statistics for the duration of 1 day and more takes time. This is more observable for 1 week and more. In some of the cases, the request does not get completed in time and UI then shows - no statistics available.

SDWANHELP-1976: In rare conditions, Citrix SD-WAN service might crash when Deep Packet Inspection (DPI) for Citrix ICA Applications is enabled.

  • Workaround: Disable the DPI for HDX.

SDW-10104: Creating the transit nodes for the branches does not form virtual paths.

  • Workaround: Create the static virtual paths manually between the transit site and the branch nodes.

SDW-11355: For the existing Standard Edition (SE) devices, the Inspect action can be selected in firewall policies. Also, the Advanced Edition (AE) to SE conversion will not throw an error when there are existing firewall policies with Inspect action enabled. In both of these scenarios, no errors occur during the staging and activation.

SDW-11941: Advanced firewall functionalities don’t work in one of the following scenarios. Also, no audit error is seen while performing the following scenarios:

  • Downgrade of 1100-AE from 11.2.0 to lower builds which do not support advanced firewall functionalities
  • Conversion of 1100-AE to 1100-SE on 11.2.0

SDW-12976: Activation fails when configuring an appliance with Advanced Edition (AE). This is due to missing configuration elements related to the Anti-malware configuration.

  • Workaround: Save the Anti-malware configuration from the UI once again and perform staging and activation.

SDW-12977: SD-WAN AE activation might fail consistently if the edge security component is stuck to an unresponsive state. Rebooting the failing appliance must resolve the issue and allow activation to proceed.

SDW-13046: When you roll back the network software version to lower than version 11.2, sites configured as Advanced Edition (AE) fail to stage with the message - Package extraction failure. This is because AE is supported from version 11.2 and above.

  • Workaround: Configure the sites back to SE from AE, before rolling back the network to a previous 11.2 software version to avoid the Staging Failure.

SDW-13696: Before you convert the TRUSTED interface to UNTRUSTED which is used for the DNS proxy, you need to first delete it from the DNS proxy and then modify the interface type. Otherwise, you might see an audit error that says that Only a TRUSTED interface can be used for DNS Proxy.

SDW-14057:In the period between Staging and Activation, the policy names show in reporting and logs might be incorrect or show as Unknown policy.

SDW-14759: If you perform staging on a Citrix SD-WAN appliance with an inbuilt LTE modem before the appliance comes online, then the staging fails.

  • Workaround: Perform staging after the appliance comes online.

SDW-14863: When a custom WAN Optimization Rule with an Order Number greater than 2000 is added, Verify Config throws an error with the following error code as a custom rule attains lower priority than the Default Unclassified Traffic Rule:


  • Workaround: For a custom Wan Optimization Rule, use the Order Number value less than 2000.

SDW-15169: Scheduling Information of the appliance in Change Management Settings might display outdated data when the appliance reconnects to the Orchestrator after a factory reset.

  • Workaround: In the Change Management Settings, select the desired scheduled window and apply the same to the appliance. The appliance gets updated and the data between the appliance and the Citrix SD-WAN Orchestrator service gets synchronized.

SDW-15287: The previously created IPS rules that are global for all Citrix SD-WAN Edge Security sites are not migrated automatically.

  • Workaround: Recreate the IPS settings as part of profile creation and apply them to all Citrix SD-WAN Edge Security sites.

SDW-15522: While creating a site by cloning and deleting the original site leads to an error - Unable to find Site name belonging to Uiid < num >.

SDW-15677: While associating security profiles to a firewall profile, you might see the security profile information doesn’t get persisted. This happens when the security profile name starts with a non-alphabetic character or contains anything except alphanumeric, hyphen, and underscore.

  • Workaround: Rename the security profile to use alpha-numerics, hyphens, and underscores only starting with an alphabet.

SDW-16050: A change in the SSL inspection root Certificate Authority (CA) and the key will not be propagated to the SD-WAN appliance unless another edge security-related setting is also changed. This results in the SSL inspection being performed with the previous root CA.

  • Workaround: Change another setting related to edge security, then stage and activate it. This triggers the download and application of the root CA and key.

SDW-16128: Although the changes made in the SSID profiles are inherited by SSIDs created using these SSID profiles, the changes do not reflect in the SD-WAN Orchestrator GUI.

SDW-16194: AppQoE Realtime statistics were showing data limited to 50 rows only.

SDW-16314: License counts not getting refreshed automatically after allocation of add-on license.

SDW-17038: When a site has a configuration change only related to the Advanced Edition (AE) configuration, the new configuration is not getting pushed to the appliance.

  • Workaround: Make a change in the site level configuration for the impacted site or a global level change for the complete network to detect a change in the configuration and send the latest package to the appliance.

SDW-17047: In real-time statistics, when a customer’s site is deployed in high availability mode then DHCP server/relay data, IGMP data, PPPoE data, and DNS data are incorrect and stale data.

Known issues