Release Notes

This release note describes known issues, and fixed issues applicable to Citrix SD-WAN software release 10 version 1 for the SD-WAN Standard Edition, WANOP, and Premium Edition appliances.

For information about the previous release versions, see the SD-WAN documentation.

Fixed Issues


Issue ID 709418: If a new site that has a WAN link with public IP address learning enabled is added to the network, after configuration change, it is possible that a WAN path on the network goes to a DEAD state.

Issue ID 707003: In NetScaler SD-WAN release 9.3 version 3, STS generation in peak traffic or load can lead to memory issues causing the STS generation process incomplete.

Issue ID 709309: In NetScaler SD-WAN release 9.3 version 4, packets drop when packets are received on an untrusted link with a source MAC address, which is different from the link gateway MAC address.

Issue ID 706721: The SD-WAN GUI session stops working when you try to navigate to the configuration tab, if multiple tech-support files remain in the two-box (Virtual WAN, WANOP) solution.

Issue ID 705855: After configuration activation, the SD-WAN service might crash when traffic flow moves from one WAN service to another WAN service for which NAT’ing is enabled.

Application QOS Rule Index:

Issue ID 707561: In NetScaler SD-WAN release 9.3 version 3, the SD-WAN service restarts unexpectedly, when switching from static virtual paths to dynamic virtual paths due to memory issues because of incorrect application QOS rule index.

SD-WAN Service:

Issue ID 703119: In NetScaler SD-WAN release 9.3 version 2, the SD-WAN service restarts on a 410-SE appliance edition because of high rate of packet bursts. In some cases, the appliance might go into a hung state.

Issue ID 709077: In Citrix SD-WAN release 10.0 version 1, the WAN Link usage report shows multiple Internet Services view instead of one when multiple routing domains are configured.

Issue ID 709392: In NetScaler SD-WAN release 9.3 version 4, the SD-WAN service restarts when the Internet Service transfers from Primary/Secondary mode to balanced mode with internet access to all routing domains configured in the WAN link access interface.

DHCP Server:

Issue ID 709403: In Citrix SD-WAN release 10.0 version 1, the DHCP server cannot allocate IP address in the configured subnet, if a new site is created and the DHCP server is configured before the Audit Now button is clicked.

WANOP Plug-in:

Issue ID 709125: In NetScaler SD-WAN WAN OP release 9.3 version 4, passive FTP connectivity issue is encountered when using the WAN OP plug-in on Windows platform.

STS Packet Capture:

Issue ID 708889: In Citrix SD-WAN release 10.0 version 1, on the 4100 or 5100 platform editions, STS packet capture does not contain any data when collected for the first time with only 5 seconds on the data interface.

ESP Protocol:

Issue ID 705654: In NetScaler SD-WAN WANOP release 9.3 version 3, on the SD-WAN 4000 or 5000 platform editions, the WANOP module drops the ESP protocol packets when it is configured with return to Ethernet sender.

Ether IP Protocol:

Issue ID 702652: In NetScaler SD-WAN WANOP release 9.3 version 3, on the SD-WAN 4000 or 5000 platform editions, the WANOP module drops the Ether IP protocol packets when it is configured with return to Ethernet sender.

Change Management process:

Issue ID 706577: During the change management staging process on an SD-WAN 1000 appliance, a branch node might remain in the unpacking phase for a long duration.

SD-WAN Configuration:

IssueID 713545: In NetScaler SD-WAN release 10.0 version 2, when dynamic virtual path is disabled and enabled within a short period followed by configuration or registry update, the SD-WAN service restarts.

Issue ID 712630: An audit error occurs when you modify the QOS class configuration with the Reverse Also option in NetScaler SD-WAN release 10 version 2.

Issue ID 712187: In NetScaler SD-WAN release 9.3 version 5, route update or resync for a virtual path UP event could be affected when processing existing virtual path DOWN event causing the routes to be removed from route neighbors and not reinserted.

Issue ID 712093: In NetScaler SD-WAN release 10.0 version 2, the License event alert is generated even when the configured WAN link rate is less than twice the licensed bandwidth due to licensed bandwidth misinterpreted as 1Mbps instead of 1Gbps.

Issue ID 709212: A “Backup file parsing failed” error is encountered when a SD-WAN WAN OP appliance configuration running with release 10.0.x is restored after a backup.

Issue ID 709079: In Citrix SD-WAN release 10.0 version 1, the SD-WAN Center application notification configuration settings such as; Virtual Path, Dynamic Virtual Path, Appliance, License, and Events are not applied to the SD-WAN appliances in the network.

Issue ID 709149: In Citrix SD-WAN release 10 version 1, session based HTTP POST notification on the SD-WAN appliance and SD-WAN Center is added.

Issue ID 699237: In Citrix SD-WAN release 10 version 1, you can configure secondary DHCP relay server when you have DHCP servers configured for an active high availability network.

Issue ID 700287: In NetScaler SD-WAN 9.3.2, the DHCP IP assignment on an internet link fails because DHCP packets drop when the appliance receives multiple lease time option in the packet.

WAN-to-WAN Forwarding:

Issue ID 710635: In Citrix SD-WAN release 10.0 version 1, packets matching the same header (source/destination IP/port) processed simultaneously through the firewall can cause the system to restart, if WAN-to-WAN forwarding is disabled and an external router is used to forward branch-to-branch traffic.

Site Cloning:

Issue ID 709572: In Citrix SD-WAN release 10.0 version 1, you do not have to change the access interface IP address when cloning a site, if it is a private Virtual IP address, and public IP address is configured for that WAN link.

Relearn Routes:

Issue ID 710493: In Citrix SD-WAN **release 10.0 version 1, when WAN gateway is unavailable and becomes available in a fraction of second, the routes are not relearned. Restart the SD-WAN service at the Branch to relearn routes.

OSPF Configuration:

Issue ID 710960: When configuring OSPF, the OSPF areas configuration in the SD-WAN GUI does not show the routing domain drop-down option. Therefore, areas for multiple routing domains cannot be created. The BGP configuration works fine showing the routing domains by listing the VNI’s to choose for enabling the dynamic routing participating interface.

TCP connections:

Issue ID 709163: In Citrix SD-WAN, release versions 10.0.0 and 10.0.1, the TCP connections are not established, if WANOP redirection is enabled in the multi routing domain environment on an Premium Edition appliance, which has SD-WAN release 9.1 version 2 factory, shipped base image.

SD-WAN WANOP 4000/4100/5000/5100 Appliances:

Issue ID 681372, 0709820: Citrix SD-WAN becomes unresponsive while sending traffic that hits a forwarding session.

Issue ID 0710023: Citrix SD-WAN becomes unresponsive while processing GRE fragmented packet.

Known Issues

SD-WAN Center – Hyper-V Platform:

Issue ID 710262: Creating Citrix SD-WAN Center VM in Hyper-V platform takes approximately 50 minutes.

SD-WAN Plug-in:

Issue ID 710557: Unable to integrate SD-WAN plug-in with Citrix Receiver version 4.11. The SD-WAN plug-in is not accessible from Citrix Receiver.

SD-WAN 410 appliance:

Issue ID 710435: On a Citrix SD-WAN 410 appliance, after upgrading to release 10 version 1, the Virtual WAN service might be disabled with the following error message, “Disabled by dpdk_daemon due to hardware initialization failure 4 times.”

Workaround: Restart the Citrix SD-WAN 410 appliance and enable Virtual WAN service.

Two Box Mode:

Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.

Workaround: Disable and re-enable two-box mode on the SD-WAN WANOP appliance.

SD-WAN 1000 / 2000:

Issue ID 681663: When you upgrade SD-WAN 1000 / 2000 appliance from release build version to 9.2.x, a warning is displayed in the browser.

Workaround: Perform the upgrade in an incognito mode window of the Google Chrome browser.


Issue ID 690794: HDX ICA/CGP over SSL session’s behavior In Virtual WAN Standard Edition:

HDX sessions are not being negotiated as multi stream sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic. HDX traffic is classified as belonging to HTTP Secure (https) application and web family. HDX traffic falls under interactive_very_low class. This can cause issues in QoS, bandwidth allocation, and so on, as application Quality of Service will not be triggered because the traffic is not classified as HDX sessions. Configuration

Multi-region deployment:

Issue ID 0713683: After you upgrade your existing network to SD-WAN 10.X, and try to create a region and associate a site to it, the following Audit error appears: “One Site must have Appliance Mode set to primary MCN”

Workaround: Create virtual paths manually between the MCN and all the RCNs.


Issue ID 702889: After activating a configuration that changes the mode of a site from ‘Secondary RCN’ to ‘Client’ when the site was demoted, you need to perform the Local Change Management process at the demoted site to bring it online after the configuration is activated on the network.

Reconfigure Domain Join:

Issue ID 713183: When upgrading SD-WAN WANOP from SD-WAN software release 10.0 or older to release 10 version 1 or newer, you need to reconfigure the Windows domain and delegate user information.

Virtual WAN Configuration:

Issue ID 704926: Configuration error occurs when you attempt to override service in a Virtual Path by changing the IP Rule properties.

Issue ID 704160: The Site Name in Virtual WAN configuration should be configured with alpha numeric characters between 3-15 characters only. This is due to the hostname restrictions in WAN Optimization which is required for domain join operation.

Application Steering:

Issue ID 699285: The Application family added as one of the match types in the Application Object which is used for Application Routes configuration is not considered for steering.

Custom Application Reporting:

Issue ID 703794: If an existing application name is changed and change management is performed, the new application name might not be listed in the SD-WAN Center under the Top Sites-> Application drop-down menu. When the page is hard refreshed, then the new application name gets listed and reported, when traffic matches the application.

WAN GRE Tunnel:

Issue ID 681171: A NetScaler SD-WAN appliance does not reassemble fragmented GRE tunnel packets properly.

Transparent proxy support for TLS 1.2:

Issue ID 691900: In NetScaler SD-WAN WANOP 9.3.0, for SSL compression the SSL profile has to be configured in split mode only as transparent proxy mode is not supported.

Change Management (Single Step Upgrade) SD-WAN GUI:

Issue ID 691571: On low-end platform editions, such as the SD-WAN 400, 100, 2000, or VPX appliances by using 4 GB or smaller memory assigned, if concurrent local change management package downloads are initiated the appliance runs out of memory and becomes unresponsive.

Workaround: Download local change management package one at a time, this reduces the load on the appliance.

Issue ID 691953: During software upgrade on an appliance using a Standard Edition license, a WAN optimization related warning message appears. After the scheduled upgrade and after the WAN optimization, SVM and XenServer hotfixes are installed the warning message is cleared.

Workaround: Clear the warning messages manually or open the SD-WAN web UI in an incognito browser window.

Issue ID 705037: In the new Global Multi-Region Summary table, the “Total Sites” value appeared is less than the sum of the remaining columns. For example, if a branch node is not connected, it is possible that the branch is counted twice; once as “Not Connected” and once as “Preparing/Staging.”

Secure Peering Certificate and Keys:

Issue ID 695363: In the SD-WAN GUI, on the Secure Peering Certificate and Keys page, the CA certificate contents are displayed if the private CA radio button is selected after setting the Keystore password on a new appliance.

Workaround: You need to switch between the radio buttons of the ‘Private CA’ and ‘CA Certificate’ once to get the correct contents displayed under ‘Private CA’ and ‘CA Certificate’ for Secure Peering Certificate and Keys.

Multicast Traffic:

Issue ID 694894: When you configure Application Quality of Service rule with match type as “Application” to match ‘icmp’ and change the class to Real-time, and mode to load balance which overrides the default rule, the multicast traffic is not processed.


Issue ID 704561: Unable to make the routing domain as default for a site after disabling it.


  1. Disable site routing domain (all).
  2. Enable routing domain for the site without making it default. Select Apply.
  3. Make the enabled routing domain for the site as default. Select Apply.

Issue ID 705255: Dynamic routes can be installed by using path eligibility, LOCAL service as part of Import filters. In NetScaler SD-WAN 10.0, if the path becomes inactive, then all routes are termed as REACHABLE – YES, and ELIGIBLE - NO instead of REACHABLE - NO and ELIGIBLE – NO. These routes which are ineligible will stay in the remote SD-WAN routing table instead of being purged.

DPI Functionality:

Issue ID 677356: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.

Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.

DPI –Traffic for Top App Family as “Standard” and Top App as “Unknown Virtual protocol” for a Standard Edition appliance

Issue IDs 678373, 678339, 678545, 675063, 676017: On a NetScaler SD-WAN Standard Edition appliance, enable EDT policy for MSI+MP for Win7 and Win2K12 XenDesktop 7.12 VDAs on ports 2598, 2599, 2600, 2601 and then disable Session Reliability policy for Win7 VDA.

Workaround: Start sending internet traffic and check the monitoring flows in the Standard-Edition web management interface for Classes, Rule groups – ICAUDP and ICACGPUDP, and Firewall. Check the Dashboard and Reporting page in SD-WAN Center web management interface. The results display Top Application Family as Standard and Top Applications as Unknown Virtual Protocol.

SD-WAN Center:

Issue ID 713288: Some SD-WAN appliance licensing models are missing from the Citrix SD-WAN center GUI when configuring the remote license.

Workaround: Use the Citrix SD-WAN appliance GUI for configuring the license models.

Issue ID 693436: The clear connections/flows clear SD WAN connection table entries and all the later ICA sessions. The SD-WAN Center dashboard shows incorrect results for HDX TCP and EDT classification sessions and reports it as “Not Classified.”

Issue ID 693026: For HDX configuration, only UDP ICA sessions are classified by ICA classifier. The Framehawk ICA session is ignored. The SD-WAN DPI fails to classify the Framehawk sessions.

Release Notes