Citrix SD-WAN 10.1.1 Release Notes
This release notes describes what’s new, known issues, and fixed issues applicable to Citrix SD-WAN software release 10.1.1 for the SD-WAN Standard Edition, WANOP, and Premium Edition appliances, and SD-WAN Center.
For information about the previous release versions, see the Citrix SD-WAN documentation on docs.citrix.com.
The Citrix SD-WAN release version 10.1.1 introduces the following enhancements:
Microsoft Azure Virtual WAN - Microsoft Azure Virtual WAN and Citrix SD-WAN provide simplified network connectivity and centralized management across hybrid cloud workloads. Microsoft Azure Virtual WAN offers the following benefits:
- Integrated connectivity solutions in hub and spoke deployment.
- Automated setup and configuration.
- Intuitive troubleshooting.
SD-WAN Center dashboard enhancements:
- Uniform time selection mechanism across dashboard widgets.
- MCN connection status on region tiles.
- Searchable drop-down menu, for site selection, in dashboard widgets.
- Import, export, and share custom dashboard.
- Pin reports to custom dashboard.
- Modify report views, pinned to the custom dashboard.
SD-WAN Center IPsec report enhancement - Intranet service type included in IPsec reports. The following intranet service types are reported:
- Microsoft Azure Virtual WAN.
- Citrix SaaS Gateway.
SDWANHELP-485 (SR# 78274277): In release 10 version 2, the application QoS configuration is not displayed in the Monitoring view of the SD-WAN web management interface on a 410-SE appliance.
SDWANHELP-489 (SR# 78293306): The SD-WAN routes are missing and all trusted interfaces become inactive when the SD-WAN service is enabled.]
SDWANHELP-502 (SR# SR78294734): When the Public IP Learning feature is enabled for Internet links, the virtual paths go DOWN during configuration update to release 10 version 1.
SDWANHELP-501 (SR# SR78262688): Unable to export or audit SD-WAN configuration after configuring GRE tunnels on an SD-WAN appliance using release 10.0 version 2.
SDWANHELP-509 (SR# SR78343050): On a 5100-SE platform, staging a previously working configuration fails after an upgrade to the latest release version and the routing information cannot be obtained. SDWANHELP-489 (SR# 78293306): When the SD-WAN service enabled, the SD-WAN routes are missing, and all trusted interfaces become inactive.
SDWANHELP-490: A core dump error occurs when an ICMP echo packet that creates a new firewall connection causes the packet to offload from the IP host thread to the DPI threads.
SR# 78343050: In SD-WAN release 10.0 version 2, an audit error occurs when trying to add default route each pointing to different Zscaler gateways, even if there are gateways for different routing domains.
SDWANHELP-495: In some rare scenarios, the SD-WAN appliance might crash when adding a new WAN link as part of SD-WAN configuration change.
SDWANHELP-521 (SR# 78166623): When dynamic virtual path and path MTU discovery is enabled, the SD-WAN service restarts during dynamic virtual path removal and when path MTU discovery timer is started.
SD-WAN Center – Hyper-V Platform
- NSSDW-10334: Creating new Citrix SD-WAN Center VM in Hyper-V platform takes approximately 50 minutes.
- NSSDW-3996: Unable to integrate SD-WAN plug-in with Citrix Receiver version 4.11. The SD-WAN plug-in is not accessible from Citrix Receiver.
SD-WAN 410 appliance
NSSDW-4475: On a Citrix SD-WAN 410 appliance, after upgrading to release 10 version 1, the Virtual WAN service might be disabled with the following error message, “Disabled by dpdk_daemon due to hardware initialization failure 4 times.”
Workaround: Restart the Citrix SD-WAN 410 appliance and enable SD-WAN service.
Two Box Mode
Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two-box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.
Workaround: Disable and re-enable two-box mode on the SD-WAN WANOP appliance.
SD-WAN 1000 / 2000
NSSDW-13123: When you upgrade SD-WAN 1000 / 2000 appliance from release build version 220.127.116.11 to 9.2.x, a warning is displayed in the browser.
Workaround: Perform the upgrade in an incognito mode window of the Google Chrome browser.
HDX CGP over SSL
NSSDW-6004: HDX ICA/CGP over SSL session’s behavior In SD-WAN Standard Edition:
- HDX sessions are not being negotiated as multi stream sessions even though MSI is enabled on the appliance. MSI+MP policies are set on incoming ICA traffic.
- HDX traffic is classified as belonging to Hyper Text Transfer Protocol Secure (https) application and web family.
- HDX traffic falls under interactive_very_low class. This can cause issues in QoS, bandwidth allocation, as application QoS is not be triggered because the traffic is not classified as HDX sessions.
DPI- ICMP Functionality
NSSDW-12298: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.
Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.
NSSDW-7020: Some SD-WAN appliance licensing models are missing from the Citrix SD-WAN Center GUI when configuring the remote license.
Workaround: Use the Citrix SD-WAN appliance GUI for configuring the license models.
NSSDW-6913: The clear connections/flows clears SD-WAN connection table entries and then all the ICA sessions. The SD-WAN Center dashboard shows incorrect results for HDX TCP and EDT classification sessions and reports it as “Not Classified.”
NSSDW-6755: For HDX configuration, ICA classifier classifies only UDP ICA sessions. The Framehawk ICA sessions are ignored. The SD-WAN DPI fails to classify the Framehawk sessions.
NSSDW-11253: After you upgrade your existing network to SD-WAN 10.X, when you create a new region and associate a site to it, the following Audit error appears:
“One Site must have Appliance Mode set to primary MCN”
Workaround: Create virtual paths manually between the MCN and all the RCNs
- NSSDW-8882: After activating a configuration that changes the mode of a site from ‘Secondary RCN’ to ‘Client’ when the site is demoted, you must perform the Local Change Management process at the demoted site to bring it online after the configuration is activated on the network.
Reconfigure Domain Join
- NSSDW-8562: When upgrading SD-WAN WANOP from SD-WAN software release 10.0 or older to release 10 version 1 or newer, you must reconfigure the Windows domain and delegate user information.
NSSDW-7093: Configuration error occurs when you attempt to override service in a Virtual Path by changing the IP Rule properties.
NSSDW-7012: The Site Name in SD-WAN configuration should be configured with alphanumeric characters between 3-15 characters only. This is due to the host name restrictions in WAN Optimization that is required for domain join operation.
- NSSDW-11690: The Application family added as one of the match types in the Application Object, which is used for Application Routes configuration is not considered for steering.
Custom Application Reporting
- NSSDW-5373: When an existing application name is modified and change management is performed, the new application name may not be listed in the SD-WAN Center under the Top Sites-> Application drop-down menu. If the page is hard refreshed, then the new application name is listed and reported, if traffic matches the application.
WAN GRE Tunnel
- NSSDW-12263: The SD-WAN appliance does not reassemble fragmented GRE tunnel packets properly.
- NSSDW-9413: Dynamic routes are installed with path eligibility, LOCAL service as part of Import filters. In SD-WAN release 10.0, if the path becomes inactive, then all routes are termed as REACHABLE – YES, and ELIGIBLE - NO instead of REACHABLE - NO and ELIGIBLE – NO. These routes, which are ineligible, stay in the remote SD-WAN routing table instead of being purged.
Secure Peering Certificate and Keys
NSSDW-6459: In the SD-WAN GUI, on the Secure Peering Certificate and Keys page, the CA certificate contents are displayed when the private CA radio button is selected after setting the Keystore password on a new appliance.
Workaround: You need to switch between the radio buttons of the ‘Private CA’ and ‘CA Certificate’ once to get the correct contents displayed under ‘Private CA’ and ‘CA Certificate’ for Secure Peering Certificate and Keys.
- NSSDW-9582: When you configure Application QoS rule with match type as “Application” to match ‘icmp’ and change the class to Real-time, and mode to load balance, which overrides the default rule, the multicast traffic, is not processed.