Citrix SD-WAN 10.1.2 Release Notes
This release note describes what’s new, known issues, and fixed issues applicable to Citrix SD-WAN software release 10.1 version 2 for the SD-WAN Standard Edition, WANOP, and Premium Edition appliances, and SD-WAN Center.
For information about the previous release versions, see the Citrix SD-WAN documentation on docs.citrix.com.
Release 10.1 version 2 introduces the following enhancements:
The new Citrix SD-WAN 1100 standard and premium edition appliance is introduced.
SDWANHELP-512 (SR#: 78314443): In Citrix SD-WAN, release 10.0 version 4, upon main registry updates such as, adding, deleting, or renaming WAN link, there is a downtime of 15 seconds to 40 seconds for the virtual path routing protocol to converge between SD-WAN deployed sites.
SDWANHELP-537 (SR# 78411542): In release 10.0 version 4, emails alerts are not reported in the SD-WAN Center for WAN link status.
SDWANHELP-543 (SR# 78246343): During high availability switchover with multiple routing domains, routes are not synchronized properly in the routing tables.
SDWANHELP-549: In release 10.0 version 2, before the main software configuration update, the routes set with path eligibility remain in path state after main registry update without associating the current active path state causing routing issues.
SDWANHELP-550: In release 10.0 version 4, the Ping output for user-initiated ping displays responses for auto-generated pings.
SDWANHELP-553 (SR# 78428386): In release 10.0 version 3, the active appliance transmits only the most optimal OSPF routes for deletion or addition causing active and standby route tables to differ.
SDWANHELP-560 (SR# 78416143): The Ethernet and LTE paths configured on an SD-WAN 210-SE appliance become inactive, and the SD-WAN service stops.
SDWANHELP-566 (SR# 78409673): In release 10.0 version 4, relayed DHCP packets are redirected or not transmitted, if packets from DHCP relay servers send packets using the client DHCP source port. This may occur even when not using the broadcast IP address.
SD-WAN Center – Hyper-V platform
- NSSDW-10334: Creating Citrix SD-WAN Center VM in Hyper-V platform takes approximately 50 minutes.
- NSSDW-3996: Unable to integrate SD-WAN plug-in with Citrix Receiver version 4.11. The SD-WAN plug-in is not accessible from Citrix Receiver.
SD-WAN 410 appliance
NSSDW-4475: On a Citrix SD-WAN 410 appliance, after upgrading to release 10 version 1, the Virtual WAN service might be disabled with the following error message, “Disabled by dpdk_daemon due to hardware initialization failure 4 times.”
Workaround: Restart the Citrix SD-WAN 410 appliance and enable SD-WAN service.
Two box mode
Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two-box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.
Workaround: Disable and re-enable two-box mode on the SD-WAN WANOP appliance.
SD-WAN 1000 / 2000
NSSDW-13123: When you upgrade SD-WAN 1000 / 2000 appliance from release build version 184.108.40.206 to 9.2.x, a warning is displayed in the browser.
Workaround: Perform the upgrade in an incognito mode window of the Google Chrome browser.
HDX CGP over SSL
NSSDW-6004: HDX ICA/CGP over SSL session’s behavior In SD-WAN Standard Edition:
- HDX sessions are not being negotiated as multi stream sessions even though MSI is enabled on the appliance. MSI+MP policies are set on incoming ICA traffic.
- HDX traffic is classified as belonging to Hyper Text Transfer Protocol Secure (https) application and web family.
- HDX traffic falls under interactive_very_low class. This can cause issues in QoS, bandwidth allocation, as application QoS is not be triggered because the traffic is not classified as HDX sessions.
NSSDW-12298: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.
Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.
NSSDW-7020: Some SD-WAN appliance licensing models are missing from the Citrix SD-WAN Center GUI when configuring the remote license.
Workaround: Use the Citrix SD-WAN appliance GUI for configuring the license models.
NSSDW-6913: The clear connections/flows clears SD-WAN connection table entries and then all the ICA sessions. The SD-WAN Center dashboard shows incorrect results for HDX TCP and EDT classification sessions and reports it as “Not Classified.”
NSSDW-6755: For HDX configuration, ICA classifier classifies only UDP ICA sessions. The Framehawk ICA sessions are ignored. The SD-WAN DPI fails to classify the Framehawk sessions.
NSSDW-11253: After you upgrade your existing network to SD-WAN 10.X, when you create a region and associate a site to it, the following Audit error appears:
“One Site must have Appliance Mode set to primary MCN”
Workaround: Create virtual paths manually between the MCN and all the RCNs
- NSSDW-8882: After activating a configuration that changes the mode of a site from ‘Secondary RCN’ to ‘Client’ when the site is demoted, you must perform the Local Change Management process at the demoted site to bring it online after the configuration is activated on the network.
Reconfigure domain join
- NSSDW-8562: When upgrading SD-WAN WANOP from SD-WAN software release 10.0 or older to release 10 version 1 or newer, you must reconfigure the Windows domain and delegate user information.
NSSDW-7093: Configuration error occurs when you attempt to override service in a Virtual Path by changing the IP Rule properties.
NSSDW-7012: The Site Name in SD-WAN configuration should be configured with alphanumeric characters between 3-15 characters only. This is due to the host name restrictions in WAN Optimization that is required for domain join operation.
- NSSDW-11690: The Application family added as one of the match types in the Application Object, which is used for Application Routes configuration is not considered for steering.
Custom application reporting
- NSSDW-5373: When an existing application name is modified and change management is performed, the new application name may not be listed in the SD-WAN Center under the Top Sites-> Application drop-down menu. If the page is hard refreshed, then the new application name is listed and reported, if traffic matches the application.
WAN GRE tunnel
- NSSDW-12263: The SD-WAN appliance does not reassemble fragmented GRE tunnel packets properly.
- NSSDW-9413: Dynamic routes are installed with path eligibility, LOCAL service as part of Import filters. In SD-WAN release 10.0, if the path becomes inactive, then all routes are termed as REACHABLE – YES, and ELIGIBLE - NO instead of REACHABLE - NO and ELIGIBLE – NO. These routes, which are ineligible, stay in the remote SD-WAN routing table instead of being purged.
Secure peering certificate and keys
NSSDW-6459: In the SD-WAN GUI, on the Secure Peering Certificate and Keys page, the CA certificate contents are displayed when the private CA radio button is selected after setting the Keystore password on a new appliance.
Workaround: You need to switch between the radio buttons of the ‘Private CA’ and ‘CA Certificate’ once to get the correct contents displayed under ‘Private CA’ and ‘CA Certificate’ for Secure Peering Certificate and Keys.
- NSSDW-9582: When you configure Application QoS rule with match type as “Application” to match ‘icmp’ and change the class to Real-time, and mode to load balance, which overrides the default rule, the multicast traffic, is not processed.