Citrix SD-WAN

Release Notes

These release notes describe the known issues and fixed issues applicable to Citrix SD-WAN software release 10.2 version 3 for the SD-WAN Standard Edition, WANOP, and Premium Edition appliances, and SD-WAN Center.

For information about the previous release versions, see the Citrix SD-WAN documentation.

What’s new

NSSDW-2011: New 6100 platform introduced to replace the 5100 hardware. The SD-WAN 6100 Standard Edition (SE) is a 2U appliance. Each model has two 14-core processors for a total of 28 physical cores (with hyper-threading enabled), and 256 GB of memory.

NSSDW-17381: Support IP directed broadcast capability on SD-WAN appliances. The goal of the IP directed broadcast feature is to reach the target subnet with broadcast packets without broadcasting to the entire network.

NSSDW-17785: Enable RED for ICA traffic by default. Since application QoS rules take precedence over the IP QoS rules, the HDX Fair Sharing feature has been off by default. Turn RED back on to ensure that no single HDX user consumes more than a fair share of the available network bandwidth when there is congestion.

NSSDW-18707: 100 Mbps SFP and E1T1 SFP are now supported on the 1100 platform.

Fixed issues

SDWANHELP-654 (78620706): SD-WAN WANOP 4000 appliance might crash while parsing ICA connections.

SDWANHELP-725 (78779804): The SD-WAN appliance sends HA virtual path information to SD-WAN Center, which throws a statistics error because it is unable to recognize that information.

SDWANHELP-742 (78825507): SD-WAN service might crash during STS bundle collection when the number of Application QoS rules exceeds the IP based QoS rules.

SDWANHELP-746 (78827291): While creating two different firewall rules, an audit error might occur if the IP address and port number are the same, even if the protocols are different.

SDWANHELP-768 (78860524): 5100 Premium Edition (PE) Virtual WAN Service restarts when establishing the signaling channel. This occurs due to an ephemeral port conflict between multiple WANOP packet engines.

SDWANHELP-778 (78876692): The SD-WAN service might crash in certain scenarios when the intermediate site is enabled in the configuration.

SDWANHELP-795 (78859346): The path bandwidth test crashes if:

  • The path bandwidth test is run on branches that are isolated from the MCN because the virtual path is down/disabled.
  • The MCN performs a branch WAN link property change when the branches come up.

SDWANHELP-799 (78893894): SD-WAN learns OSPF prefixes with cost “AS IS” from neighbor routers and allows export of these to peer SD-WAN devices. If the redistribution cost is changed externally on the neighbor router (for example, a metric cost change when redistributing BGP/RIP into OSPF), the newly changed cost is updated only on the immediately connected SD-WAN device and not on the peer SD-WAN devices.

SDWANHELP-801 (78899126, 78938744): SD-WAN service might crash when processing ICMP packets to its Virtual IP at a high rate while a configuration update is triggered simultaneously.

SDWANHELP-808 (78866821): Due to legacy reasons, SD-WAN does not allow a few patterns in site configuration. This particular site contains APN in its name. It is misleading only in the SD-WAN GUI and doesn’t affect any operation at the site level.

SDWANHELP-812 (78862423, 78937011): Provisioning 10.2.x fails on the 1100 PE platform because it did not create the DBC disk.

SDWANHELP-818: Once dynamic routes have been learned and converged, if a configuration update that includes a cost change happens, the route IDs of dynamically learned routes are reset to ‘0’ after activation instead of staying enumerated, causing even optimal routes to be deleted in a route update to the neighbor.

SDWANHELP-830: The CA certificates used for auto-secure peering in SD-WAN WANOP are deleted upon upgrade. This impacts the formation of secure peering for any new devices added to the deployment. In this case, you must regenerate the CA certificates, delete certificates and cert-key pairs from all sites, and re-establish auto-secure peering after upgrading to 10.2.3.

SDWANHELP-846 (78958288): SD-WAN service might crash when receiving ICMP packets destined to virtual IP in a multi Routing Domain deployment.

NSSDW-19233: The Windows Azure agent is filling up the root partition because a few extensions are getting installed by the Azure portal.

NSSDW-17168: In Azure HA mode deployment, when a remote appliance is behind NAT (in LTE scenarios), it is observed that remote source port learning is not happening and the virtual path is not getting established.

NSSDW-18617 (78807883): Network route configuration is supported to steer traffic to the Zscaler service. Earlier, Zscaler SD-WAN integration allowed only application routes to steer internet traffic to the Zscaler endpoints. Application routes have higher precedence than network routes. In this case, some virtual path traffic was redirected over the internet. Supporting network routes for redirecting Zscaler traffic makes sure that no virtual path traffic is sent to the internet.

Known issues

SDWANHELP-786 (78714443): On a branch site (CGNAT/Public IP Address translation enabled) communicating with MCN, if UDP hole punching is enabled after the initial configuration push, the configuration will not get updated until the service is restarted. As a result, the MCN will not update the port details to other branches. This causes the paths to be in “dead” state.

  • Workaround: Restart the MCN.

  • Recommendation: If the branches get NAT’ed, it is best to enable UDP hole punching as part of the initial configuration to activate direct virtual paths between the two branches.

NSSDW-20101: Problem with IP_Host service type in export filters: once dynamic routes have been learned and converged, if a configuration update that includes a cost change happens, the route IDs of dynamically learned routes are reset to ‘0’ after activation instead of staying enumerated, causing even optimal routes to be deleted in a route update to the neighbor.

  • Workaround: A temporary workaround would be to stop learning and propagating /32 routes from DC back to branch.

  • Recommendation: If you are using IP_Host service type in export filters, do not upgrade to 10.2.x. The issue will be fixed in a future release.
