Citrix SD-WAN 10.2.7 Release Notes

Introduction

This release note describes what’s new, fixed issues, and known issues applicable to Citrix SD-WAN software release 10.2 version 7 for the SD-WAN Standard Edition, WANOP, Premium Edition appliances, and SD-WAN Center.

For information about the previous release versions, see Citrix SD-WAN.

Note

In appliances shipped from the factory with Citrix SD-WAN release 10.2.7 or higher, LOM is disabled by default. To access LOM, it is recommended to set the LOM password and enable LOM access via the CLI.

What’s New

On-prem SD-WAN Orchestrator identity - You can establish a connection between your Citrix SD-WAN appliance and Citrix SD-WAN On-prem Orchestrator by enabling Orchestrator connectivity and specifying the On-prem SD-WAN Orchestrator identity.

Note: This is to provide appliance connectivity to the Citrix SD-WAN On-prem Orchestrator when available.

Update Password – REST API - From 10.2.6 release onwards, it is mandatory to change the default admin user account password while provisioning any SD-WAN appliance or deploying a new SD-WAN SE VPX. This change is enforced using both CLI and UI. In 10.2.7 release, this change is enforced using the REST API as well.

DHCP support for MCN - You can now configure the DHCP IP address for the MCN WAN interface. Ensure that the WAN link is configured with a public IP address.

Fixed Issues

SDWANHELP-1385: The SD-WAN device serial number information might be lost and reset to Default string due to an issue in BIOS firmware v1.0b on SD-WAN 210 platform.

SDWANHELP-1365: In a High Availability GEO MCN setup with WAN-to-WAN forwarding enabled, an internet service down event might trigger an erroneous scenario wherein routes learned from Secondary GEO MCN take higher precedence than the Primary GEO MCN.

SDWANHELP-1332: In rare cases, the SD-WAN service might crash during NetFlow statistics collection.

SDWANHELP-1314: Interface groups for Citrix SD-WAN 210 and 110 appliances cannot be configured using the REST API through the MCN. The fix adds support for configuring interface groups for the Citrix SD-WAN 210 or 110 site model and BASE submodels through REST APIs.

SDWANHELP-1278: Security vulnerabilities were observed in License Server version 11.16.2 and lower. The vulnerabilities are addressed in License Server version 11.16.3.

SDWANHELP-1267: The MCN displays a blank SD-WAN Center certificate. The blank entry is a false entry and is removed with the latest code changes.

SDWANHELP-1256: During a configuration update in an SD-WAN appliance, when a branch removes all but one Routing Domain, the Network Address Translation (NAT) might fail for Internet traffic.

SDWANHELP-1253: The Citrix SD-WAN appliance might drop internet traffic in multi routing domain configurations.

SDWANHELP-1248: In a few cases, the SD-WAN service might abort while processing Internet Group Management Protocol (IGMP) packets in multi routing domain configurations.

SDWANHELP-1240: Invalid SNMP GET responses are observed for SD-WAN appliances in HA deployment. The SNMP GET response returns the value 0 for Virtual Paths when the appliances are deployed in HA mode.

SDWANHELP-1222: In rare conditions, when connection tracking is enabled on an SD-WAN appliance, a specific combination of IP addresses, packet length, and IP protocol might cause an error in checksum validation. As a result, UDP or TCP packets are incorrectly dropped.

SDWANHELP-1210: When both VRRP and HA are configured, GUI access is interrupted, and loss of connectivity and ping failures are observed. The VRRP instance should not be initiated on the HA standby appliance. The fix blocks VRRP instance initiation on the standby appliance.

SDWANHELP-1203: The SD-WAN appliances crash multiple times after upgrading to version 11.0.3 from version 10.2.3. The crash happens when a branch, configured as an intermediate site between two remote sites, cannot handle the traffic beyond the threshold.

The branch tries to form a dynamic virtual path between the two sites, while the remote sites are connected to it through the dynamic virtual path instead of the static virtual path. The fix ensures that the branch does not act as an intermediate site for two remote sites when it is connected to any of them via a dynamic virtual path.

SDWANHELP-1194: The Citrix SD-WAN appliance loses the remote license upon reboot. The SD-WAN licensing daemon does not check out the licenses from the License Server after it is moved to the grace period, even if the license is present on the server. With this fix, the daemon retries checking out licenses from the License Server.

SDWANHELP-1193: When the MCN is in the factory state while downloading the LCM package without activating the staged software/configuration, the LCM package downloaded is about the same size as the configurations (hundreds of KB).

SDWANHELP-1191: In a few cases, NetFlow/IPFIX collectors (for example, SolarWinds) might report spikes in bandwidth usage due to a corner case code issue.

SDWANHELP-1179: The NITRO API to get flows statistics was returning LAN to WAN as flow direction for all flows irrespective of the correct direction. This issue was observed only with the NITRO API and not on the GUI.

SDWANHELP-1122: The host name of a Citrix SD-WAN WANOP instance can be changed from the GUI and the changed host name is reflected after reboot. On some Citrix SD-WAN WANOP instances, which serve as an arbitrator, the host name is not persistent across reboots.

SDWANHELP-1098: The Citrix SD-WAN Optimization Rules UI crashes after adding or modifying any rule name containing double quotes. This applies to Application Classifiers, Links, Service Classes, and Traffic Shaping Policies rules.

SDWANHELP-1097: At times, while running ICA traffic, the appliance reboots. The issue might happen if the ICA VDA or client sends ICA packets with a format that is not expected by SD-WAN.

SDWANHELP-1051: License server versions lower than 11.16.2 are prone to security vulnerabilities such as denial of service attacks. A denial of service compromises the license server, which in extreme cases may be unable to provide licenses to SD-WAN appliances.

SDWANHELP-760: In rare cases, a possible race condition with the route update engine, when dynamic routing is used, leads to a crash.

NSSDW-22847: The Multi-hop check box in BGP was shown as checked by default in the SD-WAN UI when BGP was enabled. However, the setting was not enabled unless the user disabled and re-enabled it.

Known Issues

SDWANHELP-1299: When a branch establishes a dynamic virtual path with another branch and if WAN-to-WAN forwarding is enabled on the branch, the branch forwards the routes received over the dynamic virtual path to other sites. When the dynamic virtual path goes down, the learned routes are not removed from the other sites.

  • Workaround: Do not enable WAN-to-WAN forwarding or remove dynamic routes.

SDWANHELP-1206: A code bug causes an unnecessary restart of the SNMP daemon when the main configuration update is done. This causes a false appliance reboot trap. The issue is applicable only to SD-WAN 110, SD-WAN 210, SD-WAN 410, SD-WAN 1100, and SD-WAN VPX platforms.

SDWANHELP-641: In rare cases, the Citrix SD-WAN 3000 WANOP GUI session might hang after upgrade.

NSSDW-22847: On enabling BGP, the Multi-hop option for BGP is selected by default in the GUI. However, the setting is not applied unless you disable and re-enable it.

NSSDW-19617: The One touch setup feature allows uploading and installing the license after installing the LCM package. The license operation might terminate when a reboot happens as part of applying the LCM package.

  • Workaround: Upload and install the license from the License Management page after the appliance has rebooted.

SDWANHELP-1238: On Citrix SD-WAN LTE appliances, the HA switchover fails over the LTE link. The LTE interface does not get an IP address when the HA switchover happens.
