Citrix SD-WAN

Release Notes

This release note describes known issues, and fixed issues applicable to Citrix NetScaler SD-WAN software release 11.0 for the SD-WAN Standard Edition, WANOP, and Premium Edition appliances.

In Citrix SD-WAN release 11.0.0, the underlying OS/kernel for the SD-WAN software is upgraded to a newer version, requiring an automatic reboot to be performed during the upgrade process. As a result, the expected time for upgrading each appliance is increased by approximately 100 seconds. In addition, by including the new OS, the size of the upgrade package transferred to each branch appliance is increased by approximately 90MB.

For information about the previous release versions, see the Citrix SD-WAN documentation.

Fixed Issues

SDWANHELP-590: Citrix SD-WAN Center security enhancements.

SDWANHELP-594: Virtual paths are marked as DEAD for all the sites when corrupted control packet is processed. If the control packet is malformed, it is dropped and paths becomes inactive.

SDWANHELP-600: After a software upgrade from release 9.3.2 to 9.3.5, the post upgrade SNMP System Name shows as the default Virtual WAN, and does not use the device host name.

SDWANHELP-617: Dynamic Virtual Path is not allocated with required bandwidth when the Adaptive Bandwidth Detection feature is enabled on any of the WAN links forming Dynamic Virtual Path.

SDWANHELP-626: Unable to access Citrix SD-WAN Center due to memory outage.

SDWANHELP-649: Excessive Virtual Path packet retransmissions might experience with low-bandwidth utilization, high loss or congestion, and less than 20 ms RTT times.

SDWANHELP-650: Configuration process such as adding, editing, cloning a site, or doing audit, makes the MCN GUI unresponsive.

SDWANHELP-654: SD-WAN WANOP 4000 appliance might be interrupted while parsing ICA connections.

SDWANHELP-666: PPTP or GRE tunnel over internet service fails to get established when internet access for all routing domains feature is enabled.

The SD-WAN appliance is acting as pass-through and not an endpoint.

SDWANHELP-671: The licensing log files consume a large amount of disk space while using remote licensing server.

SDWANHELP-674: On the SD-WAN EE and PE appliance, you need to change the host name for WANOP communication.

SDWANHELP-676: Domain service automatically restarts even when domain service occasionally fails.

SDWANHELP-680: Audit configuration gets failed on deleting Intranet service in a site, if an Intranet service with the same name existed in another site.

SDWANHELP-682: The Site location field is not saved, while creating a site using basic configuration editor.

SDWANHELP-698: The high availability failover does not happen if the LAN port went down, if:

  • A Citrix SD-WAN appliance is deployed in serial high availability (FTW) mode.
  • A LAN port (in FTB) is defined in high availability interfaces for tracking.

SDWANHELP-703: IPsec traffic to Zscaler is impacted when memory usage peaks are observed.

SDWANHELP-712: LTE connected virtual path is reported as DOWN even when the modem is operational on the branch SD-WAN appliance.

SDWANHELP-725: SD-WAN appliance sends the high availability virtual path information to SD-WAN Center. In results, it throws statistics error as it is unable to recognize it.

SDWANHELP-734: The default class name does not get updated after changing it.

SDWANHELP-735: The Active OS partition is completely full alert is observed on the 1100 platform edition configured as PE in 10.2.0 and 10.2.1 releases.

You need to manually restart the 1100 appliance after upgrading to 10.2.2 release.

SDWANHELP-736: SD-WAN service might be interrupted during the configuration change in a two-box deployment mode.

SDWANHELP-742: SD-WAN service might be interrupted during STS bundle collection when the number of Application QoS rules exceeds the IP-based QoS rules.

SDWANHELP-746: While creating two different firewall rules, an audit error might occur if an IP address and a port number are same even if the protocols are different.

SDWANHELP-748: The license does not get applied on multiple sites.

SDWANHELP-754: When you delete the DHCP configuration, the sub objects such as DHCP relays and DHCP option sets still remain as stale entries.

All the child objects need to be deleted when the parent DHCP element is deleted.

SDWANHELP-768: 5100 Premium Edition (PE) virtual WAN service restarts when establishing signaling channel. This occurs due to ephemeral port conflict between multiple WANOP packet engines.

SDWANHELP-795: The path bandwidth test is interrupted, if:

  • The path bandwidth test is run on branches that are isolated from MCN due to the virtual path is down or disabled.
  • The MCN performs branch WAN link property change, when the branches come up.

SDWANHELP-799: The SD-WAN learning OSPF prefixes with cost “AS IS” from neighbor routers and allowing export of these to peer SD-WAN devices. If the redistribution cost is changed externally on the neighbor router (such as, redistributing BGP and RIP into OSPF metric cost change), the newly changed cost is updated only on the immediately connected SD-WAN device but not updated to the peer SD-WAN devices.

SDWANHELP-801: SD-WAN service might be interrupted when processing ICMP packets to its Virtual IP at high rate and configuration update is triggered simultaneously.

SDWANHELP-808: Due to legacy reasons, SD-WAN does not allow few patterns in site configuration. This particular site contains APN in its name. It is misleading only in the SD-WAN GUI and doesn’t affect any operation at the site level.

SDWANHELP-812: Provisioning 10.2.x fails on 1100 Premium Edition (PE) platform as it did not create DBC disk.

SDWANHELP-818: Once dynamic routes have learned and converged, if a configuration update happens that has a cost change performed, post activation the route ID of dynamically learned routes are reset to ‘0’ instead of staying enumerated causing even optimal routes to be deleted in a route update to the neighbor.

SDWANHELP-819: SD-WAN WANOP Premium Edition (PE) unable to establish secure peering properly.

SDWANHELP-830: The CA certificates used for auto-secure peering in SD-WAN WANOP are getting deleted upon upgrade. This impacts formation of secure peering for any new devices added to the deployment. In this case, it is required to regenerate CA certificates, delete certificates, and cert-key pairs from all sites and re-establish auto-secure peering once again after upgrading to 10.2.3.

SDWANHELP-831: Upon power cycling 210 appliances, FTW relay controller might fail to initialize, which can lead to the relay stay in closed state if configured in serial high availability (FTW) mode.

SDWANHELP-846: SD-WAN service might be interrupted when receiving ICMP packets destined to virtual IP in a multi Routing Domain deployment.

SDWANHELP-854: Under rare circumstances, if invalid packets are received, the system might restart. This issue might occur if path encryption was disabled from its default enabled state.

SDWANHELP-866: SD-WAN drops large packets because of LR0/TSO enabled.

SDWANHELP-914: Unable to apply settings when adding a path to schedule bandwidth tests for it.

NSSDW-16165: Subnet added as part of region definition does not get populated in the routes table.

NSSDW-16825: DHCP agent was not able to parse DHCP OFFER packets with extra padding as in the Satellite modem.

NSSDW-17108: Selecting the first autopath group when configuring WAN Link Templates displays as “no group selected.”

NSSDW-18012: At times, the virtual paths go down after the configuration update on PPPoE devices.

NSSDW-19233: The Windows Azure agent is filling up with root partition because of few extensions are getting installed by Azure portal.

Known Issues

NSSDW-17238: VPXL does not show more than 4 interfaces when created in XenServer.

  • Workaround: Set kernel parameter for XenServer as shown below and reboot the XenServer. /opt/xensource/libexec/xen-cmdline –set-xen gnttab_max_frames=256

NSSDW-19132: In HDX MSI sessions, connection state is shown as INVALID for some of the IDLE streams in HDX User Sessions Report under HDX tab.

NSSDW-20154: On reconnecting to the same session, application-related details are not re-sent by XenApplication and XenDesktop server. Hence, data in the HDX Apps report might not be shown for that particular session.

NSSDW-20371: When Centralized Licensing is enabled, downgrade to older releases throws an error - ERROR: Failed to parse license models.

  • Workaround: Disable the centralized licensing and proceed with the downgrade. The appliances get a grace license. After the downgrade is complete, you can re-enable centralized licensing and apply the config through the Change management.

NSSDW-20500: On 5100 PE, when domain join operation is initiated for the first time, you might see a warning message stating that WANOP is initializing.

  • Workaround: Re-join to domain after two mins.

NSSDW-20527: UI allows configuring PPPoE for LTE interface, which is not expected or allowed.

NSSDW-27727: Networks with VPX and VPXL instance using the IXGBEVF driver, used for certain Intel 10GB NICs when SR-IOV is enabled, must not be upgraded to 11.0. This might result in a loss of connectivity. This issue is known to impact AWS instances with SR-IOV enabled.


  • HDX User-based reporting is shown only from XenApp and XenDesktop server version 7.17 onwards.

  • Published applications in an HDX session are reported to be closed that is, application termination time is shown in HDX Apps report only if SD-WAN receives Application Termination Time from Xen Application/Xen Desktop Server.

    Some of the apps are reported to be active even if closed in case of the app termination time is not received.

  • In case of any unintended errors because of which HDX session information is unavailable on the appliance, HDX user-based reporting is not shown even if the HDX User Reporting is enabled in config editor.

    Sometimes, few fields such as user name, server name, server version, ICA RTT in the reports is shown as NA.

Release Notes