Citrix SD-WAN

Citrix SD-WAN 11.0.2 Release Notes

Introduction

This release note describes what’s new, fixed issues, and known issues applicable to Citrix SD-WAN software release 11.0 version 2 for the SD-WAN Standard Edition, WANOP, Premium Edition appliances, and SD-WAN Center.

For information about the previous release versions, see the Citrix SD-WAN documentation.

What’s New

Palo Alto Integration on 1100 Platform

Palo Alto Networks next-generation firewall VM-Series (VM 50 and VM 100) hosted on the SD-WAN 1100 platform is supported.

User Accounts – Network Admin

A new user account privilege level, Network Admin is introduced. Network administrator has read-write access to the network settings only.

Routing Domain

The following routing domain use cases are supported:

  • Allow routing domains to transit a site, but have no exit point at the site.
  • Allow a routing domain to exist with no routable IP.

Domain Name Based Application Classification

The DPI classification engine is enhanced to classify applications based on the domain name and patterns. The classified domain name based applications are used in configuring the following:

  • DNS Proxy
  • DNS Transparent forwarder
  • Application objects
  • Application Routes
  • Firewall policy
  • Application QoS Rules
  • Application QoE

Certificate Authentication

Certificate based authentication is introduced in Citrix SD-WAN 11.0.2. It allows organizations to use certificates issued by their private Certificate Authority to authenticate appliances before establishing the virtual paths between sites.

Fixed Issues

SDWANHELP-779: SD-WAN package upgrade traffic is slow and does not handle Out of Order packets in the network optimally.

SDWANHELP-896: In some deployments with Dynamic Virtual Paths or short Security Association (SA) lifetimes where SAs are being created and destroyed frequently, a service interrupting error might occur.

SDWANHELP-899: A possible race condition is addressed in rule configuration update which might sometimes cause data path interruption.

SDWANHELP-901: If the system has high availability and got lot of virtual path then you might miss syncing the routes to the peers, whenever lot of route update events are available from the other peers.

SDWANHELP-919: Under heavy load and a high arrival rate of Time-to-live (TTL) expiry packets, the service might crash if a filter is applied under Monitoring > > Flows. This would cause a High Availability (HA) switchover in HA deployment.

SDWANHELP-934: We send out the Address Resolution Protocol (ARP) request (which must not be sent out) if:

  • The Virtual Router Redundancy Protocol (VRRP) instance is in disabled state.
  • The Address Resolution Protocol (ARP) request of Gratuitous ARP (GARP) received from the peer router.

This issue occurs when the VRRP is configured and the instance is disabled.

SDWANHELP-945: In Configuration Editor, if you click Audit for the BGP section takes you to the OSPF section even when OSPF is not configured.

SDWANHELP-947: Usage reported for a metered link is abnormally high.

SDWANHELP-950: Scalar OIDs exposed in the MIB are not returning the valid response.

SDWANHELP-978: LTE modem can go missing upon rebooting the SD-WAN 210 appliances. This is an intermittent issue where a power cycle must bring the modem back up online.

SDWANHELP-981: Automated Azure Virtual WAN deployment via SD-WAN Center was unable to download and apply VPN configuration and associated routes.

SDWANHELP-999: Unable to delete license files that have more than one ‘.’ in the file name.

SDWANHELP-1004: The Intranet/Internet services do not get the allocated bandwidth share in WAN to LAN direction, when Static VP, DVP, Intranet/Internet service is enabled on the WAN link.

SDWANHELP-1009: In rare conditions, some intranet or LAN IPsec packets may be transmitted with invalid destination MAC addresses, causing the packets to be lost or dropped in the network.

NSSDW-17552: If the appliance was rebooted either triggered by the user or on a software upgrade, the Change Management occasionally would freeze at preparing packages preventing the user from performing subsequent configuration updates.

NSSDW-17238: Build root VPXL does not show more than 4 interfaces when created in XenServer.

Known Issues

NSSDW-21802: In a two-box deployment, if the two-box mode is disabled in WANOP and a change management is performed on Virtual WAN, on re-enabling the two box mode on WANOP, the WCCP cache IP’s are not populated intermittently.

Workaround: Disable and re-enable two-box mode from the WANOP GUI.

NSSDW-21808: The provisioned appliance information on SD-WAN Center is cleared before the actual de-provision operation is completed on the SD-WAN appliance.

Workaround: In the SD-WAN Center GUI, navigate to Configuration > Hosted Firewall > Hosted Firewall Sites > Provision, select the de-provisioned failed site(s) and initiate provision to restore the site information.

NSSDW-21806: For a PPPoE interface group, on configuring the AC Name, Service Name and Username in uppercase, the entries change to lower case. This could cause problem in IP learning from the Access Concentrator (ISP).

Workaround: Either do not configure any value for AC Name and Service Name or use lowercase.

NSSDW-21873: Custom Applications are not reported in SD-WAN Center.

Workaround: Add the custom applications to an application object and enable reporting on the application object.

NSSDW-20371: The error message “Failed to parse license models” appears when downgrading to Citrix SD-WAN 10.2.3 or older versions, with centralized licensing enabled and license rate set to auto.

Workaround: Downgrade to Citrix SD-WAN 10.2.4.

NSSDW-27727: Networks with VPX and VPXL instance using the IXGBEVF driver, used for certain Intel 10GB NICs when SR-IOV is enabled, must not be upgraded to 11.0.2. This might result in a loss of connectivity. This issue is known to impact AWS instances with SR-IOV enabled.

Citrix SD-WAN 11.0.2 Release Notes