Citrix SD-WAN

Release Notes for Citrix SD-WAN 11.4.0a Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix SD-WAN release 11.4.0a.

Note

  • For a list of security related advisories, see the Citrix security bulletin.
  • Citrix SD-WAN 11.4.0a release addresses the security vulnerabilities described in https://support.citrix.com/article/CTX319135 and replaces release 11.4.0. In addition to the enhancements and bug fixes that were available in release 11.4.0, release 11.4.0a contains the following bug fixes - SDWANHELP-2106, SDWANHELP-2078, SDWANHELP-2066, NSSDW-35630, NSSDW-35596, and NSSDW-34670.
  • The Citrix SD-WAN 11.4.0 release is the last main line release that fully supports Citrix SD-WAN Center and SD-WAN Configuration Editor. Both Citrix SD-WAN Center and SD-WAN Configuration Editor are deprecated. Note that deprecation is an advanced notice of products/features being phased out, but are available today and fully supported. In the next Citrix SD-WAN release family, Citrix SD-WAN Center and SD-WAN Configuration Editor will be deleted and not supported. In their place, Citrix recommends that you use Citrix SD-WAN Orchestrator for all your configuration requirement. Citrix SD-WAN Orchestrator supports all configurations that are currently done through Citrix SD-WAN Center and SD-WAN Configuration Editor. For more details, see Citrix SD-WAN Orchestrator service and SD-WAN Orchestrator for On-premises.

What’s New

The enhancements and changes that are available in release 11.4.0a.

Configuration and Management

NITRO Rest APIs for static IP address for WAN ports in fallback configuration

From Citrix SD-WAN 11.4.0 release onwards, you can configure static IP addresses for WAN port in fallback configuration using NITRO REST APIs. New parameters are added in the existing fallback configuration API.

[ NSSDW-33255 ]

Citrix SD-WAN New UI enhancements

The Citrix SD-WAN New UI includes the following enhancements:

  • The look and feel of the Citrix SD-WAN New UI is changed to reflect the new color and font as per Citrix rebranding.

  • The New UI is enabled, by default, on all the Citrix SD-WAN appliances that are configured as clients.

    Note

    Provisioning the Citrix SD-WAN appliances as an MCN redirects you to the legacy UI.

  • You can view the LACP LAG interface details.

  • DNS Proxy Statistics monitoring

  • SLAAC WAN links monitoring

[ NSSDW-30842, NSSDW-28818, NSSDW-32030 ]

SNMP

The following SNMP MIBs are added:

  • Appliance Statistics
    • The percentage of CPU utilized for the Appliance
    • The percentage of RAM utilized for the Appliance
  • WAN Link Statistics table
    • The Max LAN To WAN Physical Rate in Kbps for the WAN Link
    • The Max WAN To LAN Physical Rate in Kbps for the WAN Link
    • The LAN To WAN Allowed Rate in Kbps for the WAN Link
    • The WAN To LAN Allowed Rate in Kbps for the WAN Link

[ NSSDW-30592 ]

In-band management

In-band Management supports High Availability device pairs. The appliances in a High Availability pair communicate with each other using in-band access.

[ NSSDW-24534 ]

Static NAT policy for IPv6 Internet and Intranet services

While upgrading an appliance running Citrix SD-WAN version 11.3.1 to version 11.4.0, existing static NAT policies for the IPv6 Internet/Intranet service must be manually updated.

[ NSSDW-33726 ]

Miscellaneous

Patch upgrade support for Edge Security components

Citrix SD-WAN Advanced Edition (AE) supports patch upgrade mechanism that allows upgrade of the Edge Security subsystem.

If you upgrade from an existing release with edge security enabled to a higher release, which includes a newer version of the edge security component, only the parity of the subsystem updates will be downloaded and upgraded.

[ NSSDW-26721 ]

SD-WAN Center Dashboard

On the Citrix SD-WAN Center dashboard, the multi-region summary dashboard is visible when up to 300 sites are configured.

[ NSSDW-21753 ]

Network

Classes

Citrix SD-WAN displays only those classes that have traffic flowing on Virtual Paths and Dynamic Virtual Paths. If a class is displayed and shows 0 as the value, it means the traffic that was previously flowing has now stopped. However, if a class is not displayed at all, it means that there has never been any flow of traffic for that class, since the Virtual path service state has been reset (For example software upgrade or reboot).

[ NSSDW-33974 ]

IPv6 support for IPFIX

Citrix SD-WAN supports IPv6 addresses for IPFIX. Citrix SD-WAN uses templates 615 and 616 to export IPv6 IPFIX flow data. You can choose Application Flow Info (IPFIX) to export data sets as per template 615. If there are issues exporting the flow data, choose Basic Properties (IPFIX) which exports data as per template 616.

[ NSSDW-29153 ]

IPv6 Support for DNS Proxy and DNS Transparent Forwarder

Citrix SD-WAN supports IPv6 addresses for configuring DNS Proxy and DNS Transparent Forwarding. You can define DNS Proxy or DNS Transparent Forwarding using the following IPv6 DNS service types:

  • StaticV6: Allows you to configure static IPv6 DNS server IP address. You can create internal, ISP, google or any other open source DNS service. StaticV6 DNS service can be configured at global and site level.
  • DynamicV6: Allows you to configure dynamic IPv6 DNS server IP address. DynamicV6 DNS service can be configured at site level only. Only one DynamicV6 service is permitted per site.

[ NSSDW-29151 ]

ECMP load balancing

Equal Cost Multi-Path (ECMP) groups allow you to group multiple routes, with the same cost, destination, and service type. ECMP load balancing ensures:

  • Distribution of traffic over multiple equal-cost connections.
  • Optimal usage of available bandwidth.
  • Dynamic transfer of traffic to other ECMP member route, if a route becomes unreachable.
  • ECMP supports static routes on IPsec/GRE tunnels.
  • ECMP groups can be formed over Virtual Paths and Intranet services.

[ NSSDW-1238 ]

Platform and systems

Citrix Hypervisor 8.2

Citrix SD-WAN is supported on Citrix Hypervisor 8.2 from 11.4.0 release onwards.

[ NSSDW-32037 ]

Office 365 categories

Citrix SD-WAN 11.4.0 provides a more granular classification of the Allow and Optimize Office 365 categories, enabling selective bookending to improve the performance of network-sensitive Office 365 traffic. Directing network-sensitive traffic to SD-WAN in the cloud (Cloud Direct or an SD-WAN VPX on Azure), or from an at-home SD-WAN device to an SD-WAN at a nearby location with more reliable Internet connectivity, enables QoS and superior connection resilience compared to simply steering the traffic to the nearest Office 365 front door, at the cost of an increase in latency. A bookended SD-WAN solution with QoS reduces VoIP dropouts and disconnects, reduces jitter, and improves media-quality mean opinion scores for Microsoft Teams.

The Optimize category is classified into the following subcategories:

  • Teams Real-time
  • Exchange Online
  • SharePoint Optimize

The Allow category is classified into the following subcategories:

  • Teams TCP Fallback
  • Exchange Mail
  • SharePoint Allow
  • Office365 Common

[ NSSDW-27324 ]

Google Cloud Platform support for SD-WAN SE with HA and High throughput

You can now configure an SD-WAN SE instance on Google Cloud Platform (GCP) with High Availability. An SD-WAN instance on GCP also supports a higher throughput of 1 Gbps.

[ NSSDW-17179 ]

Wired 802.1X authentication

Wired 802.1X is an authentication mechanism that requires clients to authenticate prior to being able to access the LAN resources. Citrix SD-WAN Orchestrator service supports configuring wired 802.1X authentication on LAN interfaces.

In the Citrix SD-WAN network, the clients send authentication requests to the Citrix SD-WAN appliance to access the LAN resources. The Citrix SD-WAN appliance acts as an authenticator and sends the authentication requests to the authentication server. Citrix SD-WAN Orchestrator service supports only RADIUS servers to be configured as authentication servers.

[ NSSDW-1921 ]

Fixed Issues

The issues that are addressed in release 11.4.0a.

Configuration and Management

After adding some network objects, configuration audit and export was failing. The issue is fixed.

[ SDWANHELP-2041 ]

Importing a large sized network configuration from Citrix SD-WAN appliance to Citrix SD-WAN Center failed, due to limits on the allowed memory resources. The issue is fixed.

[ SDWANHELP-2034 ]

Citrix SD-WAN’s email notification adds an extra ‘CR’ character in the AUTH command which causes the SMTP session to terminate.

[ SDWANHELP-2028 ]

During the database archival of large networks, the statistical records on the MCN appliance were not getting inserted into the statistics database tables for a few minutes.

[ SDWANHELP-1872 ]

During interface changes, VRRP might still use old interface data which might result in core dump.

[ SDWANHELP-1867 ]

Hosted Firewall configuration on the local GUI does not load when the Firewall VM is in shutdown state.

[ SDWANHELP-1839 ]

You cannot choose the Backup Management Network as None while configuring virtual IP addresses.

[ SDWANHELP-1824 ]

The Public IPv4 Address field was grayed out under the Basic section of the configuration editor.

[ SDWANHELP-1780 ]

While public IP address learning is enabled on a branch WAN link, the RCN might not learn the new public IP address and results in a dead path if:

  • There is a configuration version mismatch between the branch and the RCN
  • The public IP address of the branch WAN link has changed

[ SDWANHELP-1580 ]

When the appliance management port is configured with DHCPv4, switching to a static IPv4 address fails.

[ NSSDW-35630 ]

When an appliance is configured for both DHCP IPv4 and DHCP IPv6 addresses, but the network has only a DHCP IPv6 server configured, then the appliance keeps waiting for the DHCP IPv4 address and hence does not get assigned with the IPv6 address also.

[ NSSDW-33741 ]

Auto-generated summary routes created for a Regional Control Node (RCN) network is assigned a cost of 30,000 instead of 65534.

[ NSSDW-32629 ]

Appliance settings are not getting applied to Citrix SD-WAN when pushed from Citrix SD-WAN Center.

[ NSSDW-32257 ]

Enable and Disable external modem does not work from the legacy UI.

[ NSSDW-32221 ]

An audit error during configuration prevents users from configuring an Internet service on a site unless all the WAN links are configured with access interfaces of the same IP types.

[ NSSDW-32185 ]

A WAN link configured as a DHCP client leads to Virtual Path failure. This issue occurs when the name of the WAN link is changed and change management effected.

[ NSSDW-32110 ]

License

On the Citrix SD-WAN 110 and 210 platforms, if the management port is configured as a data port, the Host ID might change after upgrading to a newer version. The SD-WAN appliances use the grace license if this issue occurs.

[ SDWANHELP-1866 ]

Miscellaneous

When cloning a site with more than one HA interface, the second HA interface IP address is not getting cloned.

[ SDWANHELP-2005 ]

Citrix SD-WAN Center GUI logs consume excessive disk space resulting in upgrade and STS failure.

[ SDWANHELP-1960 ]

When you view Citrix SD-WAN Center 11.3.0 login page on a browser in fullscreen mode, the Citrix logo and product name are not displayed correctly.

[ SDWANHELP-1910 ]

Network admin role has access to perform the security admin role specific activities which must not be allowed as per the definition of network admin role.

[ SDWANHELP-1906 ]

Import and Export of large network configurations (when the configuration file size exceeded 16 MB) on Citrix SD-WAN Center were failing.

[ SDWANHELP-1787 ]

Citrix SD-WAN Centers email notification adds an extra CR character in the AUTH command which causes the SMTP session to terminate.

[ SDWANHELP-1736 ]

Qualys security scanner tool caused one of the services of the Citrix SD-WAN appliance to consume high memory leading to unresponsiveness and reboot of the appliance. The issue is fixed.

[ SDWANHELP-1530 ]

When the internal license of Edge Security antivirus and antimalware components expires, Citrix SD-WAN stops detecting the virus and malware.

[ NSSDW-35596 ]

On performing reauthentication, negative values are displayed for upload and download data in Wi-Fi client reports.

[ NSSDW-31903 ]

To make the Citrix SD-WAN Orchestrator on-premises manage SD-WAN appliances shipped with 11.2.1 or 11.2.2 software, you must upgrade the SD-WAN appliance software to 11.3.0 version.

[ NSSDW-31612 ]

Network

After upgrading to Citrix SD-WAN 11.3.1, MSS (Maximum Segment Size) clamping fails with PPPoE when the Maximum Transmission Unit (MTU) size is set to 1492 bytes.

[ SDWANHELP-2048 ]

When in-band management is enabled and RADIUS server is accessible through data plane, Wi-Fi WPA2-Enterprise authentication fails.

[ SDWANHELP-2032 ]

Application identification related entries for Application Routing, QoS, or DNS features are regularly added to the First Packet Classifier (FPC) hash table. When an aged-out entry is evicted from the table, on some occasions, the Citrix SD-WAN appliance can crash.

[ SDWANHELP-1980 ]

When a packet received on LAN side or over local service that requires fragmenting is sent over LAN GRE, SD-WAN service crashes.

[ SDWANHELP-1846 ]

For the path MTU discovery, the path MTU probe events are enqueued for processing during a timer kick-off. A segmentation failure occurs in case if a probe event is not valid when the actual execution is attempted.

[ SDWANHELP-1754 ]

For an internet service route in a non-default routing domain and a path eligibility configured, when the path goes down and the remote site that does not have the given routing domain configured, the internet route is not marked unreachable.

[ SDWANHELP-1400 ]

When Citrix SD-WAN configuration with summary routes is loaded, the appliance might reload continuously.

[ NSSDW-34670 ]

In case appliance has a static route configured as summary route, and there is another same prefix route learned dynamically, then the summary route is not summarizing routes.

[ NSSDW-34355 ]

Adding import filters to remove previously imported OSPF/BGP routes can cause service crash.

[ NSSDW-34207 ]

Once SLAAC learns an IP and gateway address from a router, unless and until the current address expires, SLAAC will not relearn the IP if the gateway changes or we change network segments, even after rebooting the SD-WAN appliance. This might delay getting an address when moving ports.

[ NSSDW-33807 ]

Once SLAAC learns an IP and gateway address from a router, SLAAC will not relearn the gateway if the gateway changes (unless and until the current address expires).

Example:

  • Branch appliance learns its IP and gateway from gateway-1.
  • The network administrator decides to replace gateway-1 with a new gateway-2. The administrator configures gateway-2 the same as gateway-1 so that router advertisements send the same prefix info that gateway-1 was sending. However, gateway-2 has a different source address than gateway-1.
  • The branch appliance will not automatically learn gateway-2’s IP. (unless and until the current address times out)

[ NSSDW-33802 ]

A configuration update might result in not starting the DHCP server hosted on Prefix Delegation LAN Virtual Network Interface. Prefix Delegation is not supported with Citrix SD-WAN 11.3.1 release.

[ NSSDW-33664 ]

Enabling Static NAT on an Internet or Intranet Service with proxy NDP can cause the SD-WAN to respond to NDP for addresses owned and used by other hosts in the network.

[ NSSDW-33653 ]

The underlay site diagnostic bandwidth test is not supported in Citrix SD-WAN 11.3.1 release.

[ NSSDW-33597 ]

When Internet Service is enabled on WAN links that have an IPv6 access interface, service interruption might occur after configuration update.

[ NSSDW-32212 ]

Wi-Fi feature does not support High Availability (HA) in Citrix SD-WAN 11.3 release.

[ NSSDW-32197 ]

Dynamic NAT might not function correctly or cause a service interruption during configuration update if used for both IPv4 and IPv6 on an Internet Service with Internet Load Balancing enabled.

[ NSSDW-32139 ]

DHCPv4 and DHCPv6 mode on the LTE interface can cause SD-WAN device to lose IP address after configuration updates.

[ NSSDW-31998 ]

Platform and systems

When a Citrix SD-WAN 4000 appliance is upgraded to 11.3.0, 11.3.1, or 11.4.0, the SD-WAN service might fail due to race condition.

[ SDWANHELP-2106 ]

A filter policy rule validation is performed during config update to distinguish between newly created vs modified rules. Due to a missing comparison check for “match_type”, most of the connections to internet are being blocked by firewall as “O_DENIED” The workaround is to change default rule from “Reject” to “Drop”.

[ SDWANHELP-2078 ]

When HDX reporting is enabled and there is HDX traffic running through the Citrix SD-WAN appliance, occasionally Citrix SD-WAN appliance might observe core dump.

[ SDWANHELP-1957 ]

When the firewall NAT information is dumped using the CLI, the appliance crashes.

[ SDWANHELP-1901 ]

When transparent DSN forwarding is enabled, the processing of large DNS response packets might lead to stack overflow due to not having proper boundary conditional checks. One use case is when cloud service might need to learn IPs from DNS to enable classification of Office 365 default category.

[ SDWANHELP-1891 ]

The firewall rules allow the ICMP ping request received on an untrusted interface but drops the ping response and therefore the SD-WAN service crashes.

[ SDWANHELP-1865 ]

After upgrading Citrix SD-WAN device to 11.2.2 version, more than one VRRP device acts as Master because of the wrong VRRP advertisement packet size sent by SD-WAN device.

[ SDWANHELP-1804 ]

During the Dynamic Virtual Path (DVP) creation, if the protocol message arrives with an unexpected IP type of service (TOS) value, it might result in core dump.

[ SDWANHELP-1783 ]

When two virtual IP addresses (one private and another one non-private) are created in the same subnet, an issue occurs that two routes are created for the same subnet and the subnet is not advertised to a remote site.

[ SDWANHELP-1739 ]

When GRE tunnel reachability changes from UP to Down, the GRE tunnel routes which are GRE tunnel eligible do not get updated with the change in reachability status.

[ SDWANHELP-1623 ]

The SSH sessions initiated using the command line interface (CLI) had a hardcoded idle time-out value of 120 minutes. The longer duration of the time-out period appeared as though the SSH session is not getting timed out. The issue is fixed with the addition of a new configuration in the GUI to configure the SSH time-out value (5–9999 minutes).

[ SDWANHELP-1622 ]

In Azure HA deployment, SD-WAN paths do not come up when the secondary access interface is configured on the WAN link.

[ SDWANHELP-1578 ]

Some carriers allow only IPv6 data sessions if the Packet Data Protocol (PDP) is enabled for IPv4 and(or) IPv6.

[ SDWANHELP-1777 ]

Known Issues

The issues that exist in release 11.4.0a.

Configuration and Management

If an application used to configure a rule is deprecated, after the upgrade, the GUI displays the same rule under a different application.

[ NSSDW-34618 ]

If out-of-band management interfaces are connected, then the DNS setting can be updated only from the appliance UI.

If in-band management is configured, then the DNS settings updated using the appliance UI do not take effect. You can update the DNS settings only from Citrix SD-WAN Orchestrator service UI.

[ NSSDW-33932 ]

VPX branch goes into single site mode, if the newly provisioned VM is first downgraded and then upgraded back to the version on which the VM was provisioned.

Workaround:

Perform Local Change Management on the affected branch.

[ NSSDW-29513 ]

Miscellaneous

When you add a new local user in Citrix SD-WAN Center, a yellow banner appears with a message that the firewall access is changed from Enabled to Disabled.

[ SDWANHELP-1737 ]

WPA3 failed authentications are not reported under site-level alerts.

[ NSSDW-32053 ]

Network

Frequent route table changes in an SD-WAN site along with configuration update or dynamic routes purge might cause route synchronization issues in the remote site.

[ SDWANHELP-2043 ]

A configuration change made to a firewall dynamic NAT policy or a port forwarding rule might result in a core dump.

[ NSSDW-34603 ]

Platform and systems

On the following platforms, when HDX reporting is enabled, if there is a parsing error after the connection is classified to HDX and starts reporting statistics, the appliance crashes when there is a new HDX connection:

  • Citrix SD-WAN 2100
  • Citrix SD-WAN 4100
  • Citrix SD-WAN 5100
  • Citrix SD-WAN 6100

[ SDWANHELP-1882 ]

Release Notes for Citrix SD-WAN 11.4.0a Release