Citrix SD-WAN 11.3

Release Notes

These release notes describe what’s new, fixed issues, and known issues in Citrix SD-WAN software release 11 version 3 for the SD-WAN Standard Edition, WANOP, and Premium Edition appliances, and for SD-WAN Center.

For information about the previous release versions, see the Citrix SD-WAN documentation.

What’s New

Application-centric enhancements

Enhanced Application vendor API based classification

First packet classification of Microsoft Office 365 traffic, and of Citrix Cloud and Gateway Service traffic, is performed regardless of whether direct internet breakout is enabled for this traffic. Application-specific rules can therefore be configured using these applications without having to break out the traffic to the Internet.

[NSSDW-27821]

Earlier, only the Active-Backup mode was supported in a LAG. From release 11.3 onwards, negotiation based on the 802.3ad Link Aggregation Control Protocol (LACP) is supported. LACP is a standard protocol and provides more functionality for LAGs.

[NSSDW-25021]

IPv6 support

Citrix SD-WAN provides the following IPv6 capability:

  • NDP Router Advertisement - In an IPv6 network, the SD-WAN appliance periodically multicasts Router Advertisement (RA) messages to announce its availability and convey information to neighboring appliances in the SD-WAN network. The Neighbor Discovery Protocol (NDP) running on the SD-WAN appliances uses these Router Advertisements to determine the neighboring devices on the same link, learn each other’s link-layer addresses, find neighbors, and maintain reachability information about the paths to active neighbors.
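To make the Router Advertisement exchange concrete, the following is an added example (not code from Citrix or from these release notes) that builds and parses an ICMPv6 Router Advertisement in the RFC 4861 wire format and then audits the parsed content against a site's expected router MAC and prefixes, which is the check an operator runs when deciding whether an RA seen on a link is the legitimate one. The MAC address, prefix, lifetimes and MTU used as sample input are constructed for the example; the ICMPv6 checksum is left at zero because computing it requires the IPv6 pseudo-header, which this message-level example does not carry.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 type code
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_MTU = 5


def build_ra(hop_limit, managed, other, router_lifetime, reachable, retrans,
             src_mac, prefixes, mtu=None):
    """Build an ICMPv6 Router Advertisement message body (checksum left 0).

    prefixes: list of (IPv6Network, on_link, autonomous, valid_lt, preferred_lt).
    """
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    msg = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                      hop_limit, flags, router_lifetime, reachable, retrans)
    # Source Link-Layer Address option: type 1, length 1 (8 octets)
    msg += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, src_mac)
    # Prefix Information option: type 3, length 4 (32 octets)
    for net, on_link, autonomous, valid, preferred in prefixes:
        pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        msg += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                           pflags, valid, preferred, 0, net.network_address.packed)
    # MTU option: type 5, length 1 (8 octets)
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return msg


def parse_ra(data):
    """Parse an RA message into a dict; rejects malformed option framing."""
    if len(data) < 16:
        raise ValueError("RA too short")
    typ, code, _csum, hop_limit, flags, lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", data[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "reachable_time": reachable, "retrans_timer": retrans,
          "source_mac": None, "prefixes": [], "mtu": None}
    off = 16
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861 4.6: must discard
        end = off + olen * 8
        if end > len(data):
            raise ValueError("option overruns message")
        body = data[off + 2:end]
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack("!BBIII16s", body)
            net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix)}/{plen}", strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!HI", body)[1]
        # unknown option types are skipped, as the RFC requires
        off = end
    return ra


def audit_ra(ra, trusted_macs, expected_prefixes):
    """Return findings where the RA differs from the site's known router plan."""
    findings = []
    if ra["source_mac"] not in trusted_macs:
        findings.append(f"RA from unexpected link-layer address {ra['source_mac']}")
    for p in ra["prefixes"]:
        if p["prefix"] not in expected_prefixes:
            findings.append(f"unexpected prefix {p['prefix']} advertised")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: sender is not offering itself as default router")
    return findings


# Constructed sample: one on-link, SLAAC-capable /64 from a known router.
SAMPLE_MAC = bytes.fromhex("001122aabbcc")
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
SAMPLE_RA = build_ra(64, False, True, 1800, 0, 0, SAMPLE_MAC,
                     [(SAMPLE_PREFIX, True, True, 2592000, 604800)], mtu=1500)

if __name__ == "__main__":
    parsed = parse_ra(SAMPLE_RA)
    print(parsed)
    print(audit_ra(parsed, {"00:11:22:aa:bb:cc"}, {"2001:db8:1::/64"}))
```

Running the block on the constructed message prints the decoded fields and an empty findings list; feeding it an RA whose prefix or source MAC is not in the expected set produces a finding for each mismatch, and a truncated message raises rather than being partially accepted.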

Note

Citrix SD-WAN Orchestrator services do not support IPv6 addresses.

The following features of Citrix SD-WAN appliances support IPv6 addresses:

  • Management plane features
    • Management interface
    • RADIUS server
    • TACACS+ server
    • SMTP server
    • Syslog server
    • HTTP server
    • DNS server
    • App Flow/IPFIX
    • SNMP
    • Remote licensing
    • Centralized licensing
    • NTP server
    • Allow list
    • New User Interface for SD-WAN appliances
    • Diagnostics

Note

If you disable the IPv4 or IPv6 protocol after configuring the features listed above, those features do not work as expected.

  • Data plane features

    • Static Routing
    • Internet Service over IPv6 WAN Links
    • Intranet Service over IPv6 WAN Links
    • Router Advertisement
    • DHCP Client
    • DHCP Server/Relay
    • Application QoS
    • Firewall
    • In-band Management
    • High Availability
    • IP Rules
    • IPv6 supported over LTE links

[NSSDW-1938, NSSDW-21915]

Security enhancements

User accounts

The network administrator and security administrator roles on Citrix SD-WAN Center or Citrix SD-WAN appliance UI can change the configuration and deploy the changes to fully provision a site. The security administrator can also enable or disable the write access to the firewall for all user accounts except the super administrator.

[NSSDW-31045]

Advanced Edge security support for Citrix SD-WAN 410 SE appliance

Citrix SD-WAN 410 SE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses.

[NSSDW-27582]

UI enhancement

New User Interface

The Citrix SD-WAN new user interface is now available for Citrix SD-WAN 410 SE and Citrix SD-WAN SE VPX platforms.

Note

Provisioning the Citrix SD-WAN 210-SE, 410 SE, or VPX SE platforms as an MCN redirects you to the legacy UI.

[NSSDW-29803]

LTE enhancements

USB LTE modem support

You can connect an external 3G/4G USB modem on certain Citrix SD-WAN appliances. The appliances use the 3G/4G network along with other connections to form a virtual network that aggregates bandwidth and provides resiliency. If there is a connectivity failure on the other interfaces, traffic is automatically redirected through the USB LTE modem. In addition to Citrix SD-WAN 110 SE, 110 LTE Wi-Fi, 210 SE, and 210 LTE Wi-Fi, the external USB LTE modem support is now extended to the following platforms:

  • Citrix SD-WAN 1100 SE / AE / PE
  • Citrix SD-WAN 2100 SE / PE
  • Citrix SD-WAN 110 SE Wi-Fi

[NSSDW-24523]

External USB modem MBIM and NCM support

External USB modems that use MBIM and NCM mode are supported on Citrix SD-WAN 110 and 210 appliances. You can also configure the APN settings and Enable/Disable modem through the new Citrix SD-WAN GUI and Citrix SD-WAN Center. Mobile broadband operations are not supported on CDC Ethernet USB modems.

[NSSDW-29811]

LTE Signal strength

You can view the LTE signal strength information as part of the site reports under Site > Reports > Appliance Reports > LTE signal. The LTE signal tab is visible only for Citrix SD-WAN 110 and 210 appliances.

[NSSDW-26505]

Platform

Citrix SD-WAN 110-WiFi-SE

The Citrix SD-WAN 110-WiFi-SE platform is a branch-side appliance that can be deployed in micro and small branch offices, remote sites, retail stores, homes, and temporary worksites. A single box-in-branch solution helps to reduce the hardware footprint and eases branch deployment. The Citrix SD-WAN 110-WiFi-SE appliance can be configured as an access point. This eliminates the need to maintain an extra access point appliance to create a WLAN. The devices on your LAN can connect to the Citrix SD-WAN 110-WiFi-SE appliance through Wi-Fi.

Note

Citrix SD-WAN 11.3.0 is the minimum software version that supports Wi-Fi capabilities for Citrix SD-WAN 110-LTE-WiFi and Citrix SD-WAN 110-WiFi-SE model.

[NSSDW-1920]

Cloud management

M5 and C5 instances support on AWS

Citrix SD-WAN has introduced support for the M5 and C5 instances on Amazon Web Services (AWS).

[NSSDW-23745]

AWS Outposts

Citrix SD-WAN has introduced support for the AWS Outposts feature.

[NSSDW-23823]

NITRO Rest APIs for PE WANOP settings

You can now configure and retrieve WANOP Virtual Machine Appliance Settings in a PE appliance using Citrix SD-WAN NITRO REST APIs. These new APIs are available for PE supported platforms - 1100, 2100, 5100, and 6100. You can get detailed information on API usage in Citrix SD-WAN NITRO API documentation under the WAN Optimization section. The following are the WANOP settings that can be configured using the NITRO APIs:

  • KeyStore Settings
  • Windows Domain Join
  • Delegate Users
  • SSL CA and SSL Certificate-Key Pair
  • SSL Profile
  • Secure Peering

[SDW-14532]

SD-WAN Orchestrator enhancements

Wi-Fi Access point

You can configure a Citrix SD-WAN appliance that supports Wi-Fi as a Wi-Fi Access Point, eliminating the need to maintain an extra access point appliance to create a WLAN. The devices on your LAN can connect to Citrix SD-WAN appliance through Wi-Fi.

The following two variants of Citrix SD-WAN 110 platform support Wi-Fi and can be configured as an access point:

  • Citrix SD-WAN 110-WiFi-SE
  • Citrix SD-WAN 110-LTE-WiFi

For more information about the platforms, see Citrix SD-WAN 110 SE.

You can configure and manage Citrix SD-WAN appliances that are configured as Access Points through the Citrix SD-WAN Orchestrator service. Citrix SD-WAN Orchestrator service also allows you to view Wi-Fi related reports such as connected devices, data utilized, usage, and authentication failure logs at both network level and individual site level.

There are 2 geography SKUs to support 110 Wi-Fi SE and 110 LTE Wi-Fi SE, one for US or Canada and the other for Rest of World (ROW).

[NSSDW-1920, NSSDW-28612]

Security enhancements

Firewall defaults

The Action When Security Profiles Cannot be Inspected drop-down list is introduced to define an action for packets that match a firewall rule and engage a security profile but temporarily cannot be inspected by the Edge Security subsystem. If you select Ignore, the relevant firewall rule is treated as not matched and the next firewall rule in order is evaluated. If you select Drop, the packets matching the relevant firewall rule are dropped.
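The Ignore and Drop choices above are the fail-open and fail-closed settings of an ordered rule walk, and the practical difference shows up when a later, broader rule exists. The following is an added example (a constructed model, not Citrix's firewall code or configuration format) that walks an ordered rule list the way the passage describes: a rule whose security profile cannot be inspected is either skipped as "not matched" (Ignore) or terminates evaluation with a drop (Drop). The rule names, packet fields and the `inspector_available` flag are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    match: dict                        # packet attributes that must all match
    action: str                        # "allow" or "deny"
    security_profile: Optional[str] = None   # None: rule needs no inspection


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


def evaluate(packet, rules, inspector_available, when_uninspectable,
             default_action="deny"):
    """Walk rules in order and return (verdict, trace).

    A rule that engages a security profile while the inspector is unavailable
    is handled by when_uninspectable: "ignore" treats the rule as not matched
    and continues with the next rule; "drop" drops the packet immediately.
    """
    if when_uninspectable not in ("ignore", "drop"):
        raise ValueError("when_uninspectable must be 'ignore' or 'drop'")
    trace = []
    for rule in rules:
        if not all(getattr(packet, k) == v for k, v in rule.match.items()):
            continue
        if rule.security_profile and not inspector_available:
            if when_uninspectable == "ignore":
                trace.append(f"{rule.name}: profile '{rule.security_profile}' "
                             "uninspectable, treated as not matched")
                continue
            trace.append(f"{rule.name}: profile '{rule.security_profile}' "
                         "uninspectable, packet dropped")
            return "drop", trace
        trace.append(f"{rule.name}: matched -> {rule.action}")
        return rule.action, trace
    trace.append(f"no rule matched -> default {default_action}")
    return default_action, trace


# Constructed policy: inspected web access, followed by a broad outbound allow.
RULES = [
    Rule("web-inspected", {"dst_port": 443}, "allow", security_profile="web-profile"),
    Rule("any-outbound", {"proto": "tcp"}, "allow"),
]
WEB_PACKET = Packet("10.0.0.5", "203.0.113.10", 443)

if __name__ == "__main__":
    for available in (True, False):
        for mode in ("ignore", "drop"):
            verdict, trace = evaluate(WEB_PACKET, RULES, available, mode)
            print(f"inspector_available={available} mode={mode}: {verdict} {trace}")
```

With the inspector up, the web rule matches and the packet is allowed after inspection. With the inspector down and Ignore selected, the web rule is skipped and the broad `any-outbound` rule allows the same packet without inspection, which is the fail-open outcome to weigh when ordering rules; with Drop selected the packet is dropped at the first rule that needed the profile.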

[SDW-9990]

IPS Profiles

IPS profiles allow you to enable a combination of IPS rules for a specific set of sites within the network. When an IPS profile is enabled, it inspects the network traffic only for the sites with which the IPS profile is associated and the IPS rules enabled within that profile. You can create IPS profiles on Citrix SD-WAN Orchestrator services at the network level under Configuration > Security > Intrusion Prevention.

[NSSDW-28281]

Anti-Malware

You can add new File Types and MIME Types for Anti-Malware scanning. If Anti-Malware denies access to a website, you can set an external server location to redirect users. The users can be redirected to the default redirect page provided by the SD-WAN Orchestrator or you can create a custom redirect page.

[NSSDW-26640]

Web filter option for advanced edition

For the Web filtering security functionality, the following safe browsing options are added under the Advanced Options:

  • Enforce safe search on popular search engines
  • Enforce restrict mode on YouTube
  • Force searches through kid-friendly search engine

[NSSDW-26636]

SSL inspection

You can now configure Secure Sockets Layer (SSL) inspection for the traffic flowing to and from your organization. SSL inspection intercepts, decrypts, and scans the HTTPS and secure SMTP traffic for malicious content. You can create SSL rules as part of security profiles and define conditions for the traffic to undergo SSL inspection.

SSL inspection can be configured through Citrix SD-WAN Orchestrator. The SSL Inspection option is newly added under Configuration > Security and Configuration > Security Profile > New Security Profile.

[NSSDW-24377]

Fixed Issues

NSSDW-27727: Networks with VPX and VPXL instance using the IXGBEVF driver, used for certain Intel 10 GB NICs when SR-IOV is enabled, must not be upgraded to 11.0.1. It might result in a loss of connectivity. The issue is known to impact AWS instances with SR-IOV enabled.

NSSDW-27753: If SD-WAN was not registered with MAS before upgrading to SD-WAN 11.2.0 release, then it fails to register with MAS after upgrading to SD-WAN 11.2.0 release.

NSSDW-27928: You cannot enable or disable the modem if no configuration is done on the LTE modem.

NSSDW-27934: If Two-Box mode is enabled, you cannot upgrade from 11.2.0 release to any upper releases without disabling Two-Box mode and re-enabling it after the upgrade is complete.

NSSDW-27935: HTTP server alerts are not sent from Citrix SD-WAN appliances.

NSSDW-27938: STS bundle that is created using the CLI is not downloadable through Citrix SD-WAN GUI.

NSSDW-28146: If a Citrix SD-WAN 11.2.0 release appliance was once upgraded from, or downgraded to, the 10.2 release and later upgraded to the 11.0/11.1 releases, then downgrading back to the 10.2 release again fails. Similarly, after upgrading Citrix SD-WAN Center from the 10.2 release to the 11.2.0 release, downgrading SD-WAN Center from 11.2.0 to the 10.2 release was not supported.

NSSDW-28799: Creating a Custom dashboard provides you an option to set it as a primary dashboard. If you check and save the dashboard, you land on that saved dashboard by default with every login or when you navigate to the dashboard page.

NSSDW-29699: When you provision an SD-WAN appliance with 11.2.0 version freshly, single sign-on to MCN from SD-WAN Center does not work as expected. Features like Cloud Direct, Change Management, automated Azure deployment, Azure virtual WAN, Zscaler do not work from SD-WAN Center. The issue is fixed in SD-WAN 11.2.1 version. When you upgrade from a freshly provisioned 11.2.0 version to 11.2.1 version, regenerate the Appliance certificate.

NSSDW-29862: SD-WAN Center virtual machine running on VMware ESXi hypervisor might hang while taking a snapshot.

NSSDW-31822: When managing a scale network (> 500 sites) where the controller (MCN or RCN) and branches each have multiple WAN Links, a controller might experience a service interruption during a major configuration update.

NSSDW-31903: On performing reauthentication, negative values are displayed for upload and download data in Wi-Fi client reports.

SDWANHELP-1161: After upgrading to 10.2.5.6 build, the SD-WAN UI access became slow.

SDWANHELP-1193: For an MCN in factory default state, the LCM package downloaded immediately after clicking staging but before activating the staged software, does not contain the necessary content.

SDWANHELP-1210: When both VRRP and HA are configured, the GUI access is interrupted, loss of connectivity and ping failure are observed. Do not initiate the VRRP instance on the HA standby appliance.

SDWANHELP-1292: Timezone setting done using Citrix SD-WAN Center is not applied on Citrix SD-WAN appliances.

SDWANHELP-1299: A branch with dynamic virtual path established with another branch and WAN-to-WAN forwarding enabled, forwards the routes received over the dynamic virtual path to other sites. When the dynamic virtual path goes down, the learned routes are not removed from the other sites.

SDWANHELP-1309: With the Citrix SD-WAN 11.1.x release, the Azure Virtual WAN configuration model was changed from using pre-created Intranet services to choosing WAN links for automatic Intranet service creation. In this case, the customer upgraded from 10.x, and the higher version was not removed along with the previous Azure Virtual WAN configuration. With this change, when the new site was deployed using a new SD-WAN Center deployment, duplicate entries were created. As a result, the import configuration failed and the previously created Azure Virtual WAN configurations were not shown.

SDWANHELP-1314: Unable to configure interface groups for Citrix SD-WAN 210 and 110 appliances using the REST API through the MCN. The fix provides the support to configure the interface groups for Citrix SD-WAN 210 or 110 site model and BASE submodels through REST APIs.

SDWANHELP-1323: MCN High Availability (HA) device shows not connected if the wire from the first HA interface is not plugged in (when multiple HA interfaces are defined).

SDWANHELP-1326: After upgrading Citrix SD-WAN to 11.1.0/11.1.1 release, PPPoE links fail to get connected on the following platforms:

  • Citrix SD-WAN 410
  • Citrix SD-WAN 210
  • Citrix SD-WAN 1100
  • Citrix SD-WAN 4100
  • Citrix SD-WAN 5100
  • Citrix SD-WAN 6100

SDWANHELP-1330: SD-WAN Center did not deliver email notifications because the email settings were set to null in the SD-WAN Center database.

SDWANHELP-1332: If a single data flow is sent on more than three different WAN links, the SD-WAN service might crash during NetFlow statistics collection.

SDWANHELP-1337: On AWS Elastic Compute Cloud (EC2), an SD-WAN instance with more than 32 GB of memory falls back to the default value of 16 static Virtual Paths. This leads to undefined behavior and possible crash scenarios when more than 16 static Virtual Paths are configured.

SDWANHELP-1353: The SD-WAN service might get aborted when WAN links are added for internet load balancing as part of the configuration update.

SDWANHELP-1363: The SD-WAN service might get aborted when ARP entry is updated from host to persistent type.

SDWANHELP-1365: In a High Availability GEO MCN setup with WAN-to-WAN forwarding enabled, an internet service down event can trigger an erroneous scenario wherein routes learned from the Secondary GEO MCN take higher precedence than the Primary GEO MCN.

SDWANHELP-1368: SNMP Walk did not show the correct MAC address information for interfaces.

SDWANHELP-1370: SNMP service enabled after provisioning the SD-WAN Center with the default community string as public causes a vulnerability issue. SD-WAN Center does not support SNMP service. So, the SNMP service is permanently disabled to resolve the vulnerability issue.

SDWANHELP-1384: Inter-routing domain service routes when created using network objects do not get added. The export route option for all inter-routing domain service routes to export the route to other connected sites does not work.

SDWANHELP-1385: Citrix SD-WAN device serial number information might be lost and reset to Default string due to an issue in BIOS firmware v1.0b on Citrix SD-WAN 210 platform.

SDWANHELP-1386: The user is unable to schedule path bandwidth testing on Citrix SD-WAN appliance.

SDWANHELP-1420: On Citrix SD-WAN Premier Edition (PE), the WANOP GUI pages are not accessible over the In-band management Virtual IP address.

SDWANHELP-1423: You must not start the site diagnostics test at the same time for a given site from the peer appliance.

SDWANHELP-1432: Trace files are not parsed properly when the file name contains a + symbol.

SDWANHELP-1437: The insecure TLS 1.0 and TLS 1.1 protocols are disabled for connectivity between Citrix SD-WAN and SD-WAN Center.

SDWANHELP-1454: An incorrect WAN Link use setting of Auto was allowed for Internet service which caused a crash. The configuration code has been corrected to block users from selecting the Auto option for WAN Link use for Internet service. An audit has also been added to catch this misconfiguration.

SDWANHELP-1463: Some SD-WAN devices were entering the grace period for a few minutes because the license server was temporarily unreachable.

SDWANHELP-1464: The SD-WAN service gets aborted while processing packets received over the intranet service configured over the Private MPLS link that has MPLS queues.

SDWANHELP-1484: An error in PKCS12 bundle processing prevents bundles in which the key precedes the certificate from being processed.

SDWANHELP-1485: Packets received on Internet/Intranet service might get associated with the wrong WAN link when multiple WAN link gateways are resolved to the same MAC address.

SDWANHELP-1491: ICMP connections getting WAN to WAN forwarded between Virtual Path and Intranet service over IPSEC tunnel experience packet loss.

SDWANHELP-1503: Modems can become unresponsive over time, which causes qmi-proxy to fail to accept new requests.

SDWANHELP-1504: The SD-WAN service might get aborted when the ARP entries are manually cleared from the GUI.

SDWANHELP-1507: An issue in the configuration module was causing the export route setting to be true while the WAN to WAN forwarding setting was disabled. After the fix, the export route is correctly set to false when the WAN to WAN forwarding is disabled and when the user has not explicitly set the export route setting.

SDWANHELP-1509: Unable to change the default community string (public) for the SNMP trap message in Citrix SD-WAN.

SDWANHELP-1513: DNS settings were not getting updated using DHCP when the Management port is acting as a DHCP client.

SDWANHELP-1520: The issue is with IP learning on the branch site, where stale IP details are not cleared for a disconnected WAN link. These stale IP details cause the virtual path between two branches to remain in a DEAD state. As part of the fix, the old IP details are cleaned up on the branch appliance during IP learning.

SDWANHELP-1531: In Citrix SD-WAN Center reporting page, the data in the Top applications report of a site was inconsistent with the data in the Top sites report. It happened due to an unwanted regex match of the site name.

SDWANHELP-1535: When the Geo MCN is used as an active MCN, the standby RCN shows as Not Connected state at the Geo MCN. This issue can occur if there was a switchover done from Active MCN to Geo MCN.

SDWANHELP-1537: Citrix SD-WAN Center authentication for TACACS based users was failing for a few combinations of passwords having $ and # characters in the password. This issue was present in the 11.2.0 release.

SDWANHELP-1538: The following rare issues are addressed:

  • Data path goes to a state where configuration updates of learned source IP/Port, DHCP IP, and PPPoE IP are not applied/missed.

  • A configuration update can take more than expected time and cause a data path crash.

SDWANHELP-1547: After a configuration update, WAN links might not be available for Internet or Intranet traffic.

SDWANHELP-1553: Back-end validation that the certificate matched the signing authority was broken.

SDWANHELP-1554: Back-end parsing of certificate information was broken.

SDWANHELP-1555: Underscores were not allowed when entering the common name field.

SDWANHELP-1558: Internet service does not use the backup links when the primary link goes down.

SDWANHELP-1580: While public IP address learning is enabled on a branch WAN link, the RCN might not learn the new public IP address and results in a dead path if:

  • There is a configuration version mismatch between the branch and the RCN
  • The public IP address of the branch WAN link has changed

SDWANHELP-1616: Office365 local internet breakout might not work when multiple routing domains are enabled on a site.

SDWANHELP-1617: When regional subnets are created, the summary routes are auto-created with 65534 costs. When this route is advertised to another site, the cost is rolled over and becomes a non-summary route with the lowest cost.

SDWANHELP-1627: Connections redirected through the hosted firewalls (Palo Alto) and routed over the Virtual Path service experience high latency issues.

SDWANHELP-1641: A crash in the configuration compiler occurs when the auto path group is not set in WAN Link usage for the Dynamic virtual path when it is configured on an LTE-E1 interface.

SDWANHELP-1643: Unable to disable the Packet Resequencing option in the IP QoS rule once it is edited to enabled.

SDWANHELP-1646: The management port must not be added to a LAG; hence the management interface is no longer listed when forming a LAG.

SDWANHELP-1673: Citrix SD-WAN request to download the PAC file from the server is being intercepted and served by SD-WAN itself when management IP matches the local route.

SDWANHELP-1684: When Certificate Revocation Lists were enabled, there was an error causing repeated download attempts of the CRL.

Known Issues

NSSDW-20500: On Citrix SD-WAN 5100 PE appliance, when you initiate domain join operation, a warning message can display stating that WANOP is initializing.

  • Workaround: Rejoin the domain after 2 minutes.

NSSDW-23134: After upgrading the MCN from 10.x to 11.x release, the MCN consistently tries to push the 10.x software package to the newly added site with the 11.x build.

  • Workaround: Perform Change Management once again to resolve consistent software push.

NSSDW-29819: At times, the Edge Security subsystem in the Citrix SD-WAN 210 appliance might fail and the appliance might not recover automatically.

  • Workaround: Reboot the Citrix SD-WAN 210 appliance.

NSSDW-31082: Traffic between wireless clients is isolated from the datapath in Citrix SD-WAN 110 platform. As a result, it is not part of the packet captures.

NSSDW-31476: After the configuration update for one-arm mode with the LAG interface, due to ARP entry mismatch for VIPs of the LAG interface in the router (PBR), the virtual path goes down.

  • Workaround: Clear ARP on the router (PBR); the ARP entry is then learned properly and the virtual path comes UP.

NSSDW-31696: A change in the SSL inspection root Certificate Authority (CA) and the key will not be propagated to the SD-WAN appliance unless another edge security-related setting is also changed. This results in the SSL inspection being performed with the previous root CA.

  • Workaround: Change another setting related to edge security, then stage and activate it. This triggers the download and application of the root CA and key.

NSSDW-31998: DHCPv4 and DHCPv6 mode on the LTE interface can cause SD-WAN device to lose IP address after configuration updates.

  • Workaround: Restart the service.

NSSDW-32110: A WAN link configured as a DHCP client leads to Virtual Path failure. This issue occurs when the name of the WAN link is changed and change management effected.

  • Workaround: Restart the Citrix Virtual Wan Service.

NSSDW-32139: Dynamic NAT might not function correctly or cause a service interruption during configuration update if used for both IPv4 and IPv6 on an Internet Service with Internet Load Balancing enabled.

NSSDW-32185: An audit error during configuration prevents users from configuring the Internet service on a site unless all the WAN links are configured with access interfaces of the same IP types.

NSSDW-32197: Wi-Fi feature does not support High Availability (HA) in Citrix SD-WAN 11.3 release.

NSSDW-32212: When Internet Service is enabled on WAN links that have an IPv6 access interface, service interruption might occur after configuration update.

  • Workaround: Restart the service.

NSSDW-32219: When the user selects to view the status of the internal modem, the legacy UI also shows the status of the external modem.

NSSDW-32221: Enabling and disabling the external modem does not work from the legacy UI.

  • Workaround: Use Citrix SD-WAN virtual WAN CLI to enable/disable the legacy UI.

NSSDW-32257: Appliance settings are not getting applied to Citrix SD-WAN when pushed from Citrix SD-WAN Center.

  • Workaround: Use RestAPI to set these appliance settings.

SDWANHELP-1400: For an internet service route in a non-default routing domain and a path eligibility configured, when the path goes down and the remote site that does not have the given routing domain configured, the internet route is not marked unreachable.

SDWANHELP-1733: After Citrix SD-WAN Center is upgraded to 11.3 software version, the licensing page shows zero license count in the license details, even though all the devices that were hitherto licensed by this SD-WAN Center continue to be licensed.
