Citrix SD-WAN

Release Notes for Citrix SD-WAN 11.4.2a Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix SD-WAN release Build 11.4.2a.

Notes

  • For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Citrix SD-WAN 11.4.2a release addresses the security vulnerabilities described in https://support.citrix.com/article/CTX330728 and replaces release 11.4.2. In addition to the enhancements and bug fixes that were available in release 11.4.2, release 11.4.2a contains the following bug fixes - SDWANHELP-2480 and SDWANHELP-2456.

What’s New

The enhancements and changes that are available in Build 11.4.2a.

Miscellaneous

In-band management

From Citrix SD-WAN 11.4.2a release onwards, it is mandatory to configure In-band management on the SD-WAN appliance, to establish connectivity to Citrix SD-WAN Orchestrator service through an In-band management port. Otherwise, the appliance loses connectivity to Citrix SD-WAN Orchestrator service when the management port is not connected and the In-band IP address is also not configured.

[ NSSDW-37174 ]

LTE interfaces

You can now configure the LTE interface-based WAN link as a Private Intranet WAN link using Citrix SD-WAN Orchestrator service. This enhancement provides you the flexibility of configuring the LTE interface as a Public Internet WAN link or a Private Intranet WAN link.

[ NSSDW-37064 ]

Orchestrator Connectivity Status

The New UI for the SD-WAN dashboard displays the following Orchestrator connectivity status:

  • Online State
  • Service State
  • DNS State
  • Local Gateway State
  • Failed Reason
  • Connected Through

[ NSSDW-36434 ]

Platform and systems

Domains and applications

The Domain name-based applications now support configurable ports and protocol in Citrix SD-WAN Orchestrator service. When you select the Configure Port check box, you can edit, add, or delete any port or the port range as required. Also, you can change/select the protocol as TCP, UDP, or Any. Previously (and with the Configure Port check box disabled), only ports 80 and 443, and protocol Any were supported for domains grouped under an application.

[ NSSDW-29930 ]

Fixed Issues

The issues that are addressed in Build 11.4.2a.

Miscellaneous

Appliance crashes when a DNS learned entry for a domain name based application causes the first packet classification table to reach the maximum limit.

[ SDWANHELP-2480 ]

When the number of flows are constantly high and beyond the maximum flow capacity limit of an appliance, a change in flow mapping may sometimes cause data path restart.

[ SDWANHELP-2456 ]

For an unencrypted path with VLAN tags, such as HA control paths, some SD-WAN control packets were sent with an incorrect Ethernet header making the paths unstable or dead.

[ SDWANHELP-2384 ]

An audit error id displayed while deploying standalone RCN without any branches.

[ SDWANHELP-2381 ]

When ICMP probes for Internet service are enabled from Citrix SD-WAN Orchestrator service, the SD-WAN service is restarted if the Internet WAN link goes down, on the following appliances-

  • Citrix SD-WAN 2100
  • Citrix SD-WAN 4100
  • Citrix SD-WAN 5100
  • Citrix SD-WAN 6100

[ SDWANHELP-2378 ]

The Citrix SD-WAN Center dashboard does not load any information.

[ SDWANHELP-2373 ]

While pushing changes to the network appliances from the MCN through the Change Management process, the SD-WAN Service on the appliances restarted disconnecting the appliance for approximately 2 minutes.

[ SDWANHELP-2366 ]

Unable to configure LAG groups for Citrix SD-WAN 5100 model.

[ SDWANHELP-2339 ]

Unable to download PAC file on Citrix SD-WAN appliance models that support PE.

[ SDWANHELP-2336 ]

When path encryption in turned off, high MTU and loss are observed in the path.

[ SDWANHELP-2327 ]

In the SD-WAN Orchestrator HA set-up, the standby appliance crashes when the appliance software is upgraded from a version lower than 11.3.0 to version 11.4.1, 11.3.2 or lower.

[ SDWANHELP-2315 ]

Gradually increasing packet loss is observed at a Site, which has dead virtual paths with other remote sites, WAN link configured in standby mode, and heartbeat disabled.

[ SDWANHELP-2276 ]

The option to toggle the columns displayed under the Monitoring > Flows page is not functioning as expected. Despite selecting or filtering the columns, the following message is displayed:

Please select at least one column.

[ SDWANHELP-2272 ]

LTE modem reboots continuously when the QMI proxy process stays in a defunct state.

[ SDWANHELP-2270 ]

Multiple authentication requests for the same user are sent when an SSH connection to SD-WAN is established using TACACS+ authentication, resulting in excessive logging.

[ SDWANHELP-2087 ]

Email notifications cannot be sent when the SMTP server name is set as FQDN. This issue occurs when the DNS server contains:

  • At least 2 IPv4 A records for the FQDN.
  • At least 1 IPv6 AAAA record for the FQDN.

[ SDWANHELP-2027 ]

In rare cases, when there is a route change in the routing table, the Citrix SD-WAN service gets reloaded.

[ NSSDW-36289 ]

When CRL processing is enabled, a memory issue in the third-party cryptography library can cause a core dump.

[ NSSDW-35679 ]

When the internal license of Edge Security antivirus and anti-malware components expires, Citrix SD-WAN stops detecting the virus and malware.

[ NSSDW-35596 ]

When Citrix SD-WAN configuration with summary routes is loaded, the appliance might reload continuously.

[ NSSDW-34670 ]

In case appliance has a static route configured as summary route, and there is another same prefix route learned dynamically, then the summary route is not summarizing routes.

[ NSSDW-34355 ]

Citrix SD-WAN UI shows an error if a duplicate name is used for DNS Proxy across the network.

[ NSSDW-33842 ]

Once SLAAC learns an IP and gateway address from a router, unless and until the current address expires, SLAAC will not relearn the IP if the gateway changes or we change network segments, even after rebooting the SD-WAN appliance. This might delay getting an address when moving ports.

[ NSSDW-33807 ]

Once SLAAC learns an IP and gateway address from a router, SLAAC will not relearn the gateway if the gateway changes (unless and until the current address expires).

Example:

  • Branch appliance learns its IP and gateway from gateway-1.
  • The network administrator decides to replace gateway-1 with a new gateway-2. The administrator configures gateway-2 the same as gateway-1 so that router advertisements send the same prefix info that gateway-1 was sending. However, gateway-2 has a different source address than gateway-1.
  • The branch appliance will not automatically learn gateway-2’s IP. (unless and until the current address times out)

[ NSSDW-33802 ]

Auto-generated summary routes created for a Regional Control Node (RCN) network is assigned a cost of 30,000 instead of 65534.

[ NSSDW-32629 ]

Appliance settings are not getting applied to Citrix SD-WAN when pushed from Citrix SD-WAN Center.

[ NSSDW-32257 ]

Known Issues

The issues that exist in release 11.4.2a.

Miscellaneous

The ICA Connections page on the SD-WAN WANOP UI displays an error and the page shows no connections.

[ SDWANHELP-2431 ]

If an appliance using out-of-band port for SNMP service switches to in-band port, all the management services for the appliance connect to the Internet through the in-band port. The SNMP requests sent to the out-of-band port fail.

Workaround: Configure an external SNMP service to send request to in-band port if out-of-band port fails.

[ SDWANHELP-2358 ]

Unable to install Citrix SD-WAN VPX on VMware Hypervisor. Citrix SD-WAN VPX is not supported on an AMD Opteron(tm) or older version of the AMD processor. Citrix SD-WAN is qualified and recommended on the AMD EPYC processor only.

[ SDWANHELP-2309 ]

The traffic rates displayed on the Monitoring classes table of the UI are approximately 150 Kbps lesser when traffic of the real-time, interactive high, interactive medium, and interactive low class types are initiated at the same time.

[ NSSDW-37568 ]

When the DNS configured on the Management port is invalid or not reachable, appliances will not be able to connect to SD-WAN Orchestrator service due to DNS resolution error even if the In-band is configured with DNS proxy and internet service

Workaround: Configure a valid DNS on the Management port or clear the DNS and let it use the default configured DNS (9.9.9.9).

[ NSSDW-37467 ]

The Orchestrator connectivity status in the New UI Dashboard is displayed as BAD/Unknown for Citrix SD-WAN appliances that are managed through the MCN.

[ NSSDW-37462 ]

Citrix SD-WAN Orchestrator service connectivity fails when the DNS provided by an LTE dongle or a Management port is not reachable, even though the network has switched to In-band Management for connectivity.

[ NSSDW-37428 ]

In rare conditions, if a branch site has one of the WAN links with a static public IP address, then the formation of the dynamic virtual path fails.

Workaround:

Restart the Virtual WAN Service at the branch site with the static Public IP address.

[ NSSDW-36429 ]

In Citrix SD-WAN BGP configuration, when the router ID for a routing domain is changed, the SD-WAN dynamic routing protocol might restart.

[ NSSDW-35657 ]

A configuration change made to a firewall dynamic NAT policy or a port forwarding rule might result in a core dump.

[ NSSDW-34603 ]

WPA3 failed authentications are not reported under site-level alerts.

[ NSSDW-32053 ]

Release Notes for Citrix SD-WAN 11.4.2a Release