Citrix SD-WAN

Release Notes for Citrix SD-WAN 11.4.3a Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix SD-WAN release Build 11.4.3a.

Note

Citrix SD-WAN 11.4.3a release addresses the security vulnerabilities described in https://support.citrix.com/article/CTX370550 and replaces release 11.4.3.

What’s New

The enhancements and changes that are available in Build 11.4.3a.

Enhancement of DHCP logs

The Citrix SD-WAN appliance can generate DHCP server logs for IP addresses. Whenever IP addresses are allocated to the endpoints, logs are generated. The logs contain details such as the timestamp of the IP address allocation and lease duration, MAC address, the client ID and so on.

[ NSSDW-36840 ]

Hardware monitoring support: You can monitor hardware components, such as power supply, disk, health status and can check the status via the CLI command hw_mon. The severe hardware events are logged in Citrix SD-WAN events.

[ NSSDW-36660 ]

NAT log enhancements

From Citrix SD-WAN 11.4.3 release onwards, the static and dynamic NAT logs are enhanced to display information related to the translated IP addresses and translated IP ports. The following are the newly introduced fields:

Translated IP address

  • natsrc - Translated source IP address
  • natdest - Translated destination IP address

NAT type

  • snat - When snat is 1, it means that the connection is passing through the source NAT translation.
  • dnat - When dnat is 1, it means that the connection is passing through the destination NAT translation.

Translated Port

  • natsport - Translated source port address
  • natdport - Translated destination port address

[ NSSDW-34602 ]

Fixed Issues

The issues that are addressed in Build 11.4.3a.

In a case of scaled deployment on configuration change on any site or WAN link, the routing engine restart causes BGP sessions to flap.

[ SDWANHELP-2594 ]

Legacy GUI leaves CGI session files under a temporary directory. These CGI sessions are cleaned up during boot up, which can prevent Citrix SD-WAN service from running.

[ SDWANHELP-2567 ]

Citrix SD-WAN LTE service can hang due to LTE modem transaction timeout errors.

[ SDWANHELP-2565 ]

A possible memory leak issue is fixed while adding a dynamic rule.

[ SDWANHELP-2563 ]

The t2_app crashes when statistics are requested with an incorrect DB index due to a rare race condition in the Citrix SD-WAN UI.

[ SDWANHELP-2548 ]

Memory assigned to Palo Alto VM (VM-50 Model) on Citrix SD-WAN 1100 is increased to 5.5 GB.

[ SDWANHELP-2534 ]

A possible memory leak in ICA classification is fixed.

[ SDWANHELP-2527 ]

Appliance crashes when a DNS learned entry for a domain name-based application causes the first packet classification table to reach the maximum limit.

[ SDWANHELP-2480 ]

Citrix SD-WAN appliances allow only desired traffic on the management port, which prevents users from accessing the MiRIC management GUI when enabled.

[ SDWANHELP-2479 ]

Trying to enter the IP address with prefix was failing validations for source/destination IP fields in Firewall Filter Policies.

[ SDWANHELP-2471 ]

When the number of flows are constantly high and beyond the maximum flow capacity limit of an appliance, a change in flow mapping may some time cause data path restart.

[ SDWANHELP-2456 ]

After the management port is down/up, a source IP of communication to a Syslog Server becomes 169.254.200.2

[ SDWANHELP-2450 ]

The Citrix SD-WAN Center dashboard does not load any information.

[ SDWANHELP-2373 ]

Static Routes support GRE tunnels as a delivery service. Routes using the GRE tunnels delivery service have issues when GRE tunnels are deleted without properly deleting the static routes first.

This fix deletes the routes configured using the GRE tunnel as delivery service automatically when GRE tunnels are deleted.

[ NSSDW-37846 ]

In Citrix SD-WAN 11.4.2 release, uploading a signed CSR certificate from Citrix SD-WAN Orchestrator for On-premises fails for files with .der extension.

[ NSSDW-37813 ]

AT&T 3G network sunset is planned for February 2022. Citrix SD-WAN 110 LTE modem is set to voice-centric and it does not support VoLTE after AT&T’s 3G sunset.

[ NSSDW-37736 ]

Citrix SD-WAN Orchestrator service connectivity fails when the DNS provided by an LTE dongle or a Management port is not reachable. Even though the network has switched to In-band Management for connectivity.

[ NSSDW-37428 ]

In-band management

From Citrix SD-WAN 11.4.2 release onwards, it is mandatory to configure In-band management on the SD-WAN appliance, to establish connectivity to Citrix SD-WAN Orchestrator service through an In-band management port. Otherwise, the appliance loses connectivity to Citrix SD-WAN Orchestrator service when the management port is not connected and the In-band IP address is also not configured.

[ NSSDW-37174 ]

Citrix SD-WAN service might crash when DHCP server assigns new address with DVP and HA configuration.

[ NSSDW-36513 ]

In rare cases, when there is a route change in the routing table, the Citrix SD-WAN service gets reloaded.

[ NSSDW-36289 ]

When CRL processing is enabled, a memory issue in the third-party cryptography library can cause a core dump.

[ NSSDW-35679 ]

When the internal license of Edge Security antivirus and anti-malware components expires, Citrix SD-WAN stops detecting the virus and malware.

[ NSSDW-35596 ]

When Citrix SD-WAN configuration with summary routes is loaded, the appliance might reload continuously.

[ NSSDW-34670 ]

In case an appliance has a static route configured as summary route, and there is another same prefix route learned dynamically, then the summary route is not summarizing the routes.

[ NSSDW-34355 ]

Citrix SD-WAN allows only DHCP on mobile broadband devices, which does not work for customers who have static IP assignment on their data plan.

[ NSSDW-33971 ]

Once SLAAC learns an IP and gateway address from a router, unless and until the current address expires, SLAAC will not relearn the IP if the gateway changes or we change network segments, even after rebooting the SD-WAN appliance. This might delay getting an address when moving ports.

[ NSSDW-33807 ]

Once SLAAC learns an IP and gateway address from a router, SLAAC will not relearn the gateway if the gateway changes (unless and until the current address expires).

Example:

  • Branch appliance learns its IP and gateway from gateway-1.

  • The network administrator decides to replace gateway-1 with a new gateway-2. The administrator configures gateway-2 the same as gateway-1 so that router advertisements send the same prefix info that gateway-1 was sending. However, gateway-2 has a different source address than gateway-1.

  • The branch appliance will not automatically learn gateway-2’s IP. (unless and until the current address times out)

[ NSSDW-33802 ]

Auto-generated summary routes created for the Regional Control Node (RCN) network is assigned a cost of 30,000 instead of 65534.

[ NSSDW-32629 ]

Appliance settings are not getting applied to Citrix SD-WAN when pushed from Citrix SD-WAN Center.

[ NSSDW-32257 ]

WPA3 failed authentications are not reported under site-level alerts.

[ NSSDW-32053 ]

On performing reauthentication, negative values are displayed for upload and download data in Wi-Fi client reports.

[ NSSDW-31903 ]

Platform and systems

Adding a custom SNMP community string for the first time doesn’t remove the existing community string configuration.

[ SDWANHELP-2561 ]

Known Issues

The issues that exist in release 11.4.3a.

If Partial Site Upgrade was disabled followed by an upgrade of the whole network to a new software version, then some of the sites might get auto-corrected back to the older version.

Workaround: If another change management is triggered then the downgraded sites upgrades to the expected software version.

[ SDWANHELP-2586 ]

Citrix SD-WAN service might crash sometimes on the Advanced Edition (AE) platform with an Internet load balancing configuration.

Workaround: Configure Internet service in primary and secondary mode.

[ SDWANHELP-2521 ]

If an appliance using out-of-band port for SNMP service, switches to the in-band port, all the management service for the appliance connects to internet through the in-band port. The SNMP requests send to out-of-band port fail.

Workaround: Configure an external SNMP service to send request to in-band port if out-of-band port fails.

[ SDWANHELP-2358 ]

In VPX, without a valid license, the daemon gets restarted automatically. In this case, sometimes the daemon might get crashed. There is no user impact as the daemon comes up fine automatically.

[ NSSDW-37981 ]

The traffic rates displayed on the Monitoring classes table of the UI are approximately 150 Kbps lesser when traffic of the real-time, interactive high, interactive medium, and interactive low class types are initiated at the same time.

[ NSSDW-37568 ]

The Orchestrator connectivity status in the New UI Dashboard is displayed as BAD/Unknown for Citrix SD-WAN appliances that are managed through the MCN.

[ NSSDW-37462 ]

In rare conditions, if a branch site has one of the WAN links with a static public IP address, then the formation of the dynamic virtual path fails.

Workaround:

Restart the Virtual WAN Service at the branch site with the static Public IP address.

[ NSSDW-36429 ]

In Citrix SD-WAN BGP configuration, when the router ID for a routing domain is changed, the SD-WAN dynamic routing protocol might restart.

[ NSSDW-35657 ]

A configuration change made to a firewall dynamic NAT policy or a port forwarding rule might result in a core dump.

[ NSSDW-34603 ]

When the user selects to view the status of the Internal modem, the legacy UI also shows the status of the external modem.

[ NSSDW-32219 ]

Release Notes for Citrix SD-WAN 11.4.3a Release