Release Notes

This release note describes known issues, and fixed issues applicable to Citrix NetScaler SD-WAN software release 10.0 for the SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances.

For information about the previous release versions, see the NetScaler SD-WAN documentation on

Fixed Issues

SD-WAN appliance:

Issue ID 700046: NetScaler SD-WAN appliance crashes when you try to generate STS while processing high traffic volume.

SD-WAN VPX appliance high availability Deployment:

Issue ID 693737: In a high availability deployment with NetScaler SD-WAN VPX appliance on VMware ESXi platform, the virtual path service becomes inactive.

MPLS Quality of Service Queues:

Issue ID 697906: NetScaler SD-WAN service is disabled when MPLS Quality of Service queues with all tagged queues are configured through a WAN Link Template, and on receiving a packet without DSCP tag.

ICMP request:

Issue ID 695993: Packets sent to the SD-WAN (IP host) Virtual IP address from a trusted WAN interface is dropped when the flow table is exhausted or unable to allocate flows. In this case, proper ICMP reply was expected from the SD-WAN appliance.

IPsec Virtual Path:

Issue ID 699665: When you configure Virtual Path IPsec between MCN appliance and two of the branch appliances, and when you attempt to send traffic from Branch1 appliance to Branch2, WAN-to-WAN forwarding packets with large size are dropped by IPsec due to buffer overflow.

GRE Tunnels:

Issue ID 700183: When GRE tunnel is transmitted through an untrusted interface, for example. Internet Service, the ping requests are responded, but the IP host will not forward replies/messages back to the GRE tunnel.

Issue ID 699982: When GRE Routes with Gateway eligibility are enabled, ICMP Packets to check gateway eligibility are not guaranteed to be transmitted through the GRE Tunnel. When the tunnel is down or the gateway address does not route to the tunnel, the packet uses standard IP routing. This leads to a GRE route being eligible inappropriately.

DPI processing:

Issue ID 700285: Do not update VLAN ID in the packet descriptor after DPI processing is complete.

DPI multi-thread:

Issue ID 700247: When DPI multi-threading is enabled, it can cause conn_mgr/other threads to wait for connection lock on platforms. This occurs when the release conn->lock is removed before returning from firewall.

DPI – Dual-mode IPERF test identifies traffic only from one node

Issue ID 678131: When dual-mode IPERF test is performed between two appliances, the traffic in NetScaler SD-WAN web management interface under Monitoring > Firewall > Connections with DPI identifies traffic flow only from one of the connections.

BGP Peering:

Issue ID 700585: Disabling service on SD-WAN appliances configured with BGP peering for more BGP hold time duration, results in the BGP session becoming disabled after enabling the service.


Issue ID 703248: Ensure that you always enable the Internet for all Routing Domain option with multiple routing domains for the WAN link which is enabled to carry internet traffic. You should not enable this option for the WAN link which is not enabled to carry internet traffic.

DHCP-410 SE appliance:

Issue ID 701855: DHCP is enabled on lights out management by default on some factory shipped 410-SE appliances. Assign an unreachable IP address to the LOM.

Two Box Mode:

Issue ID 700181: The ability to reconfigure or disable two box mode is not possible when caches are configured with any other subnets other than /24.

Change Management process:

Issue ID 698803: As part of change management procedure during SD-WAN appliance staging phase, configuration fails when you change MTU on the intermediate router to 600.

IPsec Tunnel Configuration

Issue ID 681121: On a NetScaler SD-WAN VPX appliance, a web GUI error is displayed and configuration fails when you try to add and configure IPsec tunnel through the SD-WAN configuration editor.

    Workaround: Configure IKE and IPsec parameters except protected networks and save the configuration. Edit the configuration to add protected networks.

Enterprise Edition as MCN – SSL Profile

Issue ID 680199: On a factory shipped Enterprise Edition appliance when you create an SSL profile and associate a Service Class to the profile with unidirectional setting, the SSL profile is not checked/enabled in the SSL Profile page of the SD-WAN EE web GUI. In addition, the service class is not associated to the SSL profile.

    Workaround: Create a SSL profile and associate unidirectional service classes.

Known Issues


SD-WAN VPX Appliances:

Issue ID 694837: For High Availability in AWS (AWS) environment, Virtual WAN service is disabled on a NetScaler SD-WAN VPX Primary (active) appliance citing duplicate IP address when the high availability interface on the primary appliance goes down.

Issue ID 702889: RCN branch that is changed from GEO to Client does not get updated to latest build even though it has an active Virtual path available by using the RCN.

Issue ID 701517: Over provisioning of the XenServer can lead to SD-WAN VPX appliance crash.

SD-WAN 4000 WANOP and 4000 SE:

Issue ID 681550: On a NetScaler SD-WAN 4000 WANOP appliance, uploading DER encoded certificate for the SSL profile is ignored and no error message is displayed in the web GUI. Only PEM encoded certificates are accepted.

SD-WAN 2100 EE and 5100 EE

Issue ID 704923: The Domain Join/ Delegate user Pre-check Tools Summary Status table is not displayed you try to access them.

    Workaround: You can obtain the status summary by selecting the ‘More’ option in the summary dialog page.

Two Box Mode:

Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.

    Workaround: Disable and re-enable two-box mode on the SD-WAN WANOP appliance.

SD-WAN 1000 / 2000:

Issue ID 681663: When you upgrade SD-WAN 1000 / 2000 appliance from release build version to 9.2.x, a warning is displayed in the browser.

    Workaround: Perform the upgrade in an in-cognito mode window of the Google Chrome browser.


Issue ID 690794: HDX ICA/CGP over SSL session’s behavior In Virtual WAN Standard Edition:

  • HDX sessions are not being negotiated as multi stream sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.
  • HDX traffic is classified as belonging to HTTP Secure (https) application and web family.
  • HDX traffic falls under interactive_very_low class. This can cause issues in QoS, bandwidth allocation and so on as application Quality of Service will not be triggered because the traffic is not classified as HDX sessions.


Virtual WAN Configuration:

Issue ID 704926: Configuration error occurs when you attempt to override service in a Virtual Path by changing the IP Rule properties.

Issue ID 704156: Activating LCM package for RCN on an appliance with release version 9.x, prepares packages for its branches only when virtual path with MCN is active and running.

Issue ID 704160: The Site Name in Virtual WAN configuration should be configured with alpha numeric characters between 3-15 characters only. This is due to the hostname restrictions in WAN Optimization which is required for domain join operation.

Issue ID 704645: Appliance staging of latest software version might not occur for some Regional Control Node (RCN) and its branch sites.

Workaround: Download the LCM package for RCN, and perform local change management on RCN only to upgrade the RCN network to latest build. This applies latest software version to all RCN branch sites.

Application Steering:

Issue ID 699285: The Application family added as one of the match types in the Application Object which is used for Application Routes configuration is not considered for steering.

Custom Application Reporting:

Issue ID 703794: If an existing application name is changed and change management is performed, the new application name might not be listed in the SD-WAN Center under the Top Sites-> Application drop-down menu. When the page is hard refreshed, then the new application name gets listed and reported, when traffic matches the application.

WAN GRE Tunnel:

Issue ID 681171: A NetScaler SD-WAN appliance does not reassemble fragmented GRE tunnel packets properly.

Transparent proxy support for TLS 1.2:

Issue ID 691900: In NetScaler SD-WAN WANOP 9.3.0, for SSL compression the SSL profile has to be configured in split mode only as transparent proxy mode is not supported.

Change Management (Single Step Upgrade) SD-WAN GUI:

Issue ID 691571: On low-end platform editions, such as the SD-WAN 400, 100, 2000, or VPX appliances by using 4 GB or smaller memory assigned, if concurrent local change management package downloads are initiated the appliance runs out of memory and becomes unresponsive.

    Workaround: Download local change management package one at a time, this reduces the load on the appliance.

Issue ID 691953: During software upgrade on an appliance using a Standard Edition license, a WAN optimization related warning message appears. After the scheduled upgrade and after the WAN optimization, SVM and XenServer hotfixes are installed the warning message is cleared.

    Workaround: Clear the warning messages manually or open the SD-WAN web UI in an incognito browser window.

Issue ID 705037: In the new Global Multi-Region Summary table, the “Total Sites” value appeared is less than the sum of the remaining columns. For example; if a branch node is not connected, it is possible that the branch is counted twice; once as “Not Connected” and once as “Preparing/Staging.”

Secure Peering Certificate and Keys:

Issue ID 695363: In the SD-WAN GUI, on the Secure Peering Certificate and Keys page, the CA certificate contents are displayed if the private CA radio button is selected after setting the Keystore password on a new appliance.

    Workaround: You need to switch between the radio buttons of the ‘Private CA’ and ‘CA Certificate’ once to get the correct contents displayed under ‘Private CA’ and ‘CA Certificate’ for Secure Peering Certificate and Keys.

Multicast Traffic:

Issue ID 694894: When you configure Application Quality of Service rule with match type as “Application” to match ‘icmp’ and change the class to Real-time, and mode to load balance which overrides the default rule, the multicast traffic is not processed.


Issue ID 704561:  Unable to make the routing domain as default for a site after disabling it.


  1. Disable site routing domain (all).
  2. Enable routing domain for the site without making it default. Select Apply.
  3. Make the enabled routing domain for the site as default. Select Apply.

Issue ID 705255: Dynamic routes can be installed by using path eligibility, LOCAL service as part of Import filters. In NetScaler SD-WAN 10.0, if the path becomes inactive, then all routes are termed as REACHABLE – YES, and ELIGIBLE - NO instead of REACHABLE - NO and ELIGIBLE – NO. These routes which are ineligible will stay in the remote SD-WAN routing table instead of being purged.

DPI Functionality

DPI- ICMP Functionality:

Issue ID 677356: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.

    Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.

DPI –Traffic for Top App Family as “Standard” and Top App as “Unknown Virtual protocol” for a Standard Edition appliance:

Issue IDs 678373, 678339, 678545, 675063, 676017: On a NetScaler SD-WAN Standard Edition appliance, enable EDT policy for MSI+MP for Win7 and Win2K12 XenDesktop 7.12 VDAs on ports 2598, 2599, 2600, 2601 and subsequently disable Session Reliability policy for Win7 VDA.

Start sending internet traffic and check the monitoring flows in the Standard-Edition web management interface for Classes, Rule groups – ICAUDP and ICACGPUDP, and Firewall. Check the Dashboard and Reporting page in SD-WAN Center web management interface. The results display Top Application Family as Standard and Top Applications as Unknown Virtual Protocol.

SD-WAN Center

Issue ID 693436: The clear connections/flows clear SD WAN connection table entries and all the later ICA sessions. The SD-WAN Center dashboard shows incorrect results for HDX TCP and EDT classification sessions and reports it as “Not Classified.”

Issue ID 693026: For HDX configuration, only UDP ICA sessions are classified by ICA classifier. The Framehawk ICA session is ignored. The SD-WAN DPI fails to classify the Framehawk sessions.

Issue ID 704713: The Licensing tab under Configuration view in the SD-WAN Center UI displays the “Under Construction” message after an upgrade from release version 9.3 to release version 10.0.

Workaround: You can clear the browser cache with Ctrl+Shift+R on Chrome, Shift+Ctrl+Delete in a Mozilla browser, after which the UI displays the Licensing tab. You can also log out and log in after you upgrade the SD-WAN Center.

Release Notes