NetScaler SD-WAN 10.0.3 Release Notes

This release note describes known issues, and fixed issues applicable to SD-WAN software release version 10.0 version 3 for the SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances, and SD-WAN Center.

For information about the previous release versions, see the NetScaler SD-WAN documentation.

Fixed issues

Issue ID 713545: In NetScaler SD-WAN release 10 version 2, when dynamic virtual path is disabled and enabled within a short period followed by configuration or registry update, the SD-WAN service restarts.

Issue ID 713538: In NetScaler SD-WAN release 10.0 version 2, the SD-WAN service restarts when the number of Internet load balanced flows exceeds the limit supported by the appliance.

Issue ID 712187: In NetScaler SD-WAN release 9.3 version 5, route update or resync for a virtual path UP event could be affected when processing existing virtual path DOWN event causing the routes to be removed from route neighbors and not reinserted.

Issue ID 712093: In NetScaler SD-WAN release 10 version 2, the License event alert is generated even when the configured WAN link rate is less than twice the licensed bandwidth due to licensed bandwidth misinterpreted as 1 Mbps instead of 1 Gbps.

Issue ID 711992: The transmit mode settings are incorrectly displayed in the SD-WAN web management interface because the transmit mode settings are not overwritten for the Egress flows.

Issue ID 709996: An SD-WAN WANOP internal consistency check causes the appliance to restart.

Issue ID 701328: When you configure an Internet link, the Virtual Path, Ping, and Traceroute diagnostics tools stop working.

Issue ID 682728: You can clone a site based your deployment requirements, however you do not need to configure HA as part of a new configuration.

Issue ID 709418: If a new site that has a WAN link with public IP address learning enabled is added to the network, after configuration change, it is possible that a WAN path on the network will go DEAD.

Issue ID 713013: Unable to log into the SD-WAN Center web management interface because of high disk usage.

Issue ID 712292: The SD-WAN Center web management interface does not display description for the cause of a license event.

Known issues


SD-WAN VPX appliances

  • Issue ID 694837: For High Availability in Amazon Web Services (AWS) environment, Virtual WAN service is disabled on a NetScaler SD-WAN VPX Primary (active) appliance citing duplicate IP address when the HA interface on the primary appliance goes down.
  • Issue ID 702889: RCN branch that is changed from GEO to Client is not updated to latest build even though it has an active Virtual path available with the RCN.
  • Issue ID 701517: Over provisioning of the XenServer can lead to SD-WAN VPX appliance crash.

SD-WAN 4000 WANOP and 4000 SE

  • Issue ID 681550: On a NetScaler SD-WAN 4000 WANOP appliance, uploading DER encoded certificate for the SSL profile is ignored and no error message is displayed in the web GUI. Only PEM encoded certificates are accepted.

SD-WAN 2100 EE

  • Issue ID 704923: The Domain Join/ Delegate user Pre-check Tools Summary Status table is not displayed you try to access them.

    Workaround: You can obtain the status summary by selecting the More option in the summary dialog page.

Two box mode

  • Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two-box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.

    Workaround: Disable and re-enable two-box mode on the SD-WAN WANOP appliance.

SD-WAN 1000 / 2000

  • Issue ID 681663: When you upgrade SD-WAN 1000 / 2000 appliance from release build version to 9.2.x, a warning is displayed in the browser.

    Workaround: Perform the upgrade in an incognito mode window of the Google Chrome browser.


  • Issue ID 690794: HDX ICA/CGP over SSL session’s behavior In Virtual WAN Standard Edition:

    • HDX sessions are not being negotiated as multi stream sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.

    • HDX traffic is classified as belonging to Hyper Text Transfer Protocol Secure (https) application and web family.

    • HDX traffic falls under interactive > very > low class. This can cause issues in QoS, bandwidth allocation, and so on, as application QoS is not triggered because the traffic is not classified as HDX sessions.

DPI functionality

DPI- ICMP functionality

  • Issue ID 677356: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.

    Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.

DPI –Traffic for top app family as “standard” and top app as “unknown virtual protocol” for a Standard edition appliance

  • Issue IDs 678373, 678339, 678545, 675063, 676017: On a NetScaler SD-WAN Standard Edition appliance, enable EDT policy for MSI+MP for Win7 and Win2K12 XD 7.12 VDAs on ports 2598, 2599, 2600, 2601 and then disable Session Reliability policy for Win7 VDA.

    Workaround: Start sending internet traffic and check the monitoring flows in the Standard-Edition web management interface for Classes, Rule groups – ICAUDP and ICACGPUDP, and Firewall. Check the Dashboard and Reporting page in SD-WAN Center web management interface. The results display Top Application Family as Standard and Top Applications as Unknown Virtual Protocol.

SD-WAN Center

  • Issue ID 693436: The clear connections/flows clear SD WAN connection table entries and later all the ICA sessions. The SD-WAN Center dashboard shows incorrect results for HDX TCP and EDT classification sessions and reports it as “Not Classified.”
  • Issue ID 693026: For HDX configuration, only UDP ICA sessions are classified by ICA classifier. The FrameHawk ICA sessions are ignored. The SD-WAN DPI fails to classify the FrameHawk sessions.


Virtual WAN configuration

  • Issue ID 704926: Configuration error occurs when you attempt to override service in a Virtual Path by changing the IP Rule properties.
  • Issue ID 704160: The Site Name in Virtual WAN configuration should be configured with alpha-numeric characters between 3-15 characters only. This is due to the hostname restrictions in WAN Optimization which is required for domain join operation.

Application steering

  • Issue ID 699285: The Application family added as one of the match types in the Application Object, which is used for Application Routes configuration is not considered for steering.

Custom application reporting

  • Issue ID 703794: When an existing application name is modified and change management is performed, the new application name cannot be listed in the SD-WAN Center under the Top Sites-> Application drop-down menu. If the page is hard refreshed, then the new application name gets listed and reported, if traffic matches the application.

WAN GRE tunnel

  • Issue ID 681171: NetScaler SD-WAN appliance does not reassemble fragmented GRE tunnel packets properly.

Transparent proxy support for TLS 1.2

  • Issue ID 691900: In NetScaler SD-WAN WANOP 9.3.0, for SSL compression the SSL profile has to be configured in split mode only as transparent proxy mode is not supported.

Change Management (single step upgrade) SD-WAN GUI

  • Issue ID 691953: During software upgrade on an appliance using a Standard Edition license, a WAN optimization related warning message appears. After the scheduled upgrade and after the WAN optimization, SVM and XenServer hotfixes are installed the warning message is cleared.

    Workaround: Clear the warning messages manually or open the SD-WAN web UI in an incognito browser window.

  • Issue ID 705037: In the new Global Multi-Region Summary table, the “Total Sites” value displayed is less than the sum of the remaining columns. When a branch node is not connected, it is possible that the branch is counted twice; once as “Not Connected” and once as “Preparing/Staging.”


  • Issue ID 704561: Unable to make the routing domain as default for a site after disabling it.


    1. Disable site routing domain (all).
    2. Enable routing domain for the site without making it default. Click Apply.
    3. Make the enabled routing domain for the site as default and click Apply.
  • Issue ID 705255: Dynamic routes can be installed with path eligibility, LOCAL service as part of Import filters. In NetScaler SD-WAN 10.0, if the path becomes inactive, then all routes are termed as REACHABLE – YES, and ELIGIBLE - NO instead of REACHABLE - NO and ELIGIBLE – NO. These routes which are ineligible stay in the remote SD-WAN routing table instead of being purged.

Secure peering certificate and keys

  • Issue ID 695363: In the SD-WAN GUI, on the Secure Peering Certificate and Keys page, the CA certificate contents are displayed when the private CA radio button is selected after setting the Key Store password on a new appliance.

    Workaround: Switch between the radio buttons of the ‘Private CA’ and ‘CA Certificate’ once to get the correct contents displayed under ‘Private CA’ and ‘CA Certificate’ for Secure Peering Certificate and Keys.

Multicast traffic

  • Issue ID 694894: When you configure Application QoS rule with match type as “Application” to match ‘icmp’ and change the class to Real-time, and mode to load balance which overrides the default rule, the multicast traffic is not processed.

NetScaler SD-WAN 10.0.3 Release Notes