NetScaler SD-WAN 9.2.1 Release Notes

This release notes describes the fixed issues, known issues, and limitations applicable to Citrix NetScaler SD-WAN software release 9.2.1 for the SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances.


  • This release note document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • The [# XXXXXX] labels for issue descriptions are internal tracking IDs used by the SD-WAN support team.

What’s New in Release 9.2.1 (build 1002)

The following new features and enhancements were introduced in NetScaler SD-WAN Release 9.2.1 build 1002:

Security Fix

NetScaler SD-WAN release 9.2.1, build 1002 has new images with security fix for CVE-2017-14602.

This vulnerability is only present when the above versions are used on the following appliance models:

  • Citrix NetScaler SD-WAN model 5100 WAN Optimization appliances
  • Citrix NetScaler SD-WAN (CloudBridge) model 5000 WAN Optimization appliances
  • Citrix NetScaler SD-WAN model 4100 WAN Optimization appliances
  • Citrix NetScaler SD-WAN (CloudBridge) model 4000 WAN Optimization appliances

For additional information related to this security fix, impacted editions, and platforms, refer to the security bulletin posted at

Fixed Issues

SD-WAN 4000 WANOP and 4000 SE

  • Issue ID 680778: A configuration audit error occurs in two-box mode deployment when a NetScaler SD-WAN 4000 SE appliance with two interface groups is configured with first interface group having bridged pair with two ethernet interfaces selected, and second interface group is connected to the WANOP appliance. The error occurs when the first interface group is enabled with WCCP listener indicating that multiple ethernet interfaces cannot be enabled with WCCP. When you revert configuration by disabling WCCP on the first interface group and enabling it on the second interface group, the same configuration audit error is displayed even though only one ethernet interface is enabled on the interface group.

  • Issue ID 680825: On a NetScaler SD-WAN 4000 appliance with release version 9.2, the HTTP service does not work for one of the SD-WAN instances and fails to start or restart the HTTPS service.

  • Issue ID 679121: While upgrading SD-WAN 4000 appliance from old releases to 9.2 release, the SD-WAN GUI appears before the upgrade process is completed. The old image is listed in the GUI.

SD-WAN 4100 SE

  • Issue ID 675715: On a NetScaler SD-WAN 4100 SE appliance, changing Interface settings for 1G interface does not work and causes link to become inactive. For example; changing the speed to 100MB does not work. The interface settings change option is disabled for all 1G ports similar to the 10G ports as it is not supported on the 4100-SE bare metal platform.

TCP Fragmented traffic

  • Issue ID 681472: Virtual WAN drops TCP Fragmented traffic when firewall connection tracking is enabled.

NTP Server Time Settings

  • Issue ID 680987: On NetScaler SD-WAN 2000 appliances, when you change the NTP server settings, the Enterprise Edition appliance time settings sync up with the new NTP server time settings and the correct time zone format is displayed. However, the new NTP server time settings on a WANOP appliance are not synchronized with the new NTP server time settings.

Diagnostic tool

  • Issue ID 680251: In a NetScaler SD-WAN VPX appliance setup, multiple IPREF client TCP sessions are initiated while server session is still on causing the server to display additional entries even when the client has stopped sending any further traffic.

Rules Group Tab

  • Issue ID 681562: The Rule group tab in SD-WAN Center report page does not show any data for the configured applications.

DPI- No audit error on disabling DPI

  • Issue ID 681175: If an application object created with DPI application is associated to a firewall policy template, and is used in firewall and then if the DPI is disabled, there is no audit error message displayed indicating that there are rules still associated with firewall as the firewall is still functional.

SSL Profile Name

  • Issue ID 681482: In a NetScaler SD-WAN VPX appliance setup, when you create an SSL profile and try to edit the profile and save it, the following error message is displayed: “No object with profile name exists”.

SSL Profile Page

  • Issue ID 681443: When creating or editing an SSL profile, the settings are saved but the application does not redirected to the SSL Profile home page.


  • Issue ID 681649: Unable to enable DHCP Server and Relay for management from the UI. On selecting Enbale DHCP Server, the fields Lease Time, Domain Name, Start IP Address and End IP Addresss should be editable, but these fields are not editable.

Security Vulnerability

  • Issue ID 690709: Unauthenticated remote code execution on NetScaler SD-WAN. This security hotfix addresses the vulnerabilities as described in the security bulletin article (CTX225990).

Known Issues

SD-WAN 4000 WANOP and 4000 SE

  • Issue ID 681550: On a NetScaler SD-WAN 4000 WANOP appliance, uploading DER encoded certificate for the SSL profile is ignored and no error message is displayed in the web GUI. Only PEM encoded certificates are accepted.

Two Box Mode

  • Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.

    Workaround: Disable and re-enable two box mode on the SD-WAN WANOP appliance.

SD-WAN 1000 / 2000

  • Issue ID 681663: When you upgrade SD-WAN 1000 / 2000 appliance from release build version to 9.2.x, a warning is displayed in the browser.

    Workaround: Perform the upgrade in an in-cognito mode window of the Google Chrome browser.


  • Issue ID 675452: NetScaler SD-WAN WANOP client info displays OS version as Windows 8 even when plugin is installed in Windows 10 OS.


  • Issue ID 683520: In the SD-WAN GUI, changing the interface settings for interface under Configuration > Appliance Settings > Network adapters > Ethernet does not work for the SD-WAN 1000-EE, 2000-EE and 400-SE platforms.

WAN GRE Tunnel

  • Issue ID 681171: Fragmented GRE tunnel packets are not reassembled properly by a NetScaler SD-WAN appliance.

IPSec Tunnel Configuration

  • Issue ID 681121: On a NetScaler SD-WAN VPX appliance, a web GUI error is displayed and configuration fails when you try to add and configure IPSec tunnel through the SD-WAN configuration editor.

    Workaround: Configure IKE and IPsec parameters except protected networks and save the configuration. Edit the configuration to add protected networks.

Enterprise Edition as MCN – SSL Profile

  • Issue ID 680199: On a factory shipped Enterprise Edition appliance when you create an SSL profile and associate a Service Class to the profile with unidirectional setting, the SSL profile is not checked/enabled in the SSL Profile page of the SD-WAN EE web GUI. Also, the service class is not associated to the SSL profile.

    Workaround: Create a new SSL profile and associate unidirectional service class (es).

Simplified Configuration

  • Issue ID 678342: In the SD-WAN configuration editor, secondary level confirmation is not provided when deleting a WAN Link, Interface Group, or Static Route from the Basics view.

Ethernet Interfaces Configuration

  • Issue ID 680585: In a NetScaler SD-WAN Standard Edition appliance web GUI, the Basic View under Configuration Editor allows you to create Interface without selecting ethernet interfaces. The created interface is displayed in the Advanced View as VLAN 0 instead of displaying in the Basic View.

Configuration and Reporting

  • Issue ID 683882: Audit errors are reported when you create more than one Service Class on an SD-WAN appliance with override options. This issue occurs only when you perform override for service class and create more than one service class. It is not observed when you create only one Service Class under the default section.

DPI- ICMP Functionality

  • Issue ID 677356: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.

    Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.

DPI – Dual- mode IPERF test identifies traffic only from one node

  • Issue ID 678131: When dual-mode IPERF test is performed between two appliances, the traffic in NetScaler SD-WAN web management interface under Monitoring > Firewall > Connections with DPI identifies traffic flow only from one of the connections.

DPI - Traffic classified as unknown when the traffic flows through EE appliances

  • Issue ID 677504: Applications are classified as Unknown protocol when the traffic flows through EE appliances, because the compressed traffic is not classified. Therefore, the Firewall rules do not work on EE appliance with DPI enabled when rules are configured with Application, Application Family or Application Object firewall policies. This issue occurs only when a WANOP Service Class Compression policy is configured on a Standard Edition/Enterprise Edition or Standard Edition/Standard Edition appliance with a WANOP deployment mode.

DPI – Any application traffic sent via GRE Tunnel is reported as GRE in SD-WAN Center

  • Issue ID 680994: Ideally, any application traffic (example HTTP) sent through the GRE tunnel should be classified by DPI reported as both GRE and the real application traffic (example HTTP) in the Application section of Reporting page in SD-WAN Center. Due to this bug, the real application (example HTTP) is also reported as GRE traffic. This bug is only a reporting issue and the real classification has no issues in the site level DPI. Both the classification and firewall actions after DPI will have no impact in any site.

DPI –Traffic for Top App Family as “Standard” and Top App as “Unknown Virtual protocol” for a Standard Edition appliance

  • Issue IDs 678373, 678339, 678545, 675063, 676017: On a NetScaler SD-WAN Standard Edition appliance, enable EDT policy for MSI+MP for Win7 and Win2K12 XD 7.12 VDAs on ports 2598, 2599, 2600, 2601 and subsequently disable Session Reliability policy for Win7 VDA.

    Start sending internet traffic and check the monitoring flows in the Standard-Edition web management interface for Classes, Rule groups – ICAUDP and ICACGPUDP, and Firewall. Check the Dashboard and Reporting page in SD-WAN Center web management interface. The results display Top Application Family as Standard and Top Applications as Unknown Virtual Protocol.

SD-WAN Center – GUI Error

  • Issue ID 683419: In the SD-WAN Center, read-only user login access generates the following GUI error: Error in retrieving top applications.


SD-WAN Center and Diagnostic Tool

  • SD-WAN web GUI Diagnostic tool will not be supported on UNTRUSTED links and Dynamic Virtual Paths.
  • In the SD-WAN Center Reporting page, the Application name, Application Family, and Site filter do not contain scrollable search drop-down menu.

Microsoft Azure

  • A VM in Azure can have Public IP on only one interface. This VM needs to be on the WAN link to establish Virtual Path. Management is accessed over Private network. While configuring SD-WAN SE-VPX, network interfaces have to added in following order:

    1. WAN interface (Private IP, Public IP)

    2. LAN interface (Private IP)

    3. Management interface (Private IP)

  • After a VM is created and booted in Azure, the interfaces cannot be added or deleted. The VM profile (RAM/HD/CPUs) can be changed.
  • Azure does not allow two network interfaces NIC on a VM to have IP address on same subnet. There is no L2 Support and bridging is not allowed. SE-VPX on Azure has to be deployed in Gateway mode.
  • There is no concept of MAC address spoofing in Azure Cloud. The LAN subnet of the SE-VPX and the LAN subnet of the Client/Server Host have to be different. This will require additional routing configuration to be done in two places.

    • User Defined Routes (UDR) have to be added in Azure directing all Virtual WAN Data traffic from the Client/Server LAN Subnet to the LAN interface of the SD-WAN SE-VPX in Azure.

    • Routes have to be added in the Virtual WAN Configuration File directing all Virtual WAN Data traffic coming from the WAN to the Client/Server LAN Subnet.

  • PCI Enumeration causes the order of NICs in an Azure VM to get switched on reboots. This might cause Management Subnet unreachability.