NetScaler SD-WAN 9.3.1 Release Notes

This release notes describes known issues, and fixed issues applicable to Citrix NetScaler SD-WAN software release 9.3.1 for the SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances.

For information about the previous release versions, see the NetScaler SD-WAN documentation on

Fixed Issues

SD-WAN 4100 and 5100 WANOP

Issue ID 688095 and 687990: In NetScaler SD-WAN 4100 and 5100 WANOP appliances, when the time zone or date is changed, the NetScaler instance reboots. While rebooting the CB broker is unable to communicate with the NetScaler instance and hence displays the IP address of the NetScaler instance as The corresponding IP address of the NetScaler instance is displayed after the reboot.

Change Management (Single Step Upgrade) SD-WAN GUI

Issue ID 691359: You can download LCM package by clicking on the active/staged hyperlink under Download Package when using the tar.gz files to perform change Management. This will download only the Virtual WAN package as in the previous release versions. If you use the .zip file of single step upgrade procedure to perform change management, the staged/active hyperlink under Download LCM Package downloads the single step upgrade package.

Issue ID 691746: In SD-WAN 1000 and 2000 appliances, when the software is upgraded from 8.1.0 to 9.3.0 and the appliance license is changed from SE to EE, the WAN Optimization node is not displayed in the Configuration and Monitoring tabs.

SD-WAN Center

Issue ID 683419: In the SD-WAN Center, read-only user login access generates the following GUI error:

Error in retrieving top applications.

Issue ID 692484: In the SD-WAN Center network map dashboard, sites with manually added Static or Dynamic Virtual paths are not accounted symmetrically for both the sites. When visualizing sites in the network map, only one of the sites constituting Static or Dynamic Virtual path is displayed.

Issue ID 692500: The SD-WAN Center dashboard does not work on Internet Explorer browser, all other pages of SD-WAN Center web interface works fine on Internet Explorer browser.

Known Issues


SD-WAN Appliances

Issue ID 686768: When you configure Primary MCN and Secondary MCN for the first time, the Primary MCN is incorrectly configured as secondary MCN.

Issue ID 677856: SD-WAN appliance will not honor drop or reject firewall filter rules for any traffic when the appliance goes to Fail-to-wire (FTW) mode.

SD-WAN VPX Appliances

Issue ID 694837: For High Availability in Amazon Web Services (AWS) environment, Virtual WAN service is disabled on a NetScaler SD-WAN VPX Primary (active) appliance citing duplicate IP address when the HA interface on the primary appliance goes down.

SD-WAN VPX Appliances Software Downgrade

Issue ID 670142: SD-WAN software downgrade for SD-WAN VPX appliances from release 9.1.1 to version 9.1.0 does not work in XenServer, ESXi, and AWS environments.

SD-WAN 4000 WANOP and 4000 SE

Issue ID 681550: On a NetScaler SD-WAN 4000 WANOP appliance, uploading DER encoded certificate for the SSL profile is ignored and no error message is displayed in the web GUI. Only PEM encoded certificates are accepted.

SD-WAN 4100 and 5100 WANOP

Issue ID 691656: When provisioning SD-WAN 4100 and 5100 WANOP appliances with NetScaler SD-WAN 9.3 build, the provisioning fails and a message that the NetScaler SD-WAN instance is down appears. Retrying the operation succeeds.

Two Box Mode

Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.

Workaround: Disable and re-enable two-box mode on the SD-WAN WANOP appliance.

SD-WAN 1000 / 2000

Issue ID 681663: When you upgrade SD-WAN 1000 / 2000 appliance from release build version to 9.2.x, a warning is displayed in the browser.

Workaround: Perform the upgrade in an in-cognito mode window of the Google Chrome browser.

SD-WAN WANOP 4000, 4100, and 5100

Issue ID 688948: On SD-WAN WANOP 4000 platform editions with SVM running software release version earlier than 9.3.0, TACACS user with read-only viewer privilege setting did not require executable command for user profile in the remote TACACS server.

In release 9.3.x, read-only command needs to be configured for read only user in the remote TACACS server.

Sample user configuration in remote TACACS server:

user = tac_super1 {

        login = cleartext tac_super1_pwd

        cmd = superuser { permit .* }


user = tac_ro1 {

        login = cleartext tac_ro1_pwd

        cmd = read-only { permit .* } // earlier this was not required


Upgrade Failure

Issue ID 689362: In CB VPX, upgrade from 7.2.2 to image failed. The following error message is displayed- “Unable to upload patch. Patch size may be too large!” There is a limit for patch size in older builds.

SD-WAN GUI Audit Error

Issue ID 687693: In the NetScaler SD-WAN GUI, when you navigate to Basic view > Add Service Provider with maximum number in the Physical Rate field, the generated audit error is misleading - Integer must be less than or equal to XXX.XXX (decimal number).

Issue ID 687701: In the NetScaler SD-WAN GUI, Service Provider Queue rate value percentage is represented incorrectly when max value is added in the physical rate field.

MSI behavior on Standard Edition and Enterprise Edition Appliances

Issue ID 690826: On NetScaler SD-WAN Standard Edition appliance although there is no optimization feature, the new HDX implementation in 9.3.0_x prevents HDX sessions from being negotiated as Multistream or Multistream + Multiport even if policies are Enabled on XD Studio.

SD-WAN release 9.2.1_X did not exhibit this behavior. The SD MSI and MSI+MP policies were honored and sessions would get negotiated as multistream if these policies were set. This behavior is deprecated in 9.3.0_x. This behavior is applicable to Enterprise Edition appliance as well.


Issue ID 690794: HDX ICA/CGP over SSL session’s behavior In Virtual WAN Standard Edition:

  • HDX sessions are not being negotiated as multi stream sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.
  • HDX traffic is classified as belonging to Hyper Text Transfer Protocol Secure (https) application and web family.
  • HDX traffic falls under interactive_very_low class. This may cause issues in QoS, bandwidth allocation and so on as application QoS will not be triggered because the traffic is not classified as HDX sessions.

Issue ID 690805: HDX ICA/CGP over SSL behavior In Virtual WAN Enterprise Edition:

  • HDX sessions are negotiates as multi stream session.
  • HDX traffic is classified as belonging to Hyper Text Transfer Protocol Secure (https) application and web family.
  • HDX traffic falls under HDX_priority_tag_1 class. However, this traffic is not reported in Application QoS reports and in HDX reports in SD-WAN Center. However, in WANOP reports display CGP over SSL sessions as HDX session.


WAN GRE Tunnel

Issue ID 681171: a NetScaler SD-WAN appliance does not reassemble fragmented GRE tunnel packets properly.

IPsec Tunnel Configuration

Issue ID 681121: On a NetScaler SD-WAN VPX appliance, a web GUI error is displayed and configuration fails when you try to add and configure IPsec tunnel through the SD-WAN configuration editor.

**Workaround:** Configure IKE and IPsec parameters except protected networks and save the configuration. Edit the configuration to add protected networks.

Enterprise Edition as MCN – SSL Profile

Issue ID 680199: On a factory shipped Enterprise Edition appliance when you create an SSL profile and associate a Service Class to the profile with unidirectional setting, the SSL profile is not checked/enabled in the SSL Profile page of the SD-WAN EE web GUI. In addition, the service class is not associated to the SSL profile.

**Workaround:** Create a new SSL profile and associate unidirectional service classes.

Configuration and Reporting

Issue ID 683882: Audit errors are reported when you create more than one Service Class on an SD-WAN appliance with override options. This issue occurs only when you perform override for service class and create more than one service class. This behavior is not observed when you create only one Service Class under the default section.

Transparent proxy support for TLS 1.2

Issue ID 691900: In NetScaler SD-WAN WANOP 9.3.0, for SSL compression the SSL profile has to be configured in split mode only as transparent proxy mode is not supported

Change Management (Single Step Upgrade) SD-WAN GUI

Issue ID 691571: On low-end platform editions, such as the SD-WAN 400, 100, 2000, or VPX appliances with 4 GB or smaller memory assigned, if concurrent local change management package downloads are initiated the appliance runs out of memory and becomes unresponsive.

**Workaround**: Download local change management package one at a time, this reduces the load on the appliance.

Issue ID 691953: During software upgrade on an appliance using a Standard Edition license, a WAN optimization related waring message appears. After the scheduled upgrade and after the WAN optimization, SVM and XenServer hotfixes are installed the warning message is cleared.

Workaround: Clear the warning messages manually or open the SD-WAN web UI in an incognito browser window.

Issue ID 691080: The single step upgrade procedure fails on an SD-WAN MCN appliance in a high availability mode. Single Step Upgrade involves transmission of WAN Opt packages by MCN once Virtual WAN package Activation is done. If the MCN site is in HA, there is a possibility that on Activation of Virtual WAN packages the HA role might toggle. Due to this the Secondary appliance becomes Active which never had the WAN Opt packages uploaded hence would not be able to transmit it to other sites.

**Workaround**: If the HA toggle happens post Virtual WAN package activation, then manually perform HA toggle. Navigate to **Configuration** > **Appliance Settings** > **Administrator Interface** > **Miscellaneous** and click   **Switch HA Mode**. This will make the Primary appliance as Active MCN and hence the WAN Opt package transfer will resume.

Secure Peering Certificate and Keys

Issue ID 695363: In the SD-WAN GUI, on the Secure Peering Certificate and Keys page, the CA certificate contents are displayed when the private CA radio button is selected after setting the KeyStore password on a new appliance.

             **Workaround**: You need to switch between the radio buttons of the 'Private CA' and 'CA Certificate' once to get the correct contents displayed under 'Private CA' and 'CA Certificate' for Secure Peering Certificate and Keys.

Multicast Traffic

Issue ID 694894: When you configure Application QoS rule with match type as “Application” to match ‘icmp’ and change the class to Realtime, and mode to loadbalance which overrides the default rule, the multicast traffic is not processed.

DPI- ICMP Functionality

Issue ID 677356: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.

**Workaround**: Instead of blocking ICMP as an application**,** block **IP-protocol** > **ICMP**.

DPI – Dual- mode IPERF test identifies traffic only from one node

Issue ID 678131: When dual-mode IPERF test is performed between two appliances, the traffic in NetScaler SD-WAN web management interface under Monitoring > Firewall > Connections with DPI identifies traffic flow only from one of the connections.

DPI –Traffic for Top App Family as “Standard” and Top App as “Unknown Virtual protocol” for a Standard Edition appliance

Issue IDs 678373, 678339, 678545, 675063, 676017: On a NetScaler SD-WAN Standard Edition appliance, enable EDT policy for MSI+MP for Win7 and Win2K12 XD 7.12 VDAs on ports 2598, 2599, 2600, 2601 and subsequently disable Session Reliability policy for Win7 VDA.

Start sending internet traffic and check the monitoring flows in the Standard-Edition web management interface for Classes, Rule groups – ICAUDP and ICACGPUDP, and Firewall. Check the Dashboard and Reporting page in SD-WAN Center web management interface. The results display Top Application Family as Standard and Top Applications as Unknown Virtual Protocol.

SD-WAN Center

Issue ID 692486: In the SD-WAN Center, intermittent 550 site information for all sites on the dashboard is displayed in yellow tile. These sites are considered as BAD sites. However, data for the sites gets auto corrected and displays correct information for all sites.

Issue ID 692487: In the SD-WAN Center dashboard, configuration setup for monitoring 400 or more sites can take approximately 4 minutes to load.

Issue ID 693436: The clear connections/flows clears SD WAN connection table entries and subsequently all the ICA sessions The SD-WAN Center dashboard shows incorrect results for HDX TCP and EDT classification sessions and reports it as “Not Classified”.

Issue ID 693026: For HDX configuration, only UDP ICA sessions are classified by ICA classifier. The FrameHawk ICA session are ignored. The SD-WAN DPI fails to classify the FrameHawk sessions.

Issue ID 694541: NetScaler SD-WAN Center dashboard reports an MSI + MP session as single stream instead of multi stream. When you configure any of the default ICA/CGP ports, 1494 or 2598 as part of the DPI ICA Port range under the Global Application Settings, the ports will not be honored.

**Workaround**: Do not use that port for the port range.



  • The number of users is equal to the total number of HDX sessions. The number of users is not based on distinct user names. That is, two sessions started by a single user on two different machines or the same machine is counted as two users.
  • HDX sessions are not being negotiated as Multi Stream Sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.
  • HTML5 receiver and ICA over SSL are not supported.

SD-WAN Center and Diagnostics Tool

  • SD-WAN web GUI Diagnostic tool will not be supported on UNTRUSTED links and Dynamic Virtual Paths.
  • In the SD-WAN Center Reporting page, the Application name, Application Family, and Site filter do not contain scrollable search drop-down menu.
  • For SD-WAN Standard Edition, a connection with high latency is displayed as Poor Connection in the Citrix Quality Indicator (CQI) Tool. While, in SD-WAN Center the Network HDX QOE is still displayed as Good.

Microsoft Azure

  • After a VM is created and booted in Azure, the interfaces cannot be added or deleted. The VM profile (RAM/HD/CPUs) can be changed.
  • Azure does not allow two network interfaces NIC on a VM to have IP address on same subnet. There is no L2 Support and bridging is not allowed. VPX-SE on Azure has to be deployed in Gateway mode.
  • There is no concept of MAC address spoofing in Azure Cloud. The LAN subnet of the VPX-SE and the LAN subnet of the Client/Server Host have to be different. This will require additional routing configuration to be done in two places. – User Defined Routes (UDR) have to be added in Azure directing all Virtual WAN Data traffic from the Client/Server LAN Subnet to the LAN interface of the VPX-SE in Azure. – Routes have to be added in the Virtual WAN Configuration File directing all Virtual WAN Data traffic coming from the WAN to the Client/Server LAN Subnet.
  • PCI Enumeration causes the order of NICs in an Azure VM to get switched on reboots. This might cause Management Subnet unreachability.

NetScaler SD-WAN 9.3.1 Release Notes