NetScaler SD-WAN 9.3.2 Release Notes

Dec 05, 2017

These release notes describe the known issues and fixed issues applicable to Citrix NetScaler SD-WAN software release 9.3.2 for the SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances.

For information about the previous release versions, see the NetScaler SD-WAN documentation on docs.citrix.com.

Fixed Issues

Issue ID 699095: NetScaler SD-WAN service restarts when a Dynamic virtual path is removed while traffic is traversing through it.

Issue ID 699115: The NetScaler SD-WAN appliance crashes and the service is disabled while handling route failovers for existing flows processed in the system.

Issue ID 698346: In the SD-WAN GUI, under Firewall Static NAT Policies, a new option, “Proxy ARP”, is added and is disabled by default. If the “Proxy ARP” option is enabled, the SD-WAN appliance responds to ARP requests received for the outside IP address, based on the configured Static Inbound/Outbound NAT rule.

Issue ID 698202: In NetScaler SD-WAN, the “Virtual Path” service type for Firewall Static NAT policies is added. You can now configure Static Inbound/Outbound NAT for the Virtual Path service by specifying the Source and Destination Zones and the Inside and Outside IP addresses.

Issue ID 697539: NetScaler SD-WAN might set faulty MTUs because MTU probes are lost on a network with packet loss. This could cause bad paths, resulting in performance issues or impacting change management.

Issue ID 698659: When you upgrade SD-WAN from release version 9.2 to 9.3 using the single step upgrade procedure, the upgrade fails because the file size limit is exceeded.

Issue ID 677856: The SD-WAN appliance does not honor drop or reject firewall filter rules for any traffic when the appliance goes into Fail-to-wire (FTW) mode.

Issue ID 697804: A NetScaler SD-WAN Enterprise Edition appliance crashes when an optimized traffic flow becomes unoptimized.

Issue ID 692486: In SD-WAN Center, with 550 sites, site information for all sites on the dashboard is intermittently displayed in a yellow tile, and these sites are considered BAD sites. However, the site data is auto-corrected and correct information is then displayed for all sites.

Issue ID 694613/697736: When an SD-WAN appliance in HA mode is peered with a neighbor router through OSPF, changing static routes from external (type 5) to type 1 may result in the neighboring router retaining the routes. This is more likely to happen when the standby appliance becomes active.

Issue ID 698353: On NetScaler SD-WAN 4100/5100 platforms, packets may be erroneously dropped during application classification when DPI is enabled.

Issue ID 699375/699402: When a packet is lost in SureFT, it is supposed to be retransmitted. The retransmits occur, but with zero-length data (observable through the internal packet capture utility). Additionally, when the connection to the MCN is lost, the branch continues to make requests to the MCN for all outstanding file blocks, which may use as much as 100 kbps for each transaction. The transactions never terminate, leaving the branch requesting indefinitely.

Issue ID 697294: NetScaler SD-WAN network might experience a service restart in scale environments when Paths or Virtual Paths are changing states frequently.

Issue ID 695506: In HA mode, on a NetScaler SD-WAN 3000-SE secondary appliance, you cannot edit and configure LDAP authentication for user administration.

Issue ID 694594: On NetScaler SD-WAN Enterprise Edition appliances, a configuration update that causes the WCCP router to reboot multiple times results in the WAN OP functionality being disabled.

Issue ID 696499: On a NetScaler SD-WAN 5100-SE appliance, an unexpected service restart occurs due to an IPMI failure.

Issue ID 697548: When an MCN is deployed with an HA peer, an unexpected service restart may cause Change Management on both appliances to try to manage the network. When this occurs, failures in Change Management staging may be observed.

Issue ID 698350: In NetScaler SD-WAN, for Firewall Static NAT Inbound Policies, traffic received on the configured outside IP address is forwarded to the originator.

Issue ID 696748: When HA is configured and active for an MCN, change management may repeatedly fail for some appliances if an HA switch is triggered unexpectedly during a change management procedure. The failures may persist even after change management has completed for the other appliances in the network.

Known Issues

Platform

SD-WAN Appliances

Issue ID 686768: When you configure Primary MCN and Secondary MCN for the first time, the Primary MCN is incorrectly configured as secondary MCN.

SD-WAN VPX Appliances

Issue ID 694837: For High Availability in an Amazon Web Services (AWS) environment, the Virtual WAN service is disabled on a NetScaler SD-WAN VPX Primary (active) appliance, citing a duplicate IP address, when the HA interface on the primary appliance goes down.

SD-WAN 4000 WANOP and 4000 SE

Issue ID 681550: On a NetScaler SD-WAN 4000 WANOP appliance, uploading a DER-encoded certificate for the SSL profile is silently ignored and no error message is displayed in the web GUI. Only PEM-encoded certificates are accepted.

Two Box Mode

Issue ID 681680: After a factory reset on the SD-WAN SE appliance in a two box mode, configuration sync between SD-WAN WANOP and SD-WAN SE appliances fails due to stale SSL certificates.

    Workaround: Disable and re-enable two-box mode on the SD-WAN WANOP appliance.

SD-WAN 1000 / 2000

Issue ID 681663: When you upgrade an SD-WAN 1000 / 2000 appliance from release build version 9.1.2.26 to 9.2.x, a warning is displayed in the browser.

    Workaround: Perform the upgrade in an incognito window of the Google Chrome browser.

HDX CGP over SSL

Issue ID 690794: Behavior of HDX ICA/CGP over SSL sessions in Virtual WAN Standard Edition:

  • HDX sessions are not negotiated as multi-stream sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.
  • HDX traffic is classified as belonging to the Hypertext Transfer Protocol Secure (HTTPS) application and the web family.
  • HDX traffic falls under the interactive_very_low class. This may cause issues in QoS, bandwidth allocation, and so on, because application QoS is not triggered when the traffic is not classified as HDX sessions.

Configuration

WAN GRE Tunnel

Issue ID 681171: A NetScaler SD-WAN appliance does not reassemble fragmented GRE tunnel packets properly.

IPsec Tunnel Configuration

Issue ID 681121: On a NetScaler SD-WAN VPX appliance, a web GUI error is displayed and the configuration fails when you try to add and configure an IPsec tunnel through the SD-WAN configuration editor.

    Workaround: Configure IKE and IPsec parameters except protected networks and save the configuration. Edit the configuration to add protected networks.

Enterprise Edition as MCN – SSL Profile

Issue ID 680199: On a factory-shipped Enterprise Edition appliance, when you create an SSL profile and associate a Service Class with the profile using the unidirectional setting, the SSL profile is not checked/enabled on the SSL Profile page of the SD-WAN EE web GUI. In addition, the service class is not associated with the SSL profile.

    Workaround: Create a new SSL profile and associate unidirectional service classes.

Configuration and Reporting

Issue ID 683882: Audit errors are reported when you create more than one Service Class with override options on an SD-WAN appliance. This issue occurs only when you use the override for a service class and create more than one service class. This behavior is not observed when you create only one Service Class under the default section.

Transparent proxy support for TLS 1.2

Issue ID 691900: In NetScaler SD-WAN WANOP 9.3.0, for SSL compression the SSL profile must be configured in split mode only, because transparent proxy mode is not supported.

Change Management SD-WAN GUI

Issue ID 698803: During the staging phase of the change management procedure on an SD-WAN appliance, the configuration fails when you change the MTU on the intermediate router to 600.

Change Management (Single Step Upgrade) SD-WAN GUI

Issue ID 691571: On low-end platform editions, such as the SD-WAN 400, 100, 2000, or VPX appliances with 4 GB or less memory assigned, if concurrent local change management package downloads are initiated, the appliance runs out of memory and becomes unresponsive.

    Workaround: Download local change management packages one at a time; this reduces the load on the appliance.

Issue ID 691953: During a software upgrade on an appliance using a Standard Edition license, a WAN optimization related warning message appears. After the scheduled upgrade, and after the WAN optimization, SVM, and XenServer hotfixes are installed, the warning message is cleared.

    Workaround: Clear the warning messages manually or open the SD-WAN web UI in an incognito browser window.

Issue ID 691080: The single step upgrade procedure fails on an SD-WAN MCN appliance in high availability mode. Single Step Upgrade involves transmission of the WAN Opt packages by the MCN once Virtual WAN package Activation is done. If the MCN site is in HA, the HA role might toggle on Activation of the Virtual WAN packages. The Secondary appliance then becomes Active, but it never had the WAN Opt packages uploaded and therefore cannot transmit them to the other sites.

    Workaround: If the HA toggle happens after Virtual WAN package activation, manually perform an HA toggle. Navigate to Configuration > Appliance Settings > Administrator Interface > Miscellaneous and click Switch HA Mode. This makes the Primary appliance the Active MCN, and the WAN Opt package transfer resumes.

Secure Peering Certificate and Keys

Issue ID 695363: In the SD-WAN GUI, on the Secure Peering Certificate and Keys page, the CA certificate contents are displayed when the Private CA radio button is selected after setting the KeyStore password on a new appliance.

    Workaround: Switch between the 'Private CA' and 'CA Certificate' radio buttons once to display the correct contents under 'Private CA' and 'CA Certificate' for Secure Peering Certificate and Keys.

Multicast Traffic

Issue ID 694894: When you configure an Application QoS rule with match type "Application" to match 'icmp', change the class to Real-time, and set the mode to load balance, which overrides the default rule, multicast traffic is not processed.

DPI Functionality

DPI- ICMP Functionality

Issue ID 677356: A firewall policy for blocking ICMP as an application blocks only pings (echo requests). All other ICMP types are allowed to pass through.

    Workaround: Instead of blocking ICMP as an application, block IP-protocol > ICMP.

DPI – Dual-mode IPERF test identifies traffic only from one node

Issue ID 678131: When a dual-mode IPERF test is performed between two appliances, the traffic shown in the NetScaler SD-WAN web management interface under Monitoring > Firewall > Connections with DPI identifies the traffic flow from only one of the connections.

DPI – Traffic for Top App Family as "Standard" and Top App as "Unknown Virtual protocol" for a Standard Edition appliance

Issue IDs 678373, 678339, 678545, 675063, 676017: On a NetScaler SD-WAN Standard Edition appliance, enable the EDT policy for MSI+MP for Win7 and Win2K12 XD 7.12 VDAs on ports 2598, 2599, 2600, and 2601, and subsequently disable the Session Reliability policy for the Win7 VDA.

Start sending internet traffic and check the monitoring flows in the Standard Edition web management interface for Classes, Rule groups (ICAUDP and ICACGPUDP), and Firewall. Check the Dashboard and Reporting pages in the SD-WAN Center web management interface. The results display the Top Application Family as Standard and the Top Applications as Unknown Virtual Protocol.

SD-WAN Center

Issue ID 692487: In the SD-WAN Center dashboard, configuration setup for monitoring 400 or more sites can take approximately 4 minutes to load.

Issue ID 693436: The clear connections/flows operation clears the SD-WAN connection table entries and subsequently all ICA sessions. The SD-WAN Center dashboard then shows incorrect results for HDX TCP and EDT classification sessions and reports them as “Not Classified”.

Issue ID 693026: For HDX configuration, only UDP ICA sessions are classified by the ICA classifier. FrameHawk ICA sessions are ignored; the SD-WAN DPI fails to classify FrameHawk sessions.

Issue ID 694541: The NetScaler SD-WAN Center dashboard reports an MSI+MP session as single stream instead of multi-stream. When you configure either of the default ICA/CGP ports, 1494 or 2598, as part of the DPI ICA Port range under the Global Application Settings, the ports are not honored.

    Workaround: Do not use those ports in the port range.

Issue ID 692487: In a network setup with 550 sites, if you perform any network level changes, it takes approximately 5-8 minutes for the information to be displayed in the SD-WAN Center Dashboard.

Limitations

HDX

  • The number of users is equal to the total number of HDX sessions. The number of users is not based on distinct user names. That is, two sessions started by a single user on two different machines, or on the same machine, are counted as two users.
  • HDX sessions are not negotiated as Multi Stream Sessions even though MSI is enabled on the appliance and MSI+MP policies are set on incoming ICA traffic.
  • HTML5 Receiver and ICA over SSL are not supported.

ICA UDP

  • Classification and Reporting of audio over UDP ports 16500 to 16509 (Real Time Transport traffic) is not supported in release 9.3.1.x.

SD-WAN Center and Diagnostics Tool

  • The SD-WAN web GUI Diagnostic tool is not supported on UNTRUSTED links and Dynamic Virtual Paths.
  • In the SD-WAN Center Reporting page, the Application name, Application Family, and Site filters do not contain a scrollable search drop-down menu.
  • For SD-WAN Standard Edition, a connection with high latency is displayed as Poor Connection in the Citrix Quality Indicator (CQI) Tool, while in SD-WAN Center the Network HDX QOE is still displayed as Good.

Microsoft Azure

  • After a VM is created and booted in Azure, interfaces cannot be added or deleted. The VM profile (RAM/HD/CPUs) can be changed.
  • Azure does not allow two network interfaces (NICs) on a VM to have IP addresses on the same subnet. There is no L2 support and bridging is not allowed. VPX-SE on Azure must be deployed in Gateway mode.
  • There is no concept of MAC address spoofing in Azure Cloud. The LAN subnet of the VPX-SE and the LAN subnet of the Client/Server host must be different. This requires additional routing configuration in two places:
        – User Defined Routes (UDR) must be added in Azure directing all Virtual WAN Data traffic from the Client/Server LAN Subnet to the LAN interface of the VPX-SE in Azure.
        – Routes must be added in the Virtual WAN Configuration File directing all Virtual WAN Data traffic coming from the WAN to the Client/Server LAN Subnet.
  • PCI enumeration causes the order of NICs in an Azure VM to be switched on reboot. This might make the Management Subnet unreachable.