Citrix SD-WAN Orchestrator for On-premises 14.3

Release Notes for SD-WAN Orchestrator for On-premises 13.2 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix SD-WAN Orchestrator for On-premises release Build 13.2.


This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in Build 13.2.

Configuration and Management

Restore previous version

Citrix SD-WAN Orchestrator for On-premises introduces the Restore previous version functionality. When the Restore previous version option is selected, Citrix SD-WAN Orchestrator for On-premises initiates a network-wide activation of the previous configuration and restores the previously activated configuration / software on your network.

[ SDW-22042 ]

Licensing Enhancements

After the licenses are retrieved and upgraded to production, the Upgrade to Production button label changes to Upgraded to production indicating that the license upgrade is already done.

[ SDW-20674 ]

API - Site address resolution:

When a site is created using an API, the site address is automatically resolved through the Google Maps API from the latitude and longitude values passed as part of site creation.

[ SDW-20654 ]

Network menu restructure

The Citrix SD-WAN Orchestrator for On-premises Global Configuration menu has been restructured for better categorization and discoverability of the key functions of Citrix SD-WAN. Also, each delivery service is now available both in the delivery channels and on every key function page, so that admins can configure it from a global or a per-function context. For example, an admin can configure the Citrix SIA service globally under a delivery channel on Day 0 and can also perform Day N functions under Security, under Cloud Security Services, to make any changes.

The configuration pages at the network level are enhanced as follows:

  • Network Config Home is renamed to Network Home.
  • Delivery Services under Configuration > Delivery Channels is now renamed to Service Definitions.
  • Under Configuration > Security, the Network Encryption page is renamed to Network Security.
  • The pages under Configuration > Security are logically grouped as follows for easy discoverability:

    Group                      Menu options
    SD-WAN Overlay Security    Network Security
                               Virtual Path IPsec
    Base Firewall              Firewall Zone
                               Firewall Defaults
                               Firewall Policies
    IPsec & GRE                Certificates
                               IPsec Encryption Profiles
                               IPsec Service
                               GRE Service
    Wi-Fi Security             RADIUS Profiles
                               SSID Profiles
  • You can configure the following services either from Configuration > Delivery Channels > Service Definition or from Configuration > Security:

    • IPsec
    • GRE
  • The ECMP Groups page is moved under Configuration > Routing.

  • You can configure BGP, OSPF, Multicast Groups, and VRRP at the network level under Configuration > Routing. You can select a site and click Go. It takes you to the specific configuration page at the site level. Previously, these configurations were available only at the site level.

  • You can configure the Cloud Direct service either from Configuration > Delivery Channels > Service Definition or from Configuration > Routing > SaaS & Cloud On Ramp.

  • The Application and DNS settings page is renamed to App Settings and Groups.

  • DPI-related settings, which were earlier under Configuration > App & DNS Settings > Application Settings, are moved under Configuration > App Settings & Groups > DPI Settings.

  • Network Location Service page which was under Configuration > Delivery Services is placed directly under Configuration.

[ SDW-14698 ]

Rollback on error

During network deployment (activation), sites that fail to connect to Citrix SD-WAN Orchestrator for On-premises are rolled back to the previous version to try to restore connectivity. Rollback at such a site is initiated after the site has been offline for a specified time (currently 30 mins).

If any one of the sites in the network is trying to roll back, a pop-up box appears with two options: either roll back the entire network, or ignore those sites and end the deployment.

The Rollback on Error feature must be enabled before initiating a network deployment.

[ SDW-11153 ]


IP Rules

The Override Service option is added under the IP Rules > Virtual Path Traffic Policy section. When the Traffic Policy is selected as Override Service, you can select the service type as Intranet, Internet, pass-through, or Discard to which the virtual path service overrides.

[ SDW-22213 ]

Configuration Difference

A Config Diff feature is newly added at the Network level under Configuration. The Config Diff capability helps you to review the difference between any two versions of configuration checkpoints. You can also view the configurations both at the global and site levels.

[ SDW-4563 ]

Appliance settings

Citrix SD-WAN Orchestrator for On-premises introduces an option to configure the management network priority. You can select In-Band or Out-of-Band as the management interface for your network. This option is available only if the SD-WAN appliance is running a software version of 11.4.2 or later.

[ NSSDW-35774 ]

Platform and systems

Certificate authentication

Citrix SD-WAN Orchestrator for On-premises supports appliance authentication for static and dynamic virtual paths using Public Key Infrastructure (PKI) as an extra security feature. Enabling the feature extends the existing virtual path authentication mechanism by distributing PKI certificates over the data path, by the appliance initiating the exchange. The PKI enhancement also supports Certificate Revocation List (CRL) management for centralized revocation of compromised certificates.

[ SDW-19295 ]

Provider audit log and Network audit log enhancements

The Provider Audit logs and Network Audit logs pages are enhanced with the following options:

  • Source IP - This field displays the IP address of the endpoint from which an SD-WAN feature is configured. This field is displayed on the Audit logs page and the Audit Info page.
  • Export as CSV - This option enables you to export the audit logs to a CSV format.
  • What changed - This section displays the logs of all the changes made to the features through the UI. Enable the Log Payloads toggle button to view this section on the Audit Info page. Currently, this section is available on the Network Audit Info page.

[ SDW-19219 ]
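One way to review an exported audit log for configuration changes made from outside the management networks. This is an added example, not Citrix code: apart from Source IP, the CSV column names, the sample rows and the allowed networks are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Only "Source IP" is named in these release notes; every other column
# name in the sample below is an assumed layout for the exported CSV.
SOURCE_IP_COLUMN = "Source IP"

# Constructed sample export (hypothetical rows, documentation address ranges).
SAMPLE_EXPORT = """Time,User,Feature,Action,Source IP
2022-03-01T09:14:02Z,admin@example.com,Firewall Policies,UPDATE,10.20.0.15
2022-03-01T09:20:41Z,admin@example.com,IPsec Service,CREATE,10.20.0.15
2022-03-01T23:58:10Z,ops@example.com,Network Security,UPDATE,203.0.113.77
2022-03-02T00:03:55Z,ops@example.com,Certificates,DELETE,2001:db8::5
2022-03-02T00:05:12Z,ops@example.com,Firewall Zone,UPDATE,
"""


def find_unexpected_sources(csv_text, allowed_networks):
    """Return audit rows whose source IP is missing, malformed,
    or outside every network in allowed_networks (CIDR strings)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(SOURCE_IP_COLUMN) or "").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # An audit entry without a usable source is itself worth a look.
            findings.append({**row, "reason": "missing or malformed source IP"})
            continue
        # Compare only against networks of the same IP version.
        in_scope = any(addr.version == net.version and addr in net
                       for net in allowed)
        if not in_scope:
            findings.append({**row, "reason": "source IP outside management networks"})
    return findings


if __name__ == "__main__":
    # Assumed management network for the constructed sample.
    for f in find_unexpected_sources(SAMPLE_EXPORT, ["10.20.0.0/24"]):
        print(f["Time"], f["User"], f["Feature"], f["Action"],
              f[SOURCE_IP_COLUMN] or "-", "=>", f["reason"])
```
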

Custom Ports, Protocol Configuration for Domain Name Based Applications

The Domain name-based applications now support configurable ports and protocol in Citrix SD-WAN Orchestrator for On-premises. When you select the Configure Port check box, you can edit, add, or delete any port or the port range as required. Also, you can change/select the protocol as TCP, UDP, or Any. Previously (and with the configure port check box disabled), only ports 80 and 443, and protocol Any were supported for domains grouped under an application.

[ NSSDW-29930 ]

Fixed Issues

The issues that are addressed in Build 13.2.


The Citrix SD-WAN Orchestrator for On-premises UI is inaccessible. This issue occurs when services running in Citrix SD-WAN Orchestrator for On-premises fail to respond to heartbeat requests and the restart limit has been exceeded.

[ SDWANHELP-2544 ]

Upload of the software upgrade package fails on Citrix SD-WAN Orchestrator for On-premises. This issue occurs when a user moves away from the upload page when the upload of the software package is in progress.

[ SDWANHELP-2495 ]

Platform and systems

An SD-WAN appliance running a software version of 11.4.1 goes into Grace mode when licenses are assigned to the appliance from Citrix SD-WAN Orchestrator for On-premises.

[ SDW-23171 ]

Known Issues

The issues that exist in release 13.2.

Configuration and Management

On a newly imported Citrix SD-WAN Orchestrator for On-premises instance, staging gets stuck in the Preparing package state. This issue occurs when the staging process is initiated shortly after creating a new virtual machine.

Workaround: Retry the staging process.

[ SDW-20863 ]


The service state of an SD-WAN appliance running a software version of 11.4.2 is displayed as BAD on the Citrix SD-WAN Orchestrator for On-premises UI. The error message displayed is No Response from Orchestrator URL. This issue occurs when a custom domain is configured in Citrix SD-WAN Orchestrator for On-premises.

Workaround: Reboot the SD-WAN appliance.

[ SDW-23322 ]

The Restore previous version operation fails with the Activation Failed(ER101) error message for the sites in PSU when the partial site upgrade list is modified and a change management (stage and activate) is performed on a network.

Workaround: Perform another round of change management before applying the Restore previous version action.

[ SDW-23227 ]

In some scenarios, after deploying Cloud Direct for the sites and pushing the configurations (Stage and activate), the Cloud Direct service does not come up.

Workaround: Enable Cloud Direct service manually for each site.

[ SDW-22493 ]

The software version previously selected on the Deployment > Settings > Partial Site Upgrade > Software Version page of the UI is not being retained when the users come back to this page.

Workaround: Select the partial site upgrade software version manually for each site by navigating to Deployment > Select Sites.

[ SDW-22374 ]

Sometimes, the UI displays an error after a configuration of management interface settings is performed. However, the configuration is successful and a refresh is required for the updated settings to appear on the UI.

[ SDW-22139 ]

In a provider managed setup, the announcements added by the provider administrators are not getting displayed to customers at their login.

[ SDW-18491 ]

Platform and systems

Customers are not able to send push notifications to their own HTTP server.

[ SDW-23134 ]
