Citrix SD-WAN

Citrix SD-WAN 10.2.6 Release Notes

Introduction

This release note describes what’s new, fixed issues, and known issues applicable to Citrix SD-WAN software release 10.2 version 6 for the SD-WAN Standard Edition, WANOP, Premium Edition appliances, and SD-WAN Center.

For information about the previous release versions, see the Citrix SD-WAN

Note

CVE-2019-19781 - Vulnerability in Citrix SD-WAN WANOP appliances (applicable ONLY for 4000-WO, 4100-WO, 5000-WO, 5100-WO Platform models) leading to arbitrary code execution is fixed in release 10.2.6b. For more information, see CVE KB.

What’s New

IPFIX templates

The IPFIX template defines the order in which the data stream is to be interpreted. The collector receives a template record, followed by the data records. Templates 611, 612, and 613, used to export IPFIX flow data, are introduced in Citrix SD-WAN 10.2.6.

The Application Flow Info (IPFIX) option exports data sets as per templates 611 and 612, and the Basic Properties (IPFIX) option exports data sets as per template 613.
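The template-then-data exchange described above, seen from the collector side, as an added example (not Citrix code). Template ID 611 comes from this page; the field layout (IANA elements 8 sourceIPv4Address, 12 destinationIPv4Address, 4 protocolIdentifier, 1 octetDeltaCount), the addresses and all function names are constructed for illustration. Only fixed-length fields are decoded.

```python
import struct

def parse_templates(body, templates):
    """Cache each template record as template_id -> [(element_id, length)]."""
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if tid < 256:                       # set padding, not a template record
            break
        templates[tid] = fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos += 8 if ie & 0x8000 else 4  # enterprise bit: 4-byte PEN follows
            fields.append((ie, flen))

def decode_data(body, fields):
    """Slice a data set into records, reading fields in template order."""
    size, out, pos = sum(n for _, n in fields), [], 0
    while size and pos + size <= len(body):  # leftover bytes are padding
        rec = {}
        for ie, flen in fields:
            rec[ie] = int.from_bytes(body[pos:pos + flen], "big")
            pos += flen
        out.append(rec)
    return out

def parse_ipfix(msg, templates):
    """Decode one message; data sets whose template is unknown are skipped."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16                    # sets follow the 16-byte header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length runs past the message")
        if set_id == 2:                      # template set
            parse_templates(msg[off + 4:off + set_len], templates)
        elif set_id in templates:            # data set id == template id
            records += decode_data(msg[off + 4:off + set_len], templates[set_id])
        off += set_len
    return records

def sample_message():
    """Constructed input: template 611 with an illustrative layout, one record."""
    tset = struct.pack("!12H", 2, 24, 611, 4, 8, 4, 12, 4, 4, 1, 1, 8)
    dset = struct.pack("!HH8BBQ", 611, 21, 192, 0, 2, 10, 198, 51, 100, 7, 6, 1500)
    return struct.pack("!HHIII", 10, 61, 0, 1, 0) + tset + dset
```

The `templates` dictionary must persist across messages from the same exporter: a data set that arrives before its template cannot be interpreted and is skipped here.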

SD-WAN Standard Edition (SE) VPX password change

From release 10.2.6 onwards, it is mandatory to change the default admin user account password while provisioning any SD-WAN appliance or deploying a new SD-WAN SE VPX. This change is enforced in both the CLI and the UI.

A system maintenance account, CBVWSSH, exists for development and debugging and has no external login permissions. The account can only be accessed through a regular administrative user’s CLI session.

SD-WAN 210-LTE firmware upgrade

With the 10.2.6 release, the LTE active firmware is updated as part of the single step upgrade package. To upgrade, you need to update the schedule window using the Change Management Setting page or wait for the default scheduled time to upgrade the LTE firmware (daily at 21:20:00).

Fixed Issues

SDWANHELP-961: This issue potentially affects SD-WAN 4000 and 5000 WO appliances. After the appliance is running 10.1.0 to 10.2.5 for over a year, there is a possibility of too much data being kept in the logs.

SDWANHELP-1000: Whenever NetFlow is enabled in a high availability (HA) setup, an HA flap occurs due to a lack of resources.

SDWANHELP-1035: Routes are not propagated correctly to remote sites via the MCN and RCN.

SDWANHELP-1046: Installing a wildcard certificate on SD-WAN Center fails because of a problem with the Apache reload in older versions of Apache. As a result, the HTTPS certificate is not installed.

SDWANHELP-1049: A Virtual WAN virtual machine (VM) on XenServer based platforms might develop a large time offset over time. In this case, the time on the virtual WAN VM is inaccurate after a reboot.

SDWANHELP-1070: The time is not synced to the hardware clock after being changed, for example, by a manual time update or an NTP time update.

SDWANHELP-1078: Eliminate excessive log spamming caused by the mailer-daemon trying to log in to the TACACS+ server.

SDWANHELP-1095: The FTP Application Layer Gateway (ALG) might not parse FTP sessions correctly if EPSV or EPRT modes are used, causing a failure in the FTP session.

SDWANHELP-1096: In rare conditions, SD-WAN service restart can occur during Deep Packet Inspection (DPI).

SDWANHELP-1106: Export and Import of large sized configuration files on SD-WAN Center from MCN fails on earlier 10.2.x versions.

SDWANHELP-1112: BGP autonomous system (AS) number supports a 32-bit number.

SDWANHELP-1113: Intermittently unable to access management GUI on WANOP only platforms after upgrading to 11.0.2.

SDWANHELP-1114: While opening the graphs through the SD-WAN Center reporting page, it navigates to the graphs page but does not show any graphs.

SDWANHELP-1116: During a configuration update, sync event processing might be missed due to a high availability (HA) flap. This can leave the appliance in a problem state where route sync does not happen with other branches, resulting in a network outage.

SDWANHELP-1149: When you upload a new HTTPS certificate, it fails to apply and the old certificate is restored.

SDWANHELP-1160: The Citrix SD-WAN Center displays duplicate IP addresses under WAN links for a site in the Configuration Editor. The issue occurs when the fourth number in any two WAN link IP addresses starts with the same digit and varies by the number of digits like 4, 45, 486.

SDWANHELP-1164: On transferring the appliance settings from SD-WAN Center, if the password in the appliance settings contains a dollar symbol followed by some character, the transfer fails. For example, the passwords test$1 and test$1$d fail, but test1$ works.

SDWANHELP-1169: The service gets aborted when a packet is scheduled for transmission for a DVP that is pending removal. The software erroneously tries to remove it from an empty packet list. The software has been updated.

SDWANHELP-1176: Due to some orphan entries in the configuration database, the GET API for config_editor/virtual_paths throws some exceptions along with the response. The Cascade Delete has been fixed to avoid the orphan database entries.

SDWANHELP-1189: During the software appliance upgrade, the installation process can fail on the SD-WAN 210 Standard Edition (SE) appliances. On the failure detection, the appliance automatically reboots to avoid the issue so the upgrade can proceed.

SDWANHELP-1201: The LTE modem can reboot on its own sporadically. On start of a data session, the modem keeps reporting an error - service is not supported. The fix is to automatically disable and re-enable the modem to recover the failure.

SDWANHELP-1241: In a few cases, appliance information is not shown on the SD-WAN Center Inventory and Status page due to a crash of the SD-WAN Center service.

NSSDW-23795: In a few cases, reporting to NetFlow/IPFIX collectors (for example, SolarWinds) results in MYSQL error=(1064) in SDWAN_firewall.log. This issue results in incorrect plotting of bandwidth usage graphs.

NSSDW-24895: Increase the Citrix SD-WAN Center Software Upgrade buffer required for upgrading to newer releases.

NSSDW-24215: On Citrix SD-WAN appliances, SNMP generic walk is not functional. The fix is to properly handle the SNMP generic walk request and provide the response until the end of the SNMP Object Identifier (OID).

NSSDW-24862: Citrix SD-WAN is not sending the NetFlow data to the collectors at regular intervals.

NSSDW-25147: When the PPPoE feature is configured in SD-WAN appliances, the point-to-point protocol daemon (PPPD) runs to establish the PPPoE sessions. This configuration is vulnerable to CVE-2020-8597, a buffer overflow vulnerability. This issue is fixed starting from 11.1.0 release.

NSSDW-25265: The Citrix SD-WAN Center dashboard inventory table fails to display any data.

NSSDW-25067: A warning message or a busy message is displayed when the LTE modem is disabled and re-enabling it is attempted before the operating mode has switched to Lower Power. The fix is to warn the user and show the current operating mode before performing the enable/disable operation.

NSSDW-25135: At times, during Zscaler deployment, wrong configurations were used to create the mapping. The issue occurs due to erroneous duplicate entries in the database. The fix ensures that there are no duplicate entries in the database.

NSSDW-25440: Significant packet loss or network delays might be observed in Azure on instances with network acceleration enabled.

Known Issues

NSSDW-22748: IPFIX reports exported to the CA Management tool are not processed correctly per the IPFIX Specification. The issue only applies to the CA Management tool and is not seen when IPFIX reports are exported to collectors like SolarWinds and Splunk.

SDWANHELP-1159: Citrix SD-WAN doesn’t advertise the routes to the OSPF neighbor. This happens when the routes are changed at SD-WAN or a virtual path flap occurs, which causes virtual WAN routes to be resynced across the sites. In this case, if the link to the OSPF peer is lossy, SD-WAN might enter a state where it never advertises the SD-WAN routes to the OSPF neighbor.

Workaround: Stop and restart the virtual WAN service.
