Citrix SD-WAN

Release Notes

This release notes describes what’s new, fixed issues, and known issues applicable to Citrix SD-WAN software release 11 version 2 for the SD-WAN Standard Edition, WANOP, Premium Edition appliances, and SD-WAN Center.

For information about the previous release versions, see the Citrix SD-WAN documentation.

What’s New

Edge Security - The Citrix SD-WAN Edge Security capability enables advanced security on Citrix SD-WAN branch appliances. It simplifies information security management by providing a single management and reporting pane for Network Edge Security. It eliminates the need for multiple branch solutions by consolidating routing, SD-WAN, and security capabilities on a single appliance. This reduces network complexity, operational cost, and provides a more secure network edge. The Edge Security stack includes the following security functionality:

  • Web Filtering
  • Anti-Malware
  • Intrusion Prevention


The Edge Security is only supported for Citrix SD-WAN deployments managed through the Citrix SD-WAN orchestrator.

LTE network and roaming support - You can now select the mobile network on your Citrix SD-WAN appliances that support the internal LTE modem. The supported networks are 3G, 4G, or both. The roaming option is enabled by default on your LTE appliances, you can choose to disable it.

For more information on LTE network and roaming support, see:

Metered link redesign - In Citrix SD-WAN UI, a new option - Approximate Data Already Used is added under Metered/Standby Link section. To track proper metered link usage, the user must enter the approximate usage on the metered link if the link has already been used for some days in the current billing cycle. This approximate usage is used only for the first cycle.

DHCP support on Fail-To-Wire port - The DHCP client capability is now extended on fail-to-wire port for the branch site with serial High Availability (HA) deployments. This enhancement:

  • Allows the DHCP client configuration on the untrusted interface group that has fail-to-wire bridge pair and serial HA deployments.

  • Allows DHCP interfaces to be selected as part of Private Intranet WAN links in addition to Internet WAN links.

Checkpoint firewall - The Checkpoint Firewall is integrated with the SD-WAN 1100 platform to provide advanced security for branch appliances. The Checkpoint Firewall supplies the next-generation firewall features such as URL Filtering, Antivirus, SSL Inspection, and Intrusion Prevention. This integration offers the ability to deploy the secure SD-WAN at the branch locations using Citrix SD-WAN Center while managing the security policies with the Check Point management platform.

Enable packet duplication for ICA real-time - Packet duplication is now enabled by default for HDX real-time traffic when multi-stream Independent Computing Architecture (ICA) is in use.

Support 256 virtual paths with SD-WAN SE in Azure - Earlier, 128 virtual paths were supported in Azure. From release 11.2 onwards, 256 virtual paths are supported with SD-WAN SE in Azure.

Subnet support - From release 11.2 onwards, Citrix SD-WAN UI allows /31 subnets for configuring the network address.

TLSv1.3 protocol support in HTTPS and new algorithms support in SSH - Citrix SD-WAN now has TLSv1.3 protocol support in HTTPS access and also has new algorithms support in SSH access.

Cloud Direct support - From release 11.2 onwards, the Cloud Direct service is supported on SD-WAN 2100, 4100, and 6100 appliances. Both SD-WAN Center and Orchestrator allow the Cloud Direct service feature to be deployed on SD-WAN 2100, 4100, and 6,100 appliances. SD-WAN Center supports up to 250 Mbps subscription licenses for Cloud Direct.

WAN link bandwidth sharing when Cloud Direct service is inactive - A WAN link bandwidth is no longer needed to be reserved exclusively for the Cloud Direct service. If the Cloud Direct service is not active then the other services such as virtual path, internet, or intranet services configured on that WAN link can use the bandwidth as per the configured shares.

Fixed Issues

SDWANHELP-1098: Citrix SD-WAN Optimization Rules UI crashes after adding or modifying any of its rules name with double quotes. This is applicable for Application Classifiers, Links, Service Classes, and Traffic Shaping Policies rules.

SDWANHELP-1159: Citrix SD-WAN does not advertise the routes to the OSPF neighbor. This happens when the routes are changed at SD-WAN appliance or virtual paths flap happens which causes virtual WAN routes to be resynced across the sites. In this case, if the link to the OSPF peer is lossy, SD-WAN appliance might enter a state where it never advertises the SD-WAN routes to the OSPF neighbor.

SDWANHELP-1169: The SD-WAN service gets aborted when a packet is scheduled for transmission for a DVP that is pending removal. The software erroneously tries to remove it from an empty packet list.

SDWANHELP-1189: During the software appliance upgrade, the installation process can fail on the SD-WAN 210 Standard Edition (SE) appliances. To continue with the upgrade process, the appliance must be rebooted.

SDWANHELP-1222: In rare conditions, when connection tracking is enabled on an SD-WAN appliance, a specific combination of IP addresses, packet length, and IP protocol, might cause an error in checksum validation. Hence, the UDP or TCP packets inappropriately get dropped.

SDWANHELP-1241: In few cases, appliance information is not shown on the SD-WAN Center Inventory and Status page due to the crash of SD-WAN Center service.

SDWANHELP-1248: In few cases, the SD-WAN service might be aborted while processing the Internet Group Management Protocol (IGMP) packets in multi routing domain configurations.

SDWANHELP-1253: The Citrix SD-WAN appliance might drop internet traffic in multi routing domain configurations.

SDWANHELP-1256: During a configuration update in an SD-WAN appliance, when a branch removes all but one Routing Domain, the Network Address Translation (NAT) might fail for Internet traffic.

SDWANHELP-1276: On cloning a site in the Citrix SD-WAN Center, the access interfaces don’t get cloned properly. The IP addresses remain the same as the original site even if the modification was done during cloning.

SDWANHELP-1284: If Citrix SD-WAN had BGP enabled, it was not allowed to forward BGP packets originated from and destined for other peers to go over the virtual path to other sites.

SDWANHELP-1385: The SD-WAN device serial number information might be lost and reset to Default string due to an issue in BIOS firmware v1.0b on SD-WAN 210 platform.

NSSDW-21808: The provisioned appliance information on SD-WAN Center gets cleared before the actual de-provision operation gets completed on the appliance. If any error occurred during de-provisioning, then you cannot perform any Palo Alto specific operations on the appliance from SD-WAN Center.

NSSDW-25440: Significant packet loss or network delays might be observed in Azure on instances with network acceleration enabled.

NSSDW-27341: In Citrix SD-WAN Center, you cannot perform the configuration for the Notification Settings that are Email Alerts, SNMP Traps, Syslog, and HTTP.

NSSDW-27530: In Citrix SD-WAN, changing the access interface IP address for a WAN Link can bring down the paths that are associated with the WAN Link.

NSSDW-28146: If Citrix SD-WAN 11.2.0 release is upgraded from 10.2 release or downgraded to 10.2 release once and later it is upgraded to 11.0/11.1 releases, then again downgrading back to 10.2 release fails.

Similarly, after upgrading from Citrix SD-WAN Center from 10.2 release to 11.2.0 release, the downgrading of SD-WAN Center from 11.2.0 to 10.2 release was not supported.

NSSDW-28971: Once you log into the SD-WAN appliances and virtual machines, you might gain root shell access with the 11.x based image using a hardcoded password. The affected SD-WAN platforms are 110 and VPXs provisioned with 11.x images. This is a CLI related issue and not applicable for the GUI.

Known Issues

NSSDW-23558: Citrix SD-WAN Edge Security is not interoperable with the Cloud Direct and Cloud Security features.

NSSDW-25452: The Citrix SD-WAN Orchestrator UI and the Citrix SD-WAN configuration compiler do not catch out of the allowed range of DHCP lease interval, which causes the DHCP daemon to fail.

  • Workaround - Specify the valid lease time for DHCP is 300–86400 sec.

NSSDW-27105: The Data Plane Development Kit (DPDK) crashed every time when one of the ports is brought down while traffic is going through. At that time DPDK crashes, SD-WAN service gets restarted and the virtual path is dead. After a few minutes the Virtual Path comes UP automatically.

NSSDW- 27139: Citrix SD-WAN Edge Security is not interoperable with the WANOP feature.

NSSDW-27587: A disk warning message occurs on the SD-WAN VPX appliance running as MCN with the default 40 GB disk space.

  • Workaround – It is recommended to use 120/240 GB virtual disks for the SD-WAN MCN VPX with up to 128/256 virtual path support.

NSSDW-27719: Convertible management port cannot be used for VPX deployed on hypervisors using the IXGBEVF driver. This might result in critical software errors and the service being disabled.

NSSDW-27727: Networks with VPX and VPXL instance using the IXGBEVF driver, used for certain Intel 10 GB NICs when SR-IOV is enabled, must not be upgraded to 11.2.0. This might result in a loss of connectivity. This issue is known to impact AWS instances with SR-IOV enabled.

NSSDW-27817: The Web filtering functionality of Citrix SD-WAN Edge Security by default closes the TCP connection when the user tries to access blocked sites when using the HTTPS protocol, instead of redirecting the user to an informative webpage with details about the request being blocked.

NSSDW-27847: Overlapping IP addresses across different Routing Domains are not supported by Citrix SD-WAN Edge Security. The session log messages also do not contain the routing Domain information.

NSSDW-27850: Citrix SD-WAN Anti Malware engine redirects the user to a non-routable IP address when it detects a virus in an HTTP webpage. In a result, the end-user browser becomes unresponsive while trying to retrieve it until it times out.

NSSDW-27928: You cannot enable or disable the modem if no configuration is done on the LTE modem.

  • Workaround: Perform a configuration change, for example - update Access Point Name (APN).

NSSDW-27934: If Two-Box Solution is enabled, you cannot upgrade from the 11.2.0 release to any upper releases without disabling Two-Box Solution and re-enabling it after the upgrade is complete.

  • Workaround: It is recommended that customers using Two-Box Solution must upgrade to 11.2.1 (Future release) instead of 11.2.0 release.

NSSDW-27935: HTTP server alerts will not be sent from Citrix SD-WAN appliances.

  • Workaround: Use Citrix SD-WAN Center to send HTTP server alerts.

NSSDW-27938: STS bundle that is created via the CLI is not downloadable through SD-WAN GUI.

  • Workaround: Use Citrix SD-WAN GUI to create the STS bundle.

SDWANHELP-1547: After a configuration update, WAN links might not be available for Internet or Intranet traffic.

  • Workaround: Restart the gateway device, reset the SD-WAN port, or restart the SD-WAN service.
Release Notes