Citrix SD-WAN

Release Notes

This release note describes What’s new, fixed issues, and known issues applicable to Citrix SD-WAN software release 11.2 version 1 for the SD-WAN Standard Edition, WANOP, Premium Edition appliances, and SD-WAN Center.

For information about the previous release versions, see the Citrix SD-WAN documentation.

What’s New

New User Interface Enhancements - The new user interface support is now extended to SD-WAN 210 appliances. All local users with Admin role and remote users have access to the new user interface. Local users can change their account password. Remote user accounts are authenticated through RADIUS or TACACS+ authentication servers. You can configure either the RADIUS or TACACS+ authentication server. Ability to perform SIM PIN operations and manage the LTE firmware are also introduced.

Gateway Service Optimization - You can now enable the first packet detection, classification, and selective routing (direct internet breakout or over the virtual path) of the traffic destined for Citrix Cloud and Citrix Gateway Service (control and data). This feature is only available via Orchestrator starting from SD-WAN version 11.2.1.

Citrix SD-WAN 6100 Premium Edition Appliance - The Citrix SD-WAN 6100 PE appliance is a 2U appliance. It has two 14-core processors for a total of 28 physical cores (with hyper-threading enabled), and 256 GB of memory. The Citrix SD-WAN 6100 PE appliance is shipped with the Citrix SD-WAN 10.2.7 image, upgrade the software to Citrix SD-WAN 11.2.1 and above to enable PE functionality.

Advanced Edge Security support for Citrix SD-WAN 210 SE appliances (Tech Preview) - Citrix SD-WAN 210 SE and 210 SE LTE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses. To enable advanced security capabilities on a Citrix SD-WAN 210 appliance, reimage the appliance software to Citrix SD-WAN and install the Advanced Security add-on license. For more details, see USB reimage Utility.


Activating the advanced security add-on license on the Citrix SD-WAN 210 appliance, for the first time, might take up to 20 minutes approximately.

LAG support for Citrix SD-WAN 2100 SE - Citrix SD-WAN 2100 SE appliance supports simple LAG (ACTIVE-BACKUP). The 802.3ad LACP protocol based negotiations are not supported in the current release. At any time only one port is active and the other ports are in backup mode.

Real-time Reports - Citrix SD-WAN Orchestrator allows you to view the real-time reports for the following security features:

  • Web Filtering: Provides the real-time report of the last 1000 web (HTTP, HTTPS) events from the total number of web requests.

  • Anti-Malware: Provides the real-time report of the last 1000 Anti-Malware events from the total number of the files scanned.

  • Intrusion Prevention: Provides the real-time report of the last 1000 logged and blocked intrusion prevention system events from the total number of intrusion events.

You can also click the individual slices of the pie chart or the legends beside the pie chart to view the top-10 event details of the Web Filtering, Anti-Malware, and Intrusion Prevention security features.

On-prem Orchestrator - From Citrix SD-WAN 11.2.1 release onwards, secure appliance connectivity is implemented on the On-prem SD-WAN Orchestrator along with the SD-WAN Appliance and On-prem SD-WAN Orchestrator Certificates, Domain, Authentication Type, and Advanced Configuration options. You can either use the On-prem SD-WAN Orchestrator IP address or Domain or both (IP address and domain) for enabling the On-prem SD-WAN Orchestrator connectivity.

RADIUS and TACACS+ Server - The timeout value for the RADIUS and TACACS+ server is increased from 10 seconds to 60 seconds.

Fixed Issues

SDWANHELP-1193: For an MCN in factory default state, the LCM package downloaded immediately after clicking staging but before activating the staged software, does not contain the necessary content.

SDWANHELP-1210: When both VRRP and HA are configured, the GUI access is interrupted, loss of connectivity and ping failure are observed. Do not initiate the VRRP instance on the HA standby appliance.

SDWANHELP-1299: A branch with dynamic virtual path established with another branch and WAN-to-WAN forwarding enabled, forwards the routes received over the dynamic virtual path to other sites. When the dynamic virtual path goes down, the learned routes are not removed from the other sites.

SDWANHELP-1326: After upgrading SD-WAN to 11.1.0/11.1.1, PPPoE links fail to get connected on the following platforms:

  • Citrix SD-WAN 410

  • Citrix SD-WAN 210

  • Citrix SD-WAN 1100

  • Citrix SD-WAN 4100

  • Citrix SD-WAN 5100

  • Citrix SD-WAN 6100

SDWANHELP-1330: SD-WAN Center did not deliver email notifications as email settings was set to null in the SD-WAN Center database.

SDWANHELP-1332: If a single data flow is sent on more than three different WAN links, the SD-WAN service might crash during NetFlow statistics collection.

SDWANHELP-1337: For AWS’s Elastic Compute Cloud (EC2), the SD-WAN instance having more than 32 GB memory, the virtual instance falls back to the default value of 16 static Virtual Paths. It leads to undefined behavior and possible crash scenarios when more than 16 static Virtual Paths are configured.

SDWANHELP-1365: In a High Availability GEO MCN setup with WAN-to-WAN forwarding enabled, an internet service down event can trigger an erroneous scenario wherein routes learned from the Secondary GEO MCN take higher precedence than the Primary GEO MCN.

SDWANHELP-1370: SNMP service enabled after provisioning the SD-WAN Center with the default community string as public causes a vulnerability issue. SD-WAN Center does not support SNMP service. So, the SNMP service is permanently disabled to resolve the vulnerability issue.

SDWANHELP-1384: Inter-routing domain service routes when created using network objects do not get added. The export route option for all inter-routing domain service routes to export the route to other connected sites does not work.

SDWANHELP-1385: The SD-WAN device serial number information might be lost and reset to Default string due to an issue in BIOS firmware v1.0b on the SD-WAN 210 platform.

SDWANHELP-1386: The user is unable to schedule path bandwidth testing on the SD-WAN appliance.

SDWANHELP-1432: Trace files are not parsed properly when the file name contains a + symbol.

SDWANHELP-1464: The SD-WAN service gets aborted while processing packets received over the intranet service configured over the Private MPLS link that has MPLS queues.

NSSDW-27587: A disk warning message occurs on the SD-WAN VPX appliance running as MCN with the default 40 GB disk space.

NSSDW-27727: Networks with VPX and VPXL instance using the IXGBEVF driver, used for certain Intel 10 GB NICs when SR-IOV is enabled, must not be upgraded to 11.0.1. It might result in a loss of connectivity. The issue is known to impact AWS instances with SR-IOV enabled.

NSSDW-27753: If SD-WAN was not registered with MAS before upgrading to SD-WAN 11.2.0 release, then it fails to register with MAS after upgrading to SD-WAN 11.2.0 release.

NSSDW-27928: You cannot enable or disable the modem if no configuration is done on the LTE modem.

NSSDW-27934: If Two-Box mode is enabled, you cannot upgrade from 11.2.0 release to any upper releases without disabling Two-Box mode and re-enabling it after the upgrade is complete.

NSSDW-27935: HTTP server alerts are not sent from Citrix SD-WAN appliances.

NSSDW-27938: STS bundle that is created using the CLI is not downloadable through the SD-WAN GUI.

NSSDW-28146: If Citrix SD-WAN 11.2.0 release is upgraded from 10.2 release or downgraded to 10.2 release once and later it is upgraded to 11.0/11.1 releases, then again downgrading back to 10.2 release fails. Similarly, after upgrading from Citrix SD-WAN Center from 10.2 release to 11.2.0 release, the downgrading of SD-WAN Center from 11.2.0 to 10.2 release was not supported.

NSSDW-28799: Creating a Custom dashboard provides you an option to set it as a primary dashboard. If you check and save the dashboard, you land on that saved dashboard by default with every login or when you navigate to the dashboard page.

NSSDW-29581: Edge security bandwidth rate is not aligned with the Advanced Edition license loaded in the SD-WAN Orchestrator.

NSSDW-29699: When you provision an SD-WAN appliance with 11.2.0 version freshly, single sign-on to MCN from SD-WAN Center does not work as expected. Features like Cloud Direct, Change Management, automated Azure deployment, Azure virtual WAN, Zscaler do not work from SD-WAN Center.

The issue is fixed in SD-WAN 11.2.1 version. When you upgrade from a freshly provisioned 11.2.0 version to 11.2.1 version, regenerate the Appliance certificate.

Known Issues

SDWANHELP-1292: Timezone setting done using the SD-WAN Center is not applied on the SD-WAN appliances.

  • Workaround: Set the timezone using the SD-WAN appliance GUI or Appliance REST APIs or Appliance CLI.

SDWANHELP-1323: MCN High Availability (HA) device shows not connected if the wire from the first HA interface is not plugged in (when multiple HA interfaces are defined).

  • Workaround: Remove the HA interface from the configuration if it is not physically connected.

NSSDW-27615: When SD-WAN 210 Standard Edition (SE) is converted to Advanced Edition (AE), the memory parameters (Huge Pages, Max Connections, Flow Limit, and Number of packet buffers) get reduced. The memory parameters remain unchanged even if the SD-WAN 210 AE appliance is converted back to SE.

NSSDW-29146: Once the appliance role is switched from Client to MCN in the legacy UI, the new user interface if open in other browsers, does not get logged out automatically. Having the new UI session open does not affect the legacy UI. Optionally, you can choose to close the new UI session. Once the appliance role is switched from MCN to Client in the legacy UI, you do not get redirected to the new UI automatically. You can continue to use the legacy UI. If you choose to use the new UI, browse https://< management-ip> in a new browser tab.

NSSDW-29513: VPX branch goes into single site mode, if the newly provisioned VM is first downgraded and then upgraded back to the version on which the VM was provisioned.

  • Workaround: Perform Local Change Management on the affected branch.

NSSDW-29526: When the MCN with HA performs partial site upgrade on the Geo MCN, the Geo MCN becomes the primary MCN. After the partial upgrade, the exiting standby MCN cannot detect the new primary MCN.

NSSDW-29819: At times, the Edge Security subsystem in the Citrix SD-WAN 210 appliance might fail and the appliance might not recover automatically.

  • Workaround: Reboot the Citrix SD-WAN 210 appliance.

NSSDW-29898: The security reports for the SD-WAN 210 AE appliance are not seen on the SD-WAN Orchestrator UI. The issue happens due to the first-boot timing issue, where the database user gets created but permissions are not granted.

NSSDW-29900: SD-WAN AE activation might fail consistently if the edge security component is stuck to an unresponsive state. Re-booting the failing appliance should resolve the issue and allow activation to proceed.

Release Notes