Citrix SD-WAN

Release Notes for Citrix SD-WAN 11.2.3b Release

This release note describes fixed issues and known issues applicable to Citrix SD-WAN software release 11.2 version 3 for the SD-WAN Standard Edition, WANOP, Premium Edition appliances, and SD-WAN Center.

For information about the previous release versions, see the Citrix SD-WAN documentation.


Citrix SD-WAN 11.2.3b release addresses the security vulnerabilities described in It replaces releases 11.2.3 and 11.2.3a.

Fixed Issues

NSSDW-29862: Citrix SD-WAN Center virtual machine running on VMware ESXi hypervisor might hang while taking a snapshot.

NSSDW-31612: To make the Citrix SD-WAN Orchestrator on-premises manage SD-WAN appliances shipped with 11.2.1 or 11.2.2 software, you must upgrade the SD-WAN appliance software to the 11.3.0 version.

NSSDW-32629: Auto-generated summary routes created for the Regional Control Node (RCN) network is assigned a cost of 30,000 instead of 65534.

SDWANHELP-1314: Unable to configure Interface groups for Citrix SD-WAN 210 and 110 appliances using the REST API through the MCN. The fix provides the support to configure the interface groups for Citrix SD-WAN 210 or 110 site model and BASE submodels through REST APIs.

SDWANHELP-1323: MCN high availability device shows not connected if the wire from the first high availability interface is not plugged in (when multiple high availability interfaces are defined).

SDWANHELP-1368: SNMP Walk did not show the correct MAC address information for interfaces.

SDWANHELP-1400: For an internet service route in a non-default routing domain and a path eligibility configured, when the path goes down and the remote site that does not have the given routing domain configured, the internet route is not marked unreachable.

SDWANHELP-1437: Disabling the insecure TLS1.0 and TLS1.1 between Citrix SD-WAN and SD-WAN Center connectivity.

SDWANHELP-1485: Packets received on Internet/Intranet service might get associated with the wrong WAN link when multiple WAN link gateways are resolved to the same MAC address.

SDWANHELP-1507: An issue in the configuration module was causing the export route setting to be true while the WAN to WAN forwarding setting was disabled for the site. After the fix, the export route is correctly set to false if the WAN to WAN forwarding is disabled and when the user has not explicitly set the export route setting.

SDWANHELP-1509: Unable to change the default community string (public) for the SNMP trap message in Citrix SD-WAN.

SDWANHELP-1513: DNS settings were not getting updated using DHCP when the Management port is acting as a DHCP client.

SDWANHELP-1520: The issue is with the IP learning on the branch site, where the stale IP details are not cleared for the disconnected WAN link. These stale IP details cause a virtual path between a branch to another branch in a DEAD state. As part of the fix, clean up the old IP details on the branch appliance during the IP learning.

SDWANHELP-1531: In Citrix SD-WAN Center reporting page, the data in the Top applications report of a site was inconsistent with the data in the Top sites report. It happened due to an unwanted regex match of the site name.

SDWANHELP-1537: Citrix SD-WAN Center authentication for TACACS based users was failing for a few combinations of passwords having $ and # characters in the password. This issue was present in the 11.2.0 release.

SDWANHELP-1547: After a configuration update, WAN links might not be available for Internet or Intranet traffic.

SDWANHELP-1558: Internet service does not use the backup links when the primary link goes down.

SDWANHELP-1580: While public IP address learning is enabled on a branch WAN link, the RCN might not learn the new public IP address and results in a dead path if:

  • There is a configuration version mismatch between the branch and the RCN
  • The public IP address of the branch WAN link has changed

SDWANHELP-1616: Office365 local internet breakout might not work when multiple routing domains are enabled on a site.

SDWANHELP-1617: When regional subnets are created, the summary routes are auto-created with 65534 costs. When this route is advertised to another site, the cost is rolled over and becomes a non-summary route with the lowest cost.

SDWANHELP-1627: Connections redirected through the hosted firewalls (Palo Alto) and routed over the Virtual Path service experience high latency issues.

SDWANHELP-1641: A crash in the configuration compiler occurs when the auto path group is not set in WAN Link usage for the Dynamic virtual path when it is configured on an LTE-E1 interface.

SDWANHELP-1646: The management port must not be added in the Link Aggregation Group (LAG), hence the management interface is not listed while forming the LAG.

SDWANHELP-1673: Citrix SD-WAN request to download PAC file from the server is being intercepted and served by SD-WAN itself when management IP matches local route.

SDWANHELP-1684: When Certificate Revocation Lists were enabled, there was an error causing repeated download attempts of the CRL.

SDWANHELP-1686: Use of the same high availability IPs at different sites was not allowed previously. The high availability IPs are now treated as private allowing them to be used at different sites.

SDWANHELP-1736: Citrix SD-WAN Center’s email notification adds an extra < CR > character in the command which causes the SMTP session to terminate.

SDWANHELP-1783: During the dynamic virtual path creation, if the protocol message arrives with an unexpected IP type of service (TOS) value, it might result in core dump.

SDWANHELP-1787: Import and Export of large network configurations (when the configuration file size exceeded 16 MB) on Citrix SD-WAN Center were failing.

SDWANHELP-1804: After upgrading Citrix SD-WAN device to the 11.2.2 version, more than one VRRP device acts as Master because of the wrong VRRP advertisement packet size sent by SD-WAN device.

SDWANHELP-1866: On Citrix SD-WAN 110 and 210 platforms, if the management port is configured as a data port, the Host ID might change after upgrading to a newer version. The SD-WAN appliances will use the grace license if this issue occurs.

Known Issues

NSSDW-25387: If local change management is applied on an SD-WAN appliance with no difference in the PPPoE configuration, the existing PPPoE sessions might not be restarted.

  • Workaround: Re-establish the PPPoE connections (under Monitoring > PPPoE).

NSSDW-25452: Citrix SD-WAN Orchestrator UI and Citrix SD-WAN configuration compiler do not catch out of the allowed range of DHCP lease interval, which causes the DHCP daemon to fail.

  • Workaround: Specify the valid lease time for DHCP is 300–86400.

NSSDW-28788: The client subnets are not exported when the deployment is in Bridge mode.

NSSDW-29146: Once the appliance role is switched from Client to MCN in the legacy UI, the new user interface if open in other browsers, does not get logged out automatically. Having the new UI session open does not affect the legacy UI. Optionally, you can choose to close the new UI session. Once the appliance role is switched from MCN to Client in the legacy UI, you do not get redirected to the new UI automatically. You can continue to use the legacy UI. If you choose to use the new UI, browse https://< management-ip> in a new browser tab.

NSSDW-29513: VPX branch goes into single site mode, if the newly provisioned virtual machine is first downgraded and then upgraded back to the version on which the virtual machine was provisioned.

  • Workaround: Perform Local Change Management (LCM) on the affected branch.

NSSDW-29526: When the MCN with high availability performs partial site upgrade on the Geo MCN, the Geo MCN becomes the primary MCN. After the partial upgrade, the exiting standby MCN cannot detect the new primary MCN.

NSSDW-32879: During staging, the Change Management page might occasionally freeze on the preparing packages step.

  • Workaround: Reattempt staging by clicking the change preparation tab.

SDWANHELP-1292: Timezone Settings change on Citrix SD-WAN Center does not take effect on some pages. Time is still shown in UTC.

SDWANHELP-1491: ICMP connections getting WAN to WAN forwarded between Virtual Path and Intranet service over IPsec tunnel experience packet loss.

SDWANHELP-1454: An incorrect WAN Link use setting of Auto was allowed for Internet service which caused a crash. The configuration code has been corrected to block users from selecting the Auto option for WAN Link use for Internet service. An audit has also been added to catch this misconfiguration.

SDWANHELP-1549: Ignore WAN link status behavior is restored to SD-WAN 10.2 release behavior. For Internet/Intranet traffic, only the link that has paths in UP state is used. If all paths on the links that are configured to be used for Internet/Intranet service are dead and the Ignore WAN link status option is enabled, then the highest bandwidth link is used for Internet/Intranet traffic.

SDWANHELP-1737: When you add a new local user in Citrix SD-WAN Center, a yellow banner appears with a message that the firewall access is changed from Enabled to Disabled.

SDWANHELP-1739: When two virtual IP addresses (one private and another one non-private) are created in the same subnet, an issue occurs that two routes are created for the same subnet and the subnet is not advertised to a remote site.

SDWANHELP-1755: Snapshot extensions of Azure are not working in the build root environment.

SDWANHELP-1764: You cannot Stage and Activate a new configuration change. The memory and CPU fields are assigned some default values and that cannot be changed as there is no option available in the SD-WAN Orchestrator UI currently. This issue occurs as the default values vary from customer to customer.

SDWANHELP-1780: The Public IPv4 Address field was grayed out under the Basic section of the configuration editor.

SDWANHELP-1799: In the case of DHCP server configuration when service restart or upgrade, there is a timing condition due to which one or more interfaces are not able to respond to DHCP client requests.

  • Workaround: Restart the DHCP server from Citrix SD-WAN UI.

SDWANHELP-1806: An SHA-256 checksum error occurs during downloading when a customer staging an appliance with a new configuration.

SDWANHELP-1808: Incoming VOIP call over T-Mobile Germany carrier fails with Citrix SD-WAN 210 appliance.

SDWANHELP-1835: In rare conditions, Citrix SD-WAN service might crash while processing the packets received over the dynamic virtual path at the time of dynamic virtual path removal.

Release Notes for Citrix SD-WAN 11.2.3b Release