Release Notes for Citrix SD-WAN 11.3.1 Release
This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix SD-WAN release 11.3.1.
Note
Citrix SD-WAN 11.3.1a release addresses the security vulnerabilities described in https://support.citrix.com/article/CTX297155 and replaces release 11.3.1.
What’s New
Configuration and Management
Citrix SD-WAN New UI enhancements for clients
The Citrix SD-WAN New UI includes the following enhancements:
- Management IP Allow list configuration.
- Metered link statistics.
- Orchestrator connectivity status.
- Appliance model, bandwidth, and license type displayed in the header.
[ NSSDW-33155 ]
The look and feel of the Citrix SD-WAN New UI is changed to reflect the new color and font as per Citrix rebranding.
[ NSSDW-30842 ]
The following SNMP MIBs are added:
- Appliance Statistics
- The percentage of CPU utilized for the Appliance
- The percentage of RAM utilized for the Appliance
- WAN Link Statistics table
- The Max LAN To WAN Physical Rate in Kbps for the WAN Link
- The Max WAN To LAN Physical Rate in Kbps for the WAN Link
- The LAN To WAN Allowed Rate in Kbps for the WAN Link
- The WAN To LAN Allowed Rate in Kbps for the WAN Link
[ NSSDW-30592 ]
Default/Fallback Configuration
From Citrix SD-WAN 11.3.1 release onwards, Citrix SD-WAN provides an ability to manually configure the static IP addresses that can be assigned to the WAN ports in the absence of DHCP to use In-band management for initial provisioning.
[ NSSDW-27033 ]
In-band Management supports High Availability device pairs. The appliances in a High Availability pair communicate with each other using in-band access.
[ NSSDW-24534 ]
You can enable or disable a virtual interface in an interface group using the Enable check box.
[ NSSDW-24512 ]
NDP Router Advertisement - In an IPv6 network, SD-WAN appliance periodically multicasts Router Advertisement (RA) messages to announce its availability and convey information to the neighboring appliances in the SD-WAN network. Neighbor Discovery protocol (NDP) running on the SD-WAN appliances uses these Router Advertisements to determine the neighboring devices on the same link. It also determines each other’s link-layer addresses, find neighbors, and maintain reachability information about the paths to active neighbors.
Note
Citrix SD-WAN Orchestrator services do not support IPv6 addresses.
The following features of Citrix SD-WAN appliances support IPv6 address:
- Management plane features
- Management interface
- RADIUS server
- TACACS+ server
- SMTP server
- Syslog server
- HTTP server
- DNS server
- App Flow/IPFIX
- SNMP
- Remote licensing
- Centralized licensing
- NTP server
- Allow list
- New User Interface for SD-WAN appliances
- Diagnostics
Note
After configuring the above listed features, if you disable IPv4 or IPv6 protocol, then the features do not work as expected.
- Data plane features
- Static Routing
- Internet Service over IPv6 WAN Links
- Intranet Service over IPv6 WAN Links
- Router Advertisement
- DHCP Client
- DHCP Server/Relay
- Application QoS
- Firewall
- In-band Management
- High Availability
- IP Rules
- IPv6 supported over LTE links
[NSSDW-1938, NSSDW-21915]
Miscellaneous
From Citrix SD-WAN 11.3.1 onwards, the Check Point VM version 80.20 and above are supported for provisioning VM on new sites.
[ NSSDW-30833 ]
Network
You can configure one router ID for the entire protocol and also one router ID per routing domain. With this enhancement, you can enable stable dynamic routing across multiple instances with different router ID’s converging in a stable manner. If you configure a router ID for a specific routing domain, the specific router ID overrides the protocol level routing domain.
[ NSSDW-30132 ]
From Citrix SD-WAN 11.3.1 release, an extra 8 bytes PPPoE header is considered for adjusting TCP Maximum Segment Size (MSS). The extra 8 bytes PPPoE header adjusts the MSS in the synchronize packets based on the MTU.
[ NSSDW-22779 ]
Fixed Issues
Configuration and Management
-
During the database archival of large networks, the statistical records on the MCN appliance were not getting inserted into the statistics database tables for a few minutes.
[ SDWANHELP-1872 ]
-
During interface changes, VRRP might still use old interface data which might result in core dump.
[ SDWANHELP-1867 ]
-
Hosted Firewall configuration on the local GUI does not load when the Firewall VM is in shutdown state.
[ SDWANHELP-1839 ]
-
You cannot choose the Backup Management Network as None while configuring virtual IP addresses.
[ SDWANHELP-1824 ]
-
The Public IPv4 Address field was grayed out under the Basic section of the configuration editor.
[ SDWANHELP-1780 ]
-
Auto-generated summary routes created for a Regional Control Node (RCN) network is assigned a cost of 30,000 instead of 65534.
[ NSSDW-32629 ]
-
Appliance settings are not getting applied to Citrix SD-WAN when pushed from Citrix SD-WAN Center.
[ NSSDW-32257 ]
-
An audit error during configuration prevents users from configuring Internet service on a site unless all the WAN links are configured with access interfaces of the same IP types.
[ NSSDW-32185 ]
License
-
On Citrix SD-WAN 110 and 210 platforms, if the management port is configured as a data port, the Host ID might change after upgrading to a newer version. The SD-WAN appliances use the grace license if this issue occurs.
[ SDWANHELP-1866 ]
Miscellaneous
-
When you view Citrix SD-WAN Center 11.3.0 login page on a browser in fullscreen mode, the Citrix logo and product name are not displayed correctly.
[ SDWANHELP-1910 ]
-
Network admin role has access to perform the security admin role specific activities which must not be allowed as per the definition of network admin role.
[ SDWANHELP-1906 ]
-
Import and Export of large network configurations (when the configuration file size exceeded 16 MB) on Citrix SD-WAN Center were failing.
[ SDWANHELP-1787 ]
-
Citrix SD-WAN Center’s email notification adds an extra
CR
character in the AUTH command which causes the SMTP session to terminate.[ SDWANHELP-1736 ]
Network
-
When a packet received on LAN side or over local service that requires fragmenting is sent over LAN GRE, SD-WAN service crashes.
[ SDWANHELP-1846 ]
-
For an internet service route in a non-default routing domain and a path eligibility configured, when the path goes down and the remote site that does not have the given routing domain configured, the internet route is not marked unreachable.
[ SDWANHELP-1400 ]
-
When Internet Service is enabled on WAN links that have an IPv6 access interface, service interruption might occur after configuration update.
[ NSSDW-32212 ]
-
Wi-Fi feature does not support High Availability (HA) in Citrix SD-WAN 11.3 release.
[ NSSDW-32197 ]
-
Dynamic NAT might not function correctly or cause a service interruption during configuration update if used for both IPv4 and IPv6 on an Internet Service with Internet Load Balancing enabled.
[ NSSDW-32139 ]
-
DHCPv4 and DHCPv6 mode on the LTE interface can cause SD-WAN device to lose IP address after configuration updates.
[ NSSDW-31998 ]
Platform and systems
-
When the firewall NAT information is dumped using the CLI, the appliance crashes.
[ SDWANHELP-1901 ]
-
The firewall rules allow the ICMP ping request received on an untrusted interface but drops the ping response and therefore the SD-WAN service crashes.
[ SDWANHELP-1865 ]
-
When transparent DNS forwarding is enabled, the processing of large DNS response packets might lead to stack overflow due to not having proper boundary conditional checks. One use case is when cloud service might need to learn IPs from DNS to enable classification of Office 365 default category.
[ SDWANHELP-1891 ]
-
After upgrading Citrix SD-WAN device to 11.2.2 version, more than one VRRP device acts as Master because of the wrong VRRP advertisement packet size sent by SD-WAN device.
[ SDWANHELP-1804 ]
-
During the Dynamic Virtual Path (DVP) creation, if the protocol message arrives with an unexpected IP type of service (TOS) value, it might result in core dump.
[ SDWANHELP-1783 ]
-
For the path MTU discovery, the path MTU probe events are enqueued for processing during a timer kick-off. A segmentation failure occurs in case if a probe event is not valid when the actual execution is attempted.
[ SDWANHELP-1754 ]
-
When GRE tunnel reachability changes from UP to Down, the GRE tunnel routes which are GRE tunnel eligible do not get updated with the change in reachability status.
[ SDWANHELP-1623 ]
-
In Azure HA deployment, SD-WAN paths do not come up when the secondary access interface is configured on the WAN link.
[ SDWANHELP-1578 ]
Known Issues
Configuration and Management
-
Citrix SD-WAN UI shows an error if a duplicate name is used for DNS Proxy across the network.
- Workaround: Use a unique network-wide name for DNS Proxy.
[ NSSDW-33842 ]
-
When an appliance is configured for both DHCP IPv4 and DHCP IPv6 addresses, but the network has only DHCP IPv6 server configured, then the appliance keeps waiting for the DHCP IPv4 address and hence does not get assigned with the IPv6 address also.
[ NSSDW-33741 ]
-
When in-band HA is configured, the SD-WAN UI allows a user to log in to only one of the ports (443, 444, or 445) in a web browser. For example, if a user has logged in to
https://<ip-address>
and logs in tohttps://<ip-address>:444
in another tab, the user gets logged out ofhttps://<ip-address>
.- Workaround: Use a different supported web browser other than the one used to access the Citrix SD-WAN device.
[ NSSDW-33336 ]
-
Enable and Disable external modem does not work from the legacy UI.
- Workaround: Use the SD-WAN Virtual WAN CLI to enable/disable external modem
[ NSSDW-32221 ]
-
When the user selects to view the status of the Internal modem, the legacy UI also shows the status of the external modem.
[ NSSDW-32219 ]
-
A WAN link configured as a DHCP client leads to Virtual Path failure. This issue occurs when the name of the WAN link is changed and change management effected.
- Workaround: Restart the Citrix Virtual Wan Service.
[ NSSDW-32110 ]
-
The Orchestrator UI and config compiler does not catch out of the allowed range of DHCP lease interval, which causes the DHCP daemon to fail.
[ NSSDW-25452 ]
Network
-
Once SLAAC learns an IP and gateway address from a router, unless and until the current address expires, SLAAC will not relearn the IP if the gateway changes or we change network segments, even after rebooting the SD-WAN appliance. This might delay getting an address when moving ports.
- Workaround: You can manually initiate a release/relearn of the SLAAC IP and Gateway IP from the web UI (or the CLI).
[ NSSDW-33807 ]
-
Once SLAAC learns an IP and gateway address from a router, SLAAC will not relearn the gateway if the gateway changes (unless and until the current address expires).
Example:
- Branch appliance learns its IP and gateway from gateway-1.
- The network administrator decides to replace gateway-1 with a new gateway-2. The administrator configures gateway-2 the same as gateway-1 so that router advertisements send the same prefix info that gateway-1 was sending. However, gateway-2 has a different source address than gateway-1.
- The branch appliance will not automatically learn gateway-2’s IP. (unless and until the current address times out)
Workaround: You can manually initiate a release/relearn of the SLAAC IP and Gateway IP from the web UI (or the CLI)
[ NSSDW-33802 ]
-
A configuration update might result in not starting the DHCP server hosted on Prefix Delegation LAN Virtual Network Interface. Note that Prefix Delegation is not supported with Citrix SD-WAN 11.3.1 release.
- Workaround: Disable and enable Citrix Virtual WAN service.
[ NSSDW-33664 ]
-
Enabling Static NAT on an Internet or Intranet Service with proxy NDP can cause the SD-WAN to respond to NDP for addresses owned and used by other hosts in the network.
- Workaround: Citrix recommends you to use Dynamic NAT instead of Static NAT with Citrix SD-WAN 11.3.1 release.
[ NSSDW-33653 ]
-
The underlay site diagnostic bandwidth test is not supported in Citrix SD-WAN 11.3.1 release.
[ NSSDW-33597 ]
-
If local change management is applied on an SD-WAN appliance with no difference in the PPPoE configuration, the existing PPPoE sessions might not be restarted.
- Workaround: Re-establish the PPPoE connections (under Monitoring > PPPoE).
[ NSSDW-25387 ]
Platform and systems
-
On the following platforms, when HDX reporting is enabled, if there is a parsing error after the connection is classified to HDX and starts reporting statistics, the appliance crashes when there is a new HDX connection:
- Citrix SD-WAN 2100
- Citrix SD-WAN 4100
- Citrix SD-WAN 5100
- Citrix SD-WAN 6100
[ SDWANHELP-1882 ]