Citrix SD-WAN

Release Notes for Citrix SD-WAN 11.3.2a Release

This release notes document describes the enhancements and changes that exist for the Citrix SD-WAN release Build 11.3.2a.

Note

Citrix SD-WAN 11.3.2a release addresses the security vulnerabilities described in https://support.citrix.com/article/CTX319135 and replaces Citrix SD-WAN 11.3.2 release.

What’s New

The enhancements and changes that are available in Build 11.3.2.

Network

Classes

Citrix SD-WAN displays only those classes that have traffic flowing on Virtual Paths and Dynamic Virtual Paths. If a class is displayed and shows 0 as the value, it means the traffic that was previously flowing has now stopped. However, if a class is not displayed at all, it means that there has never been any flow of traffic for that class, since the Virtual path service state has been reset (For example, software upgrade or reboot).

[ NSSDW-33974 ]

Fixed Issues

The issues that are addressed in Build 11.3.2.

Configuration and Management

After every configuration export from Citrix SD-WAN Center, the temporary files in the tmpfolder were not getting cleaned up.

[ SDWANHELP-2057 ]

After adding some network objects, configuration audit and export was failing.

[ SDWANHELP-2041 ]

Importing a large sized network configuration from the Citrix SD-WAN appliance to Citrix SD-WAN Center failed, due to limits on the allowed memory resources.

[ SDWANHELP-2034 ]

Citrix SD-WAN’s email notification adds an extra ‘CR’ character in the AUTH command which causes the SMTP session to terminate.

[ SDWANHELP-2028 ]

When an appliance is configured for both the DHCP IPv4 and the DHCP IPv6 addresses, but the network has only the DHCP IPv6 server configured, then the appliance keeps waiting for the DHCP IPv4 address and hence does not get assigned with the IPv6 address also.

[ NSSDW-33741 ]

A WAN link configured as a DHCP client leads to Virtual Path failure. This issue occurs when the name of the WAN link is changed and change management effected.

[ NSSDW-32110 ]

The WAN link path state goes DEAD when a Citrix SD-WAN appliance fails to detect a new port.

[ SDWANHELP-1998 ]

Install and upgrade

When MPLS WAN links are configured to use a WAN link template and enabled for the Intranet/Internet service, an unexpected audit error EC14203 occurs while compiling the configuration.

Citrix SD-WAN 11.3.1 and older releases might not throw an error when the WAN link permitted rates are set to a value lower than the minimum reserved bandwidth required for all services using the WAN link while configuring MPLS WAN Links with WAN link templates. When upgraded to Citrix SD-WAN 11.3.2 or later releases, the error is displayed. Set the correct WAN link permitted rates and activate the configuration before performing the upgrade.

[ SDWANHELP-2134 ]

Miscellaneous

Citrix SD-WAN Center GUI logs consume excessive disk space resulting in upgrade and STS failure.

[ SDWANHELP-1960 ]

Qualys security scanner tool caused one of the services of the Citrix SD-WAN appliance to consume high memory leading to unresponsiveness and reboot of the appliance.

[ SDWANHELP-1530 ]

Network

After upgrading to Citrix SD-WAN 11.3.1, MSS (Maximum Segment Size) clamping fails with PPPoE when the Maximum Transmission Unit (MTU) size is set to 1492 bytes.

[ SDWANHELP-2048 ]

Frequent route table changes in an SD-WAN site along with configuration update or dynamic routes purge might cause route synchronization issues in the remote site.

[ SDWANHELP-2043 ]

When in-band management is enabled and RADIUS server is accessible through the data plane, Wi-Fi WPA2-Enterprise authentication fails.

[ SDWANHELP-2032 ]

Application identification related entries for Application Routing, QoS, or DNS features are regularly added to the First Packet Classifier (FPC) hash table. When an aged-out entry is evicted from the table, on some occasions, the Citrix SD-WAN appliance can crash.

[ SDWANHELP-1980 ]

In case the appliance has a static route configured as summary route, and there is another same prefix route learned dynamically, then the summary route is not summarizing routes.

[ NSSDW-34355 ]

Adding import filters to remove previously imported OSPF/BGP routes can cause service crash.

[ NSSDW-34207 ]

Once SLAAC learns an IP and gateway address from a router, unless and until the current address expires, SLAAC will not relearn the IP if the gateway changes or we change network segments, even after rebooting the SD-WAN appliance. This might delay getting an address when moving ports.

[ NSSDW-33807 ]

Once SLAAC learns an IP and gateway address from a router, SLAAC will not relearn the gateway if the gateway changes (unless and until the current address expires).

Example:

  • Branch appliance learns its IP and gateway from gateway-1.
  • The network administrator decides to replace gateway-1 with a new gateway-2. The administrator configures gateway-2 the same as gateway-1 so that router advertisements send the same prefix info that gateway-1 was sending. However, gateway-2 has a different source address than gateway-1.
  • The branch appliance will not automatically learn gateway-2’s IP. (unless and until the current address times out)

[ NSSDW-33802 ]

A configuration update might result in not starting the DHCP server hosted on Prefix Delegation LAN Virtual Network Interface. Prefix Delegation is not supported with Citrix SD-WAN 11.3.1 release.

[ NSSDW-33664 ]

Enabling Static NAT on an Internet or Intranet Service with proxy NDP can cause the SD-WAN to respond to NDP for addresses owned and used by other hosts in the network.

[ NSSDW-33653 ]

The underlay site diagnostic bandwidth test is not supported in Citrix SD-WAN 11.3.1 release.

[ NSSDW-33597 ]

Platform and systems

Citrix Virtual WAN service might restart when the STS bundle is generated while the Dynamic Virtual Paths (DVPs) are up.

[ SDWANHELP-2123 ]

The System Status section on the Legacy UI dashboard displays the error message Unable to obtain system data because the system is busy. Click Refresh to retry. This issue occurs when site names contain the Done string.

[ SDWANHELP-2098 ]

A filter policy rule validation is performed during config update to distinguish between newly created vs modified rules. Due to a missing comparison check for match\_type, most of the connections to internet are being blocked by firewall as O\_DENIED

The workaround is to change default rule from Reject to Drop.

[ SDWANHELP-2078 ]

When real time statistics for application routes are fetched, either from the SD-WAN Orchestrator or from the SD-WAN Branch device, the device loses connectivity and crash is observed. This happens only when the number of application routes is more than 16 (including auto-generated application routes).

[ SDWANHELP-2066 ]

When HDX reporting is enabled and there isHDX traffic running through the Citrix SD-WAN appliance, occasionally Citrix SD-WAN appliance might observe core dump.

[ SDWANHELP-1957 ]

When two virtual IP addresses (one private and another one non-private) are created in the same subnet, an issue occurs that two routes are created for the same subnet and the subnet is not advertised to a remote site.

[ SDWANHELP-1739 ]

SD-WAN 210 appliance

Some carriers allow only IPv6 data sessions if the Packet Data Protocol (PDP) is enabled for IPv4 and(or) IPv6.

[ SDWANHELP-1777 ]

Known Issues

The issues that exist in release 11.3.2.

Configuration and Management

Unable to create a custom domain name based custom application rule. The option is grayed out in the UI.

[ SDWANHELP-2136 ]

High availability failover might happen while generating STS involving Citrix SD-WAN 2100 platform deployed in high availability mode.

[ SDWANHELP-2049 ]

Email notifications cannot be sent when the SMTP server name is set as FQDN. This issue occurs when the DNS server contains:

  • At least 2 IPv4 A records for the FQDN.
  • At least 1 IPv6 AAAA record for the FQDN.

[ SDWANHELP-2027 ]

If out-of-band management interfaces are connected, then the DNS setting can be updated only from the appliance UI.

If in-band management is configured, then the DNS settings updated using the appliance UI do not take effect. You can update the DNS settings only from Citrix SD-WAN Orchestrator service UI.

[ NSSDW-33932 ]

Citrix SD-WAN UI shows an error if a duplicate name is used for DNS Proxy across the network.

Workaround: Use a unique network-wide name for DNS Proxy.

[ NSSDW-33842 ]

Enable and Disable external modem does not work from the legacy UI.

Workaround: Use the SD-WAN Virtual WAN CLI to enable/disable external modem

[ NSSDW-32221 ]

When the user selects to view the status of the Internal modem, the legacy UI also shows the status of the external modem.

[ NSSDW-32219 ]

The Orchestrator UI and config compiler does not catch out of allowed range of DHCP lease interval, which causes dhcp daemon to fail.

[ NSSDW-25452 ]

Miscellaneous

When cloning a site with more than one HA interface, the second HA interface IP address is not getting cloned.

[ SDWANHELP-2005 ]

Network

Updating DNS settings on the Citrix SD-WAN 110 SE appliance with a static management IP fails on the new UI, but works on the legacy UI.

[ NSSDW-35639 ]

If local change management is applied on an SD-WAN appliance with no difference in the PPPoE configuration, the existing PPPoE sessions might not be restarted.

Workaround: Re-establish the PPPoE connections (under Monitoring > PPPoE).

[ NSSDW-25387 ]

SD-WAN 210 appliance

210 LTE modems reboot continuously if the firmware is set to AUTO-SIM and the modems’ firmware is not in the right state.

Workaround: Take out the SIM card, choose an appropriate firmware for the SIM card, and reinsert the SIM card.

[ SDWANHELP-2080 ]

Release Notes for Citrix SD-WAN 11.3.2a Release