Citrix SD-WAN 11.0.3 Release Notes
Introduction
This release note describes what’s new, fixed issues, and known issues applicable to Citrix SD-WAN software release 11.0 version 3 for the SD-WAN Standard Edition, WANOP, Premium Edition appliances, and SD-WAN Center.
For information about the previous release versions, see the Citrix SD-WAN documentation.
Note
CVE-2019-19781 - Vulnerability in Citrix SD-WAN WANOP appliances (applicable ONLY for 4000-WO, 4100-WO, 5000-WO, 5100-WO Platform models) leading to arbitrary code execution is fixed in release 10.2.6b. For more information, see CVE KB.
The 11.0.3.1018 release contains security fixes and Citrix recommends the patch be applied by all customers on Amazon Web Services.
What’s New
Multiple hubs support for Microsoft Virtual WAN
With 11.0.3 release, one branch can be connected to multiple hubs within an Azure Virtual WAN resource. One Azure virtual WAN resource can be connected with multiple on-premises branch sites. A Branch site needs to be associated with Azure WAN resources to establish IPsec tunnels.
SD-WAN Standard Edition (SE) VPX password change
From 11.0.3 release onwards, it is mandatory to change the default admin user account password while provisioning any SD-WAN appliance or deploying a new SD-WAN SE VPX. This change is enforced using both CLI and UI.
A system maintenance account - CBVWSSH, exists for development and debugging and has no external login permissions. The account can only be accessed through a regular administrative user’s CLI session.
SD-WAN 210-LTE Firmware upgrade
With 11.0.3 release, the LTE active firmware is updated as part of the single step upgrade package. To upgrade, you need to update the schedule window using the Change Management Setting page or wait for the default scheduled time to upgrade the LTE firmware (daily at 21:20:00).
Fixed Issues
SDWANHELP-941: During configuration update we might miss resetting the virtual path change event and might result in this bug where we won’t bring down the routes even when the corresponding virtual path goes down.
SDWANHELP-961: This issue potentially affects SD-WAN 4000 and 5000 WANOP appliances. After the appliance is running 10.1.0 to 10.2.5 for over a year, there is a failure possibility of too much data being kept in the logs.
SDWANHELP-988: RADIUS and TACACS+ users are not able to generate diagnostic package from SD-WAN Center UI. Diagnostic package creation through terminal is failing for all users. The Configuration > Licensing option is not available on the SD-WAN Center UI.
SDWANHELP-1000: Whenever NetFlow is enabled with high availability (HA) setup, HA flap occurs due to lack of resource.
SDWANHELP-1023: SD-WAN service restarts can occur when the packets are incorrectly routed after NAT translation.
SDWANHELP-1035: Routes are not propagated correctly to remote sites via the MCN and RCN.
SDWANHELP-1042: SD-WAN crashes when user relaunches a published application which was disconnected in an existing HDX session and closes it.
SDWANHELP-1049: Virtual WAN virtual machine (VM) on XenServer based platforms might have large time offset over time. In this case, the time on the virtual WAN VM shows inaccurate after reboot.
SDWANHELP-1051: With license server versions less than v11.16.3, they might result in some denial-of-service (DOS) attacks impacting all legacy license servers less than 11.16.3.
SDWANHELP-1070: The time is not synced to the hardware clock after being changed. For example, manual time update or NTP time update.
SDWANHELP-1088: Some of the SD-WAN appliance GUI pages might become unresponsive if an appliance is rebooted after the PAC file feature is enabled.
SDWANHELP-1095: The FTP Application Layer Gateway (ALG) might not parse FTP sessions correctly if EPSV or EPRT modes are used causing a failure in the FTP session.
SDWANHELP-1112: BGP autonomous system (AS) number supports a 32bit number.
SDWANHELP-1113: Intermittently unable to access management GUI on WANOP only platforms after upgrading to 11.0.2.
SDWANHELP-1116: During configuration update we might miss sync event processing due to high availability (HA) flap, which might result the appliance in problem state, where route sync does not happen with other branches and results in network outage.
SDWANHELP-1123: When configuring a Routing Domain with only a DHCP interface, an audit error is displayed.
SDWANHELP-1160: The Citrix SD-WAN Center displays duplicate IP addresses under WAN links for a site in the Configuration Editor. The issue occurs when the fourth number in any two WAN link IP addresses starts with the same digit and varies by the number of digits like 4, 45, 486.
SDWANHELP-1164: On transferring the appliance settings from SD-WAN Center, if the password, in the appliance settings, contains dollar symbol followed by some character, then the transfer fails. For example, the passwords test$1, test$1$d will fail. But test1$ will work.
SDWANHELP-1169: The service gets aborted when a packet is scheduled for transmission for a DVP that is pending removal. The software erroneously tries to remove it from an empty packet list. The software has been updated.
SDWANHELP-1176: Due to some orphan entries in the configuration database, the GET API for config_editor/virtual_paths throws some exceptions along with the response. The Cascade Delete has been fixed to avoid the orphan database entries.
SDWANHELP-1189: During the software appliance upgrade, the installation process can fail on the SD-WAN 210 Standard Edition (SE) appliances. On the failure detection, the appliance automatically reboots to avoid the issue so the upgrade can proceed.
SDWANHELP-1201: The LTE modem can reboot on its own sporadically. On start of a data session, the modem keeps reporting an error - service is not supported. The fix is to automatically disable and re-enable the modem to recover the failure.
SDWANHELP-1385: The SD-WAN device serial number information might be lost and reset to Default string due to an issue in BIOS firmware v1.0b on SD-WAN 210 platform.
SDWANHELP-1365: In a High Availability GEO MCN setup with WAN-to-WAN forwarding enabled, an internet service down event might trigger an erroneous scenario wherein routes learned from Secondary GEO MCN take higher precedence than the Primary GEO MCN.
NSSDW-22847: The Multi-hop check box in BGP was shown checked in the SD-WAN UI by default when BGP is enabled. But the setting was not enabled unless the user disables and enables it back again.
NSSDW-25032: The Multiple Exit Discriminator (MED) was not advertised to the neighbor when a BGP policy is configured with MED metrics and bound to a neighbor. This issue was wrong network prefix (32) being set by the compiler.
NSSDW-25067: A warning message or a busy message is displayed when the LTE modem is disabled and re-enable it attempted before the operating mode has switched to Lower Power. The fix is to warn the user and show the current operating mode before performing the enable/disable operation.
NSSDW-25135: At times, during Zscaler deployment, wrong configurations were used to create the mapping. The issue occurs due to erroneous duplicate entries in the database. The fix ensures that there are no duplicate entries in the database.
NSSDW-25147: When the PPPoE feature is configured in SD-WAN appliances, the point-to-point protocol daemon (PPPD) runs to establish the PPPoE sessions. This configuration is vulnerable to CVE-2020-8597, a buffer overflow vulnerability. This issue is fixed starting from 11.1.0 release.
NSSDW-25440: Significant packet loss or network delays might be observed in Azure on instances with network acceleration enabled.
NSSDW-28971: Once you log into the SD-WAN appliances and virtual machines, you might gain root shell access with the 11.x based image using a hardcoded password. The affected SD-WAN platforms are 110 and VPXs provisioned with 11.x images. This is a CLI related issue and not applicable for GUI.
Known Issues
NSSDW-23264: Fetching a remote license fails if SD-WAN Center build is on 11.x whereas appliance build is on 10.x.
Workaround: Downgrade SD-WAN Center builds to the same as 10.x that SD-WAN appliance is configured with.
NSSDW-23132: After upgrade to 11.x, actual traffic interruption time might be very large value in seconds.
Workaround: Subsequent Change Management displays correct value, this is only a display problem.
NSSDW-23134: A consistent software push might happen while trying to add a site into the network when the network was just upgraded to 11.x.
Workaround: Perform Change Management once again.
NSSDW-23485: Cloud Direct does not allow operation if an active configuration on MCN has dot character in name.
Workaround: Update the configuration file name without including DOT.
SDWANHELP-1110: In a rare scenario, an interruption might be observed in the data-path service in the lower-end appliances (210/410) when short-lived Dynamic Virtual Paths are continuously created.
Workaround: Disable Dynamic Virtual Path (DVP) or adjust the configuration to avoid short-lived DVPs.
SDWANHELP-1159: Citrix SD-WAN doesn’t advertise the routes to the OSPF neighbor. This happens when the routes are changed at SD-WAN or virtual paths flap happens which causes virtual WAN routes to be resynced across the sites. In this case, if the link to OSPF peer is lossy, SD-WAN might enter a state where it never advertises the SD-WAN routes to OSPF neighbor.
Workaround: Stop and restart the virtual WAN service.
NSSDW-27727: Networks with VPX and VPXL instance using the IXGBEVF driver, used for certain Intel 10 GB NICs when SR-IOV is enabled, must not be upgraded to 11.0.3. This might result in a loss of connectivity. This issue is known to impact AWS instances with SR-IOV enabled.