Release Notes for Cisco IOS XE SD-WAN Release 16.11.x and Cisco SD-WAN Release 19.1.x


These release notes accompany the Cisco IOS XE SD-WAN Software Release 16.11, which provides Cisco SD-WAN capabilities for Cisco IOS XE SD-WAN routers, and the compatible Cisco SD-WAN Software Release 19.1 for Cisco SD-WAN controller devices—including vSmart controllers, vBond orchestrators, vManage NMS, and vEdge routers.

New and Enhanced Software Features

New Features

  • Additional DHCP options–This release adds support on vEdge routers for DHCP server options 43 and 191, which you can use when you configure the IP addresses of a default gateway, DNS server, and TFTP server in the service-side network and the network mask of the service-side network.

  • Advanced Malware Protection (AMP) integration–Equips SD-WAN platforms to provide protection and visibility through stages of the malware lifecycle, before, during, and after.

  • Cisco PKI support for SD-WAN controllers–Support for migration from Symantec certificates to Cisco-signed certificates.

  • CLI template support–This release supports the use of a CLI template for deploying IOS-XE SD-WAN routers.

  • Cloud onRamp Auto-scale support for AWS–This feature provides an AWS Transit-VPC architecture that dynamically discovers all of the applications (host VPCs) that are running in any specific AWS region, creates a transit VPC with vEdge Cloud, and then maps the applications to specific VPN segments.

  • Cloud OnRamp configuration for IaaS–Extends the fabric of the Cisco SD-WAN overlay network into public clouds by creating Cloud vEdges or Cisco Cloud Services Routers (CSRs), which provide the connectivity to cloud applications that customers host on these public clouds.

  • Container reload and reboot–The container reload feature lets you re-install a snort container image, and the container reboot feature lets you stop and then start a snort container.

  • Custom packaging for Cloud onRamp for CoLocation–You can now edit VM packages to update default configuration items.

  • Customizable service chain for Cloud onRamp for CoLocation–You can now create a customizable service chain with day0 configurations.

  • Forward-directed broadcast packets–You can configure forwarding of IP-directed broadcast packets for vEdge routers on selected LAN interfaces.

  • Forward error correction–You can configure forward error correction (FEC) on IOS-XE SD-WAN routers, which provides for the recovery of lost packets on a link by sending extra “parity” packets for every group (N) of packets.

  • IPv6 for transport–This release supports the configuration of IPv6 on IOS-XE SD-WAN routers for Gigabit Ethernet, PPPoA, PPPoE, IPoE, Cellular, Multilink, and T1/E1 interfaces.

  • ISR 4461–This release adds support for the Cisco ISR 4461, a new member of the Cisco 4000 Integrated Services Router series.

  • Micro-tenancy RBAC by VPN–You can create sub-tenants for a tenant, based on a VPN or groups of VPNs. A device at a site can be configured with multiple sub-tenants (VPNs).

  • NAT64–This release supports NAT64 to facilitate communication between IPv4 and IPv6 IOS-XE SD-WAN routers.

  • Serial file allowed list validation–Provides validation of a device serial file that vManage sends to vBond or vSmart to ensure that the file has not been tampered with.

  • Standard IPSEC support–This release provides support for standard IPSEC (IKEv1/IKEv2) tunnels over a service VPN for IOS-XE SD-WAN routers.

  • Support for enterprise certificates–vEdge and IOS-XE-SD-WAN routers support enterprise certificates for device verification.

  • Support for EIGRP–This release adds support for Enhanced Interior Gateway Routing Protocol (EIGRP) on the service side for IPv4 for IOS-XE SD-WAN routers.

  • SWIM support for all devices in a Cloud onRamp for CoLocation cluster–vManage provides image management for an entire Cloud onRamp for CoLocation cluster.

New and Enhanced Hardware Features

New Features

  • Support for ISR 4461: The Cisco IOS XE SD-WAN software runs on the ISR 4461 beginning with IOS XE SD-WAN Release 16.11.

Important Notes, Known Behavior, and Workarounds

  • Devices operating with Cisco SD-WAN XE 16.11.1a cannot be downgraded to 16.10.4.

  • Use of port-channels on the Service Side VPN is not supported on Cisco IOS XE SD-WAN devices.

  • Bridge Domain Interface (BDI) is not supported on the Cisco ASR1000.

Resolved and Open Bugs

About the Cisco Bug Search Tool

Use the Cisco Bug Search Tool to access open and resolved bugs for a release.

The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.

You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.

Resolved Bugs

All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved Bug Search.

Bug ID



ENH - all user groups for cEdge are configured with same privilege 15


cEdge: Control connections fail if DNS server is not reachable thru one TLOC interface in ECMP


The requirement to shutdown Dialer interface before its deletion causes an issue for vManage


Not able to restart config-db after cleaning up disk space issue under /opt/data


vManage needs to adjust memory threshold for warnings on cEdge platform


Login banner does not take me to next line when I give '\n' for cEdge devices.


NTP template attach fails with a non default vrf and source interface configured


ASR-1002-HX crash at headend running 16.9.3


Timeout Seen When Previewing Policy Using UI Policy Builder


ping and traceroute functionality to bypass routing and specify next-hop for SDWAN fabric tshoot


monitor/network/wan/tunnel - real time table columns are reverse selection


cedge_cli_template: Unable to move interface from global vpn


No fallback to datacenter when INET link is down


MIPS images writing a bunch of FP printf() output to main console


Adjust NAT timeout values in vManage templates for cEdge


vEdge-1000 using DIA and ZBFW having issues intermittenly with iframes of specific site after zbfw s


linux_iosd memory goes up on ISR1100 over extended soak


SPF type5 LSA might not be flushed with overlapping prefixes


allow service SNMP in the Tunnel properties in VPN Interface template


omp route tag shown up incorrectly in IOS rib database


ISR ipv6/dhcp tloc got DCONFAIL failure when connecting to vbond


vpn 65538 [ umbrella ] missing when upgrading from 16.9 to 16.11


Fixing Renewal/Revocation of enterprise certs on cEdge- follow up commit of CSCvo36029

Open Bugs

All open bugs for this release are available in the Cisco Bug Search Tool through the Open Bug Search.

Bug ID



Deleting a segment on network builder doesn't delete the segment completely


Setting "Collect admin-tech on reboot" to On in System Feature template does not work for cedge


cEdge VRF ID changes removes the VRRP virtual IP from IOSD and not from confd


workaround for failure to update ikev1 to ikev2 config from vmanage.


vManage-UTD: In security dashboard, issues in displaying signature names


BGP Oper model rpc reply error with aggregate bgp ipv6 route.


MT Cluster: Failed to commit Kafka Error seen on one of the vManage during any device operation


Unable to generate config preview if secondary IP add is added when primary is dynamic


Need next hop use interface together with address as option for the ipv6 static route


Template push is failing with max character (2048) values for banner template


Enabling/Disabling overlay-as under omp causes service BGP route to be removed from omp.


Redistribute bgp and ospf with route policy from Eigrp template fails to attach to the cEdge device


XE router crashed while un-configuring vrf vpn configuration


Unable to attach ipv6 acl to SVI interface which is used under transport VPN


Unable to support default value for VRRP timer on VPN interface Ethernet template


cEdge ISRv Certificate installation is failing with RPC error


vEdge x86 and mips file sizes have grown almost double from 18.4 branch to 19.1 branch


OSPF Feature Template : Area nssa summary and translate not configured on CSR


Control Node down , Control Site Down Alarms missing on graceful shutdown of transport interfaces


cEdge - Template attach fails for a cedge device if theres a central policy with cflowd activated


TAIL-F: Passwords more than 32 characters in length fail when doing push from vManage (CSCvo93386)


Centralized Policy APIs providing incorrect results for isActivatedByVsmart and reference count


snmp-server trap-source configuration is not generated for cEdge by vManage


IPv4 Control connection flaps when WAN transport interface configured ipv6 address


Cedge-vManage-19.1 - vManage radio button for turning off Tunnel fails and throws error message


upgrade fail on ISRv with only 2 images in system due to cdb space issue


config preview fails when bandwidth & clock rate set to global on T1/E1 interface template


banner multiline tag is causing an issue with the quotes


Upper/lower case of Ipv6 address from template attach may cause device go offline


NTP template attach is missing source interface when non default vrf and source interface configured


Vedge 1k running 19.2.1 constantly reboots with the reason "USB controller disabled or enabled"

ROMmon Requirements Matrix

The following table lists the minimum ROMmon versions supported on the corresponding devices and releases:

Table 1. ROMmon Versions


ROMmon Version for 16.10 Devices

ROMmon Version for 16.11 Devices




ISR 4000



ISR 1000




ROMmon auto-upgrade is supported on the ISR 4000 series routers, beginning with 16.9.1 and all subsequent releases/throttles.


ROMmon auto-upgrade is supported on the ISR 1000 series routers, beginning with 16.10.3 and 16.12.1b.


For the ISR 1000 series routers, ROMmon version 16.8(1r) is not compatible with 16.10 releases and ROMmon version 16.9(1r) is not compatible with 16.9 releases. If an ISR 1000 series router is upgraded to a 16.10 release without auto-upgrade support, the user must upgrade ROMmon to 16.9(1r) or later.

The ISRv router is running the minimum required version of the CIMC and NFVIS software, as shown in the following table.

Table 2. Minimum CIMC and NFVIS Software Versions for ISRv Routers

Hardware Platform