MX 17.8 Release Out! - Fixed Throughput Issues with Certain Models

Mloraditch
Building a reputation

MX 17.8 Release Out! - Fixed Throughput Issues with Certain Models

This big one: Resolved an issue that resulted in MX84 and MX100 appliances having significantly reduced VPN throughput.

and a few others for 17.7 and some to match 16.16.3

 

Important notice

  • While Meraki appliances have traditionally relied on UDP port 7351 for cloud communication and TCP ports 80 and 443 for backup communications, with MX 16 we are beginning a transition to using TCP port 443 as the primary means for cloud connectivity. In order to ensure proper connectivity to the Meraki cloud after this upgrade, please ensure that traffic using TCP port 443 between 209.206.48.0/20 is allowed through any firewalls that may be deployed upstream of your Meraki appliances.
  • HTTP proxy, which allows default management traffic from MX appliances to be sent through a proxy, is deprecated on MX 16 and higher firmware versions.
  • The transition to Cisco Talos intelligence for our content filtering services means that some URL categories have changed names, some categories are no longer available, and multiple new categories are now available. Please review your configuration after upgrading to ensure content filtering is effectively tailored to your needs and deployment environment.

Legacy products notice

  • When configured for this version, Z1, MX60, MX60W, MX80, and MX90 devices will run MX 14.56.
  • When configured for this version, MX400 and MX600 devices will run MX 16.16.3.

Bug fixes

  • BGP stability improvements.
  • Resolved a case that resulted in MX appliances improperly routing traffic to clients behind an IPv6 static route.
  • Resolved several rare cases that could result in device reboots.
  • Resolved a rare case where port speed and duplex settings applied via the local status page would not be honored if settings had previously been configured on MX 12 or earlier.
  • Resolved a rare issue that could result in MX appliances performing content filtering lookups for an improperly derived URL when the certificate exchange used to establish an HTTPS connection was fragmented.
  • Corrected an issue that could result in dynamic DNS certificates used for AnyConnect VPN failing to renew.
  • Resolved an issue that could result in a disruption to traffic routing when configuration changes were made to MX appliances with a large number of AutoVPN routes.
  • Fixed an issue that could result in Z3(C) appliances erroneously showing an orange power LED while they were connected and online.
  • Corrected an issue that resulted in MX appliances not responding to ICMPv6 ping messages received on PPPoE WAN uplinks.
  • Resolved an issue that resulted in MX84 and MX100 appliances having significantly reduced VPN throughput.
  • Corrected an issue that resulted in the PoE status icons not being displayed in Dashboard for MX95 and MX105 appliances.

Known issues

  • After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions
  • Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page
  • Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
  • There is an increased risk of encountering device stability and performance issues on all platforms and across all configurations.

Other

  • MX appliances now support forwarding IPv6 no next header packets when configured in passthrough mode.
11 REPLIES 11
harmankardon
Getting noticed

Hoping this resolves what I believe to be a rebooting issue with some of our MX67C firewalls running 17.6 and 17.7.

nick025025025
Conversationalist

Unfortunately 17.8 did not resolve our site-to-site VPN throughput.  As of this moment, 16.16 and 17.8 wrecks our site-to-site VPN throughput.  Firmware 15 works just fine.

cmr
Kind of a big deal
Kind of a big deal

@nick025025025 what throughput issues are you seeing?  We've been using 16.x for many months and now 17.8 without obvious issues.

 

nick025025025
Conversationalist

I wish I could give you details.  Meraki has yet to identify the issue.  We have a simple setup, with one Meraki peer, and two non-Meraki VPN peers.  Issues are with the non-Meraki peers.  One is a cloud backup solution that chokes when on 16.x, and 17.8.  Revert back to 15.x and the performance returns.

cmr
Kind of a big deal
Kind of a big deal

That makes sense; we only have Meraki peers, hence having a different experience.

It is a bit ridiculous that it is taking this long to get a stable version like 15.  It has only been like 2 years.... Do they not have developers anymore to get a stable version?  One that will work well over VPN?  

Current stable version is 15.44 - Released May 26, 2022.

As most of the Meraki devices are running on this version, this is showing as stable version. 

 

Stable firmware version is decided by firmware version that is running in most  % of Meraki devices (based on millions of devices).If the number of meraki devices are running the firmware version 16.16 or 17.xx is higher , then these will be notified as stable version.

 

Every time updated firmware versions are notified to Meraki organization from backend, we can check the release notes and decides if we want to have that improvement or not. If we don't want it, we can certainly reject it and we will be never prompted for that firmware upgrade. When next firmware release is done, we may or may not get the prompt for firmware upgrade and we can cancel it if required.

 

 

cmr
Kind of a big deal
Kind of a big deal

@Pavithran 16.16 and 16.16.6 are both stable releases, see below from our dashboard:

Screenshot_20221013_205222.jpg

Ya... Its showing three versions for me.

 

Pavithran_0-1665693191864.png

 

cmr
Kind of a big deal
Kind of a big deal

@Pavithran If you upgraded to MX16 then the 15.44.3 would disappear, it only remains as you have some MXs on MX15.

Owen
Getting noticed

Did they fix the issue where the firewalls forward traffic on their LAN ports before configuration is applied when the MX reboots? Have only been waiting 4 years for that one to be fixed, oh well. Can't rush these things 🙄

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels