I have an HA pair of MX100 firewalls acting as VPN hubs for MXs at remote sites. They are in Passthrough/VPN concentrator mode (sitting between my main internet firewalls and core switches), currently running version MX14.53. Last night, an auto-upgrade was initiated that upgraded the pair to 17.10.2. Routing through these firewalls to the internet firewalls was impaired. Log messages on my core switches showed the EIGRP neighbor relationship between the core switches and internet firewalls (ASAs) going down/up every 2 minutes. This impaired routing situation also resulted in loss of communication from the VPN concentrators and all remote MX routers. Rolling back the firmware resolved the issue. I don't have any security policies that should have impaired this communication. Has anyone else run into this situation?
I don't really like the idea of having to stick to an old software version, but I also can't cripple the network either.
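The "down/up every 2 minutes" pattern on the core switches is the kind of thing worth quantifying before opening a support case, so here is an added example (not the poster's code or logs) that parses Cisco IOS `%DUAL-5-NBRCHANGE` syslog lines, pairs each down with the following up, and flags neighbors whose adjacency drops periodically. The log lines below are constructed sample data; the hostnames, addresses and VLAN are assumptions, and the exact message wording on a given IOS/ASA release may differ from the constructed lines.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines modelled on the Cisco IOS %DUAL-5-NBRCHANGE
# format (sample data for this example, not the poster's real logs).
# Neighbor 10.10.0.2 cycles roughly every two minutes; 10.10.0.3 drops once.
SAMPLE_LOG = """\
Mar 12 01:30:00 core-sw1 1201: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.3 (Vlan10) is down: holding time expired
Mar 12 01:30:05 core-sw1 1202: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.3 (Vlan10) is up: new adjacency
Mar 12 01:45:12 core-sw1 1203: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar 12 02:00:01 core-sw1 1204: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.2 (Vlan10) is down: holding time expired
Mar 12 02:00:09 core-sw1 1205: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.2 (Vlan10) is up: new adjacency
Mar 12 02:02:01 core-sw1 1206: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.2 (Vlan10) is down: holding time expired
Mar 12 02:02:08 core-sw1 1207: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.2 (Vlan10) is up: new adjacency
Mar 12 02:04:02 core-sw1 1208: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.2 (Vlan10) is down: holding time expired
Mar 12 02:04:10 core-sw1 1209: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.0.2 (Vlan10) is up: new adjacency
"""

# Syslog header timestamp, relay hostname, anything up to the NBRCHANGE body.
NBRCHANGE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?"
    r"%DUAL-5-NBRCHANGE: EIGRP-IPv4 (?P<asn>\d+): "
    r"Neighbor (?P<nbr>\S+) \((?P<iface>[^)]+)\) is (?P<state>up|down)"
)

Event = Tuple[datetime, str, str, str, str]  # (time, asn, neighbor, iface, state)


def parse_events(text: str) -> List[Event]:
    """Extract EIGRP neighbor up/down events; non-NBRCHANGE lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = NBRCHANGE_RE.match(line)
        if not m:
            continue
        # Syslog headers carry no year; strptime fills in 1900, fine for differences.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("asn"), m.group("nbr"), m.group("iface"), m.group("state")))
    events.sort(key=lambda e: e[0])
    return events


def flap_report(events: List[Event]) -> Dict[Tuple[str, str], dict]:
    """Per (neighbor, interface): number of down events, mean seconds between
    consecutive downs, and total seconds down (each down paired with the next up)."""
    report: Dict[Tuple[str, str], dict] = {}
    for ts, _asn, nbr, iface, state in events:
        entry = report.setdefault(
            (nbr, iface), {"downs": 0, "down_time_s": 0.0, "_down_times": [], "_down_since": None}
        )
        if state == "down":
            entry["downs"] += 1
            entry["_down_times"].append(ts)
            entry["_down_since"] = ts
        elif entry["_down_since"] is not None:
            entry["down_time_s"] += (ts - entry["_down_since"]).total_seconds()
            entry["_down_since"] = None
    for entry in report.values():
        downs = entry.pop("_down_times")
        entry.pop("_down_since")
        gaps = [(b - a).total_seconds() for a, b in zip(downs, downs[1:])]
        entry["mean_interval_s"] = sum(gaps) / len(gaps) if gaps else None
    return report


def flapping_neighbors(report: Dict[Tuple[str, str], dict],
                       min_downs: int = 3,
                       max_mean_interval_s: float = 300.0) -> List[Tuple[str, str]]:
    """Neighbors that dropped at least min_downs times with a mean gap no longer
    than max_mean_interval_s: a periodic cycle rather than a one-off holddown expiry."""
    return sorted(
        key for key, e in report.items()
        if e["downs"] >= min_downs
        and e["mean_interval_s"] is not None
        and e["mean_interval_s"] <= max_mean_interval_s
    )


if __name__ == "__main__":
    rep = flap_report(parse_events(SAMPLE_LOG))
    for key, e in sorted(rep.items()):
        print(key, e)
    print("flapping:", flapping_neighbors(rep))
```

Feeding a real export of the core switch syslog into `parse_events` in place of `SAMPLE_LOG` gives the same report; a mean interval near 120 s with several downs on the ASA-facing VLAN lines up with the "every 2 minutes" observation and is a concrete figure to hand to support alongside the firmware versions.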
Something doesn't sound quite right here, if VPNC MXs logically sit between your perimeter firewall and core switches - VPNCs should sit 'off to one side' of one of those two layers (usually the core routing, to make things simpler). If memory serves, EIGRP works at layer 2, so I'd expect a VLAN directly between the core and the firewalls, over which the EIGRP relationship is established. The VPNC MX might be connected to the same VLAN, but shouldn't be critical to the flow of that traffic (MX doesn't 'talk EIGRP'). Now - I'm not saying the MX and its firmware weren't directly involved in the issue though - if the problem started when the upgrade happened and was fixed as soon as you rolled back, it's hard to argue with that - but I'd maybe look a bit deeper into your architecture. I'd recommend talking further with Support on that, if need be - but maybe with your Meraki account TSA too?