MX100 firmware upgrade broke eigrp

SOLVED
RANT
Comes here often

MX100 firmware upgrade broke eigrp

I have an HA pair of MX100 firewalls acting as VPN hubs for MXs at remote sites. They are in Passthrough/VPN concentrator mode (sitting between my main internet firewalls and core switches), currently running version MX14.53. Last night, an auto-upgrade was initiated that upgraded the pair to 17.10.2. Routing through these firewalls to the internet firewalls was impaired. Log messages on my core switches showed the EIGRP neighbor relationship between the core switches and internet firewalls (ASAs) going down/up every 2 minutes. This impaired routing situation also resulted in loss of communication form the VPN concentrators and all remote MX routers. Rolling back the firmware resolved the issue. I don't have any security policies that should have impaired this communication. Has anyone else ran into this situation?

I don't really like the idea of having to stick to an old software version, but I also can't cripple the network either.

1 ACCEPTED SOLUTION
alemabrahao
Kind of a big deal

@RANT 

First I strongly recommend downgrading to version 16.16.6, if you look we have several other threads open related to instabilities from version 17.10.x.

Meraki even removed version 17.10.1 from the stable release list and 17.10.2 is a stable release candidate.

View solution in original post

5 REPLIES 5
GreenMan
Meraki Employee

Something doesn't sound quite right here, if VPNC MXs logically sit between your perimeter firewall and core switches - VPNCs should sit 'off to one side' of one of those two layers  (usually the Core routing, to make things simpler)   If memory serves, EIGRP works layer 2, so I'd expect a VLAN directly between the Core and the firewalls, over which the EIGRP relationship is established.   The VPNC MX might be connected to the same VLAN,  but shouldn't be critical to the flow of that traffic (MX doesn't 'talk EIGRP')
Now - I'm not saying the MX and its firmware wasn't directly involved in the issue though - if the problem started when the upgrade happened and was fixed as soon as you rolled back it's hard to argue with that - but I'd maybe look a bit deeper into your architecture.   I'd recommend talking further with Support on that, if needs be - but maybe with your Meraki account TSA too..?

alemabrahao
Kind of a big deal

@RANT 

First I strongly recommend downgrading to version 16.16.6, if you look we have several other threads open related to instabilities from version 17.10.x.

Meraki even removed version 17.10.1 from the stable release list and 17.10.2 is a stable release candidate.

@alemabrahao sorry to disagree, but not everything is going wrong because of 17.x. 😉

I performed a lot of tests with this version, and It has a lot of issues, like performance, VPNs, etc.

In this case, @GreenMan's explanations make perfect sense.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels