MX16.4 is here.... release notes

Bruce · ‎03-09-2021

Finally MX16 code is available in public beta, here are the firmware release notes.

Important notice

This is an early-stage beta version for the MX 16 release. Due to this, we recommend taking additional caution before upgrading production appliances. Where applicable, MX 15 or MX 14 releases will provide a more stable upgrade alternative.
Due to a regression currently under investigation, MX appliances may be unable to establish cellular connectivity on both integrated cellular modems and external USB modems. We recommend that customers that rely on cellular connectivity in their deployments wait until a later MX 16 release to upgrade.

Legacy products notice

When configured for this version, Z1, MX60, MX60W, MX80, and MX90 devices will run MX 14.55.

Mx 16 new feature highlights

Added support for Cisco AnyConnect client VPN on Z3(C), MX67(C,W), MX68(W,CW), MX84, MX100, MX400, MX600, MX250, and MX450 appliances.
Added Network-Based Application Recognition (NBAR) integration.

Bug fixes

Stability improvements for MX67(C,W) and MX68(W,CW) platforms
Corrected an issue that resulted in MX appliances incorrectly using their WAN interface MAC address when 1) the MX appliances are configured in high availability, 2) the MX appliances are configured as one-armed VPN concentrators, and 3) traffic was being sourced from the shared virtual IP. MX appliances will now properly use the virtual MAC address in these cases.
Fixed an issue that could cause IDS/IPS rule lists to not update.
Updated the AnyConnect VPN service
Corrected an issue that could cause the IDS/IPS process from not restarting properly after a configuration update.
Resolved an issue where DNS responses directing clients to a content filtering blocked page were improperly forwarded to the WAN network when an MX was configured as a passthrough appliance or one-armed VPN concentrator.
Mitigated an issue that resulted in traffic flows being incorrectly mapped to a secondary WAN interface during the bootup process of MX appliances.
Fixed an issue that resulted in traffic from client devices connected through an AnyConnect client VPN connection to MX appliances configured as one-armed VPN concentrators not being processed correctly.
Resolved an issue when 1) Client VPN is enabled and 2) an MX appliance is configured in one-armed VPN concentrator mode, the MX appliance may be unable to establish connection to the Meraki Dashboard after a reboot.
Security and stability improvements

Known issues

After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions
Some stability-impacting issues present in MX 14 that affect a small population of MX67(C,W) and MX68(W,CW) appliances still exist.
Some stability-impacting issues present in MX 14 that affect a small population of Z3(C) appliances still exist.
Please note that until certification has been obtained, the Z3C will not be supported on Verizon's network.
World-wide device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed in North America and North America device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed outside of North America.
When deployed in warm spare / high availability (HA), MX67C and MX68CW do not support using their cellular connectivity to pass client traffic. In this deployment, the cellular connectivity can only be used for device monitoring or network troubleshooting. This is an expected limitation for these platforms.
MX67C, MX68CW, and Z3C units must be connected to the Meraki Dashboard initially to retrieve an update to allow for proper use of the integrated cellular connectivity. This is most likely to be an issue when bringing the units online for the very first time.
On the MX67(C,W) and MX68(W,CW) platforms, when the MX is providing PoE to a connected device, this information will not be reflected on the Meraki Dashboard.
Due to MX 15 regressions, USB cellular connectivity may be less reliable on some modems
Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page
Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
Significant performance regressions for VPN traffic may be observed on MX84 and MX100 appliances
Group policies do not correctly apply to client devices
Z3(C) appliances that are upgraded to MX 16 versions cannot directly downgrade to MX 14 releases. They must first downgrade to an MX 15 release.
MX IDS security alerts are not detected for Anyconnect VPN traffic
BGP-learned routes may not be properly reflected in the Route Table page on the Meraki Dashboard, despite BGP and packet routing operating correctly.
There is an increased risk of encountering device stability issues on all platforms and across all configurations.

cmr · ‎03-09-2021

Note that MX64/65 though apparently able to run MX16, do not support AnyConnect yet...

CptnCrnch · ‎03-09-2021

MX64/65 is listed for "Future Support" regarding AnyConnect:

https://documentation.meraki.com/Meraki_Internal/Draft_Articles/AnyConnect_on_MX_Security_Appliance

Kev_Almond · ‎03-10-2021

Some good features in there. Always being asked about the VPN Client choice for Meraki.

CptnCrnch · ‎03-10-2021

I really love the NBAR-integration. Does anybody know if this will work in a combined network? Until now, this is / was only supported on networks including MS and MR (https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Network-Based_Application_Recogniti...)

EDIT: as always, Meraki docs are a great ressource. Found out myself that is actually IS supported within a combined network:https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Network-Based_Applica...

Upgrade is currently scheduled, eager to test this out!

2nd EDIT: I can see NBAR information from the MRs in that network, not from MX though...

UCcert · ‎03-10-2021

@CptnCrnch - thats the gotcha right there for NBAR - MS390 switches......anyone touching them?

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

cmr · ‎03-10-2021

Hopefully NBAR will be ported to other edge switches like the MS355, MS225 and MS210 at least, we cold then test it!

DashboardDunce · ‎03-10-2021

@UCcert Definitely working with the MS390s and seeing the customer base growing!!! ... BUT not with anything older than MS14.16 firmware O:)

Wifi6 AP --> MS390 --> MX ... FULL STACK NBAR!!! 🤯 🤓

DashboardDunce · ‎03-10-2021

@Bruce!
Thanks for the announcement!!!

Here are some reminders to make sure your dashboard is READY to go!

How do I enable this feature? Prerequisites?

Navigate to Network-wide > General and set "Traffic analysis" to "Detailed: collect destination hostnames." This will add Traffic analytics to your Monitor tab the next time you refresh (Network-wide > Traffic analytics).

To enable the Hostname visibility feature:

Navigate to Network-wide > General.
Select "Traffic analysis enabled" from the Traffic analysis drop-down menu located in the Traffic analysis section.
Select “Report specific hostnames” from the Hostname visibility drop-down menu.
Click Save Changes

Enabling hostname visibility will allow you to view statistics about specific hostnames and IP addresses that are visited by clients on your network.

What are the feature integrations? Where do I see this?

Application Tracking

Network-wide > Traffic analytics
Network-wide > Clients > Application details

Firewall rules

Security & SD-WAN > Firewall > Enforce Layer 7 deny rules
Wireless > Firewall and traffic shaping > Enforce Layer 7 deny rules

Traffic shaping rules

Security & SD-WAN > SD-WAN & traffic shaping > Traffic shaping rules > Enforce L7 traffic shaping policy
Wireless > Firewall and traffic shaping > Enforce L7 traffic shaping policy

SD-WAN policy

Security & SD-WAN > SD-WAN & traffic shaping > SD-WAN policies > VPN traffic > Enforce L7 SD-WAN policy

Group policy rules

Network-wide > Group policies > Layer 7 firewall > Enforce Layer 7 deny rules
Network-wide > Group policies > Traffic shaping > Enforce L7 traffic shaping policy

How do I verify whether an app classification is supported? Protocol Pack details?

The signatures supported by NBAR2 on devices are delivered via Protocol Packs. Refer to the NBAR2 Protocol Pack library for more details on the app support - link

For more information regarding the NBAR integration, please refer to the following cross-product documentation:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Network-Based_Applica...

Happy NBAR'ing!!!

jbright · ‎03-10-2021

I upgraded a Z3C to 16.4 and enabled Anyconnect VPN support.

I connected to it from a Windows 10 machine and it has been rock solid for the last hour.

I also tested the Anyconnect VPN client on Android 11 and it works too.

I have tested both Meraki and AD authentication and both work as expected.

Good job Meraki!