MX16.4 is here.... release notes

Kind of a big deal

MX16.4 is here.... release notes

Finally MX16 code is available in public beta, here are the firmware release notes.


Important notice

  • This is an early-stage beta version for the MX 16 release. Due to this, we recommend taking additional caution before upgrading production appliances. Where applicable, MX 15 or MX 14 releases will provide a more stable upgrade alternative.
  • Due to a regression currently under investigation, MX appliances may be unable to establish cellular connectivity on both integrated cellular modems and external USB modems. We recommend that customers that rely on cellular connectivity in their deployments wait until a later MX 16 release to upgrade.

Legacy products notice

  • When configured for this version, Z1, MX60, MX60W, MX80, and MX90 devices will run MX 14.55.

Mx 16 new feature highlights

  • Added support for Cisco AnyConnect client VPN on Z3(C), MX67(C,W), MX68(W,CW), MX84, MX100, MX400, MX600, MX250, and MX450 appliances.
  • Added Network-Based Application Recognition (NBAR) integration.

Bug fixes

  • Stability improvements for MX67(C,W) and MX68(W,CW) platforms
  • Corrected an issue that resulted in MX appliances incorrectly using their WAN interface MAC address when 1) the MX appliances are configured in high availability, 2) the MX appliances are configured as one-armed VPN concentrators, and 3) traffic was being sourced from the shared virtual IP. MX appliances will now properly use the virtual MAC address in these cases.
  • Fixed an issue that could cause IDS/IPS rule lists to not update.
  • Updated the AnyConnect VPN service
  • Corrected an issue that could cause the IDS/IPS process from not restarting properly after a configuration update.
  • Resolved an issue where DNS responses directing clients to a content filtering blocked page were improperly forwarded to the WAN network when an MX was configured as a passthrough appliance or one-armed VPN concentrator.
  • Mitigated an issue that resulted in traffic flows being incorrectly mapped to a secondary WAN interface during the bootup process of MX appliances.
  • Fixed an issue that resulted in traffic from client devices connected through an AnyConnect client VPN connection to MX appliances configured as one-armed VPN concentrators not being processed correctly.
  • Resolved an issue when 1) Client VPN is enabled and 2) an MX appliance is configured in one-armed VPN concentrator mode, the MX appliance may be unable to establish connection to the Meraki Dashboard after a reboot.
  • Security and stability improvements

Known issues

  • After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions
  • Some stability-impacting issues present in MX 14 that affect a small population of MX67(C,W) and MX68(W,CW) appliances still exist.
  • Some stability-impacting issues present in MX 14 that affect a small population of Z3(C) appliances still exist.
  • Please note that until certification has been obtained, the Z3C will not be supported on Verizon's network.
  • World-wide device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed in North America and North America device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed outside of North America.
  • When deployed in warm spare / high availability (HA), MX67C and MX68CW do not support using their cellular connectivity to pass client traffic. In this deployment, the cellular connectivity can only be used for device monitoring or network troubleshooting. This is an expected limitation for these platforms.
  • MX67C, MX68CW, and Z3C units must be connected to the Meraki Dashboard initially to retrieve an update to allow for proper use of the integrated cellular connectivity. This is most likely to be an issue when bringing the units online for the very first time.
  • On the MX67(C,W) and MX68(W,CW) platforms, when the MX is providing PoE to a connected device, this information will not be reflected on the Meraki Dashboard.
  • Due to MX 15 regressions, USB cellular connectivity may be less reliable on some modems
  • Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page
  • Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
  • Significant performance regressions for VPN traffic may be observed on MX84 and MX100 appliances
  • Group policies do not correctly apply to client devices
  • Z3(C) appliances that are upgraded to MX 16 versions cannot directly downgrade to MX 14 releases. They must first downgrade to an MX 15 release.
  • MX IDS security alerts are not detected for Anyconnect VPN traffic
  • BGP-learned routes may not be properly reflected in the Route Table page on the Meraki Dashboard, despite BGP and packet routing operating correctly.
  • There is an increased risk of encountering device stability issues on all platforms and across all configurations.
19 Replies 19
Kind of a big deal
Kind of a big deal

Note that MX64/65 though apparently able to run MX16, do not support AnyConnect yet...

Kind of a big deal
Kind of a big deal

Here to help

Some good features in there. Always being asked about the VPN Client choice for Meraki.

I really love the NBAR-integration. Does anybody know if this will work in a combined network? Until now, this is / was only supported on networks including MS and MR (


EDIT: as always, Meraki docs are a great ressource. Found out myself that is actually IS supported within a combined network:

Upgrade is currently scheduled, eager to test this out!


2nd EDIT: I can see NBAR information from the MRs in that network, not from MX though...

Kind of a big deal
Kind of a big deal

@CptnCrnch  - thats the gotcha right there for NBAR - MS390 switches......anyone touching them?

Darren OConnor |

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Kind of a big deal
Kind of a big deal

Hopefully NBAR will be ported to other edge switches like the MS355, MS225 and MS210 at least, we cold then test it!

@DarrenOC Definitely working with the MS390s and seeing the customer base growing!!! ... BUT not with anything older than MS14.16 firmware O:) 

Wifi6 AP --> MS390 --> MX ... FULL STACK NBAR!!! 🤯  🤓

Meraki Employee
Meraki Employee

Thanks for the announcement!!!

Here are some reminders to make sure your dashboard is READY to go!

How do I enable this feature? Prerequisites?


Navigate to Network-wide > General and set "Traffic analysis" to "Detailed: collect destination hostnames." This will add Traffic analytics to your Monitor tab the next time you refresh (Network-wide > Traffic analytics). 




To enable the Hostname visibility feature:

  1. Navigate to Network-wide > General.
  2. Select "Traffic analysis enabled" from the Traffic analysis drop-down menu located in the Traffic analysis section.
  3. Select “Report specific hostnames” from the Hostname visibility drop-down menu. 
  4. Click Save Changes


Enabling hostname visibility will allow you to view statistics about specific hostnames and IP addresses that are visited by clients on your network. 


What are the feature integrations? Where do I see this?


Application Tracking 

  • Network-wide > Traffic analytics

  • Network-wide > Clients > Application details

Firewall rules

  • Security & SD-WAN > Firewall > Enforce Layer 7 deny rules

  • Wireless > Firewall and traffic shaping > Enforce Layer 7 deny rules

Traffic shaping rules

  • Security & SD-WAN > SD-WAN & traffic shaping > Traffic shaping rules > Enforce L7 traffic shaping policy

  • Wireless > Firewall and traffic shaping > Enforce L7 traffic shaping policy

SD-WAN policy

  • Security & SD-WAN > SD-WAN & traffic shaping > SD-WAN policies > VPN traffic > Enforce L7 SD-WAN policy

Group policy rules

  • Network-wide > Group policies > Layer 7 firewall > Enforce Layer 7 deny rules

  • Network-wide > Group policies > Traffic shaping > Enforce L7 traffic shaping policy


How do I verify whether an app classification is supported? Protocol Pack details?

The signatures supported by NBAR2 on devices are delivered via Protocol Packs. Refer to the NBAR2 Protocol Pack library for more details on the app support - link  



For more information regarding the NBAR integration, please refer to the following cross-product documentation:

Happy NBAR'ing!!!


A model citizen

I upgraded a Z3C to 16.4 and enabled Anyconnect VPN support.

I connected to it from a Windows 10 machine and it has been rock solid for the last hour.

I also tested the Anyconnect VPN client on Android 11 and it works too.

I have tested both Meraki and AD authentication and both work as expected.

Good job Meraki!

Here to help

I've noticed bizarre traffic blocks on iOS devices (iPhones) on an MX67W running MX16. Various sites (including the site that Apple downloads iOS updates from) get blocked with the message "categories" or even no log messages. This seems to do with NBAR since rolling back to MX15 allows the sites once more.




I want to upgrade my Z3C to MX16, so I can use AnyConnect, but the firmware tab says I'm on the newest release but thats only 15.44? 


Can you help me understand why I cant upgrade to 16.x? 






Kind of a big deal
Kind of a big deal

You're on the so called "stable release". 16.4 is currently the "stable release candidate", so it has to be specifically chosen to be upgraded.

Seems release client is 16.14 here 

As mentioned if you click the stable release candidate you will see the mx 16.xx version. we are waiting for this to become stable just to be on the safe side, although i am pretty desperate for a more reliable vpn .

Kind of a big deal
Kind of a big deal

@mags1892 the only change that will occur for it to move from release candidate to stable is more people using it.  We use 16.14 on all our SD-WAN and internet edge MXs without issue.

@cmr Are you running a primary and spare mx ?

Kind of a big deal
Kind of a big deal

@mags1892 Yes at several sites, HA pairs of MX84 and MX100 in routed mode.  We have an HA pair of MX250s in VPN concentrator mode, but those are only on 16.12 as we upgrade them less frequently.

Here to help

Do you know when it will be released the firmware that supports more than 2 WANs in the MX ?

Here to help

Upgraded to 16.14 and its been a nightmare the uplnks from one of the switches failed to both mx100s, iva had to use standard ports now. waiting for new sfp transceivers.

However now i am on has anyone configured anyconnect vpn to run on the same network as the client vpn tool ? 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.