Finally, MX16 code is available in public beta; here are the firmware release notes.
MX64/65 is listed for "Future Support" regarding AnyConnect:
I really love the NBAR-integration. Does anybody know if this will work in a combined network? Until now, this is / was only supported on networks including MS and MR (https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Network-Based_Application_Recogniti...)
EDIT: as always, Meraki docs are a great resource. Found out myself that it actually IS supported within a combined network: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Network-Based_Applica...
Upgrade is currently scheduled, eager to test this out!
2nd EDIT: I can see NBAR information from the MRs in that network, not from MX though...
@CptnCrnch - that's the gotcha right there for NBAR - MS390 switches... anyone touching them?
@UCcert Definitely working with the MS390s and seeing the customer base growing!!! ... BUT not with anything older than MS14.16 firmware O:)
Wifi6 AP --> MS390 --> MX ... FULL STACK NBAR!!! 🤯 🤓
Thanks for the announcement!!!
Here are some reminders to make sure your dashboard is READY to go!
How do I enable this feature? Prerequisites?
Navigate to Network-wide > General and set "Traffic analysis" to "Detailed: collect destination hostnames." This will add Traffic analytics to your Monitor tab the next time you refresh (Network-wide > Traffic analytics).
To enable the Hostname visibility feature:
Enabling hostname visibility will allow you to view statistics about specific hostnames and IP addresses that are visited by clients on your network.
What are the feature integrations? Where do I see this?
Network-wide > Traffic analytics
Network-wide > Clients > Application details
Security & SD-WAN > Firewall > Enforce Layer 7 deny rules
Wireless > Firewall and traffic shaping > Enforce Layer 7 deny rules
Traffic shaping rules
Security & SD-WAN > SD-WAN & traffic shaping > Traffic shaping rules > Enforce L7 traffic shaping policy
Wireless > Firewall and traffic shaping > Enforce L7 traffic shaping policy
Security & SD-WAN > SD-WAN & traffic shaping > SD-WAN policies > VPN traffic > Enforce L7 SD-WAN policy
Group policy rules
Network-wide > Group policies > Layer 7 firewall > Enforce Layer 7 deny rules
How do I verify whether an app classification is supported? Protocol Pack details?
The signatures supported by NBAR2 on devices are delivered via Protocol Packs. Refer to the NBAR2 Protocol Pack library for more details on the app support - link
For more information regarding the NBAR integration, please refer to the following cross-product documentation:
I upgraded a Z3C to 16.4 and enabled AnyConnect VPN support.
I connected to it from a Windows 10 machine and it has been rock solid for the last hour.
I also tested the AnyConnect VPN client on Android 11 and it works too.
I have tested both Meraki and AD authentication and both work as expected.
Good job Meraki!
I've noticed bizarre traffic blocks on iOS devices (iPhones) on an MX67W running MX16. Various sites (including the site that Apple downloads iOS updates from) get blocked with the message "categories" or even no log messages. This seems to have to do with NBAR since rolling back to MX15 allows the sites once more.
I want to upgrade my Z3C to MX16, so I can use AnyConnect, but the firmware tab says I'm on the newest release but that's only 15.44?
Can you help me understand why I can't upgrade to 16.x?
You're on the so-called "stable release". 16.4 is currently the "stable release candidate", so it has to be specifically chosen to be upgraded.
As mentioned, if you click the stable release candidate you will see the MX 16.xx version. We are waiting for this to become stable just to be on the safe side, although I am pretty desperate for a more reliable VPN.
@mags1892 the only change that will occur for it to move from release candidate to stable is more people using it. We use 16.14 on all our SD-WAN and internet edge MXs without issue.
@mags1892 Yes at several sites, HA pairs of MX84 and MX100 in routed mode. We have an HA pair of MX250s in VPN concentrator mode, but those are only on 16.12 as we upgrade them less frequently.
Upgraded to 16.14 and it's been a nightmare: the uplinks from one of the switches failed to both MX100s, I've had to use standard ports now. Waiting for new SFP transceivers.
However, now I am on, has anyone configured AnyConnect VPN to run on the same network as the client VPN tool?