MX64 | IPSec VPN issue after upgrading firmware from 14.x to 18.x

Nolan_Nguyen
New here

Dear all,

I'm Nolan.

I'm seeking your advice on this issue:

Previous situation:

  • MX64 (network: CRESCENT MALL) was running firmware version 14.x
  • MX64 successfully established an IPSec Site-to-Site VPN tunnel to a VM hosted on FPT Cloud (Vietnam)
  • On the MRs, we have configured WiFi authentication via RADIUS, pointing to the AD Server hosted on that VM
  • Everything worked properly without any issues

Current situation:

  • After upgrading the MX64 to firmware version 18.x
  • The IPSec VPN tunnel can still be established successfully
  • However, WiFi users are no longer able to authenticate via RADIUS
  • Using Wireshark, we noticed that the VPN packet size is larger than MTU allowed over the VPN, which may cause packet drops during AD authentication

As I checked with the Support Team → the non-Meraki site-to-site VPN MTU is set to 1400 for this MX64... and adjusting the MTU requires MX 19.1.11 or higher firmware

→ replacing the MX64 or reconfiguring the AD server (FPT VM) are currently not good options due to customer policy

→ I just wonder: is the IPSec VPN MTU in firmware 14.x different from the MTU in firmware 18.x?

Thank you for your support!

--

Nolan Nguyen (Mr.)

3 Replies
alemabrahao
Kind of a big deal

I believe you installed version 19.1.11, which allows legacy MX systems to run version 18.107.13, correct?

There are some known bugs in this version. Please check this.

Known issues

  • During the upgrade process, MX appliances upgrading from version prior to MX 19 may experience a failure to properly classify traffic. This issue will be resolved once the appliance has completed the upgrade to MX 19. (MX-36307)
  • Due to an issue under investigation, MX appliances may incorrectly route traffic destined to subnets learned through eBGP over a Non-Meraki VPN connection. (MX-34803)
  • When failover is configured between non-Meraki VPN tunnels, the Route Table page on Dashboard may incorrectly show the route for the primary VPN tunnel is inactive. (MX-36316)
  • During the upgrade process, MX appliances upgrading from versions prior to MX 19 will experience a failure to connect to non-Meraki VPN peers if any VPN peer names contain a space. This issue will be resolved once the appliance has completed the upgrade to MX 19. (MX-36312)

I suggest you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Nolan_Nguyen
New here

Hi alemabrahao,

Thank you for your information.

As I checked last month, this MX64 only allows firmware 18.xxx.
I will check with the user on the firmware upgrade by tomorrow.

It would be better if I could upgrade it to 19.xxx.

Thank you!

PhilipDAth
Kind of a big deal

The problem with RADIUS is that it uses UDP and does not respect TCP MTU settings. This is especially painful when using certificate-based authentication, which creates large RADIUS packets.

There is a RADIUS attribute called Framed-MTU. You configure this on your RADIUS server. It tells the supplicant (aka the AP) what MTU to use.
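Editor's worked example, added to this thread and not taken from any of the replies above or from Meraki/Microsoft code: it ties together the 1400-byte tunnel MTU Nolan reports from Support and the Framed-MTU attribute PhilipDAth mentions. The attribute type numbers (Framed-MTU = 12, State = 24, EAP-Message = 79, Message-Authenticator = 80) and the 253-byte attribute value limit come from RFC 2865, RFC 2869 and RFC 3579; the overhead model (IPv4 + UDP + 20-byte RADIUS header, one 18-byte Message-Authenticator, EAP fragment split across EAP-Message attributes) is an assumption that ignores any extra attributes the real server adds, so treat the numbers as an upper bound on the usable EAP fragment size, not as a vendor recommendation. The 1344 value used in the demo is constructed for illustration.

```python
"""Size a RADIUS/EAP exchange against a fixed path MTU and encode/decode Framed-MTU.

Added example; attribute codes per RFC 2865/2869/3579, overhead model is an assumption.
"""
import struct

# Attribute type codes (RFC 2865 sec. 5, RFC 2869, RFC 3579)
FRAMED_MTU = 12
STATE = 24
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
ACCESS_CHALLENGE = 11          # RADIUS code used for EAP round trips

RADIUS_HEADER_LEN = 20         # code, identifier, length, 16-byte authenticator
IPV4_HEADER_LEN = 20           # assumption: no IP options
UDP_HEADER_LEN = 8
MAX_ATTR_VALUE_LEN = 253       # one-byte length field minus the 2-byte TLV header
MESSAGE_AUTH_ATTR_LEN = 18     # type + length + 16-byte HMAC-MD5


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: Type(1) Length(1, includes header) Value."""
    if len(value) > MAX_ATTR_VALUE_LEN:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def encode_framed_mtu(mtu: int) -> bytes:
    """Framed-MTU is a 32-bit integer; RFC 2865 allows 64..65535."""
    if not 64 <= mtu <= 65535:
        raise ValueError("Framed-MTU out of range")
    return encode_attribute(FRAMED_MTU, struct.pack("!I", mtu))


def encode_eap_message(eap_packet: bytes) -> bytes:
    """Split an EAP packet across consecutive EAP-Message attributes (RFC 3579 3.1)."""
    return b"".join(
        encode_attribute(EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE_LEN])
        for i in range(0, len(eap_packet), MAX_ATTR_VALUE_LEN)
    )


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Prepend the 20-byte RADIUS header; Length covers header plus attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(attrs)) + authenticator + attrs


def decode_attributes(body: bytes) -> list:
    """Walk the TLVs defensively: reject a length that overruns the buffer."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def framed_mtu_from(body: bytes):
    """Return the Framed-MTU integer if present, else None."""
    for attr_type, value in decode_attributes(body):
        if attr_type == FRAMED_MTU:
            if len(value) != 4:
                raise ValueError("Framed-MTU must be 4 bytes")
            return struct.unpack("!I", value)[0]
    return None


def radius_datagram_size(eap_fragment_len: int, extra_attr_len: int = 0) -> int:
    """Inner IPv4 datagram size carrying one EAP fragment plus Message-Authenticator."""
    chunks = -(-eap_fragment_len // MAX_ATTR_VALUE_LEN)        # ceil division
    attr_bytes = eap_fragment_len + 2 * chunks + MESSAGE_AUTH_ATTR_LEN + extra_attr_len
    return IPV4_HEADER_LEN + UDP_HEADER_LEN + RADIUS_HEADER_LEN + attr_bytes


def max_eap_fragment_for_path_mtu(path_mtu: int, extra_attr_len: int = 0) -> int:
    """Largest EAP fragment whose datagram fits the path MTU without IP fragmentation."""
    best = 0
    for n in range(1, path_mtu):
        if radius_datagram_size(n, extra_attr_len) <= path_mtu:
            best = n
        else:
            break                 # size grows monotonically with n
    return best


if __name__ == "__main__":
    tunnel_mtu = 1400             # value Support quoted for the non-Meraki VPN in the thread
    print("max EAP fragment for", tunnel_mtu, "byte tunnel:", max_eap_fragment_for_path_mtu(tunnel_mtu))
    pkt = build_packet(ACCESS_CHALLENGE, 1, bytes(16), encode_framed_mtu(1344))   # constructed demo value
    print("Framed-MTU parsed back:", framed_mtu_from(pkt[RADIUS_HEADER_LEN:]))
```

Run it with a 1400-byte path MTU and it reports the largest EAP fragment that still fits; anything the server emits above that (a certificate-carrying EAP-TLS record, for instance) will be IP-fragmented or dropped on the tunnel, which is the symptom the Wireshark capture in the first post describes. The parser rejects a length byte that overruns the buffer, the usual way a hand-rolled RADIUS decoder goes wrong.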
