New MX 15.44 stable release candidate firmware - MAC error from 15.43 and other assorted fixes

cmr
Kind of a big deal

Security appliance firmware versions MX 15.44 changelog

Important notice

  • Due to underlying changes present in MX 15, MX appliances will now strictly validate the remote ID parameter during VPN tunnel formation. If you notice issues with non-Meraki VPN tunnel connectivity after upgrading to MX 15 for the first time, please ensure the remote ID configured in the site-to-site VPN page for a given non-Meraki peer matches what is configured as the local ID on that device.
  • This firmware version contains important changes required for communications between MX appliances and the AMP and ThreatGrid clouds. Customers utilizing the ThreatGrid integration will need to upgrade to MX 14.56, MX 15.42.3, MX 16.7, or higher before October 1, 2021. Customers utilizing the AMP-only integration will need to upgrade to MX 14.56, MX 15.43, MX 16.7, or higher before December 1, 2021.

Legacy products notice

  • When configured for this version, Z1, MX60, MX60W, MX80, and MX90 devices will run MX 14.56.

Bug fixes

  • Corrected an issue where DHCP traffic being routed across AutoVPN would be dropped on MX appliances configured to operate in passthrough mode if the source port of the DHCP traffic was 67 and the destination port of the traffic was 68.
  • Corrected a rare issue that could result in the service responsible for synchronizing information between primary and spare MX appliances not initializing properly.
  • Resolved an issue that resulted in MX250 and MX450 appliances being unable to properly utilize some MA-SFP-1GB-TX SFP modules.
  • Corrected an MX 15 regression that resulted in communications to the VPN registry service failing on the WAN2 interface when the MX appliance was configured to use manual NAT traversal for AutoVPN site-to-site VPN connections.
  • Resolved an MX 15.43 regression that resulted in MX appliances that were configured to 1) operate as an in-line passthrough or a one-armed VPN concentrator and 2) were configured to operate in high availability (HA) mode using an incorrect MAC address for management and connection monitoring traffic.
  • Corrected an issue that could result in clients being unable to wirelessly associate to MX65W appliances in rare cases.
  • Fixed an issue that could result in the MX appliance failing to properly install all source-based default routes when a large number were configured.

Known issues

  • After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions.
  • Please note that until certification has been obtained, the Z3C will not be supported on Verizon's network.
  • When deployed in warm spare / high availability (HA), MX67C and MX68CW do not support using their cellular connectivity to pass client traffic. In this deployment, the cellular connectivity can only be used for device monitoring or network troubleshooting. This is an expected limitation for these platforms.
  • MX67C, MX68CW, and Z3C units must be connected to the Meraki Dashboard initially to retrieve an update to allow for proper use of the integrated cellular connectivity. This is most likely to be an issue when bringing the units online for the very first time.
  • On the MX67(C,W) and MX68(W,CW) platforms, when the MX is providing PoE to a connected device, this information will not be reflected on the Meraki Dashboard.
  • Once a Z3 has been updated to this firmware version it can only run MX 14.31 or MX 15.8 and higher. This is an expected result of updates to the device booting mechanisms and this limitation will not be resolved in future releases.
  • The DES encryption algorithm is no longer supported for use in formation of VPN tunnels.
  • Creating VPN tunnels using aggressive mode IKE is no longer supported.
  • Due to MX 15 regressions, USB cellular connectivity may be less reliable on some modems.
  • Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page.
  • Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
If my answer solves your problem please click Accept as Solution so others can benefit from it.
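
A pre-upgrade check built from the notices in the changelog above, added here as an example (not Meraki's or the poster's code). It audits a constructed inventory, whose layout and field names are hypothetical, for remote ID mismatches, DES, aggressive mode IKE and the affected 802.1X VLAN IDs.

```python
# Added example: pre-upgrade audit built from the MX 15.44 notes above.
# Inventory layout and field names are hypothetical, not a Meraki export format.
AFFECTED_VLANS = set(range(16, 241, 16))  # 16, 32, ..., 240 as listed in the notes
AFFECTED_MODELS = {"MX65", "MX65W", "MX67", "MX67C", "MX67W",
                   "MX68", "MX68W", "MX68CW"}

def audit_peer(peer):
    """Findings for one non-Meraki VPN peer."""
    findings = []
    # Strict remote ID validation: compare exactly (assumption: no case folding).
    if peer["remote_id_on_mx"] != peer["local_id_on_peer"]:
        findings.append("remote ID does not match the peer's local ID")
    # Exact token match, so 3DES is not mistaken for DES.
    if any(c.strip().lower() == "des" for c in peer["encryption"]):
        findings.append("DES is no longer supported")
    if peer["ike_mode"].lower() == "aggressive":
        findings.append("aggressive mode IKE is no longer supported")
    return findings

def audit_port(port):
    """Findings for one LAN port (802.1X known issue)."""
    if (port["model"] in AFFECTED_MODELS and port["dot1x"]
            and port["vlan"] in AFFECTED_VLANS):
        return [f"802.1X port on VLAN {port['vlan']}: client traffic will be dropped"]
    return []

def audit(peers, ports):
    """Map each item with at least one finding to its list of findings."""
    report = {p["name"]: audit_peer(p) for p in peers}
    report.update({f"{p['device']} port {p['port']}": audit_port(p) for p in ports})
    return {item: found for item, found in report.items() if found}

# Constructed sample inventory (documentation addresses and made-up names).
PEERS = [
    {"name": "branch-fw", "remote_id_on_mx": "branch.example.net",
     "local_id_on_peer": "Branch.example.net", "encryption": ["aes256"], "ike_mode": "main"},
    {"name": "legacy-fw", "remote_id_on_mx": "203.0.113.10",
     "local_id_on_peer": "203.0.113.10", "encryption": ["3des", "des"], "ike_mode": "aggressive"},
    {"name": "dc-fw", "remote_id_on_mx": "198.51.100.7",
     "local_id_on_peer": "198.51.100.7", "encryption": ["3des"], "ike_mode": "main"},
]
PORTS = [
    {"device": "store-12", "model": "MX67", "port": 3, "dot1x": True, "vlan": 32},
    {"device": "store-12", "model": "MX67", "port": 4, "dot1x": True, "vlan": 30},
    {"device": "hq", "model": "MX84", "port": 5, "dot1x": True, "vlan": 16},
    {"device": "store-13", "model": "MX68CW", "port": 2, "dot1x": False, "vlan": 240},
]
if __name__ == "__main__":
    for item, found in audit(PEERS, PORTS).items():
        print(item, "->", "; ".join(found))
```
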
thomasthomsen
Kind of a big deal

Are these HA bugs in 16.11? If so, any news on when a 16 release will be available with these fixes?

nsingh
Here to help

Hello,

We are trying to debate which OS upgrade would be the best and most stable to upgrade to, looking at so many OS releases in the last month of August.

We are running 14.53 and so far we have had unresolvable issues on 15.43 and 15.43.1 (issues on Client VPN).

Any help or inputs are appreciated.

 

cmr
Kind of a big deal

@nsingh what issues did you have with the client VPN? We use 16.11 but for SD-WAN and internet access, it is stable for us and the new traffic classification feature is very useful. However we don't use the client VPN so hopefully someone who does will comment.

nsingh
Here to help

Thanks for your response!

That's the whole issue, not many use Meraki's client VPN.

The issue is the PPP tunnel does not establish correctly so users lose internet after connecting to the client VPN, plus for some users the client VPN disconnects like every 2-3 mins randomly; they log in again, and it disconnects again.

May I ask what Client VPN you use?

cmr
Kind of a big deal

We use Sophos XGs for our enterprise edge and client VPN, it has an SSL version based on OpenVPN and an IPsec version. There are a couple of dedicated clients (one SSL only, the other for both) and it supports a mix of full tunnel and split tunnel with multiple profiles, 2FA and pretty much any OS including iOS devices, Raspberry Pis and many more. However their SD-WAN solution isn't a patch on Meraki's!
