Security appliance firmware versions MX 16.8 changelog
Important notice
- This is an early-stage beta version for the MX 16 release. Due to this, we recommend taking additional caution before upgrading production appliances. Where applicable, MX 15 or MX 14 releases will provide a more stable upgrade alternative.
Legacy products notice
- When configured for this version, Z1, MX60, MX60W, MX80, and MX90 devices will run MX 14.56.
Bug fixes
- Resolved an additional case that could result in AutoVPN configuration changes causing brief periods of packet loss.
- Corrected an issue that resulted in AutoVPN tunnel status reflecting as disconnected when 1) An uplink failover occurred, and 2) the MX appliance was unable to contact the VPN registry for one than one minute.
- Resolved an issue where ping reply messages were dropped when 1) an AutoVPN spoke is configured to form a VPN connection with two hubs, 2) a ping request message is sent from a client behind the AutoVPN spoke, 3) the ping request message is destined to a client behind the primary AutoVPN hub, 4) the ping response from the destination client, reached over the AutoVPN connection to the primary hub, is routed back to the AutoVPN spoke via the secondary AutoVPN hub. This happens only in cases where the secondary AutoVPN is configured with a default static route to the LAN.
- Update the AnyConnect VPN service
- Fixed an issue that could result in Z3(C) appliance LAN ports not correctly processing traffic when the appliance was booted using a cellular uplink while no devices were plugged in to its LAN or WAN ports.
- Stability improvements for MX84, MX100, MX250, and MX450 appliances.
- Security improvements
- Stability improvements
Known issues
- Significant performance regressions for VPN traffic may be observed on MX84 and MX100 appliances
- After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions
- Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page
- Some stability-impacting issues present in MX 14 that affect a small population of MX67(C,W) and MX68(W,CW) appliances still exist.
- World-wide device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed in North America and North America device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed outside of North America.
- When deployed in warm spare / high availability (HA), MX67C and MX68CW do not support using their cellular connectivity to pass client traffic. In this deployment, the cellular connectivity can only be used for device monitoring or network troubleshooting. This is an expected limitation for these platforms.
- On the MX67(C,W) and MX68(W,CW) platforms, when the MX is providing PoE to a connected device, this information will not be reflected on the Meraki Dashboard.
- Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
- Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
- MX67C, MX68CW, and Z3C units must be connected to the Meraki Dashboard initially to retrieve an update to allow for proper use of the integrated cellular connectivity. This is most likely to be an issue when bringing the units online for the very first time.
- Some stability-impacting issues present in MX 14 that affect a small population of Z3(C) appliances still exist.
- Please note that until certification has been obtained, the Z3C will not be supported on Verizon's network.
- Z3(C) appliances that are upgraded to MX 16 versions cannot directly downgrade to MX 14 releases. They must first downgrade to an MX 15 release.
- Due to MX 15 regressions, USB cellular connectivity may be less reliable on some modems
- Group policies do not correctly apply to client devices
- MX IDS security alerts are not detected for AnyConnect VPN traffic
- BGP-learned routes may not be properly reflected in the Route Table page on the Meraki Dashboard, despite BGP and packet routing operating correctly.
- There is an increased risk of encountering device stability issues on all platforms and across all configurations.
