New MX 17.9 Stable Release Candidate firmware - AnyConnect, IPv6, NBAR, EEE and other fixes

cmr
Kind of a big deal

Security appliance firmware versions MX 17.9 changelog

Important notice

  • While Meraki appliances have traditionally relied on UDP port 7351 for cloud communication and TCP ports 80 and 443 for backup communications, with MX 16 we are beginning a transition to using TCP port 443 as the primary means for cloud connectivity. In order to ensure proper connectivity to the Meraki cloud after this upgrade, please ensure that traffic using TCP port 443 between 209.206.48.0/20 is allowed through any firewalls that may be deployed upstream of your Meraki appliances.
  • HTTP proxy, which allows default management traffic from MX appliances to be sent through a proxy, is deprecated on MX 16 and higher firmware versions.
  • The transition to Cisco Talos intelligence for our content filtering services means that some URL categories have changed names, some categories are no longer available, and multiple new categories are now available. Please review your configuration after upgrading to ensure content filtering is effectively tailored to your needs and deployment environment.

Legacy products notice

  • When configured for this version, Z1, MX60, MX60W, MX80, and MX90 devices will run MX 14.56.
  • When configured for this version, MX400 and MX600 devices will run MX 16.16.5.

Bug fixes

  • Corrected an issue that resulted in DHCPv6 retransmissions occurring at the incorrect frequency.
  • Removed support for non-PCI-compliant ciphers from AnyConnect.
  • Fixed an issue that could result in being unable to successfully use some custom certificates with AnyConnect.
  • Resolved a rare race condition that could result in all BGP connections being lost after eBGP route changes.
  • Resolved a rare issue that resulted in routes to a deleted non-Meraki VPN peer remaining in the MX routing table.
  • Fixed an issue that resulted in MX appliances configured in passthrough mode to drop IPv6 fragmented packets.
  • Corrected an issue that resulted in MX appliances configured in passthrough mode failing to send an ICMP “packet too big” error message for packets arriving on the WAN interface.
  • Corrected an issue in the NBAR heuristic classification engine that could occasionally lead to large numbers of misclassifications.
  • Resolved several edge cases that could result in energy efficient Ethernet (EEE) being incorrectly enabled. The presence of EEE may have resulted in an increased likelihood of unexpected link state transitions.
  • Resolved a very rare issue that could result in otherwise healthy MX appliances losing connection to the MX Dashboard.

Known issues

  • After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions.
  • Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page.
  • Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
  • There is an increased risk of encountering device stability and performance issues on all platforms and across all configurations.
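
A pre-upgrade audit built from the notices and known issues listed above, as an added example that is not part of the original post or of any Meraki tooling. The inventory and firewall-rule formats, the first-match rule semantics, and the sample data are assumptions made for illustration.

```python
import ipaddress

# Values copied from the release notes above.
MERAKI_CLOUD = ipaddress.ip_network("209.206.48.0/20")
LEGACY_FIRMWARE = {m: "MX 14.56" for m in ("Z1", "MX60", "MX60W", "MX80", "MX90")}
LEGACY_FIRMWARE.update({m: "MX 16.16.5" for m in ("MX400", "MX600")})
DOT1X_MODELS = {"MX65", "MX65W", "MX67", "MX67C", "MX67W", "MX68", "MX68W", "MX68CW"}
DOT1X_BAD_VLANS = set(range(16, 241, 16))  # 16, 32, ..., 240

def cloud_443_allowed(rules):
    """True if one allow rule covers the whole Meraki range on TCP 443.
    Assumes first-match evaluation with an implicit deny; partial coverage fails."""
    for r in rules:
        net = ipaddress.ip_network(r["dst"])
        if r["proto"] not in ("tcp", "any") or 443 not in r["ports"]:
            continue
        if r["action"] == "deny" and net.overlaps(MERAKI_CLOUD):
            return False
        if r["action"] == "allow" and MERAKI_CLOUD.subnet_of(net):
            return True
    return False

def audit(device, upstream_rules):
    """Findings for one appliance before it is scheduled for MX 17.9."""
    findings = []
    model = device["model"]
    if model in LEGACY_FIRMWARE:
        findings.append(f"{model} will run {LEGACY_FIRMWARE[model]}, not 17.9")
    if model in DOT1X_MODELS:
        for port in device.get("lan_ports", []):
            if port["dot1x"] and port["vlan"] in DOT1X_BAD_VLANS:
                findings.append(f"port {port['id']}: 802.1X on VLAN {port['vlan']} drops client traffic")
    if not cloud_443_allowed(upstream_rules):
        findings.append(f"upstream firewall does not allow TCP 443 to {MERAKI_CLOUD}")
    return findings

# Constructed sample data in a hypothetical format (not a Meraki export).
RULES = [  # UDP 7351 is open, but the TCP 443 rule covers only half of the /20
    {"action": "allow", "proto": "udp", "dst": "209.206.48.0/20", "ports": range(7351, 7352)},
    {"action": "allow", "proto": "tcp", "dst": "209.206.48.0/21", "ports": range(443, 444)},
]
DEVICES = [
    {"name": "branch-1", "model": "MX67W", "lan_ports": [
        {"id": 3, "vlan": 48, "dot1x": True}, {"id": 4, "vlan": 50, "dot1x": True}]},
    {"name": "hq", "model": "MX400", "lan_ports": []},
]

if __name__ == "__main__":
    for dev in DEVICES:
        for finding in audit(dev, RULES):
            print(f"{dev['name']}: {finding}")
```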

5 Replies

MarcAEC
Getting noticed

Is this a "stable" release or not?  It can't be stable and have a known issue of "...an increased risk of encountering device stability and performance issues on all platforms and across all configurations."

sebas
Getting noticed

Indeed, I read the same:

  • "There is an increased risk of encountering device stability and performance issues on all platforms and across all configurations."

So this does not feel stable, no explanation whatsoever of what is causing this and what it results in...

cmr
Kind of a big deal

@MarcAEC stable release candidate, though to be fair we run our entire 24/7 operations on it...

MarcAEC
Getting noticed

To me, it can't be stable if a known issue is the increased risk of instability.  That's a known issue of beta software.

Armelin
Here to help

Firmware 17.9, compared to the stable version 15.44, increases the device utilization a lot. If this firmware is applied to an MX100 with an Advanced Security license, it will create a lot of instability, starting from VPN throughput (it can allow a max of only 300 Mb/s), to high packet loss and also increased response time.
So, please do not apply this firmware on MX100 or smaller versions.
