New MX 18.105 Stable Release Candidate - fixes for VPNs, smaller appliances, performance for larger.

cmr
Kind of a big deal

Security appliance firmware versions MX 18.105 changelog

New features

  • Added support for forwarding Secure Group Tags (SGT) on traffic. This is available on Z3(C), MX64(W), MX65(W), MX67(C,W), MX68(W,CW), MX75, MX84*, MX85, MX95, MX100, MX250, and MX450 appliances and enables full stack (MR+MS+MX) Adaptive Policy operation. * Please see the known issues for important information about SGT on MX84 appliances.

Bug fixes

  • MX appliances will now drop additional types of erroneous traffic received from AnyConnect VPN clients.
  • Resolved a rare case that could result in non-Meraki VPN traffic being incorrectly forwarded when MX appliances were configured in passthrough mode.
  • Performance improvements for MX250 and MX450 appliances.
  • Corrected an issue that resulted in client traffic being dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances when 1) the client was connected to a LAN port with 802.1X authentication enabled and 2) the VLAN ID of the port was configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
  • Fixed several rare cases that could result in a device reboot.
  • Fixed an issue that could result in MX appliances replying to ARP messages for an incorrect IP address when 1) The MX was configured to operate as the standby/spare device in a high availability configuration and 2) the MX appliance was configured to operate in passthrough mode.

Legacy products notice

  • When configured for this version, Z1 and MX80 devices will run MX 14.56.
  • When configured for this version, MX400 and MX600 devices will run MX 16.16.6.

Known issues

  • After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions.
  • Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page.
  • When SGT is enabled on MX84 appliances, any packet larger than 1440 bytes will be dropped. Due to this, we recommend that the SGT feature only be enabled in lab or other non-production environments on MX84 appliances.
  • There may be an increased risk of encountering device stability and performance issues.

Other

  • If DNS is not available on the MX’s IPv6 uplink, MX appliances will now attempt to fetch a configuration using DNS over HTTPS to the Meraki cloud.
zeestrat-nina
Conversationalist

Hi, the email I received from Meraki regarding the MX 18.105 update also mentioned support for the following: "- Added support for configuring VPN exclusion rules for non-Meraki VPN peers". This is however missing from this post and in the firmware upgrade page on the dashboard.

Could you please elaborate if this support is added or not and preferably some documentation on this new feature?

thomasthomsen
A model citizen

Is the SGT support also across AutoVPN? So "true" End-to-End?

This is what I expected when I saw this new firmware. But the documentation is not yet updated. This would be great although IMO this feature is quite useless with only the MS390 supporting it on the switch side. 

Lurick
Here to help

Does this also fix the connectivity and resolution issues with slow response times for wireless clients that I've seen reported on 17.x and 18.x firmware?

Edit: Does not seem to have fixed anything compared to previous 18.x and latest 17.x code.

Slow Wi-Fi client issues, Wi-Fi calling doesn't work, several issues with this code as well. 17.x does the same thing on the latest version too. Issues not present in 16.x codes.

I agree. The Wi-Fi issue has not been fixed.

CptnCrnch
Kind of a big deal

Running good so far. Looking forward to playing around with SGT forwarding in the next few days!
