New MX 18.107.9 patch firmware - lots of stability fixes, but lots of (now numbered) issues remain…

cmr
Kind of a big deal

Security appliance firmware versions MX 18.107.9 changelog

Important notice

  • USB modems with MX/Z series devices running firmware MX 18 or newer will be limited to best effort support and will not be receiving any future firmware fixes or improvements.

Bug fixes

  • Fixed an issue that could result in MX250 and MX450 appliances improperly forwarding LLDP and BPDU frames from LAN out the WAN interface(s) during the bootup process.
  • Corrected an issue that could result in MX65(W), MX67(C,W), MX68(W,CW), MX75, and MX85 appliances losing static IP configuration after entering into failsafe mode.
  • Resolved a rare issue that could result in HTTP file downloads failing when AMP was enabled.
  • Stability improvements for MX64W and MX65W appliances.
  • Mitigated an issue that could cause network instability during AutoVPN connectivity changes when MX appliances had large numbers of routes.
  • Stability improvements for MX67W and MX68(W,CW) appliances.
  • Corrected an MX 18.1 regression that resulted in VPN status information about WAN2 not being properly reported. This resulted in the information on the VPN status page being incorrect.
  • Fixed a rare issue that could occur during firmware updates that resulted in MX appliances unexpectedly having configurations that were out of date.
  • Corrected an MX 18.107.7 regression that could cause MX appliances that 1) have Mandatory DHCP enabled and 2) are rebooted to encounter severe disruptions to network traffic.
  • Fixed an issue that resulted in MX appliances failing to initialize a service required for encrypted communication with Umbrella.
  • Resolved a rare issue that could result in SFP+ ports on MX250 and MX450 appliances unexpectedly toggling between up and down states when forwarding incorrectly sized MDNS packets.
  • Fixed a rare issue that could result in AutoVPN traffic being routed incorrectly after an uplink failover or failback when 1) the MX appliance was configured to operate in High Availability mode (HA), 2) a virtual IP address was used, and 3) a teleworker VPN was configured.
  • Resolved an issue that could result in devices connected to MX68(W,CW) appliances failing to negotiate full 802.11at PoE power.

Legacy products notice

  • When configured for this version, Z1 devices will run MX 14.56.
  • When configured for this version, MX400 and MX600 devices will run MX 16.16.9.

Known issues status

  • This list of issues is currently being maintained and there may be new updates in the future.

Known issues

  • Due to unknown causes, the NBAR traffic analysis engine may fail to classify traffic in some cases. (MX-25589)
  • Due to a rare issue with no known method of reproduction, MX appliances may reboot unexpectedly. (MX-25065)
  • MX64W and MX65W appliances may experience unexpected device reboots for reasons currently under investigation. 
  • MX67C, MX68CW, and Z3C appliances may erroneously detect a SIM card as missing. This state can be cleared by rebooting the device. 
  • MX67W and MX68(W,CW) appliances may experience unexpected device reboots for reasons currently under investigation. A potential cause may be oversized wireless packets. 
  • In rare circumstances the intrusion detection and prevention process may crash and restart. In some circumstances this can cause a minor disruption to network traffic. This issue is expected to be resolved through an update to the IDS/IPS container rather than the MX firmware version. 
  • Clients using an older version of the AnyConnect client may not be able to successfully perform Duo multi-factor authentication. This can be resolved by updating the AnyConnect client to 4.10.05085 or higher. 
  • Due to unknown reasons, MX64W and MX65W may experience unexpected device reboots. This is most likely related to the wireless subsystem. 
  • MX67C, MX68CW, and Z3C appliances may encounter an issue where they are unable to communicate with the integrated modem. This state can be cleared by rebooting the device. 
  • Due to a rare issue with no known method of reproduction, MX appliances have been documented to fail to fetch an updated device configuration for several days. 
  • In rare cases, MX67(C,W) and MX68(W,CW), MX75, MX85, MX95, and MX105 appliances with intrusion prevention configured may erroneously block SIP traffic from client VPN clients. This is most likely related to an issue with IP fragmentation and reassembly. 
  • In rare cases, MX67(C,W) and MX68(W,CW), MX75, MX85, MX95, and MX105 appliances with intrusion prevention configured may result in increased latency for Citrix. This may be related to an issue with IP fragmentation and reassembly. 
  • MX67C, MX68CW, and Z3C appliances may fail to apply custom APNs.
  • Due to a rare issue under investigation, MX67C and MX68CW appliances may unexpectedly fail to detect some working SIM cards. 
  • In rare cases, MX67C, MX68CW, and Z3C appliances may fail to enter into a "Ready" state despite being able to register to a cellular network and obtain an IP address for the modem. 
  • When MX67C, MX68CW, and Z3C appliances are repeatedly unable to communicate with the integrated modem, they will attempt to reset the modem to restore connectivity. In some cases, this reset procedure may fail, requiring the appliance to be physically power cycled to restore connectivity with the modem.
  • Due to an MX 17 regression, the integrated cellular modem on MX67C, MX68CW, and Z3C appliances may fail to acquire an IP address via DHCP. This can be resolved with a physical power cycle of the appliance. 
  • When using a cellular active uplink with the primary uplink configured as cellular, the Dynamic DNS hostname will not function properly. 
  • MX67W and MX68(W,CW) appliances may experience a crash of the wireless subsystem that results in a device reboot. 
  • Due to architectural changes to support content filtering powered by Talos, MX devices will no longer report the category that caused a URL to be blocked by content filtering when in full list mode. 
  • Due to a rare issue with no known method of reproduction, MX95, MX105, MX250, and MX450 appliances may encounter unexpected device reboots. 
  • Due to reasons still under investigation, MX85 appliances may be more likely to encounter an unexpected device reboot on this version. 
  • The Non-Meraki VPN service may fail to properly establish IKEv2 tunnels when the MX appliance is acting as the IKEv2 responder and many allowed subnets are configured.

Other

  • Control traffic for Meraki authentication will now only be routed out the WAN interface(s). Previously it could be unintentionally directed out other interfaces, based on the routing configuration.
8 Replies

Brash
Kind of a big deal

Bug/issues numbers! Hooray!!

CarolineS
Community Manager

This was actually a mistake; the bug numbers aren't meant to be public. I have removed them (sorry!!)

Caroline S | Community Manager, Cisco Meraki
Brash
Kind of a big deal

Aw bummer.🙁🙁

RaphaelL
Kind of a big deal

They made the bug IDs public ??

We can only wish ... (pun intended ... perhaps 🙂 )

That was an accident, whoops! I have removed them.

Caroline S | Community Manager, Cisco Meraki
DarrenH
Here to help

So every 18 firmware release note has had the same bug:

--After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions

I do not see that listed here as a bug or as being fixed. Is this still an issue, just not reported in the bugs? I would love to be able to make config changes without having an outage; even though it is a "brief period", it seems to cause issues with one of our application servers.

Also, is this update stable on an MX84? In my dashboard it is under the "other" section, not the "stable release" section.

-Thanks!

cmr
Kind of a big deal

Other is patches and it is considered the latest stable patch. If you check the firmware updates forum you will see it labelled as such. We are running it on multiple MX84s and HA pairs of MX84s with the enterprise feature set.
