New MX 18.205 beta firmware - performance but DHCP relay and stability issues

cmr
Kind of a big deal
Kind of a big deal

New MX 18.205 beta firmware - performance but DHCP relay and stability issues

Security appliance firmware versions MX 18.205 changelog

What’s new

  • Significant performance improvements for MX250, MX450, and MX75 appliances.
  • Enhanced IPv6 support for AnyConnect and DNSv6
  • Improved AutoVPN’s self-recovery capabilities
  • Detailed, live firewall logs can now be seen through a new live tool
  • Adaptive Policy now supports SGT transport on the WAN interface for MXs in VPN Concentrator mode
  • Adaptive Policy now supports SGT assignments per-port and by VLANs.
  • Trusted Traffic Exclusions - IP addresses and objects, as well as applications can now be “allow listed” and bypass IDS/IPS inspection
  • Talos Content Filtering support in Group Policies
  • SD-Internet powered by NBAR2 traffic classifications

Legacy products notice

  • When configured for this version, Z1 and MX80 devices will run MX 14.56.
  • When configured for this version, MX400 and MX600 devices will run MX 16.16.9.
  • When configured for this version, MX64(W), MX65(W), MX84, MX100, and vMX100 devices will run MX 18.107.5.

Known issues

  • Due to an issue under investigation, uplink shaping will not limit traffic speeds on MX250, MX450, and MX75 appliances.
  • Due to an issue under investigation, mandatory DHCP will not function correctly on MX250, MX450, and MX75 appliances.
  • Due to an issue under investigation, MX250, MX450, and MX75 appliances will not relay DHCP traffic.
  • There is an increased risk of encountering device stability and performance issues on all platforms and across all configurations.
36 Replies 36
cmr
Kind of a big deal
Kind of a big deal

Live logs!

DarrenOC
Kind of a big deal
Kind of a big deal

Have they stopped showing logs were you get 1000’s truncated and are of no use to anyone 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Brash
Kind of a big deal
Kind of a big deal

Legitimately so excited for this feature.

In my opinion it is basically a must have for any security device

thomasthomsen
Head in the Cloud

Its here 🙂

Or ... something like it 🙂

thomasthomsen_0-1698061474834.png

 

cmr
Kind of a big deal
Kind of a big deal

Bizarrely upon release a number of our networks were scheduled for an upgrade to this version and they mainly contain MX65s, 84s and 100s... I think the auto upgrade feature hasn't read the release notes!

thomasthomsen
Head in the Cloud

Yep had that too.

thomasthomsen
Head in the Cloud

And lets not forget 🙂

thomasthomsen_0-1697525754291.png

 

PS: And RIP : "MX64(W), MX65(W), MX84, MX100, and vMX100 devices will run MX 18.107.5."

Sure I understand MX100, it was the oldest of the lot, but MX84 really ? (I know it was a "slow box" in comparison but still).

antonis_sp
Building a reputation

Always had issues with PPPoE and IPv6 not properly working. 

This (I guess)

  • Enhanced IPv6 support for AnyConnect and DNSv6

now provides umbrella DNSv6 for the PPPoE connection. 

peto
Getting noticed

when will it be available in the dashboard? I upgraded and nothing new in dashboard.

cmr
Kind of a big deal
Kind of a big deal

One of my networks upgraded to it 7.5 hours ago and it is an option even for networks running 17.x

Screenshot_20231017_090652_Chrome.jpg

peto
Getting noticed

I mean, that I upgraded to 18.205 successfully but I cannot see the new features in the dashboard

cmr
Kind of a big deal
Kind of a big deal

Which feature in particular were you looking for and what model MX is in the network?

peto
Getting noticed

this one: 

  • Trusted Traffic Exclusions - IP addresses and objects, as well as applications can now be “allow listed” and bypass IDS/IPS inspection
cmr
Kind of a big deal
Kind of a big deal

According to the 18.2 feature announcement, the performance boost for the MX75, MX250 and MX450 is up to 3 times as much!

 

Also 18.2 finally has a 3 WAN option for MX75,85,95 and 105!

 

Mult-WAN (2 Active + 1 Backup) [Private BETA]*

Reach out to your Meraki sales representative for more information.

Introducing two designated WAN ports with one backup WAN port.
ww
Kind of a big deal
Kind of a big deal

Half my network stopped working on this fw. No response back to syn packets and no logging about it. Back to 18.1 now.

cmr
Kind of a big deal
Kind of a big deal

I tried on my home MX and the work MX that I have behind (that has an SD-WAN connection to the hub) kept dropping off after about 15 minutes, so I too reverted to 18.1.

RaphaelL
Kind of a big deal
Kind of a big deal

Where is the new live tool for the firewall ?

 

RaphaelL_0-1697543367867.png

 

They always seem to release these things with GUI not quite ready yet. I wish they'd be more consistent with noting GUI comes later (which they've occasionally done), syncing the release with the GUI release, or just not even mentioning until the GUI is available.

DarrenOC
Kind of a big deal
Kind of a big deal

Sitting here with 🍿 watching for what’s working and what’s broken.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

So far ... nothing broken ... BUUUUTT .. on the other hand ... a lot of (some) stuff seems to be missing.

 

KarbonX1
Getting noticed

Does anyone know what exactly is giving this (up to) 3x performance boost on MX75? And what is boosted exactly, IPS, raw download/upload, VPN?

RaphaelL
Kind of a big deal
Kind of a big deal

Code optimization , mulithreading.  Again I'm not able to find the Cisco Live info about it. Those gains were announced at CLUS 2023

BrickBR
Here to help

Curious why the MX85 is missing from the list for performance enhancement. Isn't the 85 and 75 essentially the same hardware? 

MK2
Building a reputation

Just playing and found some issues: 1. The Summary page, where a symbolic picture of the MX shows up, says that the Internet1 Port ist disabled? Thats not correct. 2. The release note says more performance but the only thing I could recognize is that the CPU utilization under the "Summary Report" shows 99%? There not so much traffic ongoing - mhhhh.....strange performance enhancement 🙂

 

MK2_0-1698040345388.png

 

RaphaelL
Kind of a big deal
Kind of a big deal

My MX68CW after the upgrade. Traffic hasn't changed : 

 

RaphaelL_0-1698061502359.png

 

cmr
Kind of a big deal
Kind of a big deal

It's upgrade time 😉

MK2
Building a reputation

Support is confirming these issues. Requested updates for these bugs. Let's see how long they last.

RaphaelL
Kind of a big deal
Kind of a big deal

  • When configured for this version, MX64(W), MX65(W), MX84, MX100, and vMX100 devices will run MX 18.107.5.

18.107.6 is out. Does that mean that MX64(W), MX65(W), MX84, MX100, and vMX100 can't run a more recent patch ? Or they simply forgot to edit the changelogs ?

thomasthomsen
Head in the Cloud

Do anyone have some numbers on those : "Significant performance improvements for MX250, MX450, and MX75 appliances." ?

Because the numbers for the MX250 and MX450 with all security features enabled, are lower on the current Sizing guide then the one before that.

It's supposed to be around that :

MX450 : 2.5x NAT , 3x VPN

MX250 : 2x NAT , 3x VPN  

 

Not sure if ALL that performance was enabled with 18.205 or more is coming in 18.2XX

RaphaelL
Kind of a big deal
Kind of a big deal

Updated changelog : 

 

Removed : 

When configured for this version, Z1 and MX80 devices will run MX 14.56.

(?)

 

Added : 

  • Some MX67(C,W) and MX68(W,CW) appliances may experience difficulty upgrading to this firmware version from their factory default firmware.
  • MX67C, MX68CW, and Z3C appliances may encounter an issue where they are unable to communicate with the integrated modem. This state can be cleared by rebooting the device.
  • When MX67C, MX68CW, and Z3C appliances are repeatedly unable to communicate with the integrated modem, they will attempt to reset the modem to restore connectivity. In some cases, this reset procedure may fail, requiring the appliance to be physical power cycled to restore connectivity with the modem.
  • Due to an MX 17 regression, the integrated cellular modem on MX67C, MX68CW, and Z3C appliances may fail to acquire an IP address via DHCP. This can be resolved with a physical power cycle of the appliance.
  • When using a cellular active uplink with the primary uplink configured as cellular, the Dynamic DNS hostname will not function properly.
  • MX67C, MX68CW, and Z3C appliances may erroneously detect a SIM card as missing. This state can be cleared by rebooting the device.
  • Due to an MX 18.2 regression, MX75, MX85, MX95, and MX105 appliances have significantly increased device utilization.
  • NBAR may prematurely reach its peak capacity for the amount of concurrent flows that it can track. When this happens, the classification of traffic may be less accurate.
  • Due to an MX 18.2 regression, control traffic generated by MX75, MX250, and MX450 appliances may not be routed correctly when the destination is on the MX LAN.
harmankardon
Building a reputation

Yikes, this firmware looks like bad news for MX devices with integrated cellular modem. Their support for the integrated modem product line seems to be consistently 1 step forward, 1 step back. MX 16 was brutal, then MX 17 got better, now MX 18 back to brutal.

Yeah I agree. Those issues are also present in MX 18.107. It needs to be fixed asap.

CptnCrnch
Kind of a big deal
Kind of a big deal

This is the first firmware release that I had to roll back due to issues with clients not able to connect to the outside world anymore.

Wifikohai
Comes here often

After upgrade third party vpn stopped working. Appears as up but there are no traffic between peers.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels