New MX 18.208.0.1 stable release candidate firmware - some VPN fixes!

cmr
Kind of a big deal
Kind of a big deal

New MX 18.208.0.1 stable release candidate firmware - some VPN fixes!

Security appliance firmware versions MX 18.208.0.1 changelog

Important notice

  • USB modems with MX/Z series devices running firmware MX 18 or newer will be limited to best effort support and will not be receiving any future firmware fixes or improvements.

Bug fixes

  • Corrected an MX 18.2 regression that caused MX appliances configured in passthrough mode to be unable to establish VPN tunnels to tunneled SSIDs configured on MR devices.
  • Fixed an MX 18.2 regression that resulted in MX appliance improperly dropping traffic from non-Meraki VPN peers when that traffic was received over a PPPoE uplink.

Legacy products notice

  • When configured for this version, Z1 devices will run MX 14.56.
  • When configured for this version, MX400 and MX600 devices will run MX 16.16.9.
  • When configured for this version, MX64(W), MX65(W), MX84, MX100, and vMX100 devices will run MX 18.107.8.

Known issues status

  • This list is being reviewed and updated. Many existing issue reports have not been confirmed to affect MX 18.2XX firmware versions.

Known issues

  • There is an increased risk of encountering device stability and performance issues on all platforms and across all configurations.
  • Due to a rare issue with no known method of reproduction, MX75, MX85, MX95, MX105, MX250, and MX450 appliances may fail to forward traffic from some clients.
  • MX appliances that have configured adaptive policy may encounter frequent connectivity state changes for AutoVPN tunnels.
  • Devices manufactured by Ingenico may experience an unstable physical Ethernet connection when directly connected to MX68(W,CW) appliances.
  • Due to rare issues, MX250 and 450 appliances may encounter unexpected device reboots.
  • Due to an MX 18.107.7 regression, MX appliances that 1) have Mandatory DHCP enabled and 2) are rebooted, can encounter severe disruptions to network traffic. We recommend customers with Mandatory DHCP enabled do not upgrade to this firmware version.
  • Due to rare issues, MX250 and 450 appliances may encounter unexpected device reboots.
  • Due to an MX 18.2 regression, MX appliances do not honor flow preferences for Internet traffic when the preferred uplink is cellular and the license edition is Advanced Security. Devices operating under the SD-WAN+ license are not affected.
  • The Non-Meraki VPN service may fail to properly establish IKEv2 tunnels when the MX appliance is acting as the IKEv2 responder and many allowed subnets are configured.
  • In rare cases, MX67C, MX68CW, and Z3C appliances may fail to enter into a "Ready" state despite being able to register to a cellular network and obtain an IP address for the modem.
  • Due to an issue with no known method of reproduction, the IDS and IPS process may unexpectedly restart.
  • MX75, MX85, MX95, MX105, MX250, and MX450 appliances in VPN concentrator mode may fail to forward traffic received from AutoVPN clients.
  • MX75, MX85, MX95, MX105, MX250, and MX450 appliances may inconsistently forward traffic to clients with a 1:1 NAT rule configured.
  • Due to an MX 18.2 regression, MX75, MX85, MX95, MX105, MX250, and MX450 appliances will fail to form AutoVPN tunnels with other MX appliances via their LAN interfaces.
6 Replies 6
ww
Kind of a big deal
Kind of a big deal

Autovpn on a lan interface?

  • Due to an MX 18.2 regression, MX75, MX85, MX95, MX105, MX250, and MX450 appliances will fail to form AutoVPN tunnels with other MX appliances via their LAN interfaces.
cmr
Kind of a big deal
Kind of a big deal

Indeed, perhaps it was meant to be a new feature?

rhbirkelund
Kind of a big deal
Kind of a big deal

Yeah, I was also puzzled by that one, while skimming through the list.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
KimSkifter
Comes here often

Well, this should cover most issues...
Damm it, Meraki... we are actually running live and production on your products!

 

KimSkifter_0-1710339584338.png

 

Osberg
Here to help

Agree, I know that the 18.2 train is "new" but when you publish this as a stable release candidate, there is no room for these type of know issues. 

I have a hard time understanding how Meraki is willing to play with companies productions network like this. 

Frank Osberg | Domain Architect @ Solar A/S
LinkedIn - Twitter
Found this helpful? Give me some Kudos! Much Thanks
Tishman
Here to help

what is the fix for this 

  • The Non-Meraki VPN service may fail to properly establish IKEv2 tunnels when the MX appliance is acting as the IKEv2 responder and many allowed subnets are configured. ?

As i am facing same when i have configured IKev2 between meraki and FTD all child SA are working fine but after it does Rekey SA only come up when initiated from FTD side but does not work if initiated from meraki  kindly help how to fix this 

note: I am using FQDN instead IP and remote Identity as email

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels