New MX 18.211.6 stable firmware: AnyConnect update, high load reboot fix, AutoVPN redirect fixes...

cmr
Kind of a big deal

Security appliance firmware versions MX 18.211.6 changelog

Important notice

  • USB modems with MX/Z series devices running firmware MX 18 or newer will be limited to best effort support and will not be receiving any future firmware fixes or improvements.

Executive summary

  • This is a maintenance release for MX 18.211 containing only bug fixes.
  • The fixes are mostly focused on resolving VPN issues for the MX75, MX85, MX95, MX105, MX250, and MX450 appliances and also include several fixes for issues that occur at larger scale.
  • Additional fixes are also present, so please read through the full details below.

Bug fixes - general fixes

  • Resolved an issue that resulted in MX appliances temporarily failing to properly classify traffic while upgrading to MX 19. This issue was no longer present once the firmware upgrade had completed.
  • Updated the AnyConnect VPN service.

Bug fixes - limited platforms

  • Corrected an issue that could result in an unexpected device reboot when there were many teleworker VPN peers connected to an MX appliance. This was most likely to occur on MX250 and MX450 appliances given the scale of VPN connections they typically support.
  • Fixed a rare issue that could result in MX appliances encountering an unexpected reboot when servicing many clients with a large number of network flows. This was more likely to occur on MX450 appliances supporting 10,000 or more active clients and 500,000 or more concurrent flows. Under conditions of heavy network traffic and system load, MX appliances will begin to more actively remove clients that have not been recently active from their databases. Additionally, MX appliances can limit the number of total concurrent clients that can be supported during these periods of high system load in order to maximize network performance and stability.
  • Corrected an issue on MX75, MX85, MX95, MX105, MX250, and MX450 appliances that could cause HTTP traffic transferred across AutoVPN to fail when HTTP Content Caching was configured.
  • Resolved an issue that resulted in MX75, MX85, MX95, MX105, MX250, and MX450 appliances dropping traffic destined to themselves when the traffic was received over AutoVPN. This could cause a lack of response to things like an SNMP walk sent over AutoVPN.
  • Resolved a very rare issue that could result in MX95, MX105, MX250, and MX450 appliances incorrectly broadcasting frames that were destined to the MX itself.
  • Resolved an MX 18.211.4 regression that could result in Z4(C) appliances failing to provide PoE power to connected devices.
  • Fixed an issue that could result in the cellular modem remaining active on Z3C, MX67C, and MX68CW appliances, even after it was disabled through the Meraki Dashboard.
  • Resolved an issue that could prevent AutoVPN tunnels from forming over cellular interfaces when the Cellular Active Uplink configurations are changed.

Legacy products notice

  • When configured for this version, Z1 devices will run MX 14.56.
  • When configured for this version, MX400 and MX600 devices will run MX 16.16.9.
  • When configured for this version, MX64(W), MX65(W), MX84, MX100, and vMX100 devices will run MX 18.107.13.

Known issues status

  • This list is being reviewed and updated.

Known issues

  • Trusted traffic exclusions will not function on Z4(C) appliances if AMP is configured.
  • Due to a rare issue, MX appliances may fail to initiate non-Meraki site-to-site VPN connections when IKEv2 is used. This is most likely to occur when there are mismatched VPN subnets configured between the MX and the non-Meraki VPN peer. This will be resolved in MX 19.1 releases.
  • Due to an issue under investigation, VMX-XL appliances fail to add local networks into the routing table.
  • Due to an issue under investigation, MX appliances may incorrectly report 100% loss on the SD-WAN monitoring page.
  • In rare cases, MX75, MX85, MX95, MX105, MX250, and MX450 appliances may encounter an unexpected device reboot.
  • Due to an issue under investigation, MX75, MX85, MX95, MX105, MX250, and MX450 appliances may report an erroneous spike in network traffic usage.
  • Due to issues under investigation, MX75 and MX85 appliances may encounter unexpected device reboots.
  • Duplicate retrospective “malware download detected” emails may be erroneously sent.
  • Due to an issue under investigation, making certain configuration changes to WAN interfaces (such as disabling or enabling an interface) can cause the IDPS process to fail. This issue may also cause high device utilization. The issue can be worked around by rebooting the MX appliance or disabling and then re-enabling IDPS.
  • Due to an issue under investigation, MX75, MX85, MX95, MX105, MX250, and MX450 appliances can fail to establish iBGP sessions when the subnet associated with the highest-numbered VLAN participating in the site-to-site VPN has a 1:M VPN NAT rule configured.

Other

  • When upgrading to MX 18.211.6 or higher, Z4C appliances will perform an upgrade of the integrated cellular modem. This may result in Z4Cs taking a longer time to complete the upgrade process.
If my answer solves your problem please click Accept as Solution so others can benefit from it.
3 Replies
RaphaelL
Kind of a big deal

Bug fixes - general fixes

  • Resolved an issue that resulted in MX appliances temporarily failing to properly classify traffic while upgrading to MX 19. This issue was no longer present once the firmware upgrade had completed.
  • Updated the AnyConnect VPN service.

 

That makes a lot of sense

Brash
Kind of a big deal

Due to issues under investigation, MX75 and MX85 appliances may encounter unexpected device reboots.


Didn't this one get a fix in 19.x?
I'm surprised it didn't get backported.

BHC_RESORTS
Head in the Cloud

Indeed, we upgraded a few problematic MX75s to the 19 train specifically for this issue. Would be nice for it to be backported.

BHC Resorts IT Department