Meraki

cmr · ‎Feb 5 2026

Security appliances software versions MX 19.2.7 changelog

Important notice

As of MX 19.1, Cisco Meraki will no longer support USB-based Cellular Failover on the MX and Z platforms.
Starting with MX 19.1 firmware on vMX platforms, Meraki has begun to deprecate the use of 3DES encryption for Phase 2 (IPsec) of Client and IPsec VPN connections due to its insecure nature. Subsequent firmware releases will continue to deprecate it on all platforms.

New feature highlights

Added support for Diffie-Hellman Groups 15 (3072-bit ECDH) and 21 (521-bit ECDH encryption) in IPsec and AutoVPN configurations, ensuring interoperability with modern cryptographic standards and enhances security postures for sensitive communications.
Added support for Active-Active Non-Meraki VPN peer connections.
Modem firmware visibility on dashboard - Z4C.
Expanded the list of built-in APNs for Z3C, Z4C, MX67C, and MX68CW appliances.

Executive summary

This is the first Stable / Recommended release for MX 19.2. It contains new functionality that continues to expand the available choices for VPN connectivity and strengthens cellular serviceability.
For customers already running MX 19.2, this maintenance release contains a range of fixes across AnyConnect VPN and Site-to-Site VPN. It also improves device stability and the consistency of network performance. Please read through the full details below.
This release contains fixes and improvements for the C8455-G2-MX that launched at the end of 2025. Please read through the full details below.
Additionally, MX 19.2 contains several important fixes for MX85 appliances that have been shown to significantly reduce cases of unexpected device reboots. We strongly encourage customers on versions prior to MX 19.2 to consider upgrading.
With the promotion of MX 19.2 to Stable / Recommended release, we strongly encourage customers to begin their process of migrating from older releases. We do not intend for additional fixes to become available through future MX 19.1 releases.

Bug fixes - general fixes

Resolved several cases that could result in an unexpected device reboot. (MX-42084) (MX-42484) (MX-41540) (MX-43044) (MX-44148) (MX-44723)
Resolved a rare issue that could result in AutoVPN traffic being dropped. (MX-43737)
Fixed a rare issue that could result in AnyConnect Client VPN incorrectly rejecting valid authentication attempts. (MX-34380)
Corrected a rare issue that could result in disruption to AnyConnect client VPN connectivity if Mobile Device Management (MDM) had ever been enabled in the organization. (MX-44403)
Corrected an issue that could result in some devices connected via client VPN not being displayed in the Clients page on the Dashboard. (MX-21479)
Corrected an issue with the VPN status reporting for IPsec VPN peers when a primary and secondary tunnel configuration was in place. (MX-41539)
Fixed a rare issue that could result in a temporary network performance reduction in cases where a previous large burst of flow all expired at the same time. (MX-45842)
Fixed a rare issue that could result in firewall rule configurations being unnecessarily reloaded. This may have introduced momentary reductions in network performance, especially when complex firewall rule sets were in use. (MX-45846)
Fixed a very rare issue that could result in elevated device workload when processing HTTP traffic with out of order packets. (MX-44666)
Resolved a regression that could result in traffic being incorrectly dropped when 1) a port forward, 1:1 NAT, or 1:M NAT was configured, 2) a static default route (0.0.0.0/0) was also configured, and 3) a LAN client was responding to a WAN-initiated connection. (MX-43847)
Fixed an issue that could result in periods of incomplete data when viewing a 2-hour window of Dashboard latency graph data on the Appliance Status page. (MX-21351)

Bug fixes - limited platform fixes

Resolved an issue that could result in network routing problem when 1) C8455-G2-MX appliances were configured for warm spare (HA) and 2) an administrator swapped the primary and spare roles of the two appliances. (MX-44412)
Fixed an issue that could result in IPsec VPN traffic failing on C8455-G2-MX appliances. (MX-45847)
Corrected an issue that resulted in C8455-G2-MX appliances being unable to start the processes for performing ThousandEyes monitoring. (MX-45840)
Resolved an issue that resulted in XDR flows not being exported correctly on C8455-G2-MX. (MX-45844)
Resolved an issue that resulted in C8455-G2-MX appliances sending additional, unneeded ARP responses (MX-45841)
Corrected an issue that could result in some SFP modules failing to be recognized on C8455-G2-MX appliances. (MX-45843)
Corrected an issue that resulted in MX85 appliances erroneously dropping CDP and LLDP frames. (MX-44332)

Legacy products notice

When configured for this version, MX64(W), MX65(W), MX84, MX100, and vMX100 devices will run MX 18.107.13.

Known issues status

This list is being reviewed and updated.

Other

The product complies with EN 18031-1:2024 and EN 18031-2: 2024
Clarified the wording for the Cellular Override options in the Local Status Page. (MX-29835)

If my answer solves your problem please click Accept as Solution so others can benefit from it.

RaphaelL · ‎Feb 6 2026

Quite curious about this one :

Added support for Diffie-Hellman Groups 15 (3072-bit ECDH) and 21 (521-bit ECDH encryption) in IPsec and AutoVPN configurations, ensuring interoperability with modern cryptographic standards and enhances security postures for sensitive communications.

Pretty sure we are going to see a hit in performance

KarstenI · ‎Feb 6 2026

I am not really sure about that one. Group15 should be much slower than the already available Group14, and for Gr21, I am not sure about availability on other platforms. I had hoped for Group19, which is the de facto standard everywhere else. And it is only for key exchange; throughput will likely remain unchanged unless there are additional optimizations.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

RaphaelL · ‎Feb 6 2026

Yeah I think you are right.

I'm always a bit hesitant when I see changes to AutoVPN , we have suffered so much in the past.

But tbh MX19 has been SO much stable. Kudos to Meraki

KarstenI

Yes, quite stable. I just have to ignore that the update to 19.1 bricked my MX75 ... 😎

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

ITSDigital · ‎Feb 7 2026

Interesting release, we will be testing on a single MX75 hub and seeing how it performs.

ITSDigital

We've now deployed to over 100 MX67/75s.

No known issues seen (we only use AutoVPN, and no SFP modules)

nlev

Updated MX105 to 19.2.7 and lost both WAN 1 and WAN 2 SFP connections but device is still up and running on WAN 3 which is not ideal.

We have RJ45 to SFP adapter modules installed in WAN 1 and WAN 2 since the RJ45 WAN ports are disabled when using WAN 3.

Luckily, we had WAN 3 connected, but without WAN 3 and the RJ45 SFPs we probably wouldn't have run into this issue in the first place. Anyone else seeing issues with WAN ports showing down after upgrade to 19.2.7?

nlev

Update: I tried rolling back the firmware update and still encountered the same issue with SFPs not enabling after MX reboot. It seems the issue is not related to 19.2.7, it was just revealed when the MX rebooted for firmware upgrade.

I ended up removing the copper RJ45 SFPs, disabling backup WAN 3 and reverting back to using the RJ45 ethernet ports on the MX. We lose the benefit of WAN 3, but at least we can reboot the MX ok without the SFPs going offline.

peto

after upgrading to this version my non-meraki IPSec stopped working. The other end is ASAv.

Dunky

Thanks for posting this @peto

Has anyone else experienced issues with 3rd party IPsec VPN's, specifically to Azure?

If there are issues then I will delay upgrading to 19.2.7

peto

reply from support: It appears that following your upgrade to version 19.2.7, your device began experiencing a known issue that has already been addressed in firmware version MX 26.1.2 (new public beta).

I did the upgrade and everything works now.

Dunky

Thanks for the update @peto

Did you have any issues with IPsec VPNs between MX and Azure?

peto

no issues yet with 26.1.2

Dunky

Sorry, I meant on 19.2.7

peto

my ipsec was between MX and ASAv. The problem was that phase2 was not able to establish under any condition while on 19.2.7. after upgrading to 26.1.2 everything started to work

Edu_Chico

Hello guys,

Any issues when upgrading an MX105 to this new version?
Were you able to find out what’s going on with the SFPs?
I have two with two fiber SFPs for the WAN, and I’m thinking about upgrading soon.
I’m currently on version 19.2.3 and everything is working fine.”

annejoan

Comment:
“Great to see the MX 19.2.7 recommended release bringing important VPN fixes and updated terminology. Improvements like better AutoVPN support and stronger encryption options can really enhance network stability and security for organizations. Firmware updates like this help ensure smoother connectivity and more reliable performance across devices.

Understanding complex systems—whether it’s networking infrastructure or mathematical models—often requires clear visualization and structured analysis. That’s why many students and professionals rely on the texas instruments ti 84 plus graphing calculator to explore equations, analyze graphs, and simplify problem-solving in a more interactive way.”

hart88

Has anyone had any issues with the WAN SFPs after upgrading to ver. 19.2.7?

nlev

I did. See my post above. The issue ended up being unrelated to 19.2.7 and existed in previous versions as well. It's just that the SFPs don't come up after a reboot.

wittyparrot

Hello guys,

Has anyone upgraded to 19.2.7 on a VMX-M, and what are your impressions. Has it been stable?
Running AutoVPN to a bunch of sites, and wondering if we should go to 19.2.7 or stop at 19.1.12 as latest patch.