Fixes a couple of VPN client bugs that could cause a device hang
- This is a beta version for the next major MX release. Due to this, we recommend taking additional caution before upgrading production appliances. Where applicable, MX 14 releases will provide a more stable upgrade alternative.
- The DES encryption algorithm is no longer supported for use in formation of VPN tunnels.
- Creating VPN tunnels using aggressive mode IKE is no longer supported.
Supported products notice
- Z1, MX60, MX60W, MX80, and MX90 devices are not supported on MX 15 and newer releases.
- Resolved an issue that could result in the client VPN process entering a hung state and consuming excess CPU cycles when many client VPN connections were concurrently active
- Fixed a case that resulted in the client VPN process crashing when more than 505 concurrent client VPN connections were established.
- After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions
- Some stability-impacting issues present in MX 14.19 that affect a small population of MX250 and MX450 devices still exist.
- Some stability-impacting issues present in MX 14 that affect a small population of MX67(C,W) and MX68(W,CW) appliances still exist.
- Some stability-impacting issues present in MX 14 that affect a small population of Z3(C) appliances still exist.
- Please note that until certification has been obtained, the Z3C will not be supported on Verizon's network.
- World-wide device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed in North America and North America device SKUs of the MX67C, MX68CW, and Z3C units cannot be deployed outside of North America.
- When deployed in warm spare / high availability (HA), MX67C and MX68CW do not support using their cellular connectivity to pass client traffic. In this deployment, the cellular connectivity can only be used for device monitoring or network troubleshooting. This is an expected limitation for these platforms.
- MX67C, MX68CW, and Z3C units must be connected to the Meraki Dashboard initially to retrieve an update to allow for proper use of the integrated cellular connectivity. This is most likely to be an issue when bringing the units online for the very first time.
- On the MX67(C,W) and MX68(W,CW) platforms, when the MX is providing PoE to a connected device, this information will not be reflected on the Meraki Dashboard.
- Once a Z3 has been updated to this firmware version it can only run MX 14.31 or MX15.8 and higher. This is an expected result of updates to the device booting mechanisms and this limitation will not be resolved in future releases.
- Due to MX 15 regressions, USB cellular connectivity may be less reliable on some modems
- Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page
- Devices connected to ports 3-7 may have issues communicating with devices connected to ports 8-12 on MX68(W,CW) appliances.
- Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) The client is connected to a LAN port with 802.1X authentication enabled and 2) The VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.
- MX250 and MX450 appliances will not apply the configured VLAN ID to traffic transmitted on their WAN interfaces if VLANs are also enabled on the LAN for other downstream clients and traffic.
- The following types of management traffic will not always egress a WAN interface: 1) Traffic used by MX appliances to register with the AMP Cloud in order to retrieve the security disposition of downloaded files, 2) Traffic being sent to the Meraki Cloud for the purposes of performing Meraki Authentication for Client VPN, and 3) Traffic sent to the Meraki Cloud using the HTTP backup communication channel. These types of traffic will follow the routing of normal clients, which means it may be routed across static routes and VPN connections, especially in cases where a default route (0.0.0.0/0) is in use.
- As a new major version evolving through beta, there are a number of new, uncommon issues that may result in device reboot that we are continuing to investigate and work through. In particular, the Z3(C), MX84, MX100, MX400, MX600, MX250, and MX450 appliances have unresolved issues that we are tracking closely and continuing to investigate and drive towards resolution.