Suggestions on Stable MX Firmware version

nsingh
Here to help


Hello,

 

We are debating which OS version would be the best and most stable to upgrade to, given the many OS releases this past August.

We are running 14.53 and so far we have had unresolvable issues on 15.43 and 15.43.1 (issues on Client VPN).

 

Any help or inputs are appreciated.

PhilipDAth
Kind of a big deal

I think the majority of our clients are on MX 15.42.3 now.  I haven't had anyone reporting problems, but then we didn't have anyone reporting problems on any of the 15.42.x releases, so ...

 

The next biggest group is on 16.11 so they can use the far superior AnyConnect client VPN.  We migrate around a client a week to AnyConnect (and hence 16.11).  It's just so much better.

Inderdeep
Kind of a big deal

@nsingh: 16.11 is stable without issues. Go with it!

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Thanks for the response.

You guys have a Beta release in a production environment?? That's brave

GrantP
Conversationalist

Oh boy. We were having issues with that same version of firmware for our MX-100, for half a year. We use AWS with a VPC to Meraki, and every time we upgraded the MX firmware from v14.x to v15.x, our connection to AWS would break. Certain indicators within Meraki showed that things were "working" on the Meraki side, but that the AWS side was not responding. We were told to pay for AWS support and to work with them on it, as the issue was apparently with AWS. We were getting desperate and nearly ponied up. 

 

Something kept nagging at me: the fact that the connection would work just fine for 5-10 minutes after the initial upgrade, or after we refreshed the VPC tunnel connection on the AWS side. Why would a firmware upgrade break everything, but allow things to work for a period of time after the swap?

 

Yesterday, we were finally able to get it going. Here are the steps we took. Huge props go out to Meraki support rep Lily Le for helping my team to zero in on the solution. 

 

  1. Upgrade to firmware 15.44
  2. Change the IKE version to IKEv2
    1. This will not work on IKEv1, from what I can tell
  3. Make sure something is set in the RemoteID section
    1. We just re-pasted our Public IP in the RemoteID
    2. The Local ID is still blank on our configuration
    3. This is a step we missed on all of our previous failed attempts
  4. On the AWS side, modify VPN tunnel options
  5. Verify your pre-shared key
  6. Uncheck IKEv1, and make sure IKEv2 is checked
    1. In previous attempts, we had the correct pre-shared key saved, but we also had both IKEv1 AND IKEv2 selected. In the successful attempt, we only had IKEv2 selected
  7. Confirm UP Tunnel Modification, then save
  8. Voila. Your VPC tunnel will take a few minutes to update its state, but you might be in business now 

 

In the end, Meraki was partially right: there was an AWS setting that needed to be changed. That said, on the Meraki side we also needed to have the RemoteID piece in place, and use IKEv2 (other reps I worked with in the past maintained we could still use IKEv1).

 

I hope someone out there can benefit from our 6+ months of troubleshooting this issue!
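Added example, not part of the original post: one way to check the AWS side of step 6 is to scan the JSON returned by `aws ec2 describe-vpn-connections` for tunnels that still accept IKEv1. The sample document, connection IDs and addresses below are constructed placeholders, and the function name is hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpn-connections` output.
# IDs and addresses are placeholders (documentation ranges), not real values.
SAMPLE = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-EXAMPLE1",
   "Options": {"TunnelOptions": [
     {"OutsideIpAddress": "203.0.113.10",
      "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}]},
     {"OutsideIpAddress": "203.0.113.11",
      "IkeVersions": [{"Value": "ikev2"}]}]}},
  {"VpnConnectionId": "vpn-EXAMPLE2",
   "Options": {"TunnelOptions": [
     {"OutsideIpAddress": "198.51.100.20"}]}}
]}
""")


def tunnels_not_ikev2_only(doc):
    """Return (connection id, tunnel outside IP, accepted versions) for each
    tunnel that accepts anything other than IKEv2 alone."""
    findings = []
    for conn in doc.get("VpnConnections", []):
        for tun in conn.get("Options", {}).get("TunnelOptions", []):
            versions = sorted(v["Value"].lower()
                              for v in tun.get("IkeVersions", []))
            # Assumption: a tunnel with no IkeVersions list has never been
            # restricted, so it is treated as accepting both versions.
            if not versions:
                versions = ["ikev1", "ikev2"]
            if versions != ["ikev2"]:
                findings.append((conn["VpnConnectionId"],
                                 tun.get("OutsideIpAddress"), versions))
    return findings


if __name__ == "__main__":
    for conn_id, ip, versions in tunnels_not_ikev2_only(SAMPLE):
        print(f"{conn_id} tunnel {ip}: accepts {', '.join(versions)}; "
              "restrict to ikev2")
```

To run it against a real account, replace `SAMPLE` with the parsed output of the CLI command; the RemoteID setting on the Meraki side is not visible in this output and still has to be checked in the dashboard.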

cmr
Kind of a big deal

@GrantP not that it helps you now, but the need to have the IDs set was part of the v15 release notes posted here a few times. Also, I'm not surprised that you needed IKEv2; it is a shame that the support desk didn't realise that!

 

@nsingh we've actually pretty much never run a stable release on the MXs since we first got them 2-3 years ago as we've always needed some of the features in the newer release trains.  We've never had an unexpected issue with this policy across our 26 MX/Z3s.  At the moment 20 are on beta with 6 on stable and you can guess where the only firmware warnings are...  I'd say the MR betas have had the odd issue, the same with the MSs, but (for us) the MX betas have always been stable (even the IPv6 ones).
