Oh boy. We were having issues with that same version of firmware for our MX-100, for half a year. We use AWS with a VPC to Meraki, and every time we upgraded the MX firmware from v14.x to v15.x, our connection to AWS would break. Certain indicators within Meraki showed that things were "working" on the Meraki side, but that the AWS side was not responding. We were told to pay for AWS support and to work with them on it, as the issue was apparently with AWS. We were getting desperate and nearly ponied up.
Something kept nagging at me: the fact that the connection would work just fine for 5-10 minutes after the initial upgrade, or after we refreshed the VPC tunnel connection on the AWS side. Why would a firmware upgrade break everything, but allow things to work for a period of time after the swap?
Yesterday, we were finally able to get it going. Here are the steps we took. Huge props go out to Meraki support rep Lily Le for helping my team to zero in on the solution.
1. Upgrade to firmware 15.44
2. Change the IKE version to IKEv2
   - This will not work on IKEv1, from what I can tell
3. Make sure something is set in the RemoteID section
   - We just re-pasted our Public IP in the RemoteID
   - The Local ID is still blank on our configuration
   - This is a step we missed on all of our previous failed attempts
4. On the AWS side, modify VPN tunnel options
   - Verify your pre-shared key
   - Uncheck IKEv1, and make sure IKEv2 is checked
     - In previous attempts, we had the correct pre-shared key saved, but we also had both IKEv1 AND IKEv2 selected. In the successful attempt, we only had IKEv2 selected
   - Confirm UP Tunnel Modification, then save
5. Voila. Your VPC tunnel will take a few minutes to update its state, but you might be in business now
In the end, Meraki was partially right: there was an AWS setting that needed to be changed. That said, on the Meraki side we also needed to have the RemoteID piece in place, and use IKEv2 (other reps I worked with in the past maintained we could still use IKEv1).
I hope someone out there can benefit from our 6+ months of troubleshooting this issue!
@GrantP not that it helps you now, but the need to have the IDs set was part of the v15 release notes posted here a few times, also I'm not surprised that you needed IKEv2, it is a shame that the support desk didn't realise that!
@nsingh we've actually pretty much never run a stable release on the MXs since we first got them 2-3 years ago as we've always needed some of the features in the newer release trains. We've never had an unexpected issue with this policy across our 26 MX/Z3s. At the moment 20 are on beta with 6 on stable and you can guess where the only firmware warnings are... I'd say the MR betas have had the odd issue, the same with the MSs, but (for us) the MX betas have always been stable (even the IPv6 ones).