Kinda replying to everyone here.  Here's a lousy diagram of the connectivity:

The MX connects to a pass-through interface on a barracuda filter and then hands off the traffic to the core switch on a trunked interface using native vlan 1.  The MX only has 2 VLAN interfaces, VLAN 1 for data traffic and VLAN 99 which it uses to hand out mgmt DHCP addresses to the Meraki gear (switches, APs, etc).  

Here is the trunk ifc to the barracuda pass-through:

As far as the MX LAN port, there really isn't much to configure there except speed/duplex, so I'm not sure why you'd want to see that. It's currently set to auto/auto. 

Before everyone throws their hands up over the Barracuda....it's just bridging the traffic and watching it as it passes through and that's it.  Completely L2.  The mechanism for blocking the client is handled from a different interface on the LAN side (VLAN 1). So it's not doing anything to the traffic.  

So the flow is this:  Inet => MX (access vlan 500) => MX LAN ifc => Bcuda L2 => MS350 Trunked on native 1 => Client or access switch => Client

The MX can only talk on VLANs 1 & 99.  All the mismatched VLAN messages are referencing subnets which are being *routed* between the MX and the LAN.  L2 should not be involved except to ID the transport VLAN (1 or 99).

This is not a very sophisticated flow at all.   

Firmware on the MX is up to date:

-John

Is this happening because the trunk link to the switch is passing the broadcast traffic from all VLANs?  I can't see any other potential reason for the mismatch. 

This was my next step anyway.  I'll lock it down to 1,99 and see if the mismatch goes away. 

IMO, the MX should just be dropping broadcast traffic that doesn't match any of its VLAN interfaces instead of processing it and complaining about a mismatch.  The events don't show L2 broadcasts so why would its L3 interface even care about packets from subnets it doesn't have an interface for?  Its L2 should not even be handing those packets off to L3.