Security appliance firmware versions MX 16.16 changelog

Important notice

- While Meraki appliances have traditionally relied on UDP port 7351 for cloud communication and TCP ports 80 and 443 for backup communications, with MX 16 we are beginning a transition to using TCP port 443 as the primary means for cloud connectivity. To ensure proper connectivity to the Meraki cloud after this upgrade, please ensure that traffic using TCP port 443 between your Meraki appliances and 209.206.48.0/20 is allowed through any firewalls that may be deployed upstream of your Meraki appliances.
- HTTP proxy, which allows default management traffic from MX appliances to be sent through a proxy, is deprecated on MX 16 and higher firmware versions.

Legacy products notice

- When configured for this version, Z1, MX60, MX60W, MX80, and MX90 devices will run MX 14.56.

New feature highlights

- Added support for Cisco AnyConnect client VPN on Z3(C), MX67(C,W), MX68(W,CW), MX75, MX84, MX85, MX95, MX100, MX105, MX400, MX600, MX250, and MX450 appliances.
- Added Network-Based Application Recognition (NBAR) integration.
- Added support for using a cellular uplink concurrently with a wired uplink, as opposed to the cellular uplink only being available for failover.
- Added firmware support for SD-Internet functionality.

Bug fixes

- Corrected several cases where disabled ports on MX95, MX105, MX250, and MX450 would be in a disconnected state as opposed to fully disabled. This could cause devices connected to disabled ports to show the connection as active.
- Corrected several cases where wireless SSIDs would reset during a WAN or cellular failover event for MXW appliances that were configured to operate in warm spare / high availability.
- Corrected an issue that resulted in the user name being displayed incorrectly on the Clients page in Dashboard for AnyConnect VPN clients connected via SAML authentication.
- Further upgrade reliability improvements for MX64(W) and MX65(W) appliances.
- TCP and UDP performance improvements in cases where many clients are transmitting traffic.
- Resolved an issue that could affect the reachability of subsets of AutoVPN routes if two MX appliances were joined to the AutoVPN topology using the same IP address.
- Fixed a rare case that could result in a device reboot when ICMP traffic was sent from a ClientVPN client to a non-Meraki VPN peer.
- Performance improvements on the MX95, MX105, MX250, and MX450 appliances.
- Corrected an issue that could cause SFP links to fail to establish if the modules were hotplugged into MX95, MX105, MX250, and MX450 appliance ports.
- Resolved a case that could cause WAN uplinks to disconnect and reconnect intermittently (“flap”) on MX95, MX105, MX250, and MX450 appliances when an SFP module was plugged into the WAN2 port without anything connected to the module.
- Fixed a rare case where non-Meraki VPN connections would not attempt to form when devices were configured in a warm spare / HA topology.
- Corrected an issue that resulted in traffic not being properly routed when 1) an MX was configured with a specific ECO-only static routing configuration and 2) a WAN uplink had a failover event and subsequently recovered from the failover (failback).
- Corrected inaccuracies in the SNMP ifTable data on MX95/105 appliances.
- Fixed an MX 16 regression that resulted in incorrect port LED behavior on MX64(W) appliances.
- Resolved an issue which resulted in MXs not fragmenting packets whose length exceeds the WAN MTU before encrypting them and sending them over a non-Meraki VPN tunnel.
- Improved the reliability of application classification decisions made by the NBAR traffic engines.
- Stability improvements for all platforms.

Known issues

- After making some configuration changes on MX84 appliances, a brief period of packet loss may occur. This will affect all MX84 appliances on all MX firmware versions.
- Due to MX 15 regressions, USB cellular connectivity may be less reliable on some modems.
- Due to an MX 15 regression, the management port on MX84 appliances does not provide access to the local status page.
- Client traffic will be dropped by MX65(W), MX67(C,W), and MX68(W,CW) appliances if 1) the client is connected to a LAN port with 802.1X authentication enabled and 2) the VLAN ID of the port is configured to 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240.

Other

- Added the ability to set static speed and duplex settings on LAN SFP ports on MX85 appliances.
- Updated the IP spoofing Event Log messages to be more intuitive and human-readable.