@cmr it Also depends on what functions you need from the Meraki Dashboard on the switch. If the CS firmware supports is and the IOS-XE not you shouldn't upgrade. Otherwise I see in my opinion no reason to not upgrade. ... View more

Thank you for the suggestion! Just double-checked the settings on both Meraki and CheckPoint, we did set the IKE version to IKEv1, and on CheckPoint we've configured the encryption method to IKEv1 for IPv4 and IKEv2 for IPv6 only, but the issue still occurs intermittently. Also when the issue happens, we captured packets on both sides... both the MX250 and the Checkpoint are actively initiating Non-Meraki VPN negotiation traffic (UDP Port 500 and 4500) to each other, but neither is receiving inbound VPN packets properly... Based on this behavior... just guessing the VPN negotiation packets might be getting dropped somewhere along the ISP's path. Could that be the case? ... View more