Thanks for posting this. I am curious what your test environment looks like? Specifically are you running the Teams traffic through the VPN (full tunnel)? Also, what do your layer 7 rules look like? I'm not blocking much using the layer 7 rules so I'm wondering if maybe I wouldn't be affected as much moving to 16.16 or 16.16.1.  ... View more

Got it. Thanks for the update.  ... View more

Okay thanks, I know how that goes. Here's to hoping it was just an anomaly!  ... View more

Anyone know if these NBAR issues with 16.16 have been resolved in 16.16.1?  ... View more

I'm curious if the downgrade resolved the issue? We are looking at upgrading a number of sites to 16.16 but would obviously like to avoid these type of issues. Did you happen to upgrade to 16.16.1 or just 16.16?  ... View more

Thanks for the update Francois. I will follow the new thread in your new post. ... View more

Hi Francois,   Unfortunately, I wasn't able to find a fix for the Palo Alto issue of not clearing the "long lived sessions". They gave me the same KB article. I spent hours on the phone with Palo Alto and Meraki support (even got both companies on a conference call once) but they couldn't fix it. Palo Alto said it is working as it should be for IPsec and SIP sessions, and Meraki said the Palo Alto should be clearing the sessions since it is handling the ISP fail over.    I had hung Palo Alto sessions affecting the Meraki IPsec VPN tunnels and a SIP trunk for my SBC. Both were behind the Palo Alto.    I ended up re-configuring my MX250's in NAT mode (instead of VPN concentrator) and bypassing the Palo Alto with a dedicated WAN interface on the MX to each of my ISP's.  ... View more

Hi Cole,   I have been running a HA pair MX250 in the VPN concentrator mode behind a Palo Alto firewall for a year now and it has been working fine even with the unfriendly NAT error. I think it is because the Meraki sets up the auto VPN with outbound traffic to the cloud. Support sometimes gets hung up on it, but it works.    One thing to note is if you are using PBF rules on the Palo Alto for ISP fail over, I've found that the Palo Alto will not clear the Meraki IPsec sessions when failing to the backup ISP (or failing back to the primary). In order to get the Meraki VPN to fail over you have to either clear the Palo Alto IPsec sessions, or restart the Meraki to re-establish the IPsec tunnels.  ... View more