Thank you for this post.  Meraki support has never been much help with Non-Meraki S2S VPN.  The issues were so obviously on their side too.  Well documented issues littering the forums online with multiple peer brands but they take the easy way out and try blaming the peer anyway.  I upgraded our MX to the 15.37 firmware and the issues have completely gone away.  I can see on our Sophos UTM 9 that it no longer thinks the MX is behind a NAT. ... View more

I have this exact same configuration and issues you are describing.  Our Sophos UTM 9 in our datacenter thinks our MX's are NAT-T when they are not.  We experience the same unstable S2S IPSEC VPN issues you describe.  We have no problems with our remote sites on Cradlepoint, Just the Meraki sites.   I'm wondering if there is a way to turn off NAT-T on the Sophos and manually NAT through the MG21.  I have not found a solution yet.  Please update the post if you do. ... View more