Cisco Meraki Security Certificate Expiration 2020 FAQ
What is the security certificate expiration 2020 issue about?
Beginning July 2020, any Cisco Meraki hardware running old, unsupported versions of firmware will not be able to download its configuration from the dashboard. These unsupported old firmware versions have a security certificate that expires in July 2020. If devices running this old version of firmware try to connect to the Meraki dashboard after July 2020, they will be unable to connect due to the expired certificate.
What Meraki devices are impacted?
Any Cisco Meraki devices that need to fetch configurations from the dashboard - MR, MS, MX, MV - and are running old firmware versions with the old certificate are impacted.
Is Cisco encountering the same problem with any of their other products?
No, this is an issue that impacts only Cisco Meraki devices.
What firmware versions have the new certificate?
The list of firmware builds that are post-2020 compliant can be found in Table 1 below.
Any devices running firmware versions that are older than those listed below will need to be upgraded before July 2020.
Product | Firmware version with the fix (new certificate)
MS | 9.15 and all builds after
MR | 24.x: 24.9 and later in series; 25.x: 25.3 and later and all builds after
MX | 12.26, 13.13 and all builds after with the exception of 14.1
MV | 1.9 and all builds after
What is the recommended firmware version that the affected networks/devices should be upgraded to?
- The recommended firmware version to upgrade the devices to is the latest stable version for that platform. If for some reason you are not able to upgrade the devices to the latest stable version, please make sure you upgrade them to a firmware version that has the new certificate (refer to the table above).
- You can find the latest stable firmware versions for all the products on the Organization > Firmware Upgrades > Overview page.
How can I find out which networks or devices are impacted and need to be upgraded?
Network level
- To figure out which networks in the organization are running older firmware versions, navigate to the Organization > Firmware Upgrades page.
- Click on the All networks tab, which provides a list of all networks with their current firmware version and status. You can filter by device type and set the firmware status to Upgrade available.
- From this list you can figure out which networks are running older versions (refer to the firmware table above) that have the security certificate issue and need to be upgraded.
- Once you have figured out which networks are impacted, schedule the upgrade to the latest stable firmware version.
- For steps to schedule the firmware upgrades you can refer to the document Scheduling Firmware Upgrades.
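The comparison against the firmware table can be scripted once the network list has been copied out of the dashboard. The following is an added example, not Meraki code: the row layout and function names are assumptions, and the MX rule is read as 12.26 and later within 12.x, 13.13 and later within 13.x, and every later series except 14.1.

```python
# Added example: flag inventory rows whose firmware predates the new certificate.
# Thresholds come from the firmware table in this FAQ; the row layout is assumed.

def parse_version(text):
    """'9.15' -> (9, 15). Numeric tuples avoid the string trap '9.2' > '9.15'."""
    return tuple(int(part) for part in text.strip().split("."))

def has_new_certificate(product, version):
    """Return True if the build carries the post-2020 certificate per the table."""
    v = parse_version(version)
    v = v + (0,) * (2 - len(v))  # pad a bare "14" to (14, 0)
    major = v[0]
    if product == "MS":
        return v >= (9, 15)
    if product == "MV":
        return v >= (1, 9)
    if product == "MR":
        if major == 24:
            return v >= (24, 9)   # 24.x series: 24.9 and later
        return v >= (25, 3)       # 25.3 and everything after
    if product == "MX":
        if major == 12:
            return v >= (12, 26)
        if major == 13:
            return v >= (13, 13)
        # Assumed reading: later series are fixed, 14.1 is the stated exception.
        return major >= 14 and v[:2] != (14, 1)
    raise ValueError(f"unknown product family: {product}")

def audit(rows):
    """rows: iterable of (network, product, version). Returns rows needing upgrade."""
    return [(net, prod, ver) for net, prod, ver in rows
            if not has_new_certificate(prod, ver)]

# Constructed sample inventory (not real networks or an actual dashboard export).
SAMPLE = [
    ("branch-01", "MS", "9.2"),
    ("branch-02", "MS", "9.15"),
    ("hq-wifi", "MR", "24.12"),
    ("lab-wifi", "MR", "25.1"),
    ("edge-a", "MX", "13.5"),
    ("edge-b", "MX", "14.1"),
    ("edge-c", "MX", "14.39"),
    ("cams", "MV", "1.9"),
]

if __name__ == "__main__":
    for net, prod, ver in audit(SAMPLE):
        print(f"{net}: {prod} {ver} needs upgrade before July 2020")
```

Devices with a locked, device-level firmware setting do not follow the network version, so they still need the per-device check described in the next section.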
Device/ Hardware Level
Note: If your dashboard banner states that you would need to call Meraki Support to upgrade your devices, this means that the custom settings are at the device level and you cannot upgrade those devices yourself. Support has to remove the custom setting for you for the device to upgrade. The below device/ hardware level discovery gives you visibility to what might be affected. Please note that the moment support removes the custom settings, the device will try to upgrade to the configured network version. Hence, make sure you plan for an outage window for the upgrade to not cause any network disruptions.
- To figure out if any of the devices have a custom firmware pinned to them and are not upgrading to the configured network version, you can navigate to the product page for the respective product (Switches/ Wireless/ Cameras/ Security Appliance) and add the "Firmware version" column to the list.
- If the firmware column states: “Firmware version locked, please contact support” that means the device has custom firmware settings and you should call in to support to remove the setting and have the device upgraded to the latest stable. Support should be able to find out if the custom firmware set for the device is an affected firmware or not.
- Another way to find out if a device has a custom firmware is to navigate to the summary page of the device for MX/MS/MR/MV. For instance, for switches go to Switch > Switches, scroll down to the firmware section and you should see if the device firmware has a custom setting and is locked.
If I have received a notification for uninstalled MX100 devices that are affected and need immediate installation and upgrade, how do I get more details on the affected devices?
You can contact Meraki support or your sales representative for details regarding the affected devices. Once you get a list of the devices affected, please make sure to have them installed and upgraded to the recommended firmware version before July 2020; otherwise the MX100 would not be able to connect to the Meraki dashboard beyond that date and would require an RMA to fix the issue.
If I have received a notification for MX64/64W or MX65/65W devices that are affected and need to be replaced immediately, how do I get more details on the affected devices?
A small percentage of MX64/65 and MX64W/65W devices need to be replaced on or before July 22, 2020, due to a dashboard security certificate expiry. While this issue can be remedied on most Meraki devices with a firmware upgrade, a subset of MX64/65 and MX64W/65W devices require a hardware replacement. You can identify affected MX64/65 and MX64W/65W devices via the link at the top right corner of the dashboard (Help > Hardware replacements). For more details, see MX64/65 and MX64W/65W Hardware Replacement due to Dashboard Security Certificate.
I received scheduled network upgrades notification referencing Security Certificate Issue. What should I do?
These network upgrades have been scheduled to help make sure the devices on unsupported firmware versions are upgraded to supported firmware versions prior to July 2020. These upgrades provide customers with an option to reschedule or cancel upgrades until May 31st. However, after May 31st these CANNOT be canceled/ rescheduled. After May 31st, mandatory upgrades will be pushed to networks to make sure we fix these networks before the certificate expiration happens.
I have upgraded the impacted networks and devices, but I still see the banner alert on the dashboard. Is that expected?
Yes, it is expected. Please note that the banners won't disappear automatically after the impacted networks/ devices have been upgraded and might still show up on the dashboard for a while. However, if you have confirmed that your impacted networks have been upgraded correctly, you can ignore these banners. If you are not sure, feel free to reach out to Meraki Support for assistance.