Cisco Meraki

MX64/64W and MX65/65W Hardware Replacement due to Security Certificate Expiration 2020

Overview

Glossary of terms

  • Impacted - A subset of MX64/64W and MX65/65W hardware devices

  • Dashboard alert - One or more of your MX64/64W or MX65/65W devices need to be replaced on or before July 22, 2020.

  • Failure - On July 22, 2020, some MX64/64W and MX65/65W devices will become unmanageable due to a dashboard security certificate expiry. This means the devices will remain online, but dashboard configuration updates will fail. Only configurations made through the local status page will be applied to the device.
     

A small percentage of MX64/64W and MX65/65W devices need to be replaced on or before July 22, 2020, due to a dashboard security certificate expiry. While this issue can be remedied on most Meraki devices with a firmware upgrade, a subset of MX64/64W and MX65/65W devices require a hardware replacement.

 

You can identify affected MX64/64W and MX65/65W devices via the link at the top right corner of the dashboard (Help > Hardware replacements). It is important to note that not all MX64/64W and MX65/65W devices are affected. The only units impacted are listed on the dashboard (Help > Hardware replacements). This page will list all affected MX64/64W and MX65/65W devices that are online or were online within the last three months. MX64/64W and MX65/65W units that have been placed into cold storage could be affected as well. To ensure that all affected units are identified and replaced, we recommend connecting any MX64/64W and MX65/65W device currently in cold storage to power and the Internet to allow our monitoring tool to identify these devices and populate the hardware replacements page accordingly. MX64/64W and MX65/65W devices need to be claimed and added to a network to show up on the hardware replacements page, if impacted. 

 

If the affected MX64/64W and MX65/65W device is not replaced on or before July 22, 2020, the device will remain online and will continue to pass traffic. However, the device will send an alert "unable to fetch config," and any configuration changes from the dashboard will not be updated on the device. Only configurations made through the local status page will be applied to the device. Because security updates, firmware updates, etc. are pushed via dashboard configurations, it is crucial to replace affected units on or before July 22, 2020.

 

We emailed the five most recently active organization administrators informing them of this development. It is recommended that you touch base with your organization admins to avoid duplicate replacement requests that could delay the processing of your replacement unit(s).

 

When replacing units on your dashboard, you may see a licensing warning appear after adding the replacement MX. Once the old MX64/64W and MX65/65W device is removed from its network, the warning will disappear. We will continue to monitor all Meraki MX64/64W and MX65/65W devices through the dashboard for all of our customers. We will contact customers if we see anything that would make us believe there is an issue and offer a warranty RMA.

If your original unit was replaced with a different model, please contact licensing@meraki.com after replacing the unit to ensure your dashboard is in a compliant licensing state.

 

To learn more about the dashboard security certificate issue, refer to the document Cisco Meraki Security Certificate Expiration 2020 FAQ.

 

Frequently Asked Questions

If my affected devices are covered by Meraki Now, can I make use of the premium replacement options associated with the Meraki Now services?

Meraki Now services are only applicable in the event of a hardware failure that necessitates immediate replacement. As such, Meraki devices that are eligible for this proactive replacement program are not entitled to Meraki Now premium replacement services. Impacted devices will be replaced using the normal replacement process described in this document.

 

How will I know if I have an affected MX64/64W or MX65/65W device, and how do I request a replacement device?

Customers can use the dashboard to view pending hardware replacements (Help > Hardware replacements). We have also sent an email to the five most recently active organization administrators that accessed the dashboard. A walkthrough of the process is described in the Replacement Instructions section below.

 

Why am I just learning about this?

We informed customers as soon as we learned that our software remediation would not cover a subset of the MX64/64W and MX65/65W devices. We were able to remediate most of the impacted MX64/64W and MX65/65W devices via software remediation.

 

Can I have an MX64/64W or MX65/65W device that is affected but not listed on the Help > Hardware Replacements page?

Yes, the hardware replacements page will display those affected devices which are online now or were online within the last three months. If you have an MX64/64W or MX65/65W device in cold storage, we strongly recommend connecting it to the Internet. MX64/64W and MX65/65W devices need to be claimed and added to a network to show up on the hardware replacements page, if impacted. Once online, if it is affected, it will be identified on the Hardware Replacements page. If this happens to be the case, please submit a replacement request for these devices following the Replacement Instructions section below.

 

MX65/65W vs MX64/64W in cold storage?

  • All MX64/64W manufactured after 2018-03-30 are not affected - Hence if you ordered an MX64/MX64W within the last year, you have nothing to worry about.
  • Some MX65/65W manufactured after 2017-12-23 are affected - If you cannot connect all your devices before July 22, 2020, we recommend pre-staging your MX65/65Ws before actual deployment.
     

Are other models affected?

Only a subset of MX64/64W and MX65/65W devices require hardware replacements for the dashboard certificate issue. To learn more about the dashboard security certificate issue, refer to the document Cisco Meraki Security Certificate Expiration 2020 FAQ.

 

What is the cost of the replacement?

The replacement unit and shipping will be at no cost to the customer. 

 

How can I keep track of the status of my replacement MX64/64W and/or MX65/65W device order?

The status of your replacement order will be reflected in the Support case that is opened to initiate the hardware replacement.

 

When will I receive my replacement MX64/64W and/or MX65/65W?

Your replacement unit(s) should ship out immediately after the case is opened and replacement is confirmed. However, please note that you may experience shipping delays due to COVID-19. 

 

Should I be worried about an impacted MX64/64W and MX65/65W device?

You should replace your affected MX64/64W and/or MX65/65W device on or before July 22, 2020 to avoid any issues. If the unit is not replaced on or before July 22, 2020, the device will remain online and will continue to pass traffic. However, the device will alert "unable to fetch config" as seen in the image below, and any configuration changes from the dashboard will not be updated on the device. Because security updates, firmware updates, etc. are pushed via dashboard configurations, it is crucial to replace affected units on or before July 22, 2020.

[Screenshot: dashboard alert "unable to fetch config"]

If your affected MX64/64W and/or MX65/65W gets rebooted after July 22, 2020, for any reason, it will be online on the dashboard and will continue to fetch configurations. However, the device still needs to be replaced as soon as possible. If you experience any issues after a reboot, please contact Meraki Support.

 

 

What is the difference between the affected MX64/65, MX64W/65W devices and the ones Meraki will replace them with?

The replacement units have gone through additional validation to ensure they pass quality assurance standards.

 

What is Meraki doing to ensure this doesn’t happen again?

We have added new quality control processes (e.g., independent validation of firmware features that interface with critical systems), added a dedicated analytics team to identify operational anomalies ahead of wide-scale releases, and added additional accelerated lifetime tests.

 

Should I return my replaced MX64/64W and/or MX65/65W?

Yes. Your replacement MX64/64W and/or MX65/65W device will be shipped with a prepaid return label. We hope you will re-use the replacement device packaging for the return shipment. If you do not have a return label, please contact Support using the same case/ticket used for tracking the replacement.

 

Can I track replacement progress on my dashboard after receiving my replacement unit?

Yes, once you receive your replacement device and replace it on the dashboard, be sure to unclaim the faulty unit from your dashboard (Organization > Inventory). This will ensure replaced units are removed from the hardware replacements page (Help > Hardware replacements page). You can rely on the hardware replacements page to see how many devices are yet to be replaced.

 

Your replacement device will be shipped with a prepaid return label. We hope you will re-use the replacement device packaging for the return shipment. If you do not have a return label, please contact Support using the same case/ticket used for tracking the replacement.

 

What if I still have questions?

As always, Meraki Support is available 24x7.

Replacement Instructions

We emailed the five most recently active organization administrators, informing them of this development. It is recommended that you touch base with your organization administrators to avoid duplicate replacement requests and to avoid any delays in receiving your replacement unit(s).

 

Follow the instructions below to determine if you have affected devices in your organization.

  1. Log in to the Meraki Dashboard.
     

  2. Identify affected units on the Hardware replacements page. This page (Help > Hardware replacements) presents information on the number of affected devices, to help you identify the MX64/64W and/or MX65/65W devices which need to be replaced. If you have not received an email notification, or do not see a tile on the hardware replacements page entitled “Proactive replacement of some MX64/64W/65/65W”, then none of your active MX64/64W/65/65W devices need to be replaced.

  3. If this issue impacts your organization, go to Help > Cases. Create a Support case with the following details. If you have multiple affected devices whose replacements need to be shipped to different locations, you will need to create a separate case per shipping address.

Case Subject: “Replacing MX64/64W and/or MX65/65W Hardware with an Expiring Certificate”
Case body: Process the replacement of affected MX64/64W and/or MX65/65W

  •   Serial number(s): [Provide serial number(s) of all affected unit(s) (see Help > Hardware replacements) for the same Ship-to Address]
  •   Ship-to Name:
  •   Company name:
  •   Ship-to Address:
    • Street 1:
    • Street 2:
    • City:
    • State:
    • Postal code:
    • Country:
  •   Contact number:
  •   Email:
  4. A Support Engineer will process the replacement(s) and confirm via the case by providing the RMA number(s) and a tracking number to track your replacement.

  5. No further action is required until your replacement unit is received.

Installing Your Replacement MX

Before making any changes to the existing MX device, be sure to claim the replacement MX in Organization > Inventory, then remove the faulty unit and add the replacement MX to the appropriate dashboard network.

When replacing units on your dashboard, you may see a licensing warning appear after adding the replacement MX device. Once the old MX64/64W and/or MX65/65W device is removed from its network, the warning should be dismissed. We will continue to monitor all Meraki MX64/64W and MX65/65W devices through the dashboard for all of our customers.

Please refer to our documentation on Replacing an Existing MX with a Different MX.