Monitor the Umbrella Connector

You can view detailed statistics for DNS inspection with Umbrella enabled.

ciscoasa(config)# show service-policy inspect dns [detail]

Without the detail keyword, you see all the basic DNS inspection counters plus Umbrella configuration information. The status field provides the HTTP status code for the system’s attempt to register with Cisco Umbrella. The detailed output shows DNSCrypt statistics and the keys used.

Monitor Umbrella Syslog Messages

You can monitor the following Umbrella-related syslog messages:

  • %ASA-3-339001—DNSCrypt certificate update failed after trying a number of times. Check that there is a route to Umbrella and that the egress interface is up and functioning correctly. Check that the public key configured for DNSCrypt is correct. You might need to obtain a new key from Umbrella.
  • %ASA-3-339002—Umbrella device registration failed with error code . The error codes have the following meanings:
    • 400—There is a problem with the request format or content. The token is probably too short or corrupted. Verify that the token matches the one on the Umbrella Dashboard.
    • 401—The API token is not authorized. Try reconfiguring the token. If you refreshed the token in the Umbrella Dashboard, then you must ensure that you use the new token.
    • 409—The device ID conflicts with another organization. Please check with the Umbrella administrator to see what the issue might be.
    • 500—There is an internal server error. Check with the Umbrella administrator to see what the issue might be.
  • %ASA-6-339003—Umbrella device registration was successful.
  • %ASA-3-339004—Umbrella device registration failed due to missing token. You must obtain an API token from Cisco Umbrella and configure it in the global Umbrella settings.
  • %ASA-3-339005—Umbrella device registration failed after retries. Check the syslog 339002 messages to identify the errors that you need to fix.
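The messages above can be triaged in order, as in this added example (not Cisco code). It assumes the log lines carry the %ASA-level-ID tag and that a 339002 line contains the words "error code" followed by the number; the function name, the state fields and the sample lines are all constructed for illustration.

```python
import re

# Message IDs and error codes come from the list above; wording is paraphrased.
MSG_RE = re.compile(r"%ASA-\d-(33900[1-5])\b(.*)")
CODE_RE = re.compile(r"error code\s+(\d{3})")
CODE_ACTIONS = {
    "400": "token too short or corrupted; compare with the Umbrella Dashboard",
    "401": "token not authorized; reconfigure it, using any refreshed token",
    "409": "device ID conflicts with another organization; ask the Umbrella admin",
    "500": "internal server error; ask the Umbrella admin",
}

def triage(lines):
    """Replay messages in order and return the resulting connector state."""
    state = {"registered": None, "retries_exhausted": False,
             "dnscrypt_cert_failed": False, "actions": []}
    def add(action):
        if action not in state["actions"]:
            state["actions"].append(action)
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id in ("339002", "339004", "339005"):
            state["registered"] = False
        if msg_id == "339001":
            state["dnscrypt_cert_failed"] = True
            add("339001: check route, egress interface and DNSCrypt public key")
        elif msg_id == "339002":
            code = CODE_RE.search(text)
            code = code.group(1) if code else "unknown"
            add(f"339002/{code}: " + CODE_ACTIONS.get(code, "code not listed"))
        elif msg_id == "339003":
            # Assumption: a later success supersedes earlier registration failures.
            state["registered"], state["retries_exhausted"] = True, False
            state["actions"] = [a for a in state["actions"] if a.startswith("339001")]
        elif msg_id == "339004":
            add("339004: configure an API token in the global Umbrella settings")
        elif msg_id == "339005":
            state["retries_exhausted"] = True
            add("339005: fix the errors reported in the 339002 messages")
    return state

SAMPLE = [  # constructed lines; the text after each ID is illustrative
    "fw1 %ASA-3-339002: Umbrella device registration failed with error code 401",
    "fw1 %ASA-3-339005: Umbrella device registration failed after 3 retries",
    "fw1 %ASA-3-339001: DNSCrypt certificate update failed for 5 tries",
]
```

Calling triage(SAMPLE) reports an unregistered device with retries exhausted and three distinct actions; appending a 339003 line leaves only the DNSCrypt action outstanding.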
