The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Troubleshooting

Check the scenarios below if you have difficulty validating the Umbrella module for AnyConnect for Android OS after first installing it.

First launch of App

On the first launch there should be request for AnyConnect VPN session as shown below. You must accept the connection request by clicking “Ok” for the Umbrella protection to start.

Mandatory Security Step

This cannot be bypassed; the behavior is built into Android OS for security reasons.

Is this a VPN to Umbrella?

The Umbrella Module for AnyConnect uses a VPN-like mechanism but it is not in a traditional VPN. This VPN-like mechanism is used to intercept DNS queries so that the module can process them (add metadata, encrypt and forward to Umbrella). The Android operating system’s user interface does not show this distinction, so it appears as if a VPN were running.

When Umbrella protection starts, a green checkmark appears under the Umbrella UI subheading with the text “You are protected by Umbrella”.

Virtual Appliance in the Network

If an Umbrella Virtual Appliance (VA) supporting HTTPS is configured in the network, the Umbrella module detects this and backs off. If a VA is not present, or is present but does not support HTTPS, then the Umbrella module remains active.

An Internal Site Isn’t Loading

The Umbrella module makes a best effort to automatically detect internal (intranet) sites and route DNS appropriately to the local DNS server. However, these mechanisms may not work in all scenarios. Therefore it’s important to enter your internal / intranet domains in the Domain Management tools in the Umbrella dashboard. For more details, refer to Domain Management instructions.

Configuration Issues

If the Umbrella Section in AnyConnect app doesn’t display a green checkmark, check the configuration details pushed from the MDM. If you don’t have access, contact your administrator.

You can check if the configuration is available by clicking on the menu button at the top right in AnyConnect -> “Diagnostics” -> “Logging and System Information” -> “System” Tab -> “Managed Configuration” section

Verify that the managed configuration pushed by the administrator is available.

Check for VPN Connection and Policy

  1. Verify that the “key” icon (or something similar) is displayed in the notification panel for the VPN session created by AnyConnect.
  2. Open a browser.
  3. Clear the cache.
  4. Load http://policy-debug.checkumbrella.com. The page should load and display a URL to the active policy in the Umbrella dashboard. The format of the URL should be: https://dashboard.umbrella.com/o/<orgid>/#/configuration/policy/<policyid>.
  5. Verify that the organization ID displayed in the URL is the same as your Umbrella organization ID.

Check Block Page

Open http://www.internetbadguys.com/. You should see an Umbrella block page displaying the domain that was blocked along with the IP address of your device and the reasons for blocking. If you do not see the Umbrella block page, follow these steps:

  1. Select Settings -> Apps -> AnyConnect -> Force Close.
  2. Restart AnyConnect.
  3. Reopen http://www.internetbadguys.com/ and check for the Umbrella block page.

Get the Android ID

  1. Launch AnyConnect.
  2. Open Umbrella Security.
  3. Click Options, then open Umbrella Statistics. The Android ID is listed in that window.

Check Device Registration

  1. Find the android_id for your Android device.
  2. Login to https://dashboard.umbrella.com/,
  3. Choose the org id associated with the device.
  4. Navigate to Deployments -> Core Identities -> Mobile Devices.
  5. Verify that the android_id is listed.

Missing CA Certificate

If the Umbrella block page is not displayed but you see, instead, a warning about an insecure page, then there might be an error due to a missing Umbrella root certificate.

  1. Download the Cisco Umbrella root certificate. For more information about downloading the root certificate, click here.
  2. Secure the device with your PIN, password or pattern lock.
  3. Install the certificate you downloaded.
  4. Select the certificate file.
  5. Reload the block page in your browser.

Org ID on Policy Page is 0

If the http://policy-debug.opendns.com URL shows 0 for the org id and bundle (policy) id, then refresh the page. Alternatively, clear the browser cache, try an incognito window, or try a different browser.

App installation is Blocked

In order to download apps from the Google Play Store, a Gmail ID should be configured in the MDM. If the ID is configured and the app still cannot be downloaded, the MDM admin may have chosen to disallow installation of apps from the Play Store.

Offboarding Users

In order to fully remove an end user there are two steps:

  • Delete the user from the Mobile Devices page in the Umbrella Dashboard.
  • Delete the Cisco Umbrella Module for AnyConnect for Android OS from the user's device.

Known Issues

  • App download fails in Google Play Store after enabling Umbrella AnyConnect client. This is a known limitation from Google on Android OS versions below v10. To avoid this, you must download Apps before enabling the Umbrella App. Google has fixed this behavior in their Android OS 10. Check the issue tracker.
  • In Android 10 and later, Google restricts reading serial numbers from the device. As a result, the Serial number field in the Umbrella dashboard displays “unknown” for Android 10 and later devices.
  • Avoid using the Wifi Assistant; it may conflict with AnyConnect and DNS interception.
  • Private DNS must be turned off for DNS interception to function properly.
  • Click for information about unusual DNS queries showing in Umbrella reports.
  • Huawei phones, when running in Work Profile mode, do not automatically start AnyConnect, even when the app was previously open. This does not apply to Huawei phones in Fully Managed mode.

Push the Umbrella Certificate < Troubleshooting > Frequently Asked Questions

Updated 2 months ago


Troubleshooting


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.