
IPv4 and IPv6 DNS Protection Status

After you install the AnyConnect Umbrella Roaming Security module, new state changes appear in the AnyConnect endpoint. Within the AnyConnect user interface, the Roaming Security tile provides status information. If you do not see a displayed state, the Roaming Security Module is installed, but the OrgInfo file is not deployed.

AnyConnect as of 4.8 MR2

View status information in the AnyConnect roaming security module.

  1. Open the AnyConnect Secure Mobile Client.
  2. Navigate to Roaming Security > Statistics.

DNS and IP Layer State Descriptions

Each entry below lists the State, its Description, and the Condition under which it occurs.

Reserved

Checking Connection Status.
No active network connections. The Roaming Module waits for an active network connection.

This operating state occurs during the following conditions:

  • When the module is first activated.

  • When a network interface change occurs. For example, detection of a new network adapter, IP changes on an existing adapter, or a new VPN tunnel being established or torn down.

Open

You are not currently protected by Umbrella.

There is at least one active network connection; however, the roaming client cannot connect to Umbrella for Government resolvers over port 53/UDP or 443/UDP on any active connection. The user is not protected by Umbrella or reporting to Umbrella. The system’s DNS settings will revert to their original settings—DHCP or Static.

This operating state occurs during the following conditions:

  • No UDP port 443 or UDP port 53 connectivity to Umbrella for Government resolvers (IPv4 or IPv6).

  • No Umbrella DNS VA is configured on the local network.

  • The VPN tunnel may temporarily be in a state of tear down or establishment.

Protected

You are protected by Umbrella.
A network connection is active, and the Roaming Module is able to connect to Umbrella for Government resolvers over port 53/UDP, but not 443/UDP. The user is protected and reporting to Umbrella, but the connection is not encrypted.

This state may occur when the module is first activated or when there is a network interface change.

Encrypted

You are protected by Umbrella.
The Umbrella roaming client has established a connection to Umbrella for Government resolvers over port 443/UDP. The user is protected and reporting to Umbrella, and the DNS queries are encrypted. Internal Domains are forwarded to DHCP-delegated or statically-set DNS servers and are therefore not encrypted.

This operating state occurs during the following conditions:

  • UDP port 443 connectivity to Umbrella for Government resolvers (IPv4 or IPv6).

  • TCP port 443 and TCP port 53 connectivity to Umbrella for Government resolvers (IPv4 or IPv6).
    Note: TCP is only used when UDP responses are truncated.

Protected Network

You are on a network protected by Umbrella.
The computer is behind a Protected Network, and the organization has “Disable Behind Protected Networks” enabled in their dashboard. The Umbrella roaming client has reverted the DNS settings back to what was set through DHCP or statically set. The connection is not Encrypted.

This operating state occurs during the following conditions:

  • The current endpoint network egress IP address is registered with the same Umbrella account as the endpoint.

  • Resolvers used are the Umbrella cloud resolvers.

  • Policy configured through the Umbrella dashboard ("Disable Behind Protected Networks") dictates that the Umbrella module should be disabled when on a protected network.

Note: This state is not possible for all Umbrella roaming package customers because there is no network-level protection.

Behind Virtual Appliance

You are protected by an Umbrella virtual appliance (VA).
The computer is connected to a Network that has VAs configured for DNS servers. The Roaming Module disables itself and reverts the DNS settings back to what was set through DHCP or statically set. The connection is not Encrypted.

This operating state occurs when the endpoint configured DNS address (through DHCP or statically) is the Umbrella VA address.

VPN Trusted Network State

Disabled while you are on a trusted network.
Local Umbrella module DNS protection is not active because the current endpoint network is configured as an AnyConnect VPN trusted network.

This operating state occurs during the following conditions:

  • AnyConnect VPN module is reporting the Trusted Network Detection state as trusted.

  • AnyConnect VPN tunnel is either not connected or established in full tunnel mode.

  • The policy configured through the Umbrella dashboard dictates that the Umbrella module should be disabled when on an AnyConnect VPN trusted network.

Note: This setting is true for all roaming package customers and cannot be changed by the administrator.

Disabled due to VPN State

Disabled while your VPN is active.
Local Umbrella module DNS protection is not active because the endpoint currently has an active AnyConnect VPN tunnel established.

This operating state occurs during the following conditions:

  • AnyConnect VPN module is reporting the Trusted Network Detection state as not trusted.

  • AnyConnect VPN tunnel is established in full tunnel mode.

  • Policy configured with the Umbrella dashboard dictates that the Umbrella module should be disabled when an AnyConnect VPN tunnel is established.

Note: This setting is true for all roaming package customers and cannot be changed by the administrator.

No OrgInfo.json State

You are not currently protected by Umbrella.
Profile is missing. Local Umbrella module DNS protection is not active because the endpoint currently has an active AnyConnect VPN tunnel established.

This operating state occurs when the OrgInfo.json file was not deployed to the proper directory:

  • Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella

  • Mac: /opt/cisco/anyconnect/umbrella

Agent Unavailable State

You are not currently protected by Umbrella.
Service unavailable. Local Umbrella module DNS protection is not active because the Umbrella agent is not running.

This operating state occurs when the Umbrella agent service is not currently running because of a crash or manual service stop.

Missing .NET Dependency State (Windows only)

You are not currently protected by Umbrella.
Microsoft .NET Framework 4.0 is not installed. Local Umbrella module DNS protection is not active because the Umbrella agent is not running. The .NET runtime framework is missing.

This operating state occurs when the Umbrella agent service is not running due to a missing .NET 4.0 runtime.

Disabled

(IPv6 only) An Umbrella administrator disables DNS protection over IPv6.

This operating state occurs when the Umbrella administrator disables DNS protection on IPv6 through the Umbrella dashboard.

Disabled (no network)

(IPv6 only) AnyConnect client disables DNS protection over IPv6.

If the AnyConnect roaming security module detects an IPv6 link-local address while performing an IPv6 connectivity probe, then the client disables DNS protection over IPv6.

Not Required

The client is not attempting coverage in this state, as it is neither expected nor required. This state applies individually to IPv4 and to IPv6 on Windows.

The client was not able to find a suitable local DNS resolver for the IP Protocol, and therefore is disabled awaiting the discovery of a suitable local DNS resolver. This is most common when on a dual stack network, but only IPv4 resolvers are configured.
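
The state conditions above, expressed as an added Python example for triage (not Cisco code, and not how the module itself decides): given facts observed on an endpoint, it returns the state the Roaming Security tile should show and whether DNS queries are encrypted. The field names, the host names in the sample, and the order in which conditions are checked are assumptions; the page lists conditions, not precedence.

```python
from dataclasses import dataclass

@dataclass
class Observed:
    """Facts gathered on one endpoint (field names are this example's own)."""
    orginfo_deployed: bool = True    # OrgInfo.json present in the Umbrella directory
    agent_running: bool = True       # Umbrella agent service is running
    active_network: bool = True      # at least one active network connection
    tnd_trusted: bool = False        # VPN module reports TND trusted, policy applies
    vpn_full_tunnel: bool = False    # AnyConnect tunnel established in full tunnel mode
    dns_is_va: bool = False          # configured DNS address is an Umbrella VA
    protected_network: bool = False  # egress IP registered to same account, policy on
    udp443: bool = False             # resolvers reachable over 443/UDP
    udp53: bool = False              # resolvers reachable over 53/UDP

# (condition, state, local module handling DNS, queries encrypted).
# Check order is an assumption of this example.
RULES = [
    (lambda o: not o.orginfo_deployed, "No OrgInfo.json", False, False),
    (lambda o: not o.agent_running, "Agent Unavailable", False, False),
    (lambda o: not o.active_network, "Reserved", False, False),
    (lambda o: o.tnd_trusted, "VPN Trusted Network", False, False),
    (lambda o: o.vpn_full_tunnel, "Disabled due to VPN", False, False),
    (lambda o: o.dns_is_va, "Behind Virtual Appliance", False, False),
    (lambda o: o.protected_network, "Protected Network", False, False),
    (lambda o: o.udp443, "Encrypted", True, True),
    (lambda o: o.udp53, "Protected", True, False),
]

def expected_state(o):
    """Return (state, module_active, encrypted) for one endpoint."""
    for cond, state, active, enc in RULES:
        if cond(o):
            return state, active, enc
    return "Open", False, False  # active network but no 53/UDP or 443/UDP path

def not_encrypted(fleet):
    """Return {host: state} for endpoints whose DNS is not in the Encrypted state."""
    return {h: expected_state(o)[0] for h, o in fleet.items()
            if not expected_state(o)[2]}

# Constructed sample observations, not real endpoints.
FLEET = {
    "laptop-01": Observed(udp443=True, udp53=True),
    "laptop-02": Observed(udp53=True),
    "laptop-03": Observed(),
    "laptop-04": Observed(orginfo_deployed=False, udp443=True),
    "laptop-05": Observed(vpn_full_tunnel=True, udp443=True),
}
```

Comparing the expected state with what the tile actually reports narrows troubleshooting: a tile showing Open on a host where 53/UDP is reachable points at the endpoint rather than the network path.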
