IPv4 and IPv6 DNS Protection Status

After you deploy the Umbrella module in the installed Cisco Secure Client (formerly known as AnyConnect), new state changes appear in the Cisco Secure Client endpoint. Within the Cisco Secure Client graphical user interface (GUI), the Roaming Security tile provides the status information. If you do not see a displayed state, the Umbrella module is installed, but Internet Security (OrgInfo.json) is not deployed.

Prerequisites

  • Administrative privileges on the user device.

Procedure

View status information in the Cisco Secure Client Umbrella module on the user device.

  1. Open the Cisco Secure Client.
  2. Navigate to Roaming Security > Statistics to access the DNS and IP security information.

DNS and IP Layer State Descriptions

State: Reserved

Description: Checking Connection Status.

No active network connections. The Umbrella module waits for an active network connection.

Condition: This operating state occurs during the following conditions:

  • When the module is first activated.

  • When a network interface change occurs. For example, detection of a new network adapter, IP changes on an existing adapter, or a new VPN tunnel being established or torn down.

State: Open

Description: You are not currently protected by Secure Access.

There is at least one active network connection; however, the Roaming Security agent cannot connect to the Secure Access resolvers over port 53/UDP or 443/UDP on any active connection.

The user is not protected by Secure Access and traffic events are not reported to Secure Access. The system’s DNS settings revert to their original settings—DHCP or Static.

Condition: This operating state occurs during the following conditions:

  • No UDP port 443 or UDP port 53 connectivity to Secure Access resolvers (IPv4 or IPv6).

  • The VPN tunnel may temporarily be in a state of tear down or establishment.

State: Protected

Description: You are protected by Secure Access.

A network connection is active, and the Umbrella module is able to connect to Secure Access resolvers over port 53/UDP, but not 443/UDP.

The user is protected by Secure Access and traffic events are reported to Secure Access, but the connection is not encrypted.

Condition: This state may occur when the module is first activated or when there is a network interface change.

State: Encrypted

Description: You are protected by Secure Access.

The Umbrella module has established a connection to Secure Access resolvers over port 443/UDP.

The user is protected by Secure Access and traffic events are reported to Secure Access.

The DNS queries are encrypted. Internal Domains are forwarded to DHCP-delegated or statically-set DNS servers and are therefore not encrypted.

Condition: This operating state occurs during the following conditions:

  • UDP port 443 connectivity to Secure Access resolvers (IPv4 or IPv6).

  • TCP port 443 and TCP port 53 connectivity to Secure Access resolvers (IPv4 or IPv6).
    Note: TCP is only used when UDP responses are truncated.

State: Protected Network

Description: You are on a network protected by Secure Access.

The user device is behind a protected network—a network managed by Secure Access—and the organization has “Disable Behind Protected Networks” enabled in their dashboard.

The Umbrella agent has reverted the DNS settings back to what was set through DHCP or statically set. The connection is not encrypted.

Condition: This operating state occurs during the following conditions:

  • The current endpoint network egress IP address is registered with the same Secure Access account as the endpoint.

  • Resolvers used are the Secure Access resolvers.

Policy configured through the instance of Secure Access ("Disable Behind Protected Networks") dictates that the Umbrella module should be disabled when on a protected network.

Note: This state is not possible for all subscriptions because there is no network-level protection.

State: VPN Trusted Network State

Description: Disabled while you are on a trusted network.

The Umbrella module DNS protection is not active because the current endpoint network is configured as a Cisco Secure Client VPN trusted network.

Condition: This operating state occurs during the following conditions:

  • AnyConnect VPN module is reporting the Trusted Network Detection state as trusted.

  • AnyConnect VPN tunnel is either not connected or established in full tunnel mode.

The Secure Access policy rule indicates that the Umbrella module should be disabled when on a Cisco Secure Client VPN trusted network.

Note: This setting is true for all roaming package customers and cannot be changed by the administrator.

State: Disabled due to VPN State

Description: Disabled while your VPN is active.

The Umbrella module DNS protection is not active because the endpoint currently has an active Cisco Secure Client VPN tunnel established.

Condition: This operating state occurs during the following conditions:

  • Cisco Secure Client VPN module is reporting the Trusted Network Detection state as not trusted.

  • Cisco Secure Client VPN tunnel is established in full tunnel mode.

  • Policy rule configured with Secure Access requires that the Umbrella module is disabled when a Cisco Secure Client VPN tunnel is established.

    Note: This setting is true for all Umbrella module configurations. An administrator cannot change the setting.

State: No OrgInfo.json State

Description: You are not currently protected by Secure Access.

The Umbrella profile is not deployed. The Umbrella module DNS protection is not active because the endpoint currently has an active AnyConnect VPN tunnel established.

Condition: This operating state occurs when the OrgInfo.json file is not deployed to the correct directory. For more information, see Download the OrgInfo.json File.

State: Agent Unavailable State

Description: You are not currently protected by Secure Access.

Service unavailable. The Umbrella module DNS protection is not active because the Roaming Security agent is not running.

Condition: This operating state occurs when the Umbrella agent service is not currently running because of a crash or manual service stop.

State: Missing .NET Dependency State (Windows only)

Description: You are not currently protected by Secure Access.

Microsoft .NET Framework 4.0 is not installed. Roaming Security module DNS protection is not active because the Roaming Security agent is not running. The .NET runtime framework is missing.

Condition: This operating state occurs when the Umbrella agent service is not running due to a missing .NET 4.0 runtime.

State: Disabled

Description: (IPv6 only) A Secure Access administrator disables DNS protection over IPv6.

Condition: This operating state occurs when the Secure Access administrator disables DNS protection on IPv6 through the instance of Secure Access.

State: Disabled (no network)

Description: (IPv6 only) Cisco Secure Client disables DNS protection over IPv6.

Condition: If the Cisco Secure Client Umbrella module detects an IPv6 link-local address while performing an IPv6 connectivity probe, then the client disables DNS protection over IPv6.

State: Not Required

Description: The client is not attempting coverage in this state, as it is neither expected nor required. This state applies individually to IPv4 and to IPv6 on Windows.

Condition: The client was not able to find a suitable local DNS resolver for the IP Protocol, and therefore is disabled awaiting the discovery of a suitable local DNS resolver. This is most common when on a dual stack network, but only IPv4 resolvers are configured.
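The following Python probe is an added example, not part of the Cisco documentation or the Secure Client code. It checks the UDP/53 and TCP conditions listed for the Open, Protected, and Encrypted states from the affected endpoint. The resolver address is a placeholder (this page lists none), the function names are hypothetical, and UDP/443 is not probed because that channel carries the client's encrypted DNS.

```python
import socket
import struct
QID = 0x1234  # fixed query ID, sufficient for a one-shot diagnostic

def build_query(qname, qid=QID):
    """Minimal DNS A/IN query with the RD flag set."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def parse_header(resp, qid=QID):
    """Return (is_reply, truncated) from the 12-byte DNS header."""
    if len(resp) < 12:
        return (False, False)
    rid, flags = struct.unpack("!HH", resp[:4])
    # 0x8000 = QR (response) bit, 0x0200 = TC (truncated) bit
    return (rid == qid and bool(flags & 0x8000), bool(flags & 0x0200))

def probe_udp53(resolver, qname="example.com", timeout=2.0):
    """Send one query over UDP/53; (False, False) means no usable reply."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(qname), (resolver, 53))
            return parse_header(s.recvfrom(4096)[0])
        except OSError:  # timeout, unreachable, or blocked
            return (False, False)

def probe_tcp(resolver, port, timeout=2.0):
    """True if a TCP connection to resolver:port can be opened."""
    try:
        with socket.create_connection((resolver, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(udp53_ok, truncated, tcp53_ok):
    """Map probe results onto the conditions in the state descriptions."""
    if not udp53_ok:
        return "UDP/53 blocked: Open is expected unless UDP/443 works"
    if truncated and not tcp53_ok:
        return "UDP/53 ok, but truncated replies cannot retry over TCP/53"
    return "UDP/53 ok: the Protected condition is met"

if __name__ == "__main__":
    resolver = "192.0.2.53"  # placeholder (TEST-NET-1); use your resolver address
    ok, tc = probe_udp53(resolver)
    print(diagnose(ok, tc, probe_tcp(resolver, 53)),
          "| TCP/443 open:", probe_tcp(resolver, 443))
```

Run it on the endpoint itself, once per address family, since the states above are tracked separately for IPv4 and IPv6.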
