IPv4 and IPv6 DNS Protection Status
After you deploy the Umbrella module in the installed Cisco Secure Client (formerly known as AnyConnect), new state changes appear in the Cisco Secure Client endpoint. Within the Cisco Secure Client graphical user interface (GUI), the Roaming Security tile provides the status information. If you do not see a displayed state, the Umbrella module is installed, but Internet Security (OrgInfo.json) is not deployed.
Prerequisites
- Administrative privileges on the user device.
Procedure
View status information in the Cisco Secure Client Umbrella module on the user device.
- Open the Cisco Secure Client.
- Navigate to Roaming Security > Statistics to access the DNS and IP security information.
DNS and IP Layer State Descriptions
State | Description | Condition |
---|---|---|
Reserved | Checking Connection Status. No active network connections. The Umbrella module waits for an active network connection. | This operating state occurs during the following conditions: |
Open | You are not currently protected by Secure Access. There is at least one active network connection; however, the Roaming Security agent cannot connect to the Secure Access resolvers over port 53/UDP or 443/UDP on any active connection. The user is not protected by Secure Access and traffic events are not reported to Secure Access. The system’s DNS settings revert to their original settings—DHCP or Static. | This operating state occurs during the following conditions: |
Protected | You are protected by Secure Access. A network connection is active, and the Umbrella module is able to connect to Secure Access resolvers over port 53/UDP, but not 443/UDP. The user is protected by Secure Access and traffic events are reported to Secure Access, but the connection is not encrypted. | This state may occur when the module is first activated or when there is a network interface change. |
Encrypted | You are protected by Secure Access. The Umbrella module has established a connection to Secure Access resolvers over port 443/UDP. The user is protected by Secure Access and traffic events are reported to Secure Access. The DNS queries are encrypted. Internal Domains are forwarded to DHCP-delegated or statically-set DNS servers and are therefore not encrypted. | This operating state occurs during the following conditions: |
Protected Network | You are on a network protected by Secure Access. The user device is behind a protected network—a network managed by Secure Access—and the organization has “Disable Behind Protected Networks” enabled in their dashboard. The Umbrella agent has reverted the DNS settings back to what was set through DHCP or statically set. The connection is not encrypted. | This operating state occurs during the following conditions: Policy configured through the instance of Secure Access ("Disable Behind Protected Networks") dictates that the Umbrella module should be disabled when on a protected network. Note: This state is not possible for all subscriptions because there is no network-level protection. |
VPN Trusted Network State | Disabled while you are on a trusted network. The Umbrella module DNS protection is not active because the current endpoint network is configured as a Cisco Secure Client VPN trusted network. | This operating state occurs during the following conditions: The Secure Access policy rule indicates that the Umbrella module should be disabled when on a Cisco Secure Client VPN trusted network. Note: This setting is true for all roaming package customers and cannot be changed by the administrator. |
Disabled due to VPN State | Disabled while your VPN is active. The Umbrella module DNS protection is not active because the endpoint currently has an active Cisco Secure Client VPN tunnel established. | This operating state occurs during the following conditions: Policy rule configured with Secure Access requires that the Umbrella module is disabled when a Cisco Secure Client VPN tunnel is established. Note: This setting is true for all Umbrella module configurations. An administrator cannot change the setting. |
No OrgInfo.json State | You are not currently protected by Secure Access. The Umbrella profile is not deployed. The Umbrella module DNS protection is not active because the endpoint currently has an active AnyConnect VPN tunnel established. | This operating state occurs when the OrgInfo.json file is not deployed to the correct directory. For more information, see Download the OrgInfo.json File. |
Agent Unavailable State | You are not currently protected by Secure Access. Service unavailable. The Umbrella module DNS protection is not active because the Roaming Security agent is not running. | This operating state occurs when the Umbrella agent service is not currently running because of a crash or manual service stop. |
Missing .NET Dependency State (Windows only) | You are not currently protected by Secure Access. Microsoft .NET Framework 4.0 is not installed. Roaming Security module DNS protection is not active because the Roaming Security agent is not running. The .NET runtime framework is missing. | This operating state occurs when the Umbrella agent service is not running due to a missing .NET 4.0 runtime. |
Disabled | (IPv6 only) A Secure Access administrator disables DNS protection over IPv6. | This operating state occurs when the Secure Access administrator disables DNS protection on IPv6 through the instance of Secure Access. |
Disabled (no network) | (IPv6 only) Cisco Secure Client disables DNS protection over IPv6. | If the Cisco Secure Client Umbrella module detects an IPv6 link-local address while performing an IPv6 connectivity probe, then the client disables DNS protection over IPv6. |
Not Required | The client does not attempt coverage in this state because coverage is neither expected nor required. This state applies individually to IPv4 and to IPv6 on Windows. | The client was not able to find a suitable local DNS resolver for the IP protocol, so protection for that protocol is disabled until a suitable local DNS resolver is discovered. This is most common on a dual-stack network where only IPv4 resolvers are configured. |
Updated 12 months ago