browse
Overview
When a user tries to access google.com via Umbrella Secure Web Gateway (SWG), the user may receive an error message indicating "unusual traffic from your computer network" and need to perform Google's reCAPTCHA process by clicking the "I'm not a robot" checkbox to validate that the user is a human rather than a program (a "bot").
Root-cause of the reCAPTCHA validation
Google uses proprietary mechanisms to detect and block automated traffic. This type of traffic also violates Cisco Umbrella's terms of use. Cisco works with Google and other services to monitor, block, and/or isolate offending users.
Occasionally an IP address or range of IP addresses used by Umbrella's SWG for egress traffic will be flagged as suspicious by Google, and reCAPTCHA will be presented.
Most Cisco Umbrella customers use egress IP ranges that overlap with that of other customers, which is referred as "shared NAT". For more details on Umbrella SIG Egress IP ranges, please refer to the article mentioned here. If one customer's action triggers the reCAPTCHA, other customers use that egress IP address will also be required to perform the reCAPTCHA process.
Resolution/Workarounds
Option #1
Enable HTTPS Inspection for Google.com, so that Umbrella can insert a Forwarded (XFF) header. This header reduces ReCAPTCHA occurrence, and also improves geo-location.
Option #2
Upgrade your Umbrella service to use a "Reserved IP", rather than a shared NAT. A reserved IP is dedicated to your traffic, so the reCAPTCHA cannot be triggered by the behavior of other customers.
Option #3
Exclude Google traffic from going through Umbrella SWG. For Secure Client, Anyconnect or PAC file deployments, use External Domains to handle exclusions. For IPSec tunnels, exclusions may be configured on the device which provides the IPSec tunnel, or on a device that routes traffic to the IPSec tunnel.
Option #4
Use an alternate search engine.