browse
Overview
This guide details common error messages you may see displayed on Umbrella's Sites and Active Directory page (Settings > Sites and AD). These are informational messages, warnings and errors originating from Virtual Appliances (VAs), Connectors, and the Domain Controllers.
Virtual Appliances
Virtual Appliances Syncing
Resolution: Syncing can take up to 10 minutes. Ensure you meet the network requirements: Guide to Active Directory Communication Flow: Connectors, Virtual Appliances, DC's and the Cloud
If the problem persists, open a Support case.
Resolution: If the VA was deleted, remove it from the Umbrella dashboard: Removal Instructions - Umbrella Insights
Next, confirm network requirements: Guide to Active Directory Communication Flow: Connectors, Virtual Appliances, DC's and the Cloud
If the problem persists, open a Support case.
Connector Connections
-
[Information] This VA was previously connected to one or more Connectors, but is now connected to none
Resolution: Were any Connectors removed? If so, this message can be ignored and the Connector should be removed from the dashboard.
Next, confirm network requirements: Guide to Active Directory Communication Flow: Connectors, Virtual Appliances, DC's and the Cloud
If the problem persists, open a Support case.
- [Warning] This Virtual Appliance is connected to some, but not all, of the Connectors for this site.
Resolution: Were any Connectors removed? If so, this message can be ignored and the Connector should be removed from the dashboard. Confirm prerequisites: Virtual Appliance User Guide: Prerequisites
If the problem persists, first collect logs: Providing support with AD connector logs, then open a Support case.
Resolution: The Virtual Appliance supports DNSCrypt between itself and Umbrella's public DNS resolvers. This means any information contained in the DNS packets forwarded from the VA are encrypted by DNSCrypt and cannot be intercepted. This feature is enabled by default for best protection.
Unencrypted traffic is considered a problem that should be resolved. When encryption cannot be established between your VA and Umbrella, this warning will occur. Encryption is established with a probe sent on port 53 (UDP/TCP) and if you have a firewall or IPS/IDS doing deep packet inspection and expecting to see only DNS traffic, the probe may fail. In other words, the encrypted packets may not match the expected traffic on that port. Please review your firewall configuration if that is the case and open a case with Support if you believe that you are allowing this traffic.
Are you getting this message when you have an ASA? View this document on packet inspection for more information.
DNSCrypt is only available in Virtual Appliances at 1.5.x or higher. If you only have a single VA, and that VA hasn't been upgraded, this message will also appear. For information on upgrading your VA, please read: Update Virtual Appliances
Further details on this can be found at New VA Warning: Enabling DNSCrypt on your Virtual Appliance
If the problem persists, first collect logs: Providing support with AD connector logs, then open a Support case.
Local Domain Config
Resolution: Ensure you configured local domains: Local DNS Forwarding
High Availability and Redundancy
Resolution: Install a second VA at this time for the reasons listed here: The importance of running two Umbrella Virtual Appliances
Query Failure Rate
Resolution: open a Support case.
AD Connectors
Connectors – Syncing
Resolution: Syncing can take up to 10 minutes. Ensure you meet the network requirements: Identity Integrations: Prerequisites
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Resolution: Ensure you meet the network requirements: Guide to Active Directory Communication Flow: Connectors, Virtual Appliances, DC's and the Cloud
Cisco announced EOL of TLS 1.0/1.1. If your connector is running on an unsupported Windows version (Windows Server 2008 or 2008 R2 or Windows 7), these platforms do not support TLS 1.2 by default, and so you will need to reinstall the connector on a supported server version (Windows Server 2012 or higher). If your connector is deployed on WS 2012 or above and stopped syncing to Umbrella, ensure that the connector is running version 1.6.31 or higher.
Connectors version 1.6.31 or higher will function on WS 2008/2008 R2, provided the system is running .NET 4.5.2 or higher. However it is recommended to redeploy the connector on a supported server version.
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Connectors – Connections Possible
-
[Information] This Connector has either no VA or no DC to connect to
- Resolution: Sites must contain a minimum of one of each of the three component types. Please review the following setup documentation and ensure you meet all requirements: Identity Integrations: Prerequisites
- Active Directory Integration – Step 2: Prepare your Active Directory Environment
Connectors – DC Connections
Resolution: Sites must contain a minimum of one of each of the three component types. Please review the following setup documentation and ensure you meet all requirements: Prepare Your Active Directory Environment
- [Information] There are one or more DCs that the Connector could connect to, but it has not connected to any yet.
Resolution: Syncing can take up to 10 minutes. Ensure you meet the prerequisites: Identity Integrations: Prerequisites
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Resolution: Confirm prerequisites: Identity Integrations: Prerequisites
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
- [Error] The Connector was once connected, but is not currently connected to any of the DCs available.
Resolution: Confirm prerequisites: Identity Integrations: Prerequisites
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Connectors – VA Connections
- [Information] There are one or more VAs that the Connector could connect to, but it has not connected to any yet.
Resolution: Make sure that any VAs that were previously deployed, but are now not being used are removed from the dashboard. Syncing can take up to 10 minutes after these VAs are removed.
Syncing can take up to 10 minutes. Ensure you meet network requirements: Identity Integrations: Prerequisites
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Resolution: If the Virtual Appliance is not on the same Local Area Network (LAN) as this Connector, considering segregating your deployment using Umbrella sites Connect Multiple Active Directory Domains to Umbrella
Make sure that any VAs that were previously deployed, but are now not being used are removed from the dashboard. Syncing can take up to 10 minutes after these VAs are removed.
Ensure you meet network requirements: Identity Integrations: Prerequisites
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Resolution: Make sure that any VAs that were previously deployed, but are now not being used are removed from the dashboard. Syncing can take up to 10 minutes after these VAs are removed.
Ensure you meet network requirements: Guide to Active Directory Communication Flow: Connectors, Virtual Appliances, DC's and the Cloud
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
- [Error] The Connector was once connected but is not currently connected to any of the VAs available.
Resolution: Make sure that any VAs that were previously deployed, but are now not being used are removed from the dashboard. Syncing can take up to 10 minutes after these VAs are removed.
Ensure you meet network requirements: Guide to Active Directory Communication Flow: Connectors, Virtual Appliances, DC's and the Cloud
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
- [Information] The Connector is not syncing events in parallel to VAs. Events processing can be slower than expected.
Resolution: The Umbrella Connector service is tested to support 10 assets (Domain Controllers and Virtual Appliances) per CPU.
Upgrade the server with required number of CPUs based on the number of Domain Controllers and Virtual Appliances in the Umbrella Site.
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Resolution: The Umbrella Connector service is tested to support a continuous ~850 (no hard limit) events per second across all Domain Controllers in an Umbrella Site. If the overall rate is higher, it is more likely to see drops. Increasing number of cores in a Connector box may help.
It is also possible to enable load-balancing functionality. This utilizes two or more connectors to share the load of multiple domain controllers. This is an advanced feature which must be enabled with Umbrella support by opening a Support case.
Domain Controllers
DC – Connector Connections
Resolution: If Connector was removed, either redeploy Connector or remove Domain Controller. Next, confirm network requirements: Guide to Active Directory Communication Flow: Connectors, Virtual Appliances, DC's and the Cloud.
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
Resolution: In order for the DC to send information about login events to a Virtual Appliance, it must have a Connector installed in the same site.
If you have not yet installed the Connector, read here for more information on installing the Connector: Install the Connector
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
- [Error] This Domain Controller has no Connectors to connect to. In order for the DC to send information about login events to a Virtual Appliance, it must have a Connector.
Resolution: In order for the DC to send information about login events to a Virtual Appliance, it must have a Connector installed in the same site.
If you have not yet installed the Connector, read here for more information on installing the Connector: Install the Connector. If you are reinstalling the Connector or moving it from one machine to another, this message can be ignored.
Resolution: Please check permissions based on these articles: Required Permissions for the Cisco_Connector User.
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.
- [Error] WMI state of this Domain Controller is down. The Domain Controller is not responding to the WMI connection from the Connector. This could be a temporary problem due to the load on the Domain Controller.
Resolution: Check if the WMI connection can be established using WBEMTest tool. Try to reduce the load on the DC by stopping other unused applications monitoring the security events.
The connector is not trying to connect to this Domain Controller to avoid high resource utilization. So the Connector service needs to be restarted to initiate a fresh WMI connection once the DC load is reduced.
If the problem persists, first collect logs: Providing support with AD connector logs; then, open a Support case.