browse
Umbrella Diagnostic Tools: What to Provide Support
Support will often ask for the results of our diagnostic tool, especially when troubleshooting difficult issues. The steps to using the tool are straightforward.
You can access the diagnostic tool in different ways depending on how you interact with Umbrella.
Have the Umbrella Roaming Client?
If you have the standalone Umbrella Roaming Client, a diagnostic tool is built in. To access it:
Windows:
- If using a version below 2.3.x, download the diagnostic client manually below instead of running the built-in diagnostic.
- Click the Umbrella Roaming client icon in your system tray
- A status summary will appear. Click the link at the bottom that says Run Diagnostic Tool.
macOS:
- Click the Umbrella Roaming client icon from your Menu Bar
- A status summary will appear. Click the link at the bottom that says Run Diagnostic Tool.
Have the Cisco AnyConnect Umbrella Roaming Module?
For the Cisco AnyConnect Umbrella Roaming module, you need to run two tools: The AnyConnect DART and the roaming client Umbrella Diagnostic tool.
Windows:
- Run the DART as per the instructions listed here
- Run the diagnostic executable located here: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\UmbrellaDiagnostic.exe
macOS:
- Run the DART as per the instructions listed here
- Run the diagnostic executable located here: /opt/cisco/anyconnect/bin/UmbrellaDiagnostic.app
- Copy the files from "/opt/cisco/anyconnect/umbrella/data/beacon-logs/service/acumbrellacore*" to the ticket
Note: This Diagnostic Tool is not to be used for troubleshooting issues with Secure Web Gateway (SWG) Web Policies. Troubleshooting steps for SWG can be found here: Troubleshooting Umbrella Secure Web Gateway: Policy Debug and Diagnostic Tests
Have the Cisco Secure Client Umbrella Roaming Module?
For the Cisco Secure Client Umbrella Roaming module, you need to run two tools: The DART and the roaming client Umbrella Diagnostic tool.
Windows:
- Run the DART as per the instructions listed here
- Run the diagnostic executable located here: C:\Program Files (x86)\Cisco\Cisco Secure Client\UmbrellaDiagnostic.exe
macOS:
- Run the DART as per the instructions listed here
- Run the diagnostic executable located here: /opt/cisco/secureclient/bin/UmbrellaDiagnostic.app
- Copy the files from "/opt/cisco/secureclient/umbrella/data/beacon-logs/service/acumbrellacore*" to the ticket
Note: This Diagnostic Tool is not to be used for troubleshooting issues with Secure Web Gateway (SWG) Web Policies. Troubleshooting steps for SWG can be found here: Troubleshooting Umbrella Secure Web Gateway: Policy Debug and Diagnostic Tests
Don’t have the Roaming Client or AnyConnect?
Download and run the standalone diagnostic tool from the links below.
Microsoft Windows : Download here
- If prompted to download .NET 3.5, you can also download this config file and place it in the same location as the Umbrella diagnostic tool EXE. This will stop the .NET 3.5 prompt.
macOS : Download here
Linux: No tool, see Terminal instructions here
Now that you have found and launched your diagnostic tool, please see the next section for how to run it on your Operations System.
Microsoft Windows
When you first run the tool, you'll be asked for account information, ticket information and a domain to test with. This information is all optional, but if there is a specific domain you are having trouble accessing, please include it the Domain to test field:
Click Run tests.
A file will be created in C:\Windows\tmp or C:\Users\<username>\AppData\Local\Temp\. Send this file to Umbrella support.
Diagnostic tools below version 1.6.5 on Windows will not support cloud upload as of March 31, 2021. Please upload the generated file to support.
If the Diagnostic does not run, provide the results of the following command prompt commands:
Apple macOS
When you first run the tool, you'll be asked for account information, ticket information and a domain to test with. This information is all optional, but if there is a specific domain you are having trouble accessing, please include it the Domain to test field:
Click Run tests. The tests should only take a few moments to complete. A diagnostic_results.txt file will be generated. Please send this file to Umbrella support.
If you would like to run the test manually, please issue the following commands:
- /usr/bin/dig +time=10 myip.opendns.com
- /usr/sbin/traceroute -I -w 2 208.67.222.222
- /usr/sbin/traceroute -I -w 2 208.67.220.220
- /usr/sbin/traceroute -I -w 2 api.opendns.com
- /usr/sbin/traceroute -I -w 2 bpb.opendns.com
- /usr/sbin/traceroute -I -w 2 block.opendns.com
- /usr/bin/dig @208.67.222.222 +time=10 debug.opendns.com txt
- /usr/bin/dig @208.67.222.222 -p 5353 +time=10 debug.opendns.com txt
- /usr/bin/dig +time=10 debug.opendns.com txt
- /usr/bin/dig +time=10 whoami.akamai.net
- /usr/bin/dig +time=10 whoami.ultradns.net
- /usr/bin/dig @208.67.222.222 +time=10 myip.opendns.com
- /usr/bin/dig @ns1-1.akamaitech.net +time=10 whoami.akamai.net
- /usr/bin/dig @pdns1.ultradns.net +time=10 whoami.ultradns.net
- /usr/bin/nslookup -timeout=10 -class=chaos -type=txt hostname.bind. 4.2.2.1
- /usr/bin/nslookup -timeout=10 -class=chaos -type=txt hostname.bind. 192.33.4.12
- /usr/bin/nslookup -timeout=10 -class=chaos -type=txt hostname.bind. 204.61.216.4
- ping -n 5 www.opendns.com (www.opendns.com)
- ping -n 5 rtr1.pao.opendns.com
- ping -n 5 rtr1.sea.opendns.com
- ping -n 5 rtr1.lax.opendns.com
- ping -n 5 rtr1.chi.opendns.com
- ping -n 5 rtr1.nyc.opendns.com
- ping -n 5 rtr1.lon.opendns.com
- ping -n 5 rtr1.mia.opendns.com
- ping -n 5 rtr1.sin.opendns.com
- ping -n 5 rtr1.fra.opendns.com
- ping -n 5 rtr1.hkg.opendns.com
- ping -n 5 rtr1.ams.opendns.com
- ping -n 5 rtr1.ber.opendns.com
- ping -n 5 rtr1.cdg.opendns.com
- ping -n 5 rtr1.cph.opendns.com
- ping -n 5 rtr1.dfw.opendns.com
- ping -n 5 rtr1.otp.opendns.com
- ping -n 5 rtr1.prg.opendns.com
- ping -n 5 rtr1.ash.opendns.com
- ping -n 5 rtr1.wrw.opendns.com
- ping -n 5 rtr1.syd.opendns.com
- ping -n 5 rtr1.jnb.opendns.com
- ping -n 5 rtr1.yyz.opendns.com
- ping -n 5 rtr1.yvr.opendns.com
- ping -n 5 rtr1.nrt.opendns.com
- /bin/ps wwaux
- /sbin/ifconfig -a
- /usr/sbin/scutil --dns
- /usr/sbin/netstat -rn
- /usr/bin/curl -Ls block.a.id.opendns.com/monitor.php
- /usr/bin/curl -Ls -c /dev/null bpb.opendns.com/monitor/
Linux/Unix
To provide diagnostic information for a Linux/Unix machine, please run the following commands and provide the results in your reply to the support ticket:
nslookup -type=txt debug.opendns.com.
nslookup -type=txt debug.opendns.com. 208.67.222.222
nslookup -type=txt debug.opendns.com. 208.67.222.222 -port=443
nslookup -type=txt debug.opendns.com. 208.67.222.222 -port=5353
traceroute 208.67.222.222
traceroute api.opendns.com.
traceroute bpb.opendns.com.
ifconfig
If you are asked to test a specific domain:
nslookup domain.com
nslookup domain.com 208.67.222.222
nslookup domain.com 208.67.220.220
nslookup domain.com 4.2.2.1
traceroute domain.com
Below are two example screenshots of the results of these commands. Your results will look similar but results will be unique to your Umbrella dashboard.
Want to learn more?
Visit our tutorial video series here:
https://learn.umbrella.com/getting-started-with-dns-layer-security-webinar (login required)