This article applies to computers where the Umbrella roaming client and a BlueCoat filtering agent are both installed, specifically a BlueCoat agent running on the machine itself. This may or may not coincide with a PAC or proxy configuration.
The Umbrella roaming client and the Umbrella Roaming Security Module in AnyConnect are currently not compatible with BlueCoat software-based filtering that attempts to control DNS. Affected products:
- Cisco AnyConnect Umbrella Roaming Security Module
- Umbrella Roaming Client
AnyConnect Roaming Module and roaming client below 2.2.150
When the roaming client or roaming module is active, all DNS will appear to fail. The machine appears unusable and can no longer reach web resources. More specifically, DNS queries for A records fail, while other record types such as AAAA or TXT succeed.
When the roaming client is uninstalled or temporarily stopped, normal network behavior returns.
The roaming client will not recognize that DNS is failing, because only A records fail and its own health check does not use A records; the client therefore remains active and encrypted.
Roaming client 2.2.150 and above
When the roaming client is active, it fails open (stops encrypting and passes DNS through untouched) with the message:
"we have detected potential interference with A and/or AAAA DNS queries; there may be some software on the system that is causing problems"
This is a new detection method for software that overrides A records but does not modify TXT records. The client flags this behavior and disables itself to prevent loss of DNS.
To validate that you are observing this issue, confirm the following:
- The following scenarios will result in failing DNS (or, on 2.2.150 and above, the client disabling itself):
  - BlueCoat active and:
    - Roaming client or module protected and encrypted
    - Roaming client or module protected and unencrypted
  - BlueCoat process manually killed (not uninstalled), so that redirection is active but the underlying proxy is offline, and:
    - Roaming client or module protected
- The following scenarios will result in no issue:
  - BlueCoat active and:
    - Roaming client uninstalled or stopped
  - The roaming client or module active with BlueCoat uninstalled (after a reboot)
  - The BlueCoat web filter installed and no roaming client running
While DNS is failing, all A-record queries fail, but TXT queries are not redirected by BlueCoat and continue to work.
Root Cause and Solution
The root cause of this compatibility issue is twofold.
- The BlueCoat software redirects A-record queries (the most common DNS record type for browsing web pages) so that only it may answer them. The query may still leave the network, but the response is prevented from reaching the system. The roaming client has no way to override this.
- The roaming client determines DNS availability by checking TXT record responses that are unique to the Umbrella resolvers. Since BlueCoat does not intercept TXT records, the roaming client's tests continue to succeed even after all A records begin to fail. A-record failure combined with TXT-record success causes the roaming client to stay encrypted, perpetuating the broken state alongside the BlueCoat software.
BlueCoat's selective DNS proxy enforcement at a low level in the system causes a direct compatibility issue with the roaming client. The user impact is a loss of DNS and of any web browsing that depends on DNS.
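The following is an added example, not Umbrella or BlueCoat code, that reproduces the two-record check described above: it sends a raw A query and a raw TXT query to a resolver, treats a timeout as the "swallowed" A response, and then shows the difference between the pre-2.2.150 logic (only the TXT check is consulted, so the client stays encrypted) and the 2.2.150+ logic (TXT succeeding while A fails is flagged and the client fails open). The resolver address (198.51.100.53, a documentation range) and the probe hostname (example.com) are placeholders; the stub probe at the bottom is a constructed stand-in so the classification can be exercised offline.

```python
"""Added example: probe a resolver with an A and a TXT query and classify the
outcome as the article describes. Not Umbrella/BlueCoat code; the resolver
address and hostname are placeholders."""
import random
import socket
import struct
from typing import Callable

QTYPE_A = 1
QTYPE_TXT = 16
QTYPE_AAAA = 28

# Placeholders (assumptions, not from the article).
RESOLVER = "198.51.100.53"
PROBE_NAME = "example.com"


def build_query(name: str, qtype: int) -> bytes:
    """Build a minimal DNS query: 12-byte header (RD set, one question) + question."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN


def udp_probe(resolver: str, name: str, qtype: int, timeout: float = 2.0) -> bool:
    """Send one query over UDP/53; True only if a matching response arrives in time."""
    pkt = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False  # the symptom the article describes for A records
    # Accept only a response (QR bit set) carrying our transaction ID.
    return len(data) >= 12 and data[:2] == pkt[:2] and bool(data[2] & 0x80)


def classify(a_ok: bool, txt_ok: bool) -> str:
    """Turn the two probe results into a diagnosis."""
    if a_ok and txt_ok:
        return "healthy"
    if txt_ok and not a_ok:
        return "a-record-interference"  # selective redirection, the BlueCoat case
    if not a_ok and not txt_ok:
        return "resolver-unreachable"
    return "txt-only-failure"  # unusual; not the case described in the article


def legacy_verdict(a_ok: bool, txt_ok: bool) -> str:
    """Pre-2.2.150 logic: only the TXT health check is consulted."""
    return "stay-encrypted" if txt_ok else "fail-open"


def new_verdict(a_ok: bool, txt_ok: bool) -> str:
    """2.2.150+ logic: TXT success paired with A failure also fails open."""
    return "stay-encrypted" if (txt_ok and a_ok) else "fail-open"


def assess(probe: Callable[[str, str, int], bool],
           resolver: str = RESOLVER, name: str = PROBE_NAME) -> dict:
    """Run both probes through `probe` and report diagnosis plus both verdicts."""
    a_ok = probe(resolver, name, QTYPE_A)
    txt_ok = probe(resolver, name, QTYPE_TXT)
    return {
        "diagnosis": classify(a_ok, txt_ok),
        "legacy": legacy_verdict(a_ok, txt_ok),
        "new": new_verdict(a_ok, txt_ok),
    }


def make_stub_probe(answers: dict) -> Callable[[str, str, int], bool]:
    """Constructed offline stand-in for udp_probe: `answers` maps qtype -> bool."""
    return lambda resolver, name, qtype: answers.get(qtype, False)


if __name__ == "__main__":
    # Constructed scenario: A is swallowed, TXT is answered (the BlueCoat case).
    print(assess(make_stub_probe({QTYPE_A: False, QTYPE_TXT: True})))
    # Against a live resolver (network required): print(assess(udp_probe))
```

Run against a live resolver with `assess(udp_probe)` on an affected machine; a `diagnosis` of `a-record-interference` with `legacy` reading `stay-encrypted` is exactly the perpetuated broken state the root-cause list describes, while `new` reading `fail-open` is the 2.2.150+ behaviour.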
The only solution at this time is to cease the use of the BlueCoat workstation software that redirects DNS and instead utilize Umbrella-based content restrictions. BlueCoat may add an ability to disable DNS enforcement at a future time.