Version 2.2.150 of the roaming client contains a known issue where the state "Unprotected (Blocked A records)" is reported when the client was previously Protected in prior client versions. If you are seeing this message, please read on for cause and workarounds to remove the error until a resolution is available in a future release. To receive updates on future releases, please subscribe to our release notes.
The error message looks like the image below (not reproduced here): the client status reads "Unprotected (Blocked A records)".
Version 2.2.150 of the roaming client includes a new DNS validation check to confirm that A records are resolvable before going encrypted. This serves as insurance to avoid entering the protected and encrypted state in the presence of conflicting third-party software such as Bluecoat/K9 and npcap. It is intended as a supplementary check after entering the protected state to ensure that DNS A record resolution is possible.
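To make the check concrete, here is an added example of an A-record resolvability probe of the kind described above. It is not Cisco's roaming client code; it builds a DNS query by hand (no third-party library), sends it to a resolver over UDP, and reports whether at least one A record came back. The resolver address, port, timeout and probe name are assumptions, and the sample response used for offline parsing is constructed.

```python
"""A-record resolvability check (added example, not the roaming client's code).

Assumptions: a plain-DNS resolver reachable on UDP/53, a probe name such as
example.com, and a 2 second timeout. parse_a_records() is written defensively
so a short, mismatched or error reply reports "no A records" instead of raising.
"""
import random
import socket
import struct


def build_query(name, txid):
    """Build a standard recursive DNS query for an A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, offset):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_a_records(response, txid):
    """Return the A-record addresses in `response`, or [] if it is not a usable answer."""
    if len(response) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or flags & 0x000F != 0:  # wrong transaction or non-zero RCODE
        return []
    try:
        offset = 12
        for _ in range(qdcount):
            offset = _skip_name(response, offset) + 4  # skip QTYPE/QCLASS
        addrs = []
        for _ in range(ancount):
            offset = _skip_name(response, offset)
            rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
            offset += 10
            rdata = response[offset:offset + rdlength]
            offset += rdlength
            if rtype == 1 and rclass == 1 and rdlength == 4:
                addrs.append(socket.inet_ntoa(rdata))
        return addrs
    except (IndexError, struct.error):
        return []  # truncated or malformed reply


def a_records_resolvable(resolver, name="example.com", port=53, timeout=2.0):
    """Live check: True only if `resolver` returns at least one A record for `name`."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (resolver, port))
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return False
    return len(parse_a_records(data, txid)) > 0


def sample_response(txid, rcode=0):
    """Constructed reply for offline testing: example.com A 93.184.216.34, TTL 60."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1, 0, 0)
    question = build_query("example.com", txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    # Replace with the resolver you want to verify (assumption).
    print("A records resolvable:", a_records_resolvable("127.0.0.1"))
```

The live function is the part a support engineer would point at a resolver when the client reports "Blocked A records": a `False` result from a plain-DNS resolver that otherwise works narrows the cause to the validation path rather than the upstream resolver.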
There is currently a known issue in which this check can cause the client to enter an Unprotected state. This occurs when the client is failing over from the Protected and Encrypted checks to the Protected and Unencrypted checks. Rather than successfully entering the protected and unencrypted state, the client enters an Unprotected state because the A record check fails. Cisco is aware of this issue and is working towards a permanent solution.
Additionally, the return to the protected and unencrypted state after a state change may be delayed.
Temporary workaround solution
The current temporary solution is to allow UDP 443 to 184.108.40.206 and 220.127.116.11 on your network. This is the port and destination the roaming client requires for DNS encryption. DNS encryption is an optional feature; however, encrypted mode is the workaround for this issue at this time.
A fix is available in a pre-release roaming client. Please contact support to receive this pre-release fix.
For any questions or further support, please contact email@example.com.