Umbrella SWG traffic is load-balanced across a number of proxy instances and we do not always provide a persistent egress IP for each connection. This can cause issues in rare circumstances with websites or web applications that validates the source IP of the connection.
For example, a website may choose to store the source IP of the user along with their "session". Typically (but not always) this would be websites which require login credentials where the source IP might be "validated" to check the session is still valid. These websites may not work correctly with Umbrella in the default configuration.
The source IP of outgoing connections is only persistent when HTTPS Decryption is disabled.
Note: IP Persistence is currently not available in the Rio de Janeiro datacenter.
IP Persistence Problems
The behaviour of each website is different and therefore the symptoms of the problems can differ depending on the website. Cisco are unable to confirm why a website is behaving unexpectedly. Typical symptoms of the problem include...
- The website may return an unexpected error / timeout page or redirect the user back to a login page.
- A website may fail to function or render properly.
- The problem may occur at random points or work after refreshing the site.
- There are no clear 5XX errors (eg. certificate errors) presented by Umbrella
- There are no policy blocks (eg. redirect to block.opendns.com/swg) presented by Umbrella
- There are no other obvious connection failures - the website just behaves differently with Umbrella.
Enable IP Persistence
To validate if a problem is caused by IP persistence, simply disable HTTPS Decryption for the target domain(s) used by the website.
- This can be achieved by adding the domain to a 'Selective Decryption' list in 'Policies > Selective Decryption'.
- The selective decryption list must then be applied to the relevent Policy in 'Policies > Web Policy'.