Issue
The user is attempting to validate that reserved IP addresses are functioning correctly when using Cisco Secure Access with the Zero Trust Access (ZTA) TIA client. The reserved IPs provided for validation are:
- Reston, Virginia, USA: 151.186.128.84
- San Jose, California, USA: 151.186.131.49
The workflow involves routing Internet traffic through the ZTA TIA client, not the Umbrella Roaming module. The Umbrella SWG module backs off as soon as TIA is active. When performing an external IP check (such as using "whatsmyip") and validating from the activity search report, the expected reserved IP addresses are not observed.
Environment
- Technology: Solution Support (SSPT - contract required)
- Subtechnology: Secure Access
- Reserved IPs provided: 151.186.128.84 (Reston, VA), 151.186.131.49 (San Jose, CA)
- Internet traffic routed via ZTA TIA client (not Umbrella Roaming module)
- No specific software version or hardware platform mentioned
Resolution
These steps detail the current workflow for validating reserved IP functionality with Secure Access and ZTA client, as well as the actions being taken based on the case data.
Step 1: Attempt IP Validation via External Service
- Initiate an external IP check using a public service (such as "whatsmyip") and check the activity search report using the advanced filter called "Egress IP (Reserved)" to verify that Internet traffic routed through the ZTA client appears to originate from the assigned reserved IP address.
Description of expected output:
- Expected: The output must display either X.X.X.X or X.X.X.X, depending on your current geolocation and Secure Access configuration.
- Actual: The reserved IPs do not appear in the output.
Step 2: Backend Provisioning Check and Update
Collaborate with TSE3 to perform this task.
The backend configuration must be updated to ensure that reserved IPs are applied for ZTA TIA (Traffic Internet Access) traffic. This process can involve coordination with the product management team and a correction to system provisioning.
If your org is provisioned for RIP in DCv2, then the ZTA TIA use case is NOT supported. This is the root cause of the issue. To address this, engage PM to correct the provisioning to AWS DC to apply RIP for ZTA TIA traffic.
No CLI command was found which shows the change from non-working CLI.
Step 3: Monitor for Backend Changes
Await confirmation that the backend change has been implemented so reserved IP assignment is active for ZTA TIA traffic.
No CLI command or output is available showing the backend change or successful validation. Placeholder for future verification steps.
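The comparison from Step 1 can be scripted so it is repeatable once the backend change is confirmed. This is an added example, not part of the original article or any Cisco tooling: the source labels and sample observations are constructed (203.0.113.10 is a documentation address), and only the two reserved IPs come from this article.

```python
import ipaddress

# Reserved egress IPs as listed in this article.
RESERVED = {
    ipaddress.ip_address("151.186.128.84"): "Reston, Virginia, USA",
    ipaddress.ip_address("151.186.131.49"): "San Jose, California, USA",
}
# Addresses that are local to the client and can never be an Internet egress IP.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def classify(raw):
    """Return (status, detail) for one observed egress value."""
    text = raw.strip()
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return ("invalid", text)
    # An IPv4-mapped IPv6 value (::ffff:a.b.c.d) is the same IPv4 egress address.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    if ip in RESERVED:
        return ("reserved", RESERVED[ip])
    if any(ip in net for net in LOCAL_NETS):
        return ("not-egress", str(ip))
    return ("unreserved", str(ip))

def validate(observations):
    """observations: iterable of (source, raw_ip); returns {source: verdict}."""
    by_source = {}
    for source, raw in observations:
        by_source.setdefault(source, []).append(classify(raw)[0])
    verdicts = {}
    for source, statuses in by_source.items():
        if "unreserved" in statuses:      # traffic left from a non-reserved IP
            verdicts[source] = "FAIL"
        elif "reserved" in statuses:      # every usable observation was reserved
            verdicts[source] = "PASS"
        else:                             # nothing usable was collected
            verdicts[source] = "INCONCLUSIVE"
    return verdicts

# Constructed sample: values as they might be copied from each check.
SAMPLE = [("external-check", "203.0.113.10\n"), ("external-check", "192.168.1.20"),
          ("activity-search", "151.186.128.84"),
          ("activity-search", "::ffff:151.186.131.49"), ("manual-note", "X.X.X.X")]

if __name__ == "__main__":
    for source, verdict in validate(SAMPLE).items():
        print(f"{source}: {verdict}")
```

A FAIL from either source after the backend change is reported as complete indicates that reserved IP assignment is still not applied to ZTA TIA traffic.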
Cause
The cause of the issue is that the reserved IP addresses are not currently applied to ZTA TIA traffic due to a required backend configuration change. As a result, external IP validation does not show the expected reserved IPs. The provisioning for reserved IP assignment is pending correction, according to the workflow noted in the case.