Two Umbrella Virtual Appliances (VAs) in the same region were experiencing intermittent status changes from green to red. One VA remained stable while the other intermittently lost connectivity to Umbrella.
Technology: Security - Network Protection
Sub-technology: Umbrella - Virtual Appliance (VAs)
Two Umbrella Virtual Appliances deployed in the same region
Network infrastructure with edge router configuration
ISP connectivity for internet access
The resolution involved identifying and addressing a network-level configuration issue that was blocking UDP traffic on port 5353. The following diagnostic and resolution steps were taken:
Step 1: Initial Diagnostic Data Collection
Traceroute screenshots and show-tech bundles were collected for both VAs to compare their connectivity patterns and identify the scope of the issue.
Step 2: Network Connectivity Testing
Firewall and perimeter edge router tests were conducted to verify UDP port 5353 reachability, which consistently returned "destination not reached" responses for the affected traffic.
Step 3: Service Process Verification
Analysis of the show-tech bundle confirmed that the umbrella-connector process was running properly on the affected VA, indicating that the issue was not with the internal VA processes but rather with network connectivity.
Step 4: ISP Investigation
A case was opened with the Internet Service Provider to investigate UDP port 5353 reachability issues at the network level.
The underlying cause was identified as UDP port 5353 not being enabled in the edge router configuration. This network-level blockage prevented the affected VA from establishing proper connectivity to Umbrella DNS services over UDP port 5353, while TCP port 443 traffic remained unaffected.
Step 5: Edge Router Configuration Correction
The edge router configuration was updated to enable UDP port 5353, allowing proper communication between the Umbrella VA and the Umbrella DNS-over-UDP endpoint.
The root cause of the intermittent Umbrella Virtual Appliance connectivity issues was a network configuration problem: UDP port 5353 was not enabled on the edge router. This blocked the affected VA from establishing proper DNS-over-UDP connectivity to Umbrella services, while TCP traffic on port 443 remained unaffected. The issue manifested as intermittent health check failures because the VA could not consistently reach the Umbrella DNS endpoint over the required UDP port 5353.
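A reachability check along the lines of Step 2, as an added example that is not part of the original article or of Cisco tooling: it sends one DNS query over UDP port 5353 and opens a TCP connection to port 443, then separates an answer, an ICMP unreachable error, and a silent drop. The target host is supplied by the operator (the article names no endpoint address), and the function names are illustrative.

```python
import socket
import struct
import sys

def build_query(name="example.com", txid=0x1234):
    """Minimal DNS A query in RFC 1035 wire format, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe_udp_dns(host, port=5353, timeout=2.0, txid=0x1234):
    """Return 'answered', 'unreachable' (ICMP error), 'timeout' (silent drop) or 'invalid'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # connected socket: ICMP errors surface as exceptions
            s.send(build_query(txid=txid))
            reply = s.recv(512)
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"
    # Count only a reply that echoes our transaction ID with the QR (response) bit set.
    if len(reply) >= 4 and reply[:2] == struct.pack(">H", txid) and reply[2] & 0x80:
        return "answered"
    return "invalid"

def probe_tcp(host, port=443, timeout=2.0):
    """True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(host, udp_port=5353, tcp_port=443, timeout=2.0):
    """Compare the UDP and TCP paths, matching the symptom split in this article."""
    udp, tcp = probe_udp_dns(host, udp_port, timeout), probe_tcp(host, tcp_port, timeout)
    if udp == "answered":
        verdict = "UDP path OK"
    elif tcp:
        verdict = "UDP blocked while TCP works: check edge router and firewall rules"
    else:
        verdict = "no connectivity on either path: check routing before port rules"
    return udp, tcp, verdict

if __name__ == "__main__":
    # Host is operator-supplied; the article names no endpoint address.
    print(diagnose(sys.argv[1]))
```

Because the failure described here was intermittent, run the check repeatedly from the same network segment as each VA and compare the results between the stable and the affected appliance.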
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 27-May-2026 | Initial Release |