Introduction
This document describes common error, warning, and informational messages on the Sites and Active Directory page and provides resolution steps.
Background Information
The Umbrella Sites and Active Directory page is located at Settings > Sites and AD.
Virtual Appliances
Virtual Appliances Syncing
[Information] This VA has registered but has never synced
- Syncing can take up to 10 minutes.
- Ensure you meet the network requirements: Guide to Active Directory Communication Flow: Connectors > Virtual Appliances > DCs and the Cloud.
- Open a support case if the problem persists.
[Error] This VA was syncing at one point but has since stopped
- If you deleted the VA, remove it from the Umbrella dashboard: Removal Instructions - Umbrella Insights.
- Confirm network requirements: Guide to Active Directory Communication Flow: Connectors > Virtual Appliances > DCs and the Cloud.
- Open a support case if the problem persists.
Connector Connections
[Information] This VA was previously connected to one or more Connectors, but is now connected to none
- If you removed any Connectors, ignore this message and remove the Connector from the dashboard.
- Confirm network requirements: Guide to Active Directory Communication Flow: Connectors > Virtual Appliances > DCs and the Cloud.
- Open a support case if the problem persists.
[Warning] This Virtual Appliance is connected to some, but not all, of the Connectors for this site
- If you removed any Connectors, ignore this message and remove the Connector from the dashboard.
- Confirm prerequisites: Virtual Appliance User Guide: Prerequisites.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Warning] DNS queries forwarded by this VA to Umbrella are not encrypted
- The Virtual Appliance supports DNSCrypt between itself and Umbrella public DNS resolvers. DNS packets forwarded from the VA are encrypted by DNSCrypt, which is enabled by default.
- Unencrypted traffic is a problem that must be resolved. When encryption cannot be established between your VA and Umbrella, this warning occurs. Encryption is established with a probe sent on port 53 (UDP/TCP). If a firewall or IPS/IDS performs deep packet inspection and expects only DNS traffic, the probe can fail. Review your firewall configuration.
- If you use an ASA, view the document on packet inspection for more information.
- DNSCrypt is available in Virtual Appliances at 1.5.x or higher. If you have only a single VA that has not been upgraded, this message appears. For upgrading information: Update Virtual Appliances.
- More details: New VA Warning: Enabling DNSCrypt on your Virtual Appliance.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
Local Domain Config
[Information] This VA does not have any local domains configured
High Availability and Redundancy
[Error] This VA is not redundant within its site (2+ VA required per site)
- Install a second VA for high availability: The importance of running two Umbrella Virtual Appliances.
Query Failure Rate
[Error] A large percentage of DNS queries to this VA are failing
AD Connectors
Connectors – Syncing
[Information] This Connector has registered but has never synced
- Syncing can take up to 10 minutes.
- Ensure you meet network requirements: Identity Integrations: Prerequisites
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Error] This Connector was syncing at one point but has since stopped
- Ensure you meet network requirements: Guide to Active Directory Communication Flow: Connectors > Virtual Appliances > DCs and the Cloud.
- Cisco announced EOL of TLS 1.0/1.1. Unsupported Windows versions (Windows Server 2008, 2008 R2, or Windows 7) do not support TLS 1.2 by default. Reinstall the connector on a supported server version (Windows Server 2012 or higher).
- If the connector is deployed on WS 2012 or greater and stopped syncing to Umbrella, ensure that the connector is running version 1.6.31 or higher.
- Connectors version 1.6.31 or higher function on WS 2008/2008 R2 if running .NET 4.5.2 or higher, but redeployment on a supported server is recommended.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
Connectors – Connections Possible
[Information] This Connector has either no VA or no DC to connect to
- Sites must contain at least one of each component type.
- Review setup documentation:Identity Integrations: Prerequisites and Active Directory Integration > Step 2: Prepare your Active Directory Environment.
Connectors – DC Connections
[Information] This Connector has no DC to connect to
[Information] There are one or more DCs that the Connector could connect to, but it has not connected to any yet
- Syncing can take up to 10 minutes.
- Ensure you meet prerequisites: Identity Integrations: Prerequisites.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Warning] The Connector is connected to some, but not all, DCs
[Error] The Connector was once connected, but is not currently connected to any of the DCs available
Connectors – Virtual Appliance (VA) Connections
[Information] There are one or more VAs that the Connector could connect to, but it has not connected to any yet
- Remove any unused VAs from the dashboard.
- Syncing can take up to 10 minutes after removal.
- Ensure you meet network requirements: Identity Integrations: Prerequisites.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Warning] The Connector is reporting timeout errors while attempting to connect to some VAs
[Error] The Connector is connected to some, but not all, VAs
- Remove unused VAs from the dashboard.
- Syncing can take up to 10 minutes after removal.
- Ensure you meet network requirements: Guide to Active Directory Communication Flow: Connectors > Virtual Appliances > DCs and the Cloud.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Error] The Connector was once connected but is not currently connected to any of the VAs available
- Remove unused VAs from the dashboard.
- Syncing can take up to 10 minutes after removal.
- Ensure you meet network requirements: Guide to Active Directory Communication Flow: Connectors > Virtual Appliances > DCs and the Cloud.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Information] The Connector is not syncing events in parallel to VAs. Events processing can be slower than expected
- The Umbrella Connector service is tested to support 10 assets (Domain Controllers and Virtual Appliances) per CPU.
- Upgrade the server with the required number of CPUs based on the number of Domain Controllers and Virtual Appliances in the Umbrella Site.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Warning] The Connector is reporting drops while attempting to send events to some VAs
- The Umbrella Connector service is tested to support a continuous ~850 events (no hard limit) per second across all Domain Controllers in an Umbrella Site. If the overall rate is higher, drops can occur. Increasing the number of cores in a Connector box can help.
- Enable load-balancing functionality with two or more connectors to share load of multiple domain controllers. This is an advanced feature which must be enabled by opening a support case with Umbrella support.
Domain Controllers
DC – Connector Connections
[Information] Was at one point connected to one or more Connectors but is now connected to none
- If the Connector was removed, either redeploy the Connector or remove the Domain Controller.
- Confirm network requirements: Guide to Active Directory Communication Flow: Connectors > Virtual Appliances > DCs and the Cloud.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Information] This Domain Controller has never connected to a Connector
- To send information about login events to a Virtual Appliance, the DC must have a Connector installed in the same site.
- For Connector installation information: Install the Connector..
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Error] This Domain Controller has no Connectors to connect to
- To send information about login events to a Virtual Appliance, the DC must have a Connector installed in the same site.
- For Connector installation information: Install the Connector.
- If reinstalling the Connector or moving it from one machine to another, ignore this message.
[Warning] This Domain Controller is connected to some, but not all, Connectors
- Check permissions: Required Permissions for the Cisco_Connector User.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
[Error] WMI state of this Domain Controller is down. The Domain Controller is not responding to the WMI connection from the Connector
- This could be a temporary problem due to the load on the Domain Controller.
- Check if the WMI connection can be established using WBEMTest tool.
- Reduce the load on the DC by stopping other unused applications monitoring security events.
- Restart the Connector service to initiate a fresh WMI connection after reducing DC load.
- Collect logs: Providing support with AD connector logs.
- Open a support case if the problem persists.
Feedback