Managing Conflicts Between Pulse Secure and Umbrella Roaming Client

Available Languages

Download Options

  • PDF     (14.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (82.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (68.5 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 5, 2025
Document ID:224789

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to manage conflicts between Pulse Secure and Umbrella Roaming Client.

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on Umbrella Roaming Client.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Overview

    If you currently use Pulse Secure as a VPN client and are looking to install the Umbrella Roaming Client, this article is a must read. Though some users have reported limited success getting the the Cisco Umbrella roaming client to function with Pulse Secure VPN, it has numerous incompatibilities and is not supported at this time. 

    If you are experiencing issues with Umbrella Roaming client compatibility, the supported solution is to move to the AnyConnect Umbrella Roaming Security Module. This is included in your Umbrella DNS subscription as of April 2021. The primary account holder can access this software at software.cisco.com. If you are unsure which account has access or if there is an issue with access, please contact your account manager or the Umbrella support team at umbrella-support@cisco.com to reach out to your account manager on your behalf.

    Unsupported Deployments of Pulse Secure

    Pulse Secure is known to conflict with the Umbrella roaming client in these two scenarios:

    Pulse Windows 10 App style connection.

    • Impact: Pulse does not connect

    Pulse Secure

    • Impact: On disconnect, saved local DNS can remain on VPN values or 127.0.0.1 rather than WiFi/Ethernet values due to Pulse modification during VPN connection. This modification is a conflict between the Umbrella modifications and the Pulse modifications on the non-VPN NIC.
      • User connectivity is broken after disconnection until a DHCP lease renew occurs.
    • Solution: 
      • Switch to the Umbrella Roaming Security Module within AnyConnect. (AnyConnect VPN not required. License for AnyConnect for Umbrella use is included in your DNS package or can be provided to resolve this known conflict.)

    Pulse Secure with FQDN-Based Split Tunnel with Split-DNS

    • Impact: AC RSM does not go into encrypted/protected mode when used with pulse FQDN based split tunnel VPN. The VPN split-DNS configuration does not work as expected and behaves as tunnel-all DNS. Split-DNS for Pulse VPN works fine only when AC RSM is disabled.
    • Solution:
      • Switch to IP based split tunnel for VPN configuration

    Revision History

    Revision Publish Date Comments
    1.0
    05-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products