Introduction
This document describes how to troubleshoot the Umbrella Connector error, "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on the Umbrella Connector.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
You notice that the Umbrella Connector service is displaying an error status on the Dashboard. When looking in the logs, you see these errors:
1/30/2014 8:39:44 PM: Failed to sync! Response: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Note: The connector logs are located here: C:\Program Files (x86)\OpenDNS Connector\v1.x.x\OpenDNSAuditClient.log
Solution
This error is related to network connectivity: either a firewall is blocking the traffic, or another packet inspection system is interfering and may require an exception that exempts the connector's traffic. This is an overview of the likely destinations that need to be opened up:
- The API (https://api.opendns.com): This is the main destination which the connector communicates with and is used for registration during installation, as well as health checks and updates.
- OCSP (Online Certificate Status Protocol) validation: Make sure port 443/TCP is open and, if you have specific rules allowing or denying access by IP address, that all addresses related to ocsp.digicert.com are open as well.
Port 80/TCP
- ocsp.digicert.com
- crl4.digicert.com
- crl3.digicert.com
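To tell the two causes apart (a firewall blocking traffic versus an inspection device re-signing it), the check below can be run on the server that hosts the connector. It is an added example, not part of the original document or the connector; the function name Get-TlsTrustReport is hypothetical, and the hostnames are the ones listed above.

```powershell
# Added diagnostic example. Assumes Windows PowerShell 5.1 or later.
$apiHost    = 'api.opendns.com'
$revocation = 'ocsp.digicert.com', 'crl3.digicert.com', 'crl4.digicert.com'

function Get-TlsTrustReport {    # hypothetical helper name
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever certificate is presented so the handshake completes and
        # the certificate can be examined. Diagnostic only: no data is sent.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Rebuild the chain with online revocation checking and record the result.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer    # an internal CA here points to TLS inspection
            Trusted     = $trusted
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    catch {
        # TCP connect or TLS handshake failed outright (for example, blocked by a firewall).
        [pscustomobject]@{
            Host = $HostName; Subject = $null; Issuer = $null; Trusted = $false
            ChainStatus = "Connection or handshake failed: $($_.Exception.Message)"
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Get-TlsTrustReport -HostName $apiHost | Format-List

# Revocation endpoints listed above must be reachable on 80/TCP.
foreach ($h in $revocation) {
    $r = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
    '{0,-20} 80/TCP reachable: {1}' -f $h, $r.TcpTestSucceeded
}
```

A ChainStatus of UntrustedRoot or PartialChain together with an unexpected Issuer indicates that an inspection device is presenting its own certificate, while RevocationStatusUnknown or OfflineRevocation indicates that the OCSP/CRL hosts cannot be reached.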
TLS and .NET
See this article for more information on .NET and TLS failing. Messages can include "An unexpected error occurred on a receive".
Additional Information
Full details of all required destinations as well as an explanation of what they are required for can be found in the Umbrella documentation.