Introduction
This document describes how to troubleshoot Cisco Umbrella issues with bypass or user codes on custom block pages.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Troubleshoot Custom Block Page Issues
There are various reasons a custom block page is not working. Some of the common reasons are reviewed in this article.
Common Scenarios
No HTTPS Inspection Enabled in Web Policy Block Page
To ensure the functionality of a web policy block, HTTPS inspection must be enabled in the ruleset.
Custom Block Page Not Linked to the Correct Policy
After creating your custom block page, ensure that it is linked to the correct policy:
1. Expand your policy.
2. Under Umbrella Default Block Page Applied, select Edit.
3. Select Use a Custom Appearance and select your custom block page from the dropdown menu.
Org ID=0 and Origin ID=30829397 in Diagnostic Info
This issue often occurs when the Umbrella block page IPs "146.112.0.0/16" are blocked upstream, or when DoH is enabled in the browser settings. If you are using Meraki MX and content filtering is enabled, consider disabling content filtering in your Meraki dashboard and adding the Umbrella block page IPs "146.112.0.0/16" and "155.190.0.0/16", together with "umbrella.com" and "opendns.com", to your allow/exclusion list.
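To confirm upstream blocking, the check below scans firewall deny logs for destinations inside the two block page ranges named above. It is an added example, not Cisco's code; the key=value log format, the `denied_block_page_flows` helper and the sample lines are constructed for illustration, so adapt the regex to your firewall's export.

```python
import ipaddress
import re

# Umbrella block page ranges named in this article.
BLOCK_PAGE_NETS = [ipaddress.ip_network(n)
                   for n in ("146.112.0.0/16", "155.190.0.0/16")]

# Constructed sample lines in a made-up key=value format (assumption).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=deny src=10.0.0.15 dst=146.112.10.20 dport=443
2024-05-01T10:00:02Z action=allow src=10.0.0.15 dst=146.112.10.20 dport=80
2024-05-01T10:00:03Z action=deny src=10.0.0.22 dst=155.190.3.7 dport=443
2024-05-01T10:00:04Z action=deny src=10.0.0.22 dst=203.0.113.9 dport=443
2024-05-01T10:00:05Z action=deny src=10.0.0.15 dst=146.112.10.20 dport=443
malformed line without fields
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

def denied_block_page_flows(log_text):
    """Return {(dst_ip, dport): count} for denied flows into the block page ranges."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("action") != "deny":
            continue  # skip allowed traffic and lines that do not parse
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue  # dst field held a hostname or garbage
        if any(dst in net for net in BLOCK_PAGE_NETS):
            key = (str(dst), int(m.group("dport")))
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for (dst, dport), n in sorted(denied_block_page_flows(SAMPLE_LOG).items()):
        print(f"{n} denied flow(s) to Umbrella block page IP {dst}:{dport}")
```

Any hit means an upstream device is dropping traffic to the block page and needs the allow/exclusion entry described above.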
Troubleshoot Bypass Code or User
There are various reasons why a bypass code or user is not working properly, or you are receiving different error messages.
Common Scenarios
Error Message: "The bypass Code you entered could not be found"
As with block page appearance, ensure that the bypass codes/users you create are associated with the corresponding policy. If a bypass code or user is connected to a different policy, attempting to use it can result in this error message. Read more in the Umbrella documentation.
Block Page Does Not Show Administrative Bypass Section for Some Destinations
If the block page does not display the Administrative Bypass section for specific destinations, the destination can be blocked by your Application Block settings. The Bypass Code/User only works for Content Category and Block Destination List block types. To resolve this issue, consider removing the application and adding the domain/content category to this policy.
Error Message: "The login credentials you entered were invalid"
If Dashboard SSO is enabled, it is expected behavior to receive this error while logged in as a bypass user. Block Page Bypass (BPB) Users no longer bypass block pages or authenticate in any capacity to Umbrella. A BPB user is a user just like any other in Umbrella, but because of the way authentication is handled by SSO, it cannot be used to bypass block pages. Instead, you must use BPB codes.
Error Message: "The bypass code you entered has expired"
You can encounter this error message for these reasons:
- The expiration date of the bypass code has already passed.
- The bypass code expiration is set to a date beyond 03:14:07 UTC on Tuesday, 19 January 2038.
Page is Not Loading Correctly when I Use the Bypass Code/User
When the user accesses a blocked domain and enters the code to unblock the domain, a cookie is created on the user device with that domain.
For example, if the user is bypassing for YouTube, a cookie gets created for "youtube.com" and only this domain. In this case, the YouTube service requests information from different domains like "youtube-nocookie.com," "ytimg.l.google.com," and "googlesyndication.com," which is not allowed for this user policy. This causes YouTube not to load correctly.
Solution: If you still wish to use the Bypass Code/User, you can add all the domains the page relies on to retrieve this information to the allow list. You can find the most used services in this article: Block Page Bypass: Domains to Allow
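To build that allow list for a specific site, the sketch below takes the request URLs a page makes (for example, exported from the browser's network tab) and lists the hostnames the bypass cookie does not cover. It is an added example, not Cisco's code; the `uncovered_hosts` helper and the request list are constructed, and it assumes the cookie covers the bypassed domain and its subdomains.

```python
from urllib.parse import urlsplit

def uncovered_hosts(bypassed_domain, request_urls):
    """Return sorted hostnames not covered by the bypass cookie's domain."""
    bypassed = bypassed_domain.lower().rstrip(".")
    missing = set()
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if not host:
            continue  # data:, blob: and similar URLs carry no hostname
        # Assumption: the cookie covers the domain itself and its subdomains.
        # Match on a label boundary so look-alike names are not treated as covered.
        if host == bypassed or host.endswith("." + bypassed):
            continue
        missing.add(host)
    return sorted(missing)

# Constructed request list based on the YouTube example in this article.
SAMPLE_REQUESTS = [
    "https://www.youtube.com/watch?v=example",
    "https://youtube.com/",
    "https://www.youtube-nocookie.com/embed/example",
    "https://ytimg.l.google.com/vi/example/default.jpg",
    "https://googlesyndication.com/pagead/example.js",
    "https://youtube.com.example/",  # look-alike: a substring match would wrongly cover it
    "data:text/plain,hello",
]

if __name__ == "__main__":
    for host in uncovered_hosts("youtube.com", SAMPLE_REQUESTS):
        print("review for allow list:", host)
```

Review each reported hostname before adding it; the output is a candidate list, not a verdict that the domain is safe to allow.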
Block Page Bypass Caveats
- If the blocked content is something embedded in the page (like Image, Stylesheet, Script) the user cannot see the BPB page to enter the code (even though Umbrella tries to display it).
- BPB codes can be configured to only unblock certain categories or destinations. This can lead to problems where part of the page is unblocked but embedded content is not. If in doubt, try to test with a "bypass everything" code.
- BPB is heavily affected by the Content Security Policy on websites, which can block Umbrella's cookies and therefore prevent BPB from working for embedded content. You need to whitelist some of these embedded domains to get it working. See "Block Page Bypass: Domains to Allow."
- BPB bypass events are currently not logged in Umbrella reports.