Troubleshoot Network and Tunnel Identities for CSC Users

Available Languages

Download Options

  • PDF     (123.2 KB)
    View with Adobe Reader on a variety of devices
Updated:September 29, 2025
Document ID:225082

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to troubleshoot Network and Tunnel identities for Cisco Secure Client (CSC) users.

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on Cisco Umbrella Secure Web Gateway (SWG).

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Overview

    Network and Tunnel Identities for Cisco Secure Client Users is now Generally Available to customers. Umbrella can now apply network/tunnel-based rulesets/rules to CSC SWG installed computers when they are connected to a company network. This feature was enabled for all customers on January 27, 2022.

    Reviewing Your Deployment

    This enhancement resulted in a change in the applied policy for a customer in this scenario: 

    • Using CSC SWG module
    • Have Registered Networks or Network Tunnels in Umbrella
    • Have created Web Rulesets for Tunnels / Networks (non-default)
    • Have Web Rulesets/Rules for Tunnels at ahigher priority than rules for CSC, AD Users, or AD Groups

    Web Policy Settings

    Your web policy was not applied as expected if:

    • The Network/Tunnel rules are at a higher precedence than rules which affect CSC.
    • The Network/Tunnel rules are at a higher precedence than rules which affect Users/Groups.

    To ensure that the rules are behaving as expected, depending on the desired outcome, you can:

    • Increase the priority of CSC, User, and Group rules to maintain the current behaviour where CSC provided identities are always applied; or
    • Leave the Network/Tunnel rules at a higher priority so that CSC users are subject to the Network/Tunnel policy when visiting the office network.

    Troubleshooting

    If your web policy is not being applied correctly you can check by using the Web Policy Tester on the Umbrella Dashboard:

    Web Policy Tester4409292051348

    If you have any questions about how your rules and rulesets are being applied, you can use the Umbrella Policy Debug Tool, copy or download the results, and submit a ticket to Cisco Umbrella Support with the results included.

    Revision History

    Revision Publish Date Comments
    1.0
    29-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products