Resolve Warning VA "is in a state of attention"

Available Languages

Download Options

  • PDF     (30.1 KB)
    View with Adobe Reader on a variety of devices
Updated:October 1, 2025
Document ID:225114

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to resolve the VA warning stating your VA "is in a state of attention" related to enabling DNSCrypt.

    Overview

    Virtual Appliance (VA) supports DNSCrypt encryption between itself and OpenDNS public Domain Name System (DNS) resolvers. DNSCrypt encrypts DNS packets that the VA forwards, preventing interception of sensitive information. DNSCrypt is enabled by default for optimal protection, but you can encounter issues if a firewall blocks the encrypted traffic between your VA and the public DNS resolvers.

    Unencrypted DNS traffic is a security risk that you must address. When encryption cannot be established between your VA and OpenDNS, your Umbrella dashboard displays a warning that the affected Virtual Appliance "is in a state of attention" to ensure you maintain the best possible protection.

    Virtual Appliance Error Messages

    If you click View Details, you see a message indicating that DNS queries forwarded by this VA to OpenDNS are not encrypted.

    Click View Details

    Note: DNSCrypt is available only in Virtual Appliances running version 1.5.x or higher. If you have only one VA and it has not been upgraded, this message also appears.

    Resolve the DNSCrypt Warning

    To resolve the warning and restore DNSCrypt protection:

    1. Review your firewall or Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) configuration.
    2. Ensure that your firewall or IPS/IDS allows encrypted DNSCrypt traffic for the VA.
    3. Allow outbound and inbound traffic on port 53 (UDP/TCP) to these OpenDNS IP addresses:
      • 208.67.220.220
      • 208.67.222.222
      • 208.67.222.220
      • 208.67.220.222
    4. If you use a firewall or IPS/IDS with deep packet inspection, verify that it does not block or interfere with encrypted DNSCrypt packets. Some devices can block these packets if they expect only standard DNS traffic on port 53.
    5. Confirm that encrypted traffic can flow both outbound and inbound between your network and OpenDNS resolvers on all devices in the path.
    note-icon

    Note: If your firewall or IPS/IDS blocks DNSCrypt traffic, DNS resolution can fail for users behind the VA.

    If you believe your firewall already allows this traffic but the warning persists, open a support case for further assistance.

    For more information about Cisco ASA firewall behavior and possible error messages related to deep packet inspection and DNSCrypt, see: Why is Cisco ASA Firewall blocking DNSCrypt functionality from the Umbrella Virtual Appliance?

    Revision History

    Revision Publish Date Comments
    1.0
    01-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Lauren Dubravec
      Technical Education Content Developer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products