Understand Umbrella Roaming Client and Npcap

Available Languages

Download Options

  • PDF     (4.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (79.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (63.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 7, 2025
Document ID:225154

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes an interaction between the roaming client and the npcap software. If you are not using npcap, this article does not apply.

    Background Information

    When using npcap, the symptom of this interaction a total DNS failure for A and AAAA record types while the roaming client is active. TXT records can still succeed, allowing the roaming client to enter an encrypted mode.

    What is Npcap?

    Npcap is a third party software for packet capturing. During installation, npcap can install a npcap network interface onto the computer in order to facilitate captures. To confirm if npcap is installed in a way that can interfere with us, validate if there is a npcap network interface. If so, read on!

    Impacts and Resolution

    In some cases, the presence of the npcap driver can cause DNS sent to the roaming client to not reach its final destination. The impact is A and AAAA records time out and fail, resulting in a failure to load webpages. The browser error is most commonly a DNS failure NXDOMAIN. The roaming client can remain in "Protected and Encrypted" mode despite the full DNS failure due to Umbrella checks being made against TXT records, and npcap only is known to impact A and AAAA records.

    To validate if npcap is the root cause:

    1. Open up the network and sharing center
    2. Click to view network interfaces
    3. Right click and disable the npcap interface
    4. Confirm if the issue immediately resolves

    If the issue vanishes immediately upon disabling the npcap network interface, this confirms that the npcap NIC and driver are the root cause of the DNS resolution issue and can need to be uninstalled in order to run the roaming client correctly. This interoperability interaction occurs at the npcap level before DNS arrives to 127.0.0.1:53 where the roaming client is bound.

    Revision History

    Revision Publish Date Comments
    1.0
    07-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products