Introduction
This document describes how to resolve user-to-IP mappings that jump across IP addresses on the Cisco Umbrella Virtual Appliance (VA).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
Umbrella is unable to identify end-users properly, and it looks as though the mappings are jumping across IP addresses.
Solution
The solution is to exclude shared systems from the Connector by their IP address so that the Connector does not push logon events from those systems to the Virtual Appliances. In the Umbrella dashboard under Deployments > Configuration > Service Account Exceptions, add the appropriate exception as an IP address.
IP mappings can be cleared from each Virtual Appliance using config admap as described in the Umbrella Virtual Appliance Commands knowledge base article.
Cause
Each Virtual Appliance builds a table of mappings between users, machines, and their known IP addresses. It has a function that can "collapse" entries in this table if it sees logon events common across more than one IP. In cases where shared systems generate a large number of logon events across multiple users, those collapsed entries can "drift" their assignment to different users unexpectedly.
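One way to find the shared systems described above before adding exceptions, as an added example that is not part of the original article or of Umbrella itself: the script flags IP addresses where several distinct users log on within a short window. The record layout (timestamp, user, source IP), the sample data, the function name, and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, source IP). Not real data.
SAMPLE_EVENTS = [
    ("2024-01-08T09:00:05", "alice", "10.0.5.20"),       # shared host
    ("2024-01-08T09:02:11", "bob", "10.0.5.20"),
    ("2024-01-08T09:10:40", "carol", "10.0.5.20"),
    ("2024-01-08T09:30:00", "svc_backup", "10.0.5.20"),
    ("2024-01-08T09:45:00", "ALICE", "10.0.5.20"),       # same user, other case
    ("2024-01-08T08:55:00", "dave", "10.0.7.31"),        # single-user workstation
    ("2024-01-08T13:05:00", "dave", "10.0.7.31"),
    ("2024-01-08T08:00:00", "erin", "10.0.7.44"),        # address reused on
    ("2024-01-09T08:00:00", "frank", "10.0.7.44"),       # different days, so
    ("2024-01-10T08:00:00", "grace", "10.0.7.44"),       # not a shared system
]


def shared_system_candidates(events, window=timedelta(hours=1), min_users=3):
    """Return {ip: sorted users} for IPs where at least `min_users` distinct
    users logged on within any sliding `window` (both are assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        # Normalise case so "ALICE" and "alice" count as one user.
        by_ip[ip].append((datetime.fromisoformat(ts), user.lower()))

    candidates = {}
    for ip, logons in by_ip.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Shrink the window from the left until it spans <= `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            users = {u for _, u in logons[start:end + 1]}
            if len(users) >= min_users:
                candidates.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in candidates.items()}


if __name__ == "__main__":
    for ip, users in shared_system_candidates(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(users)} users within the window -> {', '.join(users)}")
```

Each flagged address is a candidate for review, not an automatic exception: confirm that the host really is a shared system before excluding it.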