Issue
The Umbrella DNS Security module within the Cisco Secure Client (AnyConnect VPN Agent) remains in a "Disabled" state after applying the Umbrella profile file due to device registration fingerprint mismatch. This issue persists across various network environments, including both corporate office and personal hotspot connections.
Diagnostic artifacts, such as screenshots, DART bundle captures, and packet capture files, have indicated device registration failures linked to a fingerprint mismatch in the OrgInfo.json file:
- Umbrella module displays "Disabled" status.
- Issue occurs after applying Umbrella profile file.
- Problem is seen on multiple networks.
- Diagnostic logs and packet captures show device registration failures.
Environment
- Product: Cisco Secure Client (AnyConnect VPN Agent) with Umbrella module
- Platform: Windows OS
- Umbrella DNS Security feature
- Umbrella profile file and OrgInfo.json involved
- Network environments: corporate office, personal hotspot
- Diagnostic artifacts: DART bundle, packet capture, screenshot
- Software version: All
Resolution
This detailed workflow resolves the "Disabled" state of the Umbrella module by correcting the fingerprint mismatch in the OrgInfo.json file and re-registering the device with the Umbrella cloud service.
Download a New OrgInfo.json File from SSE Dashboard
To ensure the device registration uses the correct fingerprint:
- Obtain a fresh OrgInfo.json file.
- Download the updated OrgInfo.json file directly from the Cisco Secure Service Edge (SSE) dashboard.
Stop the Cisco Secure Client - AnyConnect VPN Agent Service
To halt the service is necessary to safely modify files associated with the Umbrella module:
Open Windows Services and stop the service named Cisco Secure Client - AnyConnect VPN Agent.
Delete All Contents from the Umbrella Module Folder
- Clear any potentially corrupted or outdated data from this location.
- Delete all files and folders inside:
C:/ProgramData/Cisco/Cisco Secure Client/Umbrella/
Caution: Possible. The details mentioned here appears to contain procedures or commands that could cause significant impact if executed. Please ensure the aforementioned procedures or commands have been evaluated by an SME or Business Unit before executing or recommending.
Upload the New OrgInfo.json File
- Place the newly downloaded OrgInfo.json into the designated Umbrella folder.
- Copy the new OrgInfo.json file into:
C:/ProgramData/Cisco/Cisco Secure Client/Umbrella/
Restart the Cisco Secure Client Service
Re-initialize the Cisco Secure Client for the changes to take effect. Start the Cisco Secure Client - AnyConnect VPN Agent service from Windows Services.
(If Issue Persists) Collect Diagnostic Data for Further Analysis
If the device still fails to register, gather a new DART bundle to facilitate deeper troubleshooting. Use the DART tool within Cisco Secure Client to collect a new diagnostic bundle.
After performing these steps, the Umbrella module must transition from a "Disabled" state to an operational state, enabling DNS security features as intended.
Cause
The root cause of the issue was an invalid or outdated OrgInfo.json file containing an incorrect device fingerprint value. This mismatch led to failed device registration requests to the Umbrella API, resulting in the module remaining disabled. The error was confirmed by log entries showing "fingerprint does not match" and "failed to create device id" during registration attempts.
Example log excerpt from DART logs:
{"error":"invalid_request","message":"fingerprint does not match","code":400,"code_text":"Bad Request"}
Device Registration: failed to create device id
Related Content
Feedback