I was able to fix this without having TAC do some intensive backdoor actions.
Go to the FTD command line and drop into the diagnostic CLI:

```
system support diagnostic-cli
enable (if needed)
show run
```
Look for the DNS policy map. Mine was similar to:

```
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  umbrella tag UMBRELLAPOLICY device-id 0123456789
```
Create a FlexConfig object. Set it to apply once, append, and paste the policy map in with the 'no' form of the umbrella command. You don't need the message-length lines, and you don't need the device-id. UMBRELLAPOLICY will be based on your own configuration.

```
policy-map type inspect dns preset_dns_map
 parameters
  no umbrella tag UMBRELLAPOLICY
```
Do not remove the Umbrella policy from the Access Control policy. Leave it as-is. Attach the FlexConfig to the device and deploy. The deploy completed for me, and the Umbrella settings were effectively removed. Now remove the FlexConfig policy from the device, set the DNS Umbrella policy to none, and deploy again. This got things back to normal for me.
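The same procedure as a single worked sequence with the checks I would run before and after the deploy, added here as an example and not part of the original post. The `firepower` prompts, the `UMBRELLAPOLICY` tag and the device-id are placeholders; substitute whatever `show run` prints on your own device.

```text
! --- 1. Before: confirm the umbrella line is really in the DNS inspection map ---
! (diagnostic CLI on the FTD; "firepower" is an assumed hostname)
> system support diagnostic-cli
firepower> enable
firepower# show running-config policy-map | begin preset_dns_map
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  umbrella tag UMBRELLAPOLICY device-id 0123456789
!
! --- 2. FlexConfig object body (FMC: Objects > FlexConfig Object) ---
! Deployment: Once, Type: Append. Only the tag is needed; omit device-id
! and the message-length lines so the rest of the map is left untouched.
policy-map type inspect dns preset_dns_map
 parameters
  no umbrella tag UMBRELLAPOLICY
!
! --- 3. After the first deploy: verify the umbrella line is gone ---
firepower# show running-config policy-map | begin preset_dns_map
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
firepower# show service-policy inspect dns
!
! --- 4. Cleanup: detach the FlexConfig from the device in FMC, set the
! DNS policy's Umbrella setting to none, and deploy a second time so the
! FMC-managed config and the running config agree again.
```

The point of the two `show` commands is to separate the two states: the first proves the FlexConfig is targeting the right policy-map name and tag, and the second proves the deploy actually removed the line before you detach the FlexConfig and hand the DNS policy back to FMC.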