Hey all,
I think I am having a very niche and intermittent problem with our Umbrella.
I am seeing multiple users under the same internal IP address and this seems to be causing policy to be applied incorrectly, meaning that some restricted users are getting higher policies than they should and vice versa.
Example:
User A is an elevated policy user with fewer restrictions, and User B is a lower policy user with more restrictions. Occasionally, User A will appear in Cisco Umbrella with User B's internal IP or vice versa. This causes User A to file a ticket because they are being blocked by Umbrella on sites they should not be blocked on. Worse, the restricted user is now allowed more freedom and opens that account up to potential risks. This problem lasts from just a few minutes to several hours, and I haven't been able to identify exactly what is causing Umbrella DNS to change the identity for the internal IPs.
I am not sure if this is an AD auth issue resulting in the internal IP being incorrectly assigned in Umbrella; however, it has been very difficult to track down what the root cause of the issue is. As far as I can tell, I can't find any logs in Umbrella that would show this, since Umbrella is scrubbing AD auth log/security logs to assign identities to internal IPs via the virtual appliances. This is pushing me to think either A) the Umbrella / VAs are not set up correctly (seems OK to me according to the documentation), or B) there is something happening in the AD authentication causing credentials to be incorrectly applied to a user until they re-auth to the domain.
Has anyone experienced this issue, and does anyone have a solution?
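
One way to test hypothesis B from the post, as an added example that is not part of the original post: given logon events exported from the domain controllers, list each internal IP whose authenticated user changed and how long each user held it. The `timestamp,user,source_ip` layout, the sample rows and the function names are constructed, and the code assumes the most recent logon seen for an IP decides which identity is attached to it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows: timestamp,user,source_ip (layout is an assumption).
SAMPLE_EVENTS = """\
2024-05-06T08:01:12,userA,10.0.5.21
2024-05-06T08:03:40,userB,10.0.5.22
2024-05-06T09:15:02,userB,10.0.5.21
2024-05-06T09:15:05,userB,10.0.5.21
2024-05-06T11:47:30,userA,10.0.5.21
2024-05-06T12:00:00,userB,10.0.5.22
"""

def parse_events(text):
    """Parse CSV rows into (datetime, user, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip = (field.strip() for field in line.split(","))
        events.append((datetime.fromisoformat(ts), user.lower(), ip))
    return sorted(events)

def ownership_intervals(events):
    """Map ip -> [[user, start, end]]; end is None while still mapped."""
    intervals = defaultdict(list)
    for ts, user, ip in events:
        spans = intervals[ip]
        if spans and spans[-1][0] == user:
            continue  # same user re-authenticating, mapping unchanged
        if spans:
            spans[-1][2] = ts  # a different user logged on: close the old span
        spans.append([user, ts, None])
    return dict(intervals)

def contested_ips(intervals):
    """Keep only IPs that were mapped to more than one distinct user."""
    return {ip: spans for ip, spans in intervals.items()
            if len({span[0] for span in spans}) > 1}

if __name__ == "__main__":
    found = contested_ips(ownership_intervals(parse_events(SAMPLE_EVENTS)))
    for ip, spans in found.items():
        for user, start, end in spans:
            held = (end - start) if end else "still mapped"
            print(ip, user, start.isoformat(), held)
```

Comparing the reported spans against the times a ticket was filed shows whether a second account authenticating from the same workstation lines up with the wrong policy being applied.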