Integration of ASAv with Umbrella

We have ASAv (version 9 in and 3DES license) in the AWS cloud.


We have integrated ASAv with Umbrella by following all the steps described in the Cisco doc.


However, we still see the Umbrella status as UNKNOWN. On Umbrella the policy name is NEW Policy, so we identified that on the ASA it has to be put with a dash and not an underscore: NEW-Policy


But even if the policy tag is wrong, does the UNKNOWN status rely on tagging also?

The API token, certificate, everything is correct.


Umbrella registration: tag: NEW_Policy, status: UNKNOWN, device-id: , retry 0
Umbrella resolver mode: fail-close
Umbrella resolver ipv4: - operational
Umbrella resolver ipv6: 2620:119:53::53 - operational
Umbrella: bypass 0, req inject 0 - sent 0, res recv 0 - inject 0, local-domain-bypass 0
DNScrypt egress: rcvd 174269, encrypt 0, bypass 74269, inject 0
DNScrypt ingress: rcvd 388473, decrypt 0, bypass 88473, inject 0
DNScrypt: Certificate Update: completion 269, failure 0




Hello, anyone?


What does the UNKNOWN status on ASAv mean? I can't find the HTTP code either.



Hi Skywalker_007. 

I haven't done it myself, but I would expect UNKNOWN to mean it's not reachable or that there is inspection blocking the flow, such as the sfr module. I can see the guide for configuring the connection advising to exclude ports 53 and 443 to the Umbrella IPs.

I hope this helps. 


Kind Regards

Taqi Al-shamiri 

Hi ,


Does ASAv have Firepower?


Because sfr is for Firepower.



Hi Skywalker_007,

Apologies for my previous response, as I assumed it's an ASA X series, which has the module. ASAv, as stated in your case, doesn't have a module. Therefore, the sfr section doesn't apply to your scenario. However, checking the connectivity could be a good start to troubleshooting your issue.


Hopefully someone else might have a better idea on the possible reasons for this issue.  




I changed the tag to the correct one.


I can now see the status as:

Umbrella registration: tag: VPN, status: 400 BAD REQ, device-id: , retry 0


I matched the API token and it is the same.


For ASAv, I generated a token under the option Legacy Network Devices in Umbrella, as per the Cisco documentation.


I can't figure out why it does not work or integrate.

