
Unable to remove Umbrella DNS from Inspection in FMC

Hi All,

I need to remove our Umbrella DNS policy from the Inspection part of an Access Control Policy.

When setting the Umbrella policy to "None", the deployment fails.

I'm only able to apply a different policy, but not remove it entirely.

FMC >> vpn-addr-assign local
FMC >> policy-map type inspect dns preset_dns_map
FMC >> parameters
FMC >> no umbrella device-id 010a05988689d935
dk-dc-transit-ftd-dc01 >> [error] :
no umbrella device-id 010a05988689d935
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- no umbrella device-id 010a05988689d9

Cheers

8 Replies

Hmm strange.  What version FMC are you using?

You could try to create a new Umbrella DNS policy, select it and deploy, and then once that is completed, try selecting None again.

--
Please remember to select a correct answer and rate helpful posts

I tried to apply a new policy, with the default, but the Umbrella connector is still there, so it routes the queries to Umbrella Cloud.
 
Version: 7.3.1 (build 19)
Model: Secure Firewall Management Center for VMware
Serial Number: None
Snort Version: 2.9.21 (Build 1000)
Snort3 Version: 3.1.36.100 (Build 2)
Rule Pack Version: 2890
Module Pack Version: 3266
LSP Version: lsp-rel-20230912-1032
VDB Version: build 371 (2023-09-01 16:01:22)
Rule Update Version: 2023-09-12-001-vrt
Geolocation Update Version: Country Code: 2023-08-17-100, IP: 2023-08-17-100
OS: Cisco Firepower Extensible Operating System (FX-OS) 2.13.0 (build 1022)

UPDATE:

We spent some more time troubleshooting this issue, and discovered that every time a new Domain bypass is created on the Umbrella Policy, an additional line "domain local bypass" is added to the "Global Umbrella" CMD. There's no validation on this in the FMC GUI, and the value in the GUI cannot be "BLANK". We added "none" to the bypass list, and "none" was listed as a domain to be bypassed.

With Flexconfig we managed to remove the bypass config from the LINA code. We also tried to remove "umbrella device-id 010a05988689d9352" with Flexconfig but it failed. We did notice additional whitespace in the commandlet in the configuration.

Michael McPhee
Cisco Employee

I am having the exact same issues - cdFMC is on version 7.4, while the 2110 is on 7.3.1. Unable to resolve via Flexconfig and cdFMC.

ste.ant
Level 1

I'm running FMC and FTD 1150 at 7.2.5.1 and I am experiencing the same issue.

Steve

We had the issue resolved via a TAC case, unfortunately!

bill.whelan
Level 1

I ran into the same issue when attempting to remove the Umbrella connector feature while troubleshooting DNS issues that some Anyconnect users were experiencing. Just curious what was the underlying issue that led you to try and remove it.

Hi, I had to involve TAC. They connected to my FTD devices and removed the Umbrella config using a process that a Cisco customer cannot.
Steve