Cisco Bug: CSCvu67042 - Umbrella DNS local domain bypass is not functioning with centralized data policy

Last Modified

Jul 15, 2020

Products (1)

  • Cisco XE SD-WAN Routers

Known Affected Releases

16.12.3

Description (partial)

Symptom:
When opening URLs whose domain name is configured under the local domain list of the Umbrella security policy, the browser shows "the sites are not reachable/Unable to resolve the domain", and a packet trace indicates that the cEdge is dropping the DNS query packet with the reason 'NoIPv4Route'.

Conditions:
When DNS traffic is matched by a centralized data policy (not by a NAT sequence).

For example, sequence 11 below matches all DNS traffic from the service VPN.

 data-policy DATAPOLICY
!
  vpn-list VPNLIST
!
   sequence 11
    match
     source-data-prefix-list LAN
     dns request
    !
    action accept
!
   sequence 21
    match
     source-data-prefix-list LAN
    !
    action accept
     nat use-vpn 0
    !
   !
   default-action drop
!
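As an added check (not part of the bug report and not Cisco code), the following Python walks a data-policy block like the one above and flags sequences that match `dns request` and accept it without `nat use-vpn`, which is the condition this bug describes; the policy text is a constructed copy of the example above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two sequences quoted in the bug description.
SAMPLE_POLICY = """\
 data-policy DATAPOLICY
!
  vpn-list VPNLIST
!
   sequence 11
    match
     source-data-prefix-list LAN
     dns request
    !
    action accept
!
   sequence 21
    match
     source-data-prefix-list LAN
    !
    action accept
     nat use-vpn 0
    !
   !
   default-action drop
!
"""

@dataclass
class Sequence:
    number: int
    match: list = field(default_factory=list)   # lines under 'match'
    action: list = field(default_factory=list)  # 'action ...' line and its sub-lines

def parse_sequences(text):
    """Parse 'sequence N' blocks into match and action lines; '!' closes the current section."""
    seqs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            section = None
            continue
        m = re.match(r"sequence (\d+)$", line)
        if m:
            cur = Sequence(int(m.group(1)))
            seqs.append(cur)
            section = None
        elif not line or cur is None:
            continue
        elif line == "match":
            section = "match"
        elif line.startswith("action"):
            section = "action"
            cur.action.append(line)
        elif section == "match":
            cur.match.append(line)
        elif section == "action":
            cur.action.append(line)
    return seqs

def dns_sequences_without_nat(text):
    """Sequence numbers that match DNS requests and accept them with no 'nat use-vpn' action."""
    return [s.number for s in parse_sequences(text)
            if any(l.startswith("dns ") for l in s.match)
            and any(l.startswith("action accept") for l in s.action)
            and not any(l.startswith("nat ") for l in s.action)]
```

On the sample policy this reports sequence 11 only; sequence 21 is excluded because its accept action carries `nat use-vpn 0`.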