Symptom
Umbrella DNS Security is not functioning and DNS packets are dropped.
The API keys are populated on vManage and the DNS Security policy is pushed to the cEdges.
After the policy push, failed registration attempts appear under "debug umbrella device-registration" in show logging, the issue being the expired certificate presented by the cEdge.
Router#show sdwan umbrella device-registration
                           DEVICE
NAME  STATUS      TAG      ID    DESCRIPTION
---------------------------------------------------------------------------
1     403 FORBID  vpn1           403 Forbidden response received, retrying
Router#
Conditions
Umbrella DNS Security feature enabled on the device. A Day 0 configuration, or a reboot or upgrade of an existing device with the feature configured, leads to Umbrella registration failure and dropped DNS packets. This applies to all currently active SD-WAN releases.
Workaround
Copy the latest certificate (https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem) to bootflash:trustidrootx3_ca.ca on the cEdge. Unconfigure the DNS Security Umbrella registration configuration and add it back.
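Before copying the replacement file, it is worth confirming that the PEM destined for bootflash:trustidrootx3_ca.ca is not itself expired, since an expired root in that file is exactly what produces the 403 above. The following is an added example, not part of the original bug note: a standard-library Python check that reads the validity window of every certificate in a PEM bundle and flags expired ones. The bundle embedded here is a constructed, unsigned stand-in with only the fields the parser reads, not the real ISRG Root X1 file; run check_bundle() on the downloaded PEM instead.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos). Handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split the body of a DER SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) into an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    tbs = _children(_children(_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate fields
    if tbs[0][0] == 0xA0:                                # skip the explicit [0] version when present
        tbs = tbs[1:]
    not_before, not_after = _children(tbs[3][1])         # serial, sigAlg, issuer, then validity
    return _time(*not_before), _time(*not_after)

def check_bundle(pem_bytes, now=None):
    """Report each certificate's validity window and whether it is already expired at `now`."""
    now = now or datetime.now(timezone.utc)
    report = []
    for m in PEM_RE.finditer(pem_bytes):
        nb, na = cert_validity(base64.b64decode(b"".join(m.group(1).split())))
        report.append({"not_before": nb, "not_after": na, "expired": na < now})
    return report

def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def _sample_pem(nb, na):
    """Constructed, unsigned stand-in certificate: only the fields this parser reads are populated."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + _der(0x30, utc(nb) + utc(na)) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

# Constructed sample bundle (not real roots): one certificate expired in 2021, one valid until 2035.
SAMPLE_BUNDLE = (_sample_pem(datetime(2000, 9, 30, tzinfo=timezone.utc), datetime(2021, 9, 30, 14, 1, 15, tzinfo=timezone.utc))
                 + _sample_pem(datetime(2015, 6, 4, tzinfo=timezone.utc), datetime(2035, 6, 4, 11, 4, 38, tzinfo=timezone.utc)))
```

Any entry with "expired": True in the report is a trust-store file that will keep producing the registration failure described above, regardless of how often the Umbrella configuration is re-applied.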
Further Problem Description
The latest certificate must be copied to the cEdge at the path shown by "#cat bootflash/trustidrootx3_ca."