Guidelines and Limitations for Configuring SASE Tunnels on Umbrella

SASE topology supports:

  • Only PSK-based authentication

  • IKEv2

  • High availability

General Configuration Guidelines

  • The management center does not discover tunnels created directly on Umbrella or by other applications.

  • You can add only devices managed by the management center as endpoints for the SASE topology. You cannot add extranet devices.

    For high availability pairs, the HA pair names appear in the endpoint list.

  • If you delete a tunnel from the management center and the management center is unable to delete it from Umbrella, you must log in to Umbrella and delete the tunnel manually.

  • You cannot edit or delete a SASE topology while its deployment to Umbrella is in progress. You can view the tunnel deployment status in the following places:

    • Cisco Umbrella Configuration dialog box of the wizard

    • Notifications page under the Deployments and Tasks tabs

    • Site to Site VPN Monitoring dashboard

  • If you check the Deploy configuration on threat defense nodes check box in the wizard, the Umbrella SASE topology configuration is deployed on the threat defense only after the tunnels are deployed on Umbrella.

    The management center requires the local tunnel ID to deploy the Umbrella configuration on the threat defense. Umbrella generates the complete tunnel ID (<prefix>@<umbrella generated ID>-umbrella.com) only after the management center deploys the tunnel on Umbrella.

  • Topologies created before version 7.3 with the Umbrella data center as an extranet hub are not recognized by the management center as SASE topologies. You must create new SASE topologies in version 7.3 and delete the existing topology.

Limitations

SASE topology does not support:

  • Clustering

  • Certificate-based authentication

  • IKEv1