Security Center blocked Cisco Umbrella DNS Resolver

JessIT1
Building a reputation


This destination got blocked:

dns.sse.cisco.com
208.67.222.222:443

OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt

It caused all kinds of connection issues today. Once I whitelisted it, everything that was broken was fixed, so it is a false positive.

How does Cisco Meraki block Cisco Umbrella DNS?

Mloraditch
Kind of a big deal

Sounds like a bad definition may have gotten out there OR something got screwed up on the Umbrella servers. I suggest opening a support case. You definitely shouldn't be seeing something like this.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
JessIT1
Building a reputation

I had opened a case with Cisco Umbrella; here is their response:

Thank you for contacting Cisco TAC and for providing the details around case 699946238. My name is Daniel Zapata and I’ll be your new case owner. From what you’ve described, your Meraki IDS is blocking traffic to Cisco Umbrella’s DNS endpoint (dns.sse.cisco.com / 208.67.222.222:443), flagging it as "OpenSSL SSLv3 large heartbeat response – possible SSL Heartbleed attempt." Because dns.sse.cisco.com is Umbrella’s resolver endpoint and is expected traffic, you may consider creating an IDS exception or whitelisting 208.67.222.222 on your Meraki dashboard to prevent this false-positive block. Also verify that your Meraki firmware and IDS signatures are up to date, as signature refinements often resolve Heartbleed-style false positives.

I am also opening a case with Meraki support about it.

JessIT1
Building a reputation

Response from Meraki: Thank you for reaching out to Cisco Meraki Technical Support!

I would like to provide some clarity regarding the issue you experienced this morning, where traffic to the Cisco Umbrella DNS endpoint (dns.sse.cisco.com, IP: 208.67.222.222) was blocked by the Cisco Meraki Intrusion Detection System (IDS).

The IDS detected what it interpreted as an "OpenSSL SSLv3 large heartbeat response – possible SSL Heartbleed attempt" in the encrypted traffic to the Umbrella DNS resolver. This detection was a false positive, meaning the IDS mistakenly flagged legitimate traffic as a security threat. As a result, the traffic was blocked, causing connection issues across your network.

Once the IP address 208.67.222.222 was added to the IDS whitelist in the Meraki dashboard, normal connectivity was restored, confirming that this was indeed a false positive.

To whitelist this IP address, please go to Security & SD-WAN > Threat protection > Trusted IP Addresses/Subnets and add the corresponding IP. This will help prevent future false-positive blocks from this IP.
