Cisco Defense Orchestrator

Configure a SASE Tunnel for Umbrella

Note: The Umbrella organization and the ASA device you want to create the tunnel for must already be onboarded to CDO. 

If the ASA or Umbrella organization associated with the tunnel you just deployed is in an unhealthy state, CDO may not be able to successfully deploy the tunnel. If you experience any issues, contact Cisco TAC.

Create a SASE Tunnel

Use the following procedure to create a SASE tunnel for an Umbrella organization:

  1. Log into CDO.
  2. Navigate to the VPN window. Select Site-to-Site VPN.
  3. Click the blue plus button and select Create SASE Tunnel.
  4. Enter the Umbrella Peer information:
    • Select Umbrella - Select the Umbrella organization of your choice.
    • Datacenter - Select a head-end datacenter. We recommend selecting a datacenter that is geographically close to the ASA associated with the Umbrella organization.  
  5. Enter the ASA Peer information:
    • Select ASA Device - Select an ASA device that is associated with the Umbrella organization from the drop-down list and then click Select.
    • Public Facing Interface - Select an IPv4 address that is static and publicly routable. This address should not be used for NAT.
    • LAN Address - Select the LAN interfaces that control the LAN subnet. You must select at least one interface for LAN.
    • Virtual Tunnel Interface - This field is automatically filled once you select the Umbrella organization and the ASA peer device. If necessary, you can manually enter an IP address that will be used as the new VTI.  
  6. The Passphrase is automatically filled once you select the Umbrella organization and the ASA peer device. The Confirm Passphrase is also automatically filled. You can manually enter these fields if necessary. 
  7. (Optional) The Deploy changes to ASA immediately toggle at the bottom of the pop-up window is enabled by default. When enabled, the SASE tunnel configuration is immediately deployed to the ASA peer selected in the tunnel configuration. If you want to stage changes and deploy later, manually toggle the option to disable.
  8. Click Deploy. Optionally, click Deploy and Create Another to simultaneously deploy this SASE tunnel and create another tunnel. Once deployed, the tunnel will appear in the VPN Tunnels page. If you choose to Deploy and Create Another SASE tunnel, CDO saves both the Umbrella organization selection and the Deploy changes to ASA immediately toggle setting and automatically applies these selections to the next tunnel configuration. You can manually alter these selections prior to deploying.


Delete a SASE Tunnel

To delete a SASE tunnel, the ASA associated with it must have a synced status in CDO. You cannot delete a tunnel if the device is unhealthy.

Note that if you delete a SASE tunnel from CDO, the tunnel is removed from both the ASA device and the Umbrella organization associated with it. 

Warning: If you delete a tunnel from CDO while the Umbrella organization credentials are considered invalid, or have changed since you onboarded the organization, CDO can only deploy the tunnel configuration to the ASA devices associated with the organization. Upon updating the credentials, CDO reads the Umbrella configuration and repopulates any tunnels that were deleted. Because the tunnel then exists in the Umbrella organization but not on any of the ASA devices, there will be a synchronization issue and the ASA devices may not appear as peers to the organization. We recommend confirming the Umbrella credentials prior to deleting any tunnels associated with the organization.

Use the following procedure to delete a SASE tunnel through the CDO UI: 

  1. Log into CDO.
  2. Navigate to the VPN window. Select Site-to-Site VPN.
  3. Select the tunnel you want to delete from CDO. 
  4. In the Actions pane, click Delete.
  5. Confirm you want to delete the tunnel and click OK.

