Reset Search
 

 

Article

KB43805 - Windows 10 network adapter has a status of "No Internet Access" after a VPN tunnel is created using split tunneling disabled

« Go Back

Information

 
Last Modified Date10/5/2018 6:23 PM
Synopsis
This article describes an issue with Windows 10 in which the network adapter status displays "No Internet Access" after a VPN tunnel is created using split tunneling disabled
Problem or Goal
On Windows 10, once the Pulse VPN tunnel setup is complete and VPN tunnel connectivity is established, on a role with split tunneling disabled, Windows 10 may display "No Internet Access" for the status of the network adapter:

User-added image

When this happens, applications that rely on this network connectivity status check, such as Office 365 and the Microsoft App Store, will fail to connect

User-added image
Cause
When a network configuration change is detected, Windows will use the Network Connection Status Indicator (NCSI) technology to:
  • Check the connectivity to the Intranet
  • Check the connectivity to the Internet
NCSI determines connectivity using the following process:  
  1. The adapter will send a DNS query for www.msftconnecttest.com and www.ipv6.msftconnecttest.com(for dual stack machines)
  2. If successful, an http GET request is sent for www.msftconnecttest.com/connecttest.txt.
  3. If the client receives an HTTP 200 OK response, NCSI sends a standard DNS query for an A record of dns.msftncsi.com and subsequently a standard DNS query is sent for an AAAA record of dns.msftncsi.com.
If the DNS request in step 1 fails, or the HTTP response is anything other than HTTP 200 OK in step 2, then the LAN adapter and/or the Pulse virtual adapter will display a status of "No Internet access" and applications such as Microsoft Office 365 will report network access failures and not connect.
Solution
 We can check the below steps to resolve the issue in the meantime.
  1. If Pulse is configured without split tunneling, then Windows 10 will send the NCSI requests over the virtual adapter. The VPN Tunneling ACL should allow access to:
www.msftconnecttest.com
www.ipv6.msftconnecttest.com
dns.msftncsi.com
  1. Ensure that corporate DNS servers configured in the VPN connection profile are able to resolve and respond to queries for the hosts above.
  2. If the client or VPN profile is configured to proxy requests then requests to above sites should be allowed through the proxy. 
We can collect the wireshark capture taken from the virtual adapter when the VPN tunnel gets connected and immediately when the NCSI query is sent out. we can also check for traffic hitting the proxy in case a proxy is there.

We would need below information to troubleshoot :

1. Wireshark from Virtual adapter.

To collect wireshark from virtual adapter so that we capture the DNS requests, please follow below steps :
  • Open wireshark.
  • connect VPN and then select Virtual adapter in wireshark and start capture.
  • Stop wireshark capture and keep wireshark running with Virtual adapter selected.
  • Disconnect VPN.
  • Connect VPN and immediately start capture on wireshark on virtual adapter to capture the DNS requests.
2. TCP dump from PCS from internal interface with filter set to host DNSserverIP configured on VPN connection profile.

If the DNS requests are responded to and still we see the issue, please open a support case with above logs.
 
Related Links
Attachment 1 
Created ByMahendra Patel

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255