KB43805 - Windows 10 network adapter has a status of "No Internet Access" after a VPN tunnel is created and certain Microsoft Office 365 services cannot connect due to NCSI failing with "No Internet Connection"

This article describes an issue with Windows 10 where the network adapter status displays "No Internet Access" after a VPN tunnel is created and certain online applications such as Microsoft Office 365 cannot connect due to NCSI failing with "No Internet Connection".

On Windows 10, once the Pulse VPN tunnel setup is complete and VPN tunnel connectivity is established, Windows 10 may display "No Internet Access" for the status of the network adapter:



And online applications such as MSFT Office 365 are not available due to error "No Internet Connection" in o365 account settings. 

Any time a network configuration change is detected, Windows will use the Network Connection Status Indicator (NCSI) technology to:

• Check the connectivity to an Intranet
• Check the connectivity to the Internet

NCSI determines connectivity using the following process:  

1. The adapter will send a DNS query for www.msftconnecttest.com*.
2. If successful, an http GET request is sent for www.msftconnecttest.com/connecttest.txt.
3. If the client receives an HTTP 200 OK response, NCSI sends a standard DNS query for an A record of dns.msftncsi.com and subsequently a standard DNS query is sent for an AAAA record of dns.msftncsi.com.

*If Split Tunneling is enabled then the above process takes place on the client's LAN adapter as well as on the Pulse virtual adapter.

If the DNS request in step 1 fails, or the HTTP response is anything other than HTTP 200 OK in step 2, then the LAN adapter and/or the Pulse virtual adapter will display a status of "No Internet access" and certain online applications such as Microsoft Office 365 will not work properly.  

Pulse Secure is reviewing the issue and will continue to update the KB as progress is made to resolve this issue. However, the following workaround can be applied:

1. If Pulse is configured without split tunneling, then Windows 10 will send the NCSI requests over the virtual adapter.  The VPN Tunneling ACL should allow access to:

2. Ensure that corporate DNS servers configured in the VPN connection profile are able to resolve queries for the hosts above.
3. If Pulse is configured with split tunneling enabled, then the above resource should be added to the Split Tunneling Policy to ensure these requests are sent through the VPN tunnel.  Otherwise, Windows 10 will not generate any NCSI requests to check for Internet connectivity on the Pulse virtual adapter.
4. If the client or VPN profile is configured to proxy requests then requests to above sites should be allowed through the proxy.  

Refer to this Networking Blog for examples of the expected DNS queries and HTTP requests/responses, taken using Microsoft Network Monitor, that are generated by NCSI in order to establish Internet connectivity.