SSTP VPN Client strange network connectivity issues

James Edmonds 811 Reputation points
2022-09-05T15:59:35.903+00:00

Hi,

I have a user who is connected via an SSTP VPN on our internal RRAS server.

They have some strange behaviour when connected, in that:
Outlook/Teams won't connect
Shared/mapped drive inaccessible
Most websites inaccessible
DNS is good
Google.com loads
Ping tests to all IPs are ok and routing seems fine
Can load \\server_name\ but cannot load any of its shares

Device is fine when connected to the same network via WiFi.
I'm banging my head against a brick wall and need some advice on what else to check, as it makes no sense to me that google.com specifically would load, but no other sites seem to.

Cheers
James


Accepted answer
  1. Gary Nebbett 5,721 Reputation points
    2022-09-06T19:34:31.737+00:00

    Hello James,

    There are some hints in the traces about what is going wrong, but I still have some more research to do.

    Accessing www.google.com seems to work because that seems to work without using TCP port 443 - if UDP port 443 is accessible (QUIC) then that seems to work.

    The event sequence that I am concentrating on at the moment is this:

    IpRouteBlocked "IP: Route [DestinationPrefix: 0.0.0.0:0/0 NextHop: 10.0.0.5:0 InterfaceIndex: 12 RouteMetric: 0] is blocked for Destination: 212.58.237.254:0 ConstrainInterfaceIndex: 12 ConstrainScopeZone: 1 in Compartment: 1, Reason: Default Routes Disabled On Interface . "  
    IpRouteBlocked "IP: Route [DestinationPrefix: 0.0.0.0:0/0 NextHop: 0.0.0.0:0 InterfaceIndex: 42 RouteMetric: 1] is blocked for Destination: 212.58.237.254:0 ConstrainInterfaceIndex: 12 ConstrainScopeZone: 1 in Compartment: 1, Reason: Interface Constraint . "  
    TcpipRouteLookup "IP: RouteLookup - API: IppFindNextHopAtDpcHelper DstAddr: 212.58.237.254:0 ConstrainSrcAddr: 10.0.0.169:0 ConstrainIfIndex: 12 ConstraintOveridden: 0 ReturnConstrained: 0 OutgoingIfIndex: 0 NextHopAddr: 0.0.0.0:0 Status: 3221226021 "  
    TcpipRouteLookup "IP: RouteLookup - API: IppFindOrCreatePath DstAddr: 212.58.237.254:0 ConstrainSrcAddr: 10.0.0.169:0 ConstrainIfIndex: 12 ConstraintOveridden: 0 ReturnConstrained: 2050 OutgoingIfIndex: 0 NextHopAddr: 0.0.0.0:0 Status: 3221226021 "  
    TcpConnectTcbFailedRoute "TCP: connection 0xFFFF97833E0148A0 (local=0.0.0.0:57257 remote=212.58.237.254:443) connect failed: route lookup status = 3221226044. "  
    

    Interface 12 is the physical interface (which is used by the VPN client to access the VPN server) and interface 42 is the VPN interface. Status 3221226044 is STATUS_NETWORK_UNREACHABLE, 3221226021 is STATUS_NOT_FOUND. 212.58.237.254 is a BBC server.

    The trace seems to be indicating that the BBC site can't be reached via interface 12 (because that would bypass the VPN) and can't be reached via the VPN (interface 42) because there is a "constraint" that interface 12 must be used.

    The area that I need to research is that of routing "constraints". Amongst other questions, I can't understand how using UDP to reach the address works when TCP fails.

    Gary
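The event sequence quoted in this answer can be pulled out of a trace text export mechanically rather than by eye. The script below is an added example written for this thread; it is not code from Microsoft, from pktmon, or from the answer. It parses the three event types quoted above (the field layout in the regular expressions is assumed from those quoted lines only), decodes the two NTSTATUS values the answer names, groups the blocked-route events beside the connect failure for the same destination, and gives a one-line verdict in the answer's own terms. The sample lines are the ones from the answer, embedded as constructed input; the interface indexes 12 and 42 are passed in as parameters rather than assumed.

```python
"""Correlate Microsoft-Windows-TCPIP route-lookup events with failed TCP connects.

Added example for this thread, not Microsoft or pktmon code. Event text formats
are taken from the lines quoted in the answer; the regex field names are
assumptions based on those lines only.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input: the event lines quoted in the answer.
SAMPLE_EVENTS = [
    'IpRouteBlocked "IP: Route [DestinationPrefix: 0.0.0.0:0/0 NextHop: 10.0.0.5:0 InterfaceIndex: 12 RouteMetric: 0] is blocked for Destination: 212.58.237.254:0 ConstrainInterfaceIndex: 12 ConstrainScopeZone: 1 in Compartment: 1, Reason: Default Routes Disabled On Interface . "',
    'IpRouteBlocked "IP: Route [DestinationPrefix: 0.0.0.0:0/0 NextHop: 0.0.0.0:0 InterfaceIndex: 42 RouteMetric: 1] is blocked for Destination: 212.58.237.254:0 ConstrainInterfaceIndex: 12 ConstrainScopeZone: 1 in Compartment: 1, Reason: Interface Constraint . "',
    'TcpipRouteLookup "IP: RouteLookup - API: IppFindNextHopAtDpcHelper DstAddr: 212.58.237.254:0 ConstrainSrcAddr: 10.0.0.169:0 ConstrainIfIndex: 12 ConstraintOveridden: 0 ReturnConstrained: 0 OutgoingIfIndex: 0 NextHopAddr: 0.0.0.0:0 Status: 3221226021 "',
    'TcpipRouteLookup "IP: RouteLookup - API: IppFindOrCreatePath DstAddr: 212.58.237.254:0 ConstrainSrcAddr: 10.0.0.169:0 ConstrainIfIndex: 12 ConstraintOveridden: 0 ReturnConstrained: 2050 OutgoingIfIndex: 0 NextHopAddr: 0.0.0.0:0 Status: 3221226021 "',
    'TcpConnectTcbFailedRoute "TCP: connection 0xFFFF97833E0148A0 (local=0.0.0.0:57257 remote=212.58.237.254:443) connect failed: route lookup status = 3221226044. "',
]

# NTSTATUS values named in the answer; the trace prints them in decimal.
NTSTATUS_NAMES = {
    0xC0000225: "STATUS_NOT_FOUND",
    0xC000023C: "STATUS_NETWORK_UNREACHABLE",
}


def ntstatus_name(code: int) -> str:
    """Map a decimal NTSTATUS from the trace to its symbolic name, or hex if unknown."""
    return NTSTATUS_NAMES.get(code, f"NTSTATUS_0x{code:08X}")


ROUTE_BLOCKED_RE = re.compile(
    r'IpRouteBlocked "IP: Route \[DestinationPrefix: (?P<prefix>\S+) '
    r'NextHop: (?P<nexthop>\S+) InterfaceIndex: (?P<ifindex>\d+) '
    r'RouteMetric: (?P<metric>\d+)\] is blocked for Destination: (?P<dst>[\d.]+):\d+ '
    r'ConstrainInterfaceIndex: (?P<constrain_if>\d+) .*?Reason: (?P<reason>.+?) \. "'
)
ROUTE_LOOKUP_RE = re.compile(
    r'TcpipRouteLookup "IP: RouteLookup - API: (?P<api>\S+) DstAddr: (?P<dst>[\d.]+):\d+ '
    r'.*?OutgoingIfIndex: (?P<out_if>\d+) NextHopAddr: (?P<nexthop>\S+) Status: (?P<status>\d+)'
)
CONNECT_FAILED_RE = re.compile(
    r'TcpConnectTcbFailedRoute "TCP: connection (?P<tcb>0x[0-9A-Fa-f]+) '
    r'\(local=(?P<local>\S+) remote=(?P<dst>[\d.]+):(?P<port>\d+)\) '
    r'connect failed: route lookup status = (?P<status>\d+)'
)


def parse_event(line: str) -> dict | None:
    """Normalise one trace line into a dict, or None for event types we ignore."""
    line = line.strip()
    m = ROUTE_BLOCKED_RE.search(line)
    if m:
        return {"kind": "route_blocked", "dst": m["dst"], "ifindex": int(m["ifindex"]),
                "nexthop": m["nexthop"], "constrain_if": int(m["constrain_if"]),
                "reason": m["reason"].strip()}
    m = ROUTE_LOOKUP_RE.search(line)
    if m:
        return {"kind": "route_lookup", "dst": m["dst"], "api": m["api"],
                "out_if": int(m["out_if"]), "status": ntstatus_name(int(m["status"]))}
    m = CONNECT_FAILED_RE.search(line)
    if m:
        return {"kind": "connect_failed", "dst": m["dst"], "port": int(m["port"]),
                "status": ntstatus_name(int(m["status"]))}
    return None


def correlate(lines) -> dict[str, dict]:
    """Group events by destination IP so blocked routes sit beside the connect failure."""
    per_dst: dict[str, dict] = defaultdict(lambda: {"blocked": [], "lookups": [], "failures": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        bucket = per_dst[ev["dst"]]
        if ev["kind"] == "route_blocked":
            bucket["blocked"].append((ev["ifindex"], ev["reason"]))
        elif ev["kind"] == "route_lookup":
            bucket["lookups"].append((ev["api"], ev["status"]))
        else:
            bucket["failures"].append((ev["port"], ev["status"]))
    return dict(per_dst)


def diagnose(per_dst: dict[str, dict], vpn_if: int, physical_if: int) -> list[str]:
    """One-line verdict per destination, phrased the way the answer explains the trace."""
    verdicts = []
    for dst, info in per_dst.items():
        reasons = {ifidx: reason for ifidx, reason in info["blocked"]}
        phys, vpn = reasons.get(physical_if, ""), reasons.get(vpn_if, "")
        if info["failures"] and "Default Routes Disabled" in phys and "Interface Constraint" in vpn:
            ports = ",".join(str(p) for p, _ in info["failures"])
            verdicts.append(
                f"{dst} tcp/{ports}: no usable route - the default route on if {physical_if} is "
                f"disabled (traffic must go through the VPN) and the VPN route on if {vpn_if} is "
                f"rejected because the socket is constrained to if {physical_if}")
        elif info["failures"]:
            verdicts.append(f"{dst}: connect failed ({info['failures'][0][1]}); blocked routes: {info['blocked']}")
    return verdicts


if __name__ == "__main__":
    for verdict in diagnose(correlate(SAMPLE_EVENTS), vpn_if=42, physical_if=12):
        print(verdict)
```

On a real capture, feed the lines of the trace's text rendering to correlate() and pass the interface indexes from the trace; the regexes assume that rendering matches the quoted lines above, so check a few lines by hand first if the export tool formats them differently.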


1 additional answer

  1. Gary Nebbett 5,721 Reputation points
    2022-09-06T08:51:46.937+00:00

    Hello James,

    One approach would be to use pktmon to trace a simple scenario - perhaps loading www.google.com followed by loading news.bbc.co.uk (assuming that that is one of the web sites that is inaccessible).

    The command that I would suggest using is: pktmon start --capture --comp nics --flags 0x14 --trace --provider Microsoft-Windows-WFP --provider Microsoft-Windows-TCPIP --keywords 0x3FFFFFFFFFFF --level 17 --file-name why.etl to start a trace and pktmon stop to stop the trace.

    The resulting trace file (why.etl) could then be shared.

    Gary