SSTP VPN Client strange network connectivity issues

Question

Hi,

I have a user who is connected via an SSTP VPN on our internal RRAS server.

They have some strange behaviour when connected, in that;
Outlook/Teams won't connect
Shared/mapped drive inaccessible
Most websites inaccessible
DNS is good
Google.com loads
Ping tests to all IPs is ok and routing seems fine
Can load \server_name\ but cannot load any of its shares

Device is fine when connected to the same network via WiFi.
I'm banging my head against a brick wall and need some advice on what else to check, as it makes no sense to me that google.com specifically would load, but no other sites seem to.

Cheers
James

Answer 1

Hello James,

There are some hints in the traces about what is going wrong, but I still have some more research to do.

Accessing www.google.com seems to work because that seems to work without using TCP port 443 - if UDP port 443 is accessible (QUIC) then that seems to work.

The event sequence that I am concentrating on at the moment is this:

IpRouteBlocked "IP: Route [DestinationPrefix: 0.0.0.0:0/0 NextHop: 10.0.0.5:0 InterfaceIndex: 12 RouteMetric: 0] is blocked for Destination: 212.58.237.254:0 ConstrainInterfaceIndex: 12 ConstrainScopeZone: 1 in Compartment: 1, Reason: Default Routes Disabled On Interface . "  
IpRouteBlocked "IP: Route [DestinationPrefix: 0.0.0.0:0/0 NextHop: 0.0.0.0:0 InterfaceIndex: 42 RouteMetric: 1] is blocked for Destination: 212.58.237.254:0 ConstrainInterfaceIndex: 12 ConstrainScopeZone: 1 in Compartment: 1, Reason: Interface Constraint . "  
TcpipRouteLookup "IP: RouteLookup - API: IppFindNextHopAtDpcHelper DstAddr: 212.58.237.254:0 ConstrainSrcAddr: 10.0.0.169:0 ConstrainIfIndex: 12 ConstraintOveridden: 0 ReturnConstrained: 0 OutgoingIfIndex: 0 NextHopAddr: 0.0.0.0:0 Status: 3221226021 "  
TcpipRouteLookup "IP: RouteLookup - API: IppFindOrCreatePath DstAddr: 212.58.237.254:0 ConstrainSrcAddr: 10.0.0.169:0 ConstrainIfIndex: 12 ConstraintOveridden: 0 ReturnConstrained: 2050 OutgoingIfIndex: 0 NextHopAddr: 0.0.0.0:0 Status: 3221226021 "  
TcpConnectTcbFailedRoute "TCP: connection 0xFFFF97833E0148A0 (local=0.0.0.0:57257 remote=212.58.237.254:443) connect failed: route lookup status = 3221226044. "  

Interface 12 is the physical interface (which is used by the VPN client to access the VPN server) and interface 42 is the VPN interface. Status 3221226044 is STATUS_NETWORK_UNREACHABLE, 3221226021 is STATUS_NOT_FOUND. 212.58.237.254 is a BBC server.

The trace seems to be indicating that the BBC site can't be reached via interface 12 (because that would bypass the VPN) and can't be reached via the VPN (interface 42) because there is a "constraint" that interface 12 must be used.

The area that I need to research is that of routing "constraints". Amongst other questions, I can't understand how using UDP to reach the address works when TCP fails.

Gary

Answer 2

Hello James,

One approach would be to use pktmon to trace a simple scenario - perhaps loading www.google.com followed by loading news.bbc.co.uk (assuming that that is one of the web sites that is inaccessible).

The command that I would suggest using is: pktmon start --capture --comp nics --flags 0x14 --trace --provider Microsoft-Windows-WFP --provider Microsoft-Windows-TCPIP --keywords 0x3FFFFFFFFFFF --level 17 --file-name why.etl to start a trace and pktmon stop to stop the trace.

The resulting trace file (why.etl) could then be shared.

Gary