Win11Pro is blocking outbound traffic to a specific subnet even with Firewall rule enabling.

Anonymous
2024-02-20T22:43:53+00:00

I have 1 Win11Pro/Domain joined machine that is now blocking outbound traffic to a specific subnet on the other side of the IPSec VPN tunnel. I have the firewall rule enabled to send all traffic to that subnet. Machines from the other side of the tunnel can ping the target machine but the reverse is not working. Interestingly, it can ping machines on the third subnet without issue.

Logging showed that the WFP was dropping the packets. Does anyone have a hint?

***moved from Windows / Windows 11 / Internet and connectivity***


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-02-22T02:23:18+00:00

    Hello,

    Based on our understanding of the issue, we recommend that you follow these steps to troubleshoot:

    1. Ensure that the firewall rule on the Win11Pro machine explicitly allows ICMP (ping) traffic to the specific subnet. Sometimes, even if general traffic is allowed, ICMP might be blocked separately.

    2. Check the routing table on the Win11Pro machine (route print in Command Prompt). Make sure there's a route to the problematic subnet through the IPSec tunnel interface and it has a lower metric than any other conflicting routes.

    3. IPSec Policies: Check IPSec policies for possible filters that might be blocking the traffic to the specific subnet.

    4. Some antivirus software or third-party security solutions may also have their own firewall rules that could be blocking the traffic. Temporarily disable them to test if they're causing the issue.

    Regards,

    Zunhui

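The checks in steps 1 and 2 above, together with a way to read the WFP drop audit the question mentions, as an added PowerShell example that is not code from any poster in this thread or from Microsoft. It assumes a constructed target address 192.168.10.20 on the domain subnet described later in the thread (192.168.10.0/24), IPv4 only, and an elevated PowerShell 5.1 or later session; the function names are the example's own.

```powershell
# Added example for this thread, not code from the posters or from Microsoft.
# Assumptions: $TargetIp is a constructed host on the 192.168.10.0/24 domain subnet,
# IPv4 only, elevated session (reading the Security log needs it).
param([string]$TargetIp = '192.168.10.20')

function ConvertTo-IpNumber {
    # Dotted-quad IPv4 string -> [long], so masks and ranges can be compared numerically.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]($b[0]) * 16777216) + ([long]($b[1]) * 65536) + ([long]($b[2]) * 256) + [long]($b[3])
}

function Test-IpInScope {
    # $true when $Ip falls inside $Scope, where $Scope is one value as reported by
    # Get-NetFirewallAddressFilter or Get-NetRoute: 'Any', a.b.c.d, a.b.c.d/n,
    # a.b.c.d/m.m.m.m, or a.b.c.d-w.x.y.z. Keywords such as LocalSubnet and IPv6
    # scopes are treated as non-matching (a simplification of this example).
    param([string]$Ip, [string]$Scope)
    if ($Scope -eq 'Any') { return $true }
    if ($Scope -notmatch '^\d{1,3}(\.\d{1,3}){3}') { return $false }
    $n = ConvertTo-IpNumber $Ip
    if ($Scope -match '^(?<net>[\d.]+)/(?<mask>[\d.]+)$') {
        $net = $Matches.net; $maskStr = $Matches.mask   # copy before any further -match resets $Matches
        $mask = if ($maskStr.Contains('.')) { ConvertTo-IpNumber $maskStr }
                else { [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$maskStr)) }
        return (($n -band $mask) -eq ((ConvertTo-IpNumber $net) -band $mask))
    }
    if ($Scope -match '^(?<lo>[\d.]+)-(?<hi>[\d.]+)$') {
        $lo = $Matches.lo; $hi = $Matches.hi
        return ($n -ge (ConvertTo-IpNumber $lo)) -and ($n -le (ConvertTo-IpNumber $hi))
    }
    return ($n -eq (ConvertTo-IpNumber $Scope))
}

function Get-FirewallRulesCoveringIp {
    # Enabled outbound rules whose remote-address scope contains $Ip. Windows Firewall
    # evaluates Block rules before Allow rules, so any Block hit here overrides an Allow
    # rule for the same traffic (step 1 above; also a broad Block range that happens
    # to contain the subnet).
    param([string]$Ip)
    foreach ($rule in (Get-NetFirewallRule -Enabled True -Direction Outbound)) {
        $scopes = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $hit = $scopes | Where-Object { Test-IpInScope -Ip $Ip -Scope $_ } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Action = $rule.Action; Profile = $rule.Profile; Scope = $hit }
        }
    }
}

function Get-RouteForIp {
    # Longest-prefix IPv4 route covering $Ip: the route 'route print' would select (step 2).
    param([string]$Ip)
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { Test-IpInScope -Ip $Ip -Scope $_.DestinationPrefix } |
        Sort-Object { [int]($_.DestinationPrefix -split '/')[1] } -Descending |
        Select-Object -First 1 DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, InterfaceMetric
}

function Get-WfpDropsTo {
    # Security event 5152 = "The Windows Filtering Platform blocked a packet". Needs
    #   auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
    # The Filter Run-Time ID names the WFP filter that dropped it; 'netsh wfp show state'
    # writes wfpstate.xml where that ID can be looked up to find the owning provider.
    param([string]$Ip, [int]$Max = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Destination Address:\s+$([regex]::Escape($Ip))\b" } |
        Select-Object -First $Max TimeCreated,
            @{ n = 'FilterId'; e = { [regex]::Match($_.Message, 'Filter Run-Time ID:\s+(\d+)').Groups[1].Value } },
            @{ n = 'Layer';    e = { [regex]::Match($_.Message, 'Layer Name:\s+(.+)').Groups[1].Value.Trim() } }
}

"== Enabled outbound firewall rules covering $TargetIp (Block beats Allow) =="
Get-FirewallRulesCoveringIp -Ip $TargetIp | Sort-Object Action | Format-Table -AutoSize
"== Route selected for $TargetIp =="
Get-RouteForIp -Ip $TargetIp | Format-List
"== Recent WFP drops to $TargetIp (Security event 5152) =="
Get-WfpDropsTo -Ip $TargetIp | Format-Table -AutoSize
```

If the first table shows a Block rule whose scope is a range or prefix wider than the subnet, that rule wins regardless of the Allow rule, which is the situation the WFP audit drops point at: the Filter Run-Time ID in the third table identifies the offending filter, and the rule list shows which Windows Firewall rule produced it.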
  2. Anonymous
    2024-02-22T18:50:35+00:00

    This computer was originally within our domain network (192.168.10.0/24). It was moved to the user's home (192.168.11.0/24). A Cisco VPN router was used to make 2 VPN tunnels, 1 to the main office and 1 to a secondary network. The computers on the domain network can ping this computer via the VPN tunnel, but this computer cannot initiate a ping to any of the domain computers. It can ping the domain router through the VPN tunnel but not past that. On the secondary tunnel, the computer can ping with no packet loss.

    Symantec Endpoint Protection was uninstalled and Windows Firewall was disabled without any effect. Auditing the WFP showed the outbound packets were dropped.

    Looking at the Advanced Windows Firewall settings, all parameters for the Private and Domain network were enabled.

    All VPN processing was done by the Cisco router so there shouldn't be any IPSec policy being active.

    Interesting note: if I set up a Einfoed PPTP VPN connection on the computer, it can connect to the domain network.

  3. Anonymous
    2024-02-23T18:55:05+00:00

    As it turned out, the firewall was blocking a range of addresses that included the domain subnet.
