Internet connection is lost at random times when Windows VPN is active

Anonymous
2024-06-04T17:06:26+00:00

I am a seasoned Windows user and software developer (30+ years). I have done a lot of testing to try to figure out this problem but I am at a loss.

I'm running Windows 10 on two different computers and the same problem occurs on both of them. I work from home and the firm I work for has an internal network that hosts various resources (servers and software). They have a dedicated Windows Server acting as a VPN server for users who need remote access, like me. I launch a Windows VPN client connection on my Windows 10 systems to gain access to the internal network. BUT fairly recently the VPN client connection has become very unreliable with regard to maintaining an internet connection. Usually, my internet connection is fine for a period of time after I launch the VPN. However, after an indeterminate amount of time (anywhere from seconds to a few minutes to sometimes a few hours) I lose internet connectivity. The Windows VPN network status property window claims the VPN is connected and internet is available. But any application I run that requires an internet connection fails at this point. I must stop the VPN client in order to regain internet. Restarting the VPN simply repeats the cycle.

My home network environment is wired TCP/IP through a TP-Link Deco router. My ISP provides fiber network service (fiber modem) with at least 1 Gbps speed. Network service is fine if I am not using the VPN.

The internet drop-out problems started to occur after I switched from my previous ISP and an older DSL network service (and a different network router). VPN connections to my work network were reliable under this old system (but the underlying DSL network was unreliable and would drop out frequently, which is why I switched).

I have run the Windows networking troubleshooter, both before and after the VPN has lost internet. When internet is working, the troubleshooter finds no problems (as one would expect). After internet is lost, the troubleshooter reports that no DNS server can be located.

I have involved my work network administrator to try to diagnose the problem. He says the VPN server can identify when I connect but it does not show any obvious errors when internet is lost.

I have checked the Windows event log on my home computers. No errors related to networking are reported.

I am out of ideas and the experienced support tech at my work is as well. It appears that Windows does not (obviously) provide the diagnostics we need to resolve the problem. I am open to suggestions from the community.

Jeff

***moved from Windows / Windows 10 / Internet and connectivity***


12 answers

  1. Anonymous
    2024-06-07T07:19:59+00:00

    Hi Jeff,

    Thank you for the detailed description of your issue. Based on your explanation, the VPN connection causes the internet connection to drop after a certain period. Here are some potential issues and solutions that might help resolve this problem:

    1. Check Router Settings:

    • Ensure that your TP-Link Deco router firmware is up to date.
    • Verify if the MTU setting on your router is appropriate for your network. You can try setting it to 1400 or 1450 to avoid packet fragmentation issues.

    2. Adjust VPN Client Settings:

    • Try changing the DNS server settings on your VPN client to use public DNS servers (such as Google's 8.8.8.8 and 8.8.4.4).
    • Disable the "Use default gateway on remote network" option in the VPN connection properties (under the TCP/IPv4 settings on the "Networking" tab).

    3. Check Local Network Settings:

    • Ensure that your local network adapter drivers are up to date.
    • Run ipconfig /flushdns and netsh winsock reset in the command prompt to flush the DNS cache and reset the Winsock catalog.
    • Try setting the DNS server on your local network adapter to public DNS servers.

    4. Logs and Diagnostic Tools:

    • Enable VPN connection logging in Windows for more detailed recording and analysis of the issue. Check the "Microsoft-Windows-RRAS" log in the Windows Event Viewer.
    • Use network monitoring tools (such as Wireshark) to capture network traffic before and after the VPN disconnects and analyze for any anomalies.

    5. Try a Different VPN Client:

    • Try using a different VPN client software to see if the issue persists. For example, you can use OpenVPN or another third-party VPN client.


    6. Use an Alternate Network:

    • If possible, try using the VPN on a different network environment (such as a mobile hotspot) to see if the issue still occurs. This can help determine if the problem is specific to your local network environment.

    I hope these suggestions help. If the issue persists, please feel free to share more information on the forum, and other community members might be able to provide additional support and suggestions.

    Good luck,

    Rosy

    1 person found this answer helpful.
  2. Anonymous
    2024-06-10T14:17:10+00:00

    Thanks for the suggestions. I will respond to some of them.

    1. The TP-Link Deco router I use doesn't permit end users to change the MTU. Or, at least not until a firmware update adds that feature. I need to schedule a time to apply the update and see if the MTU feature was added.
    2. I installed Wireshark. It provided some interesting insights. I made one change based on what I found (disable IPv6 for the VPN) but it did not solve the problem. The only noticeable difference afterwards was the "Network Troubleshooter" no longer was able to identify a cause. In other words, the troubleshooter did not flag a missing DNS server as the problem. Therefore, I think the DNS is not really the problem so I haven't made any DNS changes. I will keep using Wireshark, though.

    I could not locate a way to "enable VPN connection logging", as you say. Unless you are referring to the event log entries added by the VPN client when starting and stopping the connection. Those appear to provide only limited information. I looked for the "Microsoft-Windows-RRAS" logs and found some things similar to that name. However, those event viewer nodes contained no information.

    1. My work's IT person has talked about trying a different VPN. This probably won't happen soon, though.

    Jeff

    1 person found this answer helpful.
  3. Anonymous
    2024-06-10T20:27:03+00:00

    Hello Jeff,

    Which type of VPN is being used (IKEv2, SSTP, L2TP)? The troubleshooting approach differs between the IPsec and TLS types.

    Diagnostic tracing is available, but the trace data is often difficult to interpret and it is often difficult to know which diagnostic providers to enable.

    If you are using an IPsec based VPN, then it would be useful to know what these two PowerShell cmdlets report when the problem has occurred: Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA.

    Gary

  4. Anonymous
    2024-06-11T14:29:13+00:00

    As a matter of fact, our VPN seems to only work with PPTP. I had configured my connection in Windows using the "Automatic" option but when I went back and tried the specific options, only PPTP succeeds in establishing a connection.

    1 person found this answer helpful.
  5. Anonymous
    2024-06-11T16:41:10+00:00

    Hello Jeff,

    IKEv2, SSTP and L2TP (except in pre-shared key mode) require the VPN server to possess a certificate issued by a certificate authority trusted by your machines. I guess that the necessary conditions do not prevail in your environment.

    Point 4 from Rosy contains the most appropriate "first step" diagnostic tracing. Collection of a network trace and Microsoft-Windows-RRAS can be combined in a single command (and the data stored in a single file - very useful for correlating related information).

    One command that should achieve this is:

    pktmon start --capture --comp nics --trace --provider Microsoft-Windows-RRAS --file-name why.etl

    Tracing is stopped with the command:

    pktmon stop

    One tool (now deprecated) that can interpret the trace data in why.etl is/was Microsoft Message Analyzer.

    Gary

    1 person found this answer helpful.
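
One way to record the client's state at the moment connectivity is lost, so the "no DNS server" symptom from the question can be told apart from a routing change (an added example, not posted by anyone in this thread). The connection name, probe host name and log path are assumed values; the script only uses built-in Windows cmdlets.

```powershell
# Added example, not from the thread. $VpnName, $ProbeName and $LogPath are assumed values.
param(
    [string]$VpnName   = 'Work VPN',                    # assumed name of the Windows VPN connection
    [string]$ProbeName = 'www.microsoft.com',           # assumed: any public host name
    [string]$LogPath   = "$env:TEMP\vpn-state.jsonl",   # one JSON snapshot per line
    [int]$IntervalSec  = 15
)

function Get-VpnStateSnapshot {
    $vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
    # Default routes, best (lowest combined metric) first. With "Use default gateway on
    # remote network" enabled, the VPN interface is expected to appear at the top.
    $defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $nic = Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                NextHop   = $_.NextHop
                Metric    = $_.RouteMetric + $nic.InterfaceMetric
            }
        } | Sort-Object Metric
    # Query every configured DNS server directly: a dead resolver and a dead path look different.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object ServerAddresses |
        ForEach-Object {
            foreach ($server in $_.ServerAddresses) {
                $ok = [bool](Resolve-DnsName -Name $ProbeName -Server $server -Type A -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue)
                [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $server; Resolves = $ok }
            }
        }
    [pscustomobject]@{
        Time           = (Get-Date).ToString('o')
        VpnStatus      = "$($vpn.ConnectionStatus)"
        TunnelType     = "$($vpn.TunnelType)"
        SplitTunneling = $vpn.SplitTunneling
        DefaultRoutes  = $defaultRoutes
        Dns            = $dns
        # Reachability by IP address removes name resolution from the test (8.8.8.8 is named in the thread).
        PingByIp       = Test-Connection -ComputerName 8.8.8.8 -Count 1 -Quiet
    }
}

while ($true) {
    Get-VpnStateSnapshot | ConvertTo-Json -Depth 4 -Compress | Add-Content -Path $LogPath
    Start-Sleep -Seconds $IntervalSec
}
```

Compare the last snapshot in which `PingByIp` is true with the first in which it is false: a changed default route or metric points at routing, while unchanged routes with `Resolves` false on every server point at DNS. The timestamps can be lined up with a `pktmon` trace taken over the same period.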