question

DimitriGoossens-4099 asked

Get-NetIpInterface VS "netsh interface ipv4 show interfaces"... different results on same interfaces -> changed metric not working on always on vpn interface

Hi,

We're performing an Always On VPN project, and have an issue with DNS resolution.
In general we want the AOVPN interface to have a lower metric than the wired NIC.
The DNS gets chosen based on the interface with the lowest metric.

We're using a script from Richard Hicks to change the metric of the AOVPN interface.
(https://github.com/richardhicks/aovpn/blob/master/Update-Rasphone.ps1)
It does get set correctly, and is being changed in the rasphone.pbk file located in "C:\ProgramData\Microsoft\Network\Connections\"
(we're installing it for all users, hence the location of the file).

So far, so good. Everything seems to get adapted correctly (verified the metric in the GUI of the interface too, and it shows the changed metric).

However when a client connects via VPN, they still get the ISP DNS server (via wired interface) to respond instead of the internal DNS server.
Lowering the metric of the AOVPN interface, should have forced this DNS to be used.

Now for the question :)

When checking the metric of the connections via "netsh interface ipv4 show interfaces", the metric is correct (we see the changed one)

When checking via Get-NetIPInterface, the old value is still shown, valued 25, which is automatic. This is the metric being used, and the one queried with netsh is being ignored.

Does anyone know why there is a difference in both ways to query them?

Tags: windows-10-network, windows-dhcp-dns

CandyLuo-MSFT answered

Hi,

Could you please post output of netsh interface ipv4 show interfaces and Get-NetIPInterface ? This can help us identify your issue better.

Based on my understanding, netsh interface ipv4 show interfaces shows correct metric value but Get-NetIPInterface shows wrong metric value. And when a client connects via VPN, they still get the ISP DNS. Is that right? Please feel free to let me know if I have any misunderstanding.

Please try Set-NetIPInterface cmdlet to set the correct metric for VPN adapter. See if it works.

For example, in PowerShell, by running:

    Set-NetIPInterface -InterfaceIndex 12 -InterfaceMetric 5

Best Regards,
Candy

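Before posting the two outputs, it helps to line them up per interface. The script below is an added example for this thread, not code from the original post or from Richard Hicks' Update-Rasphone.ps1: it parses the fixed-width table that `netsh interface ipv4 show interfaces` prints, joins it on interface index with `Get-NetIPInterface`, and also reads the value written into the phonebook. Assumptions are labelled in the code: the AOVPN adapter alias equals the profile name, the all-users phonebook lives at `%ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk`, the key the script sets is `IpInterfaceMetric`, and 'Contoso AOVPN' is a placeholder profile name.

```powershell
# Added example (not from the thread or from the Update-Rasphone.ps1 script): show the three
# places an AOVPN interface metric can be read from, so a mismatch is visible at a glance.
# Assumptions: the AOVPN adapter alias equals the profile name, and the all-users phonebook is
# %ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk with an IpInterfaceMetric key.

function Get-NetshIPv4Interface {
    # Parse the fixed-width table printed by "netsh interface ipv4 show interfaces":
    #   Idx     Met         MTU          State                Name
    #   ---  ----------  ----------  ------------  ---------------------------
    #    12          25        1500  connected     Ethernet
    $table = @{}
    foreach ($line in (netsh interface ipv4 show interfaces)) {
        if ($line -match '^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$') {
            # Key by [int] so it matches the cast used in Compare-InterfaceMetric
            $table[[int]$Matches[1]] = [pscustomobject]@{
                ifIndex = [int]$Matches[1]
                Metric  = [int]$Matches[2]
                Mtu     = [int]$Matches[3]
                State   = $Matches[4]
                Name    = $Matches[5]
            }
        }
    }
    return $table
}

function Get-PbkInterfaceMetric {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        # Assumed path of the all-users phonebook (the thread only names the parent folder)
        [string]$PbkPath = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
    )
    if (-not (Test-Path -LiteralPath $PbkPath)) { return $null }
    $section = $null
    foreach ($line in (Get-Content -LiteralPath $PbkPath)) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        # Assumed key name written by the script: IpInterfaceMetric=<n> under [<profile name>]
        if ($section -eq $ConnectionName -and $line -match '^IpInterfaceMetric=(\d+)\s*$') {
            return [int]$Matches[1]
        }
    }
    return $null
}

function Compare-InterfaceMetric {
    param([string]$InterfaceAlias = '*')
    $netsh = Get-NetshIPv4Interface
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object InterfaceAlias -like $InterfaceAlias |
        ForEach-Object {
            # ifIndex comes back as UInt32; cast so the hashtable lookup matches the [int] keys
            $n = $netsh[[int]$_.ifIndex]
            $netshMetric = if ($n) { $n.Metric } else { $null }
            [pscustomobject]@{
                ifIndex         = $_.ifIndex
                InterfaceAlias  = $_.InterfaceAlias
                AutomaticMetric = $_.AutomaticMetric     # Enabled => the stack picked the value itself
                PSMetric        = $_.InterfaceMetric     # what Get-NetIPInterface reports
                NetshMetric     = $netshMetric           # what netsh reports for the same ifIndex
                PbkMetric       = Get-PbkInterfaceMetric -ConnectionName $_.InterfaceAlias
                Mismatch        = ($null -eq $n) -or ($n.Metric -ne $_.InterfaceMetric)
            }
        }
}

# Usage: the full picture ordered the way the stack ranks interfaces, then only the VPN adapter.
# 'Contoso AOVPN' is a placeholder profile name.
Compare-InterfaceMetric | Sort-Object PSMetric | Format-Table -AutoSize
Compare-InterfaceMetric -InterfaceAlias 'Contoso AOVPN'
```

Run it once while the tunnel is up: a row whose `PSMetric` is 25 with `AutomaticMetric` Enabled while `PbkMetric` holds the scripted value is exactly the symptom described in the question, and posting that row says more than the two raw listings.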

DimitriGoossens-4099 answered

Hi,
For some reason I now get the wrong "unchanged" interface metric when executing both query cmdlets (get-netipinterface and netsh).
The metric on the AOVPN interface is correctly changed on the adapter itself however.
I tried disconnecting/reconnecting, but the interface metric keeps unchanged when queried with the cmdlets, but is ok when looking at the GUI properties of the adapter.

This cmdlet works:

    Set-NetIPInterface -InterfaceIndex 12 -InterfaceMetric 5

But by default the metric of the AOVPN connection always gets reset when you disconnect/reconnect it. (This is default behavior for Windows.)


CandyLuo-MSFT answered

Hi,

You might try to set wired interface's metric to a larger value and check when a client connects via VPN whether they can get internal DNS server.

If it still doesn't work, as a workaround, you might write a script that runs the command Set-NetIPInterface -InterfaceIndex 12 -InterfaceMetric 5 once it detects an AOVPN connection. Of course, this is not a good solution; if we want to find the root cause, I would suggest you open a case with Microsoft where a more in-depth investigation can be done, so that you would get a more satisfying explanation and solution to this issue.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Candy

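The workaround suggested above, re-applying the metric whenever the tunnel comes up, can be made hands-off with a scheduled task. What follows is an added example, not code from the answer or from Microsoft: it looks the adapter up by alias instead of a hard-coded index (the RAS adapter is recreated on every connect, so index 12 is not stable), sets the metric, and registers a SYSTEM task triggered by the "Network Connected" event. Assumptions are labelled in the code: the adapter alias equals the AOVPN profile name, event 10000 in `Microsoft-Windows-NetworkProfile/Operational` fires on connect, the wrapper script is placed under `%ProgramFiles%\AovpnMetric` (a hypothetical location), and 'Contoso AOVPN' is a placeholder name.

```powershell
# Added example (not from the thread): re-apply the desired metric on the AOVPN adapter every
# time the tunnel comes up, since Windows resets it on reconnect. Run from an elevated prompt.
# Assumptions: adapter alias == AOVPN profile name; NetworkProfile/Operational event 10000 means
# "Network Connected"; the wrapper script path below is hypothetical.

function Set-AovpnInterfaceMetric {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [ValidateRange(1, 9999)][int]$Metric = 5
    )
    # The RAS adapter only exists while connected, and its ifIndex changes, so resolve it by alias
    $vpnIf = Get-NetIPInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Where-Object InterfaceAlias -eq $ConnectionName
    if (-not $vpnIf) {
        Write-Verbose "No IPv4 interface named '$ConnectionName' (VPN not connected?)"
        return $null
    }
    if ($vpnIf.InterfaceMetric -eq $Metric -and $vpnIf.AutomaticMetric -eq 'Disabled') {
        Write-Verbose "ifIndex $($vpnIf.ifIndex) already has metric $Metric"
        return $vpnIf
    }
    if ($PSCmdlet.ShouldProcess("ifIndex $($vpnIf.ifIndex) ($ConnectionName)", "InterfaceMetric=$Metric")) {
        # An explicit metric also turns AutomaticMetric off for this interface
        Set-NetIPInterface -InterfaceIndex $vpnIf.ifIndex -AddressFamily IPv4 -InterfaceMetric $Metric
    }
    Get-NetIPInterface -InterfaceIndex $vpnIf.ifIndex -AddressFamily IPv4
}

function Register-AovpnMetricTask {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [int]$Metric = 5,
        # Hypothetical location. Keep it admin-writable only: the task runs as SYSTEM, so a
        # user-writable script path would be a local privilege escalation.
        [string]$ScriptPath = "$env:ProgramFiles\AovpnMetric\Set-AovpnMetric.ps1",
        [string]$TaskName = 'AOVPN - Set interface metric'
    )
    New-Item -ItemType Directory -Path (Split-Path -Parent $ScriptPath) -Force | Out-Null
    # Small self-contained wrapper the task executes; $ConnectionName/$Metric are baked in.
    @"
`$vpnIf = Get-NetIPInterface -AddressFamily IPv4 | Where-Object InterfaceAlias -eq '$ConnectionName'
if (`$vpnIf) { Set-NetIPInterface -InterfaceIndex `$vpnIf.ifIndex -AddressFamily IPv4 -InterfaceMetric $Metric }
"@ | Set-Content -LiteralPath $ScriptPath -Encoding ASCII

    # New-ScheduledTaskTrigger has no event-trigger type, so build MSFT_TaskEventTrigger via CIM.
    $triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
    $trigger.Enabled = $true
    $trigger.Delay = 'PT10S'   # give the RAS adapter time to finish IPv4 configuration
    $trigger.Subscription = @"
<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
<Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[EventID=10000]]</Select>
</Query></QueryList>
"@
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
}

# Usage ('Contoso AOVPN' is a placeholder profile name):
Set-AovpnInterfaceMetric -ConnectionName 'Contoso AOVPN' -Metric 5 -Verbose   # apply once, now
Register-AovpnMetricTask -ConnectionName 'Contoso AOVPN' -Metric 5            # re-apply on every connect
```

The event trigger fires for any network-connected event, not only the VPN, which is why the wrapper checks that the adapter exists before touching anything; on a wired-only connect it simply exits. Keep the metric in the wrapper in sync with whatever the phonebook script writes, otherwise the two will disagree after the next profile update.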

DimitriGoossens-4099 answered

Thanks! Setting the metric of the wired connections to a higher value does work, but if you need to do this on thousands of clients, there might be other problems popping up.
It's too bad that Windows doesn't let you correctly set a metric for 1 particular interface (VPN), and the solution is to change everything else besides this metric :-)

I would like to understand why the metric that you see in the GUI isn't used.

CandyLuo-MSFT commented
How about manually setting the metric on the VPN interface? I noticed that you are using a script from Richard Hicks to change the metric. If you manually set the metric to 5 in the GUI, does it work? (I want to narrow down whether the issue is related to the script.)

DimitriGoossens-4099 answered

Thanks!
Setting the metric via the GUI on the AOVPN interface does work, and it survives a reboot/shutdown.
So it has something to do with the script and where exactly it's saved.
Do you have any idea where it is taken from when querying via the cmdlet?
So it does work manually, but we cannot do that on thousands of computers. Also, the VPN interface gets deleted and recreated on every update.


CandyLuo-MSFT answered

Now we can narrow down that the issue is related to the script. Don't use the script to change the metric. As far as I know, when you connect to the VPN successfully, the VPN adapter's interface metric will automatically be lower than the other interfaces'.

Make sure the adapters' interface metric is set to Automatic metric. Then, without using the script to change the metric, connect to the VPN and check the results.


DimitriGoossens-4099 answered

The wired interface will always have priority (lower metric) than the AOVPN interface by default.
The AOVPN adapter has the same metric as a wireless interface by default, which is 25.

CandyLuo-MSFT commented
In my lab, AOVPN interface always has lower metric than local interface. In your case, it seems you need to use Set-NetIPInterface -InterfaceIndex 12 -InterfaceMetric 5 cmdlet to change the metric.