Fail to connect to network resources on the corporate networks in Visual Studio
Symptoms
You may receive the following error message when Visual Studio 2015 RTM attempts to connect to a network resource on some corporate networks that have security appliances:
The underlying connection was closed: An unexpected error occurred on send
This issue blocks the user's ability to sign in, connect to Visual Studio Team Services, or use NuGet. You will also see the following behaviors:
On the corporate network, you cannot sign in or connect to Visual Studio Team Services by using Visual Studio 2015 RTM, which uses the Transport Layer Security (TLS) 1.2 protocol.
On the corporate network, you can sign in by using Visual Studio 2013 and Visual Studio 2015 Release Candidate (RC).
You can sign in by using Visual Studio 2015 RTM if it's used outside the corporate network.
Cause
This issue occurs because the security appliances on these corporate networks block certain server connections when Visual Studio 2015 uses TLS 1.2.
Resolution
To fix this issue, update the security appliances so that they support TLS 1.2 for the following connections:
List of URLs for sign-in and licensing connections:
For a more general list of URLs:
Sign-in, Visual Studio Team Services and Azure connections
*.windows.net
*.microsoftonline.com
*.visualstudio.com
*.microsoft.com
*.live.com
NuGet connections
*.azurewebsites.net
*.nuget.org
Note: Privately owned NuGet server URLs may not be included in the list above. You can check which NuGet servers you are using by opening %APPData%\Nuget\NuGet.Config.
We recommend updating the security appliances to work with TLS 1.2 for the above endpoints rather than relying on TLS 1.0, since the use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. For more information about disabling RC4 in .NET TLS, see security advisory 2960358.
More Information
Visual Studio 2013 and Visual Studio 2015 RC can connect when Visual Studio 2015 RTM cannot because those two versions use TLS 1.0 to make connections by default, while Visual Studio 2015 RTM uses TLS 1.2. Visual Studio incrementally falls back to older protocols (TLS 1.1 and TLS 1.0) to try to connect. However, the problematic security appliances reset the connection after the TLS 1.2 attempt, which drops the connection completely. As a result, Visual Studio cannot try the other protocols.
Note that this problem isn't limited to Visual Studio. Internet Explorer and other applications that use TLS 1.2 to connect to the endpoints that were discussed earlier will encounter the same problem.
To diagnose whether you are running into this issue, follow these steps:
1. Download NetMonitor.
2. You may have to sign out of Windows and sign back in. Alternatively, run NetMonitor as an administrator so that it works correctly.
3. Close all applications and browser windows.
4. Open Internet Explorer (not Chrome or any other browser).
5. In NetMonitor, click "New Capture" in the upper-left corner, and then click "Start."
6. Start Internet Explorer, click "Internet Options", and then click "Advanced."
7. Under Settings, uncheck "Use TLS 1.0" and "Use TLS 1.1" so that you only use TLS 1.2.
8. Try the URL that's failing to connect in Visual Studio. For example, https://app.vssps.visualstudio.com.
9. In NetMonitor, click "Stop."
10. Click "Save As", and then save the trace as "TLS 1.2 only".
11. In NetMonitor, click "New Capture" in the upper-left corner, and then click "Start."
12. In Internet Explorer, click "Internet Options", and then click "Advanced."
13. Under Settings, uncheck "Use TLS 1.1" and "Use TLS 1.2" so that you only use TLS 1.0.
14. Connect to the same URL as the one in step #8.
15. In NetMonitor, click "Stop."
16. Click "Save As", and then save the trace as "TLS 1.0 only".
If you compare the two traces, you can draw the following conclusions:
You can connect to the URL by using TLS 1.0.
You cannot connect to the URL by using TLS 1.2.
The NetMonitor log for TLS 1.2 shows an SSL connection being made to the proxy server but getting no response. The connection is dropped without any additional attempt to connect by using other protocols.
When you don't use the corporate network, you can connect by using both TLS 1.0 and TLS 1.2.
Note: Reset to the default protocol options after you diagnose the issue. To do this, follow these steps:
1. Start Internet Explorer, click "Internet Options", and then click "Advanced."
2. Under Settings, check "Use TLS 1.0", "Use TLS 1.1" and "Use TLS 1.2."
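The same TLS 1.0 versus TLS 1.2 comparison can be scripted instead of toggling Internet Explorer settings. The following is an added example, not part of the original article: it pins each handshake to one protocol version and maps the outcomes onto the conclusions listed above. The names probe and classify are hypothetical, and the script assumes the client connects directly to port 443 (no explicitly configured proxy) and that the local TLS library still permits TLS 1.0.

```python
import socket
import ssl
import sys

OK, RESET, TIMEOUT, REJECTED, UNREACHABLE = "ok", "reset", "timeout", "rejected", "unreachable"
VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, version, port=443, timeout=5.0):
    """Try one handshake pinned to a single TLS version and label the outcome."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    ctx.minimum_version = version       # pin both bounds so no fallback can occur
    ctx.maximum_version = version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return UNREACHABLE  # DNS failure, refused, no route: not a TLS problem
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return OK
        except (ConnectionError, ssl.SSLEOFError):
            return RESET     # connection torn down in the middle of the handshake
        except socket.timeout:
            return TIMEOUT   # ClientHello sent, no response came back
        except OSError:      # includes ssl.SSLError
            return REJECTED  # TLS alert, certificate error, or version disabled locally

def classify(results):
    """Map per-version outcomes onto the conclusions drawn from the two traces."""
    old, new = results["TLS 1.0"], results["TLS 1.2"]
    if new == OK:
        return "not_affected"          # TLS 1.2 completes, appliance is not interfering
    if old == OK and new in (RESET, TIMEOUT):
        return "appliance_suspected"   # TLS 1.0 connects, TLS 1.2 is dropped in transit
    return "inconclusive"              # e.g. endpoint unreachable or TLS 1.0 refused locally

if __name__ == "__main__":
    # Default host is the example URL from step 8; pass another host as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "app.vssps.visualstudio.com"
    results = {name: probe(host, v) for name, v in VERSIONS.items()}
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    print("verdict:", classify(results))
```

Run it once on the corporate network and once outside it. A verdict of appliance_suspected only on the corporate network matches the behavior described in this article.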
Warning
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.