Microsoft NCSI claims no Internet after resume from sleep

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Wed Jun 02, 2021 6:45 am

Hi @ll!

I'm using the free community edition and don't know if this is the right forum / the right category I'm posting in. Was already totally confused about a "non-free" version even existing, so I'm sorry if I did anything wrong here...

My Setup:
Windows 10 Pro (Version 20H2 Build 19042.985)
openVPN client 2.5.2 running as service with 2 VPN autoconnecting

I have a working setup that allows internet traffic to be routed through my router directly to the internet. The VPNs don't change the default gateway on connect. The networks don't overlap (172.16.0.0/16 vs 192.168.99.0/24 vs 192.168.200.0/24). Connections are stable and I can access machines on the VPN networks as well as surf the internet.

Problem:
After putting my computer into sleep mode (done every day) and resuming from sleep, Windows NCSI claims that I do not have access to the internet. The VPNs are reconnecting fine and can be used, and I can also surf the internet. The nuisance is: because NCSI reports that it is not connected to the internet, other Microsoft software does not even try to connect to the internet and thus cannot be used properly.

The routing table looks perfectly fine after that wakeup from sleep. I can surf the internet.

Additionally, I found out by using a packet sniffer that Outlook tries to connect, but the packets are routed to one of the VPN networks instead of following the default route. But there exists no route that would allow that to happen.

When I manually stop the VPN service for about 10-20 seconds, NCSI successfully detects the internet connection, and after that I can safely start the VPN service again. Everything works as expected after that.

So I have narrowed it down this far, but now I don't know what I could do to avoid having to stop the VPN connections and, after a pause, start them again. This started happening shortly after Windows 10 updated to a newer release.

Any helpful hints on what I could do to fix this permanently are appreciated!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by TinCanTech » Wed Jun 02, 2021 9:47 am

Are you using TAP mode ?

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Wed Jun 02, 2021 2:26 pm

Yes I do.

Code:

Unbekannter Adapter VPN-Verbindung:

   Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9
   Physische Adresse . . . . . . . . : 00-FF-23-E3-96-A5

Unbekannter Adapter VPN-Verbindung 2:

   Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9 #2
   Physische Adresse . . . . . . . . : 00-FF-5A-A7-F6-BB

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by TinCanTech » Wed Jun 02, 2021 4:19 pm

I mean TAP as opposed to TUN ..

See this viewtopic.php?f=30&t=22603

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Wed Jun 02, 2021 6:39 pm

Ah ok.

both configs are dev tun

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Fri Jun 04, 2021 5:43 am

If you meant your link as a hint for me to think about providing config files etc....
I thought that, as the configuration by itself works fine and it is just related to "resume from sleep", this would not be helpful. But of course, you may have them ;)

Ethernet adapters (after successful connection):

Code:

Ethernet-Adapter LAN:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection (2) I218-LM
   Physische Adresse . . . . . . . . : 50-65-F3-21-A9-6B
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 172.16.137.11(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.0.0
   IPv4-Adresse  . . . . . . . . . . : 192.168.1.14(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 172.16.137.1
   DNS-Server  . . . . . . . . . . . : 172.16.137.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Unbekannter Adapter VPN-Verbindung:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9
   Physische Adresse . . . . . . . . : 00-FF-23-E3-96-A5
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.99.10(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.252
   Lease erhalten. . . . . . . . . . : Mittwoch, 2. Juni 2021 06:39:52
   Lease läuft ab. . . . . . . . . . : Samstag, 4. Juni 2022 05:13:35
   Standardgateway . . . . . . . . . :
   DHCP-Server . . . . . . . . . . . : 192.168.99.9
   DNS-Server  . . . . . . . . . . . : 192.168.99.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Unbekannter Adapter VPN-Verbindung 2:

   Verbindungsspezifisches DNS-Suffix: 
   Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9 #2
   Physische Adresse . . . . . . . . : 00-FF-5A-A7-F6-BB
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.200.200(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Mittwoch, 2. Juni 2021 06:39:49
   Lease läuft ab. . . . . . . . . . : Samstag, 4. Juni 2022 05:13:35
   Standardgateway . . . . . . . . . :
   DHCP-Server . . . . . . . . . . . : 192.168.200.254
   DNS-Server  . . . . . . . . . . . : 192.168.200.1
                                       10.10.0.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Routing table (again after successful connection):

Code:

===========================================================================
Schnittstellenliste
 17...50 65 f3 21 a9 6b ......Intel(R) Ethernet Connection (2) I218-LM
  4...00 ff 23 e3 96 a5 ......TAP-Windows Adapter V9
 10...00 ff 5a a7 f6 bb ......TAP-Windows Adapter V9 #2
  1...........................Software Loopback Interface 1
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     172.16.137.1    172.16.137.11    281
        10.10.0.0      255.255.0.0     192.168.99.9    192.168.99.10     25
        10.10.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
        10.20.0.0      255.255.0.0     192.168.99.9    192.168.99.10     25
        10.20.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
        10.80.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
        10.90.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    331
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
       172.16.0.0      255.255.0.0   Auf Verbindung     172.16.137.11    281
    172.16.137.11  255.255.255.255   Auf Verbindung     172.16.137.11    281
   172.16.255.255  255.255.255.255   Auf Verbindung     172.16.137.11    281
      192.168.1.0    255.255.255.0   Auf Verbindung     172.16.137.11    281
     192.168.1.14  255.255.255.255   Auf Verbindung     172.16.137.11    281
    192.168.1.255  255.255.255.255   Auf Verbindung     172.16.137.11    281
     192.168.40.0    255.255.255.0     192.168.99.9    192.168.99.10     25
     192.168.99.0    255.255.255.0     192.168.99.9    192.168.99.10     25
     192.168.99.8  255.255.255.252   Auf Verbindung     192.168.99.10    281
    192.168.99.10  255.255.255.255   Auf Verbindung     192.168.99.10    281
    192.168.99.11  255.255.255.255   Auf Verbindung     192.168.99.10    281
    192.168.200.0    255.255.255.0   Auf Verbindung   192.168.200.200    281
  192.168.200.200  255.255.255.255   Auf Verbindung   192.168.200.200    281
  192.168.200.255  255.255.255.255   Auf Verbindung   192.168.200.200    281
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    331
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.99.10    281
        224.0.0.0        240.0.0.0   Auf Verbindung   192.168.200.200    281
        224.0.0.0        240.0.0.0   Auf Verbindung     172.16.137.11    281
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.99.10    281
  255.255.255.255  255.255.255.255   Auf Verbindung   192.168.200.200    281
  255.255.255.255  255.255.255.255   Auf Verbindung     172.16.137.11    281
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0     172.16.137.1  Standard
===========================================================================

IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel             Gateway
  1    331 ::1/128                  Auf Verbindung
  1    331 ff00::/8                 Auf Verbindung
===========================================================================
Ständige Routen:
  Keine

Config file for the first connection (all sensitive information redacted):

Code:

client
resolv-retry 20
keepalive 2 10
nobind
mute-replay-warnings
remote-cert-tls server
verb 4
persist-key
persist-tun
explicit-exit-notify 1
dev tun
auth-user-pass
proto udp
port 1194
cipher AES-128-CBC
remote anonymo.us 1194 # public address 

<ca>
-----BEGIN CERTIFICATE-----
#(snip)
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
#(snip)
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
#(snip)
-----END PRIVATE KEY-----
</key>

Config file for the second connection (all sensitive information redacted):

Code:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
client
resolv-retry infinite
remote another.undisclosed.one 1194 udp
lport 0
remote-cert-tls server
auth-user-pass
comp-lzo adaptive
<ca>
-----BEGIN CERTIFICATE-----
#(snip)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
#(snip)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
#(snip)
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#(snip)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
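
One way to double-check the routing table posted above against the statement that no route sends Internet traffic into a VPN (an added example, not part of any forum post): parse the `route print` rows and apply longest-prefix match with lowest metric as tie-breaker. The route rows are copied from the post; the function names and the public test address 203.0.113.10 are assumptions made for this example.

```python
import ipaddress

# Active IPv4 routes copied from the `route print` output in the post above
# (loopback, host, multicast and broadcast rows left out for brevity).
ROUTE_PRINT = """\
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     172.16.137.1    172.16.137.11    281
        10.10.0.0      255.255.0.0     192.168.99.9    192.168.99.10     25
        10.10.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
        10.20.0.0      255.255.0.0     192.168.99.9    192.168.99.10     25
        10.20.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
        10.80.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
        10.90.0.0      255.255.0.0    192.168.200.1  192.168.200.200     25
       172.16.0.0      255.255.0.0   Auf Verbindung     172.16.137.11    281
      192.168.1.0    255.255.255.0   Auf Verbindung     172.16.137.11    281
     192.168.40.0    255.255.255.0     192.168.99.9    192.168.99.10     25
     192.168.99.0    255.255.255.0     192.168.99.9    192.168.99.10     25
     192.168.99.8  255.255.255.252   Auf Verbindung     192.168.99.10    281
    192.168.200.0    255.255.255.0   Auf Verbindung   192.168.200.200    281
"""


def parse_routes(text):
    """Parse `route print` rows into dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            iface = str(ipaddress.ip_address(parts[-2]))
            metric = int(parts[-1])
        except ValueError:
            continue  # header or separator line
        # The gateway may be two words ("Auf Verbindung" = on-link).
        routes.append({"net": net, "gateway": " ".join(parts[2:-2]),
                       "iface": iface, "metric": metric})
    return routes


def candidates(routes, dest):
    """Return the interface address(es) eligible to carry traffic to dest.

    Longest prefix wins, then lowest metric. More than one result means
    the table alone does not decide which interface is used.
    """
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    matches = [r for r in matches if r["net"].prefixlen == longest]
    best = min(r["metric"] for r in matches)
    return sorted({r["iface"] for r in matches if r["metric"] == best})


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # 203.0.113.10 is a constructed stand-in for any public Internet host.
    for dest in ("203.0.113.10", "192.168.99.1", "10.10.0.1"):
        print(dest, "->", candidates(table, dest))
```

For the posted table, the public address resolves only to the LAN interface 172.16.137.11, while 10.10.0.1 has two equal candidates because 10.10.0.0/16 is present via both VPN adapters at metric 25.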

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by TinCanTech » Fri Jun 04, 2021 9:31 am

Sorry, I don't know why Microsoft NCSI reports no connectivity.
There may be something you can configure in Windows ..

There is nothing that I know of that you can add to an OpenVPN config to change the issue.
Your VPN should time out during sleep mode and then establish a new connection on resume.

You could either report the problem to your server provider (I presume your work).
Or Microsoft ..

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Fri Jun 04, 2021 9:42 am

Reporting it to my service provider would mean reporting it to myself :D

Just hoped for someone who might have had a similar issue or even an idea of what might help to solve this.
Telling Microsoft would be my next try, but I guess they will point me back here again.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by TinCanTech » Fri Jun 04, 2021 10:04 am

If it is your own server then you did not include your server config or any logs.

It's hard to help without details ..

Your client log at --verb 4 from connection and through a sleep and wake cycle of at least 10 minutes may help.

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Fri Jun 04, 2021 3:56 pm

You already guessed that it is my work. But as I'm the one operating the infrastructure, I would have to talk to myself...

Next working day will be Monday. I'll have to look at how to extract the server configs, as both servers are running as an integrated service on different firewalls.

The client log you asked for:

Code:

2021-06-03 21:38:46 us=639099 TLS: soft reset sec=3600/3600 bytes=150620/-1 pkts=3534/0
2021-06-03 21:38:46 us=722084 VERIFY OK: depth=1, CN=certificateAuthority, C=CO, ST=ST, L=L, O=O, OU=OU, dnQualifier=certificateAuthority
2021-06-03 21:38:46 us=722084 VERIFY KU OK
2021-06-03 21:38:46 us=722084 Validating certificate extended key usage
2021-06-03 21:38:46 us=722084 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-06-03 21:38:46 us=722084 VERIFY EKU OK
2021-06-03 21:38:46 us=722084 VERIFY OK: depth=0, C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
2021-06-03 21:38:46 us=893741 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-03 21:38:46 us=893741 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-03 21:38:46 us=893741 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-06-04 05:13:34 us=954223 [server] Inactivity timeout (--ping-restart), restarting
2021-06-04 05:13:34 us=955223 TCP/UDP: Closing socket
2021-06-04 05:13:34 us=955223 SIGUSR1[soft,ping-restart] received, process restarting
2021-06-04 05:13:34 us=955223 Restart pause, 5 second(s)
2021-06-04 05:13:39 us=970587 Re-using SSL/TLS context
2021-06-04 05:13:39 us=970587 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2021-06-04 05:13:39 us=970587 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-06-04 05:13:39 us=970587 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2021-06-04 05:13:39 us=970587 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2021-06-04 05:13:39 us=970587 TCP/UDP: Preserving recently used remote address: [AF_INET]??.??.??.??:1194
2021-06-04 05:13:39 us=970587 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-06-04 05:13:39 us=970587 UDP link local: (not bound)
2021-06-04 05:13:39 us=970587 UDP link remote: [AF_INET]??.??.??.??:1194
2021-06-04 05:13:40 us=15561 TLS: Initial packet from [AF_INET]??.??.??.??:1194, sid=99d9df8f 5474552d
2021-06-04 05:13:40 us=100514 VERIFY OK: depth=1, CN=certificateAuthority, C=CO, ST=ST, L=L, O=O, OU=OU, dnQualifier=certificateAuthority
2021-06-04 05:13:40 us=100514 VERIFY KU OK
2021-06-04 05:13:40 us=100514 Validating certificate extended key usage
2021-06-04 05:13:40 us=100514 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-06-04 05:13:40 us=100514 VERIFY EKU OK
2021-06-04 05:13:40 us=100514 VERIFY OK: depth=0, C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
2021-06-04 05:13:40 us=351964 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-06-04 05:13:40 us=351964 [server] Peer Connection Initiated with [AF_INET]??.??.??.??:1194
2021-06-04 05:13:41 us=757491 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2021-06-04 05:13:41 us=786455 PUSH: Received control message: 'PUSH_REPLY,register-dns,route 192.168.40.0 255.255.255.0,route 10.10.0.0 255.255.0.0,route 10.20.0.0 255.255.0.0,route 192.168.99.0 255.255.255.0,topology net30,ping 2,ping-restart 10,dhcp-option DNS 192.168.99.1,ifconfig 192.168.99.10 192.168.99.9,peer-id 0,cipher AES-256-GCM'
2021-06-04 05:13:41 us=786455 OPTIONS IMPORT: timers and/or timeouts modified
2021-06-04 05:13:41 us=786455 OPTIONS IMPORT: --ifconfig/up options modified
2021-06-04 05:13:41 us=786455 OPTIONS IMPORT: route options modified
2021-06-04 05:13:41 us=786455 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-06-04 05:13:41 us=786455 OPTIONS IMPORT: peer-id set
2021-06-04 05:13:41 us=786455 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-06-04 05:13:41 us=786455 OPTIONS IMPORT: data channel crypto options modified
2021-06-04 05:13:41 us=786455 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-06-04 05:13:41 us=786455 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
2021-06-04 05:13:41 us=786455 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-04 05:13:41 us=786455 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-04 05:13:41 us=786455 Preserving previous TUN/TAP instance: VPN-Verbindung
2021-06-04 05:13:41 us=786455 Initialization Sequence Completed
2021-06-04 05:13:41 Start ipconfig commands for register-dns...
2021-06-04 05:13:41 C:\WINDOWS\system32\ipconfig.exe /flushdns
2021-06-04 05:13:41 C:\WINDOWS\system32\ipconfig.exe /registerdns
2021-06-04 05:13:44 End ipconfig commands for register-dns...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by TinCanTech » Fri Jun 04, 2021 5:55 pm

Your log shows the expected timeout & restart.

The only thing you could try, from an OpenVPN perspective, is to remove persist-tun from your client config.

Maybe that will kick windows into action again, when the timeout occurs.

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Sun Jun 06, 2021 2:57 am

I have removed persist-tun from both configs and restarted the openVPN service.
Some time after that, I put the machine to sleep and the next day, after wakeup, the problem is still there :-/

I'll change back the config now.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by TinCanTech » Sun Jun 06, 2021 12:41 pm

Generally, clients should not use --persist-tun.

--persist-tun is meant to be used by servers which drop root privileges.

inkasso
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 02, 2021 6:14 am

Re: Microsoft NCSI claims no Internet after resume from sleep

Post by inkasso » Tue Jun 08, 2021 8:07 am

I haven't found a way to export the server configs out of the firewalls yet.

I guess this is because they are dynamically generated based on some defaults and the choices made in the GUI.
