Windowsserverdocs: TrustedNetworkDetection not working?

Created on 11 Jul 2018 · 15 Comments · Source: MicrosoftDocs/windowsserverdocs

We use a local DNS domain like "company.local" inside our corporate network. I set TrustedNetworkDetection to this domain, but laptops still try to connect to the VPN every 5 minutes, as I see in the event log (RasClient event 20227).
Am I doing it wrong?



Pri2 in progress networking system bug windows-server-thresholprod

All 15 comments

Yes, I forgot: RasClient tries to connect the VPN when the laptops are already in the corporate network.
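A read-only check for the situation described in the original post, added here as an example and not taken from the thread or from Microsoft: it lists the connection-specific DNS suffix of each active adapter next to the configured trusted suffix, and measures the spacing of RasClient 20227 events. The parameter names and the two-hour window are assumptions, as is the premise that the client compares the trusted suffix against the adapter's connection-specific DNS suffix.

```powershell
# Added diagnostic example; not from the thread. Read-only: changes no settings.
param(
    [string[]]$TrustedSuffix = @('company.local'),  # suffix quoted in the original post
    [int]$LookbackHours = 2                         # assumption: arbitrary review window
)

# Connection-specific DNS suffix of each adapter that is up, and whether it
# equals a trusted suffix (assumption: this is the value the client compares).
$upIndexes = @(Get-NetAdapter | Where-Object Status -eq 'Up').ifIndex
$adapters = Get-DnsClient |
    Where-Object { $upIndexes -contains $_.InterfaceIndex } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix,
        @{ Name = 'MatchesTrusted'
           Expression = { $TrustedSuffix -contains $_.ConnectionSpecificSuffix } }

# RasClient event 20227 (the event cited in the post) inside the window, oldest first.
$events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        Id           = 20227
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    } | Sort-Object TimeCreated)

# Minutes between consecutive events; a steady value near 5 matches the report.
$gaps = for ($i = 1; $i -lt $events.Count; $i++) {
    [math]::Round(($events[$i].TimeCreated - $events[$i - 1].TimeCreated).TotalMinutes, 1)
}

# Device tunnel profiles live in the all-user phonebook.
$vpn = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
    Select-Object Name, ConnectionStatus

[pscustomobject]@{
    Adapters            = $adapters
    OnTrustedSuffix     = [bool]($adapters | Where-Object { $_.MatchesTrusted })
    Event20227Count     = $events.Count
    MinutesBetweenDials = $gaps
    AllUserVpn          = $vpn
}
```

If `OnTrustedSuffix` is true while `Event20227Count` keeps growing between runs, the machine is showing the symptom from the original post; an empty `ConnectionSpecificSuffix` on the corporate adapter points at DHCP or adapter configuration instead.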

Hi @3apa3a-b-ta3e, the engineering team is working on a device tunnel bug. You can find more details in this doc bug.

@shortpatti, I read that thread, but there is nothing there about my situation; it's another bug or something.

OK, it seems I found yet another bug (or bugs): after I move the laptop to an external network (simulating a road warrior), the device tunnel is triggered and connects to my VPN server (it's not MS RRAS, but it works well). Then I connect back to the corporate network (Wi-Fi or cable, doesn't matter) without a reboot, and the device tunnel is still shown as active. The VPN server says the connection is broken, but Windows still keeps it up, with all mapped routes, of course. Nothing works until I reboot Windows.

Next bug: a device tunnel connection from Windows 10 (1803) is triggered, routes are applied, I see its status, packets are sent to the interface, but no packets come back (zero at "Received"). Network and Sharing Center shows my VPN connection as "Identifying..." for a minute or two, then it changes to "Public network". If I wait another two minutes, the status changes to "Domain Network" and at the same time packets start flowing in both directions; everything is good now, the connection works.
I tested with other, non-domain-joined Windows 10 and 2016 machines, just added the certificate to the machine store and created a very similar connection by hand, and everything worked without the 5-minute delay.
How can I fix it? Is Network Location Awareness causing this problem, or what?

Also, can you remove the "duplicate" tag?

@MihaiSP, can you take a look at this issue? This is one of them that I mentioned a few weeks ago.

> @shortpatti, I read that thread, but there is nothing there about my situation; it's another bug or something.
>
> OK, it seems I found yet another bug (or bugs): after I move the laptop to an external network (simulating a road warrior), the device tunnel is triggered and connects to my VPN server (it's not MS RRAS, but it works well). Then I connect back to the corporate network (Wi-Fi or cable, doesn't matter) without a reboot, and the device tunnel is still shown as active. The VPN server says the connection is broken, but Windows still keeps it up, with all mapped routes, of course. Nothing works until I reboot Windows.
>
> Next bug: a device tunnel connection from Windows 10 (1803) is triggered, routes are applied, I see its status, packets are sent to the interface, but no packets come back (zero at "Received"). Network and Sharing Center shows my VPN connection as "Identifying..." for a minute or two, then it changes to "Public network". If I wait another two minutes, the status changes to "Domain Network" and at the same time packets start flowing in both directions; everything is good now, the connection works.
> I tested with other, non-domain-joined Windows 10 and 2016 machines, just added the certificate to the machine store and created a very similar connection by hand, and everything worked without the 5-minute delay.
> How can I fix it? Is Network Location Awareness causing this problem, or what?
>
> Also, can you remove the "duplicate" tag?

I have this same set of issues - were you able to find any resolution?

> I have this same set of issues - were you able to find any resolution?

@efbertos, no.
The first issue, with it trying to connect even on the internal network, was never resolved.
The second, with the 5-minute delay, looks like a Kaspersky Endpoint Security issue, but even with the firewall disabled and services stopped I cannot solve it. Only by stopping ALL Kaspersky services AND DRIVERS does traffic start to pass without delay. Or by completely uninstalling KES.

Hi everyone!
As you may know, in Windows 1709 there was an issue with the Device tunnel connection:
Event ID: 1000
Error message: Faulting application name: svchost.exe_RasMan

Then in 1803 MS resolved this problem, but in 1903 the problem appeared again.
Does anyone know about this issue and has resolved it?

@3apa3a-b-ta3e - Looks like you were right. KES was preventing me from connecting the first time around.

I uninstalled and was able to connect consistently. The problem I am seeing now is the "Wan Miniport (IKEv2)" interface doesn't disconnect when I am on the trusted network.

Heck, I can even turn off Wi-Fi and unplug Ethernet and the interface will sometimes stay connected. This of course leaves the routes in for the interesting traffic, resulting in packets being black-holed.

> KES was preventing me from connecting the first time around.

Told ya :-). I faced this issue a year ago, then (as a corporate customer) I created ticket INC000009388250 with Kaspersky support; they asked me for tons of logs, asked me to do this and that, install some fixes, send them tons of logs again - NOTHING! Just nothing helped.
I gave up and never tried to do that again.

> The problem I am seeing now is the "Wan Miniport (IKEv2)" interface doesn't disconnect when I am on the trusted network. Heck, I can even turn off Wi-Fi and unplug Ethernet and the interface will sometimes stay connected. This of course leaves the routes in for the interesting traffic, resulting in packets being black-holed.

Yeah, different install - same ... issues.
Looks like MS dropped support for this feature, and this makes me sad because I really enjoy it; the idea was actually excellent.

Hi guys - does anyone have any more info on this issue? We are experiencing exactly what @3apa3a-b-ta3e and @efbertos described above.

> Hi everyone!
> As you may know, in Windows 1709 there was an issue with the Device tunnel connection:
> Event ID: 1000
> Error message: Faulting application name: svchost.exe_RasMan
>
> Then in 1803 MS resolved this problem, but in 1903 the problem appeared again.
> Does anyone know about this issue and has resolved it?

This issue was apparently fixed in KB4505903.

Hello @3apa3a-b-ta3e, @tommagumma, @efbertos. For your reports regarding issues in Trusted Network Detection, would you be able to provide feedback and diagnostic logs using the Windows Feedback Hub app? In order to provide diagnostic logs you might need to enable “full diagnostic data” on your settings app. Here are instructions on how to submit feedback for VPN issues:

  1. Open Feedback Hub app.
  2. Select Feedback on the left side menu.
  3. Click “Add new feedback”.
  4. Add a title and details. Please make a note about your feedback title so that you can share it with us once feedback is submitted.
  5. Select Problem.
  6. Set problem Category: Network and Internet and subcategory: Connecting with a VPN client.
  7. Click “Recreate my problem”.
  8. Please leave the “Include data about Connecting with a VPN client (Default)” selected. Leaving “Include screenshots of each step” selected is also helpful.
  9. Click “Start capture”.
  10. Please recreate your problem (for example, follow the steps you usually do when you expect Trusted Network Detection to disconnect the VPN interface).
  11. Click “Stop capture”.
  12. Click “Submit” and wait until you receive confirmation that diagnostics were submitted correctly. If asked, please mark that this is a new problem.

Please let us know when you have submitted your feedback. If possible, share its title.

Here are instructions on how to enable full diagnostic data:

  1. Open Settings app.
  2. Go to privacy.
  3. Select Diagnostics & feedback.
  4. Select “full” under Diagnostic data.

It is important that diagnostic logs are collected so that the issue can be investigated faster.
Here is a short video on how to send feedback (notice this does not show how to recreate your problem):

Also, here is the Feedback Hub app.

Thank you

@jabamsp we have a ticket open about this issue and cannot make any progress on this matter. Surely the official github should suffice for feedback.

It's pretty clear to me something is wrong with the logic for TrustedNetworkDetection where it's not covering all 'network change' scenarios or polling the TrustedNetworkDetection suffix often enough.

Wi-Fi to Wi-Fi network change seems to work best for trusted network detection. Disconnect from WiFi, or loss of internet from the wifi ssid while staying connected to the ssid does not work properly.

I have followed your directions and submitted feedback nonetheless, hopefully this gets us somewhere.

> Hi guys - does anyone have any more info on this issue? We are experiencing exactly what @3apa3a-b-ta3e and @efbertos described above.

Did you manage to find anything? I can't get Microsoft support to do anything about this. This is a complete joke.

@efbertos nope, we are still none the wiser. We haven't had time to engage MS support properly yet so for now we are just not bothering with Always On. It's a real shame!
