Network connectivity from WSL2 to a corporate IP via PPTP VPN is flaky

[evilguest]

Windows Version

Windows 11 Pro 22H2 22621.3007 Windows Feature Experience Pack 1000.22681.1000.0

WSL Version

2.0.9.0

Are you using WSL 1 or WSL 2?

• WSL 2
• WSL 1

Kernel Version

5.15.133.1-1

Distro Version

Ubuntu 22.04

Other Software

No response

Repro Steps

1. I connect to a corporate network via PPTP VPN (Windows built-in). The metric for the VPN interface is set to 5 to make sure only the corporate resources are routed through it; everything else is routed directly.
2. In WSL2 I am trying to access a corporate resource via SSH, SCP, GIT, etc.
3. I am also trying to perform the traceroute and ping from both Windows CMD and WSL2

Expected Behavior

The traceability and packet loss are the same from Windows and from WSL2

Actual Behavior

The packet loss when pinging the corporate addresses is close to 100%.
Typically, ping gets the first response, and none beyond those. Sometimes even the first response doesn't come.
Same addresses are pinged fine directly (0% loss).
DNS resolution works fine (i.e. the corporate addresses are resolved on VPN, everything else resolved externally).
Traceroute works fine from both WSL2 and Windows.

Pinging non-corporate resources (i.e. skipping the VPN) also works with 0% loss

Diagnostic Logs

1. Pinging the corporate address from WSL2:

sinclair@DESKTOP-8L2SM42:~$ ping gerrit.fisgroup.ru
PING sas-gerrit.fisgroup.ru (10.10.22.41) 56(84) bytes of data.
64 bytes from sas-gerrit.fisgroup.ru (10.10.22.41): icmp_seq=1 ttl=62 time=4.87 ms
^C
--- sas-gerrit.fisgroup.ru ping statistics ---
9 packets transmitted, 1 received, 88.8889% packet loss, time 8223ms
rtt min/avg/max/mdev = 4.866/4.866/4.866/0.000 ms

2. pinging the same address from Windows:

C:\>ping gerrit.fisgroup.ru
Pinging sas-gerrit.fisgroup.ru [10.10.22.41] with 32 bytes of data:
Reply from 10.10.22.41: bytes=32 time=3ms TTL=62
Reply from 10.10.22.41: bytes=32 time=4ms TTL=62
Reply from 10.10.22.41: bytes=32 time=4ms TTL=62
Reply from 10.10.22.41: bytes=32 time=4ms TTL=62
Ping statistics for 10.10.22.41:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 4ms, Average = 3ms

2. pinging an external resource from WSL2:

sinclair@DESKTOP-8L2SM42:~$ ping microsoft.com
PING microsoft.com (20.112.250.133) 56(84) bytes of data.
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=1 ttl=104 time=184 ms
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=2 ttl=104 time=182 ms
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=3 ttl=104 time=181 ms
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=4 ttl=104 time=184 ms
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=5 ttl=104 time=181 ms
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=6 ttl=104 time=181 ms
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=7 ttl=104 time=181 ms
64 bytes from 20.112.250.133 (20.112.250.133): icmp_seq=8 ttl=104 time=181 ms
^C
--- microsoft.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7011ms
rtt min/avg/max/mdev = 180.653/181.809/184.303/1.264 ms

3. Tracing route to the corporate address from Windows:

Tracing route to sas-gerrit.fisgroup.ru [10.10.22.41] over a maximum of 30 hops:
1     4 ms     3 ms     3 ms  fmr-pptp.fisgroup.ru [10.10.112.1]
2     4 ms     3 ms     3 ms  is.fisgroup.ru [10.2.1.11]
3     4 ms     3 ms     3 ms  sas-gerrit.fisgroup.ru [10.10.22.41]
Trace complete.

4. Tracing route to the same address from WSL2 (issues twice to illustrate the random selection of the packets lost):

sinclair@DESKTOP-8L2SM42:~$ traceroute gerrit.fisgroup.ru
traceroute to gerrit.fisgroup.ru (10.10.22.41), 30 hops max, 60 byte packets
 1  fmr-pptp.fisgroup.ru (10.10.112.1)  5.927 ms * *
 2  * * *
 3  * * *
 4  sas-gerrit.fisgroup.ru (10.10.22.41)  3.810 ms * *
sinclair@DESKTOP-8L2SM42:~$ traceroute gerrit.fisgroup.ru
traceroute to gerrit.fisgroup.ru (10.10.22.41), 30 hops max, 60 byte packets
 1  fmr-pptp.fisgroup.ru (10.10.112.1)  3.708 ms * *
 2  * is.fisgroup.ru (10.2.1.11)  3.550 ms *
 3  * * *
 4  * * sas-gerrit.fisgroup.ru (10.10.22.41)  3.889 ms

[github-actions]

Hi I'm an AI powered bot that finds similar issues based off the issue title.

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it. Thank you!

Open similar issues:

• WSL2 , problem with network connection when VPN used (PulseSecure) (#5068), similarity score: 0.78
• WSL2 not using host's VPN connection (#9004), similarity score: 0.76
• WSL2 Networking Issues Inside VPN due to mismatch in third octet of gateway and ip address (#11010), similarity score: 0.73

Closed similar issues:

• WSL 2 Internet connection doesn't work until I connect to VPN (#5784), similarity score: 0.77
• wsl1 vpn connectivity (#7995), similarity score: 0.73

Note: You can give me feedback by thumbs upping or thumbs downing this comment.

[chanpreetdhanjal]

Hi. Can you please collect networking logs by following the instructions below?
https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#collect-wsl-logs-for-networking-issues

[evilguest]

Here it is:
WslNetworkingLogs-2024-01-24_21-06-11.zip
Note this time I observe 100% packet loss (and non-VPN-routed hosts like microsoft,com are still pinged with no loss)

[evilguest]

Any ideas on the root cause or troubleshooting steps?

[CatalinFetoiu]

hello @evilguest. thanks for your patience

from the logs it looks like we are not properly mirroring all the interfaces and routes from Windows, particularly we don't seem to mirror the IP and routes of the "FIS VPN" interface

can you please do the following to collect new logs? We need to capture "connecting to the VPN" in the logs

disconnect VPN
Run wsl --shutdown
Run .\collect-networking-logs.ps1
Start WSL
connect to the VPN
reproduce the issue
Stop logs