WSL unable to talk to internet after VPN connection (NOT DNS)

[jwitko]

Please fill out the below information:

• Your Windows build number: (Type ver at a Windows Command Prompt)
  Microsoft Windows [Version 10.0.17763.557]

• What you're doing and what's happening:
  I am able to reach the internet on WSL without issue. When I connect to a VPN (This has happened to me on multiple windows versions across multiple PCs) I can no longer route traffic to the internet. The VPN is Cisco AnyConnect Secure Mobility Client, but it has happened with OpenVPN too in the past. This does not happen to my co-worker who has the same laptop with the same managed OS from the same company.

I also want to be clear this is not a DNS issue as is commonly reported with VPN on WSL. An example of proof is that ping 8.8.8.8 along with any other internet addresses is failing, as well as any other attempt to connect to an external internet address. Traffic to VPN internal addresses still works.

• What's wrong / what should be happening instead:
  Traffic should still be able to take an appropriate path (Whether through the vpn interface or wifi interface) to the internet.

• Strace of the failing command, if applicable: https://gist.github.com/jwitko/878e6905dc2130555201f3cdedc5ad9c

Some verbose curl examples:
before vpn

jwitko@LAP:~/galorndon-infra$ curl -vvv https://www.microsoft.com
* Rebuilt URL to: https://www.microsoft.com/
*   Trying 23.194.176.233...
* TCP_NODELAY set
*   Trying 2600:141b:5000:5a1::356e...
* TCP_NODELAY set
* connect to 2600:141b:5000:5a1::356e port 443 failed: Connection refused
*   Trying 2600:141b:5000:5aa::356e...
* TCP_NODELAY set
* connect to 2600:141b:5000:5aa::356e port 443 failed: Connection refused
* Connected to www.microsoft.com (23.194.176.233) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:

after vpn

jwitko@LAP:~/galorndon-infra$ curl -vvv https://www.microsoft.com
* Rebuilt URL to: https://www.microsoft.com/
*   Trying 2600:1406:e800:392::356e...
* TCP_NODELAY set
*   Trying 23.203.187.5...
* TCP_NODELAY set
* connect to 2600:1406:e800:392::356e port 443 failed: Connection refused
*   Trying 2600:1406:e800:391::356e...
* TCP_NODELAY set
* connect to 23.203.187.5 port 443 failed: Connection refused
* connect to 2600:1406:e800:391::356e port 443 failed: Connection refused
* Failed to connect to www.microsoft.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to www.microsoft.com port 443: Connection refused

Note: This actually says connection refused, which is interesting. It takes a very long time to get there so I'm somewhat suspicious this isn't a bug in that it should actually say attempt timed out.

route table:

jwitko@LAP:~/galorndon-infra$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 U     0      0        0 eth2
224.0.0.0       0.0.0.0         240.0.0.0       U     0      0        0 eth2
10.39.255.255   0.0.0.0         255.255.255.255 U     0      0        0 eth2
10.39.224.0     0.0.0.0         255.255.224.0   U     0      0        0 eth2
10.39.224.193   0.0.0.0         255.255.255.255 U     0      0        0 eth2
192.168.1.0     10.39.224.1     255.255.255.0   U     0      0        0 eth2
0.0.0.0         10.39.224.1     255.255.255.255 U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     256    0        0 lo
127.0.0.1       0.0.0.0         255.255.255.255 U     256    0        0 lo
127.255.255.255 0.0.0.0         255.255.255.255 U     256    0        0 lo
224.0.0.0       0.0.0.0         240.0.0.0       U     256    0        0 lo
255.255.255.255 0.0.0.0         255.255.255.255 U     256    0        0 lo
0.0.0.0         192.168.1.1     255.255.255.255 U     0      0        0 wifi0
192.168.1.0     0.0.0.0         255.255.255.0   U     256    0        0 wifi0
192.168.1.184   0.0.0.0         255.255.255.255 U     256    0        0 wifi0
192.168.1.255   0.0.0.0         255.255.255.255 U     256    0        0 wifi0
224.0.0.0       0.0.0.0         240.0.0.0       U     256    0        0 wifi0
255.255.255.255 0.0.0.0         255.255.255.255 U     256    0        0 wifi0
192.168.1.1     0.0.0.0         255.255.255.255 U     0      0        0 wifi0
209.17.40.167   192.168.1.1     255.255.255.255 U     0      0        0 wifi0

eth2 being the VPN interface.

[craigloewen-msft]

If you're still experiencing this issue, please upgrade to the latest build and try it again. Then if you are still seeing this problem after that please collect networking logs for us (instructions here) and post a comment on this thread with a link to the logs so we can easily go find them.

Thank you!

[neileadobe]

I also have this problem. Feedback reported here with logs: https://aka.ms/AA6fthe

[dalgibbard]

Possible dupe of #4277 and #2529

[foobarbecue]

Me too.

[abhijeetchopra]

Replacing the SSL VPN client from Cisco AnyConnect to OpenConnect worked for a colleague.

[dsazonoff]

Same issue here, with latest versions

[jsteenri]

Here's a submission of this failing easily: ping works in WSL 2 w/o VPN, nothing after enabling VPN. VPN is CiscoAnyConnect provided by corporate. Share link: https://aka.ms/AA97xj7

[jsteenri]

Anyone finding themselves here should check the workarounds in #4277, specifically the one that implements a triggered task to change the interface metric of the VPN adapter created routes

[jwitko]

Closing because there are other better issues out there that explain this situation #4289 (comment)