No inbound connectivity after disconnecting from VPN client RRS feed

  • Question

  • Briefly:

    • We have a VPN client that creates a virtual network adapter.
    • We control what traffic will go across the VPN tunnel by manipulating DNS entries and the routing table such that Windows believes the proper route to get to the destination is through the virtual adapter.
    • When customers wish to force all traffic to go across the VPN tunnel (so that it may be inspected by a corporate firewall) we create a default route or a series of routes describing ( -, depending on which client the user has on their system (we have multiple clients that exhibit the behavior)
    • After connecting to such an environment (all works well) and disconnecting, we reset the DNS and routing to what they were previously (verified by diff).
    Under the above circumstances (a connect and subsequent disconnect) under only Windows 7 (not XP, we have not tested Vista to my knowledge), the client exhibits the following behavior:
    • Inbound connectivity to the client fails from machines on the same physical network-- with the exception of ARP -- packet captures show the packets arriving at the machine -- UNTIL the client makes an outbound connection to a machine on the physical network.
    • This behavior continues AFTER we uninstall the VNA.
    • After "fixing" the condition by making an outbound connection, the condition can be triggered again by visiting some (not all) SSL enabled websites (https) without using the VPN client at all.
    • The VPN client does not have a firewall component, nor is the Windows firewall enabled -- despite this having symptoms that suggest a firewall is blocking traffic.
    What forum would best be able to assist us?
    What extra tools would be needed to examine the issue (we've completely removed ourselves from the environment, but the problem persists afterwards -- there is something broken in windows networking after we leave the picture)?

    (We have much extra troubleshooting data available, but I wanted to keep the post brief).


    Thursday, October 21, 2010 12:45 PM