Microsoft Network Connectivity Status Indicator (NCSI) Warning
In rare circumstances the Umbrella Roaming Client can make it more likely for Windows to incorrectly display a “No Internet Access” warning when connectivity is still functioning correctly. This is caused by a limitation in Microsoft’s Network Connectivity Status Indicator feature.
This is primarily a cosmetic issue, in the sense that the client machine does still have full internet connectivity. However, some Microsoft applications such as Outlook, Office365, Skype and OneDrive may not even attempt to connect when this “No Internet Access” warning is displayed.
Please note - If you are seeing a genuine connectivity problem whilst the warning triangle is displayed (such as DNS queries not responding, latency, or websites not loading) then this article isn't the best place to start. This indicates that NCSI is displaying a legitimate warning caused by real network connectivity issues.
NCSI Design Limitation
NCSI uses “Active” DNS probes to validate that internet connectivity is possible on each network interface. Active probing is described in more detail here: https://technet.microsoft.com/en-us/library/cc766017(v=ws.10).aspx
However, these DNS checks are restricted and will not succeed when the DNS server is running on a different interface (such as 127.0.0.1). The Roaming Client runs a DNS forwarder on the loopback interface (127.0.0.1) as part of its core operation, so these specific checks are not compatible with the Roaming Client.
Microsoft engineering are aware of this issue and are currently tracking it. We expect a future Windows update to resolve this problem.
This limitation does not cause any problem in the vast majority of environments, because Windows performs other checks to validate connectivity. See Passive Polling below.
Passive Polling
Windows also uses a technique called ‘Passive Polling’ to monitor for traffic received from the internet. If the “No Internet Access” warning is displayed incorrectly it is likely your environment is affected by an issue with Passive Polling.
Passive Polling works by analyzing the TTL (Time To Live) in the IP header of TCP/UDP packets. The TTL is analyzed to determine how many “hops” the packet has taken to reach the computer. When a received packet has crossed more than the default of 8 hops the system is deemed to have Internet Connectivity.
In some circumstances the Passive Polling technique may be inconsistent, for example:
- Running Windows in a desktop virtual machine such as Parallels Desktop or VMware Fusion/Workstation.
- When other networking software such as firewalls, proxy servers, or certain VPN clients reset the TTL.
- In an environment where there is a low number of packets received from the internet. For example, when Internet Access is strictly locked down.
If you believe you are affected by a Passive Polling issue please contact Microsoft support for assistance.
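The hop test described above, as an added example that is not Microsoft's or Cisco's code: it estimates the hop count from a received TTL and applies the default threshold of 8. The function names, the sample TTLs and the way the sender's initial TTL is guessed are assumptions; how NCSI itself derives the count is not documented on this page.

```powershell
# Added example: estimate hops from a received TTL, as a passive check might.
# ASSUMPTION: the sender's initial TTL is the nearest common default at or
# above the observed value (64, 128 or 255).
function Get-EstimatedHopCount {
    param([Parameter(Mandatory)][ValidateRange(1, 255)][int]$ReceivedTtl)
    $initial = 64, 128, 255 | Where-Object { $_ -ge $ReceivedTtl } | Select-Object -First 1
    return $initial - $ReceivedTtl
}

function Test-PassiveHopThreshold {
    param(
        [Parameter(Mandatory)][int[]]$ReceivedTtl,
        [int]$MinimumHopCount = 8   # default threshold stated in the article
    )
    foreach ($ttl in $ReceivedTtl) {
        $hops = Get-EstimatedHopCount -ReceivedTtl $ttl
        [pscustomobject]@{
            ReceivedTtl       = $ttl
            EstimatedHops     = $hops
            # "more than" the threshold, following the article's wording
            LooksLikeInternet = $hops -gt $MinimumHopCount
        }
    }
}

# Constructed sample TTLs: two that arrived over many hops, two reset to a
# fresh default by an intermediate device (proxy, NAT, VPN), one from nearby.
Test-PassiveHopThreshold -ReceivedTtl 52, 116, 64, 128, 125
```

A packet whose TTL was rewritten to a fresh default shows zero estimated hops, which is why the environments listed above can fail the passive check even though traffic is flowing.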
Hosts File Workaround
This workaround resolves the known issue with the “Active” DNS tests. We recommend creating the following hosts entry:
- Press the Windows key or go to the start menu.
- Type Notepad in the search field.
- In the search input box, right-click Notepad and select Run As Administrator.
- In Notepad, open the following file: C:\Windows\System32\drivers\etc\hosts
- Append the following to the hosts file: 18.104.22.168 dns.msftncsi.com
- Click File and Save.
- Reboot the system.
Note that this may cause NCSI to display that the system is “Connected” in some situations where there is actually limited connectivity. Other applications on the device - such as internet browsers - often implement their own connectivity check mechanism. The Roaming Client does not create issues for these mechanisms. Additionally, this workaround will not affect connectivity checks performed by those applications.
Attached to this document is a file called hostsfile.vbs. This file is a visual basic script that runs on Windows computers. It appends the above entry to the hosts file automatically. This will assist with distributing this change to an entire organization.
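For organizations that deploy with PowerShell, an added example of the same change (this is not the attached hostsfile.vbs and not Cisco's code). The address is a required parameter to be copied from the step above; the `.bak` backup name and the decision to stop when a different mapping already exists are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: append the NCSI hosts entry once, and only once.
param(
    [Parameter(Mandatory)][ipaddress]$Address,   # the address from the step above
    [string]$HostName  = 'dns.msftncsi.com',
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
)

$lines = @(Get-Content -LiteralPath $HostsPath)

# Collect active (non-comment) lines that already map $HostName.
$existing = foreach ($line in $lines) {
    $active = ($line -split '#', 2)[0].Trim()
    if (-not $active) { continue }
    $fields = $active -split '\s+'
    if ($fields.Count -ge 2 -and ($fields[1..($fields.Count - 1)] -contains $HostName)) {
        [pscustomobject]@{ Address = $fields[0]; Line = $line }
    }
}

if ($existing | Where-Object { $_.Address -eq $Address.ToString() }) {
    Write-Output 'Entry already present; nothing to do.'
}
elseif ($existing) {
    # A different mapping exists: report it rather than stacking a second one.
    Write-Warning "$HostName is already mapped to $($existing.Address -join ', '); review manually."
}
else {
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.bak" -Force
    # Start on a new line if the file does not end with one.
    $raw    = [IO.File]::ReadAllText($HostsPath)
    $prefix = if ($raw -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    Add-Content -LiteralPath $HostsPath -Value "$prefix$Address`t$HostName" -Encoding ASCII
    Write-Output "Added '$Address $HostName' (backup at $HostsPath.bak). Reboot to apply."
}
```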
Use the Cisco AnyConnect Roaming Security Module
Our Cisco AnyConnect module works in a similar way to the standard Roaming Client, but has a different method of intercepting DNS traffic: it uses a kernel driver rather than modifying DNS server settings on the network interface. Therefore this product is not affected by the NCSI limitation.
We recommend that Cisco AnyConnect customers migrate to the Umbrella Security Module.
Adjust Passive Polling Parameters
Passive Polling can be adjusted to make the system more likely to recognize internet traffic. Whereas the hosts file workaround effectively disables NCSI, adjusting passive polling parameters maintains NCSI functionality. The drawback is that it may not work in every scenario. Microsoft recommends adding the following registry keys:
- Disable Active Probing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\EnableActiveProbing = 0 (DWORD)
- Reduce the Passive Hop count threshold to 1 (this is the minimum):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\MinimumInternetHopCount = 1 (DWORD)
- Double (or more) the Passive Polling period:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\PassivePollPeriod = 30 (DWORD)
If any of the registry keys do not exist they should be created. Please reboot the system after making these changes.
Whilst these registry keys should make it far more likely that passive polling will succeed, they will not necessarily resolve the problem for every environment. Please contact Microsoft Support for assistance in troubleshooting Passive Polling.
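The three registry values above, applied with a script that first reports what is currently set. This is an added example, not code from Microsoft or Cisco; the structure and messages are assumptions, while the key path, value names and data are the ones listed above.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, then set, the three NlaSvc values listed above.
[CmdletBinding(SupportsShouldProcess)]
param()

$key = 'HKLM:\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet'
$desired = [ordered]@{
    EnableActiveProbing     = 0    # disable active probing
    MinimumInternetHopCount = 1    # minimum passive hop threshold
    PassivePollPeriod       = 30   # value given in the article
}

# Create the key if it does not exist yet.
if (-not (Test-Path -LiteralPath $key)) {
    if ($PSCmdlet.ShouldProcess($key, 'Create key')) { New-Item -Path $key -Force | Out-Null }
}

$changed = $false
foreach ($name in $desired.Keys) {
    # A missing value reads back as $null, which is distinct from 0.
    $current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
    $shown   = if ($null -eq $current) { '<not set>' } else { $current }
    if ($current -eq $desired[$name]) {
        Write-Output "$name = $shown (already as required)"
        continue
    }
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD $($desired[$name]) (was $shown)")) {
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
            -Value $desired[$name] -Force | Out-Null
        $changed = $true
    }
}
if ($changed) { Write-Warning 'Values changed; reboot the system for them to take effect.' }
```

Running the script with `-WhatIf` lists the changes it would make without writing to the registry.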
Install Windows 7 Hotfix 2964643
Windows 7 customers should also ensure the following Microsoft Hotfix is installed:
This hotfix can be used in conjunction with any of the workarounds and options documented above.