Windows Endpoint VPN and Network Connectivity Failure — Adapter, DNS, Tunnel, and Stack Triage

Indicators

• VPN client reports 'Not Connected' or drops intermittently — no specific error code visible in the client UI
• Internal DNS names fail to resolve over VPN tunnel — nslookup against VPN-assigned DNS server returns timeout or SERVFAIL
• ipconfig /all shows VPN adapter present but with no default gateway or incorrect DNS server assignments
• Event Viewer Microsoft-Windows-VPN-Client/Operational log contains authentication errors, IKE negotiation failures, or certificate validation errors
• Event Viewer Microsoft-Windows-NetworkProfile/Operational log shows unexpected network profile changes (e.g., adapter classified as Public instead of Domain or Private)
• ping to VPN gateway IP succeeds but ping to internal resources over tunnel fails, indicating routing or split-tunnel misconfiguration
• netsh winsock show catalog returns corrupt or unexpected entries after a Windows update

Likely causes

• Split-tunnel misconfiguration: VPN routes not pushed correctly, causing DNS queries for internal names to route to LAN DNS servers rather than VPN-assigned DNS servers — results in internal hostname resolution failure
• Windows network stack corruption after a cumulative update: Winsock catalog or TCP/IP stack entries corrupted, causing adapter-level failures not resolvable by adapter reset alone
• VPN profile corruption or desync: Locally cached VPN profile diverged from the Intune or GPO baseline, causing negotiation mismatches or missing authentication parameters
• Network adapter driver regression: A cumulative update or OEM driver update introduced instability in the virtual or physical NIC used by the VPN client, causing intermittent drops
• Certificate expiry or chain trust failure: The client or server certificate used for IKEv2/SSTP VPN authentication has expired or the intermediate CA is not trusted on the endpoint

Diagnostic steps

1. Run 'ipconfig /all' and review the output — confirm all adapter states (up/down), check DNS server assignments per adapter, verify default gateway presence, and note whether the VPN adapter appears and has a valid IP assignment.
   Determines whether the VPN adapter is present and has been correctly configured by the OS, distinguishing between a missing adapter (driver/profile issue), a connected-but-misconfigured adapter (split-tunnel or DNS issue), and a physical connectivity failure.
2. Open Event Viewer (eventvwr.msc) and navigate to Applications and Services Logs > Microsoft > Windows > VPN-Client > Operational. Review the most recent entries for errors relating to IKE negotiation, certificate validation, or authentication rejection. Then check Applications and Services Logs > Microsoft > Windows > NetworkProfile > Operational for unexpected network profile changes.
   Identifies VPN-specific failure modes such as IKE phase failures, certificate errors, or authentication rejections, and separately identifies OS-level network classification changes that may block VPN connectivity.
3. Test layer-by-layer connectivity: first run 'ping <VPN gateway IP>' to confirm basic IP reachability. If tunnel establishes, run 'ping <internal resource IP>' to test tunnel routing. Then run 'nslookup <internal hostname> <VPN DNS server IP>' to test DNS resolution specifically against the VPN-assigned DNS server, bypassing LAN DNS servers.
   Isolates the failure layer — routing failure (VPN gateway reachable but internal IPs unreachable indicates split-tunnel route missing), vs DNS failure (routing works but internal names fail to resolve indicates DNS is routing to LAN servers).
4. Run 'netsh winsock show catalog' and review for unexpected or corrupt entries. Also run 'netsh int ip show config' to review TCP/IP configuration per adapter. If the output shows malformed entries or the command returns errors, proceed to network stack reset in the resolution path.
   Identifies network stack corruption that is not visible from adapter properties — Winsock or TCP/IP stack corruption can cause intermittent connectivity failures that persist through adapter disable/enable cycles.
5. Check the Windows System event log for any Event ID 7036 (service state change) entries for the VPN-related services (e.g., RasMan, IkeExt, PolicyAgent) and confirm all are Running. Run 'sc query RasMan', 'sc query IkeExt', 'sc query PolicyAgent' to verify service states.
   A stopped or failed RasMan (Remote Access Connection Manager), IkeExt (IKE and AuthIP IPsec Keying Modules), or PolicyAgent (IPsec Policy Agent) service will prevent VPN tunnel establishment entirely, even if the client UI appears functional.

Resolution path

• Step 1 — Restart dependent VPN services if any are stopped: run 'net start RasMan', 'net start IkeExt', 'net start PolicyAgent' from an elevated command prompt. Attempt VPN reconnection after each service restart to confirm whether a stopped service was the sole cause.
• Step 2 — Flush DNS cache and reset DNS resolver: run 'ipconfig /flushdns' to clear stale cached entries, then retry DNS resolution with 'nslookup <internal hostname> <VPN DNS server IP>'. If split-tunnel DNS routing is the issue, verify the VPN profile's DNS suffix and route configuration via 'Get-VpnConnection | Select-Object -ExpandProperty Routes' and 'Get-VpnConnection | Select-Object -ExpandProperty DnsConfig'.
• Step 3 — Reset the Windows network stack if Winsock corruption or TCP/IP stack damage is suspected: from an elevated command prompt, run 'netsh winsock reset' followed by 'netsh int ip reset'. Restart the machine after both commands complete. WARNING: this will reset all custom Winsock entries and static IP configurations — document existing settings before proceeding.
• Step 4 — Remove and re-provision the VPN profile if profile corruption is suspected: run 'Remove-VpnConnection -Name "<ProfileName>" -Force' (user tunnel) or remove the device tunnel equivalent, then trigger a policy sync from Intune (Settings > Accounts > Access work or school > Sync) or a 'gpupdate /force' to re-push the VPN profile from the management baseline.
• Step 5 — If adapter driver regression is suspected following a recent update, open Device Manager, locate the affected network adapter, select 'Update driver > Browse my computer > Let me pick from a list', and roll back to the previously known-good driver version. Alternatively, use 'pnputil /enum-drivers' to identify installed driver versions and 'pnputil /delete-driver <oem#.inf> /uninstall' to remove the problematic driver before reinstalling the stable version.

Prevention

• Maintain a documented VPN profile configuration baseline in Intune or Group Policy and enforce automatic profile re-provisioning on policy sync — ensures profiles can be rapidly restored without manual intervention if corruption occurs.
• Implement proactive network adapter driver management using an approved OEM driver catalog with ring-based deployment (test group before broad rollout) — prevents adapter-level regressions from driver updates reaching the full fleet simultaneously.
• Configure Always On VPN device tunnel where possible so machine-level VPN connectivity is established before user logon — reduces user-level profile corruption exposure and ensures management channel remains available even if user tunnel fails.
• Capture Winsock catalog baseline ('netsh winsock show catalog > winsock-baseline.txt') on known-good endpoints and store in the endpoint management system — provides a reference for detecting and recovering from Winsock corruption without requiring reinstallation media.

Tools

• ipconfig — network adapter state, IP, DNS, and gateway enumeration
• ping — ICMP reachability testing at each network layer
• nslookup — DNS resolution testing against specific DNS server targets
• netsh — Winsock catalog inspection and network stack reset
• eventvwr.msc (Event Viewer) — VPN-Client/Operational and NetworkProfile/Operational log review
• sc query — Windows service state verification
• rasphone / rasdial — command-line VPN connection management for Always On VPN profiles

References

• Microsoft Docs — Always On VPN Troubleshooting
• Microsoft Docs — netsh winsock reset
• Source batch entry: VPN/networking triage category — Triage Manual Batch