Lenovo laptop with Windows 10 Enterprise - can't access local subnet resources

  • Question

  • Hello

    I have an issue with some of our users' laptops. When a user tries to connect to resources that are placed in the same subnet as the laptop, the connection fails. Here are the details:

    1) The user can't open intranet web sites using Google Chrome. The error message says "Your internet access is blocked - ERR_NETWORK_ACCESS_DENIED". At the same time I can open any internet sites, and I can open the same intranet site using Internet Explorer or Edge.

    2) From the same laptop I can't make an RDP connection to workstations or servers in the same subnet, but I can make an RDP connection to workstations or servers located in other subnets.

    3) Other connections to the same resources, like access to server shares, work.

    4) An RDP connection to the laptop which has the issue from another workstation in the same subnet works.

    5) In the same subnet there are laptops and workstations that don't have any connection issues to the same resources.

    6) The IPv4 route table is the same as for working laptops.

    These are the things I tried to fix the issue, but they didn't work:

    * Disabled firewall and Windows Defender - there are no third-party antivirus or firewalls installed

    * Network settings reset and complete driver reinstall

    * Switching from Wi-Fi to cable connection and vice versa (the IP range for Wi-Fi and cable connection is the same and is controlled by the same DHCP server) - looks like the connection works for 2-4 seconds during switchover but then stops again

    * Removing the laptop from the domain and joining it back

    * Disabling all group policies

    * Disabling IPv6

    * Provided a different IP address that worked for other workstations

    The only thing that helped was a complete Windows reinstall. Maybe someone has had similar issues and can help with advice?

    Best Regards

    Janis

    Wednesday, September 4, 2019 8:44 AM

Answers

  • Hi

    Figured it out. The problem was with Microsoft 365 Device Management -> Client apps -> App protection policies

    There was a policy that prevented access to the enterprise network for all apps that are not specified in the policy.

    Best regards

    Janis

    • Marked as answer by Janis Zimelis Friday, September 20, 2019 4:42 PM
    Friday, September 20, 2019 4:42 PM

All replies

  • Hello

    I have an issue with some of our users' laptops. When a user tries to connect to resources that are placed in the same subnet as the laptop, the connection fails. Here are the details:

    1) The user can't open intranet web sites using Google Chrome. The error message says "Your internet access is blocked - ERR_NETWORK_ACCESS_DENIED". At the same time I can open any internet sites, and I can open the same intranet site using Internet Explorer or Edge.


    Hi Janis,

    Google Chrome is not a Microsoft product and it won't be possible for us to help you as far as the Google Chrome issue is concerned.

    You can try IE11 or Microsoft Edge and check the issue.


    S.Sengupta, Microsoft MVP Windows and Devices for IT, Windows Insider MVP

    Thursday, September 5, 2019 8:05 AM
  • Hi,

    >>The user can't open intranet web sites using Google Chrome. The error message says "Your internet access is blocked - ERR_NETWORK_ACCESS_DENIED". At the same time I can open any internet sites, and I can open the same intranet site using Internet Explorer or Edge.

    Did you install any network management tools? Could you please perform a clean boot as a test? Check if the error still occurs.

    For how to perform a clean boot in Windows, please refer to the following link:

    How to perform a clean boot in Windows

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, September 5, 2019 9:49 AM
  • Hi

    @S.Sengupta - Google Chrome in this case is not the main issue; it is only one of the symptoms that could help with troubleshooting. We can use IE11 or Edge, but this doesn't solve the issue with the Remote Desktop connection.

    @Candy Luo - thank you for the advice. I will try to perform a clean boot on 10.09, when the affected user will be in the office, and let you know about the results.

    Best Regards,

    Janis

    Thursday, September 5, 2019 11:54 AM
  • Hi,

    I will wait for your good news.

    Best Regards,

    Candy



    Friday, September 6, 2019 3:31 AM
  • Hi

    Managed to test clean boot today - no success :(

    • Ping to internal address works
    • Access to file share works
    • Remote desktop connection fails

    Best Regards

    Janis

    Friday, September 6, 2019 12:32 PM
  • Hi

    I installed Wireshark on the affected workstation and found that no packets are generated if I try to make an RDP connection to a local subnet address, but when I try to make an RDP connection to another subnet, packets are generated.

    Best Regards

    Janis

    Monday, September 9, 2019 9:39 AM
  • Hi,

    Sorry for the delayed response.

    >>I installed Wireshark on the affected workstation and found that no packets are generated if I try to make an RDP connection to a local subnet address

    Please refer to the following steps:

    1. Download and install Process Monitor v3.5 on the problematic server.

    2. Open Process Monitor, press “Ctrl+E” to “suspend” it, and “Ctrl+X” to clear the present process information.

    3. Press “Ctrl+E” to start Process Monitor again.

    4. Reproduce your issue, then press “Ctrl+E” to “suspend” it again, then save the present log (Ctrl+S). Save all events as normal.pml and issue.pml.

    Compare normal.pml with issue.pml to see if there are some processes restricting the RDP connection.

    For how to use process monitor, you could refer to the following link:

    Process Monitor v3.52

    Best Regards,

    Candy






    Tuesday, September 10, 2019 9:44 AM
  • Hi

    @Candy Luo - thank you for the advice. I think Process Monitor will show the same processes, because we change the destination IP in the same RDP client session, and the local subnet IP fails, but the other subnet IP works.

    We found that the Windows 10 firewall logs dropped packets when we try to connect to a local subnet address. Here is one line:

    DROP TCP 192.168.7.78 192.168.7.2 55117 3389 0 - 0 0 0 - - - SEND

    If in the same RDP session I connect to some other subnet IP, the connection will succeed. It looks like the issue is with the firewall, but we can't find the root cause; all these steps don't help:

    1) Disabling the firewall

    2) Restoring the firewall default policies

    3) Removing the workstation from the domain.

    Is there a way to trace firewall activity in more detail? The standard logs don't show the reason or the rule which drops the packet.

    Best Regards,

    Janis

    Friday, September 13, 2019 2:13 PM
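
The drop line quoted in the post above follows the Windows Firewall `pfirewall.log` field layout, so the "same subnet fails, other subnet works" pattern can be confirmed from the log itself. The following is an added example, not code from the thread: the function names, the timestamps, every sample row except the quoted DROP, and the /24 mask are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in pfirewall.log format; only the DROP to 192.168.7.2
# mirrors the line quoted in the thread (timestamps and other rows are made up).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-09-13 14:01:07 DROP TCP 192.168.7.78 192.168.7.2 55117 3389 0 - 0 0 0 - - - SEND
2019-09-13 14:01:10 DROP TCP 192.168.7.78 192.168.7.2 55118 3389 0 - 0 0 0 - - - SEND
2019-09-13 14:02:31 ALLOW TCP 192.168.7.78 192.168.20.15 55130 3389 0 - 0 0 0 - - - SEND
2019-09-13 14:03:02 ALLOW TCP 192.168.7.78 192.168.7.2 55141 445 0 - 0 0 0 - - - SEND
2019-09-13 14:03:40 DROP UDP 192.168.7.91 192.168.7.255 137 137 78 - - - - - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or garbled rows
                yield dict(zip(fields, values))

def outbound_drops_by_scope(text, local_net):
    """Count outbound DROPs per (scope, dst-ip, dst-port); scope is on-link or routed."""
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec["path"] != "SEND":
            continue  # inbound drops and allowed traffic are not the symptom
        try:
            dst = ipaddress.ip_address(rec["dst-ip"])
        except ValueError:
            continue
        scope = "on-link" if dst in net else "routed"
        counts[(scope, rec["dst-ip"], rec["dst-port"])] += 1
    return counts

if __name__ == "__main__":
    # Assumption: the laptop's subnet is 192.168.7.0/24 (the thread gives no mask).
    for key, n in outbound_drops_by_scope(SAMPLE_LOG, "192.168.7.0/24").items():
        print(n, *key)
```
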
  • Forgot to mention that there is no "Block the connection" in the firewall outbound rules.
    Friday, September 13, 2019 2:42 PM
  • Hi

    Looks like we found how to reproduce the issue. When we add an Office365 email account in Outlook 2016, during setup there is an option "Allow organization to manage my device". If this option is enabled, the Azure account is also added under Windows Settings -> Accounts -> Access work or school. And this is when the fun begins. It looks like some policy from Office365 starts to block the local subnet, but we can't find which, because the Office365 configuration is with default settings. If we remove this account, everything starts to work.

    We have an on-premise domain and an Office365 domain that are not synced. The on-premise domain controller is located in the subnet which has the issues. Both domain names are the same. Maybe this is the reason?

    Best regards

    Janis

    Friday, September 20, 2019 2:13 PM