Solved: Network shown no internet after posture complete (warning icon)

Freemen · ‎11-19-2019

After endpoint complaint we allow acl permit ip any any however the window 7 or 10 shown the warning sign. anyway to fix that?

the PC already have internet access / full access.

Damien Miller · ‎11-19-2019

In this case, the limited connectivity is being triggered when the Windows OS tries to reach out to Microsoft but can't. Once the endpoint receives the compliant permit ACL, it can now reach the internet, but Windows doesn't know the test would succeed. Assuming there is no content filtering in the network, this should clear up on its own based on the timers in Windows.

I can't provide you documentation on this, I haven't found any published on the MS site, but I know if you block Microsoft update servers the same thing happens.

This is a function of the network location awareness service within Windows. A test to see if it is in fact the connectivity test would be to right click on the icon which usually initiates a new probe.

Lastly, there is a registry key that controls the probing on this but I wouldn't mess with that.

View solution in original post

Mohammed al Baqari · ‎11-19-2019

This might be related to another security device such as firewall or proxy.
If you config on the switch that show ip access-list interface give you
permit ip any any, then investigate logs in other devices

Freemen · ‎11-19-2019

@Mohammed al Baqari without ISE also same VLAN, they go internet using proxy. so that is no block, do you experience this at other deployment with posture?

ISE 2.6P3

Damien Miller · ‎11-19-2019

In this case, the limited connectivity is being triggered when the Windows OS tries to reach out to Microsoft but can't. Once the endpoint receives the compliant permit ACL, it can now reach the internet, but Windows doesn't know the test would succeed. Assuming there is no content filtering in the network, this should clear up on its own based on the timers in Windows.

I can't provide you documentation on this, I haven't found any published on the MS site, but I know if you block Microsoft update servers the same thing happens.

This is a function of the network location awareness service within Windows. A test to see if it is in fact the connectivity test would be to right click on the icon which usually initiates a new probe.

Lastly, there is a registry key that controls the probing on this but I wouldn't mess with that.

Freemen · ‎11-20-2019

Understand and agree is window got some background to check the internet so the icon can be no warning.

but i cannot find that service to how to manually fix it.

for non IT personel, that icon is really confusing and misleading.

Anurag Sharma · ‎11-20-2019

Hi @Freemen ,

So, basically, this is a Microsoft's way of testing the reachability to their site.

Specifically, this - http://www.msftncsi.com/ncsi.txt and http://ipv6.msftncsi.com/ncsi.txt

You did mention the users go through Proxy. Please go ahead and bypass (or exempt; whatever's applicable) these URLs from the Proxy.

More details on this can be found at the Microsoft article for NCSI (Network Connectivity Status Indicator).

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Freemen · ‎11-26-2019

everything is allow except the ncsi.4-c-0003.c-msedge.net which is down

i open a TAC case to check, share if i get the solution

Freemen · ‎12-17-2019

turned out seam like disable the auto probe is the only way to resolve.