microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

WSL2 no internet/net connection #10421

Open aerophagiano opened 1 year ago

aerophagiano commented 1 year ago

Windows Version

Microsoft Windows [Versione 10.0.19045.3324]

WSL Version

1.2.5.0

Are you using WSL 1 or WSL 2?

Kernel Version

5.15.90.1

Distro Version

Ubuntu 22.04

Other Software

Trellix Endpoint Security 10.7

Repro Steps

Connections time out in WSL2/Ubuntu. For example, open WSL2/Ubuntu and run curl -m 5 -v https://microsoft.com

Failed to connect to microsoft.com port 443 after 4859 ms: Connection timed out

If I run these commands:

    wsl --shutdown
    netsh int ip reset all
    netsh winhttp reset proxy
    ipconfig /flushdns
    netsh winsock reset
    shutdown /r (or manually restart)

After the restart, connections start working again, but only for a brief time span; then they return to timing out.

Expected Behavior

(after running the commands above and restarting)

*   Trying 20.112.250.133:443...
*   Trying 2603:1030:b:3::152:443...
* Immediate connect fail for 2603:1030:b:3::152: Network is unreachable
*   Trying 2603:1030:20e:3::23c:443...
* Immediate connect fail for 2603:1030:20e:3::23c: Network is unreachable
*   Trying 2603:1030:c02:8::14:443...
* Immediate connect fail for 2603:1030:c02:8::14: Network is unreachable
*   Trying 2603:1020:201:10::10f:443...
* Immediate connect fail for 2603:1020:201:10::10f: Network is unreachable
*   Trying 2603:1010:3:3::5b:443...
* Immediate connect fail for 2603:1010:3:3::5b: Network is unreachable
* Connected to microsoft.com (20.112.250.133) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=microsoft.com
*  start date: Aug  8 18:46:02 2023 GMT
*  expire date: Jun 27 23:59:59 2024 GMT
*  subjectAltName: host "microsoft.com" matched cert's "microsoft.com"
*  issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 01
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5648d427c560)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: microsoft.com
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 301
< date: Fri, 25 Aug 2023 13:27:43 GMT
< server: Kestrel
< location: https://www.microsoft.com/
< content-length: 0
< strict-transport-security: max-age=31536000
<
* Connection #0 to host microsoft.com left intact

Actual Behavior

*   Trying 20.112.250.133:443...
*   Trying 2603:1030:b:3::152:443...
* Immediate connect fail for 2603:1030:b:3::152: Network is unreachable
*   Trying 2603:1030:20e:3::23c:443...
* Immediate connect fail for 2603:1030:20e:3::23c: Network is unreachable
*   Trying 2603:1030:c02:8::14:443...
* Immediate connect fail for 2603:1030:c02:8::14: Network is unreachable
*   Trying 2603:1020:201:10::10f:443...
* Immediate connect fail for 2603:1020:201:10::10f: Network is unreachable
*   Trying 2603:1010:3:3::5b:443...
* Immediate connect fail for 2603:1010:3:3::5b: Network is unreachable
* After 2493ms connect time, move on!
* connect to 20.112.250.133 port 443 failed: Connection timed out
*   Trying 20.231.239.246:443...
* After 1144ms connect time, move on!
* connect to 20.231.239.246 port 443 failed: Connection timed out
*   Trying 20.76.201.171:443...
* After 572ms connect time, move on!
* connect to 20.76.201.171 port 443 failed: Connection timed out
*   Trying 20.70.246.20:443...
* After 286ms connect time, move on!
* connect to 20.70.246.20 port 443 failed: Connection timed out
*   Trying 20.236.44.162:443...
* After 142ms connect time, move on!
* connect to 20.236.44.162 port 443 failed: Connection timed out
* Failed to connect to microsoft.com port 443 after 4859 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to microsoft.com port 443 after 4859 ms: Connection timed out

Diagnostic Logs

No response

crimsonvspurple commented 1 year ago

I have to run these commands every time I leave the computer for a while. This started happening since a few weeks after some Windows update. It was fine before for years.

    echo "Restarting WSL Service"
    Restart-Service LxssManager
    echo "Restarting Host Network Service"
    Stop-Service -name "hns"
    Start-Service -name "hns"
    echo "Restarting Hyper-V adapters"
    Get-NetAdapter -IncludeHidden | Where-Object `
        {$_.InterfaceDescription.StartsWith('Hyper-V Virtual Switch Extension Adapter')} `
        | Disable-NetAdapter -Confirm:$False
    Get-NetAdapter -IncludeHidden | Where-Object `
        {$_.InterfaceDescription.StartsWith('Hyper-V Virtual Switch Extension Adapter')} `
        | Enable-NetAdapter -Confirm:$False

From https://github.com/microsoft/WSL/issues/5821

ghost commented 1 year ago

Looks like a duplicate of #10349

ghost commented 1 year ago

@keith-horton, what logs do you want collected for this?

ghost commented 1 year ago

Reopening due to overzealous bot.

keith-horton commented 1 year ago

Hi there.

For the host configuration: collect-wsl-logs.ps1

For the Linux configuration: networking.sh

Then please run WPR with this config file and repro (e.g. try to run curl against a URL). wsl_networking.wprp

aerophagiano commented 1 year ago

Hi, here are the WSL logs (WslLogs-2023-08-30_09-37-39.zip) and the networking.bat output (networking.bat.output.txt).

keith-horton commented 1 year ago

Something is definitely odd. DNS apparently works fine (the Linux DNS servers were updated to not use the NAT DNS proxy, which is just fine) - which means UDP packets are being routed out of the container to the Internet and back again. That's great.

You state that it starts working then eventually stops working. It works after force resetting a lot of network configuration options, at least for a while.

I see there are other virtual network adapters that are connected. I'm guessing these are for the security software you have installed. I don't have visibility into how they are interacting with the NAT'd packets that are injected.

The symptoms you describe strongly suggest this 3rd party software is dropping some of the traffic being sent. We don't see where the packets are being lost (in our layers).

Is there a way to configure your security software to not filter traffic as a test?
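
Added example (not part of the thread and not Microsoft's tooling): a shell function that classifies the per-address outcomes in `curl -v` output like the logs posted above, separating "Network is unreachable" (no route for that address family) from "Connection timed out" (no reply at all, which is what dropped packets look like from the client). The function name and verdict labels are assumptions for illustration; the sample lines are excerpted from the output in the issue.

```shell
#!/bin/sh
# Added example: classify per-address connect outcomes in `curl -v` output.
# Function name and verdict labels are illustrative assumptions.
# Live use inside the distro:
#   curl -m 5 -v https://microsoft.com 2>&1 | classify_curl_log

classify_curl_log() {
  awk '
    # No route for that address family (here: no IPv6 in the distro).
    /Immediate connect fail for .*: Network is unreachable/ { unreachable++; next }
    # SYN sent, nothing came back: no SYN-ACK and no RST.
    /connect to .* failed: Connection timed out/ { timed_out++; next }
    # The peer or a device on the path answered with a reset.
    /connect to .* failed: Connection refused/ { refused++; next }
    /^\* Connected to / { connected++; next }
    END {
      if (connected > 0)        verdict = "ok"
      else if (timed_out > 0)   verdict = "silent-drop"
      else if (refused > 0)     verdict = "refused"
      else if (unreachable > 0) verdict = "no-route"
      else                      verdict = "unknown"
      printf "%s timed_out=%d unreachable=%d refused=%d connected=%d\n", verdict, timed_out, unreachable, refused, connected
    }'
}

# Excerpt of the "Actual Behavior" output from the issue (shortened).
FAILING_LOG='*   Trying 20.112.250.133:443...
* Immediate connect fail for 2603:1030:b:3::152: Network is unreachable
* After 2493ms connect time, move on!
* connect to 20.112.250.133 port 443 failed: Connection timed out
*   Trying 20.231.239.246:443...
* connect to 20.231.239.246 port 443 failed: Connection timed out'

# Excerpt of the "Expected Behavior" output from the issue (shortened).
WORKING_LOG='*   Trying 20.112.250.133:443...
* Immediate connect fail for 2603:1030:b:3::152: Network is unreachable
* Connected to microsoft.com (20.112.250.133) port 443 (#0)'

printf '%s\n' "$FAILING_LOG" | classify_curl_log
printf '%s\n' "$WORKING_LOG" | classify_curl_log
```

A `silent-drop` verdict while name resolution still succeeds is the combination described in the comment above: UDP gets out and back, but TCP connection attempts to port 443 get no answer.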

Jai-GAY commented 1 year ago

Is it the same as what I faced?

CutupAngel commented 2 months ago

Here is the solution. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723