iOS 17: VPN configured as Full tunnel with Tunnel routes blocking the internet connection across the device. Need to restart the device to bring internet connection back

Issue Description:

When VPN packet tunnel provider is configured as Full tunnel with Tunnel routes as below,

tunnelProvider.protocolConfiguration.includeAllNetworks = YES; 
tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; 
tunnelProvider.protocolConfiguration.enforceRoutes = NO;

and saved to NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler”. After saving the configuration to preferences and receiving the NEVPNConfigurationChangeNotification, we start the tunnel using “startVPNTunnelWithOptions”.

We are not able to connect to the VPN only on iOS 17 and above devices, and the internet is blocked throughout the device after trying to start the tunnel. Once this issue occurs, the device needs to be restarted to get the internet connection back.

On iOS 16 and Below:

Able to successfully connect and start the VPN tunnel.

On iOS 17 and Later:

Not able to connect to the VPN. The VPN tunnel status changes from connecting to disconnected. Internet on the device is blocked after the VPN gets disconnected. The device needs to be restarted to get the internet connection back.

We can see the below device console logs:

After applying the above NETunnelProviderManager preferences and starting the tunnel, we can see that the VPN status changes to connecting:

14:59:22.599515+0530 nesessionmanager NESMVPNSession[Primary Tunnel:SomeServerAddressXYZ:(null)]: status changed to connecting

Later we can see the status change to Disconnected:

14:59:23.588634+0530 nesessionmanager NESMVPNSession[Primary Tunnel:SomeServerAddressXYZ:(null)]: status changed to disconnected, last stop reason None

14:59:23.589042+0530. nesessionmanager NESMVPNSession[Primary Tunnel:SomeServerAddressXYZ:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)

After this, we receive the NEVPNStatusChanged notification in our application, and the NEVPNStatus has changed to Disconnected.

When we checked the reason for the disconnect using “fetchLastDisconnectErrorWithCompletionHandler” on NEVPNConnection, we saw the below:

Error string : The VPN session failed because an internal error occurred

Error code : 12

After some time I see that the VPN status changes back to connecting:

14:59:24.615125+0530 nesessionmanager NESMVPNSession[Primary Tunnel:bng-pcs-gateway.pulsesecure.net/pulse:24711A15-54C6-44C7-987D-65B7BFF3F294:(null)]: status changed to connecting

But by this time there is no internet connection across the device.

Steps to reproduce:

  1. Configure the VPN packet tunnel provider as Full tunnel with Tunnel routes (as mentioned above)
  2. Save the configuration to NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler”
  3. Try to connect to the VPN
  4. On iOS 17 and above it is observed that we are not able to connect to the VPN and the internet connection on the device is blocked

Queries: From the above observations, my queries are:

  1. Why are we receiving the Disconnected state during connection?
  2. Why is this issue occurring only with iOS 17 and above devices?
  3. What changes were specifically made around the tunnel from iOS 17 and above?

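The procedure the post describes (configure a full tunnel, save, wait for NEVPNConfigurationChangeNotification, start, then fetch the stored disconnect error) as one Objective-C controller. This is an added example and not the poster's code or Apple sample code; the provider bundle identifier, server address and the `offerRecovery` step are assumptions, and the reload-before-start step is a general NetworkExtension practice rather than something the thread establishes. The point a practitioner wants visible here is that `includeAllNetworks = YES` is the fail-closed setting, so a tunnel that never reaches Connected leaves the device with no path to the network, which is exactly the symptom reported; the app therefore needs to log the full disconnect error (domain and code, not only the generic message) and give the user a way out other than a reboot.

```objectivec
// Added example, not the poster's code. Bundle identifier and server address
// are placeholders; offerRecovery is an assumed mitigation, see its comment.
#import <Foundation/Foundation.h>
#import <NetworkExtension/NetworkExtension.h>

@interface FullTunnelController : NSObject
@property (nonatomic, strong) NETunnelProviderManager *manager;
@property (nonatomic, strong) id<NSObject> configObserver;
@property (nonatomic, strong) id<NSObject> statusObserver;
- (void)configureAndStart;
@end

@implementation FullTunnelController

- (void)configureAndStart {
    [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:
     ^(NSArray<NETunnelProviderManager *> *managers, NSError *loadError) {
        if (loadError) { NSLog(@"loadAll failed: %@", loadError); return; }

        // Reuse the saved manager if one exists so we do not create duplicates.
        NETunnelProviderManager *m = managers.firstObject ?: [[NETunnelProviderManager alloc] init];
        NETunnelProviderProtocol *proto = [[NETunnelProviderProtocol alloc] init];
        proto.providerBundleIdentifier = @"com.example.app.PacketTunnel"; // placeholder
        proto.serverAddress = @"SomeServerAddressXYZ";                  // placeholder, as in the post

        // The three settings from the post. includeAllNetworks is the fail-closed
        // choice: traffic is committed to the tunnel, so if the tunnel never
        // reaches Connected the device has no network path at all.
        proto.includeAllNetworks = YES;
        proto.excludeLocalNetworks = NO;
        proto.enforceRoutes = NO;

        m.protocolConfiguration = proto;
        m.localizedDescription = @"Example full tunnel";
        m.enabled = YES;
        self.manager = m;

        [self observeStatus];
        [self startAfterConfigurationChange];
        [m saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError) { NSLog(@"save failed: %@", saveError); }
        }];
    }];
}

// Start only once the system reports the new configuration, and reload first so
// the manager holds the persisted copy rather than the in-memory one.
- (void)startAfterConfigurationChange {
    __weak typeof(self) weakSelf = self;
    self.configObserver = [[NSNotificationCenter defaultCenter]
        addObserverForName:NEVPNConfigurationChangeNotification
                    object:self.manager
                     queue:[NSOperationQueue mainQueue]
                usingBlock:^(NSNotification *note) {
        __strong typeof(weakSelf) strongSelf = weakSelf;
        if (!strongSelf) return;
        [[NSNotificationCenter defaultCenter] removeObserver:strongSelf.configObserver];
        [strongSelf.manager loadFromPreferencesWithCompletionHandler:^(NSError *reloadError) {
            if (reloadError) { NSLog(@"reload failed: %@", reloadError); return; }
            NSError *startError = nil;
            if (![strongSelf.manager.connection startVPNTunnelWithOptions:nil
                                                           andReturnError:&startError]) {
                NSLog(@"startVPNTunnel failed: %@", startError);
            }
        }];
    }];
}

// Track the transitions the post logged (connecting -> disconnected) and, on a
// disconnect, record the reason the system kept for this session.
- (void)observeStatus {
    __weak typeof(self) weakSelf = self;
    self.statusObserver = [[NSNotificationCenter defaultCenter]
        addObserverForName:NEVPNStatusDidChangeNotification
                    object:nil
                     queue:[NSOperationQueue mainQueue]
                usingBlock:^(NSNotification *note) {
        __strong typeof(weakSelf) strongSelf = weakSelf;
        NEVPNConnection *conn = note.object;
        if (!strongSelf || conn != strongSelf.manager.connection) return;
        NSLog(@"VPN status: %ld", (long)conn.status);
        if (conn.status != NEVPNStatusDisconnected) return;

        [conn fetchLastDisconnectErrorWithCompletionHandler:^(NSError *disconnectError) {
            // Log domain and code, not only the generic description, so an
            // entry like the "internal error, code 12" one in the post can be
            // matched against the NEVPNConnectionError constants in the SDK.
            if (disconnectError) {
                NSLog(@"last disconnect: domain=%@ code=%ld desc=%@",
                      disconnectError.domain, (long)disconnectError.code,
                      disconnectError.localizedDescription);
            }
            [strongSelf offerRecovery];
        }];
    }];
}

// Assumed recovery path for the fail-closed state: disable the configuration so
// the system stops committing traffic to a tunnel that is not up. Whether this
// restores connectivity without a reboot on the affected iOS 17 builds is not
// established by the thread; it is what an app should offer before a reboot.
- (void)offerRecovery {
    self.manager.enabled = NO;
    [self.manager saveToPreferencesWithCompletionHandler:^(NSError *error) {
        if (error) { NSLog(@"disable failed: %@", error); }
    }];
}

@end
```

Call `[[FullTunnelController new] configureAndStart]` from the app and keep the controller alive for the lifetime of the session; the observers hold weak references and are released with it.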
Replies

Given that this is a clear regression, I recommend that you file a bug about it.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"