Office 2013 reports no internet connectivity with VPN connection


While using a VPN connection with Office 2013, users have reported that they are unable to connect to the internet within Office, causing some Office 2013 functionality not to work as expected.

Scenarios we have seen include: 
1.   Word 2013 unable to insert online pictures

ERROR:  "You need an internet connection to insert online pictures"

2.  Office Account Connected Services shows no internet connectivity

ERROR:    "NO INTERNET CONNECTION  Connect to the Internet to add or manage services"

3.  Attempting to launch help via F1 will bring up the Help interface, but it will report that the client is not connected to the internet

4. Attempting to access SharePoint or Check Out Documents from SharePoint results in errors such as:

        "Cannot checkout any document on SharePoint 2013 without internet connection"
        "Unable to connect right now. Check network and try again"

Additional Symptoms:

Checking the status of the network adapters in the Windows Network and Sharing Center will show that the VPN adapter does not have internet access.


Two terms to define first:
NLA – Network Location Awareness
NCSI – Network Connection Status Indicator

Customers have reported this issue using VPN solutions from both Juniper Networks and Palo Alto Networks.  We are sure there are other VPN clients that we don’t know about that are also impacted.

There is a service running on each Windows 7 machine that is called “Network Location Awareness”.  This service is responsible for determining the state of the network connections on the machine.  The information about the network connections is stored and accessed by the service “Network List Manager”.   Applications like Office 2013 can implement the Network List Manager interface to be able to get the state of the computer network connections and what connectivity each adapter has.  This allows the application to simplify their code and simply “ask the OS” what the network state is. 

For the customer reported issues, the third party VPN clients in use happen to not define a default gateway.  This may display as a default gateway of in the ipconfig output.  This is not really an issue for typical networking.  Customers may notice that they can get to network resources, and they do have connectivity to the internet.  The problem here is that NCSI depends on the default gateway to decide if it should “probe” the network connection to decide if it has an internet connection.  The way that NCSI probes the network is it attempts to connect to and retrieve a file called ncsi.txt.  If it can retrieve that file, it marks the connection as having internet access.  When the VPN adapter connection connects, and NCSI detects that a connection was made on an adapter interface.  NCSI will attempt to probe the connection, but since there is no default gateway on the VPN adapter it attempts to send the probe packets out the adapter with a default gateway and that fails since the VPN connection is active.  When this probe attempt fails, NCSI marks the adapter as having LOCAL connectivity.  Office 2013 is checking for INTERNET connectivity before attempting to connect to the online functionality such as online pictures or F1 HELP resources.

To resolve this issue, install the hotfix that is described in the article below.

2964643 Third-party VPN client stops Internet connectivity in Windows 7 SP1 or Windows Server 2008 R2 SP1