---
title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
ms.topic: troubleshooting
ms.date: 04/07/2025
---

# Troubleshooting UWP App Connectivity Issues

This document is intended to help network admins, support engineers, and developers investigate Universal Windows Platform (UWP) app network connectivity issues. It guides you through the steps to debug such issues using practical examples.

## Typical causes of connectivity issues

UWP app network connectivity issues are typically caused by:

1. The UWP application isn't permitted to receive loopback traffic. This permission must be configured explicitly; by default, UWP applications aren't allowed to receive loopback traffic.
1. The UWP app is missing the proper capability tokens.
1. The private range is configured incorrectly, for example through Group Policy or MDM policies.

To understand these causes more thoroughly, there are several concepts to review.

The traffic of network packets (what's permitted and what's not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app or the private range is configured incorrectly, it affects how the UWP app's network traffic is processed by WFP.

When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped on its way to the target address. Connectivity issues typically happen when the packet doesn't match the conditions of any permitting filter, so it falls through to a default block filter and is dropped.

The presence of the default block filters ensures network isolation for UWP applications. Specifically, it guarantees that a packet is dropped when the app doesn't have the correct capabilities for the resource it's trying to reach.
Such a packet drop enforces the application's granular access to each resource type and prevents the application from escaping its environment. For more information on the filter arbitration algorithm and network isolation, see [Filter Arbitration](/windows/win32/fwp/filter-arbitration) and [Isolation](/windows/win32/secauthz/appcontainer-isolation).

The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues.

> [!NOTE]
> As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the traces collected on previous releases of Windows.

## Debugging UWP App Loopback scenarios

If you need to establish a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback.

To enable loopback for client outbound connections, run the following command at a command prompt (the `-n=` argument takes the app's package family name):

```cmd
CheckNetIsolation.exe LoopbackExempt -a -n=
```

To enable loopback for server inbound connections, run the following command at a command prompt:

```cmd
CheckNetIsolation.exe LoopbackExempt -is -n=
```

You can ensure loopback is enabled by checking the appx manifests of both the sender and receiver. For more information about loopback scenarios, see [Communicating with localhost (loopback)](/windows/iot-core/develop-your-app/loopback).

> [!NOTE]
> If you are in the middle of developing a UWA application and want to test its loopback, make sure to uninstall and re-install the UWA app if the network capabilities change for whatever reason. Also, see [How to enable loopback and troubleshoot network isolation (Windows Runtime apps)](/previous-versions/windows/apps/hh780593(v=win.10)).

## Debugging Live Drops

If the issue happened recently, but you find you aren't able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands.
If you can consistently reproduce the issue, then you can run the following commands in an admin command prompt to gather a fresh trace:

```console
Netsh wfp capture start keywords=19
Netsh wfp capture stop
```

These commands generate a wfpdiag.cab. Inside the .cab is a wfpdiag.xml, which contains any allow or drop netEvents and the filters that existed during that repro. Without "keywords=19", the trace only collects drop netEvents.

Inside the wfpdiag.xml, search for netEvents that have FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with a matching destination IP address, package SID, or application ID name. The characters in the application ID name are separated by periods, for example:

```XML
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e...
```

The netEvent has more information about the packet that was dropped, including its capabilities, the filter that dropped the packet, and much more.

## Case 1: UWP app connects to Internet target address with all capabilities

In this example, the UWP app successfully connects to bing.com [2620:1ec:c11::200].

A packet from a UWP app needs the correct networking capability token for the resource it's trying to reach. In this scenario, the app could successfully send a packet to the Internet target because it had an Internet capability token.

The following shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, remote address, capabilities, etc.

### Classify Allow netEvent, `Wfpdiag-Case-1.xml`

```xml
2020-05-21T17:25:59.070Z
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
FWP_IP_VERSION_V6 6
2001:4898:30:3:256c:e5ba:12f3:beb1 2620:1ec:c11::200 52127 443 0
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
S-1-5-21-2993214446-1947230185-131795049-1000
FWP_AF_INET6
S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
0
FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW
125918 50 0 1 1
0000000000000000
FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
0
125918 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_PERMIT
121167 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

The following is the filter that permitted the packet to be sent to the target address according to the **terminatingFiltersInfo** in the **netEvent**. This packet was allowed by Filter #125918, from the InternetClient Default Rule.

### InternetClient Default Rule Filter #125918, `Wfpdiag-Case-1.xml`

```xml
{3389708e-f7ae-4ebc-a61a-f659065ab24e}
InternetClient Default Rule
InternetClient Default Rule
FWPM_PROVIDER_MPSSVC_WSH
ad2b000000000000 .+......
FWPM_LAYER_ALE_AUTH_CONNECT_V6
FWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWPM_CONDITION_IP_REMOTE_ADDRESS FWP_MATCH_RANGE FWP_RANGE_TYPE FWP_BYTE_ARRAY16_TYPE :: FWP_BYTE_ARRAY16_TYPE ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
FWPM_CONDITION_ORIGINAL_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_CURRENT_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_ALE_USER_ID FWP_MATCH_EQUAL FWP_SECURITY_DESCRIPTOR_TYPE O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
FWP_ACTION_PERMIT
0
125918
FWP_UINT64 103079219136
```

### Capabilities Condition in Filter #125918, `Wfpdiag-Case-1.xml`

```xml
FWPM_CONDITION_ALE_USER_ID FWP_MATCH_EQUAL FWP_SECURITY_DESCRIPTOR_TYPE O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
```

This condition enables checking capabilities in this filter. The important part of this condition is **S-1-15-3-1**, which is the capability SID for **INTERNET_CLIENT** privileges.

The capabilities section of the **netEvent** in `Wfpdiag-Case-1.xml` lists:

```xml
FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
```

These capabilities show the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**), which matches the capability SID in the filter. All the other conditions of the filter are also met, so the packet is allowed.

Note that the only capability token required for the packet to reach bing.com was the Internet client token, even though the packet in this example carried all capabilities.

## Case 2: UWP app can't reach Internet target address and has no capabilities

In this example, the UWP app is unable to connect to bing.com [2620:1ec:c11::200]. The following is the drop netEvent that was captured in the trace.

### Classify Drop netEvent, `Wfpdiag-Case-2.xml`

```xml
2020-03-30T23:53:09.720Z
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
FWP_IP_VERSION_V6 6
2001:4898:1a:1045:8469:3351:e6e2:543 2620:1ec:c11::200 63187 443 0
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
S-1-5-21-2788718703-1626973220-3690764900-1000
FWP_AF_INET6
S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
0
FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
68893 50 0 1 1
MS_FWP_DIRECTION_OUT false 0 0
0000000000000000
0
68893 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_BLOCK
68879 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

The first thing that you should check in the **netEvent** is the capabilities field. In this example, the capabilities field is empty, indicating that the UWP app wasn't configured with any capability tokens that would allow it to connect to a network.

### Internal Fields from netEvent, `Wfpdiag-Case-2.xml`

```xml
0000000000000000
0
68893 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_BLOCK
68879 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

The **netEvent** also shows information about the filter that explicitly dropped this packet, such as the **FilterId**, listed under classify drop.

### Classify Drop from netEvent, `Wfpdiag-Case-2.xml`

```xml
68893 50 0 1 1
MS_FWP_DIRECTION_OUT false 0 0
```

If you search for filter #68893 in `Wfpdiag-Case-2.xml`, you'll see that the packet was dropped by a Block Outbound Default Rule filter.

### Block Outbound Default Rule Filter #68893, `Wfpdiag-Case-2.xml`

```xml
{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}
Block Outbound Default Rule
Block Outbound Default Rule
{4b153735-1049-4480-aab4-d1b9bdc03710}
b001000000000000 ........
FWPM_LAYER_ALE_AUTH_CONNECT_V6
{b3cdd441-af90-41ba-a745-7c6008ff2300}
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWP_ACTION_BLOCK
0
68893
FWP_UINT64 68719476736
```

A packet reaches a default block filter only when it failed to match the conditions of every other filter in the same sublayer, and so wasn't allowed by any of them. If the packet had carried the correct capability token, **FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched the conditions of a permitting filter instead of the default block filter and would have been allowed to reach bing.com. Without the correct capability tokens, the packet is explicitly dropped by a default block outbound filter.

## Case 3: UWP app can't reach Internet target address without Internet Client capability

In this example, the app is unable to connect to bing.com [2620:1ec:c11::200].

The app in this scenario only has private network capabilities (Client and Server). It's trying to connect to an Internet resource (bing.com) but only has a private network token, so the packet is dropped.

### Classify Drop netEvent, `Wfpdiag-Case-3.xml`

```xml
2020-03-31T16:57:18.570Z
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
FWP_IP_VERSION_V6 6
2001:4898:1a:1045:9c65:7805:dd4a:cc4b 2620:1ec:c11::200 64086 443 0
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
S-1-5-21-2788718703-1626973220-3690764900-1000
FWP_AF_INET6
S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
0
FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
68893 50 0 1 1
MS_FWP_DIRECTION_OUT false 0 0
0000000000000000
FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
0
68893 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_BLOCK
68879 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

## Case 4: UWP app can't reach Intranet target address without Private Network capability

In this example, the UWP app is unable to reach the Intranet target address, 10.50.50.50, because it doesn't have a Private Network capability.

### Classify Drop netEvent, `Wfpdiag-Case-4.xml`

```xml
2020-05-22T21:29:28.601Z
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
FWP_IP_VERSION_V4 6
10.216.117.17 10.50.50.50 52998 53 0
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
S-1-5-21-2993214446-1947230185-131795049-1000
FWP_AF_INET
S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
0
FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
121180 48 0 1 1
MS_FWP_DIRECTION_OUT false 0 0
0000000000000000
FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
0
121180 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_BLOCK
121165 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

## Case 5: UWP app can't reach "Intranet" target address with Private Network capability

In this example, the UWP app is unable to reach the Intranet target address, 10.1.1.1, even though it has a Private Network capability token.

### Classify Drop netEvent, `Wfpdiag-Case-5.xml`

```xml
2020-05-22T20:54:53.499Z
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
FWP_IP_VERSION_V4 6
10.216.117.17 10.1.1.1 52956 53 0
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
S-1-5-21-2993214446-1947230185-131795049-1000
FWP_AF_INET
S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
0
FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
121180 48 0 1 1
MS_FWP_DIRECTION_OUT false 0 0
0000000000000000
FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
0
121180 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_BLOCK
121165 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

The following shows the filter that blocked the event:

### Block Outbound Default Rule Filter #121180, `Wfpdiag-Case-5.xml`

```xml
{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}
Block Outbound Default Rule
Block Outbound Default Rule
FWPM_PROVIDER_MPSSVC_WSH
c029000000000000 .)......
FWPM_LAYER_ALE_AUTH_CONNECT_V4
FWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWP_ACTION_BLOCK
0
121180
FWP_UINT64 274877906944
```

If the target was in the private range, then it should have been allowed by a PrivateNetwork Outbound Default Rule filter. The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, 10.1.1.1, isn't included in any of these filters, it becomes clear that the address isn't in the private range. Check the policies that configure the private range on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you want to reach.

### PrivateNetwork Outbound Default Rule Filters, `Wfpdiag-Case-5.xml`

```xml
{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}
PrivateNetwork Outbound Default Rule
PrivateNetwork Outbound Default Rule
FWPM_PROVIDER_MPSSVC_WSH
f22d000000000000 .-......
FWPM_LAYER_ALE_AUTH_CONNECT_V4
FWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWPM_CONDITION_IP_REMOTE_ADDRESS FWP_MATCH_EQUAL FWP_UINT32 1.1.1.1
FWPM_CONDITION_ORIGINAL_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_CURRENT_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_ALE_USER_ID FWP_MATCH_EQUAL FWP_SECURITY_DESCRIPTOR_TYPE O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
FWP_ACTION_PERMIT
0
129656
FWP_UINT64 144115600392724416

{b11b4f8a-222e-49d6-8d69-02728681d8bc}
PrivateNetwork Outbound Default Rule
PrivateNetwork Outbound Default Rule
FWPM_PROVIDER_MPSSVC_WSH
f22d000000000000 .-......
FWPM_LAYER_ALE_AUTH_CONNECT_V4
FWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWPM_CONDITION_IP_REMOTE_ADDRESS FWP_MATCH_RANGE FWP_RANGE_TYPE FWP_UINT32 172.16.0.0 FWP_UINT32 172.31.255.255
FWPM_CONDITION_ORIGINAL_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_CURRENT_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_ALE_USER_ID FWP_MATCH_EQUAL FWP_SECURITY_DESCRIPTOR_TYPE O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
FWP_ACTION_PERMIT
0
129657
FWP_UINT64 36029209335832512

{21cd82bc-6077-4069-94bf-750e5a43ca23}
PrivateNetwork Outbound Default Rule
PrivateNetwork Outbound Default Rule
FWPM_PROVIDER_MPSSVC_WSH
f22d000000000000 .-......
FWPM_LAYER_ALE_AUTH_CONNECT_V4
FWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWPM_CONDITION_IP_REMOTE_ADDRESS FWP_MATCH_RANGE FWP_RANGE_TYPE FWP_UINT32 192.168.0.0 FWP_UINT32 192.168.255.255
FWPM_CONDITION_ORIGINAL_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_CURRENT_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_ALE_USER_ID FWP_MATCH_EQUAL FWP_SECURITY_DESCRIPTOR_TYPE O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
FWP_ACTION_PERMIT
0
129658
FWP_UINT64 36029209335832512
```

## Debugging Past Drops

If you're debugging a network drop from the past or from a remote machine, you may already have traces collected from Feedback Hub, such as nettrace.etl and wfpstate.xml. Once nettrace.etl is converted, nettrace.txt has the netEvents of the reproduced event, and wfpstate.xml contains the filters that were present on the machine at the time.

If you don't have a live repro or traces already collected, you can still collect traces after the UWP network connectivity issue has happened by running these commands in an admin command prompt:

```console
Netsh wfp show netevents
Netsh wfp show state
```

`Netsh wfp show netevents` creates `netevents.xml`, which contains the past net events.
`Netsh wfp show state` creates `wfpstate.xml`, which contains the filters currently present on the machine.

Unfortunately, collecting traces after the UWP network connectivity issue isn't always reliable. NetEvents on the device are stored in a buffer. Once that buffer reaches maximum capacity, it overwrites older net events, so the collected netevents.xml may no longer contain the net event associated with the UWP network connectivity issue. Additionally, filters on the device can get deleted and re-added with different filterIds due to miscellaneous events on the device. For these reasons, a **filterId** from **netsh wfp show netevents** won't necessarily match any filter in **netsh wfp show state**, because that **filterId** may be outdated.

If you can reproduce the UWP network connectivity issue consistently, we recommend using the commands from Debugging Live Drops instead. You can still follow the examples from the Debugging Live Drops section using the trace commands in this section, even if you don't have a live repro. The **netEvents** and filters are stored in one file in Debugging Live Drops, as opposed to two separate files in the following Debugging Past Drops examples.

## Case 7: Debugging Past Drop - UWP app can't reach Internet target address and has no capabilities

In this example, the UWP app is unable to connect to bing.com.

### Classify Drop Net Event, `NetEvents-Case-7.xml`

```xml
2020-05-04T22:04:07.039Z
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
FWP_IP_VERSION_V4 6
10.195.36.30 204.79.197.200 57062 443 0
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
S-1-5-21-1578316205-4060061518-881547182-1000
FWP_AF_INET
S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
0
FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
206064 48 0 1 1
MS_FWP_DIRECTION_OUT false 0 0
0000000000000000
0
206064 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_BLOCK
206049 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

The internal fields list no active capabilities, and the packet is dropped at filter 206064. This filter is a default block rule filter, meaning the packet passed through every filter that could have allowed it, but because the conditions didn't match for any of those filters, the packet fell to the filter that blocks any packet the Security Descriptor doesn't match.

### Block Outbound Default Rule Filter #206064, `FilterState-Case-7.xml`

```xml
{f138d1ad-9293-478f-8519-c3368e796711}
Block Outbound Default Rule
Block Outbound Default Rule
FWPM_PROVIDER_MPSSVC_WSH
2e65000000000000 .e......
FWPM_LAYER_ALE_AUTH_CONNECT_V4
FWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWP_ACTION_BLOCK
0
206064
FWP_UINT64 274877906944
```

## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities

In this example, the UWP app successfully connects to bing.com [204.79.197.200].

### Classify Allow Net Event, `NetEvents-Case-8.xml`

```xml
2020-05-04T18:49:55.101Z
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
FWP_IP_VERSION_V4 6
10.195.36.30 204.79.197.200 61673 443 0
5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
S-1-5-21-1578316205-4060061518-881547182-1000
FWP_AF_INET
S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
0
FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW
208757 48 0 1 1
0000000000000000
FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
0
208757 FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH FWP_ACTION_PERMIT
206049 FWPP_SUBLAYER_INTERNAL_FIREWALL_WF FWP_ACTION_PERMIT
```

All capabilities are enabled, and the filter that determined the flow of the packet is #208757. That filter, with action permit, is shown below:

### InternetClient Default Rule Filter #208757, `FilterState-Case-8.xml`

```xml
{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}
InternetClient Default Rule
InternetClient Default Rule
FWPM_PROVIDER_MPSSVC_WSH
e167000000000000 .g......
FWPM_LAYER_ALE_AUTH_CONNECT_V4
FWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL FWP_SID S-1-0-0
FWPM_CONDITION_IP_REMOTE_ADDRESS FWP_MATCH_RANGE FWP_RANGE_TYPE FWP_UINT32 0.0.0.0 FWP_UINT32 255.255.255.255
FWPM_CONDITION_ORIGINAL_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_CURRENT_PROFILE_ID FWP_MATCH_EQUAL FWP_UINT32 1
FWPM_CONDITION_ALE_USER_ID FWP_MATCH_EQUAL FWP_SECURITY_DESCRIPTOR_TYPE O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
FWP_ACTION_PERMIT
0
208757
FWP_UINT64 412316868544
```