Always On VPN Client Routes Missing

When configuring Always On VPN for Windows 10 and Windows 11 clients, administrators may encounter a scenario where an IPv4 route defined in Microsoft Endpoint Manager/Intune or custom XML is not reachable over an established Always On VPN connection. Further investigation indicates the route is added to the configuration on the endpoint but does not appear in the routing table when the connection is active.

Routing Configuration

When split tunneling is enabled, administrators must define routes to IP networks that are reachable over the Always On VPN connection. The method of defining these routes depends on the client configuration deployment method.

Endpoint Manager

Using Microsoft Endpoint Manager, administrators define IP routes in the Split Tunneling section of the configuration settings for the Always On VPN device configuration profile. Routes are defined by entering the destination prefix and prefix size. In this example, the and IPv4 networks are defined for routing over the Always On VPN tunnel.

Custom XML

Using custom XML deployed using Microsoft Endpoint Manager, System Center Configuration Manager (SCCM), or PowerShell, routes are defined in the XML file using the following syntax.

Client Configuration

Validate the routing configuration has been implemented on the endpoint successfully by running the following PowerShell command.

Get-VpnConnection -Name <Connection Name> | Select-Object -ExpandProperty Routes

As shown below, the IPv4 routes and are included in the client’s Always On VPN configuration.

Missing Route

However, after establishing an Always On VPN connection, the network is not reachable. To continue troubleshooting, run the following PowerShell command to view the active routing table.

Get-NetRoute -AddressFamily IPv4

As you can see above, the only IPv4 route in the VPN configuration added to the routing table is the network. The IPv4 route is missing.

Network Prefix Definition

IPv4 routes missing from the Always On VPN client’s routing table result from incorrect network prefix definition. Specifically, the IPv4 route used in the example here is not a valid network address. Rather, it is a host address in the network, as shown below.

The Get-Subnet PowerShell cmdlet is part of the Subnet PowerShell module. To install this module, run the following PowerShell command.

Install-Module Subnet


Using the example above, enabling access to the subnet would require defining the IPv4 prefix in the routing configuration as

The moral of this story is to always validate routing prefixes to ensure they are, in fact, network addresses and not host addresses.
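As an added example (not code from the original post), the following PowerShell performs the two checks described above in one pass: it recomputes the network address for every IPv4 route in the Always On VPN profile so host addresses are flagged without needing the Subnet module, and it compares the profile's routes with the live routing table from Get-NetRoute. The connection name is a placeholder and the sample prefixes are constructed.

```powershell
# Added example (not from the original post): check every IPv4 route in an Always On VPN
# profile for the host-address mistake described above, and report which configured
# routes are absent from the live routing table. The network address is computed
# natively, so the Subnet module is not required. The connection name is a placeholder.

function Get-NetworkAddress {
    # Returns the network address of an IPv4 prefix, e.g. 192.168.10.5/24 -> 192.168.10.0
    param([Parameter(Mandatory)][string]$Prefix)
    $address, $length = $Prefix -split '/'
    $length = [int]$length
    $octets = [System.Net.IPAddress]::Parse($address).GetAddressBytes()
    $network = for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $length - 8 * $i))   # mask bits in this octet
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        [int]$octets[$i] -band $mask
    }
    return ($network -join '.')
}

function Test-VpnRoutePrefixes {
    # Compares the profile's routes with Get-NetRoute, flagging host addresses and missing routes.
    # For a device tunnel, Get-VpnConnection needs -AllUserConnection instead of -Name.
    param([Parameter(Mandatory)][string]$ConnectionName)
    $routes = Get-VpnConnection -Name $ConnectionName |
        Select-Object -ExpandProperty Routes |
        Where-Object { $_.DestinationPrefix -notmatch ':' }     # IPv4 prefixes only
    $active = (Get-NetRoute -AddressFamily IPv4).DestinationPrefix
    foreach ($route in $routes) {
        $prefix  = $route.DestinationPrefix
        $address, $length = $prefix -split '/'
        $network = Get-NetworkAddress -Prefix $prefix
        [pscustomobject]@{
            Prefix           = $prefix
            IsNetworkAddress = ($address -eq $network)   # $false means a host address was defined
            CorrectedPrefix  = "$network/$length"        # what the route should have been
            InRoutingTable   = ($active -contains $prefix)
        }
    }
}

# Constructed values: a host address inside 192.168.10.0/24, then the proper network address.
Get-NetworkAddress -Prefix '192.168.10.5/24'
Get-NetworkAddress -Prefix '192.168.10.0/24'

# Run against a live profile (placeholder connection name) while the tunnel is connected.
Test-VpnRoutePrefixes -ConnectionName 'AOVPN User' | Format-Table -AutoSize
```

A row with IsNetworkAddress $false and InRoutingTable $false is the symptom from this post; CorrectedPrefix shows the value to put back into the Intune profile or custom XML.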

Additional Information

Always On VPN Routing Configuration

Always On VPN Default Class-based Route and Microsoft Endpoint Manager/Intune



  1. Some Guy / November 8, 2021

    Great reminder. I would extrapolate a more general moral from the story: [b]if it’s not working the way you’re asking it to, make sure what you’re asking makes sense[/b].
    I spotted the subnetting error immediately when reading this story, but I can definitely relate to the feeling of innocently making an error like that and then getting stuck trying to troubleshoot a seemingly impossible problem.

    • Great advice! If you do a LOT of networking I’m sure it is easier to spot incorrect subnets like that. I do a fair amount though and I missed it. However, I knew enough to verify it. 🙂 On a somewhat related note, I can’t tell you how often I find administrators using (as an example) thinking it is a private IP address range. 😉

  2. Hi,
    Just wondering, do I always use the same MaskBits that Get-Subnet returns? For example… if I have an IP and Get-Subnet returns is that what I use? Or is there a particular prefixsize I should be using in this scenario?

  3. Just want to double confirm – if I want to route particular public IPs and hostnames via the VPN, would I follow the same steps?

    • No. If you want to route a *specific* public IP address over the VPN tunnel you would specify a /32 mask. Of course, you could use a broader mask if the public website has multiple IP addresses in a given subnet.

  4. Lenny / December 2, 2022

    Hello Richard,

    Thank you for all your work on always on VPN, it helped me a lot to deploy it in my company.

    Since this week, we are facing a new issue.

    Sometimes, our VPN user tunnel is missing all the routes from our split tunnel configuration.

    Strangely, this issue is really random; it can happen with SSTP, with IKEv2, and on both of our RAS servers.

    So it looks like the issue is based on our VPN profile, but as I said, it’s working well most of the time.
    When this happens, we just have to disconnect and reconnect the VPN, and the routes come back. We may need to do that more than once for it to work.

    When the issue is present, if we do a Get-VpnConnection -Name 'VPN' | Select-Object -ExpandProperty Routes

    Routes are showing correctly, but not with a route print.

    If you have any information about that, I would be grateful!

    Thanks a lot !

    • Wow, that’s unusual. That’s not something I’ve seen myself. Just for good measure, though, do you see the routes if you run the following PowerShell command when this happens?

      Get-NetRoute -AddressFamily IPv4

      • Hello, with that command I do not see the routes either.

        We have a device VPN used at the same time, and routes are always working for it.

        But still same issue from the user one.

      • If you restart the VPN connection then the routes appear?

      • Lenny / December 20, 2022

        Hello, yes, if I restart it the routes come back (not always, we may need to restart it more than once for it to work).

      • That’s quite unusual. I’m not sure what would cause that, honestly.

      • James Hawksworth / February 3, 2023

        I’m also seeing this, but only on some devices, not everyone. VPN connects on login, but nothing works due to the lack of routes until you disconnect and reconnect. Very strange!

      • That is weird.

  5. André / May 12, 2023

    Hello, we configured a Device Tunnel. But the added routes are not active once the Device Tunnel is activated. Only the route for the VPN Vnet itself is visible. All other routes to company internal vnets are not present and thus not reachable.

    Get-VpnConnection -AllUserConnection | Select-Object -ExpandProperty Routes does not show any entries (entries are only shown when using a user tunnel). Also, route print does not show the entries.
    Is there anything different with the device tunnel regarding the routes? As far as I read, those routes should also be supported with the device tunnel… any idea? Thanks
