But in our case, URL Session is calling a public endpoint. That's the reason, it succeeds even when VPN connection is being established. It happens intermittently. Majorly after sleep/wakeup or when enabling onDemand randomly. Scenario that works always: Connect VPN manually. VPN established successfully Disconnect manually. Enable on demand. VPN established successfully automatically. So, I think it's not the same issue as mentioned above.

Yes

It's MacOS We are calling some custom extension using Apple's enterprise single sign-on feature. https://developer.apple.com/documentation/authenticationservices

Packet tunnel provider is caliing some another app which is using URLSession

Yes

We are using URLSession inside startTunnel() provided by Packet tunnel provider Tested with NWConnection as well - it is also not receiving any response. Response is received only after ondemand is disabled which brings the internet connectivity back. I think there's an issue with onDemand flow itself rather than URLSession / NWConnection. Our 2nd test which mentioned about teams call drops also adds to it (Which doesn't use either of them)

waitsForConnectivity property is not enabled for URLsession configuration. URLSession leads to no internet internmittently but when it does, there is no mitigation other than disabling always-on. That's the biggest problem right now.

Lower level cpp APIs for creating TCP socket and reading/writing over it. This works perfectly always. Yes ms is milliseconds. I think no internet is seen at app level / http clients / apis. That's the reason URLSession also fails and Teams call also experiences drops. In this 2nd auth scenario, internet drop is only for few ms, on-demand connection succeeds eventually and we don't experience any issues.

We are still trying to test with NWConnection. But we use some other auth as well where URLSession isn't used but we still land into no internet for few ms (Teams call also experiences drops). So, I believe on-demand flow itself has some issues.

Why we are landing into no internet only during OnDemand connections? Is that a bug in Apple's ondDemand flow? Any known / documented bugs with URLSession?

Yes, from within Packet tunnel provider process. URLSession No state as such. Device loses internet connectivity

It stays in NO_INTERNET state until on-demand is disabled

let rule = NEOnDemandRuleConnect() rule.interfaceTypeMatch = .any manager.onDemandRules = [rule] manager.isOnDemandEnabled = true manager.isEnabled = true manager.saveToPreferences {} Yes, we need to contact VPN server and some other endpoints to get the configuration. But https requests are timing out because device is loosing internet connectivity (All apps + device)

Happening only when onDemand is enabled (Not at all when we manually call startTunnel and setup VPN tunnel settings).

Single User Machine has internet -> onDemand Enabled-> calls startTunnel() -> but before even we call setTunnelNetworkSettings(), internet goes away on machine So I am guessing some network settings are changing on machine in between leading to traffic going over incorrect interface.