    Applicable to:
    • Twingate Component: Windows Client
    • Environment: AWS WorkSpaces Pools when running Twingate

    Overview

    AWS WorkSpaces Pool instances may terminate approximately 20 minutes after launch due to failing heartbeats. This occurs because the WorkSpaces management service attempts to resolve squid-proxy.appstream.local but fails when the system is connected to Twingate.

    Cause

    The underlying cause is a known limitation. For further information, see the KB article [Windows Client] Limitations with Multiple NICs and Split-Horizon DNS.

    The WorkSpaces Pools management service performs a health check that requires resolving squid-proxy.appstream.local.

    • When not connected to Twingate, the DNS resolution follows the standard query order:

      1. The frontend NIC's DNS servers do not return an A record.

      2. The backend NIC's DNS servers successfully return an A record.

    • When connected to Twingate, the query is forwarded to Twingate’s DNS servers and follows this order:

      1. Query is sent to frontend DNS servers (10.30.51.4, 10.30.50.4), which do not return an A record.

      2. The query is not forwarded to the backend DNS servers (198.19.0.2), causing resolution failure.

      3. As a result, the WorkSpaces heartbeat check fails, leading AWS to terminate the instance.

    Troubleshooting

    To confirm this issue:

    • While NOT connected to Twingate, run the below command in command prompt or PowerShell:
      nslookup squid-proxy.appstream.local
      • The output should list one or more IPs from the A record.
      • If the command returns multiple IPs, note down all the IP addresses.
    • While connected to Twingate, run the below command in command prompt or PowerShell:
      nslookup squid-proxy.appstream.local
      • No IPs should be returned, because no A record is found.

    Workaround

    Method 1 - Manual hosts file update

    • Make a backup of C:\Windows\System32\drivers\etc\hosts prior to proceeding.
    • Retrieve the correct IPs: Run nslookup (as shown above) while not connected to Twingate and copy the returned A records.

    • Edit the hosts file:

      • Open Notepad as Administrator.

      • Navigate to: C:\Windows\System32\drivers\etc\hosts

      • At the very bottom of the file, add a new line for each A record retrieved via nslookup:

        <IP1> squid-proxy.appstream.local
        <IP2> squid-proxy.appstream.local
        <IP3> squid-proxy.appstream.local

        (Replace <IP1>, <IP2>, etc., with the actual A records retrieved via nslookup.)

    • Save the file and close Notepad.

    Method 2 - Scripted hosts file update

    Note: this method should only be run once, and not after Method 1. If you have already performed Method 1, or have run this script more than once, you will need to manually remove all entries for squid-proxy.appstream.local from the hosts file (the reverse of Method 1 above).

    • While NOT connected to Twingate, open PowerShell as Administrator.
    • Copy the below command and press enter to run.
    # Back up the current hosts file.
    Copy-Item -Path "C:\Windows\System32\drivers\etc\hosts" -Destination "C:\Windows\System32\drivers\etc\hosts.bak" -Force
    # Append a blank line so the new entries start on their own line.
    Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "`r`n" -Encoding ASCII

    # Resolve the A records and append one "<IP> squid-proxy.appstream.local" line per record.
    Resolve-DnsName squid-proxy.appstream.local |
    Where-Object QueryType -eq "A" |
    ForEach-Object { "{0} {1}" -f $_.IPAddress, "squid-proxy.appstream.local" } |
    Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Encoding ASCII

    Verify the Workaround

    After performing either of the above methods, verify that the file has been updated correctly. Once updated, it should look something like the below when opened in Notepad.

    Note: <IP1>, <IP2>, etc., will be the real IPs retrieved via nslookup, and <computer_name> will be the hostname of your desktop.

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    127.0.0.1 <computer_name>

    <IP1> squid-proxy.appstream.local
    <IP2> squid-proxy.appstream.local
    <IP3> squid-proxy.appstream.local

    Limitation of the Workaround

    • This forces local name resolution, ensuring the hostname resolves correctly while connected to Twingate.

    • Since WorkSpaces Pool instances are ephemeral, this modification should be applied at image creation or automated via a script.

    • The IPs of the WorkSpaces backend host squid-proxy.appstream.local differ from environment to environment.
    • The IPs of the WorkSpaces backend host squid-proxy.appstream.local are subject to change, so a scripted method that dynamically updates the hosts file while Twingate is not running would be ideal.
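
    One way to script the dynamic update described above so that it can be re-run safely. This is an added example, not Twingate's or AWS's own script; the function name Update-SquidProxyHosts is hypothetical. It assumes an elevated PowerShell session started while Twingate is not connected, for example at image creation or instance startup.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent refresh of the squid-proxy.appstream.local entries.
# Unlike a plain append, it replaces earlier entries instead of duplicating them.

$HostName  = 'squid-proxy.appstream.local'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Update-SquidProxyHosts {   # hypothetical helper name
    param([string]$Name = $HostName, [string]$Path = $HostsPath)

    # -NoHostsFile forces a real DNS lookup; otherwise stale entries already
    # present in the hosts file would be returned as the "current" answer.
    try {
        $ips = Resolve-DnsName -Name $Name -Type A -NoHostsFile -ErrorAction Stop |
            Where-Object QueryType -eq 'A' |
            Select-Object -ExpandProperty IPAddress -Unique
    } catch {
        $ips = $null
    }

    # No A record (e.g. Twingate is connected): keep whatever entries exist.
    if (-not $ips) {
        Write-Warning "No A record for $Name; hosts file left unchanged."
        return $false
    }

    # Keep every line that does not map this hostname. Comments and blank
    # lines are preserved because they have no hostname fields.
    $kept = @(Get-Content -Path $Path | Where-Object {
        $fields = (($_ -split '#')[0]).Trim() -split '\s+'
        ($fields.Count -lt 2) -or ($fields[1..($fields.Count - 1)] -notcontains $Name)
    })
    $new = @($ips | ForEach-Object { "$_ $Name" })

    # Back up first, then rewrite the file with the refreshed entries.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    Set-Content -Path $Path -Value ($kept + $new) -Encoding ASCII
    return $true
}

Update-SquidProxyHosts
```

    Because a failed lookup leaves the file untouched, running it while Twingate is connected does not strip working entries.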