Interpreting kernel/iOSAppProxyProvider logs

Hi, I'm troubleshooting an iOS network connectivity issue when my app is running 'in' a per-app VPN and would like some clarification about the ordering of some of the logging generated after installing various debugging profiles on the device (VPN (Network Extension), Network Diagnostics, mDNSResponder).

Context

The connectivity issue is between two vendors my app is involved with. One supplies an app proxy provider extension to provide per-app VPN capability for my app. The other vendor provides an SDK framework that's attempting to make network connections which normally work when the VPN is not involved. We have confirmed with the VPN vendor that it is not a configuration (whitelisting, etc) type issue.

I am trying to understand from the logs what component caused/initiated the network connection termination. Was it the kernel, was it the App Proxy Provider Network Extension code or was it the app (SDK framework) code ?

Log entries

I've attached a short log file and number the lines for reference, and have redacted a few commercially sensitive parts.

Questions

Can this log help determine who caused the network connection failure, and if not, is there any more instrumentation I could enable that might help?

Do the log entries (and their timestamps) reflect the actual order/timing of events reported on, or is there some jumbling occurring due to my app, the kernel and iOSAppProxyProvider running in different processes/threads?

After the app initiates the network connection (line 1), it appears that the kernel flow diversion code in netinet/flow_divert.c establishes the flow and closes it (lines 2 - 6) before iOSAppProxyProvider even starts to establish the flow (lines 7 - 10).

Then the app somehow seems to detects a network error (line 8), before the iOSAppProxyProvider has even matched the VPN extension (line 12) to it and then finally the iOSAppProxyProvider closes the flow (lines 13-17).

I'd have expected an interleaving of kernel and iOSAppProxyProvider log entries, with the app's own logging just occurring at the start and end, bracketing the whole interaction...

I am new to this area of iOS, so apologies if I am missing some important foundational concepts about how these components all work together.

Thanks in advance, Rob

Interpreting kernel/iOSAppProxyProvider logs
 
 
Q