unusual networking issue - device online but not pingable

Solution 1:

TL;DR:

The host is online, but isn't responding because of a firewall. Use ARP to verify it's connected to the network.

Inbound Traffic Is Blocked

The Surface has a software firewall enabled (e.g. Windows Firewall) that's configured to block unsolicited incoming traffic, including ICMP echo requests (ping). This also explains why your other connection attempts are failing. However, connecting through a service such as LogMeIn works because, technically, the Surface is initiating the connection in that case.

How To Find Connected But Firewalled Nodes Using ARP

If you're on the same subnet as the device you can prove to yourself that the machine is connected to the network even if it doesn't respond to ping requests. Do so as follows:

1. Ping the device. This causes your computer to send an ARP request to the local subnet asking, "What device has IP address X?" If the node is online, despite any configured firewall it will send a reply to your machine saying "My MAC address is Y and I have IP address X." This response is stored in your local machine's ARP Cache.
2. Run the command arp -a and observe whether there's an entry for the device's IP address. If there is, the device is online.

A Note About ARP Caching

ARP entries can be cached, though in Windows Vista and newer the cache timeout is less than 45 seconds. However, if you really want to ensure the remote node is online the precise moment you issue your ping command, run one of the following before step 1 above:

To remove only the target node's entry from your ARP cache, run:

arp -d <remote_ip>

Or, to clear the entire ARP cache, run:

arp -d *