pxiannie
New Contributor III

How to solve DNS resolve failed problem when connect to SSL VPN?

I was able to connect, ping my server and access the local system last week, but today when I tried to connect it showed the error "DNS resolve failed". I did not make any changes, and this error had been solved before, so why did I get it again? I can't ping my server in the command prompt or access the local system now. My current version of FortiClient VPN is 7.2.3.0929; is it because of the updates?


(screenshot attached: 2024-02-01 170224)

(screenshot attached: 2024-02-01 170430)
Please help. Thanks!

hbac
Staff
Staff

Hi @pxiannie,


I can see that you are using public DNS servers. Do you have split tunneling enabled? 


Regards, 

pxiannie
New Contributor III

No, I didn't enable it. I disabled tunnel mode split tunneling. DNS split tunneling is also not enabled.

hbac

@pxiannie


If split tunneling is disabled, that means DNS traffic will go through the FortiGate. Please run debug flow by following this article to see if the traffic is being dropped: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...


Regards, 

pxiannie
New Contributor III

Hi @hbac ,
I ran diag debug flow trace start 100 and it shows me the message "Denied by forward policy check (policy 0)", but I did set my service to all in the firewall policy.

(screenshot attached: 2024-02-05 155943)

hbac

@pxiannie,


That means you don't have a firewall policy to allow traffic from ssl.root to ppp2. Please check your policy. 


Regards, 
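To make the debug-flow reading above concrete, here is an added Python example (not code from this thread or from Fortinet) that groups diag debug flow lines by trace_id and reports every flow dropped by the implicit deny (policy 0) together with the ingress/egress interface pair a policy would need to cover. The sample lines are constructed and only approximate the real output format; the addresses and interface names are assumptions.

```python
import re

# Constructed sample of "diag debug flow" output (approximate format, made-up
# addresses): a DNS query entering from ssl.root and routed to ppp2 that hits
# policy 0, followed by an ICMP flow that an explicit policy allows.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=17, 10.212.134.200:51000->192.168.10.5:53) tun_id=0.0.0.0 from ssl.root. "
id=20085 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00001a2b, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.0.1 via ppp2"
id=20085 trace_id=1 func=fw_forward_handler line=857 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.212.134.200:1->192.168.10.5:2048) tun_id=0.0.0.0 from ssl.root. "
id=20085 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-00001a2c, tun_id=0.0.0.0"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.0.1 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=797 msg="Allowed by Policy-5:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).*from (\S+)\.\s*$')
ROUTE_RE = re.compile(r'find a route: .*via (\S+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_debug_flow(text):
    """Group lines by trace_id and keep the fields that decide a policy match:
    5-tuple, ingress interface, egress interface (from the route lookup), verdict."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a debug-flow line
        tid, msg = int(m.group(1)), m.group(2)
        f = flows.setdefault(tid, {"verdict": "unknown", "policy": None})
        if pm := PKT_RE.search(msg):
            f.update(proto=PROTO.get(int(pm[1]), pm[1]), src=pm[2], sport=int(pm[3]),
                     dst=pm[4], dport=int(pm[5]), in_if=pm[6])
        elif rm := ROUTE_RE.search(msg):
            f["out_if"] = rm[1]
        elif dm := DENY_RE.search(msg):
            f["verdict"], f["policy"] = "denied", int(dm[1])
        elif am := ALLOW_RE.search(msg):
            f["verdict"], f["policy"] = "allowed", int(am[1])
    return flows

def implicit_denies(text):
    """Flows dropped by policy 0: no explicit policy covered that in_if -> out_if pair."""
    return [f for f in parse_debug_flow(text).values() if f["verdict"] == "denied" and f["policy"] == 0]

if __name__ == "__main__":
    for f in implicit_denies(SAMPLE_DEBUG_FLOW):
        print(f"no policy for {f['in_if']} -> {f.get('out_if')}: "
              f"{f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
```

Run it against a real capture by replacing SAMPLE_DEBUG_FLOW with the saved console output; each reported in_if/out_if pair is a policy that is missing or not matching.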

JcvnStdn
New Contributor II

Have you tried enabling the DNS DB?
FortiGate DNS server | FortiGate / FortiOS 6.2.13 | Fortinet Document Library

Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....
pxiannie
New Contributor III

No, because previously I did not set it up either and was still able to ping the server.

Jakob-AHHG

That would enable a full DNS server in the FG, which you would need to maintain.
Here's what we do, and it works:

Put internal DNS servers in the SSL-VPN Settings

Enable Split-Tunnel, Policy Based

Then your client will use the PC's local DNS servers when accessing the internet, and your internal DNS servers when asking for sites reached over the VPN (as specified in the Destination of the FW rule).

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotel Group A/S, Copenhagen, DK
pxiannie
New Contributor III

Hi @Jakob-AHHG ,

I did put internal DNS servers in the SSL VPN Settings.
(screenshot attached: 2024-02-01 170224)
This is how I set my SSL VPN Portal; is the routing address override set correctly?
(screenshot attached: 2024-02-06 131203)

Here is my firewall policy:
(screenshot attached: 2024-02-06 131406)

Updated:
I'm able to ping my server IP address after I set the routing address override to the SSL VPN address. But why am I still not able to ping my server name?

Regards,
