SSL VPN No local DNS

preyes
2020/06/30 04:24:47

Hi there, newbie here in the Fortinet world.
 
Our HO has FortiGate 200 running ver 6.4
 
I am also using FortiClient 6.4; I downgraded to FortiClient version 6.0 and it works fine, but I cannot believe that this problem exists since version 6.2 and nobody noticed.

I have an SSL VPN configured which connects fine, but it does not transfer the local DNS server info to the remote user.

What can be the problem?

Thanks in advance.
#1


    oscar37
    Re: SSL VPN No local DNS 2020/06/30 06:58:14
    Do you have the DNS server set to your local DNS in your SSL VPN settings?

    config vpn ssl settings
        set dns-server1 <LOCAL DNS IP>
        set dns-server2 <LOCAL DNS IP>
    end

    You can also set this via the GUI from your SSL VPN settings.

    Thank you in advance
    #2
    preyes
    Re: SSL VPN No local DNS 2020/07/01 07:39:56
    Thanks for the quick reply.
    I have configured under Split DNS (SSL-VPN Portal)
    Primary DNS (local primary dns server) and Secondary DNS (local secondary dns server)
    #3
    isamt
    Re: SSL VPN No local DNS 2020/07/01 12:48:08
    Configure DNS for SSL VPN under config vpn ssl settings.

    config vpn ssl settings
       set dns-suffix "Domain_Name"
       set dns-server1 192.168.1.1
       set dns-server2 192.168.1.2
    end

    You should also configure dns-suffix; otherwise VPN clients will only be able to ping IP addresses or fully qualified host names.
    So if you have a server named intranet.domain.com on IP 192.168.1.100, VPN users can ping 192.168.1.100 and intranet.domain.com but not the hostname intranet unless you set the dns-suffix to "domain.com".
     
    #4
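
Added example (not part of the original posts, and not Fortinet code): a small Python model of a stub resolver's search list, following the resolv.conf `search`/`ndots` convention, showing why the short name `intranet` resolves only once `domain.com` is in the suffix list. The zone data is constructed from the names in the post above; `candidates`, `resolve` and `diagnose` are hypothetical helper names.

```python
# Constructed sample zone, using the host name and address from the post above.
ZONE = {"intranet.domain.com.": "192.168.1.100"}


def candidates(name, search=(), ndots=1):
    """Return the FQDNs a stub resolver tries for `name`, in order."""
    if name.endswith("."):                 # already absolute: no suffixing
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{s.strip('.')}." for s in search]
    # Names with at least `ndots` dots are tried as-is first, then suffixed.
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    # Short names go through the search list first, then as-is.
    return suffixed + [absolute]


def resolve(name, search=(), zone=ZONE):
    """Return (answer, queries_sent); answer is None when every try fails."""
    tried = []
    for fqdn in candidates(name, search):
        tried.append(fqdn)
        if fqdn.lower() in zone:
            return zone[fqdn.lower()], tried
    return None, tried


def diagnose(short, fqdn, search=(), zone=ZONE):
    """Separate a missing suffix from a DNS server that is not answering."""
    fqdn_ok = resolve(fqdn, search, zone)[0] is not None
    short_ok = resolve(short, search, zone)[0] is not None
    if fqdn_ok and short_ok:
        return "ok"
    if fqdn_ok:
        return "suffix-missing"            # server answers, search list is empty/wrong
    return "dns-server-problem"            # even the FQDN fails


if __name__ == "__main__":
    print(resolve("intranet"))                              # no suffix pushed
    print(resolve("intranet", search=("domain.com",)))      # dns-suffix set
    print(diagnose("intranet", "intranet.domain.com"))
```

A `dns-server-problem` result means the FQDN itself fails, which a suffix change cannot fix.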
    preyes
    Re: SSL VPN No local DNS 2020/07/01 13:54:25
    I am unable to ping to intranet.domain.com but I can ping successfully to 192.168.1.100
     
    The vpn user is a local user created on the FortiGate running 6.4 and FortiClient 6.4
    I noticed that FortiClient 6.0 allows me to ping to intranet.domain.com and 192.168.1.100
    #5
    aseques
    Re: SSL VPN No local DNS 2020/07/02 02:31:34
    I don't know if it's your case (you don't specify the platform), but on FortiClient 6.4.0 for Linux there's an issue that breaks this feature; it's supposedly fixed in 6.4.1, which will be released at the end of the month.
     
    #6
    sw2090
    Re: SSL VPN No local DNS 2020/07/02 07:42:41
    Hm, I cannot speak for SSL VPN, but I know this from IPSec. Maybe it is the same with SSL VPN?
     
    If I set a tunnel to do split dns the options in ipsec config are rather the same. You set dns-server1 and 2 and a domain/suffix. However it won't work because there is an option dns mode that is not visible in gui in ipsec config. It is set to "auto" by default which prevents split dns from working. It has to be set to "manual" on cli to make split dns work. 
    I don't have a clue why fortinet didn't include this in gui as it is that important.
    Maybe there is the same issue with split dns and ssl vpn too?
     
    hth
    Sebastian
    #7
    live89
    Re: SSL VPN No local DNS 2020/07/02 08:24:03
    I've seen a known issue reported maybe related to your situation
    https://docs.fortinet.com/document/forticlient/6.2.1/windows-release-notes/991883/known-issues
    please check if this bug id 537299 is your case
    which has been resolved in 6.2.3
    https://docs.fortinet.com/document/forticlient/6.2.3/windows-release-notes/22791/resolved-issues
     

    Thanks
    #8
    aseques
    Re: SSL VPN No local DNS 2020/12/15 01:14:06
    I forgot to update the thread, after escalating the issue, one of the engineers from fortigate could diagnose the issue and check that it was indeed a problem on the release 6.4.0, but..
    There's a fixed 6.4.1 version but only for EMS customers that are on more frequent releases.
    If you are (like me) without specific EMS contract for vpn users you have two options:
    • Wait until 6.4.1 is released on forticlient.com (6 months have passed without any change)
    • Use the legacy 4.x versions (no system integration, etc.)
    • Use some other program such as openfortigui (that has been my option so far) that works quite fine.
    It's a bit of a shame that fortigate hosts a non working (I'd say most of us are using local dns) vpn client in their site forcing users into other platforms / solutions.
    #9
    UrbyTuesday
    Re: SSL VPN No local DNS 2021/01/05 12:33:47
    Exact same problem. 
    80E with 6.2.6 firmware and 6.4.2 Forticlient VPN - no internal DNS resolution over SSL VPN. Can ping the internal DNS server IP but not the FQDN.  NSLOOKUP times out.
     
    I've wasted a whole day on this ****.  Finally found this post, installed 6.2.6 and the problem goes away instantly. 
     
    Fortinet needs to get their $hit together.  This is ridiculous. I'm IT director for 200 people and have one assistant. We don't have time to run test labs for every single change we make.  There are certain things that should just WORK.  Period.  Like a utility. Completely inexcusable.
    #10
    UrbyTuesday
    Re: SSL VPN No local DNS 2021/01/06 06:42:46
    FYI, the full process I tried on a new laptop:
    installed 6.4.2, no DNS resolution.
    backed down to 6.2.6, all was well.
    installed 6.2.8 to test...it broke again.
    backed down to 6.2.7...it worked properly again.
     
     
     
    post edited by UrbyTuesday - 2021/02/08 10:26:00
    #11
    Juquinha
    Re: SSL VPN No local DNS 2021/02/04 10:21:46
    Hi!
     
    I was looking at this thread and I would like to ask if you guys checked the suffix settings at your machine to test this. Normally, we put the internal domains suffix at the NIC list to computers to always look for the FQDN. Even though, the DNS server also can look in its base for the query.its.domain.
     
    I, actually, prefer to know that Fortigate DOES NOT interfere in the resolution process. It is something that has only to do with the DNS client and server.
     
     
    #12
    mister
    Re: SSL VPN No local DNS 2021/02/24 23:57:25
    Maybe it's relevant to me?

    My issue:
    I cannot surf to websites on the Internet (no site) when I am connected from home with FORTI.
    While connecting the FORTI it is "Inserts" in the DNS'S wireless network card. When the alternate DNS it plants is "X.X.X.X". Only when I manually change it to dns google can I access the Internet in parallel with my connection in FORTI ...
    But any reconnection of FORTI of course eliminates this change in the wireless network card.
    #13
    aseques
    Re: SSL VPN No local DNS 2021/02/25 00:24:37
    mister
    Maybe it's relevant to me?

    My issue:
    I cannot surf to websites on the Internet (no site) when I am connected from home with FORTI.
    While connecting the FORTI it is "Inserts" in the DNS'S wireless network card. When the alternate DNS it plants is "X.X.X.X". Only when I manually change it to dns google can I access the Internet in parallel with my connection in FORTI ...
    But any reconnection of FORTI of course eliminates this change in the wireless network card.


    In your case the problem seems to be that the DNS provided by your VPN server doesn't resolve the domains; it's just the opposite of this thread's case.
    #14
    browners80
    Re: SSL VPN No local DNS 2021/03/29 06:23:13
    Setting the dns-suffix via cli sorted it for me.  
     
    Thanks guys
    #15
    tschoeller
    Re: SSL VPN No local DNS 2021/04/02 11:48:04
    I have this same issue.  It only happens on some Windows 10 machines.  Other Windows 10 machines do not suffer from this problem.  Problem exists despite DNS server and suffix being set correctly in SSL settings.  I have seen this issue on 2 separate firewalls one with remote RADIUS users and the other with local users.  I have also tried enabling split DNS and have seen DNS queries start timing out despite low latency connection.  Suspect that there may be some DNS related bugs in newer version of FortiClient VPN. 
     
    Found this after submitting a new post:
    https://forum.fortinet.co...m=195269&tree=true
    #16
    UrbyTuesday
    Re: SSL VPN No local DNS 2021/04/02 12:36:06
    Yeah that link is brand new and I just told that guy what I'll tell you.  Try FCVPN 6.2.6 or 6.2.7 (not 8) and see if it helps.
    #17
    JUST
    Re: SSL VPN No local DNS 2021/05/12 08:11:48
    Hi,
    I had this same issue. Versions until 6.2.7 work but all after 6.2.7 are not working.
    Fortinet recently launched a new version, FortiClientVPN_7.0.0.0029_X64.exe, and with this version the problem seems to be solved.
    Thanks
     
    #18