t73db
New Contributor

FortiClient 6.4.2 DNS Issue

Hi,

 

We've used FortiGates / FortiClient for years now. We currently use FortiClient 6.2.4 VPN only client on all our PCs for users to work from home etc. We're about to deploy a new HA FGT100F pair and as part of this, we're testing the latest version of FortiClient (V6.4.2). We don't usually use the latest version for stability reasons but we're looking to test the new SAML authentication options.

 

So, as part of our development testing before we push the new version out to our users, I've installed FortiClient 6.4.2 on my laptop. Normally, we'd use a development machine for testing, but I've not got access to it so I installed it on my laptop.

 

Here's the issue:

 

When the SSL VPN is connected to our existing FortiGate (no config change in 6mo+ and still working for all other users on FC6.2.4), DNS is not resolving properly, but it's weird. If I try and ping one of our internal servers using either the hostname only or the FQDN (e.g. server1 or server1.example.local), I get "Ping request could not find host server1. Please check the name and try again.".

 

BUT

 

If I go into NSLookup, 1) it correctly shows the "default server" (e.g. dns1.example.local)  and 2) if I search for the same host (server1.example.local or just server1), it correctly returns the IP address.

 

I've also put a packet capture on the FortiGate and observed correct DNS requests and responses. I've had Wireshark on my PC verifying the same. So the correct DNS responses are clearly reaching my laptop from our internal DNS servers.

 

So with this in mind, I decided to roll back to V6.2.4. However, this version is now experiencing the exact same issue, so it seems that V6.4.2 has changed something permanently.

 

The issue appears to be something related to IPv6, as if I try to ping with the -4 option, it works fine. However, not being able to resolve v4 addresses means that everything on our VPN fails (we don't use v6 internally). I've tried the article below, which suggests a <block_ipv6> tag in the FortiClient configuration, but this doesn't seem to make any difference. I don't view disabling v6 on the network adapter as a viable option. Some users have v6 connections at home and some of our users (including me) use v6 when we visit external sites.

 

I have tried the following:

  • Solution in this KB from 5 days ago (https://kb.fortinet.com/kb/documentLink.do?externalID=FD51201)
  • Uninstalling completely and using the FCRemove tool. Then reinstalling V6.2.4 (which had been working flawlessly for us until this test upgrade)
  • Run Windows sfc /scannow

Does anyone have any ideas for what to try next?

Thanks in advance.

    t73db
    New Contributor

    Update:

     

    Tried with V6.4.3, issue still persists.

     

    Only way I can get this to work is to disable IPv6 on the local adapters which is not ideal as we use IPv6 in some instances.

    Dickie
    New Contributor III

    Hi,

    We had this issue. After investigation it seems that a lot of the end user home routers are now configured from the ISP for IPv6. Windows now prefers IPv6, so it does its lookups there and gets an answer that there is nothing with that name, and as it answered, does not fall back to V4. We set IPv4 as a preference via a GP on these machines and all is working now:

     

    https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-ipv6-in-windows

     

    YMMV - give it a go.

    Richard
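A read-only check for the behaviour discussed in the reply above, added here as an example and not posted by anyone in the thread. It reads the `DisabledComponents` value documented in the linked Microsoft article, resolves the name per address family, and lists which DNS servers each connected interface uses. The host name is the placeholder from the original post, and the function name `Get-Ipv6PreferenceMeaning` is hypothetical.

```powershell
# Added example, not from the thread. Read-only: nothing is changed on the machine.
param([string]$HostName = 'server1.example.local')   # placeholder name from the original post

# Decode the DisabledComponents values listed in the linked Microsoft article.
function Get-Ipv6PreferenceMeaning([int]$Value) {
    switch ($Value) {
        0x00    { 'default (IPv6 preferred)' }
        0x20    { 'IPv4 preferred over IPv6' }
        0xFF    { 'IPv6 disabled' }
        default { 'other value, see the Microsoft article' }
    }
}

# 1. Current IPv6 preference. An absent value means the default (0).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc) { $dc = 0 }
'DisabledComponents = 0x{0:X2}: {1}' -f $dc, (Get-Ipv6PreferenceMeaning $dc)

# 2. Resolve the name once per address family through the Windows DNS client.
#    nslookup sends its own queries straight to one server, so it can succeed
#    while applications that use the system resolver (such as ping) fail.
foreach ($type in 'A', 'AAAA') {
    $answers = Resolve-DnsName -Name $HostName -Type $type -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress }          # drop SOA/authority records
    $shown = if ($answers) { $answers.IPAddress -join ', ' } else { 'no answer' }
    '{0,-4} {1}: {2}' -f $type, $HostName, $shown
}

# 3. DNS servers per connected interface and address family, lowest metric first.
#    With the VPN up, the tunnel adapter and the home adapter's IPv6 DNS servers
#    should both be visible here.
Get-NetIPInterface |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
                    -AddressFamily ([string]$_.AddressFamily)).ServerAddresses
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Family    = $_.AddressFamily
            Metric    = $_.InterfaceMetric
            DnsServer = $dns -join ', '
        }
    } | Format-Table -AutoSize
```

Running it once with the VPN disconnected and once connected shows whether the internal name is only answered for one address family and which interface's DNS servers are in play.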
    KennethKarlsson

    I have just experienced the same issue, and have downgraded our VPN client to version 6.4.0.1464, things work again.

     

    I could ping all hosts on the network, but no DNS would go through. I experienced it because I was setting up some new laptops and installing the default client from the FortiClient website, which I expect is the latest version. After many attempts to solve the problem on the FW and at the client, I tried to downgrade the client, and then all worked again. Seems like something is wrong in the latest version.

     
