DNS Queries fail on some Windows 10 machines - SSL Tunnel FortiClient VPN.

Author: tschoeller (New Member, joined 2021/04/02 11:11:01)
Posted: 2021/04/02 11:35:38

DNS Queries fail on some Windows 10 machines - SSL Tunnel FortiClient VPN.

We have encountered this issue on both FG60E and FG40F.
 
SSL VPN Settings are set to specify DNS and WINS servers behind the FortiGate.
Portal settings enable split tunneling but DNS split tunneling is disabled.
DNS suffix was configured using:
config vpn ssl settings
    set dns-suffix domain.domain.tld
end
 
I have received 3 support requests where users are unable to resolve hostnames using ping and remote desktop:
ping hostname.domain.domain.tld   fails - could not find host
nslookup hostname.domain.domain.tld successfully resolves IP from DNS server behind FG.
Ping of the IP succeeds.  
RDP similarly fails with hostname but succeeds with IP.
 
This is only happening on select Windows 10 machines.  I would like to get to the bottom of it but cannot reproduce it on any of my systems.  I was unable to run packet captures on the users machine to see where the DNS queries were going.
 
Any suggestions would be appreciated.
 
FG40F 6.4.5 build 1828 GA
FG60E 6.4.5 build 1828 GA
FortiClient VPN 6.4.2.1580
FortiClient VPN 6.4.3.1608
 
SSL config:
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-2
banned-cipher :
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : *.domain.tld
algorithm : high
idle-timeout : 30000
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix : domain.domain.tld
dns-server1 : 10.1.1.9
dns-server2 : 10.1.1.11
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 443
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1" "dmz" "port3" "wan2"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : web-access
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0
Reply from UrbyTuesday (New Member, joined 2014/07/16 15:11:31), 2021/04/02 12:34:05:
Try Forticlient VPN v 6.2.6 and see if it makes a difference.
Reply from tschoeller, 2021/04/06 06:47:43:
We tried 6.2.7 and 6.0.1. Neither resolved the issue. We ended up using the hosts file to solve the issue for the user. We will try 6.2.6 for the next case we find.
Reply from tschoeller, 2021/04/08 14:14:55:
Got to the bottom of the issue today. Reddit user Slushmania explains in detail: https://www.reddit.com/r/fortinet/comments/krl6h7/problem_with_ssl_vpn_and_dns/

In short, Windows 10 is sending out simultaneous IPv4 and IPv6 DNS queries. The first query to come back is used. The solution seems to be the registry key: DisableParallelAandAAAA

Configuring the IPv6 DNS for the SSL tunnel should also resolve the issue.
post edited by tschoeller - 2021/04/08 14:26:40
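A diagnostic script added here as an example (it is not from the thread, Fortinet or the Reddit post) that checks the behaviour described above: it asks every resolver configured on the machine separately for the A and the AAAA record of the failing hostname and reports each server's answer and response time, so the resolver that returns the fastest (possibly negative) answer stands out; with -ApplyFix it sets the DisableParallelAandAAAA value named above. The hostname is a placeholder, and the value's location under Dnscache\Parameters and its DWORD type are assumed from Microsoft's DNS client documentation.

```powershell
# Added example, not from the thread: per-resolver A/AAAA check for a hostname
# that ping cannot resolve while nslookup can, plus the optional registry fix.
param(
    [Parameter(Mandatory)][string]$HostName,   # e.g. hostname.domain.domain.tld (placeholder)
    [switch]$ApplyFix                          # set DisableParallelAandAAAA=1 (needs admin)
)

# Every interface that has DNS servers configured: the SSL VPN adapter should
# list the FortiGate-pushed servers, the physical NIC lists the local ones.
$configured = Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($entry in $configured) {
    foreach ($server in $entry.ServerAddresses) {
        foreach ($type in 'A', 'AAAA') {
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # -DnsOnly bypasses the hosts file and the cache so each server is asked directly
                $records = Resolve-DnsName -Name $HostName -Type $type -Server $server -DnsOnly -ErrorAction Stop
                $answer = ($records | Where-Object Type -eq $type | ForEach-Object IPAddress) -join ', '
                if (-not $answer) { $answer = 'empty answer (no record of this type)' }
            } catch {
                # NXDOMAIN, timeout, refused, etc. A fast negative answer from a server
                # that does not know the internal zone is the response that wins the race.
                $answer = "error: $($_.Exception.Message)"
            }
            $sw.Stop()
            [pscustomobject]@{
                Interface = $entry.InterfaceAlias
                Server    = $server
                Type      = $type
                Ms        = $sw.ElapsedMilliseconds
                Answer    = $answer
            }
        }
    }
}

if ($ApplyFix) {
    # Makes the resolver issue the A and AAAA queries sequentially instead of
    # using whichever response arrives first. Key location and value type are
    # assumed from Microsoft's DNS client documentation; reboot afterwards.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    New-ItemProperty -Path $key -Name 'DisableParallelAandAAAA' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'DisableParallelAandAAAA' | Select-Object DisableParallelAandAAAA
}
```

Save it as, for example, Check-VpnDns.ps1 and run `.\Check-VpnDns.ps1 -HostName hostname.domain.domain.tld | Format-Table` on an affected machine while the tunnel is up; a server on the physical NIC answering the AAAA query with an error in a few milliseconds while the tunnel servers answer the A query later is the pattern the thread describes.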