Proto1977
Visitor III
November 16, 2024
Solved

FG90G 7.0.16 issue on DNS Suffix on IPSEC vpn remote access


Hi people,

I just updated a firewall from 7.0.15 to 16 and lost the standard SSL-VPN on FortiClient.

 

So we migrated the VPN remote access config to IPsec, restoring user groups, policies, etc.

 

The only issue I still have is getting FortiClient (now connected via IPsec) to use the DNS suffix I'm passing to the clients.

 

I did all the standard config steps I've seen on other posts:

        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 <dns-server-ip>
        set unity-support enable
        set domain <domain>
 

but the client is still ignoring it.

 

In the ipconfig /all output on the VPN client I can see that it gets the parameters (internal DNS, domain suffix, routes), but if I try to resolve a domain host without the suffix it simply fails. I can still ping it and resolve it with the full domain name.

 

Rules have been checked and I can reach the internal DNS servers.

 

Of course the same feature was working fine before the upgrade on the normal SSL VPN.

 

Do you know if I missed something, or if this kind of deployment (IPsec remote access on FortiClient 7.2.4) doesn't have this feature?

 

Thank you so much

 

2 replies

apFortinet
Staff
November 16, 2024

Hi,

 

Please check if you are able to resolve the same domain host without the suffix from the FortiGate CLI itself. It should work from the FortiGate CLI itself before it works from the IPsec dial-up VPN.

 

If it doesn't work, please check your DNS configuration on the FortiGate. You can specify local domain names under the DNS settings as per the article below:

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/752486/dns-domain-list

 

Cheers,

Ankit

If you have found a solution, please like and accept it to make it easily accessible to others.

 

 

Proto1977 (Author)
Visitor III
November 17, 2024

Yes, from the CLI it can resolve it correctly without the suffix.

Proto1977 (Author, Answer)
Visitor III
November 18, 2024

Hello,

I saw that under the network adapter I had a static configuration of another DNS suffix.

 

IPCONFIG /ALL showed me the correct DNS suffix, but in the end it was not applied because of the network adapter configuration.

 

I had to set this config under the advanced settings of IPv4 to make it work; look at the picture below (sorry that the window language is Italian, I hope it helps anyway).

 

Senza titolo.jpg
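
A way to check a Windows client for the condition described in the accepted answer, as an added example that is not part of the original thread. The screenshot is not available, so the exact setting changed is an assumption: the script assumes a static "Append these DNS suffixes (in order)" list was in place. The function name `Test-VpnDnsSuffix` and the suffix `corp.example` are hypothetical.

```powershell
# Added example: compare the DNS suffix the VPN gateway pushes with what
# Windows will actually append to single-label names.
# 'corp.example' is a constructed placeholder; pass your own suffix.
function Test-VpnDnsSuffix {
    param(
        [Parameter(Mandatory)][string]$ExpectedSuffix
    )

    # Static list from "Append these DNS suffixes (in order)" or Group Policy.
    # When it is non-empty, Windows appends only these suffixes and does not
    # use connection-specific ones, even though ipconfig /all still shows them.
    $staticList = @((Get-DnsClientGlobalSetting).SuffixSearchList |
        Where-Object { $_ })

    # Adapters that received the expected suffix (for example the VPN adapter).
    $adapters = @(Get-DnsClient |
        Where-Object { $_.ConnectionSpecificSuffix -eq $ExpectedSuffix } |
        Select-Object -ExpandProperty InterfaceAlias)

    $finding = if (-not $adapters) {
        'No adapter received the expected suffix; check mode-cfg on the gateway.'
    } elseif ($staticList -and ($staticList -notcontains $ExpectedSuffix)) {
        'A static suffix search list overrides the VPN-supplied suffix.'
    } else {
        'The expected suffix is eligible for single-label lookups.'
    }

    [pscustomobject]@{
        ExpectedSuffix     = $ExpectedSuffix
        AdaptersWithSuffix = $adapters
        StaticSuffixList   = $staticList
        Finding            = $finding
    }
}

# Run while the IPsec tunnel is connected.
Test-VpnDnsSuffix -ExpectedSuffix 'corp.example' | Format-List
```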