FortiClient 6.4.2 DNS Issue
Hi,
We've used FortiGates / FortiClient for years now. We currently use FortiClient 6.2.4 VPN only client on all our PCs for users to work from home etc. We're about to deploy a new HA FGT100F pair and as part of this, we're testing the latest version of FortiClient (V6.4.2). We don't usually use the latest version for stability reasons but we're looking to test the new SAML authentication options.
So, as part of our development testing before we push the new version out to our users, I've installed FortiClient 6.4.2 on my laptop. Normally, we'd use a development machine for testing, but I've not got access to it so I installed it on my laptop.
Here's the issue:
When the SSL VPN is connected to our existing FortiGate (no config change in 6mo+ and still working for all other users on FC6.2.4), DNS is not resolving properly, but it's weird. If I try and ping one of our internal servers using either the hostname only or the FQDN (e.g. server1 or server1.example.local), I get "Ping request could not find host server1. Please check the name and try again.".
BUT
If I go into NSLookup, 1) it correctly shows the "default server" (e.g. dns1.example.local) and 2) if I search for the same host (server1.example.local or just server1), it correctly returns the IP address.
I've also put a packet capture on the FortiGate and observed correct DNS requests and responses. I've had wireshark on my PC verifying the same. So the correct DNS responses are clearly reaching my laptop from our internal DNS servers.
So with this in mind, I decided to roll back to V6.2.4. However, this version is now experiencing the exact same issue, so it seems that V6.4.2 has changed something permanently.
The issue appears to be something related to IPv6 as, if I try to ping with the -4 option, it works fine. However, not being able to resolve v4 addresses means that everything on our VPN fails (we don't use v6 internally). I've tried the article below which suggests a <block_ipv6> tag in the FortiClient configuration but this doesn't seem to make any difference. I don't view disabling v6 on the network adapter as a viable option. Some users have v6 connections at home and some of our users (including me) use v6 when we visit external sites.
I have tried the following:
Does anyone have any ideas for what to try next?
Thanks in advance.
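One way to narrow the symptom described above (ping fails, nslookup succeeds, ping -4 works) is to compare the two resolution paths side by side per address family. The script below is an added diagnostic, not code from the original post or from Fortinet; it assumes Windows 10/11 with the built-in DnsClient module, and `server1.example.local` is a placeholder for the host that ping cannot find.

```powershell
# Added diagnostic, not from the original post. Assumes Windows 10/11 with the
# DnsClient module; $Name is a placeholder for the host that ping cannot find.
param([string]$Name = 'server1.example.local')

function Query($Type, $Server) {
    # -DnsOnly skips LLMNR/NetBIOS fallback, -NoHostsFile skips the hosts file,
    # so the answer reflects what DNS itself returned for this record type.
    $p = @{ Name = $Name; Type = $Type; DnsOnly = $true; NoHostsFile = $true; ErrorAction = 'Stop' }
    if ($Server) { $p.Server = $Server }   # direct query, like nslookup
    try {
        $r = Resolve-DnsName @p | Where-Object { $_.Type -eq $Type }
        if ($r) { ($r | ForEach-Object { $_.IPAddress }) -join ', ' } else { '(no record)' }
    } catch { "FAILED: $($_.Exception.Message)" }
}

"=== Direct queries to each interface's DNS servers (the path nslookup takes) ==="
Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses } | ForEach-Object {
    $alias = $_.InterfaceAlias
    foreach ($srv in $_.ServerAddresses) {
        foreach ($t in 'A', 'AAAA') {
            "{0,-28} {1,-16} {2,-5} {3}" -f $alias, $srv, $t, (Query $t $srv)
        }
    }
}

"=== Queries through the DNS Client service (the path ping relies on) ==="
foreach ($t in 'A', 'AAAA') { "{0,-5} {1}" -f $t, (Query $t $null) }

"=== Connected IPv4 interfaces in metric order (the DNS Client prefers lower) ==="
Get-NetIPInterface -AddressFamily IPv4 | Where-Object ConnectionState -eq 'Connected' |
  Sort-Object InterfaceMetric | Format-Table InterfaceAlias, InterfaceMetric -AutoSize

"=== Effective NRPT rules (a leftover rule can redirect a whole suffix) ==="
Get-DnsClientNrptPolicy -Effective | Format-Table Namespace, NameServers -AutoSize
```

If the direct A queries succeed on the VPN adapter's servers but the service-path A query fails or the AAAA lookup errors out, the problem sits in the client's resolver configuration (interface metrics, suffix handling or an NRPT rule left behind by the newer client) rather than on the FortiGate or the internal DNS servers, which matches the clean capture on both ends.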
