Fortigate 200E: Recursive DNS not working for VPN SSL users
Hi,
Fortigate version: Version: FortiGate-200E v6.0.4
Problem:
I configured VPN SSL as explained in the cookbook, as well as DNS for clients (the FortiGate 200E), which is supposed to do recursive DNS too.
The current situation:
1/ For users transiting the firewall who are NOT connected via SSL VPN, all is working as expected, including recursive DNS.
2/ DNS resolution from the FW is also working as expected, i.e. "execute ping www.linode.com", for example.
3/ [NOT working] DNS resolution is not working for users connected via VPN SSL
The logs are below, but basically when all's working as expected, you can see the whole resolution taking place, i.e. arrival of the packet, the recursive part to the distant DNS server and the response.
When not working, the DNS request doesn't even get parsed, as can be seen below: the sequence stops at "get_intf_policy()-892: ifindex=31" and the next sequence "[worker 0] dns_parse_message()-614" is missing.
-> I was suspecting a firewall policy issue but even after allowing all kinds of traffic through, it's still not working.
Any ideas, experiences or even a solution ;)
Thanks in advance
Logs on executing "diagnose debug application dns -1" (when not working): NOK
[worker 0] udp_receive_request()-2330
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=32, alen=16, 192.168.99.9:51745=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0xbd49 pktlen=32, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=31
[worker 0] udp_receive_request()-2330
[worker 0] batch_on_read()-2688
[worker 0] udp_receive_request()-2330
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=33, alen=16, 192.168.99.9:52229=>172.16.99.3
Logs on executing "diagnose debug application dns -1" (when working): OK
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=38, len=36, alen=16, 172.16.199.190:53453=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0x6c31 pktlen=36, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=38
[worker 0] dns_parse_message()-614
[worker 0] dns_nat64_update_request()-270
[worker 0] dns_local_lookup()-2223: vfid=0 qname=etsy.fr, qtype=1, qclass=1, offset=25, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-495: vfid=0, fqdn=etsy.fr
[worker 0] dns_forward_request()-1056
[worker 0] dns_send_resol_request()-861: orig id: 0x316c local id: 0x0000 domain=etsy.fr
[worker 0] dns_find_best_server()-375: vfid=0 profiled=0 last server 0.0.0.0
[worker 0] dns_send_resol_request()-967: Send 36B to 1.1.1.1:53 via fd=16 request:0 dns_num:7
[worker 0] dns_send_resol_request()-1010: fd=16 used source-ip: 99.99.99.10:4075
[worker 0] udp_receive_request()-2330
[worker 0] batch_on_read()-2688
[worker 0] udp_receive_response()-2546
[worker 0] udp_receive_response()-2569: vd-0: len=192, addr=1.1.1.1:53
[worker 0] dns_query_handle_response()-2025: id:0x802a domain=etsy.fr pktlen=192
[worker 0] dns_set_min_ttl()-182: QR: etsy.fr
[worker 0] dns_set_min_ttl()-190: Offset of 1st RR: 25 Number of RR's: 6
[worker 0] dns_set_min_ttl()-200: RR TTL: 3600
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 0
[worker 0] dns_cache_response()-281: Min ttl = 10
[worker 0] dns_forward_response()-1272
[worker 0] dns_secure_forward_response()-1220: category=255 profile=none
[worker 0] dns_visibility_log_hostname()-235: vd=0 pktlen=192
[worker 0] hostname_entry_insert()-140: af=2 domain=etsy.fr
[worker 0] __dns_forward_response()-1123
[worker 0] __dns_forward_response()-1129: vd-0 Send 192B via fd=13, family=2
[worker 0] __dns_forward_response()-1132: set svf of fd to 0
[worker 0] __dns_forward_response()-1179: vd=0 send 192B response 172.16.99.3:53=>172.16.199.190:53453
[worker 0] dns_query_delete()-449: orgi id:0x316c local id:0x802a active tcp_req=(nil)
[worker 0] udp_receive_response()-2546
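A small triage script, added here as an example (not part of the original post or of FortiOS): it splits the run-on "diagnose debug application dns -1" output into entries, groups them per client query by the udp_receive_request()-2385 line, and reports the furthest stage each query reached, so the missing dns_parse_message() step for ifindex 31 stands out in a longer trace. The sample trace is constructed from the two captures above; the stage order and the field layout of the udp_receive_request()-2385 line are assumptions taken from that output.

```python
import re

# Constructed sample, excerpted from the two debug captures in the post:
# a query from the SSL VPN client (ifindex 31) and one from a LAN client (ifindex 38).
SAMPLE_LOG = """\
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=32, alen=16, 192.168.99.9:51745=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0xbd49 pktlen=32, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=31
[worker 0] udp_receive_request()-2330 [worker 0] batch_on_read()-2688
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=38, len=36, alen=16, 172.16.199.190:53453=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0x6c31 pktlen=36, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=38
[worker 0] dns_parse_message()-614
[worker 0] dns_local_lookup()-2223: vfid=0 qname=etsy.fr, qtype=1, qclass=1, offset=25, map#=2 max_sz=512
[worker 0] dns_send_resol_request()-967: Send 36B to 1.1.1.1:53 via fd=16 request:0 dns_num:7
[worker 0] __dns_forward_response()-1179: vd=0 send 192B response 172.16.99.3:53=>172.16.199.190:53453
"""

ENTRY_RE = re.compile(r"\[worker \d+\] (\w+)\(\)-(\d+)(?::\s*(.*))?")
REQ_RE = re.compile(r"intf=(\d+),.*?(\d+(?:\.\d+){3}):(\d+)=>")
# Milestones of a healthy resolution, in the order the daemon logs them (assumed from the trace).
STAGES = ["handle_dns_request", "get_intf_policy", "dns_parse_message", "dns_local_lookup",
          "dns_forward_request", "dns_send_resol_request", "__dns_forward_response"]

def split_entries(text):
    """The CLI often prints the trace as one run-on line; split on each '[worker N]' prefix."""
    return [e.strip() for e in re.split(r"(?=\[worker \d+\])", text) if e.strip()]

def analyse(text):
    """One record per client query: ingress ifindex, client, furthest stage reached, and
    whether it ever hit dns_parse_message(), the step missing for the VPN users."""
    queries = []
    for m in filter(None, map(ENTRY_RE.match, split_entries(text))):
        func, line, detail = m.group(1), m.group(2), m.group(3) or ""
        if func == "udp_receive_request" and line == "2385":  # a new client query begins
            r = REQ_RE.search(detail)
            queries.append({"intf": int(r.group(1)), "client": f"{r.group(2)}:{r.group(3)}",
                            "stage": -1, "parsed": False})
        elif queries and func in STAGES:
            q = queries[-1]
            q["stage"] = max(q["stage"], STAGES.index(func))
            q["parsed"] = q["parsed"] or func == "dns_parse_message"
    for q in queries:
        q["last_stage"] = STAGES[q["stage"]] if q["stage"] >= 0 else "udp_receive_request"
    return queries

def stalled_interfaces(queries):
    """Ingress ifindexes whose queries were received but never parsed."""
    return sorted({q["intf"] for q in queries if not q["parsed"]})
```

Running analyse() over a full capture and then stalled_interfaces() on the result tells you which ingress interface the DNS daemon is dropping queries from before they are parsed.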