Statistic68
New Member
November 26, 2019
Question

VPN IP address handling

  • November 26, 2019
  • 1 reply
  • 3629 views

We have a small problem. Our Fortigate 60E firewalls are handling our SSLVPN service. It appears they hand out IP addresses sequentially: host 1 gets .1, host 2 gets .2; host 1 disconnects, host 3 gets .1.

When this happens, host 1 registers .1 with DNS, and in this scenario host 3 does too.

Our problem is that sometimes a single host will connect, say, 3 times in 3 hours, and end up with 3 different DNS entries.

I would think that the NIC would update with a new IP each time it contacts DNS, and keep it at one entry per host name. This is causing trouble for SCCM, which is trying to deliver patches to these machines when they connect to VPN.

Anyone seen this before?

1 reply

Statistic68
New Member
December 4, 2019

Can anyone reply to this?

Kenundrum
New Member
December 4, 2019

I have the exact same problem. You can mess with DNS TTL and aging/scavenging but that would involve fully segregating the VPN users into new DNS forward and reverse zones. You may also want to look at using a DHCP relay on the VPN interface.

See https://cookbook.fortinet.com/ipsec-vpn-external-dhcp-service/ It's for 5.2, but the concepts still exist in newer versions. I see this in my future when I have time.

A full dhcp server would be smart enough to assign the same address to the same MAC address no matter how often they connect/disconnect.
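
The symptom described in the question (one host registering several pool addresses, and one pool address registered by several hosts) is easy to spot from a zone export before deciding on TTL changes, scavenging or a separate zone as the reply suggests. The script below is an added example written for this thread, not something posted by either participant or shipped by Fortinet or Microsoft. It assumes the VPN pool is 10.212.134.0/24 and works on a constructed list of A records with their last dynamic-update timestamps; adapt the record loader to whatever your DNS server exports.

```python
"""Find stale and conflicting dynamic A records left behind by a VPN pool
that recycles addresses. Example code for this thread; all data is constructed."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Assumed VPN address pool (placeholder, not taken from the thread).
VPN_POOL = ipaddress.ip_network("10.212.134.0/24")

# Constructed sample of A records as they might be exported from the zone:
# (hostname, address, timestamp of the record's last dynamic update).
SAMPLE_RECORDS = [
    ("laptop-a.corp.example", "10.212.134.1", "2019-11-26T08:05:00"),
    ("laptop-b.corp.example", "10.212.134.2", "2019-11-26T08:10:00"),
    ("laptop-c.corp.example", "10.212.134.1", "2019-11-26T09:20:00"),  # .1 reused
    ("laptop-a.corp.example", "10.212.134.3", "2019-11-26T10:30:00"),  # reconnect
    ("laptop-a.corp.example", "10.212.134.5", "2019-11-26T11:45:00"),  # reconnect
    ("fileserver.corp.example", "192.0.2.10", "2019-11-01T00:00:00"),  # not VPN
]


def parse(records):
    """Normalise hostnames and turn strings into ip_address/datetime objects."""
    return [
        (host.lower(), ipaddress.ip_address(ip), datetime.fromisoformat(ts))
        for host, ip, ts in records
    ]


def in_pool(records, pool=VPN_POOL):
    """Keep only the records whose address falls inside the VPN pool."""
    return [r for r in parse(records) if r[1] in pool]


def hosts_with_multiple_pool_ips(records, pool=VPN_POOL):
    """Hosts that registered more than one pool address: the symptom in the question."""
    by_host = defaultdict(set)
    for host, ip, _ in in_pool(records, pool):
        by_host[host].add(ip)
    return {h: [str(i) for i in sorted(ips)] for h, ips in by_host.items() if len(ips) > 1}


def pool_ips_with_multiple_hosts(records, pool=VPN_POOL):
    """Pool addresses claimed by more than one host: a recycled lease whose old
    record was never removed, so SCCM may reach the wrong machine."""
    by_ip = defaultdict(set)
    for host, ip, _ in in_pool(records, pool):
        by_ip[ip].add(host)
    return {str(i): sorted(h) for i, h in by_ip.items() if len(h) > 1}


def latest_registration_only(records, pool=VPN_POOL):
    """Keep each host's newest pool record; every older one is a scavenging candidate.
    Returns (newest_by_host, stale) where stale is a list of (host, ip) in age order."""
    newest, stale = {}, []
    for host, ip, ts in sorted(in_pool(records, pool), key=lambda r: r[2]):
        if host in newest:
            stale.append((host, str(newest[host][0])))
        newest[host] = (ip, ts)
    return {h: str(v[0]) for h, v in newest.items()}, stale


if __name__ == "__main__":
    print("hosts with several pool IPs:", hosts_with_multiple_pool_ips(SAMPLE_RECORDS))
    print("pool IPs shared by hosts:  ", pool_ips_with_multiple_hosts(SAMPLE_RECORDS))
    current, old = latest_registration_only(SAMPLE_RECORDS)
    print("current:", current)
    print("stale:  ", old)
```

Running it on the sample shows laptop-a holding three pool addresses and 10.212.134.1 shared by laptop-a and laptop-c, which is exactly the condition the question describes. The `stale` list is what a scavenging policy scoped to the VPN range would remove; restricting the check to the pool keeps static records such as the file server out of the result.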

Statistic68
New Member
December 4, 2019

Thanks for the info and confirmation!