sourav
Staff
Article Id 206686
Description

This article describes how to resolve the issue when the customer is seeing both the local adaptor IP and SSL VPN adaptor IP on the local DNS server.

Scope

FortiGate/FortiClient.
Solution

Local IP: The IP assigned to the end user's network adapter, which might be LAN or Wi-Fi.

SSL VPN IP: The IP assigned from the FortiGate to the SSL VPN adaptor.

 

This issue occurs when the end user is connected to the SSL VPN and gets the internal DNS IP address from the FortiGate.

Below is a sample output from the user's PC after connecting to SSL VPN.

 

sourav_0-1646975217003.png

 

sourav_1-1646975217004.png

 

Entry on the DNS server for the same user after connecting to SSL VPN.

 

The solution to resolve this issue is described below:

 

  1. Take an XML backup of the FortiClient configuration by referring to the XML backup guide.
  2. Open the backup file using Notepad.
  3. Search for the following keyword in Notepad and change the value to 2:

no_dns_registration

  4. The search finds two lines containing the keyword; make the change on both.
  5. After making the changes, save the file and import it back into FortiClient.
  6. Then try to connect with FortiClient. The SSL VPN IP will be visible on the local DNS server.

 

The following is the change in DNS entry in the server:

 

sourav_2-1646975283740.png

 

If no_dns_registration=1, only the physical network adapter's 'Register This Connection's Address in DNS' is selected.
If no_dns_registration=2, only the tunnel interface's 'Register This Connection's Address in DNS' is selected.
If no_dns_registration=0, 'Register This Connection's Address in DNS' is selected on both the physical and tunnel interfaces.
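
The Notepad edit from the steps above, scripted so that every occurrence is changed and the previous values are reported; this is an added example, not Fortinet code. It assumes the setting is stored as a `<no_dns_registration>N</no_dns_registration>` element, and the sample backup with its surrounding element names is constructed for illustration.

```python
import re

# Meanings of each value, as stated in the article.
MODES = {
    0: "physical and tunnel adapters both register in DNS",
    1: "only the physical adapter registers in DNS",
    2: "only the tunnel adapter registers in DNS",
}

# Assumption: the setting appears as <no_dns_registration>N</no_dns_registration>.
_TAG = re.compile(r"(<no_dns_registration>)\s*(\d+)\s*(</no_dns_registration>)")


def set_no_dns_registration(xml_text, value=2):
    """Return (new_text, old_values); only the matched element values change."""
    if value not in MODES:
        raise ValueError(f"unsupported value {value!r}; expected one of {sorted(MODES)}")
    old_values = [int(m.group(2)) for m in _TAG.finditer(xml_text)]
    if not old_values:
        raise LookupError("no <no_dns_registration> element found in the backup")
    # Text-level substitution keeps the rest of the backup byte-for-byte intact.
    new_text = _TAG.sub(lambda m: f"{m.group(1)}{value}{m.group(3)}", xml_text)
    return new_text, old_values


# Constructed sample; the surrounding element names are placeholders, not a real export.
SAMPLE_BACKUP = """<?xml version="1.0" encoding="UTF-8"?>
<config_backup>
  <vpn>
    <section_a><options><no_dns_registration>0</no_dns_registration></options></section_a>
    <section_b><options><no_dns_registration>0</no_dns_registration></options></section_b>
  </vpn>
</config_backup>
"""

if __name__ == "__main__":
    patched, before = set_no_dns_registration(SAMPLE_BACKUP, 2)
    print(f"changed {len(before)} occurrence(s), previous values {before}")
    print(f"new mode: {MODES[2]}")
    print(patched)
```

If the reported count is not two, compare the file against the two lines the article says the search should find before importing it.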

 

Note: Also try disabling the DNS registration on the local NIC via the NIC properties:

Go to NIC -> Properties -> IPv4 -> Advanced -> DNS tab -> Uncheck 'Register this connection’s addresses in DNS.' 

Configure the FortiClient VPN adapter to register its IP in DNS.

Use GPO (Group Policy Object) settings:
Computer Configuration -> Administrative Templates -> Network -> DNS Client.