Description | This article describes the '504 DNS lookup failed' error when using FQDN to access the ZTNA server. |
Scope | FortiGate, FortiEMS, FortiClient, ZTNA. |
Solution |
When trying to access the ZTNA server using its FQDN, one may face the '504 DNS lookup failed' error described in this article.
For more details about FortiGate and FortiEMS configuration, please check the documents below:
- ZTNA HTTPS access proxy example
- Use FQDN with ZTNA TCP forwarding access proxy
Using an FQDN requires that the FortiGate or the host can resolve the hostname. When the FortiGate is in charge of this resolution, it is necessary to validate that it can actually do so.
In the example below, the following internal DNS server is being used to resolve the hostname:
The tricky point about the DNS resolution is that the primary DNS server will not always be the one used to resolve the hostname. By default, FortiGate uses 'least RTT' (the server with the lowest round-trip time in ms) as the server selection method. This can be changed to 'failover', which means that only the primary DNS server is used to resolve hostnames until it becomes unreachable.
For more details on the server selection method, see: FortiGate DNS query preference when multiple DNS protocols are enabled
When the cached entry for the hostname expires and a new attempt is made to resolve it, the secondary DNS server will be used if it has a lower RTT (ms) value than the primary. If the secondary server does not hold this DNS entry, the resolution fails and the '504 DNS lookup failed' error is returned.
To check whether the hostname is currently cached, run 'diag test application dnsproxy 13' on the CLI. For more DNS commands, see: Technical Tip: FortiGate Troubleshooting DNS commands
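As an added example that is not part of the original article, the FortiOS CLI below places the default 'least RTT' selection (which exposes this failure when the secondary server lacks the internal record) beside the corrected 'failover' setting. The IP addresses and the FQDN are constructed, and the `server-select-method` keyword is assumed to be the FortiOS 7.x name for the selection method.

```fortios
# Added example: 'least RTT' default versus 'failover' selection.
# Addresses and the FQDN are constructed placeholders; 'server-select-method'
# is assumed to be the FortiOS 7.x keyword for the DNS server selection method.

# Weak (default): once the cached entry expires, the server with the lowest
# RTT is queried. If that is the public secondary, it has no record for the
# internal ZTNA FQDN (ztna.example.internal) and the client receives the 504.
config system dns
    set primary 10.10.10.53       # internal DNS, hosts ztna.example.internal
    set secondary 203.0.113.53    # public resolver, does not hold the record
    set server-select-method least-rtt
end

# Corrected: only the primary is queried until it becomes unreachable, so the
# internal record resolves consistently while the primary is up.
config system dns
    set primary 10.10.10.53
    set secondary 203.0.113.53
    set server-select-method failover
end

# Confirm the applied setting, then check whether the FQDN is cached.
get system dns
diagnose test application dnsproxy 13
```

Failover only narrows the failure window to a primary outage; a secondary that also hosts the internal zone removes the dependency entirely.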
Testing access to ZTNA servers using FQDN:
Copyright 2025 Fortinet, Inc. All Rights Reserved.