Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tschoeller
New Contributor

DNS Queries fail on some Windows 10 machines - SSL Tunnel FortiClient VPN.

We have encountered this issue on both FG60E and FG40F.


SSL VPN Settings are set to specify DNS and WINS servers behind the FortiGate.

Portal settings enable split tunneling but DNS split tunneling is disabled.

DNS suffix was configured using:

config vpn ssl settings
    set dns-suffix domain.domain.tld
end


I have received 3 support requests where users are unable to resolve hostnames using ping and remote desktop:

ping hostname.domain.domain.tld fails - could not find host

nslookup hostname.domain.domain.tld successfully resolves IP from DNS server behind FG.

Ping of the IP succeeds.  

RDP similarly fails with hostname but succeeds with IP.


This is only happening on select Windows 10 machines. I would like to get to the bottom of it but cannot reproduce it on any of my systems. I was unable to run packet captures on the user's machine to see where the DNS queries were going.


Any suggestions would be appreciated.


FG40F 6.4.5 build 1828 GA

FG60E 6.4.5 build 1828 GA

FortiClient VPN 6.4.2.1580

FortiClient VPN 6.4.3.1608


SSL config:

reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-2
banned-cipher :
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : *.domain.tld
algorithm : high
idle-timeout : 30000
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix : domain.domain.tld
dns-server1 : 10.1.1.9
dns-server2 : 10.1.1.11
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 443
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1" "dmz" "port3" "wan2"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : web-access
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0

UrbyTuesday
New Contributor

Try FortiClient VPN v6.2.6 and see if it makes a difference.

tschoeller

We tried 6.2.7 and 6.0.1. Neither resolved the issue. We ended up using the hosts file to solve the issue for the user. We will try 6.2.6 for the next case we find.

tschoeller

Got to the bottom of the issue today. Reddit user Slushmania explains in detail: https://www.reddit.com/r/fortinet/comments/krl6h7/problem_with_ssl_vpn_and_dns/


In short, Windows 10 sends out simultaneous IPv4 and IPv6 DNS queries. The first query to come back is used. The solution seems to be the registry key: DisableParallelAandAAAA

Configuring the IPv6 DNS for the SSL tunnel should also resolve the issue.
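An added example, not from the thread or from Fortinet, that makes the race described above visible and checks or applies the registry workaround the thread names. It assumes the internal hostname and tunnel DNS servers quoted earlier in the thread, and that DisableParallelAandAAAA lives under the Dnscache Parameters key (the location as I understand Microsoft documents it; confirm for your Windows build before rolling it out).

```powershell
# Added example (not from the thread). Shows, per configured resolver, which
# record types actually answer for an internal name, then checks/sets
# DisableParallelAandAAAA. Run in an elevated PowerShell when using -Apply.
param(
    [string]$Name = 'hostname.domain.domain.tld',   # internal name from the thread
    [switch]$Apply                                  # write the registry value
)

# 1. Which resolvers does the client have right now, per interface? With the
#    tunnel up there are normally two sets: the tunnel's (10.1.1.9/10.1.1.11
#    in the thread) and the LAN/ISP resolver of the physical adapter.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Ask every resolver for A and AAAA separately, bypassing hosts/cache.
#    The tunnel servers return the A record; an outside resolver usually
#    returns a fast negative answer for the AAAA query, and with parallel
#    A/AAAA queries that first-arriving negative answer is what wins.
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Sort-Object -Unique
foreach ($srv in $servers) {
    foreach ($type in 'A', 'AAAA') {
        try {
            $r = Resolve-DnsName -Name $Name -Type $type -Server $srv -DnsOnly -ErrorAction Stop
            $answer = ($r | Where-Object Type -eq $type | ForEach-Object IPAddress) -join ', '
            if (-not $answer) { $answer = 'no record of this type' }
        } catch {
            $answer = "error: $($_.Exception.Message)"   # e.g. NXDOMAIN from the LAN resolver
        }
        '{0,-16} {1,-5} {2}' -f $srv, $type, $answer
    }
}

# 3. Check (and optionally set) the workaround. Assumed key path; DWORD 1 tells
#    the stub resolver to send the A and AAAA queries sequentially.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$val = 'DisableParallelAandAAAA'
$current = (Get-ItemProperty -Path $key -Name $val -ErrorAction SilentlyContinue).$val
"Current ${val}: " + $(if ($null -eq $current) { 'not set (parallel queries on)' } else { $current })

if ($Apply) {
    New-ItemProperty -Path $key -Name $val -PropertyType DWord -Value 1 -Force | Out-Null
    Clear-DnsClientCache
    "Set $val=1 and flushed the resolver cache; reconnect the VPN and re-run without -Apply."
}
```

Step 2 is the part worth running first: if the tunnel resolvers answer the A query and the other resolver answers AAAA with an error, you are looking at the race the thread describes, and either the registry value or the ipv6-dns-server settings (shown as :: in the config above) address it.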