Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
preyes
New Contributor

SSL VPN No local DNS

Hi there, newbie here in the Fortinet world.

 

Our HO has FortiGate 200 running ver 6.4

 

I am also using FortiClient 6.4; I downgraded to FortiClient version 6.0 and it work fine; but I can not believe that this problem exists since version 6.2 and nobody noticed.

 

I have a SSL VPN configured which connects fine; but is does not transfer the local dns server info to the remote user. 

 

What can be the problem?

 

Thanks in advanced.

17 REPLIES 17
oscar37
New Contributor

do you have DNS server set to your local dns in your SSL VPN settings? 

 

#config vpn ssl setting     set dns-server1 <LOCAL DNS IP>     set dns-server2 <Local DNS IP>

 

 

you can also set via GUI from your SSL VPN settings.

 

Thank you in Advance

preyes
New Contributor

Thanks for the quick reply.

I have configured under Split DNS (SSL-VPN Portal)

Primary DNS (local primary dns server) and Secondary DNS (local secondary dns server)

isamt

Configure DNS for SSL Vpn under config vpn ssl settings.

 

config vpn ssl settings    set dns-suffix "Domain_Name"    set dns-server1 192.168.1.1

   set dns-server2 192.168.1.2

 

You should also configure dns-suffix, otherwise vpn clients will only be able to ping IP addresses or fully qualified host names.

So i you have a server named intranet.domain.com on IP 192.168.1.100 vpn users can ping 192.168.1.100 and intranet.domain.com but not hostname intranet unless you set the dns-suffix to "domain.com"

 

preyes
New Contributor

I am unable to ping to intranet.domain.com but I can ping successfully to 192.168.1.100

 

The vpn user is a local user created on the FortiGate running 6.4 and FortiClient 6.4

I noticed that FortiClient 6.0 allow me to ping to intranet.domain.com and 192.168.1.100

aseques
New Contributor

I don't know if it's your case (you don't specify the platform), but on the forticlient 6.4.0 for linux there's an issue that breaks this feature, that's supposedly fixed on 6.4.1 that will be released at the end of the month.

 

sw2090
Honored Contributor

hm I cannto speack for ssl vpn but I know this from IPSec. Maybe it is the same with ssl vpn?

 

If I set a tunnel to do split dns the options in ipsec config are rather the same. You set dns-server1 and 2 and a domain/suffix. However it won't work because there is an option dns mode that is not visible in gui in ipsec config. It is set to "auto" by default which prevents split dns from working. It has to be set to "manual" on cli to make split dns work. 

I don't have a clue why fortinet didn't include this in gui as it is that important.

Maybe there is the same issue with split dns and ssl vpn too?

 

hth

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

live89

I've seen a known issue reported maybe related to your situation

https://docs.fortinet.com/document/forticlient/6.2.1/windows-release-notes/991883/known-issues

please check if this bug id 537299 is your case

which has been resolved in 6.2.3

https://docs.fortinet.com/document/forticlient/6.2.3/windows-release-notes/22791/resolved-issues

 

Thanks

aseques
New Contributor

I forgot to update the thread, after escalating the issue, one of the engineers from fortigate could diagnose the issue and check that it was indeed a problem on the release 6.4.0, but..

There's a fixed 6.4.1 version but only for EMS customers that are on more frequent releases.

If you are (like me) without specific EMS contract for vpn users you have two options:

[ul]
  • Wait until 6.4.1 is released on forticlient.com (6 months have passed without any change)
  • Use the legacy 4.x versions (no system integration, etc.)
  • Use some other program such as openfortigui (that has been my option so far) that works quite fine.[/ul]

    It's a bit of a shame that fortigate hosts a non working (I'd say most of us are using local dns) vpn client in their site forcing users into other platforms / solutions.

  • UrbyTuesday

    Exact same problem. 

    80E with 6.2.6 firmware and 6.4.2 Forticlient VPN - no internal DNS resolution over SSL VPN. Can ping the internal DNS server IP but not the FQDN.  NSLOOKUP times out.

     

    I've wasted a whole day on this ****.  Finally found this post, installed 6.2.6 and the problem goes away instantly. 

     

    Fortinet needs to get their $hit together.  This is ridiculous. I'm IT director for 200 people and have one assistant. We don't have time to run test labs for every single change we make.  There are certain things that should just WORK.  Period.  Like a utility. Completely inexcusable.