Created on 06-30-2020 04:24 AM
Hi there, newbie here in the Fortinet world.
Our HO has FortiGate 200 running ver 6.4
I am also using FortiClient 6.4; I downgraded to FortiClient version 6.0 and it work fine; but I can not believe that this problem exists since version 6.2 and nobody noticed.
I have a SSL VPN configured which connects fine; but is does not transfer the local dns server info to the remote user.
What can be the problem?
Thanks in advanced.
Created on 06-30-2020 06:58 AM
do you have DNS server set to your local dns in your SSL VPN settings?
#config vpn ssl setting set dns-server1 <LOCAL DNS IP> set dns-server2 <Local DNS IP>
you can also set via GUI from your SSL VPN settings.
Thank you in Advance
Thanks for the quick reply.
I have configured under Split DNS (SSL-VPN Portal)
Primary DNS (local primary dns server) and Secondary DNS (local secondary dns server)
Configure DNS for SSL Vpn under config vpn ssl settings.
config vpn ssl settings set dns-suffix "Domain_Name" set dns-server1 192.168.1.1
set dns-server2 192.168.1.2
You should also configure dns-suffix, otherwise vpn clients will only be able to ping IP addresses or fully qualified host names.
So i you have a server named intranet.domain.com on IP 192.168.1.100 vpn users can ping 192.168.1.100 and intranet.domain.com but not hostname intranet unless you set the dns-suffix to "domain.com"
I am unable to ping to intranet.domain.com but I can ping successfully to 192.168.1.100
The vpn user is a local user created on the FortiGate running 6.4 and FortiClient 6.4
I noticed that FortiClient 6.0 allow me to ping to intranet.domain.com and 192.168.1.100
I don't know if it's your case (you don't specify the platform), but on the forticlient 6.4.0 for linux there's an issue that breaks this feature, that's supposedly fixed on 6.4.1 that will be released at the end of the month.
hm I cannto speack for ssl vpn but I know this from IPSec. Maybe it is the same with ssl vpn?
If I set a tunnel to do split dns the options in ipsec config are rather the same. You set dns-server1 and 2 and a domain/suffix. However it won't work because there is an option dns mode that is not visible in gui in ipsec config. It is set to "auto" by default which prevents split dns from working. It has to be set to "manual" on cli to make split dns work.
I don't have a clue why fortinet didn't include this in gui as it is that important.
Maybe there is the same issue with split dns and ssl vpn too?
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I've seen a known issue reported maybe related to your situation
please check if this bug id 537299 is your case
which has been resolved in 6.2.3
I forgot to update the thread, after escalating the issue, one of the engineers from fortigate could diagnose the issue and check that it was indeed a problem on the release 6.4.0, but..
There's a fixed 6.4.1 version but only for EMS customers that are on more frequent releases.
If you are (like me) without specific EMS contract for vpn users you have two options:[ul]
It's a bit of a shame that fortigate hosts a non working (I'd say most of us are using local dns) vpn client in their site forcing users into other platforms / solutions.
Exact same problem.
80E with 6.2.6 firmware and 6.4.2 Forticlient VPN - no internal DNS resolution over SSL VPN. Can ping the internal DNS server IP but not the FQDN. NSLOOKUP times out.
I've wasted a whole day on this ****. Finally found this post, installed 6.2.6 and the problem goes away instantly.
Fortinet needs to get their $hit together. This is ridiculous. I'm IT director for 200 people and have one assistant. We don't have time to run test labs for every single change we make. There are certain things that should just WORK. Period. Like a utility. Completely inexcusable.