We have encountered this issue on both FG60E and FG40F.
SSL VPN Settings are set to specify DNS and WINS servers behind the FortiGate.
Portal settings enable split tunneling but DNS split tunneling is disabled.
DNS suffix was configured using:
config vpn ssl settings
set dns-suffix domain.domain.tld
I have received 3 support requests where users are unable to resolve hostnames using ping and remote desktop:
ping hostname.domain.domain.tld fails - could not find host
nslookup hostname.domain.domain.tld successfully resolves IP from DNS server behind FG.
Ping of the IP succeeds.
RDP similarly fails with hostname but succeeds with IP.
This is only happening on select Windows 10 machines. I would like to get to the bottom of it but cannot reproduce it on any of my systems. I was unable to run packet captures on the user's machine to see where the DNS queries were going.
Any suggestions would be appreciated.
FG40F 6.4.5 build 1828 GA
FG60E 6.4.5 build 1828 GA
FortiClient VPN 6.4.2.1580
FortiClient VPN 6.4.3.1608
SSL config:
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-2
banned-cipher :
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : *.domain.tld
algorithm : high
idle-timeout : 30000
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix : domain.domain.tld
dns-server1 : 10.1.1.9
dns-server2 : 10.1.1.11
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 443
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1" "dmz" "port3" "wan2"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : web-access
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0
Try Forticlient VPN v 6.2.6 and see if it makes a difference.
We tried 6.2.7 and 6.0.1. Neither resolved the issue. We ended up using the hosts file to solve the issue for the user. We will try 6.2.6 for the next case we find.
Got to the bottom of the issue today. Reddit user Slushmania explains in detail: https://www.reddit.com/r/fortinet/comments/krl6h7/problem_with_ssl_vpn_and_dns/
In short, Windows 10 is sending out simultaneous IPv4 and IPv6 DNS queries. The first query to come back is used. The solution seems to be the registry key DisableParallelAandAAAA.
Configuring the IPv6 DNS for the SSL tunnel should also resolve the issue.
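To check a Windows 10 client for the conditions described in the answer above (tunnel adapter with IPv4 but no IPv6 resolvers, the DisableParallelAandAAAA value, and the system resolver disagreeing with a query sent straight to the tunnel DNS server), here is an added diagnostic script; it is not from this thread or from Fortinet. The adapter name pattern, the host name and the registry path are assumptions and placeholders, and the fix at the end is commented out so the script itself changes nothing.

```powershell
# Added diagnostic for the parallel A/AAAA race described in the thread.
# Assumption: the FortiClient SSL VPN adapter matches one of the patterns below.
$adapter = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like '*Fortinet*' -or $_.Name -like '*fortissl*' } |
    Select-Object -First 1
if (-not $adapter) { Write-Warning 'No FortiClient SSL VPN adapter found; connect the tunnel first.'; return }

# 1. Resolvers pushed to the tunnel adapter. An empty IPv6 list is the situation
#    the answer describes: the AAAA query can go out another interface and its
#    answer may win the race against the A query sent through the tunnel.
$v4 = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
$v6 = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv6).ServerAddresses
"IPv4 DNS on tunnel: $($v4 -join ', ')"
"IPv6 DNS on tunnel: $(if ($v6) { $v6 -join ', ' } else { '<none>' })"

# 2. The registry value from the answer (assumed location under the Dnscache service).
#    1 = the DNS client sends A and AAAA queries sequentially instead of in parallel.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$val = (Get-ItemProperty -Path $key -Name DisableParallelAandAAAA -ErrorAction SilentlyContinue).DisableParallelAandAAAA
"DisableParallelAandAAAA: $(if ($null -eq $val) { '<not set>' } else { $val })"

# 3. Reproduce the symptom: the system resolver (what ping/RDP use) vs. a query
#    sent directly to the tunnel DNS server (what nslookup does).
$name = 'hostname.domain.domain.tld'   # placeholder from the thread
$tunnelDns = $v4 | Select-Object -First 1
$system = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
$direct = Resolve-DnsName -Name $name -Type A -Server $tunnelDns -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
"System resolver:      $(if ($system) { $system.IPAddress -join ', ' } else { 'no A record' })"
"Direct to $tunnelDns : $(if ($direct) { $direct.IPAddress -join ', ' } else { 'no A record' })"
if (-not $system -and $direct) { 'Mismatch matches the thread: ping/RDP by name fail, nslookup works.' }

# To apply the fix from the answer (run elevated), then reconnect the tunnel:
#   Set-ItemProperty -Path $key -Name DisableParallelAandAAAA -Value 1 -Type DWord
#   Clear-DnsClientCache
```

Pushing an IPv6 DNS server to the tunnel (ipv6-dns-server1 in the SSL settings, currently "::" in the config above) is the firewall-side alternative mentioned in the answer; the script only reports which of the two conditions applies.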