Hi
I have a problem with the VPN client and FortiGate.
The tunnel is up, ping to the device is OK, but when I ping an FQDN host there is no response.
Split tunnel is enabled. Do you have an idea?
Fortigate and VPN version 7.4.3
Thanks for your help
Hi Meni
Try configuring split DNS:
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/988717/ssl-vpn-split-dns
Hi Aek
Thank you for your reply. I've done this before and the result is the same.
No DNS resolution.
Meni
Hi Meni
Ensure that there is a firewall policy allowing your VPN clients to send DNS queries to your internal DNS server.
If this is done and it still doesn't work, try the following:
Sniffer example:
diag sniffer packet any 'host x.x.x.x and port 53' 4
Flow debug example:
diag debug flow filter addr x.x.x.x
diag debug flow filter port 53
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug console timestamp enable
diag debug flow trace start 50
diag debug enable
Where x.x.x.x is the SSL VPN client's IP address, usually 10.212.134.x.
Hi
Thanks for your message. I made a test.
SSL VPN Client is 192.168.226.101
DNS SERVER : 192.168.1.201
FW01 # diag sniffer packet any 'host 192.168.226.101 and port 53' 4
interfaces=[any]
filters=[host 192.168.226.101 and port 53]
15.314038 ssl.root in 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314085 Lan_Inside out 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314089 LAN_Interne out 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314093 port1 out 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314526 Lan_Inside in 192.168.1.201.53 -> 192.168.226.101.58481: udp 55
15.314569 ssl.root out 192.168.1.201.53 -> 192.168.226.101.58481: udp 55
85.046123 ssl.root in 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.046176 Lan_Inside out 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.046180 LAN_Interne out 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.046184 port3 out 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.059475 Lan_Inside in 192.168.1.201.53 -> 192.168.226.101.55970: udp 49
85.059501 ssl.root out 192.168.1.201.53 -> 192.168.226.101.55970: udp 49
FW01 # 2024-05-10 10:37:30 id=65308 trace_id=11 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.226.101:54790-> 192.168.1.201:53) tun_id=0.0.0.0 from ssl.root. "
2024-05-10 10:37:30 id=65308 trace_id=11 func=init_ip_session_common line=6020 msg="allocate a new session-0024ba0d"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_dnat_check line=5466 msg="in-[ssl.root], out-[]"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-05-10 10:37:30 id=65308 trace_id=11 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw- 192.168.1.201 via Lan_Inside"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_fwd_check line=801 msg="in-[ssl.root], out-[Lan_Inside], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=98, len=3"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-111, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-121, ret-matched, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_user_identity_check line=1887 msg="ret-matched"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffbffc02c384"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2358 msg="policy-121 is matched, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-121"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-121"
2024-05-10 10:37:30 id=65308 trace_id=11 func=fw_forward_handler line=985 msg="Allowed by Policy-121:"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
2024-05-10 10:37:30 id=65308 trace_id=12 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.1.201:53->192.168.226.101:54790) tun_id=0.0.0.0 from Lan_Inside. "
2024-05-10 10:37:30 id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0024ba0d, reply direction"
2024-05-10 10:37:30 id=65308 trace_id=12 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.168.226.101 via ssl.root"
2024-05-10 10:37:30 id=65308 trace_id=12 func=npu_nturbo_unset_flags line=272 msg="ses->npu_state=0x100 skb->npu_flag=0x0"
2024-05-10 10:37:30 id=65308 trace_id=12 func=npu_nturbo_unset_flags line=272 msg="ses->npu_state=0x40108 skb->npu_flag=0x0"
2024-05-10 10:37:30 id=65308 trace_id=12 func=npu_handle_session44 line=1213 msg="Trying to offloading session from Lan_Inside to ssl.root, skb.npu_flag=00000000 ses.state=01000200 ses.npu_state=0x00040108"
2024-05-10 10:37:30 id=65308 trace_id=12 func=fw_forward_dirty_handler line=447 msg="state=01000200, state2=00000000, npu_state=00040108"
2024-05-10 10:37:30 id=65308 trace_id=12 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffbffc02c130"
2024-05-10 10:37:30 id=65308 trace_id=12 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-05-10 10:37:30 id=65308 trace_id=12 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
I don't see an error.
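A small check, added here as an example and not part of the thread, that pairs each DNS query with its reply in sniffer output like the one above and sorts the queries into three cases: answered on the tunnel side (the firewall path works, so the client's resolver configuration is the next place to look), forwarded to the LAN but never answered (the DNS server did not respond), and never forwarded (the query stayed on the firewall, so policy or route is the suspect). The sample lines are constructed from the posted output, with the last two queries altered so that each failure case appears.

```python
import re

# Sample sniffer lines, constructed from the output posted above
# (diag sniffer packet any 'host 192.168.226.101 and port 53' 4); the
# last two queries are altered so that one failure mode of each kind appears.
SAMPLE = """\
15.314038 ssl.root in 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314085 Lan_Inside out 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314526 Lan_Inside in 192.168.1.201.53 -> 192.168.226.101.58481: udp 55
15.314569 ssl.root out 192.168.1.201.53 -> 192.168.226.101.58481: udp 55
85.046123 ssl.root in 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.046176 Lan_Inside out 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
90.000000 ssl.root in 192.168.226.101.60000 -> 192.168.1.201.53: udp 40
"""

# One sniffer line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): udp \d+$"
)


def audit_dns(text, client, tunnel_iface="ssl.root"):
    """Pair each DNS query from `client` with its reply, keyed by client port.

    Returns {port: {"status": ..., "rtt_ms": ...}} where status is "answered"
    (reply seen leaving on the tunnel interface), "no_reply_from_server"
    (query left the firewall but nothing came back) or "not_forwarded".
    """
    queries = {}
    blank = lambda: {"sent": None, "forwarded": False, "reply": None}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt, filter banner or unrelated line
        f = m.groupdict()
        if f["src"] == client and f["dport"] == "53":
            q = queries.setdefault(f["sport"], blank())
            if f["dir"] == "in" and f["iface"] == tunnel_iface:
                q["sent"] = float(f["ts"])  # query arrived from the VPN client
            elif f["dir"] == "out":
                q["forwarded"] = True  # query left towards the DNS server
        elif f["dst"] == client and f["sport"] == "53":
            if f["dir"] == "out" and f["iface"] == tunnel_iface:
                queries.setdefault(f["dport"], blank())["reply"] = float(f["ts"])
    report = {}
    for port, q in queries.items():
        if q["reply"] is not None and q["sent"] is not None:
            report[port] = {"status": "answered", "rtt_ms": round((q["reply"] - q["sent"]) * 1000, 3)}
        elif q["forwarded"]:
            report[port] = {"status": "no_reply_from_server", "rtt_ms": None}
        else:
            report[port] = {"status": "not_forwarded", "rtt_ms": None}
    return report
```

Run it as `audit_dns(open("sniffer.txt").read(), "192.168.226.101")` on a saved capture; if every query is "answered" yet the client still fails, the problem is on the client side (split DNS suffixes or adapter DNS order), not in the firewall policy.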
Hello Meni
You can check a few things:
If you are pinging an FQDN which is hosted internally, then check if you have configured the DNS server in the SSL settings.
The second condition is if you have configured DNS in the SSL settings and you are resolving public DNS: it might not work because the DNS settings are pushed to all the adapters.
You can also check if the fqdn is a fully qualified domain name or just a hostname.
Thanks & Regards
Mayank Sharma
Hi Mayank
Thanks for your reply
I only put the internal DNS. See below.
The result is the same whether pinging the host alone or with the local domain.
Hi @hbac
Thanks for your reply
Yes, I have it.
I don't use IPv6 DNS, could the problem come from that?
Regards
Meni
Just for troubleshooting purposes, try enabling NAT on this policy and redo the test.