Support Forum
TBC
Contributor

DNS over SSLVPN - nslookup timeout

Hello @All

 

I have configured SSL VPN on FortiGate OS 7.2.0.

On a Win10 client, login works, and pinging the system by IP and FQDN works too.

If I use nslookup I get a DNS request timeout.

If I use ping -a I can ping, but there is no name resolution.

 

My configuration:

Under Network > DNS Server I have configured the LAN and SSL-VPN tunnel interfaces.

In the DNS Database our domain is configured with both internal MS AD DNS servers.

Under VPN > SSL-VPN Settings both MS AD DNS servers are also configured.

 

Is there anything wrong in my configuration?

Also, I have no nslookup on the FortiGate CLI.

 

Many thanks for helping

TBC

 

1 Solution
seshuganesh
Staff

Hi Team,

 

As per your setup you do not need to configure the DNS database, since you have already specified the DNS servers explicitly under VPN >> SSL VPN settings.

Please make sure there is a firewall policy allowing DNS traffic from the SSL VPN client to these internal DNS servers.

Policy:

Incoming interface: ssl.root

Outgoing interface: Interface to which DNS servers are connected.

Source: SSL VPN with user

Destination: DNS servers

 

In case it is not working, please share the output of the commands below:

PuTTY session 1: diag sniffer packet any 'host <sslvpnip> and port 53' 6 0 a

PuTTY session 2:

diag debug reset

diag debug disable

diag debug flow filter addr <sslvpnclientip>

diag debug flow show function-name enable

diag debug flow filter proto 17

diag debug flow trace start 1000

diag debug enable

 

Once you have collected the debug, please disable it by running "diag debug disable".

Please share the output with us.


5 REPLIES
sw2090
SuperUser

If you use split tunneling, you may have to set the DNS option to manual on the CLI once you have entered the DNS server in the VPN GUI on the FGT. Without that (at least that is what happened here with IPsec dial-up VPN connections) no DNS will be pushed.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

TBC
Contributor

Many thanks to you both!

@sw2090 the DNS servers are showing in the CLI, many thanks.

@seshuganesh, I have set up the policy as you described. Unfortunately, still the same result.
Enclosed are the requested outputs:

Sniffer trace:

 

filters=[host 192.168.190.1 and port 53]
2022-04-27 08:14:11.137086 ssl.root in 192.168.190.1.57695 -> 192.168.168.243.53: udp 46
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004a ab34 0000 8011 a728 c0a8 be01 c0a8 .J.4.....(......
0x0020 a8f3 e15f 0035 0036 3abe 0001 0100 0001 ..._.5.6:.......
0x0030 0000 0000 0000 0332 3433 0331 3638 0331 .......243.168.1
0x0040 3638 0331 3932 0769 6e2d 6164 6472 0461 68.192.in-addr.a
0x0050 7270 6100 000c 0001 rpa.....

2022-04-27 08:14:13.144489 ssl.root in 192.168.190.1.57696 -> 192.168.168.243.53: udp 45
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 0049 ab35 0000 8011 a728 c0a8 be01 c0a8 .I.5.....(......
0x0020 a8f3 e160 0035 0035 7ead 0002 0100 0001 ...`.5.5~.......
0x0030 0000 0000 0000 0235 3203 3136 3803 3136 .......52.168.16
0x0040 3803 3139 3207 696e 2d61 6464 7204 6172 8.192.in-addr.ar
0x0050 7061 0000 0c00 01 pa.....

2022-04-27 08:15:21.105677 ssl.root in 192.168.190.1.61895 -> 192.168.168.245.53: udp 49
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004d ea3e 0000 8011 6819 c0a8 be01 c0a8 .M.>....h.......
0x0020 a8f5 f1c7 0035 0039 1a69 4fc2 0100 0001 .....5.9.iO.....
0x0030 0000 0000 0000 0c73 6574 7469 6e67 732d .......settings-
0x0040 7769 6e04 6461 7461 096d 6963 726f 736f win.data.microso
0x0050 6674 0363 6f6d 0000 0100 01 ft.com.....

2022-04-27 08:15:22.105924 ssl.root in 192.168.190.1.61895 -> 192.168.168.243.53: udp 49
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004d ab36 0000 8011 a723 c0a8 be01 c0a8 .M.6.....#......
0x0020 a8f3 f1c7 0035 0039 1a6b 4fc2 0100 0001 .....5.9.kO.....
0x0030 0000 0000 0000 0c73 6574 7469 6e67 732d .......settings-
0x0040 7769 6e04 6461 7461 096d 6963 726f 736f win.data.microso
0x0050 6674 0363 6f6d 0000 0100 01 ft.com.....

 

 

Debug output:

 

 

id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645418, ack 3333014032, win 1024"
id=65308 trace_id=1 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645524, win 91"
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645524, ack 3333014032, win 1024"
id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=4 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645584, win 91"
id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=5 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645584, ack 3333014032, win 1024"
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=6 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645689, win 91"
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645689, ack 3333014032, win 1024"
id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645804, win 91"
id=65308 trace_id=8 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645804, ack 3333014032, win 1024"
id=65308 trace_id=9 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=10 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645919, win 91"
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"

 

 

 

Ping and nslookup from client

 

ping subu-pi2-rv4
Pinging subu-pi2-rv4.domain.com [192.168.169.52] with 32 bytes of data:

C:\Windows\system32>nslookup 192.168.168.52
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.168.243

 

 

Many thanks for helping
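One way to check a trace like the one above for missing replies, as an added example that is not part of the original thread and not Fortinet tooling: the script below decodes the verbosity-6 hex dump that "diag sniffer packet" prints, pulls the transaction ID, question name and type out of every UDP/53 packet, and pairs each query with a reply from the server it was sent to. The sample input reuses the first and third query packets from the trace above and adds a hand-constructed reply arriving on an assumed LAN interface named "port3" (the reply packet, its 13.107.42.78 answer and the interface name are constructed, not from the thread). Every packet in the original trace is a query entering on ssl.root with no reply at all, which is what the unanswered list makes visible at a glance.

```python
"""Pair DNS queries with replies in a FortiGate 'diag sniffer packet ... 6' trace.
Added example for this thread, not Fortinet code; reports queries with no answer."""
import re
import struct
from collections import namedtuple
PKT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ (?:in|out) "
                    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)")
TS_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ ")
DnsPacket = namedtuple("DnsPacket", "time src sport dst dport txid response qname qtype")

def hex_row(line):
    """Bytes of one '0xNNNN gggg gggg ... ASCII' dump row, or None for other lines."""
    tokens = line.split()
    if len(tokens) < 2 or not tokens[0].startswith("0x"):
        return None
    out = bytearray()
    for tok in tokens[1:9]:                        # at most 8 groups (16 bytes) per row
        if not re.fullmatch(r"[0-9a-f]{4}|[0-9a-f]{2}", tok):
            break                                  # reached the ASCII column
        out += bytes.fromhex(tok)
        if len(tok) == 2:                          # odd trailing byte ends the row
            break
    return bytes(out)

def read_name(msg, off):
    """Decode the uncompressed question name at msg[off:]; return (name, end offset)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def decode(m, raw):
    """Build a DnsPacket from a header-line match and the reassembled frame bytes."""
    ts, src, sport, dst, dport, ulen = m.groups()
    ihl = (raw[14] & 0x0F) * 4                     # 14-byte Ethernet header, then IPv4
    dns = raw[14 + ihl + 8:14 + ihl + 8 + int(ulen)]   # skip the 8-byte UDP header
    txid, flags = struct.unpack("!HH", dns[:4])
    qname, off = read_name(dns, 12)                # question follows the 12-byte DNS header
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    return DnsPacket(ts, src, int(sport), dst, int(dport),
                     txid, bool(flags & 0x8000), qname, qtype)   # QR bit marks replies

def parse_sniffer(text):
    """Return the UDP/53 packets found in sniffer output (header line + hex rows)."""
    packets, header, raw = [], None, bytearray()
    for line in text.splitlines() + ["9999-99-99 99:99:99.9 end"]:   # sentinel flushes the last packet
        if TS_RE.match(line):
            if header is not None:
                packets.append(decode(header, bytes(raw)))
            header, raw = PKT_RE.match(line), bytearray()
            if header and 53 not in (int(header.group(3)), int(header.group(5))):
                header = None                      # UDP but not DNS: ignore its dump rows
        else:
            row = hex_row(line)
            if row is not None and header is not None:
                raw += row
    return packets

def match_queries(packets):
    """Split queries into (answered, unanswered), keyed on client, port, txid and server."""
    replies = {(p.dst, p.dport, p.txid, p.src) for p in packets if p.response}
    answered, unanswered = [], []
    for p in packets:
        if not p.response:
            key = (p.src, p.sport, p.txid, p.dst)
            (answered if key in replies else unanswered).append(p)
    return answered, unanswered

# Constructed sample: the first and third queries from the trace in this thread
# (PTR for 192.168.168.243, A for settings-win.data.microsoft.com) plus a
# hand-built reply to the A query on an assumed LAN interface 'port3'.
SAMPLE = """\
2022-04-27 08:14:11.137086 ssl.root in 192.168.190.1.57695 -> 192.168.168.243.53: udp 46
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004a ab34 0000 8011 a728 c0a8 be01 c0a8 .J.4.....(......
0x0020 a8f3 e15f 0035 0036 3abe 0001 0100 0001 ..._.5.6:.......
0x0030 0000 0000 0000 0332 3433 0331 3638 0331 .......243.168.1
0x0040 3638 0331 3932 0769 6e2d 6164 6472 0461 68.192.in-addr.a
0x0050 7270 6100 000c 0001 rpa.....
2022-04-27 08:15:21.105677 ssl.root in 192.168.190.1.61895 -> 192.168.168.245.53: udp 49
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004d ea3e 0000 8011 6819 c0a8 be01 c0a8 .M.>....h.......
0x0020 a8f5 f1c7 0035 0039 1a69 4fc2 0100 0001 .....5.9.iO.....
0x0030 0000 0000 0000 0c73 6574 7469 6e67 732d .......settings-
0x0040 7769 6e04 6461 7461 096d 6963 726f 736f win.data.microso
0x0050 6674 0363 6f6d 0000 0100 01 ft.com.....
2022-04-27 08:15:21.106903 port3 in 192.168.168.245.53 -> 192.168.190.1.61895: udp 65
0x0000 0000 0000 0000 0000 0000 0001 0800 4500 ..............E.
0x0010 005d 1234 0000 4011 0000 c0a8 a8f5 c0a8 .].4..@.........
0x0020 be01 0035 f1c7 0049 0000 4fc2 8180 0001 ...5...I..O.....
0x0030 0001 0000 0000 0c73 6574 7469 6e67 732d .......settings-
0x0040 7769 6e04 6461 7461 096d 6963 726f 736f win.data.microso
0x0050 6674 0363 6f6d 0000 0100 01c0 0c00 0100 ft.com..........
0x0060 0100 000e 1000 040d 6b2a 4e ........k*N
"""

if __name__ == "__main__":
    answered, unanswered = match_queries(parse_sniffer(SAMPLE))
    for p in unanswered:
        print(f"{p.time} no reply from {p.dst} for {p.qname} (type {p.qtype}, txid {p.txid:#06x})")
```

Run against the sample, the PTR query for 192.168.168.243 is reported as unanswered while the A query is matched to its reply. Queries are keyed per server on purpose: Windows retries the same transaction ID on the same source port against the second DNS server, so a reply from one server does not hide a silent second one. Fed the full output of the sniffer command from the accepted answer (saved from the PuTTY session), it tells you whether replies are missing altogether, which points at the policy or the return route, or whether they arrive on the LAN interface but never leave on ssl.root.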

seshuganesh
Staff
Staff

Hi Team,

 

From the output, I can see DNS is working fine:

ping subu-pi2-rv4
Pinging subu-pi2-rv4.domain.com [192.168.169.52] with 32 bytes of data:

You tried to ping subu-pi2-rv4, and it got resolved to 192.168.169.52.

May I know what the exact issue is that you are facing?

 

TBC

Hello seshuganesh,

thanks for your reply.

I have now deleted the DNS servers from the VPN settings and still have the active policy to our DNS servers as you described.

With that setup, DNS is working, and so is the idle timeout from my other post.

So for now, everything looks good.

 

Many thanks for helping!
