Hello @All
I have configured sslvpn on Fortigate OS 7.2.0.
On Win10 Client Login Works, Ping IP and FQDN to system are working too.
If I'm using nslookup I get DNS request Timeout.
If i using ping -a I can Ping but no name resolution.
My configuration:
Under Network DNS Server I have configured LAN and SSL-VPN tunnel interface.
DNS Database are configured our domain with both internal MS-AD-DNS Server.
Under VPN sslvpn setting there are also both MS-AD-DNS Server configured.
Is there anything wrong in my configuration?
Also, i have no nslookup on Fortigate CLI
Many thank's for helping
TBC
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Team,
As per your set up you do not need to configure DNS database since you already mentioned DNS servers explicitly under VPN >> SSL VPN settings.
Please make sure there is a firewall policy to allow the DNS traffic for these internal DNS servers from the SSL VPN client
Policy:
Incoming interface: ssl.root
Outgoing interface: Interface to which DNS servers are connected.
Source: SSL VPN with user
Destination: DNS servers
In case if its not working, please share us the output of below command:
Putty1: diag sniffer packet any 'host <sslvpnip> and port 53' 6 0 a
putty2:
diag debug reset
diag debug disable
diag debug flow filter addr <sslvpnclientip>
diag debug flow show function-name enanble
diag debug flow filter proto 1
diag debug flow trace start 1000
diag debug enable
Once you collect the debug, please disable the debug by executing this command "diag debug disable"
Please share us the output
Hi Team,
As per your set up you do not need to configure DNS database since you already mentioned DNS servers explicitly under VPN >> SSL VPN settings.
Please make sure there is a firewall policy to allow the DNS traffic for these internal DNS servers from the SSL VPN client
Policy:
Incoming interface: ssl.root
Outgoing interface: Interface to which DNS servers are connected.
Source: SSL VPN with user
Destination: DNS servers
In case if its not working, please share us the output of below command:
Putty1: diag sniffer packet any 'host <sslvpnip> and port 53' 6 0 a
putty2:
diag debug reset
diag debug disable
diag debug flow filter addr <sslvpnclientip>
diag debug flow show function-name enanble
diag debug flow filter proto 1
diag debug flow trace start 1000
diag debug enable
Once you collect the debug, please disable the debug by executing this command "diag debug disable"
Please share us the output
if you use split tunneling you may have to set the dns option to manual on cli once you entered dns server in vpn gui on the fgt. Without that - at least that happened here with ipsec dial up vpn connections - no dns will be pushed.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Many thanks to you both!
@sw2090 the dns server are showing in CLI, many thank's
@seshuganesh, I have set up the policy as you described. Unfortunately, still with the same result.
Enclosed are the required outputs:
Sniffer trace:
filters=[host 192.168.190.1 and port 53]
^[[A2022-04-27 08:14:11.137086 ssl.root in 192.168.190.1.57695 -> 192.168.168.243.53: udp 46
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004a ab34 0000 8011 a728 c0a8 be01 c0a8 .J.4.....(......
0x0020 a8f3 e15f 0035 0036 3abe 0001 0100 0001 ..._.5.6:.......
0x0030 0000 0000 0000 0332 3433 0331 3638 0331 .......243.168.1
0x0040 3638 0331 3932 0769 6e2d 6164 6472 0461 68.192.in-addr.a
0x0050 7270 6100 000c 0001 rpa.....
2022-04-27 08:14:13.144489 ssl.root in 192.168.190.1.57696 -> 192.168.168.243.53: udp 45
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 0049 ab35 0000 8011 a728 c0a8 be01 c0a8 .I.5.....(......
0x0020 a8f3 e160 0035 0035 7ead 0002 0100 0001 ...`.5.5~.......
0x0030 0000 0000 0000 0235 3203 3136 3803 3136 .......52.168.16
0x0040 3803 3139 3207 696e 2d61 6464 7204 6172 8.192.in-addr.ar
0x0050 7061 0000 0c00 01 pa.....
2022-04-27 08:15:21.105677 ssl.root in 192.168.190.1.61895 -> 192.168.168.245.53: udp 49
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004d ea3e 0000 8011 6819 c0a8 be01 c0a8 .M.>....h.......
0x0020 a8f5 f1c7 0035 0039 1a69 4fc2 0100 0001 .....5.9.iO.....
0x0030 0000 0000 0000 0c73 6574 7469 6e67 732d .......settings-
0x0040 7769 6e04 6461 7461 096d 6963 726f 736f win.data.microso
0x0050 6674 0363 6f6d 0000 0100 01 ft.com.....
2022-04-27 08:15:22.105924 ssl.root in 192.168.190.1.61895 -> 192.168.168.243.53: udp 49
0x0000 0000 0000 0001 0000 0000 0000 0800 4500 ..............E.
0x0010 004d ab36 0000 8011 a723 c0a8 be01 c0a8 .M.6.....#......
0x0020 a8f3 f1c7 0035 0039 1a6b 4fc2 0100 0001 .....5.9.kO.....
0x0030 0000 0000 0000 0c73 6574 7469 6e67 732d .......settings-
0x0040 7769 6e04 6461 7461 096d 6963 726f 736f win.data.microso
0x0050 6674 0363 6f6d 0000 0100 01 ft.com.....
Debug output:
# id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645418, ack 3333014032, win 1024"
id=65308 trace_id=1 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645524, win 91"
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645524, ack 3333014032, win 1024"
id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=4 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645584, win 91"
id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=5 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645584, ack 3333014032, win 1024"
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=6 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645689, win 91"
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645689, ack 3333014032, win 1024"
id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645804, win 91"
id=65308 trace_id=8 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 80.153.x.x:64058->10.250.252.1:19009) tun_id=0.0.0.0 from port2. flag [.], seq 3919645804, ack 3333014032, win 1024"
id=65308 trace_id=9 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, original direction"
id=65308 trace_id=10 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.250.252.1:19009->80.153.x.x:64058) tun_id=0.0.0.0 from local. flag [.], seq 3333014032, ack 3919645919, win 91"
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-0017755a, reply direction"
Ping and nslookup from client
ping subu-pi2-rv4
Ping wird ausgeführt für subu-pi2-rv4.domain.com [192.168.169.52] mit 32 Bytes Daten:
C:\Windows\system32>nslookup 192.168.168.52
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.168.243
Many thanks for helping
Hi Team,
From the output, i could see DNS is working fine:
ping subu-pi2-rv4
Ping wird ausgeführt für subu-pi2-rv4.domain.com [192.168.169.52] mit 32 Bytes Daten:
You tried to ping to subu-pi2-rv4, it got resolved to 192.168.169.52
May i know what is the exact issue you are facing?
Hello seshuganesh,
thanks for your reply.
I have now deleted the DNS from the VPN Settings and have still active policy to our DNS server like you describe.
With that Set up, the DNS ware working and the also my idle timeout from my other post.
So for now, everything looks good.
Many thanks for helping!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.