Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: DNS problem with SSL VPN in tunnel mode
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DNS problem with SSL VPN in tunnel mode
Since we have SSL VPN (in tunnel mode) set up in our FGT80C (version 4.1.4) on June 2010 by our vendor, we' ve been noticing a strange DNS problem. No, it' s not about the DNS suffix problem, but a real DNS problem.
We noticed that sometimes host names are not resolved at all, eg
ping 1.2.3.4 has replies while
ping name.mydomain.com has no reply
and this is the case whatever name is used.
I was pretty sure DNS request didn' t get to our internal DNS server but it is totally reachable because
ping dns_ip_address has replies
But I don' t know how to " follow" DNS requests to see where they are actually sent to, so I can' t confirm on this point.
What' s annoying with this problem is that it' s not reproducible. At least, I' m unable to find the pattern how to reproduce it at ease. But I have a little trail (or maybe just some unfortunate co-incidence?):
when I reboot the FGT and I immediately connect to VPN, 4 out of 5 times I come across this problem. But if I use another computer to connect another VPN (the first VPN tunnel is still maintained), the 2nd computer has no DNS problem.
So all I can do to my end-users is to tell them to reconnect VPN again and again until that works... :(
Has anyone come across this problem? Known bug? Or bad config?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, this is not normal. Have a look at what the DNS resolver does (assuming that your FG is the one and only recursive DNS in your network):
on the command line, type diag deb ena diag deb cons time ena diag deb app dns -1 stop with: diag deb dis diag deb app dns 0
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, our FGT doesn' t have the role of DNS server. We have internal, independent AD-integrated DNS servers (based on Windows Server 2008 but this should not change anything).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still, you can use the debug commands to follow the dnsproxy on the FG while it' s resolving its own DNS requests, e.g. from " exe ping www.whatever.com" on the CLI. For each (new, uncached) DNS request there should be one request going to the internal DNS on your LAN.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me see if I understand it.
The group of commands " diag deb ena ..." is to be entered in the CLI of FGT.
And the " exe ping www.whatever.com" is to be entered in the (VPN client) computer, right?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Horinius
Just requesting some more background infos:
Are Windows 7 and Vista clients affected, while XP works?
Is Split Tunneling enabled?
Is the problem gone when you disable/turn off the DNS Client service?
Does the name resolve with " nslookup" while " ping" to the same name fails?
regards
Maik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> Are Windows 7 and Vista clients affected, while XP works?
I did the test at home and I only had XP Pro SP3 at that time. So, the partial answer is " problem occurs with XP"
I had two computers at home and both had this problem.
> Is Split Tunneling enabled?
Yes. But if I remembered it correctly, we also had this problem without tunnel split. But it' s hard to confirm as the FGT is now being used 24/7: shutting it down for test is a big problem to my company.
> Is the problem gone when you disable/turn off the DNS Client service?
I don' t know. I' ve never gone in that direction. Are you thinking about WINS? In case you' re asking: No, I don' t put WINS server in VPN config. Because as I understand it, order of name resolution is (DNS cache, hosts file, DNS, WINS) (cf http://support.microsoft.com/kb/172218).
Since I always flush DNS cache before every test, and hosts files contain no host name other than localhost, that means the problem encountered can only be due to DNS.
> Does the name resolve with " nslookup" while " ping" to the same name fails?
No, nslookup didn' t work either.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, these debug commands are entered in the CLI, either from the Console App or from an ssh terminal client (prefered). You can have multiple ssh logins active at one time, so you can check the debug output in one window and enter the ping command in the other.
The whole point of trying to ping is that you do it from the CLI of the FG itself - not from a client. This way, you test the name resolution of the FG which is used for e.g. SSL VPN.
Your SSL policy supports DNS, of course, among other services, right?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> Your SSL policy supports DNS, of course, among other services, right?
I suppose you mean the policy from ssl.root as source interface to internal target interface, right? I do have this policy and its " service" is set to ANY while " action" is set to ACCEPT. But that should not be the cause because the problem is not always present. It is there sometimes.
OK, I' ll try the debug command next time when I reboot the firewall.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have same problem, My fortigate is 310B with firmware 4.0 MR3, Client OS: XP/Win7.
If the Split Tunneling is enabled, the client often can not resolved intranet dns, user have to logout and login many times and check if the dns is resotred to normal. i found the client has two dns server when the ssl vpn is connected, one is for internet, another is for intranet (ssl-vpn), and client use the internet dns server somtimes, and use the intranet dns server somtimes, i can get the correct ip if use the command " nslookup intranethostname" ; but can not get the correct ip if use the command " ping intranethostname" sometimes, it return " Ping request could not find host intranethostname.com. Please check the name and try again" .
If disable the Split Tunneling, because the client can not connect to internet dns server, it has to use the intranet dns server, and all dns can be resolved successfully.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,694 -
FortiClient
1,762 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.