yeowkm99
Contributor

DNS server not updating

In our office network, we make use of Fortinet FSSO to control Internet access per individual user.

After we log in, our AD username and IP address will be logged by our firewall before we are able to access the Internet.

We noticed that sometimes, when users go to a different office, their IP address will change.

E.g. from office 1, PC01, 172.20.0.84 changes to office 2, PC01, 172.30.0.74. If the AD DNS record does not update the hostname to the new office address (PC01, 172.30.0.74), the user will have issues accessing the Internet, as the firewall log will only show 172.30.0.74 instead of username(172.30.0.74).

The quick and fast way for us to solve this is to do an ipconfig /renew or restart the PC, so that the user will get the new IP address.

Is there any way to resolve this issue?

Patterson
Staff

Hi yeowkm99,


Can you please check on the FSSO Collector Agent under Advanced Settings -> Windows security event logs. By default it will be 0; can you try changing it to 2 as per the KB below.

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...


Regards,

Patterson

yeowkm99

Currently set as 0. Have changed it to 2.

I saw event IDs 4624 and 4634 in the event logs.

How does changing this value affect the user logon?

Patterson
Staff

Hi,

Changing the polling ID will help the agent collect more security event IDs. The agent requires the workstation name on a security event to update the change in IP. Ideally, Kerberos as the authentication will not have the workstation name, so the agent uses a combination of event IDs like 4768 and 4769 to collect the workstation name.

Regards,
Patterson
yeowkm99

After changing the value to 2, I still have users with the same issues.

The DNS record is not updating when they switch to a different location.

I need to remove the older record in the DNS Manager on my AD server. Only after I remove the old DNS record can they access the Internet.

yeowkm99

I have more than one FSSO collector agent server.

Have since changed the values on all the servers.

Debbie_FTNT

Hey yeowkm99,

What IP verification do you have set up in Collector Agent? You could lower the time; this causes Collector Agent to double-check workstation IPs more quickly (and it should thus detect IP changes more quickly).

However, the main issue is likely something like this:
- Collector Agent checks one DNS server (based on the host's system settings)
- a host that changes its IP reports the IP change to a different DNS
- it takes a few minutes for the change to be replicated through your AD environment

A workaround could be for users to sign out and sign into their workstations again; this would generate a login event that Collector Agent should pick up on pretty quickly. As long as the login event is generated with IP, Collector Agent will see that. If the login event is generated with workstation name again, however, the issue with DNS lookup still remains.

The only real fix is something like Mobility Agent (which is a tool that reports IPs automatically to FortiAuthenticator, used in VPN scenarios), or make sure DNS changes in your AD are replicated more quickly so Collector Agent can pick up on the changed IP more quickly.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
yeowkm99

Where do I lower the times? Is it at the collector agent?

Debbie_FTNT

You should have an IP address change verify interval in Collector Agent (near the bottom).

You can lower this so Collector Agent checks the DNS server more frequently, but it won't change anything if the entries on the DNS server are not updated.

yeowkm99

How do I make sure that the DNS changes are replicated more quickly?
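An added example, not part of this thread and not Fortinet code: a small Python model of the failure mode Patterson and Debbie_FTNT describe, using constructed logon events and a constructed DNS snapshot (the event fields, user names and the reuse of the thread's PC01 addresses are assumptions for illustration). It shows how a name-only logon event is mapped through a stale A record, and how correlating a later IP-bearing Kerberos event for the same user exposes which A records are stale before anyone has to delete them by hand.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

class LogonEvent(NamedTuple):
    event_id: int     # 4624 logon; 4768/4769 Kerberos ticket events
    user: str
    workstation: str  # "" when the event carries no workstation name
    source_ip: str    # "" when the event carries only a workstation name

# Constructed DNS snapshot: PC01's A record still points at office 1.
DNS_A_RECORDS: Dict[str, str] = {"PC01": "172.20.0.84", "PC02": "172.30.0.10"}

# Constructed events: PC01 has moved to office 2 and now uses 172.30.0.74.
EVENTS: List[LogonEvent] = [
    LogonEvent(4624, "alice", "PC01", ""),         # name only -> DNS lookup
    LogonEvent(4768, "alice", "", "172.30.0.74"),  # Kerberos TGT carries the IP
    LogonEvent(4624, "bob", "PC02", "172.30.0.10"),
]

def resolve_user_ip(ev: LogonEvent, dns: Dict[str, str]) -> Optional[str]:
    """IP on the event wins; otherwise resolve the workstation name via DNS,
    which is exactly where a stale A record yields the wrong mapping."""
    return ev.source_ip or dns.get(ev.workstation)

def build_user_map(events: List[LogonEvent], dns: Dict[str, str]) -> Dict[str, str]:
    """Later events win: an IP-bearing event corrects a stale DNS-derived
    mapping only if it arrives after the name-only logon."""
    mapping: Dict[str, str] = {}
    for ev in events:
        ip = resolve_user_ip(ev, dns)
        if ip:
            mapping[ev.user] = ip
    return mapping

def find_stale_records(events: List[LogonEvent], dns: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Correlate by user: name-only events say which workstation the user is on,
    IP-bearing events say where it really is. Returns {host: (dns_ip, seen_ip)}."""
    user_host, user_ip = {}, {}
    for ev in events:
        if ev.workstation:
            user_host[ev.user] = ev.workstation
        if ev.source_ip:
            user_ip[ev.user] = ev.source_ip
    stale: Dict[str, Tuple[str, str]] = {}
    for user, host in user_host.items():
        recorded, observed = dns.get(host), user_ip.get(user)
        if recorded and observed and recorded != observed:
            stale[host] = (recorded, observed)
    return stale
```

Feeding real 4624/4768/4769 exports into find_stale_records gives a list of hosts whose A records lag behind, which is a useful check on DNS replication and scavenging settings before lowering the Collector Agent verify interval.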
