I have a strange problem when I connect to a company VPN with forticlient application. First, I did not know what was wrong. After spending some time, I figured out that DNS is not working as it should have. Unfortunately, I have no idea, who's fault is that. It may be FortiClient VPN, systemd-resolved, or something else. I am using Ubuntu 22.04, which is not an official version yet, but I have doubts it will get any better until official release in a week or two.
This is output from resolvectl before VPN is established:
username@hostname:~$ resolvectl Global Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported resolv.conf mode: stub Link 2 (enp2s0) Current Scopes: none Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Link 3 (wlp1s0) Current Scopes: DNS Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Current DNS Server: 192.168.1.1 DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13 DNS Domain: --
After VPN is established resolvectl reports additional link called vpn:
username@hostname:~$ resolvectl Global Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported resolv.conf mode: stub Link 2 (enp2s0) Current Scopes: none Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Link 3 (wlp1s0) Current Scopes: DNS Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Current DNS Server: 172.20.1.21 DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13 DNS Domain: company.com Link 5 (vpn) Current Scopes: none Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
As you can see additional DNS servers are added to Link 3, which should help me resolve internal names when connected to VPN. Strange thing is that when I write
username@hostname:~$ resolvectl query name.company.com name.company.com: resolve call failed: 'name.company.com' not found
I do not get anything. If I try with nslookup like this
username@hostname:~$ nslookup > server 172.20.1.16 Default server: 172.20.1.16 Address: 171.20.1.16#53 > name.company.com Server: 172.20.1.16 Address: 172.20.1.16#53 Name: name.company.com Address: 172.20.38.251
I get the correct answer. Since this was strange I traced network traffic to see what does nslookup differently than resolvectl query.
It turned out that nslookup uses a VPN assigned address for the source IP when asking DNS for a name. On the other hand, resolvectl query uses all other addresses for source IP except the one assigned by VPN. Because of that I guess DNS server does not have the route to send back an answer correctly to my computer, or DNS queries may even not reach the newly added DNS servers.
Because of that none of the programs I need can resolve the names correctly. The result is that I cannot connect anywhere within a VPN with a domain name.
Does anybody have an idea how to make resolvectl realize there is newly assigned VPN address, and it should use it as the source IP. Should FortiClient do some additional configutation on establishing a connection? Probably not.
I tried to restart systemd-resolved after VPN is established, but it does not help. Should I restart some other service? Which one?
I have checked how DNS is setup in network settings, and they are correct. Without VPN the network interface wlp1s0 shows:
username@hostname:~$ nmcli device show wlp1s0 | grep DNS IP4.DNS[1]: 192.168.1.1 IP6.DNS[1]: 2a00:ee0:d::13 IP6.DNS[2]: 2a00:ee0:e::13
After VPN is connected:
username@hostname:~$ nmcli device show wlp1s0 | grep DNS IP4.DNS[1]: 172.20.1.16 IP4.DNS[2]: 172.20.1.21 username@hostname:~$ nmcli device show vpn | grep DNS IP4.DNS[1]: 172.20.1.16 IP4.DNS[2]: 172.20.1.21
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
any news with this issue?
can u please enable the link to 7.0.3 again (unless you have another version ) and i will check it on my ubunto?
Thanks
There is a official repository with all current versions:
https://repo.fortinet.com/repo/7.0/ubuntu/pool/multiverse/forticlient/
https://repo.fortinet.com/repo/7.0/centos/8/os/x86_64/Packages/
Unfortunately, the 7.0.3 version does not fix it for me.
I have further observed the behaviour and found out an interesting detail. Most of the time DNS is not working correctly. However, on rare occasions, it resolves. On that occasions there is a line in /var/log/syslog:
Apr 21 07:59:45 hostname systemd-resolved[5415]: Using degraded feature set TCP instead of UDP for DNS server 172.20.1.21.
Wireshark shows in that case the correct source IP address. In all other DNS lookups UDP is used, and the source address is my local IP address and not VPN assigned IP. With TCP the VPN source address is used and then it works.
I still have no idea where the error should be fixed (systemd-resolved, fortinet client,...???).
Just as additional information: I use strongswan for ipsec to fortigate here. It still worked in 22.04 but still failed to push dns settings to me. I found out that was due to an old bug that was reported in debian buglist in 2018 already. It is not directly a bug in strongswan, it is more a "bug" in the apparmor profiles in ubuntu. Those are too restrictive and prevent strongswan from writing anything into /etc/resolv.conf and in consequence hostnames that can only be reolved over the ipsec cannot be resolved at all.
fixing the permissions by adding the missing line to the apparmor profile made it working with strongswan here.
Maybe the apparmor profile for forticlient has a similar issue?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hello, we are facing the same issue here with forticlient 7.0.0.0018 installed on Ubuntu 20.04.
DNS are not injected at all in the local resolver, we also tried to disable completely apparmor but without any successful result.
Is it possible to have an ETA for the public release of the fixed version?
Thanks in advance.
Regards
Luca
The same issue is present on Fedora 36 with systemd-resolved-250.7-1 and Forticlient 6.4.8
I feel very frustrated to see how Ubuntu users are completely ignored on that situation. I spend days and days searching for a solution by all means... NO SOLUTION. I have indeed seen how in several threads it is said that the next version solves the problem. But it is repeatedly false. This is very embarrassing.
We are adopting openfortivpn for Ubuntu desktops and I can say that it works without any issue, even with MFA authentication. It is perfectly integrated with systemd-resolve, so DNS is working as expected.
I also find it embarrassing that Fortinet is unable to release a working client for linux desktop.
HTH
Regards
Luca
Thank you for sharing with me this option. I have been trying to use it several times, but my institution use SAML SSO and I have deduces that it is impossible. Do you have an idea if openfortivpn can be used in this case? What about the certificates? I tried to use openssl against my fortinet gate server.
I have the same issue on Ubuntu 22.04. I also find it embarrassing that Fortinet is unable to release a working client for linux desktop. I feel frustrated.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.