Proto1977
New Contributor II

FG90G 7.0.16 issue on DNS Suffix on IPSEC vpn remote access

Hi people,

I just updated a firewall from 7.0.15 to 16 and lost the standard SSL-VPN on FortiClient.

 

So we migrated the VPN remote access config to IPsec, restoring user groups, policies, etc.

 

The only issue I still have is getting FortiClient (now connected by IPsec) to use the DNS suffix I'm passing to the clients.

 

I did all the standard config steps I've seen on other posts:

        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 <dns-server-ip>
        set unity-support enable
        set domain <domain>
 

but the client is still ignoring it.

 

In the ipconfig /all output of the VPN client I can see it gets the parameters (internal DNS, domain suffix, routes), but if I try to resolve a domain host without the suffix it simply fails. I can still ping it and resolve it with the full domain name.

 

Rules have been checked and I can reach the internal DNS servers.

 

Of course the same feature was working fine before the upgrade on the normal SSL VPN.

 

Do you know if I missed something, or if this kind of deployment (IPsec remote access on FortiClient 7.2.4) doesn't have this feature?

 

Thank you so much

 
1 Solution
Proto1977
New Contributor II

Hello,

I saw that under the network adapter I had a static configuration of another DNS suffix.

IPCONFIG /ALL showed me the correct DNS suffix, but in the end it was not applied because of the network adapter configuration.

I had to set this config under the advanced settings of IPv4 to make it work; look at the picture below (sorry if the window language is in Italian, I hope it helps anyway).

 

Senza titolo.jpg
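
An added example, not part of the original posts: a PowerShell check, run on the Windows VPN client, for the condition described in the solution above, where a statically configured DNS suffix list takes precedence over the suffix the tunnel adapter receives. It uses the built-in DnsClient cmdlets; the short host name `fileserver` is a placeholder assumption.

```powershell
# Added example: compare the global DNS suffix search list with the
# connection-specific suffix each adapter received (e.g. via IPsec mode-cfg).
# 'fileserver' is a placeholder; replace it with an internal host name.
$ShortName = 'fileserver'

# A non-empty list corresponds to "Append these DNS suffixes (in order)" in
# the adapter's Advanced TCP/IP settings. When it is set, Windows appends only
# these suffixes to single-label names and skips connection-specific ones.
$searchList = @((Get-DnsClientGlobalSetting).SuffixSearchList | Where-Object { $_ })

# One row per adapter that actually has a connection-specific suffix.
$report = foreach ($nic in Get-DnsClient | Where-Object ConnectionSpecificSuffix) {
    [pscustomobject]@{
        Interface    = $nic.InterfaceAlias
        Suffix       = $nic.ConnectionSpecificSuffix
        InSearchList = $searchList -contains $nic.ConnectionSpecificSuffix
    }
}

$listText = if ($searchList) { $searchList -join ', ' } else { '(empty)' }
"Global suffix search list: $listText"
$report | Format-Table -AutoSize

# Flag adapters whose pushed suffix can never be tried for short names.
if ($searchList) {
    $report | Where-Object { -not $_.InSearchList } | ForEach-Object {
        Write-Warning ("Suffix '{0}' on '{1}' is not in the static search list, " +
            "so short names will not be expanded with it." -f $_.Suffix, $_.Interface)
    }
}

# Resolve the short name, then the name with each adapter suffix appended.
$names = @($ShortName) + @($report | ForEach-Object { "$ShortName.$($_.Suffix)" })
foreach ($name in $names) {
    $answer = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    $result = if ($answer) { ($answer.IPAddress | Where-Object { $_ }) -join ', ' } else { 'no answer' }
    '{0,-40} {1}' -f $name, $result
}
```

If the short name fails while the fully qualified names resolve and a warning is printed, the client matches the symptom in this thread.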

 

 

 


3 REPLIES 3
ap
Staff

Hi,

 

Please check if you are able to resolve the same domain host without the suffix from the FortiGate CLI itself. It should work from the FortiGate CLI itself before it works from the IPsec dial-up VPN.

If it doesn't work, please check your DNS configuration on the FortiGate. You can specify local domain names under the DNS settings as per the article below:

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/752486/dns-domain-list

 

Cheers,

Ankit

If you have found a solution, please like and accept it to make it easily accessible to others.

 

 

Proto1977
New Contributor II

Yes, from the CLI it can resolve it correctly without the suffix.
