bdubi71
New Contributor

FortiClient VPN Issue since yesterday - losing internet while connected to VPN

Since yesterday, we have been observing an alarming issue with FortiClient VPN.

When connected to FortiClient VPN, users do not have access to the Internet (access to company internal resources works fine).

If a user disconnects from the VPN, Internet access is back immediately.

Affected users, when connected to the VPN, can ping 8.8.8.8, but name resolution does not work, so they can't access google.com.

We tried to modify the DNS settings on the affected devices, but even when using 8.8.8.8 as the DNS server, users still cannot resolve FQDNs correctly!

So far, we have observed this problem on one MacBook (issue noticed today) and all Android devices (issue noticed yesterday).

Just wondering if anyone else has observed this problem recently?

We have created a ticket with Fortinet support but are still waiting for a reply...

FortiOS v7.0.15 build0632

Different FortiClient VPN versions (Android - 7.4.1.0176, MacBook - 7.2.4.0850)

No recent changes on our side - Christmas is coming, so we do not make any changes.....

Thanks!

AEK
SuperUser

Once you connect to the VPN, you need to check on the client hosts whether the routing table (netstat -rn) and DNS are as expected.

In your case you need split tunnel and split DNS (or no DNS injected by the VPN). In other words, there should be no default route injected by the VPN in your routing table, and DNS queries should not be sent through the tunnel (except for your corp domain).

I guess your issue is caused by a full tunnel, and your remote FG is probably denying DNS queries to 8.8.8.8 while it allows ping to 8.8.8.8.

AEK
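The two client-side checks suggested in the reply above (routing table and DNS scope after connecting), as an added example that is not from the thread, written for macOS against constructed netstat -rn and scutil --dns output; utun4, corp.example.com and every address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Two macOS client-side checks for the
# routing table (netstat -rn) and DNS scope (scutil --dns) after connecting.
# Sample outputs are constructed; utun4, corp.example.com, addresses are placeholders.

# Usage: netstat -rn | tunnel_mode
# Prints "full" when a default route points into a tunnel interface (utun*/ppp*),
# i.e. the VPN took over all Internet traffic; "split" otherwise.
tunnel_mode() {
  awk '$1 == "default" && $NF ~ /^(utun|ppp)/ { found = 1 }
       END { print (found ? "full" : "split") }'
}

# Usage: scutil --dns | default_resolver_uses <vpn_dns_ip>
# Prints "yes" when resolver #1 (the unscoped resolver used for every name with
# no more specific domain match) lists <vpn_dns_ip>: the VPN-pushed DNS server
# then answers public names too, not only the corp domain. "no" if only scoped.
default_resolver_uses() {
  awk -v ns="$1" '
    /^resolver #/ { n = substr($2, 2) + 0 }
    n == 1 && $1 ~ /^nameserver/ && $3 == ns { hit = 1 }
    END { print (hit ? "yes" : "no") }'
}

# Constructed netstat -rn excerpts: split tunnel (default route stays on en0)
# versus full tunnel (default route injected over utun4).
ROUTES_SPLIT='Destination        Gateway            Flags        Netif
default            192.168.0.1        UGScg          en0
10.10.0.0/16       10.212.134.1       UGSc         utun4
192.168.0.0/24     link#14            UCS            en0'
ROUTES_FULL='Destination        Gateway            Flags        Netif
default            10.212.134.1       UGScg        utun4
192.168.0.0/24     link#14            UCS            en0'

# Constructed scutil --dns excerpts: corp server scoped to its own domain
# (split DNS working) versus injected as the resolver for everything.
DNS_SPLIT='resolver #1
  nameserver[0] : 192.168.0.1
  if_index : 14 (en0)

resolver #2
  domain   : corp.example.com
  nameserver[0] : 10.10.0.53
  if_index : 20 (utun4)'
DNS_GLOBAL='resolver #1
  nameserver[0] : 10.10.0.53
  if_index : 20 (utun4)'

printf 'routes: %s / %s\n' "$(printf '%s\n' "$ROUTES_SPLIT" | tunnel_mode)" "$(printf '%s\n' "$ROUTES_FULL" | tunnel_mode)"
printf 'corp DNS global? %s / %s\n' "$(printf '%s\n' "$DNS_SPLIT" | default_resolver_uses 10.10.0.53)" "$(printf '%s\n' "$DNS_GLOBAL" | default_resolver_uses 10.10.0.53)"
```

On an affected Mac, "full" from the first check or "yes" from the second (with the DNS server FortiClient pushed) points at the tunnel or DNS injection rather than at the client's own DNS settings.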
Durga_Ashwath

The issue you're describing is likely due to a combination of DNS configuration and split-tunneling behavior. Here's how to troubleshoot and resolve the problem:

1. Check how Internet access is restricted when connected to the VPN:
Users can ping public IPs (e.g., 8.8.8.8), so basic routing is working.
DNS resolution is not functioning for external FQDNs.
The problem affects specific platforms (MacBook, Android).

Possible causes:
Incorrect DNS settings in the VPN configuration.
Split tunneling not configured properly.
DNS traffic from the affected devices may not be routed correctly through the VPN.

2. Verify the FortiGate DNS configuration
Ensure your FortiGate DNS settings are properly configured:

config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

3. Check the mode-config settings
Ensure the VPN server is pushing the correct DNS servers to clients:

config vpn ipsec phase1-interface
    edit "<your_phase1_name>"
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set ipv4-dns-server2 8.8.4.4
    next
end

4. Enable split tunneling (optional)
If you want to allow users to access the Internet directly while connected to the VPN, configure split tunneling.

Define the networks that should route through the VPN (e.g., your internal subnets) as an address object:

config firewall address
    edit "<your_internal_subnet_object>"
        set subnet 192.168.1.0 255.255.255.0
    next
end

Enable split tunneling on the SSL VPN portal and reference that object:

config vpn ssl web portal
    edit "<your_portal_name>"
        set split-tunneling enable
        set split-tunneling-routing-address "<your_internal_subnet_object>"
    next
end

5. Check the FortiClient configuration
Ensure FortiClient is correctly configured to handle DNS:

In FortiClient, verify that "Use this connection only for resources on its network" (split tunneling) is enabled.
Ensure the DNS settings in FortiClient align with the settings pushed from the FortiGate.

6. Test DNS resolution on the client:

nslookup google.com

Android:

Check if the Android device is using Private DNS (Android 9 and above). If "Private DNS" is enabled with a custom DNS provider, disable it or adjust it to work with your VPN configuration.
Test DNS resolution using a network diagnostic app.

7. Verify DNS traffic on the FortiGate:

diagnose sniffer packet any "port 53" 4

8. Potential external issues
If these steps don't resolve the problem, consider these possibilities:

A recent update to FortiClient or the affected operating systems introduced compatibility issues.
A recent FortiGate firmware update might require reviewing the release notes for known issues.

dingjerry_FTNT

Hi @bdubi71,

If your VPN is SSL VPN, it sounds like split tunneling is not enabled.

If you can share your VPN configuration, we can take a look at it for you.

Regards,

Jerry
Theo4
New Contributor II

Likely a split tunneling issue based on your description.

If you want users to use their own Internet connection, make sure split tunneling is enabled in your VPN config and add the required routing addresses.

If you want to route Internet traffic through the tunnel, disable split tunneling and make sure there is a firewall policy from the tunnel interface to the Internet interface.

bdubi71
New Contributor

Thank you all for your answers so far!

We use SSLVPN with split tunneling enabled.

Some screenshots with the config attached.

We have our AD domains configured for "Split DNS" with primary and secondary DNS servers.

At the moment, all iPhones and Windows laptops seem to be *not* affected by this problem.

We have been running on the same SSLVPN config for the last few years and SSLVPN worked fine for all devices (Android, iPhones, MacBook and Windows laptops), so we are really not sure why it stopped working for Android and MacBooks last week.

I have tested this issue with both versions of FortiClient (EMS version and free version) and I get the same results...

I will perform the tests you have advised (especially the great and long list from @Durga_Ashwath) and I will let you know the results.

Thanks for your help, I appreciate it.
