Not applicable

FortiGate 60B - DNS doesn't work for connected clients for about 20 minutes - then it works??!

So we have a FortiGate 60B unit that we use solely for VPN access for our employees. The unit sits on our LAN at address 192.168.2.69. Clients connect fine, and get an address something like 192.168.1.110 - ...220. We've configured the FortiGate with the address of our DNS server, which is 192.168.2.7, and for secondary DNS we put a public one, OpenDNS or something probably.

The issue is that a client connects, can access anything by IP address, but DNS doesn't work at all. Public internet is fine. nslookup works fine too, and uses 192.168.2.7 as it should. Now the weird thing is, after much testing, I've realised that if I wait about 20 minutes, and don't touch anything, all of a sudden DNS starts working and I can ping anything on the network. Really confused and looking for ideas. Thanks
emnoc
Esteemed Contributor III

How are you testing with nslookup? And have you set the DNS server with nslookup from the client and from a local machine using debug? i.e. (nslookup from Windows or Linux):

    nslookup
    server x.x.x.x
    set d2
    "type a name of a site"

Your problem might be DNS-server related and have nothing to do with the clients, btw. Try using 8.8.8.8 and 8.8.4.4 and see what happens.

PCNSE NSE StrongSwan
Not applicable

I'm just testing nslookup like this...

    C:\> PING SCSTORAGE1
    Ping request could not find host scstorage1.

    C:\> NSLOOKUP SCSTORAGE1
    Server:  dell_server.purplemonkey.local
    Address:  192.168.2.7
    Name:    scstorage1.PurpleMonkey.local
    Address:  192.168.2.17

    C:\> PING SCSTORAGE1
    Ping request could not find host scstorage1.

8.8.4.4 and 8.8.8.8 both ping fine - there is no issue resolving public addresses, it's the addresses on our internal company network that aren't resolving.
Not applicable

2 more things I've noticed...

1. Over time, after connecting, it seems that names slowly become resolvable, i.e. after 10 minutes, suddenly it can ping dell_server, then 5 minutes later dell_server2 works, then other names start to work, and after about 90 minutes I can ping everything. Is it possible that these machines are broadcasting their addresses, and the client just listens and keeps note of the addresses??

2. I ran Microsoft Network Monitor and looked for name resolution activity. Whenever I try to ping from the VPN client, it doesn't use DNS at all, it tries to resolve the name using NetBIOS only, and fails. This seems like an important thing. Is there any way I can force it to ping using DNS instead of NetBIOS? Even just for testing purposes?
emnoc
Esteemed Contributor III

When you ping the short name and have problems, how about the FQDN, or in this case your dot-local full name "host".purplemonkey.local? And what does your ipconfig /all show as your valid DNS-server entries? Since you mention this:

We've configured the FortiGate with the address of our DNS server which is 192.168.2.7 and for secondary DNS, we put a public one, OpenDNS or something probably.

Maybe you're hitting the public DNS server, and it surely is not going to find "host".purplemonkey.local. Other things to think about: if the local resolution is the problem (purplemonkey), what happens when you ping an external resource, www.microsoft.com or www.hp.com etc.? Does it resolve?

Not applicable

Short name vs FQDN doesn't seem to make any difference. They either both don't work, or they both work. And to answer your question about ipconfig /all details, this is where it gets strange. I connect to VPN, and check IPCONFIG /ALL: it shows the 2 DNS servers as specified in our FortiGate config, so it sounds like it is definitely getting the information. So I ping, and it fails. Then if I go into network connections, wireless adapter settings, TCP/IP v4, properties, and then manually enter the DNS servers *exactly* the same as is already showing in IPCONFIG /ALL, save that, and ping again, ping works. I'm so confused!! FortiNet wants to charge me $470 for another year of tech support and I feel like I'm so close to working this out... And regarding public internet resolution, no problems there at all. As I said, when I used the network monitor to see what was happening, the workstation seems to be hitting the right address for name resolution but it's not using DNS, it's using NetBIOS and some other things.
Not applicable

Update: if I edit my FortiClient connection settings, and check the box for Acquire Virtual IP Address, then edit the settings for that, and manually enter IP address, DNS, mask etc., then everything seems to work fine. So it seems like unless I set these manually, clients are not receiving DNS server information when connecting. ??
emnoc
Esteemed Contributor III

As I said, when I used the network monitor to see what was happening, the workstation seems to be hitting the right address for name resolution but it's not using DNS, it's using NetBIOS and some other things.

Have you considered disabling NetBIOS for troubleshooting purposes? TCP/IPv4 > Properties > Advanced > NetBIOS/TCP, or whatever it is for the Windows adapter setting. If the problem is with local lookups, then I would start in that area and ensure that the client is not using NetBIOS name resolution. But to me, it sounds like a local DNS-server issue.

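An added diagnostic (example code, not from anyone in this thread) that puts the checks emnoc and the original poster describe into one PowerShell script: the per-interface DNS servers that ipconfig /all shows, the NetBIOS setting per adapter, and the difference between an nslookup-style direct query to 192.168.2.7 and what the Windows system resolver (which ping uses) actually returns. The host name, suffix and server address are taken from the thread and are parameters you would adjust.

```powershell
# Added diagnostic, not from the thread. Run on the VPN client after connecting.
# Name, suffix and DNS server come from the thread; change them for your network.
param(
    [string]$Name      = 'scstorage1',
    [string]$Suffix    = 'purplemonkey.local',
    [string]$DnsServer = '192.168.2.7'
)

# 1. DNS servers the resolver has per interface (same data as ipconfig /all).
#    The VPN adapter should list the internal server first.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Suffix search list: without the domain suffix, a short name like
#    'scstorage1' is never qualified to 'scstorage1.purplemonkey.local'.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
"Suffix search list: $($suffixes -join ', ')"

# 3. NetBIOS over TCP/IP per adapter: 0 = from DHCP, 1 = enabled, 2 = disabled.
#    This is the setting emnoc suggests changing for troubleshooting.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Format-Table Description, TcpipNetbiosOptions, DNSServerSearchOrder -AutoSize

# 4. nslookup-style check: ask the internal server directly, bypassing the
#    system resolver. This is what worked for the original poster.
$direct = Resolve-DnsName -Name "$Name.$Suffix" -Server $DnsServer -Type A `
    -ErrorAction SilentlyContinue
$answer = if ($direct) { ($direct | Where-Object IPAddress).IPAddress -join ', ' } else { 'no answer' }
"Direct query to ${DnsServer}: $answer"

# 5. ping-style check: the system resolver, which applies interface DNS
#    servers, suffix list and NetBIOS fallback. This is what failed for the OP.
try {
    $sys = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object IPAddressToString
    "System resolver for ${Name}: $($sys -join ', ')"
} catch {
    "System resolver for ${Name}: FAILED ($($_.Exception.Message))"
}
```

If step 4 answers but step 5 fails, the system resolver is not using the server the VPN adapter advertises, which matches the symptom in this thread; if both fail, the problem is on the DNS server side.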
Not applicable

Seeing as the problem can be 'fixed' by changing TCP/IP settings on the client, then I don't see how you can assume the DNS server has a problem? So I disabled NetBIOS and that does seem to make things better. But I don't want to have to do that on every computer in our company. I don't understand why the FortiGate isn't setting the clients' DNS servers when they connect? Maybe we've missed something in our FortiGate config.
Maik
New Contributor II

I'm requesting some background info: are we talking about SSL VPN or IPsec VPN? Are Windows 7 and Vista clients affected, while XP works? Is split tunneling enabled? Is the problem gone when you disable/turn off the DNS Client service? Does the name resolve with "nslookup" while "ping" to the same name fails?