Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pxiannie
New Contributor III

How to solve DNS resolve failed problem when connect to SSL VPN?

I'm able to connect to ping my server and access local system last week, but today I tried to connect it shows error DNS resolve failed. I did not make any changes and this error has been solved, why got this error again?  I cant ping my server in command prompt and access the local system now. My current version of FortiClient VPN is 7.2.3.0929, is it because of the updates?

 

Screenshot 2024-02-01 170224.png

Screenshot 2024-02-01 170430.png
Please help. Thanks!

 

FortiClient  
FortiGate  

22 REPLIES 22
hbac
Staff
Staff

Hi @pxiannie,

 

I can see that you are using public DNS servers. Do you have split tunneling enabled? 

 

Regards, 

pxiannie
New Contributor III

No, I didnt enabled. I disabled the tunnel mode split tunneling. The DNS split tunneling also didnt enabled.

hbac

@pxiannie

 

If split tunneling is disabled, that means DNS traffic will go through the FortiGate. Please run debug flow by following this article to see if the traffic is being dropped: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards, 

pxiannie
New Contributor III

Hi @hbac ,
I run diag debug flow trace start 100 and it show me message "Denied by forward policy check (policy 0)" , but I did set my service to all for firewall policy.

Screenshot 2024-02-05 155943.png

hbac

@pxiannie,

 

That means you don't have a firewall policy to allow traffic from ssl.root to ppp2. Please check your policy. 

 

Regards, 

JcvnStdn
New Contributor II

have you tried enabling the DNS DB ?
FortiGate DNS server | FortiGate / FortiOS 6.2.13 | Fortinet Document Library

Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....
Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....
pxiannie
New Contributor III

No, because prevously I did not set also able to ping server

Jakob-AHHG

That would enable a full DNS server in the FG, that you need to maintain.
Here's what we do, that works:

Put internal DNS servers in the SSL-VPM Settings

Enable Split-Tummel, Policy Based

 

Then your client will use the PC's local DNS servers when accessing the internet, and your internal DNS servers when asking for sites based over the VPN (as specified in the FW rule in Destination)

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Jakob Peterhänsel,IT System Admin,Arp-Hansen Hotrel Group A/S, Copenhagen, DK
pxiannie
New Contributor III

Hi @Jakob-AHHG ,

I did put internal DNS servers in SSL VPN Settings.
Screenshot 2024-02-01 170224.png
This is how I set my SSL VPN Portal, does the routing address override set correctly?
Screenshot 2024-02-06 131203.png

Here is my firewall policy
Screenshot 2024-02-06 131406.png

Updated:
I'm able to ping my server ip address after I set the routing address override to ssl vpn address. But why still not able to ping my servername?

Regards,

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors