Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
davebell
New Contributor II

MacOS Ventura DNS Resetting

Hi,

 

I've recently upgraded my mac to Ventura, and I have a weird problem with the free FortiClient VPN.

 

I can connect fine, and to start with everything works as expected. After around 30-40 minutes however, DNS resolution for internal resources stops working.

 

Before it breaks I see the following:

 

scutil --dns
DNS configuration

resolver #1
search domain[0] : xxx.net
nameserver[0] : 172.17.0.5
flags : Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)

<... snip ...>

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : xxx.net
  nameserver[0] : 172.17.0.5
  if_index : 22 (en8)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 8.8.8.8
  if_index : 14 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #3
  search domain[0] : xxx.net
  nameserver[0] : 172.17.0.5
  if_index : 27 (utun5)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)

 

 

After it breaks I have instead

 

scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 22 (en8)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

<...snip...>

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 22 (en8)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 8.8.8.8
  if_index : 14 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #3
  search domain[0] : xxx.net
  nameserver[0] : 172.17.0.5
  if_index : 27 (utun5)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)

 

 

While it is broken, my resolver is working just fine.

 

dig google.com @172.17.0.5

; <<>> DiG 9.10.6 <<>> google.com @172.17.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	142.250.200.46

;; Query time: 50 msec
;; SERVER: 172.17.0.5#53(172.17.0.5)
;; WHEN: Mon Nov 21 16:32:15 GMT 2022
;; MSG SIZE  rcvd: 55

 

 

It seems MacOS just decides to stop using the resolver provided by the VPN for some reason.

 

Has anyone got any clues about why this is happening, or where to look for clues as to why its happening?

I'm using VPN client 7.0.7.0245

12 REPLIES 12
Anthony_E
Community Manager
Community Manager

Hello Dave,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Dave,

 

I have found this guide which maybe can help you:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d09db1d6-1a69-11ed-9eba-fa163e...

 

Could you please tell me it it helped?

 

Regards,

Anthony-Fortinet Community Team.
davebell
New Contributor II

Thanks for the link.

 

It doesn't really help. My issue is not listed in the known issues, and both fctservctl and FortiClient have full disk access enabled as instructed.

 

davebell_0-1669295574254.png

 

benjaminandresen
New Contributor

I'm having same issue since updating to Ventura.

Aeq
New Contributor

Are there any news on this issue?
I am using IOS version of FortiClientVPN as a workaround however customers are complaining on this and I cannot offer them to use an unverified version.

adepretis
New Contributor II

Hi,

a colleague of mine discovered, that disabling the IP tracking limiting feature seems to solve the problem:

Screenshot 2023-02-09 at 11.14.19.png

 

To be sure we disabled this for both WiFI and Network ports (even when not used) and it seems to work.

davebell
New Contributor II

I've tried this today, and so far my DNS has not reset! Thank you!

 

If I have no further issues I'm going to mark this as the solution.

adepretis
New Contributor II

sorry, seems to be a false alarm ... for my colleague it worked for a few hours (before the reset occured every 30-40mins) and we thought that might be it.
It's not :( - it stilled occured a few ours later.

davebell
New Contributor II

It may not be the full solution, but for me it has dramatically improved things. I've not had an issue with DNS since disabling tracking. 

 

That google groups link looks to be the exact same issue!

Top Kudoed Authors