Support Forum
Kevmeister68
New Contributor

Overlapping Subnets - FortiClient works on PC, works on Android, doesn't work on iOS

I am seeking help with a problem that I cannot understand. One of our staff members has a subnet at home that matches our subnet at work, being 192.168.0.x/24.

Normally I would dismiss this out of hand as likely to cause routing problems and so forth. This user is a QA person and therefore uses a PC, Android device, and iOS device as part of her workflow, to connect to resources in our corporate network.

Using FortiClient on each of these devices, the PC works (despite the overlapping subnet), Android works (despite the overlapping subnet), but iOS does not work.

In the iOS case it is not using the corporate DNS and it is not routing traffic to the corporate LAN.

I know the usual recommendation is to renumber the corporate subnet, but I am also reticent to do that because it is ultimately just a symptomatic fix until we get another conflict.

Any ideas on how to troubleshoot, or what settings might be available to assist? We have split tunnelling enabled for VPN users. I tried setting up a different VPN portal for this user and turned off split tunnelling, but that resulted in none of her devices being able to route traffic (although this could be a misconfiguration error on my part).

distillednetwork
Contributor III

Try to set a dns-suffix for your internal domain in the VPN settings. Sometimes iOS gets picky if there is no DNS suffix provided:

config vpn ssl settings
    set dns-suffix "yourdomain.fqdn"
end

Kevmeister68

Thanks for the idea -- unfortunately we already have DNS suffixes defined.

distillednetwork

What about setting up another portal for the user to use that has a backup subnet? You could do it with multiple realms (a different URL), so everyone connects to the main one unless there is a conflict, in which case they can go with the backup portal.

Kevmeister68

Can you explain this a little further, please? Are you implying that the firewall would do some kind of address translation from the "backup subnet" onto the "real" corporate subnet (and vice-versa)? Do you have any solution for DNS that doesn't require an entirely different DNS server?

distillednetwork

Take a look at this guide done by a Fortinet SE:

https://infosecmonkey.com/deploying-ssl-vpns-using-multiple-realms/

You could set up the realm with a different SSL-VPN IP pool that doesn't conflict, and everyone else could use the main one.
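
As an added example (not from the thread above or from the linked guide), here is what the second realm and portal suggested in the last reply look like in FortiOS CLI. Object names, the 10.212.135.0/24 tunnel pool, the 192.168.200.0/24 presentation range, the "VPN_Overlap_Users" group, the listening port and authentication-rule ID 2 are all assumptions. One caveat a practitioner should keep in mind: a different tunnel IP pool only changes the address the client gets on the tunnel interface. The destination the client must route to is still 192.168.0.0/24, the same prefix as the user's home LAN, so the split-tunnel route and the home LAN route collide regardless of pool. To actually remove the overlap for this realm, the corporate LAN has to be presented under a different range, which is the address translation asked about earlier in the thread. The example therefore also includes a static NAT range VIP that maps 192.168.200.x (what the client routes into the tunnel) onto 192.168.0.x, and the firewall policy that applies it.

```text
# Added example, not configuration from the original thread.
# All names, addresses and the group are assumptions.

# 1. A second tunnel IP pool that does not collide with anything at the user's end.
config firewall address
    edit "SSLVPN_Pool_Backup"
        set type iprange
        set start-ip 10.212.135.1
        set end-ip 10.212.135.254
    next
    # The range under which the 192.168.0.0/24 LAN is presented to this realm.
    edit "Corp_LAN_Translated"
        set subnet 192.168.200.0 255.255.255.0
    next
end

# 2. Static NAT range VIP: 192.168.200.1-254 on the tunnel side -> 192.168.0.1-254 on the LAN.
config firewall vip
    edit "VIP_Corp_LAN_Translated"
        set extip 192.168.200.1-192.168.200.254
        set extintf "ssl.root"
        set mappedip "192.168.0.1-192.168.0.254"
    next
end

# 3. Portal for the backup realm: split-tunnel only the translated range,
#    so the client never installs a route for 192.168.0.0/24.
#    192.168.200.10 is the corporate DNS server at its translated address (assumed host).
config vpn ssl web portal
    edit "backup-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_Pool_Backup"
        set split-tunneling enable
        set split-tunneling-routing-address "Corp_LAN_Translated"
        set dns-server1 192.168.200.10
    next
end

# 4. The realm itself. Clients connect to https://<vpn-host>:<port>/backup;
#    everyone else keeps using the default realm.
config vpn ssl web realm
    edit "backup"
    next
end

# 5. Only the affected group, and only through the backup realm, lands on the new portal.
#    Rule ID 2 assumes the existing default rule is ID 1.
config vpn ssl settings
    config authentication-rule
        edit 2
            set groups "VPN_Overlap_Users"
            set realm "backup"
            set portal "backup-portal"
        next
    end
end

# 6. Policy from the tunnel into the LAN. The destination is the VIP, so the
#    DNAT from 192.168.200.x to 192.168.0.x is applied on this path.
config firewall policy
    edit 0
        set name "SSLVPN-backup-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_Pool_Backup"
        set dstaddr "VIP_Corp_LAN_Translated"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN_Overlap_Users"
    next
end
```

With this in place the client's tunnel route is 192.168.200.0/24, which does not overlap a 192.168.0.x home network on any of the three platforms. Verify on the iOS device that the connected route table shows 192.168.200.0/24 over the tunnel and that the corporate DNS server is reachable at its translated address. What this does not solve is the DNS question raised in the thread: records returned by the corporate DNS server still resolve to 192.168.0.x addresses, which the client would send to its home LAN, so names used by this group would need to be answered with the translated addresses. The thread leaves that part open and so does this example.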
