We are currently in the process of removing Talaris from our environment and just having IPSec tunnels for AD traffic on the Fortigates. So far I have a couple of offices moved over. We have a couple of new offices with the same setup (minus the Talari) with IPSec tunnel(s). When doing a Route Lookup at the new offices to our .local domain, I get "No routes exists to the destination "DOMAIN.local"". If I do it on the offices that were moved off the Talari device, it works fine and highlights the IPSec tunnel. I have compared the configurations and they are the same. I've looked at the firewall in our datacenter and everything appears to be identical between the new and old offices. DNS queries for the domain appear to be using the tunnel, but for my sanity I would like to figure out why the route lookup works at the old office locations but not at the new ones.
I ran a packet capture (not sure what diag debug command to use) and see that the DNS query is coming from 10.10.10.1 which is the DMZ interface. I looked and nothing is using the DMZ interface.
I ended up figuring out the issue. I missed adding a source-ip under dns-database.

```
config system dns-database
    edit "*zone name*"
        set domain "DOMAIN.local"
        set type slave
        set authoritative disable
        set forwarder "*DNS server 1*" "*DNS server 2*"
        set source-ip *FORTIGATE LAN Interface*
        set ip-master *DNS server 1*
    next
end
```
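A small config check for the mistake described above, as an added example that is not part of the thread: it parses a `config system dns-database` block and lists the slave zones that have no `source-ip`, so forwarded queries would leave from whatever interface the FortiGate picks (in the thread, the DMZ interface) instead of the LAN address that is routed over the tunnel. The sample config, zone names and 192.0.2.x / 10.20.30.1 addresses are constructed placeholders.

```python
import re

# Constructed FortiGate CLI fragment (placeholder names and addresses, not a
# real device's config): "site-a" has source-ip set, "site-b" is missing it.
SAMPLE_CONFIG = """\
config system dns-database
    edit "site-a"
        set domain "DOMAIN.local"
        set type slave
        set authoritative disable
        set forwarder "192.0.2.10" "192.0.2.11"
        set source-ip 10.20.30.1
        set ip-master 192.0.2.10
    next
    edit "site-b"
        set domain "DOMAIN.local"
        set type slave
        set authoritative disable
        set forwarder "192.0.2.10" "192.0.2.11"
        set ip-master 192.0.2.10
    next
end
"""


def parse_dns_database(text):
    """Return {zone_name: {setting: [values]}} for the dns-database section."""
    entries, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system dns-database":
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            # Values may be quoted (and contain spaces) or bare tokens.
            entries[current][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            current = None
        elif line == "end":
            break
    return entries


def find_missing_source_ip(text):
    """Names of slave zones whose source-ip is unset (the bug in the thread)."""
    return sorted(name for name, s in parse_dns_database(text).items()
                  if s.get("type") == ["slave"] and "source-ip" not in s)
```

Run it against `show system dns-database` output captured from each office to spot the zones that still need the `set source-ip` line.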