New Contributor

SSL VPN No local DNS

Hi there, newbie here in the Fortinet world.


Our HO has FortiGate 200 running ver 6.4


I am also using FortiClient 6.4; I downgraded to FortiClient version 6.0 and it works fine, but I cannot believe that this problem has existed since version 6.2 and nobody noticed.


I have an SSL VPN configured which connects fine, but it does not transfer the local DNS server info to the remote user.


What can be the problem?


Thanks in advance.

New Contributor

Do you have the DNS server set to your local DNS in your SSL VPN settings?


config vpn ssl settings
    set dns-server1 <LOCAL DNS IP>
    set dns-server2 <LOCAL DNS IP>
end



You can also set it via the GUI from your SSL VPN settings.


Thank you in Advance

New Contributor

Thanks for the quick reply.

I have configured, under Split DNS (SSL-VPN Portal):

Primary DNS (local primary DNS server) and Secondary DNS (local secondary DNS server)


Configure DNS for SSL VPN under config vpn ssl settings.


config vpn ssl settings
    set dns-suffix "Domain_Name"
    set dns-server1 <primary DNS IP>
    set dns-server2 <secondary DNS IP>
end


You should also configure dns-suffix, otherwise VPN clients will only be able to ping IP addresses or fully qualified host names.

So if you have a server named on IP , VPN users can ping and but not the hostname intranet unless you set the dns-suffix to "".
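As an added example (not taken from this thread or from Fortinet's documentation), here is the FortiOS 6.4 CLI form of the advice above, combining the global SSL VPN DNS settings with a per-portal split-DNS entry, which is what the "Split DNS (SSL-VPN Portal)" GUI page writes. The portal name "full-access", the address object "internal-subnet", the suffix corp.example.com and the server addresses 10.0.0.53/10.0.0.54 are placeholders I chose:

```fortios
# Global SSL VPN DNS: pushed to every tunnel-mode client.
# dns-suffix lets clients resolve short names (e.g. "intranet"),
# not only fully qualified ones.
config vpn ssl settings
    set dns-suffix "corp.example.com"
    set dns-server1 10.0.0.53
    set dns-server2 10.0.0.54
end

# Per-portal split DNS: only queries for the listed domains are sent
# to the internal servers; everything else stays with the client's
# own resolver. This is the CLI behind the "Split DNS" portal page.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "internal-subnet"
        config split-dns
            edit 1
                set domains "corp.example.com"
                set dns-server1 10.0.0.53
                set dns-server2 10.0.0.54
            next
        end
    next
end

# Verify what the FortiGate will actually hand out.
show vpn ssl settings
show vpn ssl web portal full-access
```

Two points worth checking before blaming the client: the internal DNS servers (10.0.0.53/.54 here) must be inside the split-tunnel routing address, otherwise queries leave on the client's default interface and simply time out, and a client that was connected while the portal was edited has to disconnect and reconnect to receive the new DNS settings.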


New Contributor

I am unable to ping to but I can ping successfully to


The vpn user is a local user created on the FortiGate running 6.4 and FortiClient 6.4

I noticed that FortiClient 6.0 allows me to ping to and

New Contributor

I don't know if it's your case (you don't specify the platform), but on FortiClient 6.4.0 for Linux there's an issue that breaks this feature, which is supposedly fixed in 6.4.1, to be released at the end of the month.



Hm, I cannot speak for SSL VPN but I know this from IPsec. Maybe it is the same with SSL VPN?


If I set up a tunnel to do split DNS, the options in the IPsec config are rather the same. You set dns-server1 and 2 and a domain/suffix. However, it won't work because there is an option, dns-mode, that is not visible in the GUI in the IPsec config. It is set to "auto" by default, which prevents split DNS from working. It has to be set to "manual" on the CLI to make split DNS work.

I don't have a clue why Fortinet didn't include this in the GUI, as it is that important.

Maybe there is the same issue with split DNS and SSL VPN too?





"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
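As an added example (mine, not from the post above or from Fortinet's documentation), the IPsec dial-up phase1 described in this post, showing the default dns-mode that silently ignores the pushed servers next to the manual setting that makes them take effect. The tunnel name "ipsec-dialup", the address object "internal-subnet", the domain corp.example.com and the server addresses are placeholders I chose:

```fortios
# Weak: dns-server1/2 and domain are set, but dns-mode is left at its
# default "auto", so the FortiGate pushes its own system DNS settings
# to the client and the values below are not used.
config vpn ipsec phase1-interface
    edit "ipsec-dialup"
        set mode-cfg enable
        set dns-mode auto
        set ipv4-dns-server1 10.0.0.53
        set ipv4-dns-server2 10.0.0.54
        set domain "corp.example.com"
        set ipv4-split-include "internal-subnet"
    next
end

# Corrected: dns-mode manual makes the per-tunnel servers and domain
# the ones that are handed to the dial-up client.
config vpn ipsec phase1-interface
    edit "ipsec-dialup"
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 10.0.0.53
        set ipv4-dns-server2 10.0.0.54
        set domain "corp.example.com"
        set ipv4-split-include "internal-subnet"
    next
end

# dns-mode does not appear in the GUI; confirm it from the CLI.
show vpn ipsec phase1-interface ipsec-dialup
```

Because the option is hidden from the GUI, a later GUI edit of the same tunnel does not reset it, but it is worth re-checking with the show command after any firmware upgrade.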

I've seen a known issue reported that may be related to your situation.

Please check if bug ID 537299 is your case; it has been resolved in 6.2.3.



New Contributor

I forgot to update the thread. After escalating the issue, one of the engineers from FortiGate could diagnose the issue and check that it was indeed a problem in the 6.4.0 release, but...

There's a fixed 6.4.1 version but only for EMS customers that are on more frequent releases.

If you are (like me) without a specific EMS contract for VPN users, you have two options:

  • Wait until 6.4.1 is released on (6 months have passed without any change)
  • Use the legacy 4.x versions (no system integration, etc.)
  • Use some other program such as openfortigui (that has been my option so far), which works quite fine.

It's a bit of a shame that FortiGate hosts a non-working (I'd say most of us are using local DNS) VPN client on their site, forcing users onto other platforms / solutions.

UrbyTuesday

Exact same problem.

80E with 6.2.6 firmware and 6.4.2 FortiClient VPN: no internal DNS resolution over SSL VPN. Can ping the internal DNS server IP but not the FQDN. NSLOOKUP times out.

I've wasted a whole day on this ****. Finally found this post, installed 6.2.6 and the problem goes away instantly.

Fortinet needs to get their $hit together. This is ridiculous. I'm IT director for 200 people and have one assistant. We don't have time to run test labs for every single change we make. There are certain things that should just WORK. Period. Like a utility. Completely inexcusable.