SSL VPN No local DNS
Hi there, newbie here in the Fortinet world.
Our HO has FortiGate 200 running ver 6.4
I am also using FortiClient 6.4; I downgraded to FortiClient version 6.0 and it works fine, but I cannot believe that this problem has existed since version 6.2 and nobody noticed.
I have an SSL VPN configured which connects fine, but it does not transfer the local DNS server info to the remote user.
What can be the problem?
Thanks in advance.
Do you have the DNS server set to your local DNS in your SSL VPN settings?
config vpn ssl settings
    set dns-server1 <LOCAL DNS IP>
    set dns-server2 <LOCAL DNS IP>
end
You can also set it via the GUI from your SSL VPN settings.
Thank you in Advance
Thanks for the quick reply.
I have configured under Split DNS (SSL-VPN Portal)
Primary DNS (local primary dns server) and Secondary DNS (local secondary dns server)
Configure DNS for SSL VPN under config vpn ssl settings.
config vpn ssl settings
    set dns-suffix "Domain_Name"
    set dns-server1 192.168.1.1
    set dns-server2 192.168.1.2
end
You should also configure dns-suffix, otherwise VPN clients will only be able to ping IP addresses or fully qualified host names.
So if you have a server named intranet.domain.com on IP 192.168.1.100, VPN users can ping 192.168.1.100 and intranet.domain.com but not the hostname intranet unless you set the dns-suffix to "domain.com".
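The behaviour described above (FQDN resolves, bare hostname does not until a suffix is pushed) is ordinary stub-resolver search-list logic. The following Python script is an added example, not code from the thread or from Fortinet: it emulates the suffix expansion a client resolver performs, runs it against a constructed zone standing in for the internal DNS server (intranet.domain.com -> 192.168.1.100, the addresses used in the post), and can be pointed at the real OS resolver to verify a tunnel after connecting. The function names and the sample zone are my own assumptions.

```python
"""Emulate resolver search-suffix behaviour to show why dns-suffix matters for
SSL VPN clients (added example; not Fortinet's code)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone standing in for the internal DNS server in the thread.
SAMPLE_ZONE: Dict[str, str] = {
    "intranet.domain.com": "192.168.1.100",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolve(fqdn: str) -> Optional[str]:
    """Stand-in for a lookup against the internal DNS server (constructed data)."""
    return SAMPLE_ZONE.get(fqdn.rstrip(".").lower())


def system_resolve(fqdn: str) -> Optional[str]:
    """Real lookup through the OS resolver; use once the SSL VPN tunnel is up."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def candidate_names(name: str, dns_suffix: Optional[str], ndots: int = 1) -> List[str]:
    """Return the names a search-list resolver would try, in order.

    A trailing dot marks an absolute name that never gets a suffix. A name with
    fewer than `ndots` dots is tried with the suffix first, then as given; a
    name with enough dots is tried as given first, then with the suffix.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    if not dns_suffix:
        return [name]
    suffixed = f"{name}.{dns_suffix.strip('.')}"
    if name.count(".") < ndots:
        return [suffixed, name]
    return [name, suffixed]


def resolve_with_suffix(name: str, dns_suffix: Optional[str],
                        resolve: Resolver = fake_resolve) -> Optional[Tuple[str, str]]:
    """Resolve `name` the way a client with the given search suffix would.

    Returns (name_that_resolved, ip) or None. IP literals pass through unchanged,
    which mirrors why pinging 192.168.1.100 works even when DNS is broken.
    """
    try:
        ipaddress.ip_address(name)
        return name, name
    except ValueError:
        pass
    for candidate in candidate_names(name, dns_suffix):
        ip = resolve(candidate)
        if ip:
            return candidate, ip
    return None


def verify_split_dns(hosts: List[str], dns_suffix: Optional[str],
                     resolve: Resolver = fake_resolve) -> Dict[str, Optional[Tuple[str, str]]]:
    """Quick post-connect check: map each test name to what resolved, or None."""
    return {h: resolve_with_suffix(h, dns_suffix, resolve) for h in hosts}


if __name__ == "__main__":
    tests = ["192.168.1.100", "intranet.domain.com", "intranet"]
    print("without dns-suffix:", verify_split_dns(tests, None))
    print("with dns-suffix   :", verify_split_dns(tests, "domain.com"))
    # Swap in system_resolve to run the same check against the real tunnel:
    # print(verify_split_dns(tests, "domain.com", system_resolve))
```

Without a suffix the bare name `intranet` returns None while the FQDN and the IP literal succeed, exactly the symptom reported in this thread; with `domain.com` as the suffix all three resolve. Passing `system_resolve` instead of the constructed zone turns the script into a check you can run on a client right after the tunnel comes up.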
I am unable to ping intranet.domain.com, but I can ping 192.168.1.100 successfully.
The VPN user is a local user created on the FortiGate running 6.4, and the client is FortiClient 6.4.
I noticed that FortiClient 6.0 allows me to ping both intranet.domain.com and 192.168.1.100.
I don't know if it's your case (you don't specify the platform), but on FortiClient 6.4.0 for Linux there's an issue that breaks this feature, which is supposedly fixed in 6.4.1, to be released at the end of the month.
Hm, I cannot speak for SSL VPN, but I know this from IPsec. Maybe it is the same with SSL VPN?
If I set a tunnel to do split DNS, the options in the IPsec config are rather the same. You set dns-server1 and 2 and a domain/suffix. However, it won't work, because there is an option "dns mode" that is not visible in the GUI in the IPsec config. It is set to "auto" by default, which prevents split DNS from working. It has to be set to "manual" on the CLI to make split DNS work.
I don't have a clue why Fortinet didn't include this in the GUI, as it is that important.
Maybe there is the same issue with split DNS and SSL VPN too?
hth
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
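Both the SSL VPN answer earlier in the thread (dns-server1/2 plus dns-suffix under `config vpn ssl settings`) and the IPsec observation above (DNS servers handed out by a tunnel without the CLI-only "dns mode" set to manual) are the kind of thing worth catching in a config review rather than on a user's laptop. The script below is an added example, not Fortinet's code: it parses the FortiOS `config`/`edit`/`set`/`next`/`end` text format and reports those two conditions. The option names `dns-mode` and `ipv4-dns-server1` for the phase1-interface are assumptions based on the post above, and the tunnel names and addresses in the sample are constructed.

```python
"""Audit a FortiOS configuration dump for the split-DNS settings discussed in
this thread (added example; not Fortinet's code)."""
import shlex
from typing import Dict, List

# Constructed sample resembling `show vpn ssl settings` and
# `show vpn ipsec phase1-interface` output; addresses reuse the thread's
# 192.168.1.x examples and 203.0.113.10 is a documentation address.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set dns-server1 192.168.1.1
    set dns-server2 192.168.1.2
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
config vpn ipsec phase1-interface
    edit "dialup-split-broken"
        set type dynamic
        set mode-cfg enable
        set ipv4-dns-server1 192.168.1.1
    next
    edit "dialup-split-ok"
        set type dynamic
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 192.168.1.1
    next
    edit "site-to-site"
        set remote-gw 203.0.113.10
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Turn FortiOS CLI text into nested dicts keyed by `config ...`/`edit ...` names.

    `set k v...` stores the value as one string with quotes removed; `unset`
    deletes it; `next`/`end` pop back out of the current block.
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(node)
        elif kw in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        elif kw == "set" and len(tokens) >= 2:
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif kw == "unset" and len(tokens) >= 2:
            stack[-1].pop(tokens[1], None)
    return root


def audit_split_dns(config: Dict) -> List[str]:
    """Return human-readable findings for SSL VPN and IPsec split-DNS settings."""
    findings: List[str] = []
    ssl = config.get("vpn ssl settings")
    if ssl is None:
        findings.append("ssl: no 'config vpn ssl settings' block found")
    else:
        if not ssl.get("dns-server1"):
            findings.append("ssl: dns-server1 not set; clients keep their own DNS")
        elif not ssl.get("dns-suffix"):
            findings.append("ssl: dns-suffix not set; bare hostnames will not resolve")
    for name, p1 in config.get("vpn ipsec phase1-interface", {}).items():
        if not isinstance(p1, dict):
            continue
        # Assumed option names (from the post above): a tunnel pushing DNS via
        # mode-cfg needs dns-mode manual, otherwise the default "auto" applies.
        if p1.get("ipv4-dns-server1") and p1.get("dns-mode", "auto") != "manual":
            findings.append(f"ipsec {name}: ipv4-dns-server1 set but dns-mode is not manual")
    return findings


if __name__ == "__main__":
    for finding in audit_split_dns(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed sample it reports two findings: the SSL VPN block has DNS servers but no dns-suffix, and the tunnel `dialup-split-broken` pushes a DNS server while still in the default DNS mode; `dialup-split-ok` and the site-to-site tunnel are silent. Feeding it a real `show full-configuration` dump instead of `SAMPLE_CONFIG` gives the same check for a production unit.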
I've seen a known issue reported that may be related to your situation:
https://docs.fortinet.com/document/forticlient/6.2.1/windows-release-notes/991883/known-issues
Please check if bug ID 537299 is your case,
which has been resolved in 6.2.3:
https://docs.fortinet.com/document/forticlient/6.2.3/windows-release-notes/22791/resolved-issues
Thanks
I forgot to update the thread. After escalating the issue, one of the engineers from FortiGate could diagnose it and check that it was indeed a problem in release 6.4.0, but...
There's a fixed 6.4.1 version, but only for EMS customers who are on more frequent releases.
If you are (like me) without a specific EMS contract for VPN users, you have two options:
It's a bit of a shame that FortiGate hosts a non-working (I'd say most of us are using local DNS) VPN client on their site, forcing users into other platforms / solutions.
Exact same problem.
80E with 6.2.6 firmware and 6.4.2 FortiClient VPN: no internal DNS resolution over SSL VPN. Can ping the internal DNS server IP but not the FQDN. NSLOOKUP times out.
I've wasted a whole day on this ****. Finally found this post, installed 6.2.6 and the problem goes away instantly.
Fortinet needs to get their $hit together. This is ridiculous. I'm IT director for 200 people and have one assistant. We don't have time to run test labs for every single change we make. There are certain things that should just WORK. Period. Like a utility. Completely inexcusable.
