Description
The Dissolvable Agent prompts for a server name during VPN registration. This can occur if the agent is unable to locate the appliance due to a domain mismatch.
During connection, the agent sends SRV DNS requests (queries) to determine the name of the appliance. SRV queries are answered only if they are sourced from the same domain as the appliance VPN interface. If the domains differ, the agent cannot determine the appliance name and agent communication fails. Therefore, if FortiNAC is managing multiple VPN scopes, they must all use the same domain.
Troubleshoot:
1. While connected to the VPN tunnel, confirm the host's DNS Suffix Search list includes the domain configured in the VPN DHCP scope on the appliance.
Windows:
ipconfig /all
macOS & Linux:
cat /etc/resolv.conf
2. Review the /bsc/logs/named.log file for SRV queries sent from the VPN host to the FortiNAC appliance.
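The log review in step 2 can be scripted. The following is an added example, not Fortinet code: it lists the SRV queries sent by one VPN host and marks whether each queried name falls under the domain in the VPN DHCP scope. It assumes named.log uses BIND's standard query-log line format; the IP addresses, domains and the `_agent._tcp` service label are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Fortinet code. Assumes BIND's query-log line format:
#   ... client [@0x..] <ip>#<port> (<name>): query: <name> IN SRV <flags> (<server>)

# srv_queries_from_host LOGFILE HOST_IP SCOPE_DOMAIN
# Prints "MATCH <name>" or "MISMATCH <name>" for each SRV query from HOST_IP.
srv_queries_from_host() {
    awk -v host="$2" -v dom="$3" '
    BEGIN { dom = tolower(dom); sub(/\.$/, "", dom); suffix = "." dom }
    / query: / && / IN SRV / {
        ip = ""; qname = ""
        for (i = 1; i < NF; i++) {
            if ($i == "client") {
                j = i + 1
                if ($j ~ /^@/) j++            # newer BIND logs a pointer first
                split($j, a, "#"); ip = a[1]
            } else if ($i == "query:") {
                qname = tolower($(i + 1))
            }
        }
        if (ip != host || qname == "") next   # only the VPN host under test
        sub(/\.$/, "", qname)
        # Compare on a label boundary so othercorp.example.com is not
        # accepted as corp.example.com.
        off = length(qname) - length(suffix) + 1
        status = (off > 1 && substr(qname, off) == suffix) ? "MATCH" : "MISMATCH"
        print status, qname
    }' "$1"
}

# Constructed sample lines (placeholder IPs, domains and service label),
# not taken from a real appliance.
sample_log() {
    cat <<'EOF'
01-Jan-2024 10:00:01.100 client 10.20.30.40#51001 (_agent._tcp.corp.example.com): query: _agent._tcp.corp.example.com IN SRV + (10.20.30.1)
01-Jan-2024 10:00:02.200 queries: info: client @0x7f10a4 10.20.30.40#51002 (_agent._tcp.vpn.example.net): query: _agent._tcp.vpn.example.net IN SRV + (10.20.30.1)
01-Jan-2024 10:00:03.300 client 10.20.30.40#51003 (_agent._tcp.othercorp.example.com): query: _agent._tcp.othercorp.example.com IN SRV + (10.20.30.1)
01-Jan-2024 10:00:04.400 client 10.20.30.99#51004 (_agent._tcp.corp.example.com): query: _agent._tcp.corp.example.com IN SRV + (10.20.30.1)
01-Jan-2024 10:00:05.500 client 10.20.30.40#51005 (www.corp.example.com): query: www.corp.example.com IN A + (10.20.30.1)
EOF
}

# Expected: one MATCH and two MISMATCH lines for host 10.20.30.40.
sample_log | srv_queries_from_host - 10.20.30.40 corp.example.com
```

On the appliance, pass /bsc/logs/named.log as the first argument along with the VPN host's tunnel IP and the scope domain. A MISMATCH line, or no output at all for the host, points to the DNS suffix problem described above.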
Solution
Cisco ASA:
default-domain value should match the domain specified in the FortiNAC VPN DHCP scope.
default-domain value <domain in VPN DHCP scope>
FortiGate VPN:
dns-suffix value should match the domain specified in the FortiNAC VPN DHCP scope.
config vpn ssl web portal
    edit "FNAC_SSL_Portal"
        set dns-suffix "<domain in VPN DHCP scope>"
    next
end