- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- DNS Reply problem on VPN SSL
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DNS Reply problem on VPN SSL
Hi
I have a problem with vpn client and fortigate.
The tunnel is up ping device is ok but when i ping fqdn host no response.
Split tunnel is enabled. do you have an idea.
Fortigate and VPN version 7.4.3
Thanks for your help
Solved! Go to Solution.
Labels:
- Labels:
-
SSL-VPN
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Meni
Try configure slit DNS
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/988717/ssl-vpn-split-dns
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Aek
thank you for your reply. I've done this before and the result is the same.
No DNS resolution
Meni
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Meni
Ensure that there is a firewall policy allowing your VPN clients to send DNS queries to your internal DNS server.
If this is done and doesn't work yet, try the following:
- From the client use nslookup to send a DNS query to internald DNS server and see if you got a reply
- On FG use diag sniffer (example below) to check if DNS traffic is reaching the FG and properly forwarded
- On FG use diad debug flow (example below) to check if this DNS traffic is allowed or blocked by FG
sniffer example
diag sniffer traffic any 'host x.x.x.x and port 53' 4
flow debug example
diag debug flow filter addr x.x.x.x
diag debug flow filter port 53
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug console timestamp enable
diag debug flow trace start 50
diag debug enable
Where x.x.x.x is the SSL VPN client's IP address, usually 10.212.134.x.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thanks for your message. I made test
SSL VPN Client is 192.168.226.101
DNS SERVER : 192.168.1.201
FW01 # diag sniffer packet any 'host 192.168.226.101 and port 53' 4
interfaces=[any]
filters=[host 192.168.226.101 and port 53]
15.314038 ssl.root in 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314085 Lan_Inside out 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314089 LAN_Interne out 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314093 port1 out 192.168.226.101.58481 -> 192.168.1.201.53: udp 39
15.314526 Lan_Inside in 192.168.1.201.53 -> 192.168.226.101.58481: udp 55
15.314569 ssl.root out 192.168.1.201.53 -> 192.168.226.101.58481: udp 55
85.046123 ssl.root in 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.046176 Lan_Inside out 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.046180 LAN_Interne out 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.046184 port3 out 192.168.226.101.55970 -> 192.168.1.201.53: udp 33
85.059475 Lan_Inside in 192.168.1.201.53 -> 192.168.226.101.55970: udp 49
85.059501 ssl.root out 192.168.1.201.53 -> 192.168.226.101.55970: udp 49
FW01 # 2024-05-10 10:37:30 id=65308 trace_id=11 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.226.101:54790-> 192.168.1.201:53) tun_id=0.0.0.0 from ssl.root. "
2024-05-10 10:37:30 id=65308 trace_id=11 func=init_ip_session_common line=6020 msg="allocate a new session-0024ba0d"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_dnat_check line=5466 msg="in-[ssl.root], out-[]"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-05-10 10:37:30 id=65308 trace_id=11 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw- 192.168.1.201 via Lan_Inside"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_fwd_check line=801 msg="in-[ssl.root], out-[Lan_Inside], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=98, len=3"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-111, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-121, ret-matched, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_user_identity_check line=1887 msg="ret-matched"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffbffc02c384"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_check_one_policy line=2358 msg="policy-121 is matched, act-accept"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-121"
2024-05-10 10:37:30 id=65308 trace_id=11 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-121"
2024-05-10 10:37:30 id=65308 trace_id=11 func=fw_forward_handler line=985 msg="Allowed by Policy-121:"
2024-05-10 10:37:30 id=65308 trace_id=11 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
2024-05-10 10:37:30 id=65308 trace_id=12 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.1.201:53->192.168.226.101:54790) tun_id=0.0.0.0 from Lan_Inside. "
2024-05-10 10:37:30 id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0024ba0d, reply direction"
2024-05-10 10:37:30 id=65308 trace_id=12 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.168.226.101 via ssl.root"
2024-05-10 10:37:30 id=65308 trace_id=12 func=npu_nturbo_unset_flags line=272 msg="ses->npu_state=0x100 skb->npu_flag=0x0"
2024-05-10 10:37:30 id=65308 trace_id=12 func=npu_nturbo_unset_flags line=272 msg="ses->npu_state=0x40108 skb->npu_flag=0x0"
2024-05-10 10:37:30 id=65308 trace_id=12 func=npu_handle_session44 line=1213 msg="Trying to offloading session from Lan_Inside to ssl.root, skb.npu_flag=00000000 ses.state=01000200 ses.npu_state=0x00040108"
2024-05-10 10:37:30 id=65308 trace_id=12 func=fw_forward_dirty_handler line=447 msg="state=01000200, state2=00000000, npu_state=00040108"
2024-05-10 10:37:30 id=65308 trace_id=12 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffbffc02c130"
2024-05-10 10:37:30 id=65308 trace_id=12 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-05-10 10:37:30 id=65308 trace_id=12 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
I don't see error.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Meni
You can check for few things
If you are pinging FQDN which is hosted internally then check if you have configured DNS server in SSL settings
The second condition is if you have configured DNS in SSL settings and you are resolving public DNS it might not work because DNS settings pushed to all the adapters
you can also check if if fqdn is fully qualified domain name or just a hostname
Thanks & Regards
Mayank Sharma
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mayank
Thanks for your reply
I only put internal DNS. See below
The result is the same whether pinging the host alone or with the local domain
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @hbac
Thanks for your reply
Yes i have it.
I don't use ipV6 DNS, could the problem come from
Regards
Meni
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just for troubleshooting purpose, try enable NAT on this policy and redo the test.
AEK
AEK
Related Posts
- Fortigate: Captive Portal not working on... 125 Views
- 7.4.4 Is OUT - SD-WAN Rules... 215 Views
- How to route ougoing FG traffic... 113 Views
- IPsec VPN login failed because no... 252 Views
- FortiGate stripping BGP TCP option 19 230 Views
Labels
-
FortiGate
6,769 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
581 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
347 -
FortiClient EMS
274 -
FortiMail
264 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
162 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiExtender
33 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
23 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
FortiMonitor
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.