Public bug reported:

When connecting using Network-manager to a FortiSSL VPN, the DNS
settings are not updated.

This was working fine on the previous Ubuntu release (same VPN account and
gateway). Now I can see in the logs that the VPN is correctly brought up and
gets nameserver settings:

Jun 25 09:39:11 LH25450 systemd-udevd[106389]: ethtool: autonegotiation is 
unset or enabled, the speed and duplex are not writable.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   Got addresses: 
[10.244.148.1], ns [10.242.135.1, 10.242.135.2]
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   negotiation complete
...
Jun 25 09:39:14 LH25450 systemd[1]: Starting Network Manager Script Dispatcher 
Service...
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO:   Interface ppp0 is UP.
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO:   Tunnel is up and 
running.


But when looking at the interface state using nmcli, ppp0 is displayed
as down:

root@LH25450:~# nmcli device status 
DEVICE     TYPE      STATE         CONNECTION          
enp0s31f6  ethernet  connected     Connexion filaire 1 
docker0    bridge    connected     docker0             
ppp0       ppp       disconnected  --                  
wlp0s20f3  wifi      unavailable   --                  
lo         loopback  unmanaged     --                  

And if I try to resolve an internal hostname, it fails:

bmordac@LH25450:~$ dig wpad.internal-domain.demo

; <<>> DiG 9.16.1-Ubuntu <<>> wpad.internal-domain.demo
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28205
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wpad.internal-domain.demo.     IN      A

;; Query time: 52 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jun 25 09:50:25 CEST 2020
;; MSG SIZE  rcvd: 58

If I force dig to use the NS received by the FortiGate, it works:

bmordac@LH25450:~$ dig @10.242.135.1 wpad.internal-domain.demo

; <<>> DiG 9.16.1-Ubuntu <<>> @10.242.135.1 wpad.internal-domain.demo
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58565
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 0f56987937b2e9a5 (echoed)
;; QUESTION SECTION:
;wpad.internal-domain.demo.     IN      A

;; ANSWER SECTION:
wpad.internal-domain.demo. 3600 IN      CNAME   
fro1vresweb.internal-domain.demo.
fro1vresweb.internal-domain.demo. 3600 IN A     10.242.128.2

;; Query time: 28 msec
;; SERVER: 10.242.135.1#53(10.242.135.1)
;; WHEN: Thu Jun 25 09:50:48 CEST 2020
;; MSG SIZE  rcvd: 112


Below is the full log from /var/log/syslog:

Jun 25 09:39:07 LH25450 NetworkManager[104625]: <info>  [1593070747.2806] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]:
 Started the VPN service, PID 106373
Jun 25 09:39:07 LH25450 NetworkManager[104625]: <info>  [1593070747.2890] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]:
 Saw the service appear; activating connection
Jun 25 09:39:07 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, 
mitigating potential DNS violation DVE-2018-0001, retrying transaction with 
reduced feature level UDP.
Jun 25 09:39:11 LH25450 NetworkManager[104625]: <info>  [1593070751.0710] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]:
 VPN connection: (ConnectInteractive) reply received
Jun 25 09:39:11 LH25450 NetworkManager[104625]: <info>  [1593070751.0734] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]:
 VPN plugin: state changed: starting (3)
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   Connected to gateway.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   Authenticated.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   Remote gateway has 
allocated a VPN.
Jun 25 09:39:11 LH25450 pppd[106381]: Plugin 
/usr/lib/pppd/2.4.7/nm-fortisslvpn-pppd-plugin.so loaded.
Jun 25 09:39:11 LH25450 NetworkManager[106381]: Plugin 
/usr/lib/pppd/2.4.7/nm-fortisslvpn-pppd-plugin.so loaded.
Jun 25 09:39:11 LH25450 pppd[106381]: pppd 2.4.7 started by root, uid 0
Jun 25 09:39:11 LH25450 pppd[106381]: Using interface ppp0
Jun 25 09:39:11 LH25450 NetworkManager[106381]: Using interface ppp0
Jun 25 09:39:11 LH25450 NetworkManager[106381]: Connect: ppp0 <--> /dev/pts/0
Jun 25 09:39:11 LH25450 pppd[106381]: Connect: ppp0 <--> /dev/pts/0
Jun 25 09:39:11 LH25450 NetworkManager[104625]: <info>  [1593070751.4736] 
manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/8)
Jun 25 09:39:11 LH25450 systemd-udevd[106389]: ethtool: autonegotiation is 
unset or enabled, the speed and duplex are not writable.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   Got addresses: 
[10.244.148.1], ns [10.242.135.1, 10.242.135.2]
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   negotiation complete
Jun 25 09:39:12 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, 
mitigating potential DNS violation DVE-2018-0001, retrying transaction with 
reduced feature level UDP.
Jun 25 09:39:13 LH25450 systemd-resolved[679]: message repeated 16 times: [ 
Server returned error NXDOMAIN, mitigating potential DNS violation 
DVE-2018-0001, retrying transaction with reduced feature level UDP.]
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO:   negotiation complete
Jun 25 09:39:14 LH25450 pppd[106381]: local  IP address 10.244.148.1
Jun 25 09:39:14 LH25450 kernel: [92296.251077] audit: type=1400 
audit(1593070754.134:51133): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd" name="/sys/devices/virtual/net/ppp0/type" pid=752 
comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 25 09:39:14 LH25450 NetworkManager[106381]: local  IP address 10.244.148.1
Jun 25 09:39:14 LH25450 NetworkManager[106381]: remote IP address 192.0.2.1
Jun 25 09:39:14 LH25450 pppd[106381]: remote IP address 192.0.2.1
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1401] 
device (ppp0): state change: unmanaged -> unavailable (reason 
'connection-assumed', sys-iface-state: 'external')
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1448] 
device (ppp0): state change: unavailable -> disconnected (reason 'none', 
sys-iface-state: 'external')
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1643] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]:
 VPN connection: (IP4 Config Get) reply received from old-style plugin
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1653] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data: VPN Gateway: XXX.XXX.XXX.XXX
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1653] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data: Tunnel Device: "ppp0"
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1654] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data: IPv4 configuration:
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1654] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data:   Internal Address: 10.244.148.1
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1654] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data:   Internal Prefix: 32
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1655] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data:   Internal Point-to-Point Address: 192.0.2.1
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1655] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data:   Static Route: 0.0.0.0/0   Next Hop: 0.0.0.0
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1655] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data:   Static Route: 192.0.2.1/32   Next Hop: 0.0.0.0
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1655] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data:   DNS Domain: '(none)'
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1656] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 Data: No IPv6 configuration
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1657] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 VPN plugin: state changed: started (4)
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1682] 
vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]:
 VPN connection: (IP Config Get) complete
Jun 25 09:39:14 LH25450 dbus-daemon[704]: [system] Activating via systemd: 
service name='org.freedesktop.nm_dispatcher' 
unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.651' (uid=0 
pid=104625 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Jun 25 09:39:14 LH25450 kernel: [92296.281959] audit: type=1400 
audit(1593070754.166:51134): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd" name="/sys/devices/virtual/net/ppp0/type" pid=752 
comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 25 09:39:14 LH25450 systemd[1]: Starting Network Manager Script Dispatcher 
Service...
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO:   Interface ppp0 is UP.
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO:   Tunnel is up and 
running.
Jun 25 09:39:14 LH25450 dbus-daemon[704]: [system] Successfully activated 
service 'org.freedesktop.nm_dispatcher'
Jun 25 09:39:14 LH25450 systemd[1]: Started Network Manager Script Dispatcher 
Service.
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info>  [1593070754.1871] 
policy: set 'VPN-FORTISSL' (ppp0) as default for IPv4 routing and DNS
Jun 25 09:39:15 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, 
mitigating potential DNS violation DVE-2018-0001, retrying transaction with 
reduced feature level UDP.
Jun 25 09:39:24 LH25450 systemd-resolved[679]: message repeated 27 times: [ 
Server returned error NXDOMAIN, mitigating potential DNS violation 
DVE-2018-0001, retrying transaction with reduced feature level UDP.]
Jun 25 09:39:24 LH25450 systemd[1]: NetworkManager-dispatcher.service: 
Succeeded.
Jun 25 09:39:24 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, 
mitigating potential DNS violation DVE-2018-0001, retrying transaction with 
reduced feature level UDP.
 

bmordac@LH25450:~$ sudo nmcli device show 
GENERAL.DEVICE:                         enp0s31f6
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         38:22:E2:C2:F6:C3
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     Connexion filaire 1
GENERAL.CON-PATH:                       
/org/freedesktop/NetworkManager/ActiveConnection/2
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.1.3/24
IP4.GATEWAY:                            192.168.1.254
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 192.168.1.254, mt 
= 100
IP4.ROUTE[2]:                           dst = 217.64.156.33/32, nh = 
192.168.1.254, mt = 100
IP4.ROUTE[3]:                           dst = 192.168.1.254/32, nh = 0.0.0.0, 
mt = 100
IP4.ROUTE[4]:                           dst = 169.254.0.0/16, nh = 0.0.0.0, mt 
= 1000
IP4.ROUTE[5]:                           dst = 192.168.1.0/24, nh = 0.0.0.0, mt 
= 100
IP4.DNS[1]:                             192.168.1.254
IP6.ADDRESS[1]:                         2a01:e0a:xxxx:xxxx:xxxx:d9d:4cc8:e6c5/64
IP6.ADDRESS[2]:                         2a01:e0a:xxxx:xxxx:xxxx:1d38:cea7:258/64
IP6.ADDRESS[3]:                         fe80::ad4c:5ae4:f843:3657/64
IP6.GATEWAY:                            fe80::160c:76ff:feb4:a10a
IP6.ROUTE[1]:                           dst = 2a01:e0a:xxxx:xxxx::/64, nh = ::, 
mt = 100
IP6.ROUTE[2]:                           dst = ::/0, nh = 
fe80::160c:76ff:feb4:a10a, mt = 20100
IP6.ROUTE[3]:                           dst = fe80::/64, nh = ::, mt = 100
IP6.ROUTE[4]:                           dst = ff00::/8, nh = ::, mt = 256, 
table=255
IP6.DNS[1]:                             fd0f:ee:b0::1

GENERAL.DEVICE:                         docker0
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:DF:0B:F4:F8
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     docker0
GENERAL.CON-PATH:                       
/org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]:                         172.17.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.17.0.0/16, nh = 0.0.0.0, mt = 0
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         ppp0
GENERAL.TYPE:                           ppp
GENERAL.HWADDR:                         (unknown)
GENERAL.MTU:                            1400
GENERAL.STATE:                          30 (disconnected)
GENERAL.CONNECTION:                     --
GENERAL.CON-PATH:                       --

GENERAL.DEVICE:                         wlp0s20f3
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         84:C5:A6:31:C2:7F
GENERAL.MTU:                            1500
GENERAL.STATE:                          20 (unavailable)
GENERAL.CONNECTION:                     --
GENERAL.CON-PATH:                       --

GENERAL.DEVICE:                         lo
GENERAL.TYPE:                           loopback
GENERAL.HWADDR:                         00:00:00:00:00:00
GENERAL.MTU:                            65536
GENERAL.STATE:                          10 (unmanaged)
GENERAL.CONNECTION:                     --
GENERAL.CON-PATH:                       --
IP4.ADDRESS[1]:                         127.0.0.1/8
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         ::1/128
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = ::1/128, nh = ::, mt = 256
bmordac@LH25450:~$ 


bmordac@LH25450:~$ systemd-resolve --status 
Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 25 (ppp0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 4 (docker0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 3 (wlp0s20f3)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 2 (enp0s31f6)
      Current Scopes: DNS          
DefaultRoute setting: yes          
       LLMNR setting: yes          
MulticastDNS setting: no           
  DNSOverTLS setting: no           
      DNSSEC setting: no           
    DNSSEC supported: no           
  Current DNS Server: 192.168.1.254
         DNS Servers: 192.168.1.254
                      fd0f:ee:b0::1
          DNS Domain: ~.

** Affects: network-manager-fortisslvpn (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1885089

Title:
  Fail to update DNS settings
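
A check for the symptom shown in this report, as an added example that is not part of the original bug report or of the project's code: it compares the nameservers announced in the VPN log with what systemd-resolved holds for the tunnel link. The function names are hypothetical, and the inputs are constructed from the output quoted above.

```python
import re

# Constructed sample: two lines taken from the syslog excerpt in the report,
# un-wrapped, plus an abridged copy of its `systemd-resolve --status` output.
SYSLOG = (
    "Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO:   Got addresses: "
    "[10.244.148.1], ns [10.242.135.1, 10.242.135.2]\n"
    "Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO:   Interface ppp0 is UP.\n"
)
RESOLVE_STATUS = """\
Link 25 (ppp0)
      Current Scopes: none
DefaultRoute setting: no

Link 2 (enp0s31f6)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.168.1.254
         DNS Servers: 192.168.1.254
                      fd0f:ee:b0::1
          DNS Domain: ~.
"""

def pushed_config(log):
    """Return (tunnel interface, nameservers) announced by the VPN helper."""
    ns = re.search(r"Got addresses: \[[^\]]*\], ns \[([^\]]*)\]", log)
    ifc = re.search(r"Interface (\S+) is UP", log)
    servers = [s.strip() for s in ns.group(1).split(",")] if ns else []
    return (ifc.group(1) if ifc else None), servers

def parse_links(status):
    """Map interface -> {field: [values]} for each 'Link N (iface)' block."""
    links, cur, key = {}, None, None
    for raw in status.splitlines():
        line = raw.strip()
        head = re.match(r"Link \d+ \((\S+)\)$", line)
        field = re.match(r"([A-Za-z][A-Za-z ]*):\s+(\S.*)$", line)
        if head:
            cur, key = links.setdefault(head.group(1), {}), None
        elif cur is None or not line:
            key = None
        elif field:                      # "Key: value" starts a new field
            key = field.group(1)
            cur.setdefault(key, []).append(field.group(2))
        elif key:                        # bare value continues the previous field
            cur[key].append(line)
    return links

def dns_gap(log, status):
    """Pushed nameservers missing from the tunnel link, and who answers instead."""
    iface, pushed = pushed_config(log)
    links = parse_links(status)
    applied = links.get(iface, {}).get("DNS Servers", [])
    missing = [s for s in pushed if s not in applied]
    catch_all = [n for n, f in links.items() if "~." in f.get("DNS Domain", [])]
    return {"iface": iface, "missing": missing, "catch_all_links": catch_all}
```

A non-empty `missing` list together with a catch-all `~.` domain on another link means internal names are sent to that link's resolver, which matches the NXDOMAIN answer from 127.0.0.53 in the report.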
