Fail to update DNS settings

Bug #1885089 reported by Benoit MORDAC
This bug affects 3 people
Affects                               Status     Importance  Assigned to  Milestone
network-manager-fortisslvpn (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

When connecting using Network-manager to a FortiSSL VPN, the DNS settings are not updated.

This was working fine on the previous Ubuntu release (same VPN account and gateway). Now I can see in the logs that the VPN is correctly brought up and gets nameserver settings:

Jun 25 09:39:11 LH25450 systemd-udevd[106389]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: Got addresses: [10.244.148.1], ns [10.242.135.1, 10.242.135.2]
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: negotiation complete
...
Jun 25 09:39:14 LH25450 systemd[1]: Starting Network Manager Script Dispatcher Service...
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO: Interface ppp0 is UP.
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO: Tunnel is up and running.

But when looking at the interface state using nmcli, ppp0 is displayed as down:

root@LH25450:~# nmcli device status
DEVICE     TYPE      STATE         CONNECTION
enp0s31f6  ethernet  connected     Connexion filaire 1
docker0    bridge    connected     docker0
ppp0       ppp       disconnected  --
wlp0s20f3  wifi      unavailable   --
lo         loopback  unmanaged     --

And if I try to resolve an internal hostname, it fails:

bmordac@LH25450:~$ dig wpad.internal-domain.demo

; <<>> DiG 9.16.1-Ubuntu <<>> wpad.internal-domain.demo
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28205
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wpad.internal-domain.demo. IN A

;; Query time: 52 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jun 25 09:50:25 CEST 2020
;; MSG SIZE rcvd: 58

If I force dig to use the nameservers received from the FortiGate, it works:

bmordac@LH25450:~$ dig @10.242.135.1 wpad.internal-domain.demo

; <<>> DiG 9.16.1-Ubuntu <<>> @10.242.135.1 wpad.internal-domain.demo
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58565
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 0f56987937b2e9a5 (echoed)
;; QUESTION SECTION:
;wpad.internal-domain.demo. IN A

;; ANSWER SECTION:
wpad.internal-domain.demo. 3600 IN CNAME fro1vresweb.internal-domain.demo.
fro1vresweb.internal-domain.demo. 3600 IN A 10.242.128.2

;; Query time: 28 msec
;; SERVER: 10.242.135.1#53(10.242.135.1)
;; WHEN: Thu Jun 25 09:50:48 CEST 2020
;; MSG SIZE rcvd: 112

Below is the full log from /var/log/syslog:

Jun 25 09:39:07 LH25450 NetworkManager[104625]: <info> [1593070747.2806] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]: Started the VPN service, PID 106373
Jun 25 09:39:07 LH25450 NetworkManager[104625]: <info> [1593070747.2890] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]: Saw the service appear; activating connection
Jun 25 09:39:07 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jun 25 09:39:11 LH25450 NetworkManager[104625]: <info> [1593070751.0710] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]: VPN connection: (ConnectInteractive) reply received
Jun 25 09:39:11 LH25450 NetworkManager[104625]: <info> [1593070751.0734] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]: VPN plugin: state changed: starting (3)
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: Connected to gateway.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: Authenticated.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: Remote gateway has allocated a VPN.
Jun 25 09:39:11 LH25450 pppd[106381]: Plugin /usr/lib/pppd/2.4.7/nm-fortisslvpn-pppd-plugin.so loaded.
Jun 25 09:39:11 LH25450 NetworkManager[106381]: Plugin /usr/lib/pppd/2.4.7/nm-fortisslvpn-pppd-plugin.so loaded.
Jun 25 09:39:11 LH25450 pppd[106381]: pppd 2.4.7 started by root, uid 0
Jun 25 09:39:11 LH25450 pppd[106381]: Using interface ppp0
Jun 25 09:39:11 LH25450 NetworkManager[106381]: Using interface ppp0
Jun 25 09:39:11 LH25450 NetworkManager[106381]: Connect: ppp0 <--> /dev/pts/0
Jun 25 09:39:11 LH25450 pppd[106381]: Connect: ppp0 <--> /dev/pts/0
Jun 25 09:39:11 LH25450 NetworkManager[104625]: <info> [1593070751.4736] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/8)
Jun 25 09:39:11 LH25450 systemd-udevd[106389]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: Got addresses: [10.244.148.1], ns [10.242.135.1, 10.242.135.2]
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: negotiation complete
Jun 25 09:39:12 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jun 25 09:39:13 LH25450 systemd-resolved[679]: message repeated 16 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO: negotiation complete
Jun 25 09:39:14 LH25450 pppd[106381]: local IP address 10.244.148.1
Jun 25 09:39:14 LH25450 kernel: [92296.251077] audit: type=1400 audit(1593070754.134:51133): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/sys/devices/virtual/net/ppp0/type" pid=752 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 25 09:39:14 LH25450 NetworkManager[106381]: local IP address 10.244.148.1
Jun 25 09:39:14 LH25450 NetworkManager[106381]: remote IP address 192.0.2.1
Jun 25 09:39:14 LH25450 pppd[106381]: remote IP address 192.0.2.1
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1401] device (ppp0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1448] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1643] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1653] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: VPN Gateway: XXX.XXX.XXX.XXX
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1653] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: Tunnel Device: "ppp0"
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1654] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: IPv4 configuration:
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1654] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: Internal Address: 10.244.148.1
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1654] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: Internal Prefix: 32
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1655] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: Internal Point-to-Point Address: 192.0.2.1
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1655] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: Static Route: 0.0.0.0/0 Next Hop: 0.0.0.0
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1655] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: Static Route: 192.0.2.1/32 Next Hop: 0.0.0.0
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1655] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: DNS Domain: '(none)'
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1656] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: Data: No IPv6 configuration
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1657] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: VPN plugin: state changed: started (4)
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1682] vpn-connection[0x5561a5c7c7a0,dd53c702-520c-4a16-9bf5-64ccd4d47480,"VPN-FORTISSL",25:(ppp0)]: VPN connection: (IP Config Get) complete
Jun 25 09:39:14 LH25450 dbus-daemon[704]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.651' (uid=0 pid=104625 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Jun 25 09:39:14 LH25450 kernel: [92296.281959] audit: type=1400 audit(1593070754.166:51134): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/sys/devices/virtual/net/ppp0/type" pid=752 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 25 09:39:14 LH25450 systemd[1]: Starting Network Manager Script Dispatcher Service...
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO: Interface ppp0 is UP.
Jun 25 09:39:14 LH25450 NetworkManager[106380]: INFO: Tunnel is up and running.
Jun 25 09:39:14 LH25450 dbus-daemon[704]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 25 09:39:14 LH25450 systemd[1]: Started Network Manager Script Dispatcher Service.
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1871] policy: set 'VPN-FORTISSL' (ppp0) as default for IPv4 routing and DNS
Jun 25 09:39:15 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jun 25 09:39:24 LH25450 systemd-resolved[679]: message repeated 27 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]
Jun 25 09:39:24 LH25450 systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Jun 25 09:39:24 LH25450 systemd-resolved[679]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

bmordac@LH25450:~$ sudo nmcli device show
GENERAL.DEVICE: enp0s31f6
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 38:22:E2:C2:F6:C3
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: Connexion filaire 1
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/2
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 192.168.1.3/24
IP4.GATEWAY: 192.168.1.254
IP4.ROUTE[1]: dst = 0.0.0.0/0, nh = 192.168.1.254, mt = 100
IP4.ROUTE[2]: dst = 217.64.156.33/32, nh = 192.168.1.254, mt = 100
IP4.ROUTE[3]: dst = 192.168.1.254/32, nh = 0.0.0.0, mt = 100
IP4.ROUTE[4]: dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000
IP4.ROUTE[5]: dst = 192.168.1.0/24, nh = 0.0.0.0, mt = 100
IP4.DNS[1]: 192.168.1.254
IP6.ADDRESS[1]: 2a01:e0a:xxxx:xxxx:xxxx:d9d:4cc8:e6c5/64
IP6.ADDRESS[2]: 2a01:e0a:xxxx:xxxx:xxxx:1d38:cea7:258/64
IP6.ADDRESS[3]: fe80::ad4c:5ae4:f843:3657/64
IP6.GATEWAY: fe80::160c:76ff:feb4:a10a
IP6.ROUTE[1]: dst = 2a01:e0a:xxxx:xxxx::/64, nh = ::, mt = 100
IP6.ROUTE[2]: dst = ::/0, nh = fe80::160c:76ff:feb4:a10a, mt = 20100
IP6.ROUTE[3]: dst = fe80::/64, nh = ::, mt = 100
IP6.ROUTE[4]: dst = ff00::/8, nh = ::, mt = 256, table=255
IP6.DNS[1]: fd0f:ee:b0::1

GENERAL.DEVICE: docker0
GENERAL.TYPE: bridge
GENERAL.HWADDR: 02:42:DF:0B:F4:F8
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: docker0
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]: 172.17.0.1/16
IP4.GATEWAY: --
IP4.ROUTE[1]: dst = 172.17.0.0/16, nh = 0.0.0.0, mt = 0
IP6.GATEWAY: --

GENERAL.DEVICE: ppp0
GENERAL.TYPE: ppp
GENERAL.HWADDR: (unknown)
GENERAL.MTU: 1400
GENERAL.STATE: 30 (disconnected)
GENERAL.CONNECTION: --
GENERAL.CON-PATH: --

GENERAL.DEVICE: wlp0s20f3
GENERAL.TYPE: wifi
GENERAL.HWADDR: 84:C5:A6:31:C2:7F
GENERAL.MTU: 1500
GENERAL.STATE: 20 (unavailable)
GENERAL.CONNECTION: --
GENERAL.CON-PATH: --

GENERAL.DEVICE: lo
GENERAL.TYPE: loopback
GENERAL.HWADDR: 00:00:00:00:00:00
GENERAL.MTU: 65536
GENERAL.STATE: 10 (unmanaged)
GENERAL.CONNECTION: --
GENERAL.CON-PATH: --
IP4.ADDRESS[1]: 127.0.0.1/8
IP4.GATEWAY: --
IP6.ADDRESS[1]: ::1/128
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = ::1/128, nh = ::, mt = 256
bmordac@LH25450:~$

bmordac@LH25450:~$ systemd-resolve --status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 25 (ppp0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 4 (docker0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 3 (wlp0s20f3)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (enp0s31f6)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.254
         DNS Servers: 192.168.1.254
                      fd0f:ee:b0::1
          DNS Domain: ~.
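The three outputs above contradict each other in a way that is worth checking mechanically: the plugin logs the nameservers it received (10.242.135.1, 10.242.135.2), NetworkManager logs that it set ppp0 as the default for IPv4 routing and DNS, yet `systemd-resolve --status` shows ppp0 with no DNS scope and enp0s31f6 still holding the only default route for DNS, which is why the stub resolver at 127.0.0.53 forwards the internal name to the LAN router and gets NXDOMAIN. The Python below is an added example, not code from this report, the Ubuntu package or the upstream NetworkManager-fortisslvpn project. It parses the plugin's "Got addresses" line and the resolved status output (both constructed here from the lines above), reports whether the pushed servers were applied to the tunnel link and which other link is actually receiving the queries, and emits per-link `resolvectl` commands as a manual stop-gap. Those commands assume a systemd with `resolvectl` (Ubuntu 20.04 ships one); they are undone when the link goes down and are not a fix for the plugin.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, copied from the report: the plugin's "Got addresses"
# line, NetworkManager's policy line and a trimmed `systemd-resolve --status`
# excerpt showing the broken state.
NM_LOG = """\
Jun 25 09:39:11 LH25450 NetworkManager[106380]: INFO: Got addresses: [10.244.148.1], ns [10.242.135.1, 10.242.135.2]
Jun 25 09:39:14 LH25450 NetworkManager[104625]: <info> [1593070754.1871] policy: set 'VPN-FORTISSL' (ppp0) as default for IPv4 routing and DNS
"""
STATUS_BROKEN = """\
Link 25 (ppp0)
      Current Scopes: none
DefaultRoute setting: no

Link 2 (enp0s31f6)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 192.168.1.254
                      fd0f:ee:b0::1
          DNS Domain: ~.
"""
# Constructed: the same output once the pushed servers sit on ppp0 and the
# LAN link no longer answers unqualified queries (the healthy state).
STATUS_FIXED = """\
Link 25 (ppp0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 10.242.135.1
                      10.242.135.2

Link 2 (enp0s31f6)
DefaultRoute setting: no
         DNS Servers: 192.168.1.254
"""

GOT_NS_RE = re.compile(r"Got addresses: \[[^\]]*\], ns \[([^\]]*)\]")
DEFAULT_RE = re.compile(r"policy: set '[^']+' \((\S+)\) as default for IPv4 routing and DNS")
SECTION_RE = re.compile(r"^(?:Global|Link \d+ \((\S+)\))\s*$")
# A key is letters/spaces followed by a colon; an IPv6 literal such as
# fd0f:ee:b0::1 on a continuation line does not match because of the digits.
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")

def pushed_nameservers(log: str) -> List[str]:
    """Nameservers the fortisslvpn plugin says it received from the gateway."""
    m = GOT_NS_RE.search(log)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []

def default_dns_device(log: str) -> Optional[str]:
    """Device NetworkManager claims it made the default for DNS, if any."""
    m = DEFAULT_RE.search(log)
    return m.group(1) if m else None

def parse_resolved_status(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse `systemd-resolve --status` / `resolvectl status` into
    {section: {key: [values]}}; key-less indented lines continue the
    previous multi-valued key (DNS Servers, DNSSEC NTA)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    section = key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = SECTION_RE.match(raw)
        if m:
            section, key = m.group(1) or "Global", None
            sections[section] = {}
            continue
        if section is None:
            continue
        m = KEY_RE.match(raw)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            sections[section][key] = [value] if value else []
        elif key is not None:
            sections[section][key].append(raw.strip())
    return sections

def check_vpn_dns(log: str, status: str, link: str) -> Dict[str, object]:
    """Compare what the plugin received with what resolved holds for the tunnel
    link, and list the other links that still take unqualified queries
    (DefaultRoute=yes): that is where internal names are sent instead."""
    pushed = pushed_nameservers(log)
    sections = parse_resolved_status(status)
    cfg = sections.get(link, {})
    configured = cfg.get("DNS Servers", [])
    missing = [ns for ns in pushed if ns not in configured]
    has_dns_scope = "DNS" in " ".join(cfg.get("Current Scopes", [])).split()
    applied = bool(pushed) and not missing and has_dns_scope
    leak_targets = {name: sec.get("DNS Servers", []) for name, sec in sections.items()
                    if name not in ("Global", link) and sec.get("DefaultRoute setting") == ["yes"]}
    return {"pushed": pushed, "configured": configured, "missing": missing,
            "has_dns_scope": has_dns_scope, "applied": applied,
            "default_dns_device": default_dns_device(log),
            "leak_targets": leak_targets, "ok": applied and not leak_targets}

def workaround_commands(link: str, pushed: List[str], lan_link: Optional[str] = None) -> List[str]:
    """Per-link resolvectl commands (systemd >= 240) to apply the pushed servers
    by hand; they vanish when the link goes down and are a stop-gap, not a fix."""
    cmds = [f"resolvectl dns {link} {' '.join(pushed)}", f"resolvectl default-route {link} yes"]
    if lan_link:
        cmds.append(f"resolvectl default-route {lan_link} no")
    return cmds
```

On a live system, feed `check_vpn_dns` the output of `journalctl -u NetworkManager` and `resolvectl status` instead of the constructed strings; `ok` is only True when the pushed servers are on the tunnel link with a DNS scope and no other link keeps DefaultRoute=yes, since with both links defaulting, resolved would still send internal names to the LAN resolver.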

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-fortisslvpn (Ubuntu):
status: New → Confirmed
Romain Izard (romain-izard) wrote :

This issue is fixed on the mainline for this project with the following commit:

https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn/-/commit/66d431f18fd4812ed984790c877d965b35b69612

Mark Deneen (mdeneen) wrote :

It looks like the most recent stable release, 1.2.10, still does not have the change referenced by Romain above. It looks like a trivial patch and would make a lot of people happy. Would it be possible to backport this single commit before 21.04 lands?

Daniel Barta (lk7r) wrote :

I would like to nicely ask for the fix mentioned above. Using 21.04. Thank you.
