Operational Defect Database

BugZero found this defect 2224 days ago.

WatchGuard Technologies | kA10H000000g3csSAA

Mobile VPN with SSL client unexpectedly uses Windows LAN interface defined DNS servers over DNS servers defined by the VPN

Last update date:

4/3/2023

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

All

Description:

Issue

Windows users might notice that Windows continues to use the DNS servers defined by the LAN interface while connected to Mobile VPN with SSL. The cause of this behavior is how Windows determines which interface's DNS servers to use when multiple physical and virtual network adapters are connected at the same time. The Mobile VPN with SSL TAP adapter does not have an interface metric assigned, so Windows assigns one automatically through the Automatic Metric feature. For more information, go to https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/automatic-metric-for-ipv4-routes

The TAP adapter installed with the Mobile VPN with SSL client will always be assigned a route metric of 35. When a gigabit or faster LAN link is present, the LAN adapter receives a lower metric and is preferred. Systems with slower LAN network connections are not affected.

If you are unsure whether your client is affected, use this PowerShell command while connected to the VPN to verify the interface adapter metrics:

Get-NetIPInterface | Sort-Object -Property "InterfaceMetric"

Windows uses the DNS servers assigned to the network adapter with the lowest interface metric, which you can see with the command ipconfig /all.

Workaround/Solution

If the Mobile VPN with SSL Force all client traffic through the tunnel option is enabled, the VPN TAP adapter is dynamically assigned an interface route metric of 3 on connection. If the Force all client traffic through the tunnel option is not enabled, manually set the Mobile VPN with SSL TAP adapter route metric to 3 to make sure that the VPN-assigned DNS servers are always used when connected:

1. In Windows Control Panel, open the Network and Sharing Center.
2. Double-click Change adapter settings.
3. Right-click the network adapter labeled TAP-Windows Adapter V9.
4. From the drop-down list, select Properties. The Properties dialog box for the network adapter opens.
5. In the This connection uses the following items section, select Internet Protocol Version 4 (TCP/IPv4).
6. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
7. Click Advanced. The Advanced TCP/IP Settings dialog box opens.
8. Clear the Automatic metric check box.
9. In the Interface metric text box, type 3.
10. Click OK three times to confirm the change to the network adapter properties.
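The metric check and the manual fix above, as an added PowerShell example that is not WatchGuard's own code: it lists every active IPv4 interface with its metric and DNS servers, reports whether a LAN adapter outranks the TAP adapter (and would therefore answer DNS queries), and with -Fix applies the same change as the Control Panel steps through Set-NetIPInterface. It assumes the VPN adapter's description contains "TAP-Windows Adapter V9" as stated above; the -Fix switch and the $TapPattern/$TargetMetric names are this example's own.

```powershell
# Added example (not WatchGuard's code). Assumes the VPN adapter description
# contains "TAP-Windows Adapter V9" as the workaround states.
param([switch]$Fix)

$TapPattern   = 'TAP-Windows Adapter V9'
$TargetMetric = 3   # the interface metric the workaround prescribes for the VPN adapter

# Collect the IPv4 interface metric and DNS servers of every adapter that is up.
$ifaces = foreach ($a in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $ip = Get-NetIPInterface -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $ip) { continue }
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
    [pscustomobject]@{
        Name   = $a.Name
        Index  = $a.ifIndex
        Metric = $ip.InterfaceMetric
        Auto   = $ip.AutomaticMetric
        DNS    = ($dns -join ', ')
        IsTap  = $a.InterfaceDescription -like "*$TapPattern*"
    }
}

# Same view as "Get-NetIPInterface | Sort-Object InterfaceMetric", plus the DNS servers per adapter.
$ifaces | Sort-Object Metric | Format-Table Name, Metric, Auto, DNS, IsTap -AutoSize

$tap = $ifaces | Where-Object IsTap | Select-Object -First 1
if (-not $tap) { Write-Warning "No $TapPattern adapter is up; connect the Mobile VPN with SSL client first."; return }

# Windows resolves through the lowest-metric interface, so any non-TAP adapter whose metric is
# at or below the TAP adapter's (ties treated conservatively) wins and the LAN DNS servers are used.
$winners = $ifaces | Where-Object { -not $_.IsTap -and $_.Metric -le $tap.Metric }
if ($winners) {
    $list = ($winners | ForEach-Object { "$($_.Name) (metric $($_.Metric))" }) -join '; '
    Write-Warning ("TAP adapter metric {0} loses to: {1}" -f $tap.Metric, $list)
    if ($Fix) {
        # Equivalent to clearing "Automatic metric" and typing 3 in the adapter properties; needs an elevated shell.
        Set-NetIPInterface -InterfaceIndex $tap.Index -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric $TargetMetric
        Write-Host "Set $($tap.Name) IPv4 interface metric to $TargetMetric."
    } else {
        Write-Host "Re-run with -Fix from an elevated PowerShell to set the TAP adapter metric to $TargetMetric."
    }
} else {
    Write-Host "OK: TAP adapter metric $($tap.Metric) is the lowest; VPN-assigned DNS servers take precedence."
}
```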


Status

Open
