Comments
-
Has there been any update to this? I have the same issue going from a USG60 to a FLEX 200. One WAN interface with multiple public IP addresses.
-
Right, well, this is very weird. I changed the VTI again to a different IP, and that broke it all. I put it back to 192.168.170.253/255.255.255.25 and now everything is working perfectly!
-
Thanks for this Peter, we seem to be getting somewhere. So my local firewall is on 192.168.170.254/255.255.255.0, I've changed the VTI address in the IPSEC VPN settings to be 192.168.170.253/255.255.255.255. This has got the firewall to start resolving the address when testing using NSLOOKUP. And my device on 192.168.170.1…
-
Did more testing: set up a Windows DNS server, put the forwarders in and pointed a machine on the LAN at it, and DNS resolved perfectly, so it is 100% the firewall zone forwarders that are not working.
-
This is the result I get from the nslookup diagnostic within the firewall, so you can see it isn't forwarding the request to the zone forwarder but rather the global forwarder. If I open up advanced settings and specify the remote DNS server it just times out, like the firewall is ignoring its own static routes. However, if…
-
The VTI was all automatically configured by the 700H and is set to a 169 address
-
The VTI was created automatically when I created the IPSEC VPN
-
Yeah, it's an IPSEC VPN and I need to query a DNS server at the other end of a tunnel. This is how I've set it up
-
This is a brand new installation so there has never been any other firewall installed.