Sohonet
New Member
June 13, 2025
Question

FortiClient - Remote Access IPsec Connection Issue - MacOS

Hi All, 

 

We are experiencing an issue with the FortiClient VPN client on macOS 15.5.

 

We are currently planning our rollout of remote access via IPsec and moving away from SSL VPNs.

The issue we are having is that after a device cold start/reboot, the initial attempt to connect to the remote access VPN via IPsec always fails and gives a "Connection was terminated unexpectedly" error.

Trying it immediately again afterwards, it still fails.

The current workaround is to connect to the same remote VPN endpoint but via SSL VPN, and then trying the IPsec once more; however, this does not always seem to work.

Another workaround seems to be waiting 5-10 minutes, and trying the IPsec connection seems to work.

Once successfully connected via the IPsec VPN, it continues to work until the client device is rebooted/shut down.

 

Looking through the Forticlient debug logs, we are getting an "IPsec error -104"; however, when running an authentication debug on the FortiGate, I can see we are successfully authenticating via LDAP + Duo MFA.

 

When using the same login details to the same LDAP server but via SSL VPN, it works and authenticates successfully 100% of the time. 

 

Because of this, I do not trust that the -104 error is real.

 

When running Wireshark captures, I can also see the FortiClient app begins to initiate the phase 1 process, but when the FortiGate firewall responds, the Forticlient application does not continue on to the quick mode process and gets stuck sending NAT-Keepalive messages to the FortiGate.

 

The issues seem to have started after upgrading the macOS version to 15.5.

We are not experiencing this issue with older versions of macOS (i.e. macOS 12.7.6).

 

The issue is also affecting versions of FortiClient VPN, including 7.4.0, 7.4.1, 7.4.2 and the current version 7.4.3.

 

This issue is limiting our rollout of the IPsec remote access VPN. 

 

If anyone has experienced a similar issue, I would greatly appreciate any assistance.

7 replies

Jean-Philippe_P
Staff & Editor
June 16, 2025

Hello Sohonet, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
Sohonet
Author
New Member
June 16, 2025

Hi Jean-Philippe,

 

That would be great, thank you.

 

This issue is really hampering the rollout of our IPsec remote access VPN, so hopefully we can find a solution ASAP :)

 

Kind regards

 

Ryan Bates

Sohonet

Jean-Philippe_P
Staff & Editor
June 17, 2025

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
June 18, 2025

Hello again Sohonet,

 

I found this solution. Can you tell me if it helps, please?

 

It seems like you're encountering a challenging issue with the FortiClient VPN on macOS 15.5, particularly with the IPsec connection after a reboot. Here are some troubleshooting steps and considerations that might help you address this problem:

 

  1. Check for Updates: Ensure that both FortiClient and macOS are updated to the latest versions. Sometimes, compatibility issues can arise from outdated software.

  2. Reinstall FortiClient: Uninstalling and then reinstalling FortiClient may resolve any corruption or misconfiguration that occurred during the upgrade.

  3. Network Configuration: Verify that there are no changes in network settings or firewall rules that could be affecting the IPsec connection. Ensure that the necessary ports for IPsec (UDP 500 and 4500) are open and not being blocked.

  4. Review Logs: Since you've already looked at the debug logs, continue to monitor them for any additional errors that might provide more context. Pay close attention to logs around the time of the connection attempts.

  5. NAT Keepalive Settings: Since you've noticed the client is stuck sending NAT-Keepalive messages, check the NAT Keepalive settings on both the FortiClient and the FortiGate. Adjusting these settings might help in establishing a more stable connection.

  6. Test with Different Configurations: If possible, test the IPsec connection with different configurations or profiles to see if there's a specific setting causing the issue.

  7. Compatibility Mode: If the issue began after upgrading macOS, consider running FortiClient in compatibility mode if that option is available.

  8. Contact Support: Since this issue seems to be specific to the combination of macOS 15.5 and FortiClient, reaching out to Fortinet support may yield more tailored assistance or insights into known issues.

  9. Community Forums: Check Fortinet community forums or user groups for similar issues. Other users may have encountered and resolved this problem.

If the issue persists, documenting all your findings and steps taken will be helpful when seeking further support from Fortinet or your IT department.

Jean-Philippe - Fortinet Community Team
Sohonet
Author
New Member
June 18, 2025

Hi Jean-Philippe

 

Thank you for getting back to me.

Below are my responses to your recommendations. 
 
Check for Updates: 
- We are running the latest versions of macOS 15.5 and Forticlient 7.4.3.1761
 
Reinstall FortiClient: 
- Have tried multiple times. Even when we tried a different version of FortiClient, the old version was fully uninstalled, and the new one was installed from scratch.
 
Network Configuration: No network changes have been made. Both IPsec ports are open. The client does eventually connect to the IPsec remote VPN so do not believe the issue is related to port access.
 
Review Logs: The same error occurs each time the connection fails. I'm constantly reviewing the debug logs, but each time the forticlient fails to connect to the IPsec VPN, the same logs are reported.
 
Below are some snippets from the logs today: failed attempts at 11:48 & 11:50, successful attempt at 11:53am BST.
 
I've included log snips from each attempt mentioned above so you can also see the difference between the failed connection attempts and the successful one.
 
From the Fortitray.logs:
20250618 11:48:07.165 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1588 Start VPN: Sohonet UK IPsec
20250618 11:48:07.199 TZ=+0100 [FortiTray:INFO] VpnManager.swift:4084 Set DHCP notification keys success
20250618 11:48:07.199 TZ=+0100 [FortiTray:INFO] VpnManager.swift:246 Ignore Secure compliance Check as FCT is not connected to EMS
20250618 11:48:07.200 TZ=+0100 [FortiTray:DEBG] VpnManager.swift:1800 IPsec IKE Version 1
20250618 11:50:12.148 TZ=+0100 [FortiTray:EROR] IPSec.m:54 IPSec terminated with error code: -104
20250618 11:50:12.149 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1103 No retry on manual connect
20250618 11:50:12.150 TZ=+0100 [FortiTray:DEBG] VpnManager.swift:1134 On VPN status change: Connecting -> DisconnectedBecauseOfError("Connection was terminated unexpectedly.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError)
....
20250618 11:50:17.847 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1588 Start VPN: Sohonet UK IPsec
20250618 11:50:17.859 TZ=+0100 [FortiTray:INFO] VpnManager.swift:4084 Set DHCP notification keys success
20250618 11:50:17.859 TZ=+0100 [FortiTray:INFO] VpnManager.swift:246 Ignore Secure compliance Check as FCT is not connected to EMS
20250618 11:50:17.859 TZ=+0100 [FortiTray:DEBG] VpnManager.swift:1800 IPsec IKE Version 1
20250618 11:52:22.701 TZ=+0100 [FortiTray:EROR] IPSec.m:54 IPSec terminated with error code: -104
20250618 11:52:22.701 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1103 No retry on manual connect
20250618 11:52:22.702 TZ=+0100 [FortiTray:DEBG] VpnManager.swift:1134 On VPN status change: Connecting -> DisconnectedBecauseOfError("Connection was terminated unexpectedly.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError)
....
20250618 11:53:06.397 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1588 Start VPN: Sohonet UK IPsec
20250618 11:53:06.408 TZ=+0100 [FortiTray:INFO] VpnManager.swift:4084 Set DHCP notification keys success
20250618 11:53:06.409 TZ=+0100 [FortiTray:INFO] VpnManager.swift:246 Ignore Secure compliance Check as FCT is not connected to EMS
20250618 11:53:06.409 TZ=+0100 [FortiTray:DEBG] VpnManager.swift:1800 IPsec IKE Version 1
20250618 11:53:27.339 TZ=+0100 [FortiTray:INFO] VpnManager.swift:590 Change VPN configuration: OK
20250618 11:53:27.447 TZ=+0100 [FortiTray:DEBG] AppDelegate.swift:224 Received message: reload config
20250618 11:53:27.449 TZ=+0100 [FortiTray:DEBG] ConfigManager.swift:2297 Config file "/Library/Application Support/Fortinet/FortiClient/conf/vpn_bk.plist" not exist
20250618 11:53:28.257 TZ=+0100 [FortiTray:DEBG] VpnManager.swift:1134 On VPN status change: Connecting -> TunnelRunning
20250618 11:53:28.257 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1195 VPN tunnel running
 
 
From the Fctctl.logs:
20250618 11:48:09.716 TZ=+0100 [ipsec:DEBG] racoon_utils:674 Xauth is enabled
20250618 11:48:09.799 TZ=+0100 [vpnc:DEBG] vpn_control:249 received message 0, len=196
20250618 11:48:09.799 TZ=+0100 [ipsec:DEBG] ipsec_control:1640 Receive a ipsec control request from worker
20250618 11:48:09.799 TZ=+0100 [ipsec:DEBG] ipsec_control:1101 Received get psk request from racoon
20250618 11:48:09.800 TZ=+0100 [ipsec:DEBG] ipsec_control:1119 sent psk *** to racoon
20250618 11:48:09.800 TZ=+0100 [vpnc:DEBG] vpn_control:183 controller socket closed
20250618 11:48:09.800 TZ=+0100 [vpnc:DEBG] vpn_control:42 clear_session
20250618 11:48:09.800 TZ=+0100 [vpnc:DEBG] vpn_control:46 session not NULL
20250618 11:50:12.139 TZ=+0100 [ipsec:EROR] ipsec_control:444 ipsec phase 1 timeout
....
20250618 11:50:20.355 TZ=+0100 [ipsec:DEBG] racoon_utils:674 Xauth is enabled
20250618 11:50:20.451 TZ=+0100 [vpnc:DEBG] vpn_control:249 received message 0, len=196
20250618 11:50:20.451 TZ=+0100 [ipsec:DEBG] ipsec_control:1640 Receive a ipsec control request from worker
20250618 11:50:20.451 TZ=+0100 [ipsec:DEBG] ipsec_control:1101 Received get psk request from racoon
20250618 11:50:20.452 TZ=+0100 [ipsec:DEBG] ipsec_control:1119 sent psk *** to racoon
20250618 11:50:20.452 TZ=+0100 [vpnc:DEBG] vpn_control:183 controller socket closed
20250618 11:50:20.452 TZ=+0100 [vpnc:DEBG] vpn_control:42 clear_session
20250618 11:50:20.452 TZ=+0100 [vpnc:DEBG] vpn_control:46 session not NULL
20250618 11:52:22.690 TZ=+0100 [ipsec:EROR] ipsec_control:444 ipsec phase 1 timeout
...
20250618 11:53:08.862 TZ=+0100 [ipsec:DEBG] racoon_utils:674 Xauth is enabled
20250618 11:53:08.950 TZ=+0100 [vpnc:DEBG] vpn_control:249 received message 0, len=196
20250618 11:53:08.950 TZ=+0100 [ipsec:DEBG] ipsec_control:1640 Receive a ipsec control request from worker
20250618 11:53:08.951 TZ=+0100 [ipsec:DEBG] ipsec_control:1101 Received get psk request from racoon
20250618 11:53:08.951 TZ=+0100 [ipsec:DEBG] ipsec_control:1119 sent psk *** to racoon
20250618 11:53:08.951 TZ=+0100 [vpnc:DEBG] vpn_control:183 controller socket closed
20250618 11:53:08.951 TZ=+0100 [vpnc:DEBG] vpn_control:42 clear_session
20250618 11:53:08.951 TZ=+0100 [vpnc:DEBG] vpn_control:46 session not NULL
20250618 11:53:17.145 TZ=+0100 [vpnc:DEBG] vpn_control:249 received message 0, len=21732
20250618 11:53:17.145 TZ=+0100 [ipsec:DEBG] ipsec_control:1640 Receive a ipsec control request from worker
20250618 11:53:17.146 TZ=+0100 [ipsec:INFO] ipsec_control:835 Ipsec Phase 1 of server 193.203.89.153 is up
 
From FCT-Tunnel-ctl.log:
20250618 11:48:08.648 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:48:08.648 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:604 SADB_REGISTER
20250618 11:48:08.649 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:48:08.649 TZ=+0100 [fct_tunnel_ctl:DEBG] message_handler:582 unsupported message type: 18
20250618 11:48:08.649 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:469 send pfkey errno: 1
20250618 11:48:09.798 TZ=+0100 [fct_tunnel_ctl:DEBG] main:508 register isakmp port: [4500] [4500]
20250618 11:50:12.153 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:50:12.153 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:1247 SADB_FLUSH
20250618 11:50:14.299 TZ=+0100 [fct_tunnel_ctl:DEBG] main:54 caught signal: 30
20250618 11:50:14.299 TZ=+0100 [fct_tunnel_ctl:DEBG] main:206 Failed to receive pfkey message: Bad file descriptor
...
20250618 11:50:19.248 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:50:19.248 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:604 SADB_REGISTER
20250618 11:50:19.248 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:50:19.248 TZ=+0100 [fct_tunnel_ctl:DEBG] message_handler:582 unsupported message type: 18
20250618 11:50:19.249 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:469 send pfkey errno: 1
20250618 11:50:20.450 TZ=+0100 [fct_tunnel_ctl:DEBG] main:508 register isakmp port: [4500] [4500]
20250618 11:52:22.706 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:52:22.706 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:1247 SADB_FLUSH
20250618 11:52:24.857 TZ=+0100 [fct_tunnel_ctl:DEBG] main:54 caught signal: 30
20250618 11:52:24.857 TZ=+0100 [fct_tunnel_ctl:DEBG] main:206 Failed to receive pfkey message: Bad file descriptor
...
20250618 11:53:07.672 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:53:07.672 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:604 SADB_REGISTER
20250618 11:53:07.672 TZ=+0100 [fct_tunnel_ctl:DEBG] main:192 pfkey message, len: 16
20250618 11:53:07.673 TZ=+0100 [fct_tunnel_ctl:DEBG] message_handler:582 unsupported message type: 18
20250618 11:53:07.673 TZ=+0100 [fct_tunnel_ctl:INFO] message_handler:469 send pfkey errno: 1
20250618 11:53:08.949 TZ=+0100 [fct_tunnel_ctl:DEBG] main:508 register isakmp port: [4500] [4500]
20250618 11:53:17.165 TZ=+0100 [fct_tunnel_ctl:DEBG] fct_message_handler:130 Connect to kernel ctl com.apple.net.utun_control
20250618 11:53:17.165 TZ=+0100 [fct_tunnel_ctl:INFO] fct_message_handler:177 Create virtual network adapter utun4
 
NAT Keepalive Settings:
Can you point me in the direction of the NAT keepalive settings? I can only find the NAT traversal and autokey keepalive options on the IPsec tunnel via the web GUI.
 
 
Test with Different Configurations: Can you recommend any config settings to change?
 
 
Compatibility Mode: I am not aware of a "Compatibility Mode" built into macOS like there is in Windows. Can you advise where this option might be on macOS?
 
 
Contact Support: I've tried contacting the Fortinet paid support and provided them with all the logs and screenshots/pcaps, and they informed me that FortiClient is not supported by them and is only supported by the community. This was their response:
"Regardless of all above, FCT without EMS/FCT Standalone VPN is out of TAC Support scope. They is supported through community; > https://community.fortinet.com/"
 
Community Forums: I have done so, but could not find any posts matching my specific issue.
 
In terms of reporting this to our IT Department, I am a member of our Network Engineering team, so we are the "IT Department".
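
As an added example (not part of the original posts and not FortiClient code): a short Python script that merges lines in the log layout quoted above, splits the timeline at each "Start VPN:" line, and reports the phase 1 result, error code and elapsed time per attempt. The sample lines are abridged from the logs in the post, with the server address replaced by a documentation address; the function names are assumptions.

```python
import re
from datetime import datetime

# Layout used by the logs quoted above:
# "YYYYMMDD HH:MM:SS.mmm TZ=+hhmm [component:LEVEL] source:line message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{8} \d{2}:\d{2}:\d{2}\.\d{3}) TZ=(?P<tz>[+-]\d{4}) "
    r"\[(?P<comp>[^:\]]+):(?P<level>[A-Z]+)\] (?P<src>\S+) (?P<msg>.*)$"
)

# Abridged from the post: FortiTray lines first, then Fctctl lines.
# The server address is replaced with a documentation address (192.0.2.10).
SAMPLE = """\
20250618 11:48:07.165 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1588 Start VPN: Sohonet UK IPsec
20250618 11:50:12.148 TZ=+0100 [FortiTray:EROR] IPSec.m:54 IPSec terminated with error code: -104
....
20250618 11:53:06.397 TZ=+0100 [FortiTray:INFO] VpnManager.swift:1588 Start VPN: Sohonet UK IPsec
20250618 11:53:28.257 TZ=+0100 [FortiTray:DEBG] VpnManager.swift:1134 On VPN status change: Connecting -> TunnelRunning
20250618 11:48:09.800 TZ=+0100 [ipsec:DEBG] ipsec_control:1119 sent psk *** to racoon
20250618 11:50:12.139 TZ=+0100 [ipsec:EROR] ipsec_control:444 ipsec phase 1 timeout
20250618 11:53:08.951 TZ=+0100 [ipsec:DEBG] ipsec_control:1119 sent psk *** to racoon
20250618 11:53:17.146 TZ=+0100 [ipsec:INFO] ipsec_control:835 Ipsec Phase 1 of server 192.0.2.10 is up
"""


def parse(text):
    """Return (timestamp, component, level, message) tuples sorted by time."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # "...." separators and anything not in the log layout
        ts = datetime.strptime(m["ts"] + m["tz"], "%Y%m%d %H:%M:%S.%f%z")
        events.append((ts, m["comp"], m["level"], m["msg"]))
    return sorted(events, key=lambda e: e[0])


def attempts(events):
    """Split the merged timeline at each "Start VPN:" line and classify it."""
    out, cur = [], None
    for ts, _comp, _level, msg in events:
        if msg.startswith("Start VPN:"):
            cur = {"profile": msg.split(":", 1)[1].strip(), "start": ts,
                   "phase1": None, "outcome": "incomplete",
                   "error": None, "seconds": None}
            out.append(cur)
            continue
        if cur is None or cur["outcome"] != "incomplete":
            continue  # before the first attempt, or attempt already closed
        elapsed = round((ts - cur["start"]).total_seconds(), 3)
        err = re.search(r"terminated with error code: (-?\d+)", msg)
        if "phase 1 timeout" in msg:
            cur["phase1"] = "timeout"
        elif re.search(r"Phase 1 of server \S+ is up", msg):
            cur["phase1"] = "up"
        elif err:
            cur.update(outcome="failed", error=int(err.group(1)), seconds=elapsed)
        elif "-> TunnelRunning" in msg:
            cur.update(outcome="connected", seconds=elapsed)
    return out


if __name__ == "__main__":
    for a in attempts(parse(SAMPLE)):
        print(a["start"].time(), a["profile"], a["phase1"],
              a["outcome"], a["error"], a["seconds"])
```

On the sample, the first attempt ends with error -104 at 124.983 s, immediately after the "ipsec phase 1 timeout" line, while the second reaches TunnelRunning in 21.86 s.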
Jean-Philippe_P
Staff & Editor
June 18, 2025

Thanks for all this info. As I am not a TAC engineer, I cannot go further with you, but I asked for help and someone might come back to help you :)

Jean-Philippe - Fortinet Community Team
Sohonet
Author
New Member
June 23, 2025

Hi Sacrio23,

 

From all my additional testing/reading syslogs and researching error messages, I'm pretty confident this is now a Forticlient/MacOS compatibility issue or some bug in the latest version of Forticlient.

 

Given Kumar_B's post saying my issue appears to be a similar issue to one that has been reported to Fortinet's engineers, I hope we get an updated version of FortiClient ASAP that will fix this issue.

 

As mentioned in my previous posts, I have opened a case with Fortinet support, but as we are not using EMS-managed Forticlient, they are unwilling to provide me with any further support. I just hope my case does get passed on to the Fortinet Engineering team so they can use it to assist in resolving the issue.

kolelvo2
New Member
June 30, 2025

Sure. If I click on the tunnel, there is a template type "Dialup - iOS Native". To get the P2 settings, I clicked on the "Convert to custom tunnel" button. So it should be default settings.

sharmar
Staff & Editor
July 3, 2025

Hello Sohonet, 

 

Could you please share the following logs on the firewall side:

 

diagnose vpn ike log filter clear

diagnose debug console timestamp enable

diagnose debug application fnbamd -1

diagnose vpn ike log-filter dst-addr4 x.x.x.x <---------------Clients Public IP

di de app eap_proxy

diagnose debug app ike -1

diagnose debug application samld -1

diagnose debug enable

 

Thanks, 

New Member
April 23, 2026

We’re noticing the same issue with IPSEC.

SAML via Entra worked fine with SSL VPN using Forticlient when our Forti was on 7.4.x

However, after testing IPSEC (using SAML via Entra) since updating to 7.6.6, some of our Macs aren’t connecting and are getting the error message “Connection was terminated unexpectedly” with the same “IPsec error -104” in the logs.

Was there a resolution to this?

Marslauncher
New Member
April 29, 2026

I’ve been getting the same thing happen for the past week on my macbook -

[ipsec:EROR] ipsec_control:1087 Received racoon error report: -305

and

[ipsec:EROR] ipsec_control:1087 Received racoon error report: -307

Initially I could not even reach the SSO login page and I had to manually disable the webfilter plugin in order to even reach that, updated to 7.4.7 forticlient and can reach SSO with that enabled now, connection establishes but then disconnects with the above error after ~10 seconds.

 

 

[servctl_api:EROR] fctservctl2_api:44 detected error with servctl connection. Attempting to reconnect...
[servctl:EROR] FCTClientDelegate:353 Failed to register with the provider: Couldn’t communicate with a helper application.
[vpnc:INFO] fctctld:514 fctipsecd start
[ipsec:INFO] ipsec_control:590 Start connecting to server name: REDACTED ip: REDACTED , address family: 2
[ipsec:INFO] ipsec_control:844 Ipsec Phase 1 of server REDACTED is up
[ipsec:INFO] ipsec_control:845 Local 172.16.0.2 : 4500
[ipsec:INFO] ipsec_control:846 Remote REDACTED : 0
[ipsec:INFO] ipsec_control:847 Default Gateway: 
[ipsec:INFO] ipsec_control:848 Default Interface: 
[ipsec:INFO] ipsec_control:849 Internal Addr4: 172.16.250.20
[ipsec:INFO] ipsec_control:850 Internal DNS4: 172.31.74.98 172.31.14.51 1.1.1.1
[ipsec:INFO] ipsec_control:851 Internal Addr6: 
[ipsec:INFO] ipsec_control:852 Internal DNS6: 
[ipsec:INFO] ipsec_control:853 Split Include CDir: 
[ipsec:INFO] ipsec_control:854 Split Local CDir: 
[ipsec:INFO] ipsec_control:855 Split Include IPv4: 0.0.0.0/0.0.0.0
[ipsec:INFO] ipsec_control:856 Split Exclude IPv4: 
[ipsec:INFO] ipsec_control:857 Split Include IPv6: 
[ipsec:INFO] ipsec_control:858 Allow Save Password: 1
[ipsec:INFO] ipsec_control:859 Allow Auto Connect: 0
[ipsec:INFO] ipsec_control:860 Allow Always Up: 0
[ipsec:INFO] ipsec_control:861 Search Domain: 
[ipsec:INFO] ipsec_control:862 Split DNS Domain List: 
[ipsec:INFO] ipsec_control:863 Enable Client Resumption: 0
[ipsec:INFO] ipsec_modcfg:1121 Creating IPv4 virtual network adapter
[ipsec:INFO] ipsec_modcfg:1127 IPv4 virtual network adapter successfully created
[ipsec:INFO] ipsec_modcfg:715 Appending IPv4 DNS server: 172.31.74.98
[ipsec:INFO] ipsec_modcfg:715 Appending IPv4 DNS server: 172.31.14.51
[ipsec:INFO] ipsec_modcfg:715 Appending IPv4 DNS server: 1.1.1.1
[ipsec:INFO] ipsec_modcfg:774 Inherit search domains
[ipsec:INFO] ipsec_modcfg:787 Setup DNS and search domain
[ipsec:INFO] ipsec_modcfg:1212 Setup IPv4 tunnel
[ipsec:INFO] ipsec_modcfg:1218 Setup IPv4 tunnel successful
[ipsec:INFO] ipsec_control:1237 Ipsec phase2 to REDACTED is established
[ipsec:INFO] ipsec_control:1986 Setup DNS and search domain again
[ipsec:EROR] ipsec_control:1087 Received racoon error report: -307
[ipsec:INFO] ipsec_control:366 Close ipsec connection to server REDACTED - status: 4
[ipsec:INFO] ipsec_control:1986 Setup DNS and search domain again
[ipsec:INFO] IPSecSplitDNSManager:95 Privileged helper is not nil, call its function uninstallSplitDns
[ipsec:INFO] IPSecSplitDNSManager:52 Privileged helper connection invalidation handler is called
[ipsec:EROR] ipsec_control:1087 Received racoon error report: -305
[ipsec:INFO] ipsec_control:366 Close ipsec connection to server REDACTED - status: 3
[ipsec:INFO] ipsec_control:680 User disconnected the IPSEC connection to server: REDACTED
[ipsec:INFO] ipsec_control:366 Close ipsec connection to server REDACTED - status: 3
[ipsec:INFO] ipsec_control:366 Close ipsec connection to server REDACTED - status: 3
[servctl_api:EROR] fctservctl2_api:44 detected error with servctl connection. Attempting to reconnect...
[servctl:EROR] FCTClientDelegate:353 Failed to register with the provider: Couldn’t communicate with a helper application.