We are getting "Network error. Can not connect to vpn server" error while connecting to SSL VPN on Big Sur OS. We are using FortiGate AZUREONDEMAND firewall with v6.4.2 build1723 (GA).
We are facing the exact same issue on our Mac OS clients with different OS versions (Big Sur, Monterey).
If we enter the FQDN of the Remote-Gateway we get the "network error" message; as soon as we enter the IPv4 address of the Remote-Gateway we can connect without any problem.
-> Entering the fixed IPv4 address is no solution, so how can this be fixed?
Just to be clear, there are no general DNS-issues on our side. The clients can resolve the FQDN by nslookup without any issues.
In the FortiClient Logs there is the following entry:
It is not a Fortinet issue. Per the latest security specs from Apple, you need to use a valid CA certificate to connect to the VPNSSL portal using an FQDN in the client configuration.
Any luck on this issue? I'm trying to troubleshoot this currently. From what I can tell, the certificate is SHA1 signed and MacOS is requiring SHA2 signature key.
I looked into fortitray.log and was able to see that the problem was an invalid SSL certificate.
In the above image, FortiClient tries to visit a URL with an invalid certificate, which generates the error.
Try to go to this site:
https://<DESTINATION VPN SITE>:443/remote/info in the Safari browser. It will show you a warning because the SSL certificate is not valid; visit the site and it will prompt you to accept the certificate with your password.
Getting this too on MacOS 12.6 (Monterey), FortiClient VPN 7.0.7. The FortiGate is a 60-E running firmware 7.0.6. No problems connecting to the same server using VPN Client 6.0.1 on Windows 10.
The main thing that's throwing me off is the "Do not warn invalid certificate" option basically doesn't work for newer Macs. So, the certificate must be valid. I got a Let's Encrypt cert, installed that, used a hostname that matched the cert, and now it can connect fine.
One thing to watch out for with the cert is it needs to include the chain. For Let's Encrypt/Certbot, this is the 'fullchain.pem' file.
I experienced the same issue on MacOS 13.1, FortiClient VPN 7.0.7, connecting to a FortiGate with an invalid certificate. I was able to solve the issue without having to use a valid certificate.
To troubleshoot this yourself if you have this error, try to eliminate the client as the issue by accessing the web portal through a web browser via xxx.xxx.xxx.xxx:yyy/ where x is your IP and y is your port. Updating FortiClient to the newest version resolved the issue.
Yes, there seems to be different behavior after upgrading FortiGate VPN client from 7.0.7 to 7.0.8. I get a one-time warning about the certificate, and after that, can connect fine without warning. Oddly, the "Do not Warn Invalid Server Certificate" checkbox always seems to remain unchecked.
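
The certificate problems named in the posts above (a SHA1 signature, a hostname that does not match the certificate, a bundle without the chain) can be checked together. This is an added example, not code from the thread or from Fortinet: a Python triage over the text printed by `openssl x509 -noout -text` for the gateway certificate. All function names, finding labels, hostnames and sample inputs are constructed for illustration.

```python
import re

# Constructed samples: trimmed `openssl x509 -noout -text` output and placeholder PEM bundles.
BAD_TEXT = """\
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = gateway-selfsigned
        Subject: CN = gateway-selfsigned
            X509v3 Subject Alternative Name:
                DNS:fw.example.internal
"""
GOOD_TEXT = """\
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Issuing CA
        Subject: CN = vpn.example.com
            X509v3 Subject Alternative Name:
                DNS:vpn.example.com, DNS:*.example.com
"""
ONE_CERT = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
FULLCHAIN = ONE_CERT * 2  # leaf followed by one intermediate

def name_matches(pattern, host):
    """Match a SAN DNS entry; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def triage(x509_text, fqdn, pem_bundle):
    """Return findings for the leaf certificate text and the PEM bundle installed on the server."""
    findings = []
    alg = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    if alg and "sha1" in alg.group(1).lower():
        findings.append("sha1-signature")
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", x509_text, re.M)
    subject = re.search(r"^\s*Subject:\s*(.+)$", x509_text, re.M)
    if issuer and subject and issuer.group(1).strip() == subject.group(1).strip():
        findings.append("self-signed")
    # The name typed into the client must appear among the SAN DNS entries.
    sans = re.findall(r"DNS:([^,\s]+)", x509_text)
    if not any(name_matches(s, fqdn) for s in sans):
        findings.append("hostname-mismatch")
    # A CA-issued leaf installed alone (cert.pem instead of fullchain.pem) lacks the chain.
    if "self-signed" not in findings and pem_bundle.count("-----BEGIN CERTIFICATE-----") < 2:
        findings.append("no-intermediate-in-bundle")
    return findings

if __name__ == "__main__":
    print(triage(BAD_TEXT, "vpn.example.com", ONE_CERT))
    print(triage(GOOD_TEXT, "vpn.example.com", ONE_CERT))
    print(triage(GOOD_TEXT, "vpn.example.com", FULLCHAIN))
```
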