jdvuyk
New Member
August 17, 2021
Solved

SSL VPN: Windows Works, MacOS does not!


Hi All.

I have a 100F device (6.2.8) set up for SSL VPN for remote connections using the VPN-only FortiClient.  Windows works perfectly.  MacOS does not!  The VPN shows "Connecting" and then simply goes back to no message.  There are no errors.  The VPN does not connect.

 

Mac = Big Sur 11.4

Forticlient = 7.0.1.0060

 

Facts:

- the VPN actually connects and authenticates.  Logs show this.  Also, putting in fake login details generates a client error for the wrong user/pass.  The correct user/pass generates no messages.  It connects but then for reasons unknown gets disconnected.

 

Fortigate Logs:

[263:root:42]got SNI server name: vpn.ourdomain.systems realm (null)
[263:root:42]client cert requirement: no
[263:root:42]SSL state:SSLv3/TLS read client hello (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write server hello (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 write encrypted extensions (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write certificate (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 write server certificate verify (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write finished (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 early data (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 early data:system lib(49.178.7.112)
[263:root:42]SSL state:TLSv1.3 early data (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS read finished (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write session ticket (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write session ticket (49.178.7.112)
[263:root:42]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[263:root:42]req: /remote/fortisslvpn_xml
[263:root:42]deconstruct_session_id:426 decode session id ok, user=[user],group=[SSLVPN-Guest],authserver=[],portal=[External],host=[49.178.7.112],realm=[],idx=1,auth=1,sid=67598625,login=1629167478,access=1629167478,saml_logout_url=no
[263:root:42]deconstruct_session_id:426 decode session id ok, user=[user],group=[SSLVPN-Guest],authserver=[],portal=[External],host=[49.178.7.112],realm=[],idx=1,auth=1,sid=67598625,login=1629167478,access=1629167478,saml_logout_url=no
[263:root:42]sslvpn_reserve_dynip:1156 tunnel vd[root] ip[10.213.1.1] app session idx[1]
[263:root:42]sslConnGotoNextState:307 error (last state: 1, closeOp: 0)
[263:root:42]Destroy sconn 0x7f9fc8e300, connSize=0. (root)

 

FortiClient Logs:

20210817 11:37:51 [FortiTray:INFO] VpnManager.swift:787 Start VPN: Our Company
20210817 11:37:51 [FortiTray:INFO] VpnManager.swift:611 VPN connecting
20210817 11:37:51 [FortiTray:DEBG] vpnconnection.mm:540 Server URL: https://vpn.ourcompany.systems:10443
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:215 ApiEncMethod: 0
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:217 ApiRemoteAuthTimeout: 10
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:219 ApiServerSalt: 23a08a55
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:220 flag: 95
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:314 Send authentication request
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:506 Authentication passed
20210817 11:37:52 [FortiTray:DEBG] vpnconnection.mm:400 Stop process.
20210817 11:37:52 [FortiTray:INFO] VpnManager.swift:1475 Notification: Cancel input
20210817 11:37:52 [FortiTray:INFO] sslvpn_bridge.mm:71 Login successful
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:575 Login successful
20210817 11:37:53 [FortiTray:INFO] VpnManager.swift:1183 Inherit proxy settings
20210817 11:37:55 [FortiTray:DEBG] AppDelegate.swift:151 Reload config
20210817 11:37:55 [FortiTray:EROR] ConfigManager.swift:1522 Config file "/Library/Application Support/Fortinet/FortiClient/conf/epctrl.plist" not exist
20210817 11:37:55 [FortiTray:INFO] VpnManager.swift:611 VPN connecting
20210817 11:37:55 [FortiTray:EROR] VpnManager.swift:388 Failed to get tunnel provider's return code
20210817 11:37:55 [FortiTray:INFO] VpnManager.swift:604 VPN disconnected

 

I'm a bit stumped.  The VPN successfully connects but then gets disconnected for an error I cannot decipher.

TIA.
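
An added example, not part of the original post and not Fortinet code: a small parser for the FortiClient log layout quoted above that reports whether the first error falls before or after authentication, accepting entries one per line or run together. The field layout is inferred from the quoted entries, `parse`, `triage` and the result keys are hypothetical names, and the sample is a constructed subset of the posted log.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the FortiClient entries quoted in the post.
SAMPLE_LOG = """\
20210817 11:37:51 [FortiTray:INFO] VpnManager.swift:611 VPN connecting
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:314 Send authentication request
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:506 Authentication passed
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:575 Login successful
20210817 11:37:55 [FortiTray:EROR] ConfigManager.swift:1522 Config file "/Library/Application Support/Fortinet/FortiClient/conf/epctrl.plist" not exist
20210817 11:37:55 [FortiTray:EROR] VpnManager.swift:388 Failed to get tunnel provider's return code
20210817 11:37:55 [FortiTray:INFO] VpnManager.swift:604 VPN disconnected
"""

# Assumed layout: "YYYYMMDD HH:MM:SS [process:LEVEL] file:line message"
STAMP = r"\d{8} \d{2}:\d{2}:\d{2}"
ENTRY_RE = re.compile(
    rf"^(?P<ts>{STAMP}) \[(?P<proc>\w+):(?P<level>\w+)\] "
    r"(?P<src>[\w.]+:\d+) (?P<msg>.*)$", re.S)

def parse(text):
    """Return parsed entries, splitting wherever a new timestamp begins."""
    entries = []
    for chunk in re.split(rf"(?={STAMP} \[)", text):
        m = ENTRY_RE.match(chunk.strip())
        if m:  # anything that does not fit the layout is skipped
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y%m%d %H:%M:%S")
            entries.append(e)
    return entries

def triage(text):
    """Place the EROR entries relative to the 'Authentication passed' entry."""
    entries = parse(text)
    auth = next((i for i, e in enumerate(entries)
                 if e["msg"] == "Authentication passed"), None)
    errors = [(i, e) for i, e in enumerate(entries) if e["level"] == "EROR"]
    if auth is None:
        return {"authenticated": False, "stage": "pre-auth" if errors else None,
                "errors": [e["src"] for _, e in errors], "delay_s": None}
    late = [e for i, e in errors if i > auth]
    delay = (late[0]["ts"] - entries[auth]["ts"]).total_seconds() if late else None
    return {"authenticated": True, "stage": "post-auth" if late else None,
            "errors": [e["src"] for e in late], "delay_s": delay}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `post-auth` result means the credentials and the TLS session were accepted and the failure lies in what the client does afterwards, which is where the `errors` list points.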

 

 

 

    Best answer by saqib_hussain

    7 replies

    jdvuyk (Author)
    New Member
    August 19, 2021

    So I guess when they mean "no support" they really mean it.

     

    I gave up.  From my research, my conclusion is that the MacOS implementation is broken.  I ended up configuring the Cisco IPsec method and that works fine.  It's just a bit rubbish that I need to maintain 2 implementations now because of poor QA.

    saqib_hussain
    New Member
    August 19, 2021

    I had the same issue and this is how I fixed it.

    Check in Security & Privacy: FortiTray needs permission when you install it for the first time. If you can't see the application, uninstall FortiClient using the FortiClient uninstaller and reinstall it. Check again in Security & Privacy > General.  Allow the FortiTray app.

     

    I hope this is helpful.

    jdvuyk (Author)
    New Member
    August 19, 2021

    Someone give this man a beer!!  (assuming you are a man!)  This was totally the solution.    So so simple.    But at the same time, not easy to troubleshoot for the non-mac native.  Thanks very much.

    James1
    New Member
    August 23, 2021

    Use IP address instead of hostname. 

    jgizel
    Visitor III
    April 20, 2022

    This solved my issue.  Terrible QA Fortinet.

    petterrafael
    New Member
    November 25, 2021

    The process of installing and reinstalling FortiClient is flawed and from the first installation on, the others always end up resulting in the error reported in this post.
    The solution is quite simple, as it is about lack of permission, just go to System Preferences > Security & Privacy > Privacy and select Full Disk Access and give full permission to FortiClient.
    Voila, everything working.

    Raj13
    New Member
    July 24, 2023

    did it, but still nothing works

    PDGmail
    New Member
    June 1, 2023

    Dear all,

    Since yesterday, I have been experiencing the exact same issue. I am currently using MacOS Ventura 13.4 and FortiClient VPN 7.0.1.0060. There have been no changes made by the IT department, and I can successfully connect to the VPN using FortiClient on my iPhone, iPad, Windows PC, and even a Mac running High Sierra (10.13.6). The behavior is consistent across these devices, where FortiTray correctly connects to the VPN. On both the Ventura Macs I own, however, FortiTray attempts to establish a connection but suddenly disconnects. I have checked the logs, but they do not provide any useful information. The only odd thing I have noticed is that both the FortiClient and FortiClient Uninstaller applications in the Applications folder have a grey lock icon in the bottom left corner. On MacOS Ventura, the System Settings app has undergone significant changes in appearance compared to previous versions. However, in the Privacy & Security panel, I have granted all permissions to the app, and in any case I have not made any changes to them in the past two days.

    Do you have any other advice or suggestions on what I could try?

    Thank you in advance.

    PD

     

    gujuloos
    New Member
    July 6, 2023

    Hi,

    Did you manage to find a solution? I'm in the same boat as you with MacOS Ventura 13.4.1. I've tried multiple versions of FortiClient VPN from 7.0.1 all the way to 7.2.0 and nothing works due to the FortiTray never giving the option to give permission.

    Joro5928
    Visitor III
    July 31, 2023

    I've observed that MacOS can't connect on a port different from the standard 443.

    bustedware
    New Member
    April 11, 2024

    On an Apple M1 Max and getting this with FortiClient 7.2.4.0850

     

    SSLVPNTunnel.swift:196 Server does not support all known tunnel methods

     

    Firewall has `set algorithm low` set. I'm assuming the new Macs are refusing some old ciphers or it doesn't like the self-signed certificate or something. I have tried everything in this thread to no avail.