Hello,
I installed FortiClient on MacOS 26.1 and after following the instructions from our IT, I am apparently connected to the VPN. Everything seems fine in the FortiClient window, showing it is "connected", but I have two problems: first, in the Mac system settings, VPN & Filters, it shows VPN is "disconnected"; second, I lose the internet after connecting to the VPN. In the same system settings, under Filters & Proxies, I cannot add FortiClient to the list, while I can still see Cisco Secure. I checked some posts regarding internet disconnection, but all are confusing to me and have not been helpful. I would be thankful if anyone would help to solve this issue.
Thank you.
according to the "netstat -rn" table, your VPN pushes/installs a route for 10.11.42.0/24 network via utun interface and the IP assigned to you is 10.254.0.219, which means it's split tunnel.
as for DNS settings/servers, these usually are assigned via DHCP from your home/local network when you connect to it, no need to change/set anything manually and based on the scutil --dns you can reach 8.8.8.8 therefore you should have internet access.
Created on ‎11-26-2025 09:35 AM Edited on ‎11-26-2025 09:35 AM
this means that whatever DNS server(s) is/are being pushed/changed via VPN ( look at resolv.conf before and after to check what changes ) is likely unreachable and setting/changing it manually will solve the issue.
Yes. Back to resolv.conf:
 At the very end, it shows something reachable. Do you have any idea what this is?
i assume that it says that 8.8.8.8 is reachable.
try disabling private relay and/or limit ip tracking and also perform different tests with nslookup
nslookup google.com
nslookup google.com 8.8.8.8
nslookup google.com 1.1.1.1
nslookup google.com 8.8.4.4
Thank you again for your time.
I disabled "Limit IP address tracking", but my computer is not upgraded for having active "Private Relay". I tested these after VPN connection:
 Any clue?
Created on ‎11-26-2025 10:31 AM Edited on ‎11-26-2025 10:32 AM
scutil --dns isn't a real test from my perspective.
rely more on tools like ping/nslookup/traceroute etc
please make use of those and test towards public DNS servers from above and show what you get while connected to VPN
Created on ‎11-26-2025 10:35 AM Edited on ‎11-26-2025 10:36 AM
Terribly sorry, I attached a wrong screenshot in the previous message:
 
ok, so this means that internet access is granted and can resolve public dns entries with public dns servers.
doing a nslookup google.com, w/o specifying the server to use has the same result? if not then just add any of those dns servers to resolv.conf and you should be able to surf the internet ( assuming that they are not present after connecting )
Before VPN connection:
 and after VPN connection:
(The previous tests with the specific servers that I attached were all after VPN connection.) But there seems to be a problem here after VPN connection w/o the server.
Created on ‎11-26-2025 10:57 AM Edited on ‎11-26-2025 10:59 AM
ok, this means that connecting to the IPsec is pushing a specific DNS server to the station ( most likely it's configured on the FGT as DNS server and there it works and IT enabled Use system DNS in mode config in IPsec ) - https://community.fortinet.com/t5/Support-Forum/Can-t-enable-DNS-on-VPN-Tunnel/m-p/52350 which breaks your connection.
remove it from resolv.conf and add any other DNS and it should be ok.
cannot resolve from Internet/my home queries using it
nslookup google.com 146.155.1.155
Server: 146.155.1.155
Address: 146.155.1.155#53
** server can't find google.com: REFUSED
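The before/after resolv.conf comparison and the nslookup check suggested in this thread, as an added shell example that is not part of any post. The function names are hypothetical, and 192.168.1.1 and the successful reply are constructed samples; 146.155.1.155 and its REFUSED reply are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the nameserver addresses from resolv.conf-style text on stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print resolvers that appear only after connecting, i.e. pushed by the VPN.
# $1 = resolv.conf text before connecting, $2 = text after connecting.
pushed_resolvers() {
    before_list=$(printf '%s\n' "$1" | nameservers)
    printf '%s\n' "$2" | nameservers | while read -r ns; do
        printf '%s\n' "$before_list" | grep -qxF -- "$ns" || printf '%s\n' "$ns"
    done
}

# Classify nslookup output read from stdin.
classify_nslookup() {
    out=$(cat)
    case $out in
        *REFUSED*) echo refused ;;
        *"timed out"*|*"no servers could be reached"*) echo unreachable ;;
        *NXDOMAIN*|*SERVFAIL*) echo failed ;;
        *Name:*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Constructed snapshots: 192.168.1.1 stands in for a home router.
BEFORE_CONF='nameserver 192.168.1.1'
AFTER_CONF='nameserver 146.155.1.155
nameserver 192.168.1.1'

# Reply quoted in the thread, then a constructed successful reply.
REFUSED_OUT="Server: 146.155.1.155
Address: 146.155.1.155#53
** server can't find google.com: REFUSED"
OK_OUT='Server: 8.8.8.8
Address: 8.8.8.8#53
Name: google.com
Address: 192.0.2.10'

echo "pushed by VPN: $(pushed_resolvers "$BEFORE_CONF" "$AFTER_CONF")"
echo "pushed resolver answers: $(printf '%s\n' "$REFUSED_OUT" | classify_nslookup)"
echo "public resolver answers: $(printf '%s\n' "$OK_OUT" | classify_nslookup)"
# Live use: nslookup google.com "$ns" 2>&1 | classify_nslookup
```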
Created on ‎11-27-2025 03:27 PM Edited on ‎11-27-2025 03:51 PM
Hello funkylicious, I do not know how to thank you properly for all your help. I sent your message to the IT and then they made a change to the VPN system at DNS level, and my problem was solved.