phaldikar_FTNT
Article Id 197906
Description
This article describes the issue where FortiClient is unable to connect on macOS because the FortiTray application is blocked on the Mac.

Solution
Users can face an issue when connecting FortiClient SSL-VPN on macOS.

After Connect is selected, the client shows a loading indicator and then returns to the login page without any error.

This can happen with the following macOS versions:
- macOS Catalina (up to and including version 10.15.3).
- macOS Mojave (version 10.14).
- macOS High Sierra (version 10.13).
- macOS Sierra (version 10.12).

The same issue has also been seen with the following FortiClient versions:
- FortiClient 5.6, 6.0, 6.4, 7.0

The SSL-VPN and fnbamd debug shows the following output:
allocSSLConn:298 sconn 0x7f8894d100 (0:root)
[270:root:18d]SSL state:before SSL initialization (34.254.218.252)
[270:root:18d]SSL state:before SSL initialization (34.254.218.252)
[270:root:18d]client cert requirement: no
[270:root:18d]SSL state:SSLv3/TLS read client hello (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS write server hello (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS write change cipher spec (34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 early data (34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 early data:system lib(34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 early data (34.254.218.252)
[270:root:18d]client cert requirement: no
[270:root:18d]SSL state:SSLv3/TLS read client hello (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS write server hello (34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 write encrypted extensions (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS write certificate (34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 write server certificate verify (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS write finished (34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 early data (34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 early data:system lib(34.254.218.252)
[270:root:18d]SSL state:TLSv1.3 early data (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS read finished (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS write session ticket (34.254.218.252)
[270:root:18d]SSL state:SSLv3/TLS write session ticket (34.254.218.252)
[270:root:18d]SSL state:SSL negotiation finished successfully (34.254.218.252)
[270:root:18d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[270:root:18d]req: /remote/info
[270:root:18d]capability flags: 0xdf
[270:root:18d]sslConnGotoNextState:303 error (last state: 1, closeOp: 0)
[270:root:18d]Destroy sconn 0x7f8894d100, connSize=3. (root)
The SSL-VPN and fnbamd debug shows the error 'sslConnGotoNextState:303 error (last state: 1, closeOp: 0)' right after the client's request for /remote/info, even though the TLS handshake completed successfully.

A packet capture on the SSL-VPN port shows the following output:
72 1.715518 34.254.218.252 82.166.105.28 TCP 66 40854 → 10443 [ACK] Seq=1437 Ack=10008 Win=56704 Len=0 TSval=2887564429 TSecr=78269688
73 1.715542 34.254.218.252 82.166.105.28 TCP 66 40854 → 10443 [ACK] Seq=1437 Ack=12156 Win=56704 Len=0 TSval=2887564429 TSecr=78269688
74 1.759228 34.254.218.252 82.166.105.28 TCP 66 40854 → 10443 [ACK] Seq=1437 Ack=12157 Win=56704 Len=0 TSval=2887564473 TSecr=78269688
75 1.806576 34.254.218.252 82.166.105.28 TLSv1.3 90 Application Data
76 1.806610 82.166.105.28 34.254.218.252 TCP 54 10443 → 40854 [RST] Seq=12157 Win=0 Len=0
77 1.807420 34.254.218.252 82.166.105.28 TCP 66 40854 → 10443 [FIN, ACK] Seq=1461 Ack=12157 Win=56704 Len=0 TSval=2887564521 TSecr=78269688
78 1.807442 82.166.105.28 34.254.218.252 TCP 54 10443 → 40854 [RST] Seq=12157 Win=0 Len=0
A TCP RST is sent from the FortiGate towards the client immediately after the client's TLS Application Data.
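The two signatures above (the sslConnGotoNextState error in the SSL-VPN debug and the FortiGate-originated RST in the capture) can be picked out of larger debug and capture outputs with a small script. The following is an added example, not Fortinet code or part of this article; the sample lines are copied from the output shown above, and the capture parser assumes the tshark-style column layout (frame, time, source, destination, protocol, length, info) and the SSL-VPN port 10443 used in that capture.

```python
import re

# Constructed sample: lines copied from the SSL-VPN debug output shown above.
# Each line starts with [pid:vdom:conn-id]; the client IP appears in parentheses.
SSLVPN_DEBUG = """\
[270:root:18d]SSL state:before SSL initialization (34.254.218.252)
[270:root:18d]client cert requirement: no
[270:root:18d]SSL state:SSL negotiation finished successfully (34.254.218.252)
[270:root:18d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[270:root:18d]req: /remote/info
[270:root:18d]capability flags: 0xdf
[270:root:18d]sslConnGotoNextState:303 error (last state: 1, closeOp: 0)
[270:root:18d]Destroy sconn 0x7f8894d100, connSize=3. (root)
"""

# Constructed sample: lines copied from the packet capture shown above
# (assumed tshark-style columns: frame, time, src, dst, proto, length, info).
CAPTURE = """\
75 1.806576 34.254.218.252 82.166.105.28 TLSv1.3 90 Application Data
76 1.806610 82.166.105.28 34.254.218.252 TCP 54 10443 → 40854 [RST] Seq=12157 Win=0 Len=0
77 1.807420 34.254.218.252 82.166.105.28 TCP 66 40854 → 10443 [FIN, ACK] Seq=1461 Ack=12157 Win=56704 Len=0 TSval=2887564521 TSecr=78269688
78 1.807442 82.166.105.28 34.254.218.252 TCP 54 10443 → 40854 [RST] Seq=12157 Win=0 Len=0
"""

PREFIX_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>[^\]]+)\](?P<msg>.*)$")
CLIENT_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s*$")
STATE_ERR_RE = re.compile(
    r"sslConnGotoNextState:\d+ error \(last state: (?P<state>\d+), closeOp: (?P<close>\d+)\)"
)


def find_state_errors(debug_text):
    """Return one record per connection that completed the TLS handshake and then
    hit an sslConnGotoNextState error; the record carries the client IP and the
    last request seen on that connection (here /remote/info)."""
    sessions = {}  # conn-id -> per-connection state
    hits = []
    for line in debug_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue  # lines without the [pid:vdom:conn] prefix are ignored
        conn, msg = m.group("conn"), m.group("msg")
        s = sessions.setdefault(conn, {"client_ip": None, "established": False, "last_req": None})
        ip = CLIENT_IP_RE.search(msg)
        if ip:
            s["client_ip"] = ip.group(1)
        if msg.startswith("SSL established"):
            s["established"] = True
        elif msg.startswith("req: "):
            s["last_req"] = msg[len("req: "):]
        else:
            err = STATE_ERR_RE.search(msg)
            if err and s["established"]:
                hits.append({
                    "conn": conn,
                    "client_ip": s["client_ip"],
                    "last_req": s["last_req"],
                    "last_state": int(err.group("state")),
                })
    return hits


def find_server_resets(capture_text, vpn_port=10443):
    """Return frames in which the FortiGate (source port == vpn_port) sends a TCP
    RST, flagging whether the RST directly follows TLS Application Data from the
    client it is sent to."""
    resets = []
    prev = None  # (src, dst, proto, info) of the previous frame
    for line in capture_text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 7:
            continue
        frame, _time, src, dst, proto, _length, info = parts
        if proto == "TCP" and "[RST]" in info and info.split()[0] == str(vpn_port):
            after_app_data = prev is not None and prev[2].startswith("TLS") and prev[0] == dst
            resets.append({"frame": int(frame), "src": src, "dst": dst,
                           "after_client_app_data": after_app_data})
        prev = (src, dst, proto, info)
    return resets


if __name__ == "__main__":
    for h in find_state_errors(SSLVPN_DEBUG):
        print(f"conn {h['conn']}: client {h['client_ip']} failed after {h['last_req']} "
              f"(last state {h['last_state']})")
    for r in find_server_resets(CAPTURE):
        print(f"frame {r['frame']}: RST {r['src']} -> {r['dst']} "
              f"after client Application Data: {r['after_client_app_data']}")
```

Run against a full `diagnose debug application sslvpn -1` output and a tshark text export, the script lists each client that negotiated TLS, requested /remote/info and was then dropped, which is the pattern to look for before checking whether FortiTray is blocked on the affected Mac.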

If the same behaviour is seen on a Mac, allow the FortiTray application on that Mac; FortiClient is then able to connect and get access.