Fortinet Forum
jdvuyk
New Contributor

SSL VPN: Windows Works, MacOS does not!

Hi All.

I have a 100F device (6.2.8) set up for SSL VPN for remote connections using the VPN-only FortiClient.  Windows works perfectly.  MacOS does not!  The VPN shows "Connecting" and then simply goes back to no message.  There are no errors.  The VPN does not connect.

 

Mac = Big Sur 11.4

Forticlient = 7.0.1.0060

 

Facts:

- the VPN actually connects and authenticates.  Logs show this.  Also, putting in fake login details generates a client error for the wrong user/pass.  The correct user/pass generates no messages.  It connects but then for reasons unknown gets disconnected.

 

Fortigate Logs:

[263:root:42]got SNI server name: vpn.ourdomain.systems realm (null)
[263:root:42]client cert requirement: no
[263:root:42]SSL state:SSLv3/TLS read client hello (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write server hello (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 write encrypted extensions (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write certificate (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 write server certificate verify (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write finished (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 early data (49.178.7.112)
[263:root:42]SSL state:TLSv1.3 early data:system lib(49.178.7.112)
[263:root:42]SSL state:TLSv1.3 early data (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS read finished (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write session ticket (49.178.7.112)
[263:root:42]SSL state:SSLv3/TLS write session ticket (49.178.7.112)
[263:root:42]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[263:root:42]req: /remote/fortisslvpn_xml
[263:root:42]deconstruct_session_id:426 decode session id ok, user=[user],group=[SSLVPN-Guest],authserver=[],portal=[External],host=[49.178.7.112],realm=[],idx=1,auth=1,sid=67598625,login=1629167478,access=1629167478,saml_logout_url=no
[263:root:42]deconstruct_session_id:426 decode session id ok, user=[user],group=[SSLVPN-Guest],authserver=[],portal=[External],host=[49.178.7.112],realm=[],idx=1,auth=1,sid=67598625,login=1629167478,access=1629167478,saml_logout_url=no
[263:root:42]sslvpn_reserve_dynip:1156 tunnel vd[root] ip[10.213.1.1] app session idx[1]
[263:root:42]sslConnGotoNextState:307 error (last state: 1, closeOp: 0)
[263:root:42]Destroy sconn 0x7f9fc8e300, connSize=0. (root)

 

FortiClient Logs:

20210817 11:37:51 [FortiTray:INFO] VpnManager.swift:787 Start VPN: Our Company
20210817 11:37:51 [FortiTray:INFO] VpnManager.swift:611 VPN connecting
20210817 11:37:51 [FortiTray:DEBG] vpnconnection.mm:540 Server URL: https://vpn.ourcompany.systems:10443
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:215 ApiEncMethod: 0
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:217 ApiRemoteAuthTimeout: 10
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:219 ApiServerSalt: 23a08a55
20210817 11:37:51 [FortiTray:INFO] sslvpn.cpp:220 flag: 95
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:314 Send authentication request
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:506 Authentication passed
20210817 11:37:52 [FortiTray:DEBG] vpnconnection.mm:400 Stop process.
20210817 11:37:52 [FortiTray:INFO] VpnManager.swift:1475 Notification: Cancel input
20210817 11:37:52 [FortiTray:INFO] sslvpn_bridge.mm:71 Login successful
20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:575 Login successful
20210817 11:37:53 [FortiTray:INFO] VpnManager.swift:1183 Inherit proxy settings
20210817 11:37:55 [FortiTray:DEBG] AppDelegate.swift:151 Reload config
20210817 11:37:55 [FortiTray:EROR] ConfigManager.swift:1522 Config file "/Library/Application Support/Fortinet/FortiClient/conf/epctrl.plist" not exist
20210817 11:37:55 [FortiTray:INFO] VpnManager.swift:611 VPN connecting
20210817 11:37:55 [FortiTray:EROR] VpnManager.swift:388 Failed to get tunnel provider's return code
20210817 11:37:55 [FortiTray:INFO] VpnManager.swift:604 VPN disconnected

 

I'm a bit stumped.  The VPN successfully connects but then gets disconnected for an error I cannot decipher.

TIA.

 

 

 

jdvuyk
New Contributor

So I guess when they mean "no support" they really mean it.

 

I gave up.  From my research, my conclusion is that the MacOS implementation is broken.  I ended up configuring the Cisco IPsec method and that works fine.  It's just a bit rubbish that I need to maintain 2 implementations now because of poor QA.

saqib_hussain

I had the same issue and this is how I fixed it.

Check in Security & Privacy: fortitray needs permission when you install it for the first time. If you can't see the application, uninstall the FortiClient using the FortiClient uninstaller and reinstall again. Check again in Security & Privacy > General.  Allow the fortitray app.

 

I hope this is helpful.

jdvuyk

Someone give this man a beer!!  (assuming you are a man!)  This was totally the solution.    So so simple.    But at the same time, not easy to troubleshoot for the non-mac native.  Thanks very much.

Pittstate
New Contributor II

If any developers from Fortinet read these forums, please, please, give more informative error messages. None of the errors indicated in the Forticlient log indicate any permission based issues.

 

Also, this could easily be solved by a permissions check within the Forticlient application and a dialog box that tells the client the EXACT reason it can't perform properly. If the 'fortitray' application doesn't have permissions, it should check and on failure tell the client via a message of some sort or (better) prompt them to remediate the problem by requesting the permissions again.  But why is this permission being skipped over in the first place? There were other permissions that the user received prompting to allow when the client was installed initially. How did this one escape?

James1
New Contributor II

Use IP address instead of hostname. 

jgizel
New Contributor

This solved my issue.  Terrible QA Fortinet.

petterrafael
New Contributor

The process of installing and reinstalling FortiClient is flawed and from the first installation on, the others always end up resulting in the error reported in this post.
The solution is quite simple, as it is about lack of permission, just go to System Preferences > Security & Privacy > Privacy and select Full Disk Access and give full permission to FortiClient.
Voila, everything working.
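
A triage helper for FortiClient logs like the one in the first post, added here as an example and not part of any post in this thread. It splits a pasted log on its timestamps and reports whether the disconnect happened before or after authentication; the phase labels and the choice of "Authentication passed" / "Login successful" as the auth markers are this example's own assumptions, taken from the quoted log lines.

```python
import re

# Constructed sample: six of the FortiClient lines quoted in the first post,
# pasted run-together on one line the way forum software often collapses them.
SAMPLE = (
    "20210817 11:37:51 [FortiTray:INFO] VpnManager.swift:611 VPN connecting "
    "20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:314 Send authentication request "
    "20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:506 Authentication passed "
    "20210817 11:37:52 [FortiTray:INFO] sslvpn.cpp:575 Login successful "
    "20210817 11:37:55 [FortiTray:EROR] VpnManager.swift:388 "
    "Failed to get tunnel provider's return code "
    "20210817 11:37:55 [FortiTray:INFO] VpnManager.swift:604 VPN disconnected"
)

STAMP = r"\d{8} \d{2}:\d{2}:\d{2} \["
ENTRY = re.compile(
    r"^(?P<ts>\d{8} \d{2}:\d{2}:\d{2}) \[(?P<comp>\w+):(?P<level>\w+)\] "
    r"(?P<src>\S+:\d+) (?P<msg>.*)$", re.S)
AUTH_OK = {"Authentication passed", "Login successful"}

def parse(text):
    """Split on each timestamp (handles collapsed pastes) and parse the fields."""
    entries = []
    for chunk in re.split(rf"(?={STAMP})", text):
        m = ENTRY.match(chunk.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries):
    """Return (phase, errors). Phase labels are this example's own, not Fortinet's."""
    auth_at = next((i for i, e in enumerate(entries) if e["msg"] in AUTH_OK), None)
    errors = [e for e in entries if e["level"] == "EROR"]
    if not any(e["msg"] == "VPN disconnected" for e in entries):
        return "no-disconnect", errors
    if auth_at is None:
        return "pre-auth", errors
    # Authentication succeeded and the client still dropped: report only the
    # errors logged after that point, since those belong to tunnel bring-up.
    return "post-auth", [e for e in entries[auth_at + 1:] if e["level"] == "EROR"]

if __name__ == "__main__":
    phase, errors = triage(parse(SAMPLE))
    print(phase)
    for e in errors:
        print(e["ts"], e["src"], e["msg"])
```

A "post-auth" result points the investigation at the local client (for this thread, the macOS permission for fortitray) rather than at credentials or the FortiGate portal configuration.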