- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient VPN Problems With OSX 10.11 El Capitan
I installed the GM candidate of Mac OS X 10.11 El Capitan and my FortiClient VPN has stopped working. It completes the login, but after connection, no data is transferred - the incoming and outgoing freeze. It is a split tunnel connection and neither network or internet traffic works.
I tried disabling the firewall and System Integrity Protection, but neither had any effect.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been trying since the first public beta, and now on the final GM Candidate. The VPN problem is there. Basically, what is wrong is that OS X's resolver is sending traffic out through the primary (original) network interface, even though the route table correctly shows that the VPN tunnel (ppp0) should be used.
When you use a command like nslookup, the DNS traffic goes through the VPN tunnel (ppp0) properly.
DNS name resolution fails because my VPN client is told to use my corporate DNS server, but my corporate DNS server refuses to serve name queries from outside the corporate network. When the FortiClient VPN is connected, OS X's name resolution traffic arrives at the DNS server with the client's public Internet IP address, and hence is refused by my DNS server.
Technically, this looks like an OS X bug. Or, perhaps there really is something wrong that FortiClient is dong. Either way, I hope FortiNet can rectify or take it up with Apple to fix El Capitan.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Facing the same issue. Latest FortiClient(5.3*) did not fix it.
But, FortiClient 4.0.2082 did not have any such issues(though it occasionally stops tunneling on its own).
Waiting for a fix like everyone, but 4.0.2082 is letting me work for time being.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've gotten it to "work" by getting the DNS to use ppp0 and some route magic. Explanation is on: http://serverfault.com/questions/728702/how-to-get-forticlient-working-in-osx-el-capitan/728707#7287...
Let's hope either party fixes this, because running scripts after establishing VPN is quite cumbersome.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a new private build here:
https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.493_macosx.dmg
Would you guys give it a try?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chris.Lin wrote:It works for now! Thanks!There is a new private build here:
https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.493_macosx.dmg
Would you guys give it a try?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just ran El Capitan updates and it still does not work - bummer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chris.Lin wrote:Thanks ! I had same problems that other people since 3 months with forticlient and this new build fixes the issue!!! Great job!Here is another interim build b499.
https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.499_macosx.dmg
5.4.1 release may be available at the end of February.
P.S. b493 from previous post is different from the official 5.4.0 b493. Developer made the change after 5.4.0 was released.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this. A more recent build.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After update to MacOS Sierra the client 5.4.1 works as expected....
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an FortiClient Mac interim build FortiClient_5.3.25.492_macosx.dmg here: https://www.dropbox.com/sh/cb0j4pxw1f8nq84/AABJBxUrmhiRfwHjAIBKe1DSa/mac?dl=0
Please try to see if it works for you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chris.Lin wrote:Hi Chris, thanks, it's really good to know that someone's working on this issue!I have an FortiClient Mac interim build FortiClient_5.3.25.492_macosx.dmg here: https://www.dropbox.com/sh/cb0j4pxw1f8nq84/AABJBxUrmhiRfwHjAIBKe1DSa/mac?dl=0
Please try to see if it works for you.
I've just tested the build but the problem is not resolved. It's a bit different now. The resolver's traffic is sent through the tunnel "ppp0", but with the wrong source IP. It's using the source IP of the Mac's physical interface (e.g. "en0") instead of the VPN tunnel IP.
Using the "nslookup" command does see the DNS queries going through the tunnel "ppp0" with the proper source IP address, so this command works.
Hope this helps you! :)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see.
How about clearing DNS cache, like this http://osxdaily.com/2014/11/20/flush-dns-cache-mac-os-x/
After this, does it still use wrong source IP?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chris.Lin wrote:Hi Chris,I see.
How about clearing DNS cache, like this http://osxdaily.com/2014/11/20/flush-dns-cache-mac-os-x/
After this, does it still use wrong source IP?
It's still sending the DNS queries with the wrong source IP after the cache flush. I don't think the cache flush would help anyway, since the resolver is in fact trying to send out the queries.
Hope this helps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a problem to reproduce this issue :( Maybe we installed 10.11 on another drive instead of upgrade?
I wonder how do you guys install 10.11?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you attached
1. the sslvpn log file
2. the ifconfig settings
3. FOS config file
thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And FCT config file too.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chris.Lin wrote:I have El Capitan upgraded over Yosemite.We have a problem to reproduce this issue :( Maybe we installed 10.11 on another drive instead of upgrade?
I wonder how do you guys install 10.11?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would you advise people not to upgrade to El Capitan if we use a Forticlient SSL VPN?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jeff: I'm having the same DNS problem, on a clean install. I sent you the logs and config files via PM -- let me know if you need anything else.