danjahner
New Contributor

FortiClient VPN Problems With OSX 10.11 El Capitan

I installed the GM candidate of Mac OS X 10.11 El Capitan and my FortiClient VPN has stopped working. It completes the login, but after connection, no data is transferred - the incoming and outgoing freeze. It is a split tunnel connection and neither network nor internet traffic works.

 

I tried disabling the firewall and System Integrity Protection, but neither had any effect. 

lzs
New Contributor II

I've been trying since the first public beta, and now on the final GM Candidate. The VPN problem is there. Basically, what is wrong is that OS X's resolver is sending traffic out through the primary (original) network interface, even though the route table correctly shows that the VPN tunnel (ppp0) should be used.

 

When you use a command like nslookup, the DNS traffic goes through the VPN tunnel (ppp0) properly.

 

DNS name resolution fails because my VPN client is told to use my corporate DNS server, but my corporate DNS server refuses to serve name queries from outside the corporate network. When the FortiClient VPN is connected, OS X's name resolution traffic arrives at the DNS server with the client's public Internet IP address, and hence is refused by my DNS server.

Technically, this looks like an OS X bug. Or, perhaps there really is something wrong that FortiClient is doing. Either way, I hope Fortinet can rectify or take it up with Apple to fix El Capitan.

Sridhar
New Contributor III

Facing the same issue. Latest FortiClient (5.3*) did not fix it.

But, FortiClient 4.0.2082 did not have any such issues (though it occasionally stops tunneling on its own).

Waiting for a fix like everyone, but 4.0.2082 is letting me work for the time being.

hansbogert

I've gotten it to "work" by getting the DNS to use ppp0 and some route magic. Explanation is on: http://serverfault.com/questions/728702/how-to-get-forticlient-working-in-osx-el-capitan/728707#7287...

 

Let's hope either party fixes this, because running scripts after establishing VPN is quite cumbersome.

Chris_Lin_FTNT
kevinboos

Chris.Lin wrote:

There is a new private build here:

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.493_macosx.dmg

 

Would you guys give it a try?

It works for now! Thanks!

tommy765

Just ran El Capitan updates and it still does not work - bummer

shenight

Chris.Lin wrote:

Here is another interim build b499.

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.499_macosx.dmg

 

5.4.1 release may be available at the end of February.

 

P.S. b493 from previous post is different from the official 5.4.0 b493. Developer made the change after 5.4.0 was released.

Thanks! I had the same problems as other people for 3 months with FortiClient and this new build fixes the issue!!! Great job!

Chris_Lin_FTNT
soundso

After update to MacOS Sierra the client 5.4.1 works as expected.... 

emnoc
Esteemed Contributor III

FWIW log in and go to downloads on the support website. Release notes and dmg files exist.

 

 

PCNSE NSE StrongSwan
Chris_Lin_FTNT

One very experienced Mac user mentioned how he changed the resolver manually to make the DNS work. It may be worth a try.

"Initial prep:
    $ mkdir ~/resolver
    $ echo "nameserver 172.16.100.100" > ~/resolver/ca
    (repeat for com, org and any other TLDs you need to access)
    $ sudo mkdir /etc/resolver

After connecting to SSLVPN:
    $ sudo cp ~/resolver/* /etc/resolver

When disconnecting from SSLVPN:
    $ sudo rm /etc/resolver/*

For some reason, this works, even though /etc/resolv.conf's contents have no effect."
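
A more careful variant of the connect/disconnect steps quoted above, as an added example that is not part of the original post or Fortinet's code: it records which resolver files it created and removes only those, where `sudo rm /etc/resolver/*` deletes every per-domain resolver file on the machine. `RESOLVER_DIR`, `STATE_FILE`, `resolver_up` and `resolver_down` are hypothetical names with assumed defaults; run as root when they point at system paths.

```shell
#!/bin/sh
# Added example: per-domain resolver files for the lifetime of a VPN session.
# Both paths are assumptions; override them to try the script without root.
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"
STATE_FILE="${STATE_FILE:-/var/run/vpn-resolver.list}"

# valid_domain NAME: accept only plain DNS names, so a crafted argument or
# manifest line can never become a path outside RESOLVER_DIR.
valid_domain() {
    case "$1" in
        ""|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# resolver_up NAMESERVER DOMAIN...   (call after the tunnel is up)
resolver_up() {
    [ "$#" -ge 1 ] || return 1
    ns="$1"; shift
    # Simplification: IPv4 dotted-quad characters only.
    case "$ns" in
        ""|*[!0-9.]*) echo "bad nameserver: $ns" >&2; return 1 ;;
    esac
    mkdir -p "$RESOLVER_DIR" || return 1
    for domain in "$@"; do
        valid_domain "$domain" || { echo "skipping bad domain: $domain" >&2; continue; }
        f="$RESOLVER_DIR/$domain"
        # Never overwrite a resolver file that something else installed.
        if [ -e "$f" ]; then
            echo "leaving existing file alone: $f" >&2; continue
        fi
        printf 'nameserver %s\n' "$ns" > "$f" && printf '%s\n' "$domain" >> "$STATE_FILE"
    done
}

# resolver_down   (call on disconnect): removes only files listed in the manifest.
resolver_down() {
    [ -f "$STATE_FILE" ] || return 0
    while IFS= read -r domain; do
        valid_domain "$domain" || continue   # the manifest is input too
        rm -f "$RESOLVER_DIR/$domain"
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}
```

With the defaults, `resolver_up 172.16.100.100 ca com org` replaces the copy step and `resolver_down` replaces the `rm` step.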

tiujpatel

I updated the client to 5.4 and it's still not working. Anyone else have this working without having to go thru route changes?

tiujpatel

On top of it still not working I am now getting nonstop error in log which leads to grey screen of death. Happened couple times, had to uninstall 5.4 completely of this to stop. Here is what shows up in the console, this one line shows up continuously. 

 kernel[0]: fctappfwnke : error! - pkt data write error 

richard451

hansbogert wrote:

I've gotten it to "work" by getting the DNS to use ppp0 and some route magic. Explanation is on: http://serverfault.com/questions/728702/how-to-get-forticlient-working-in-osx-el-capitan/728707#7287...

 

Let's hope either party fixes this, because running scripts after establishing VPN is quite cumbersome.

That worked great!  Thank you!!

prabin

Hello,

I have installed the latest FortiClient 5.4 and I am running El Capitan. My issue is I am not able to connect to internet in Safari but I am able to login to my remote windows desktop. Any help will be useful?

seadave
Contributor III

This crap has got to stop Fortinet. Is anyone over there doing any kind of QC testing??? I've spent the last month trying to figure out how I can deploy a consistently configured IPSec VPN to my Mac and Windows users without dumbing it down to crappy crypto. EMS is a good start and I'm going to play with that, but based on the complaints about 5.2.4, the cert bug in 5.2.3 (UI gets corrupted if you attempt to upload an EC Signed Cert), and what I'm seeing in FortiClient 5.4 I don't have my hopes high.

 

WHY IN THE HECK ARE THERE NOT ADVANCED SETTINGS ON THE MAC CLIENT UI!!!

 

I guess I'm one of those guys who doesn't like defaults because that is what the bad guys love and I'm trying to prevent.  As a result we are trying to only allow DH Group 14 (I'd like to use the EC based ones but those aren't available in the Windows or Mac clients) and we are only allowing AES256/SHA256 Enc/Auth proposals.  This is fairly easy to do on the Windows client.  NONE OF THESE OPTIONS ARE AVAILABLE ON THE MAC!!!

 

I finally figured out that if I export the schema on the MAC I can waste a few more hours hunting these values down and change them by hand. After doing so, I imported back into the MAC FortiClient and BAM!, it finally connected using the stronger auth crypto. But now I'm in the same boat as all of the folks above due to DNS issues.

 

On Windows you can edit the virtual interface and add your domain and DNS servers to be used when the connection is active, but the FortiClient does not show up as an editable interface under the Mac Network settings.  I'm glad there are people out there who are as well versed as the person who figured out the CLI scripting but why torture us in having to figure that out when all it takes is a few weeks during development to make the freaking UI consistent and available to those of us who are not CLI terminal wizards???

 

PS I'm well aware that Apple has F'd up the DNS service in recent OSX releases. I saw your release notes that said, "we found a problem, but it is Apple's fault so it is up to them to fix it" is BS. If one of your customers is able to come up with a fix, there should be someone at Fortinet who is smart enough to do that also and bake it into the build as an option.

jgallups

So cliffs notes so far... it's an Apple problem and Fortinet is waiting on a resolution?

jweber

Sounds like it. I'm curious whether anyone has tried it with the 10.11.1 betas.
