Created on 09-12-2015 03:00 PM
I installed the GM candidate of Mac OS X 10.11 El Capitan and my FortiClient VPN has stopped working. It completes the login, but after connection, no data is transferred - the incoming and outgoing freeze. It is a split tunnel connection and neither network or internet traffic works.
I tried disabling the firewall and System Integrity Protection, but neither had any effect.
Solved! Go to Solution.
Created on 09-22-2015 01:26 AM
I've been trying since the first public beta, and now on the final GM Candidate. The VPN problem is there. Basically, what is wrong is that OS X's resolver is sending traffic out through the primary (original) network interface, even though the route table correctly shows that the VPN tunnel (ppp0) should be used.
When you use a command like nslookup, the DNS traffic goes through the VPN tunnel (ppp0) properly.
DNS name resolution fails because my VPN client is told to use my corporate DNS server, but my corporate DNS server refuses to serve name queries from outside the corporate network. When the FortiClient VPN is connected, OS X's name resolution traffic arrives at the DNS server with the client's public Internet IP address, and hence is refused by my DNS server.
Technically, this looks like an OS X bug. Or, perhaps there really is something wrong that FortiClient is dong. Either way, I hope FortiNet can rectify or take it up with Apple to fix El Capitan.
Facing the same issue. Latest FortiClient(5.3*) did not fix it.
But, FortiClient 4.0.2082 did not have any such issues(though it occasionally stops tunneling on its own).
Waiting for a fix like everyone, but 4.0.2082 is letting me work for time being.
I've gotten it to "work" by getting the DNS to use ppp0 and some route magic. Explanation is on: http://serverfault.com/questions/728702/how-to-get-forticlient-working-in-osx-el-capitan/728707#7287...
Let's hope either party fixes this, because running scripts after establishing VPN is quite cumbersome.
Chris.Lin wrote:Thanks ! I had same problems that other people since 3 months with forticlient and this new build fixes the issue!!! Great job!
Here is another interim build b499.
5.4.1 release may be available at the end of February.
P.S. b493 from previous post is different from the official 5.4.0 b493. Developer made the change after 5.4.0 was released.
What's rather strange to me is that I'm unable to find any other reports of this issue from El Cap users. The only results I find when searching for "mac 10.11 dns resolve" are related to this thread or to the discoveryd/mDNSResponder issues from Yosemite. If this were a widespread Apple problem, shouldn't there be at least a couple more reported issues?
Sorry was out of town with what turned out to be a dead laptop.
I know this article is old but I think the problem has persisted in some form or another. Since it was published, Apple ditched discoveryd back for mDNSresponder (after four months!), but we've still had some issues.
I think it (did?) mainly impact(s) split tunneling and it is possible that I'm lumping this together with another less obvious networking bug. One article I read indicated that the OS get confused as to what interface to send a packet on, so if you are connected to both Wifi and Ethernet (silly I know but people do it all the time), and a VPN with split tunneling enabled, the connection will crash after a short period of time. My proposed solution is to disable split tunneling, and make sure you are only on Wifi or Ethernet, not both. Have not had time to definitively test with all the possible MacOS and FC versions.
There is a new private build here:
Would you guys give it a try?
Seems to work for me on 10.11.
Edit: Positive results on 10.11.1, too.
Me too -- the private build works on 10.11.1, with both Ethernet and Wi-Fi enabled. Good news! Now I just need to decide if I actually want to upgrade. :)
Chris, I think I can speak for all here that your monitoring and offer to provide updates for testing is greatly appreciated. I will attempt to test with this also.
Can confirm, the private build works in 10.11! Thanks for the effort.
Is the search domain getting set properly for you guys? I had the same issue with 5.2 build(in Yosemite), so had to write a script to add the search domain via scutil(which still works). Its kinda annoying to run the script every time you connect to VPN.