Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
danjahner
New Contributor

FortiClient VPN Problems With OSX 10.11 El Capitan

I installed the GM candidate of Mac OS X 10.11 El Capitan and my FortiClient VPN has stopped working. It completes the login, but after connection, no data is transferred - the incoming and outgoing freeze. It is a split tunnel connection and neither network or internet traffic works. 

 

I tried disabling the firewall and System Integrity Protection, but neither had any effect. 

9 Solutions
lzs
New Contributor II

I've been trying since the first public beta, and now on the final GM Candidate. The VPN problem is there. Basically, what is wrong is that OS X's resolver is sending traffic out through the primary (original) network interface, even though the route table correctly shows that the VPN tunnel (ppp0) should be used.

 

When you use a command like nslookup, the DNS traffic goes through the VPN tunnel (ppp0) properly.

 

DNS name resolution  fails because my VPN client is told to use my corporate DNS server, but my corporate DNS server refuses to serve name queries from outside the corporate network. When the FortiClient VPN is connected, OS X's name resolution traffic arrives at the DNS server with the client's public Internet IP address, and hence is refused by my DNS server.

 

Technically, this looks like an OS X bug. Or, perhaps there really is something wrong that FortiClient is dong. Either way, I hope FortiNet can rectify or take it up with Apple to fix El Capitan.

View solution in original post

Sridhar
New Contributor III

Facing the same issue. Latest FortiClient(5.3*) did not fix it.

But, FortiClient 4.0.2082 did not have any such issues(though it occasionally stops tunneling on its own).

 

Waiting for a fix like everyone, but 4.0.2082 is letting me work for time being.

View solution in original post

hansbogert

I've gotten it to "work" by getting the DNS to use ppp0 and some route magic. Explanation is on: http://serverfault.com/questions/728702/how-to-get-forticlient-working-in-osx-el-capitan/728707#7287...

 

Let's hope either party fixes this, because running scripts after establishing VPN is quite cumbersome.

View solution in original post

Chris_Lin_FTNT
kevinboos

Chris.Lin wrote:

There is a new private build here:

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.493_macosx.dmg

 

Would you guys give it a try?

It works for now! Thanks!

View solution in original post

tommy765

Just ran El Capitan updates and it still does not work - bummer

View solution in original post

shenight

Chris.Lin wrote:

Here is another interim build b499.

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.499_macosx.dmg

 

5.4.1 release may be available at the end of February.

 

P.S. b493 from previous post is different from the official 5.4.0 b493. Developer made the change after 5.4.0 was released.

Thanks ! I had same problems that other people since 3 months with forticlient and this new build fixes the issue!!! Great job!

View solution in original post

Chris_Lin_FTNT
soundso

After update to MacOS Sierra the client 5.4.1 works as expected.... 

View solution in original post

148 REPLIES 148
tiujpatel
New Contributor

I am still getting 

 kernel[0]: fctappfwnke : error! - pkt data write error hundreds of times with this new version as well. 

your_moms_firewall

FN says the release date of the client that "fixes Apple's problem" is January 25th. Way to take the initiative on a 6-month-old bug, guys!

sid_dawg

any know if Apple fixed the problem with a new release? 

sidney yoder
sidney yoder
soundso

The problem is not been fixed (El Capitan 10.11.3) . ;(

 

tommy765

Just ran El Capitan updates and it still does not work - bummer

soundso

After update to MacOS Sierra the client 5.4.1 works as expected.... 

brucereed

So does anyone know the current status of this problem and if a new release that addresses it has indeed shipped? We just started seeing FortiClient kernel panic crashes on El Capitan, regardless of release used. 

 

Also of note is we started seeing Windows BSD on FortiClient 5.4 and had to revert back to 5.2.5.

 

I'm feeling very uncomfortable because I took a chance on Fortinet FortiGate at a new job based on really positive feedback from many places, but in my entire career working with many Firewall/VPN platforms including Cisco, Juniper, and Palo Alto I've NEVER seen a VPN client crash an OS. It's unthinkable really.

Chris_Lin_FTNT

FortiClient does more than just VPN. But if you install the VPN only part of it, it may have less chance to crash the OS.

brucereed

Chris.Lin wrote:

FortiClient does more than just VPN. But if you install the VPN only part of it, it may have less chance to crash the OS.

We only install VPN, explicitly leaving out the endpoint protection components because we are not using them. I do get that having endpoint protection built in complicates the client and touches the kernel  where these sorts of issues can arise, but whether I am using FortiClient in VPN only mode or full endpoint protection mode it should not crash the OS, period.  

 

Really, this makes an argument for having two versions of the client where those customers not using endpoint protection are not impacted by the hooks the client has in the OS to perform those functions and maybe those customers would be spared this mess. 

Chris_Lin_FTNT

Here is another interim build b499.

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.499_macosx.dmg

 

5.4.1 release may be available at the end of February.

 

P.S. b493 from previous post is different from the official 5.4.0 b493. Developer made the change after 5.4.0 was released.

Labels
Top Kudoed Authors