danjahner
New Contributor

FortiClient VPN Problems With OSX 10.11 El Capitan

I installed the GM candidate of Mac OS X 10.11 El Capitan and my FortiClient VPN has stopped working. It completes the login, but after connection, no data is transferred - the incoming and outgoing freeze. It is a split tunnel connection and neither network nor internet traffic works.

 

I tried disabling the firewall and System Integrity Protection, but neither had any effect. 

lzs
New Contributor II

I've been trying since the first public beta, and now on the final GM Candidate. The VPN problem is there. Basically, what is wrong is that OS X's resolver is sending traffic out through the primary (original) network interface, even though the route table correctly shows that the VPN tunnel (ppp0) should be used.

 

When you use a command like nslookup, the DNS traffic goes through the VPN tunnel (ppp0) properly.

 

DNS name resolution  fails because my VPN client is told to use my corporate DNS server, but my corporate DNS server refuses to serve name queries from outside the corporate network. When the FortiClient VPN is connected, OS X's name resolution traffic arrives at the DNS server with the client's public Internet IP address, and hence is refused by my DNS server.

 

Technically, this looks like an OS X bug. Or, perhaps there really is something wrong that FortiClient is doing. Either way, I hope Fortinet can rectify or take it up with Apple to fix El Capitan.

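One way to check for the mismatch described in the post above, as an added example that is not part of the original thread: compare the interface each resolver is bound to in `scutil --dns` with the interface `route -n get` selects for that nameserver. The sample outputs and addresses are constructed, and treating the resolver's `if_index` binding as the relevant signal is an assumption.

```shell
#!/bin/sh
# Constructed sample of `scutil --dns` output (not captured from a real host).
sample_scutil() { cat <<'EOF'
resolver #1
  search domain[0] : corp.example
  nameserver[0] : 10.20.0.53
  if_index : 4 (en0)
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
EOF
}

# Constructed sample of `route -n get <ip>` output: corporate DNS via the tunnel.
sample_route() {
  case "$1" in
    10.20.0.53) printf '   route to: %s\ndestination: 10.20.0.0\n  interface: ppp0\n' "$1" ;;
    *)          printf '   route to: %s\ndestination: default\n  interface: en0\n' "$1" ;;
  esac
}

# Emit "nameserver interface" pairs; resolvers without an if_index line are skipped.
resolver_bindings() {
  awk '/^resolver/ { n = 0 }
       /nameserver\[[0-9]+\]/ { ns[n++] = $NF }
       /if_index/ { gsub(/[()]/, "", $NF); for (i = 0; i < n; i++) print ns[i], $NF; n = 0 }'
}

# Extract the outgoing interface from `route -n get` output.
route_iface() { awk '/interface:/ { print $2 }'; }

# $1 = command printing resolver config, $2 = command printing the route for an IP.
check_dns_paths() {
  "$1" | resolver_bindings | while read -r ip bound; do
    routed=$("$2" "$ip" | route_iface)
    if [ "$bound" = "$routed" ]; then status=OK; else status=MISMATCH; fi
    echo "$status $ip bound=$bound route=$routed"
  done
}

# On a Mac, pass wrappers around the real commands instead of the samples:
#   live_scutil() { scutil --dns; }; live_route() { route -n get "$1"; }
check_dns_paths sample_scutil sample_route
```

A `MISMATCH` line for the corporate DNS server means queries sent by the system resolver can leave on the physical interface even though the route table points at the tunnel.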

Sridhar
New Contributor III

Facing the same issue. Latest FortiClient (5.3*) did not fix it.

But, FortiClient 4.0.2082 did not have any such issues (though it occasionally stops tunneling on its own).

 

Waiting for a fix like everyone, but 4.0.2082 is letting me work for the time being.


hansbogert

I've gotten it to "work" by getting the DNS to use ppp0 and some route magic. Explanation is on: http://serverfault.com/questions/728702/how-to-get-forticlient-working-in-osx-el-capitan/728707#7287...

 

Let's hope either party fixes this, because running scripts after establishing VPN is quite cumbersome.


Chris_Lin_FTNT
kevinboos

Chris.Lin wrote:

There is a new private build here:

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.493_macosx.dmg

 

Would you guys give it a try?

It works for now! Thanks!


tommy765

Just ran El Capitan updates and it still does not work - bummer


shenight

Chris.Lin wrote:

Here is another interim build b499.

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.499_macosx.dmg

 

5.4.1 release may be available at the end of February.

 

P.S. b493 from previous post is different from the official 5.4.0 b493. Developer made the change after 5.4.0 was released.

Thanks! I had the same problems as other people for 3 months with FortiClient, and this new build fixes the issue!!! Great job!


Chris_Lin_FTNT
soundso

After update to MacOS Sierra the client 5.4.1 works as expected.... 


davidgagne

We have the DNS problem as well. Have ticket logged but have not received anything helpful or even acknowledgement of the widespread issue.

 

None of my mac users can VPN right now due to this... looking into switching back to Cisco VPN to see if that works until this is resolved.

jrobijns

Just to let you guys know: We had the same problem within our company for users that upgraded to El Capitan. This release did solve the problem for us as well!

 

Thanks!

jrobijns

shenight wrote:

Chris.Lin wrote:

Here is another interim build b499.

https://dl.dropboxusercontent.com/u/58793690/mac/FortiClient_5.4.0.499_macosx.dmg

 

5.4.1 release may be available at the end of February.

 

P.S. b493 from previous post is different from the official 5.4.0 b493. Developer made the change after 5.4.0 was released.

Thanks! I had the same problems as other people for 3 months with FortiClient, and this new build fixes the issue!!! Great job!

Just to let you guys know: We had the same problem within our company for users that upgraded to El Capitan. This release did solve the problem for us as well!

I specifically created a forum account just to let you know. It's always easy to complain (in general and personal, not meant towards anyone here) but I wanted to take the effort to be positive.   Thanks!

seadave

I initially had problems with this, but I am not now and I'm wondering why.  I'm running 5.4.0.493 on MacOS 10.11.2.  I just had an IPsec connection running for over two hours without any issues.  I'm testing from a 100Mbps Comcast business connection (Mac using FC) to CenturyLink 1Gbps (FG500D running 5.4).  I get about 10-13Mbps throughput over the link when downloading files off our 2008R2 file server VM.

 

I have the following turned on:

WAN1 -> IPsec Incomming -> LAN: AV, IPS, DLP, Proxy Default, SSL Deep Inspection

IPSec -> WAN1: AV, Webfiltering, DNS Filter (Block Botnet CnC), App Filter, IPS, DLP, SSL Deep Inspection

 

All seems to be well, but one thing I have noticed is that SSLVPN throughput (we do have a valid ECp256 Cert) is about 25% the speed of IPsec.  I tend to tweak my FG to enable high crypto and DH key of 2048 also.  Default used to be 1024, but 5.4 defaults to 2048 now.

brucereed

Has anyone heard anything about the release of FortiClient 5.4.1? I cannot believe Fortinet is taking this long to release a GA version and expecting people to use an interim build to solve the many 5.4.0 FortiClient issues.

Chris_Lin_FTNT

5.4.1 is scheduled for the second half of April (the team has many projects to work on at the same time. sorry.)

jweber
New Contributor

I can confirm that the bug is still present in the final 10.11.1, with FC 5.4, a split-tunnel VPN, and only one network interface enabled (Ethernet).

EDIT: didn't see Chris's post above. Will give it a try.

mr_brody
New Contributor

Using an older version works. From my dropbox: https://www.dropbox.com/s...cosx_4.0.2297.dmg?dl=0 Tested successfully!
fortinetstoppedOSXsu
New Contributor

Tried the private build and the published build for 10.11.1 and 10.11.2 

Nothing works.

 

This IS a Fortinet problem other VPN Clients like Tunnelblick work without any problems.

To excuse the non existing effort on their side by waiting for Apple to solve THEIR client problems is ridiculous.

 

It's a shame that Fortinet has left its clients unsupported for months after they have paid for their solution.

Fortinet hampers our work and is a massive risk now for ongoing projects.

 

I will support any initiative in our company to get rid of this firewall.

In other fields we successfully use open source solutions - which do not leave you at the mercy of a commercial provider.

I hope we find some open source solution for a firewall as well.

 

Any proposals - or experiences?

 

KR

 

 
