Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wdy_hschroeder
New Contributor

FortiClient macOS "on_connect" script executes before connection is established

I wanted to use the on_connect script in the FortiClient to connect an smb share after the connection is established as shown here. But the command is executed before the connection is established. After my command failed the connection is shown as established in FortiClient. I tried to execute the command in the background but failed to do so.

 

                    <on_connect>
                        <script>
                            <os>mac</os>
                            <script>
                                echo "" &amp; sleep 4; /usr/bin/osascript -e 'mount volume "smb://ssldemo.fortinet.com/installers"'
                            </script>
                        </script>
                    </on_connect>

 

 

Environment:
MacOS 14.6.1
FortiClient 7.4.0.1645
SSL-VPN via SAML SSO using the external browser as user-agent

1 Solution
Anil_Solakoglu

Hi, 

I have done research based on the reported behavior and observed the following. 

1024936 FortiClient cannot sync VPN on connect script properly.

 

https://docs.fortinet.com/document/forticlient/7.4.0/macos-release-notes/124818/known-issues
This is addressed to fix at 7.2.5 which is released today. 

Please check the persistence of the issue with the specified build and if there are still issues raise a support ticket to troubleshoot further. 

View solution in original post

8 REPLIES 8
Anil_Solakoglu

Hi, 

Adding a check before mounting to your script can make a difference. 

Can you check and confirm via the following CLI?

SMB_Addr="smb://ssldemo.fortinet.com/installers"
MOUNT_CMD='/usr/bin/osascript -e "mount volume \"$SMB_Addr\""'

check_connection() {
if ping -c 1 ssldemo.fortinet.com &>/dev/null; then
return 0 # Success
else
return 1 # Failure
fi
}

while ! check_connection; do
echo "Waiting for SMB share to become accessible..."
sleep 4
done

echo "SMB share is accessible. Mounting..."
eval $MOUNT_CMD

wdy_hschroeder
New Contributor

Hi Anil,

I testet the provided script, but it did not solve the issue. When the script is executed manually after the connection is established it works as expected. But executed inside the `on_connect` the connection is never established as the script never finishes. This could be fixed with a retry counter for the reachability check.

But my core problem is the execution of the script before a connection is made. As I would assume that the `on_connect` script should be executed after the connection is established and not while the process is still ongoing. Currently the script is executed after the external browser (or internal) is used to authenticate the saml user.

 

Script:

#!/bin/bash
SMB_Addr="smb://ssldemo.fortinet.com/installers"
MOUNT_CMD='/usr/bin/osascript -e "mount volume \"$SMB_Addr\""'

check_connection() {
if ping -c 1 ssldemo.fortinet.com &>/dev/null; then
return 0 # Success
else
return 1 # Failure
fi
}

while ! check_connection; do
echo "Waiting for SMB share to become accessible..."
sleep 4
done

echo "SMB share is accessible. Mounting..."
eval $MOUNT_CMD

forticlient_settings.xml:

<on_connect>
                        <script>
                            <os>mac</os>
                            <script>
                                ~/mountShare.sh
                            </script>
                        </script>
                    </on_connect>

 

I also tried executing the script in the background. Which did not block the connection, but also did not connect the smb share.
forticlient_settings.xml :

<on_connect>
                        <script>
                            <os>mac</os>
                            <script>
                                ~/mountShare.sh &amp;
                            </script>
                        </script>
                    </on_connect>

 

Anil_Solakoglu

Hello, 

I made a bit of adjustment based on the retry counter. 

#!/bin/bash

SMB_URL="smb://ssldemo.fortinet.com/installers"
MOUNT_CMD='/usr/bin/osascript -e "mount volume \"$SMB_URL\""'

MAX_RETRIES=10

check_connection() {
if ping -c 1 ssldemo.fortinet.com &>/dev/null; then
return 0 # Success
else
return 1 # Failure
fi
}

retry_count=0
while ! check_connection; do
if [ $retry_count -ge $MAX_RETRIES ]; then
echo "Maximum retries reached. Exiting..."
exit 1
fi
echo "Waiting for SMB share to become accessible... (Attempt $((retry_count + 1))/$MAX_RETRIES)"
sleep 4
retry_count=$((retry_count + 1))
done
echo "SMB share is accessible. Mounting..."
eval $MOUNT_CMD

Have you ever tried to recreate from stratch the applied remote access profile from the EMS server and check the results? 

 

wdy_hschroeder

Hi,

With the new script the connection is established after ~40 sec (max retries reached). As the script is executed before a connection ist made and therefore does not solve my issue.

The config is a clean config with only one ssl-vpn configured, which i exported via the cli, added the script and then reimported it via cli.

UmarRasheed

use the remini apk. https://reminigeek.com/

Jenniejoya

Yes, you may also use: https://reminiapkking.com/

Anil_Solakoglu

Hi, 

I have done research based on the reported behavior and observed the following. 

1024936 FortiClient cannot sync VPN on connect script properly.

 

https://docs.fortinet.com/document/forticlient/7.4.0/macos-release-notes/124818/known-issues
This is addressed to fix at 7.2.5 which is released today. 

Please check the persistence of the issue with the specified build and if there are still issues raise a support ticket to troubleshoot further. 

BrodySmitham
New Contributor

The issue arises because the on_connect script in FortiClient executes prematurely, before the VPN connection is fully established. To resolve this, you can implement a script that checks the VPN connection's readiness, such as monitoring the interface status, and delays execution until the connection is active. Upgrading to FortiClient 7.2.5 or newer, which addresses synchronization issues with on_connect scripts, is also recommended. If the issue persists, use external tools like macOS launchd to better control script execution timing. Additionally, tools like ZArchiver available for PC on https://zarchiverapk.com/zarchiver-pc/ can aid in managing SMB shares and debugging network automations. Collect detailed logs to further investigate and ensure alignment between script execution and connection establishment.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors