I wanted to use the on_connect script in FortiClient to connect an SMB share after the connection is established, as shown here. But the command is executed before the connection is established. After my command failed, the connection is shown as established in FortiClient. I tried to execute the command in the background but failed to do so.
```xml
<on_connect>
  <script>
    <os>mac</os>
    <script>
      echo "" & sleep 4; /usr/bin/osascript -e 'mount volume "smb://ssldemo.fortinet.com/installers"'
    </script>
  </script>
</on_connect>
```
Environment:
MacOS 14.6.1
FortiClient 7.4.0.1645
SSL-VPN via SAML SSO using the external browser as user-agent
Hi,
I have done research based on the reported behavior and observed the following.
1024936 | FortiClient cannot sync VPN on connect script properly. |
https://docs.fortinet.com/document/forticlient/7.4.0/macos-release-notes/124818/known-issues
This is addressed to be fixed in 7.2.5, which is released today.
Please check the persistence of the issue with the specified build and if there are still issues raise a support ticket to troubleshoot further.
Hi,
Adding a check before mounting to your script can make a difference.
Can you check and confirm via the following CLI?
```bash
SMB_Addr="smb://ssldemo.fortinet.com/installers"
MOUNT_CMD='/usr/bin/osascript -e "mount volume \"$SMB_Addr\""'

check_connection() {
    if ping -c 1 ssldemo.fortinet.com &>/dev/null; then
        return 0 # Success
    else
        return 1 # Failure
    fi
}

while ! check_connection; do
    echo "Waiting for SMB share to become accessible..."
    sleep 4
done

echo "SMB share is accessible. Mounting..."
eval $MOUNT_CMD
```
Hi Anil,
I tested the provided script, but it did not solve the issue. When the script is executed manually after the connection is established, it works as expected. But when executed inside the `on_connect`, the connection is never established, as the script never finishes. This could be fixed with a retry counter for the reachability check.
But my core problem is the execution of the script before a connection is made. I would assume that the `on_connect` script should be executed after the connection is established and not while the process is still ongoing. Currently the script is executed after the external browser (or internal) is used to authenticate the SAML user.
Script:
```bash
#!/bin/bash
SMB_Addr="smb://ssldemo.fortinet.com/installers"
MOUNT_CMD='/usr/bin/osascript -e "mount volume \"$SMB_Addr\""'

check_connection() {
    if ping -c 1 ssldemo.fortinet.com &>/dev/null; then
        return 0 # Success
    else
        return 1 # Failure
    fi
}

while ! check_connection; do
    echo "Waiting for SMB share to become accessible..."
    sleep 4
done

echo "SMB share is accessible. Mounting..."
eval $MOUNT_CMD
```
forticlient_settings.xml:
```xml
<on_connect>
  <script>
    <os>mac</os>
    <script>
      ~/mountShare.sh
    </script>
  </script>
</on_connect>
```
I also tried executing the script in the background, which did not block the connection, but also did not connect the SMB share.
forticlient_settings.xml :
```xml
<on_connect>
  <script>
    <os>mac</os>
    <script>
      ~/mountShare.sh &
    </script>
  </script>
</on_connect>
```
Hello,
I made a bit of adjustment based on the retry counter.
```bash
#!/bin/bash
SMB_URL="smb://ssldemo.fortinet.com/installers"
MOUNT_CMD='/usr/bin/osascript -e "mount volume \"$SMB_URL\""'
MAX_RETRIES=10

check_connection() {
    if ping -c 1 ssldemo.fortinet.com &>/dev/null; then
        return 0 # Success
    else
        return 1 # Failure
    fi
}

retry_count=0
while ! check_connection; do
    if [ $retry_count -ge $MAX_RETRIES ]; then
        echo "Maximum retries reached. Exiting..."
        exit 1
    fi
    echo "Waiting for SMB share to become accessible... (Attempt $((retry_count + 1))/$MAX_RETRIES)"
    sleep 4
    retry_count=$((retry_count + 1))
done

echo "SMB share is accessible. Mounting..."
eval $MOUNT_CMD
```
Have you ever tried to recreate from scratch the applied remote access profile from the EMS server and check the results?
Hi,
With the new script the connection is established after ~40 sec (max retries reached). As the script is executed before a connection is made, it does not solve my issue.
The config is a clean config with only one SSL-VPN configured, which I exported via the CLI, added the script and then reimported it via CLI.
The issue arises because the on_connect script in FortiClient executes prematurely, before the VPN connection is fully established. To resolve this, you can implement a script that checks the VPN connection's readiness, such as monitoring the interface status, and delays execution until the connection is active. Upgrading to FortiClient 7.2.5 or newer, which addresses synchronization issues with on_connect scripts, is also recommended. If the issue persists, use external tools like macOS launchd to better control script execution timing. Additionally, tools like ZArchiver available for PC on https://zarchiverapk.com/zarchiver-pc/ can aid in managing SMB shares and debugging network automations. Collect detailed logs to further investigate and ensure alignment between script execution and connection establishment.
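The bounded readiness check discussed in this thread, as an added example that is not code from any poster or from Fortinet: the probe and the mount command are run as argument vectors instead of being built into a string and passed to `eval`, and the wait is capped so the hook cannot block indefinitely. The host and share are the ones used in the thread; probing TCP 445 with `nc` instead of ICMP `ping`, the `wait_until` helper and the `mount` argument are assumptions of this example.

```shell
#!/bin/bash
# Added example: bounded readiness wait for a post-connect hook.
# Host and share come from the thread; the TCP 445 probe is an assumption.
SMB_HOST="ssldemo.fortinet.com"
SMB_URL="smb://${SMB_HOST}/installers"
MAX_RETRIES=10   # upper bound so the hook can never block forever
RETRY_DELAY=4    # seconds between probes

# wait_until MAX DELAY CMD [ARGS...]
# Runs CMD until it succeeds or MAX attempts are used up.
# Returns 0 on success, 1 on timeout. CMD is executed as an argument
# vector, so nothing is re-parsed by the shell (no eval).
wait_until() {
    local max=$1 delay=$2 attempt=1
    shift 2
    while [ "$attempt" -le "$max" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        if [ "$attempt" -lt "$max" ]; then
            sleep "$delay"
        fi
        attempt=$((attempt + 1))
    done
    return 1
}

# Probe the SMB service itself rather than relying on ICMP replies.
smb_reachable() {
    nc -z -w 2 "$SMB_HOST" 445
}

mount_share() {
    /usr/bin/osascript -e "mount volume \"$SMB_URL\""
}

# Only act when invoked as "mountShare.sh mount" (this example's convention).
if [ "${1:-}" = "mount" ]; then
    if wait_until "$MAX_RETRIES" "$RETRY_DELAY" smb_reachable; then
        mount_share
    else
        echo "SMB host not reachable after $MAX_RETRIES attempts" >&2
        exit 1
    fi
fi
```

With the defaults above the script gives up after roughly the same ~40 seconds reported earlier in the thread, so it bounds the delay but does not change when FortiClient invokes the hook.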
Copyright 2024 Fortinet, Inc. All Rights Reserved.