FortiClient VPN SSL not working with IP but not with nameserver
Hi, we have set up an SSL VPN with a domain with FortiDDNS. It works perfectly on Windows, but not for Mac users on Big Sur 11.5.1. The thing is, the Mac can ping the domain, but when FortiClient tries to connect, it throws this error:
VPN disconnected because of error: Network error. Can not connect to VPN server.
We have checked the logs and have this error:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
Any thoughts? Is this a bug?
I am currently getting this behavior. I'm pretty sure it is a problem with my SSL certificate, but I can't figure out what. Here is the guidance from Apple: https://support.apple.com/en-ca/HT210176. My thumbprint was already SHA256. My cert validity period was only 2 years ... I reissued the cert with a 3-year period and that didn't help. Safari trusts the certificate and loads pages from the same server w/o error, but FortiClient or the macOS VPN stack it relies on still doesn't like the cert. Still looking for an answer.
Hi Chris,
To narrow down the issue:
- Do you mean that on Windows devices the SSLVPN works fine?
- Is the macOS FCT able to connect if using IP instead of DNS gateway to connect VPN?
- Ensure that FCT has full disk access: https://docs.fortinet.com/document/forticlient/7.0.7/macos-release-notes/223986/special-notices
- Are you using FCT 7.0.x? Have you tried using FCT 6.4.x to see if the issue persists?
Bon
Yes, the Windows machines connect without issue.
Yes, the macOS clients can connect using the IP address of the FortiGate, but not the domain name.
Yes, the macOS clients have full disk access.
Yes, I am running FortiClient EMS Cloud and am on the v7.0.7 client. I can't backlevel my client because EMS Cloud requires v7+ and I'm using it for antivirus.
I had opened a ticket with Fortinet Support and they helped me with the related issues with IPv6 (required a firmware update to my FortiGate to v7.0), but they could not identify the specific problem here - just "a problem with your certificate".
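
The Apple article linked in this thread (HT210176) lists the requirements a TLS server certificate must meet to be trusted on iOS 13 and macOS 10.15 and later. As an added example that is not part of any post here, the bash function below checks a PEM certificate against those requirements with `openssl`; the file name and host name in the usage comment are placeholders, and the parsing assumes the text layout printed by `openssl x509 -text`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit a PEM server certificate against
# the TLS requirements in Apple's HT210176. Returns the number of failed checks.
to_epoch() {  # GNU date first, then BSD/macOS date
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f '%b %e %T %Y %Z' "$1" +%s
}
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

check_apple_tls_cert() {  # usage: check_apple_tls_cert cert.pem vpn.example.com
  local pem="$1" host text bits sig san name match=0 start end days fails=0
  host=$(tr 'A-Z' 'a-z' <<<"$2")
  text=$(openssl x509 -in "$pem" -noout -text) || return 99

  # 1. RSA keys must be 2048 bits or larger.
  if grep -q 'Public Key Algorithm: rsaEncryption' <<<"$text"; then
    bits=$(sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' <<<"$text" | head -n1)
    [ "${bits:-0}" -ge 2048 ] || fail "RSA key is ${bits:-unknown} bits"
  fi

  # 2. The signature must use a SHA-2 family hash.
  sig=$(sed -n 's/^ *Signature Algorithm: *//p' <<<"$text" | head -n1)
  case "$(tr 'A-Z' 'a-z' <<<"$sig")" in
    *sha224*|*sha256*|*sha384*|*sha512*) ;;
    *) fail "signature algorithm is $sig" ;;
  esac

  # 3. The name must be a DNS entry in subjectAltName; the CN is not consulted.
  san=$(grep -A1 'X509v3 Subject Alternative Name' <<<"$text" | tail -n1)
  while read -r name; do
    case "$name" in "dns:$host"|"dns:*.${host#*.}") match=1 ;; esac
  done < <(tr ',' '\n' <<<"$san" | tr 'A-Z' 'a-z' | sed 's/^ *//')
  [ "$match" -eq 1 ] || fail "no SAN DNS entry matches $host"

  # 4 and 5 apply to certificates issued after 2019-07-01 (epoch 1561939200).
  start=$(to_epoch "$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)")
  end=$(to_epoch "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)")
  if [ "$start" -gt 1561939200 ]; then
    # 4. Validity period must be 825 days or fewer.
    days=$(( (end - start) / 86400 ))
    [ "$days" -le 825 ] || fail "validity period is $days days"
    # 5. extendedKeyUsage must include serverAuth.
    grep -A1 'X509v3 Extended Key Usage' <<<"$text" |
      grep -q 'TLS Web Server Authentication' || fail "EKU lacks serverAuth"
  fi
  return "$fails"
}
```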