Hello Everyone,
I'm experiencing a peculiar issue with our FortiClient VPN on Mac systems and I was hoping to get some guidance or suggestions from this community.
We have integrated Azure AD SSO with our Fortigates within our organization. The problem we're facing is quite aleatory. Mac users, when trying to connect, occasionally receive an error message stating: "Network error. Cannot connect to VPN server". The strange thing is that after several connection attempts, they are eventually able to connect. I've tried a number of troubleshooting steps, but the problem persists:
Below is the fortitray.log with details (I removed sensitive data):
20230716 12:42:34 [FortiTray:INFO] VpnManager.swift:1314 SAML VPN login from GUI: VPN Corp
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:879 Start SAML VPN: VPN Corp
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:882 FortiTray is launching application
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:886 fcpath: /Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiTray.app
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:902 FortiTray is finished application
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:908 FortiTray is sending GUI saml start message
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:558 Waiting GUI login SAML VPN: VPN Corp
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:34 [FortiTray:DEBG] AppDelegate.swift:189 Received message: reload config
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:38 [FortiTray:INFO] VPNMessageBridge.m:439 Request VPN connect
20230716 12:42:38 [FortiTray:DEBG] VPNMessageBridge.m:466 SAML VPN profile: VPN Corp
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1311 Connect SAML VPN: VPN Corp
20230716 12:42:38 [FortiTray:DEBG] VpnManager.swift:756 On VPN status change: DisconnectedBecauseOfError("Network error. Can not connect to VPN server.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError) -> Connecting
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:791 VPN connecting
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:42:38 [FortiTray:INFO] FctBridge.m:123 Public IP retrieved: 777.777.777.777
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:676 Server URL: https://vpnssl.corp.com:10443
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:298 Request: [POST] "/remote/saml/login"
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 888.888.888.888 for domain name: vpnssl.corp.com
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:507 Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x600002203fc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x600000f77890 [0x1f469c7f8]>{length = 16, capacity = 16, bytes = 0x100228cbc80aaa6b0000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <25F0F364-43F7-4D5F-B01E-A6B59E7BE6E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <25F0F364-43F7-4D5F-B01E-A6B59E7BE6E0>.<1>"
), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https://888.888.888.888:10443/remote/saml/login, NSErrorFailingURLKey=https://888.888.888.888:10443/remote/saml/login, _kCFStreamErrorDomainKey=4}
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:536 Stop on error: Can not connect to VPN server.
20230716 12:42:39 [FortiTray:DEBG] vpnconnection.mm:520 Stop process.
20230716 12:42:39 [FortiTray:DEBG] vpnconnection.mm:564 Cancel http. http task is running: No
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:2117 Notification: Cancel input
20230716 12:42:39 [FortiTray:INFO] sslvpn_bridge.mm:209 VPN login exception: [1] Can not connect to VPN server.
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:1926 Notification: Login network error. Can not connect to VPN server.
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:741 No retry on manual connect
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:756 On VPN status change: Connecting -> DisconnectedBecauseOfError("Network error. Can not connect to VPN server.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError)
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:766 VPN disconnected because of error: Network error. Can not connect to VPN server.
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:634 On VPN session end
20230716 12:42:39 [FortiTray:EROR] sslvpn_bridge.mm:638 Failed to get auth token.
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:673 Waiting for VPN session to end
20230716 12:42:39 [FortiTray:DEBG] sslvpn_bridge.mm:582 VPN session wait until finished
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:675 VPN session ended
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:684 On VPN disconnected
Has anyone encountered a similar issue? If so, any advice or suggestions on potential solutions would be greatly appreciated.
Thanks in advance for your time and help!
Hello idanieri,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Hi Idanieri,
Thank you for the query!
May I ask whether you have taken sslvpnd and samld logs from the firewall when trying to connect to the VPN from Mac machines?
Could you please share the logs below, captured while the issue is happening?
di de reset
di de app samld -1
di de en
+ Once the above commands are run, please try to connect from the Mac machine, and once the error is seen, please stop the debugs using:
di de di
di de reset
Thank you!
Thallapelly Thrilok.
Hi Thallapelly, thanks for your reply. Next is the debug log from the FGT:
SSLVPN-01 # diagnose debug application samld -1
Debug messages will be on for 30 minutes.
SSLVPN-01 # diagnose debug enable
SSLVPN-01 # __samld_sp_create_auth_req [447]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:b
__samld_sp_create_auth_req [467]:
**** AuthnRequest URL ****
__samld_sp_create_auth_req [481]:
**** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_C04
9913A6EB4F112B78718910CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https://login.microsoftonline.com/c4
a8886b-f140-478b-ac47-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oa
sis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443/remote/saml/login"><saml:Issue
r>https://888.888.888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-fo
rmat:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
__samld_sp_create_auth_req [486]:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns
:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_C049913A6EB4F112B787189
10CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https://login.microsoftonline.com/c4a8886b-f140-478b-ac4
7-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.
0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443/remote/saml/login"><saml:Issuer>https://888.888.
888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" Al
samld_send_common_reply [114]: Code: 0, id: 61847, data_len: 3439
samld_send_common_reply [122]: Attr: 14, 2304, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns
:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Reque
st><samlp:AuthnRequest ID="_C049913A6EB4F112B78718910CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https
://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive=
"false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443
/remote/saml/login"><saml:Issuer>https://888.888.888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oa
sis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>
samld_send_common_reply [122]: Attr: 11, 1119, https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SA
After analyzing the session, it appears that there is no subsequent message following the last occurrence of "samld_send_common_reply [122]." In a successful connection, however, I would typically expect to receive "__samld_sp_login_resp [831]" along with the corresponding SP Login Response Message Body.
Thanks for the reply Thallapelly. I tried many times to post the reply with the log you requested but I continuously receive this message:
Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied.
Is there some way I can share this log with you? I also tried to attach the file to a post, but it isn't possible.
Thanks in advance
I had the same issue.
Try connecting to the VPN from a different network to see if the issue persists.
Thanks, I tried that but with no success... It looks like there is something wrong in the way the FortiClient uses the IPs delivered by the DNS.
Hi all, I went deeper into the troubleshooting and found out that this also happens on notebooks with Windows, and it looks like there is some strange behaviour with the DNS resolution from the FortiClient app itself.
We have a load balancer that resolves vpnssl.corp.com to two IPs, and there is a sticky connection rule to resolve the same IP depending on the source IP address.
Tests performed from macOS 13.4.1 and Windows 10:
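Added example, not part of the original thread: a small Python parser that groups fortitray.log lines into connection attempts and tallies outcomes per resolved gateway IP, one way to check whether the intermittent failures follow one of the two load-balanced addresses. The sample log is constructed (documentation-range IPs), and counting an attempt with no "Stop on error" line as successful is an assumption, since the thread shows no success-path log lines.

```python
import re
from collections import defaultdict

# Constructed sample in the fortitray.log format quoted above (not real data).
SAMPLE_LOG = """\
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 198.51.100.10 for domain name: vpnssl.corp.com
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:536 Stop on error: Can not connect to VPN server.
20230716 12:43:02 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:43:02 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 198.51.100.20 for domain name: vpnssl.corp.com
20230716 12:43:30 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:43:30 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 198.51.100.10 for domain name: vpnssl.corp.com
20230716 12:43:31 [FortiTray:EROR] vpnconnection.mm:536 Stop on error: Can not connect to VPN server.
"""

LINE = re.compile(r"^(\d{8} \d{2}:\d{2}:\d{2}) \[FortiTray:(\w+)\] \S+ (.*)$")
RESOLVED = re.compile(r"Resolved IP address (\S+) for domain name: (\S+)")

def parse_attempts(text):
    """Split the log into attempts, each opened by a 'Start VPN:' line."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines of multi-line NSError dumps
        ts, _level, msg = m.groups()
        if msg.startswith("Start VPN:"):
            cur = {"start": ts, "ips": [], "error": None}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first attempt
        elif (r := RESOLVED.search(msg)):
            cur["ips"].append(r.group(1))
        elif msg.startswith("Stop on error:"):
            cur["error"] = msg.split(":", 1)[1].strip()
    return attempts

def failures_by_ip(attempts):
    """Count ok/failed attempts per last-resolved IP (no error line = ok, an assumption)."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0})
    for a in attempts:
        key = a["ips"][-1] if a["ips"] else "unresolved"
        stats[key]["failed" if a["error"] else "ok"] += 1
    return dict(stats)

def split_resolution(attempts):
    """Start times of attempts that resolved to more than one IP (sticky rule bypassed)."""
    return [a["start"] for a in attempts if len(set(a["ips"])) > 1]

if __name__ == "__main__":
    print(failures_by_ip(parse_attempts(SAMPLE_LOG)))
```

If every failure lands on the same address, the problem is more likely on that gateway or its load balancer path than in the client's DNS handling.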