Intermittent connection issue with FortiClient on Mac - Azure AD SSO Integration - Error -1001

idanieri · ‎07-16-2023

Hello Everyone,

I'm experiencing a peculiar issue with our FortiClient VPN on Mac systems and I was hoping to get some guidance or suggestions from this community.

We have integrated Azure AD SSO with our Fortigates within our organization. The problem we're facing is quite aleatory. Mac users, when trying to connect, occasionally receive an error message stating: "Network error. Cannot connect to VPN server". The strange thing is that after several connection attempts, they are eventually able to connect. I've tried a number of troubleshooting steps, but the problem persists:

I've tried reinstalling the FortiClient and clearing the configuration cache, but neither seems to have any effect.
We're using the latest FortiClient version, 7.0.8. We also tested with previous versions, but faced other issues related to known bugs with SAML SSO.
If I set the public IP address instead the FQDN as the remote gateway, it connects at the first try.
The client side network is fine, I tested this by myself and could connect to other VPNs from other vendors without any issue.
There is no AV active with mac users.
Accessing the VPN web portal via a web browser also works without any issues.

Below is the fortitray.log with details (I removed sensitive data):

20230716 12:42:34 [FortiTray:INFO] VpnManager.swift:1314 SAML VPN login from GUI: VPN Corp
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:879 Start SAML VPN: VPN Corp
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:882 FortiTray is launching application

20230716 12:42:34 [FortiTray:INFO] FctBridge.m:886 fcpath: /Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiTray.app
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:902 FortiTray is finished application

20230716 12:42:34 [FortiTray:INFO] FctBridge.m:908 FortiTray is sending GUI saml start message

20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:558 Waiting GUI login SAML VPN: VPN Corp
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:34 [FortiTray:DEBG] AppDelegate.swift:189 Received message: reload config
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:38 [FortiTray:INFO] VPNMessageBridge.m:439 Request VPN connect
20230716 12:42:38 [FortiTray:DEBG] VPNMessageBridge.m:466 SAML VPN profile: VPN Corp
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1311 Connect SAML VPN: VPN Corp
20230716 12:42:38 [FortiTray:DEBG] VpnManager.swift:756 On VPN status change: DisconnectedBecauseOfError("Network error. Can not connect to VPN server.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError) -> Connecting
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:791 VPN connecting
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:42:38 [FortiTray:INFO] FctBridge.m:123 Public IP retrieved: 777.777.777.777
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:676 Server URL: https://vpnssl.corp.com:10443
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:298 Request: [POST] "/remote/saml/login"
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 888.888.888.888 for domain name: vpnssl.corp.com
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:507 Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x600002203fc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x600000f77890 [0x1f469c7f8]>{length = 16, capacity = 16, bytes = 0x100228cbc80aaa6b0000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <25F0F364-43F7-4D5F-B01E-A6B59E7BE6E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <25F0F364-43F7-4D5F-B01E-A6B59E7BE6E0>.<1>"
), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https://888.888.888.888:10443/remote/saml/login, NSErrorFailingURLKey=https://888.888.888.888:10443/remote/saml/login, _kCFStreamErrorDomainKey=4}
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:536 Stop on error: Can not connect to VPN server.
20230716 12:42:39 [FortiTray:DEBG] vpnconnection.mm:520 Stop process.
20230716 12:42:39 [FortiTray:DEBG] vpnconnection.mm:564 Cancel http. http task is running: No
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:2117 Notification: Cancel input
20230716 12:42:39 [FortiTray:INFO] sslvpn_bridge.mm:209 VPN login exception: [1] Can not connect to VPN server.
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:1926 Notification: Login network error. Can not connect to VPN server.
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:741 No retry on manual connect
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:756 On VPN status change: Connecting -> DisconnectedBecauseOfError("Network error. Can not connect to VPN server.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError)
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:766 VPN disconnected because of error: Network error. Can not connect to VPN server.
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:634 On VPN session end
20230716 12:42:39 [FortiTray:EROR] sslvpn_bridge.mm:638 Failed to get auth token.
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:673 Waiting for VPN session to end
20230716 12:42:39 [FortiTray:DEBG] sslvpn_bridge.mm:582 VPN session wait until finished
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:675 VPN session ended
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:684 On VPN disconnected

Has anyone encountered a similar issue? If so, any advice or suggestions on potential solutions would be greatly appreciated.

Thanks in advance for your time and help!

Anthony_E · ‎07-18-2023

Hello idanieri,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

tthrilok · ‎07-19-2023

Hi Idanieri,

Thank you for the query!

May I request if you have taken sslvpnd and samld logs from the firewall when trying to connect to VPN from mac machines?

You may please share the below logs when the issue is happening?

di de reset

di de app samld -1

di de en

+ Once the above commands are run, please try to connect from mac machine and once the error is seen, please stop the debugs using:

di de di

di de reset

Thank you!

Thallapelly Thrilok.

idanieri · ‎07-20-2023

Hi Thallapelly, thanks for your reply. Next is the debug log from the FGT:

SSLVPN-01 # diagnose debug application samld -1
Debug messages will be on for 30 minutes.

SSLVPN-01 # diagnose debug enable

SSLVPN-01 # __samld_sp_create_auth_req [447]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:b
indings:HTTP-POST

__samld_sp_create_auth_req [467]:
**** AuthnRequest URL ****
https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SAMLRequest=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3u
ZCL5ukfiTAe62bz%2FitF37sGoSEuJwD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99IzwzV4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7
K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkKzgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0PEyuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZt
TygWNj9J5VVWixHzo8wtZbGZnnYApqyUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPhiJL1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO
9A2wNTtlRitFpcDm3Jzq%2F82awi854Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFnEHKQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&RelayState
=magic%3D468dc441c14e596d&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4
jEU7WVooPys1rxtqc6TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKIdPNk6YbvaFclFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%
2BlZaYFf4thKmCEz1LYOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4g9F3ECKcirpCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJ
j43TAR6A2mfiJpooxSLrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%3D%3D
***********************
__samld_sp_create_auth_req [481]:
**** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_C04
9913A6EB4F112B78718910CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https://login.microsoftonline.com/c4
a8886b-f140-478b-ac47-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oa
sis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443/remote/saml/login"><saml:Issue
r>https://888.888.888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-fo
rmat:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
***********************
__samld_sp_create_auth_req [486]:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns
:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_C049913A6EB4F112B787189
10CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https://login.microsoftonline.com/c4a8886b-f140-478b-ac4
7-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.
0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443/remote/saml/login"><saml:Issuer>https://888.888.
888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" Al
lowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/c4a8886b-f140-478b-ac47-249
555c30afd/</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SAML
Request=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3uZCL5ukfiTAe62bz%2FitF37sGoSEuJwD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99Izwz
V4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkKzgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0PE
yuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZtTygWNj9J5VVWixHzo8wtZbGZnnYApqyUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPhiJ
L1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO9A2wNTtlRitFpcDm3Jzq%2F82awi854Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFnEH
KQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&amp;RelayState=magic%3D468dc441c14e596d&amp;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxm
ldsig%23rsa-sha1&amp;Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4jEU7WVooPys1rxtqc6TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKId
PNk6YbvaFclFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%2BlZaYFf4thKmCEz1LYOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4
g9F3ECKcirpCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJj43TAR6A2mfiJpooxSLrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%
3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=468dc441c14e596d</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequest
Method><lasso:RequestID>_C049913A6EB4F112B78718910CF3DD52</lasso:RequestID></lasso:Login>
***********************
samld_send_common_reply [114]: Code: 0, id: 61847, data_len: 3439
samld_send_common_reply [122]: Attr: 14, 2304, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns
:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Reque
st><samlp:AuthnRequest ID="_C049913A6EB4F112B78718910CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https
://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive=
"false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443
/remote/saml/login"><saml:Issuer>https://888.888.888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oa
sis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>
https://sts.windows.net/c4a8886b-f140-478b-ac47-249555c30afd/</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.
com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SAMLRequest=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3uZCL5ukfiTAe62bz%2FitF37sGoSEuJ
wD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99IzwzV4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkK
zgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0PEyuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZtTygWNj9J5VVWixHzo8wtZbGZnnYApq
yUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPhiJL1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO9A2wNTtlRitFpcDm3Jzq%2F82awi85
4Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFnEHKQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&amp;RelayState=magic%3D468dc441c14e596d&
amp;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&amp;Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4jEU7WVooPys1rxtqc6
TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKIdPNk6YbvaFclFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%2BlZaYFf4thKmCEz1L
YOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4g9F3ECKcirpCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJj43TAR6A2mfiJpooxS
LrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=468dc441c14e596d</lasso:MsgRelay
State><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_C049913A6EB4F112B78718910CF3DD52</lasso:RequestID></la
sso:Login>
samld_send_common_reply [122]: Attr: 11, 1119, https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SA
MLRequest=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3uZCL5ukfiTAe62bz%2FitF37sGoSEuJwD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99Iz
wzV4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkKzgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0
PEyuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZtTygWNj9J5VVWixHzo8wtZbGZnnYApqyUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPh
iJL1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO9A2wNTtlRitFpcDm3Jzq%2F82awi854Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFn
EHKQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&RelayState=magic%3D468dc441c14e596d&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%
23rsa-sha1&Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4jEU7WVooPys1rxtqc6TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKIdPNk6YbvaFc
lFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%2BlZaYFf4thKmCEz1LYOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4g9F3ECKcir
pCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJj43TAR6A2mfiJpooxSLrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%3D%3

After analyzing the session, it appears that there is no subsequent message following the last occurrence of "samld_send_common_reply [122]." In a successful connection, however, I would typically expect to receive "__samld_sp_login_resp [831]" along with the corresponding SP Login Response Message Body.

idanieri · ‎07-20-2023

Thanks for the reply Thallapelly. I tried many times to post the reply with the log you requested but I continuously receive this message:

Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied.

Do you have some way to share this log with you? I also tried to attach the file into a post message but isn't possible.

Thanks in advance

nehakwilas · ‎07-20-2023

I had a same issue.

Try connecting to the VPN with different network to see if the issue persists.

idanieri · ‎07-24-2023

Thanks, I tried that but with no success... It looks like there is something wrong in the way the FortiClient uses the IPs deliverd by the DNS.

idanieri · ‎07-24-2023

Hi all, I went deeper in the troubleshooting and found out that this happens also in notebooks with Windows and it looks like there is some extrange behaviour with the DNS resolution from the FortiClient app itself.

We have a load balancer that resolves vpnssl.corp.com with two IPs, and there is a sticky connection rule to resolve the same IP depending the source IP address

Tests performed from macOS 13.4.1 and Windows 10:

I started with a "flushdns" before conducting the tests.
When performing a DNS query from the command line interface to vpnssl.corp.com, it provides us with the IPs 666.666.666.666 (primary) and 777.777.777.777 (secondary).
The Wireshark capture begins.
I open FortiClient and initiate the VPN connection. In Wireshark, I observe that the traffic is directed to 666.666.666.666 for SAML login. Once both the credentials and the token are accepted, the traffic is redirected to 777.777.777.777.
The 777.777.777.777 FGT send a RST message, I assume this happens because all the login went to the other host.
I also tried the FortiClient v7.2.0 but with the same result

Observations:

FortiClient performs a single DNS query at the start of the connection, where it receives the two IPs of vpnssl.corp.com.
FortiClient manages to validate the credentials but then, for some reason, it attempts to establish the connection against the secondary node.
I identified in the wireshark capture that FortiClient makes the decision to route the traffic to the secondary node without performing a new DNS query. This leads me to believe that it might be storing both IPs in the application's code and, by mistake, uses the secondary one at some point.