Hello Everyone,
I'm experiencing a peculiar issue with our FortiClient VPN on Mac systems and I was hoping to get some guidance or suggestions from this community.
We have integrated Azure AD SSO with our FortiGates within our organization. The problem we're facing is quite random. Mac users, when trying to connect, occasionally receive an error message stating: "Network error. Cannot connect to VPN server". The strange thing is that after several connection attempts, they are eventually able to connect. I've tried a number of troubleshooting steps, but the problem persists.
Below is the fortitray.log with details (I removed sensitive data):
20230716 12:42:34 [FortiTray:INFO] VpnManager.swift:1314 SAML VPN login from GUI: VPN Corp
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:879 Start SAML VPN: VPN Corp
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:882 FortiTray is launching application
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:886 fcpath: /Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiTray.app
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:902 FortiTray is finished application
20230716 12:42:34 [FortiTray:INFO] FctBridge.m:908 FortiTray is sending GUI saml start message
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:558 Waiting GUI login SAML VPN: VPN Corp
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:34 [FortiTray:DEBG] AppDelegate.swift:189 Received message: reload config
20230716 12:42:34 [FortiTray:DEBG] VPNMessageBridge.m:493 Request VPN statistics
20230716 12:42:38 [FortiTray:INFO] VPNMessageBridge.m:439 Request VPN connect
20230716 12:42:38 [FortiTray:DEBG] VPNMessageBridge.m:466 SAML VPN profile: VPN Corp
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1311 Connect SAML VPN: VPN Corp
20230716 12:42:38 [FortiTray:DEBG] VpnManager.swift:756 On VPN status change: DisconnectedBecauseOfError("Network error. Can not connect to VPN server.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError) -> Connecting
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:791 VPN connecting
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:42:38 [FortiTray:INFO] FctBridge.m:123 Public IP retrieved: 777.777.777.777
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:676 Server URL: https://vpnssl.corp.com:10443
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:298 Request: [POST] "/remote/saml/login"
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 888.888.888.888 for domain name: vpnssl.corp.com
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:507 Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x600002203fc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x600000f77890 [0x1f469c7f8]>{length = 16, capacity = 16, bytes = 0x100228cbc80aaa6b0000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <25F0F364-43F7-4D5F-B01E-A6B59E7BE6E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <25F0F364-43F7-4D5F-B01E-A6B59E7BE6E0>.<1>"
), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https://888.888.888.888:10443/remote/saml/login, NSErrorFailingURLKey=https://888.888.888.888:10443/remote/saml/login, _kCFStreamErrorDomainKey=4}
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:536 Stop on error: Can not connect to VPN server.
20230716 12:42:39 [FortiTray:DEBG] vpnconnection.mm:520 Stop process.
20230716 12:42:39 [FortiTray:DEBG] vpnconnection.mm:564 Cancel http. http task is running: No
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:2117 Notification: Cancel input
20230716 12:42:39 [FortiTray:INFO] sslvpn_bridge.mm:209 VPN login exception: [1] Can not connect to VPN server.
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:1926 Notification: Login network error. Can not connect to VPN server.
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:741 No retry on manual connect
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:756 On VPN status change: Connecting -> DisconnectedBecauseOfError("Network error. Can not connect to VPN server.", true, FortiTray.VpnStatus.DisconnectedErrorType.CommonError)
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:766 VPN disconnected because of error: Network error. Can not connect to VPN server.
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:634 On VPN session end
20230716 12:42:39 [FortiTray:EROR] sslvpn_bridge.mm:638 Failed to get auth token.
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:673 Waiting for VPN session to end
20230716 12:42:39 [FortiTray:DEBG] sslvpn_bridge.mm:582 VPN session wait until finished
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:675 VPN session ended
20230716 12:42:39 [FortiTray:DEBG] VpnManager.swift:684 On VPN disconnected
Has anyone encountered a similar issue? If so, any advice or suggestions on potential solutions would be greatly appreciated.
Thanks in advance for your time and help!
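Before chasing the IdP side, the client log above already carries the two fields needed to test a "one of the two gateway addresses misbehaves" hypothesis: the address FortiClient resolved for vpnssl.corp.com and whether the POST to /remote/saml/login then died with NSURLErrorDomain -1005 (NSURLErrorNetworkConnectionLost: the TCP connection was closed underneath an in-flight request, which is different from a refused or timed-out connect). The following Python is an added example, not code from the post or from Fortinet. The log lines it parses are constructed in the fortitray.log format quoted above, with documentation-range addresses; it groups attempts by resolved IP so that a failure rate skewed toward one backend stands out:

```python
import re
from collections import defaultdict

# Constructed sample in the fortitray.log format quoted in the post (not real data;
# the addresses are documentation ranges). Three connection attempts: the first two
# resolve to one backend and die with NSURLErrorDomain -1005 ("connection lost"),
# the third resolves to the other backend and shows no error.
SAMPLE_LOG = """\
20230716 12:42:38 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:298 Request: [POST] "/remote/saml/login"
20230716 12:42:38 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 198.51.100.10 for domain name: vpnssl.corp.com
20230716 12:42:39 [FortiTray:EROR] vpnconnection.mm:507 Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost."
20230716 12:42:39 [FortiTray:INFO] VpnManager.swift:766 VPN disconnected because of error: Network error. Can not connect to VPN server.
20230716 12:43:02 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:43:02 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 198.51.100.10 for domain name: vpnssl.corp.com
20230716 12:43:03 [FortiTray:EROR] vpnconnection.mm:507 Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost."
20230716 12:43:30 [FortiTray:INFO] VpnManager.swift:1112 Start VPN: VPN Corp
20230716 12:43:30 [FortiTray:DEBG] vpnconnection.mm:298 Request: [POST] "/remote/saml/login"
20230716 12:43:30 [FortiTray:DEBG] vpnconnection.mm:388 Resolved IP address 198.51.100.11 for domain name: vpnssl.corp.com
"""

START_RE = re.compile(r"Start VPN: (?P<profile>.+)$")
RESOLVED_RE = re.compile(r"Resolved IP address (?P<ip>\S+) for domain name: (?P<host>\S+)")
ERROR_RE = re.compile(r"\[FortiTray:EROR\].*NSURLErrorDomain Code=(?P<code>-?\d+)")


def parse_attempts(log_text):
    """Split a fortitray.log into connection attempts.

    An attempt starts at "Start VPN:" and runs until the next one. For each attempt
    record the timestamp, the profile, the IP the client resolved for the gateway
    hostname and the first NSURLErrorDomain code seen (None if none was logged).
    """
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            if current is not None:
                attempts.append(current)
            current = {"ts": line[:17], "profile": m.group("profile"),
                       "ip": None, "host": None, "error": None}
            continue
        if current is None:
            continue  # lines before the first attempt are not interesting here
        m = RESOLVED_RE.search(line)
        if m:
            current["ip"], current["host"] = m.group("ip"), m.group("host")
            continue
        m = ERROR_RE.search(line)
        if m and current["error"] is None:
            current["error"] = int(m.group("code"))
    if current is not None:
        attempts.append(current)
    return attempts


def failures_by_ip(attempts):
    """Count attempts and NSURLErrorDomain failures per resolved backend IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0})
    for a in attempts:
        key = a["ip"] or "unresolved"
        stats[key]["attempts"] += 1
        if a["error"] is not None:
            stats[key]["failed"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, s in failures_by_ip(parse_attempts(SAMPLE_LOG)).items():
        print(f"{ip:>16}  attempts={s['attempts']}  failed={s['failed']}")
```

Run it against the real fortitray.log from an affected Mac. Failures concentrated on one address point at the load balancer or that particular backend rather than at SAML itself; an even spread across both addresses points elsewhere, and the samld debug on the FortiGate becomes the next thing to look at.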
Hello idanieri,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Idanieri,
Thank you for the query!
Could you confirm whether you have taken sslvpnd and samld debug logs from the firewall while trying to connect to the VPN from the Mac machines?
Please share the output of the following debugs, captured while the issue is happening:
di de reset
di de app samld -1
di de en
Once the above commands are run, please try to connect from the Mac machine, and once the error is seen, stop the debugs using:
di de di
di de reset
Thank you!
Thallapelly Thrilok.
Hi Thallapelly, thanks for your reply. Below is the debug log from the FGT:
SSLVPN-01 # diagnose debug application samld -1
Debug messages will be on for 30 minutes.
SSLVPN-01 # diagnose debug enable
SSLVPN-01 # __samld_sp_create_auth_req [447]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
__samld_sp_create_auth_req [467]:
**** AuthnRequest URL ****
https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SAMLRequest=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3u
ZCL5ukfiTAe62bz%2FitF37sGoSEuJwD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99IzwzV4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7
K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkKzgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0PEyuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZt
TygWNj9J5VVWixHzo8wtZbGZnnYApqyUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPhiJL1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO
9A2wNTtlRitFpcDm3Jzq%2F82awi854Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFnEHKQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&RelayState
=magic%3D468dc441c14e596d&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4
jEU7WVooPys1rxtqc6TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKIdPNk6YbvaFclFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%
2BlZaYFf4thKmCEz1LYOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4g9F3ECKcirpCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJ
j43TAR6A2mfiJpooxSLrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%3D%3D
***********************
__samld_sp_create_auth_req [481]:
**** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_C049913A6EB4F112B78718910CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443/remote/saml/login"><saml:Issuer>https://888.888.888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
***********************
__samld_sp_create_auth_req [486]:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns
:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_C049913A6EB4F112B787189
10CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https://login.microsoftonline.com/c4a8886b-f140-478b-ac4
7-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.
0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443/remote/saml/login"><saml:Issuer>https://888.888.
888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" Al
lowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/c4a8886b-f140-478b-ac47-249
555c30afd/</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SAML
Request=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3uZCL5ukfiTAe62bz%2FitF37sGoSEuJwD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99Izwz
V4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkKzgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0PE
yuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZtTygWNj9J5VVWixHzo8wtZbGZnnYApqyUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPhiJ
L1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO9A2wNTtlRitFpcDm3Jzq%2F82awi854Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFnEH
KQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&RelayState=magic%3D468dc441c14e596d&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxm
ldsig%23rsa-sha1&Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4jEU7WVooPys1rxtqc6TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKId
PNk6YbvaFclFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%2BlZaYFf4thKmCEz1LYOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4
g9F3ECKcirpCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJj43TAR6A2mfiJpooxSLrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%
3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=468dc441c14e596d</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequest
Method><lasso:RequestID>_C049913A6EB4F112B78718910CF3DD52</lasso:RequestID></lasso:Login>
***********************
samld_send_common_reply [114]: Code: 0, id: 61847, data_len: 3439
samld_send_common_reply [122]: Attr: 14, 2304, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns
:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Reque
st><samlp:AuthnRequest ID="_C049913A6EB4F112B78718910CF3DD52" Version="2.0" IssueInstant="2023-07-20T14:32:35Z" Destination="https
://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive=
"false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://888.888.888.888:10443
/remote/saml/login"><saml:Issuer>https://888.888.888.888:10443/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oa
sis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>
https://sts.windows.net/c4a8886b-f140-478b-ac47-249555c30afd/</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.
com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SAMLRequest=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3uZCL5ukfiTAe62bz%2FitF37sGoSEuJ
wD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99IzwzV4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkK
zgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0PEyuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZtTygWNj9J5VVWixHzo8wtZbGZnnYApq
yUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPhiJL1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO9A2wNTtlRitFpcDm3Jzq%2F82awi85
4Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFnEHKQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&RelayState=magic%3D468dc441c14e596d&
amp;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4jEU7WVooPys1rxtqc6
TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKIdPNk6YbvaFclFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%2BlZaYFf4thKmCEz1L
YOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4g9F3ECKcirpCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJj43TAR6A2mfiJpooxS
LrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=468dc441c14e596d</lasso:MsgRelay
State><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_C049913A6EB4F112B78718910CF3DD52</lasso:RequestID></la
sso:Login>
samld_send_common_reply [122]: Attr: 11, 1119, https://login.microsoftonline.com/c4a8886b-f140-478b-ac47-249555c30afd/saml2?SA
MLRequest=jZJfb9sgFMW%2FisW7bbBx7KAkUhIvWqR2s5psD3uZCL5ukfiTAe62bz%2FitF37sGoSEuJwD9zf0V14rtWZrcfwYO7gxwg%2BJL%2B0Mp5NF0s0OsMs99Iz
wzV4FgQ7rG9vWJFhdnY2WGEVemV538G9BxekNSjZt0v0fYvpfE7K9ezDhu4IKTZ1U5NmTvB2V7ZtVaDkKzgf65co2qPJ%2BxH2xgduQpRwUaa4Tgt8JJSVBSurbyhpI4M0
PEyuhxDOnuW5svfSZFoKZ70dgjVKGsiE1bmgvGma2SkdCMUprZtTygWNj9J5VVWixHzo8wtZbGZnnYApqyUauPJw6aiLUPIRXpTuKZWNNL009%2B8HcroWefbxeOzS7vPh
iJL1c0hba%2FyowR3APUoBX%2B5u%2FgIVGGckrlkdt5oRTGmZO9A2wNTtlRitFpcDm3Jzq%2F82awi854Ev8tf2xXVYPkWKfdtZJcXvSySah39DkoxMiuzTYSplo%2FFn
EHKQ0EdWpezPrQMeYoDBjYDy1fXTt0O5%2BgM%3D&RelayState=magic%3D468dc441c14e596d&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%
23rsa-sha1&Signature=DD5ighdlLPkxVgbdafFp%2BRztvPP4jEU7WVooPys1rxtqc6TqZM2TtePra9enm46L%2FFeR5BfPTwRrFPznwMRPhWwWQ5KKKIdPNk6YbvaFc
lFYNhDbGUuMJ3TmUteFyMPLKQh5NtevLHVXvR54t%2BCtNr0ne%2BlZaYFf4thKmCEz1LYOHT6nFTmYZ%2FqGUyX0YyQL1pYc9bid%2B26LyY%2BRcOLxOn4g9F3ECKcir
pCmMQQC0LjSwZxyQnjWsXkPUzlb8iqkwdO6co1qtXPslM9ACiwJj43TAR6A2mfiJpooxSLrUeO8borYmBReZtCwIZVQQjj41Y7On%2FcIyG7JCAK0IsPxWQ%3D%3
After analyzing the session, it appears that there is no subsequent message following the last occurrence of "samld_send_common_reply [122]." In a successful connection, however, I would typically expect to receive "__samld_sp_login_resp [831]" along with the corresponding SP Login Response Message Body.
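The AuthnRequest URL in the samld output is the HTTP-Redirect encoding of the request (raw DEFLATE, base64, URL-encoded into the SAMLRequest query parameter, with SigAlg and Signature alongside; the ProtocolBinding attribute inside the request, HTTP-POST, is how the IdP is asked to return the Response to the ACS). The following Python is an added example, not code from the post or from Fortinet. It builds a request with the same attribute set as the one dumped above, round-trips it through that encoding, and then pulls out the AssertionConsumerServiceURL and Issuer for inspection. The request ID, RelayState value, tenant ID and addresses are constructed. The point worth checking on a real capture: the request in the debug output carries the resolved address rather than vpnssl.corp.com in both fields, and whatever the IdP has registered as reply URL and identifier has to match what the gateway actually sends.

```python
import base64
import ipaddress
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(req_id, issuer, acs_url, destination, issue_instant):
    """Build an AuthnRequest with the attribute set seen in the samld dump on the page."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" ForceAuthn="false" IsPassive="false" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
        f'AllowCreate="true"/>'
        f"</samlp:AuthnRequest>"
    )


def encode_redirect(xml_text, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                      "RelayState": relay_state})


def decode_redirect(query_string):
    """Reverse of encode_redirect; returns (xml_text, relay_state)."""
    params = parse_qs(query_string)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(deflated, -15).decode("utf-8")
    return xml_text, params.get("RelayState", [None])[0]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_acs(xml_text, expected_host):
    """Extract ACS URL and Issuer from a decoded AuthnRequest, compare their host with
    the name users actually connect to, and flag IP literals (an IdP rarely has those
    registered as reply URL or identifier)."""
    root = ET.fromstring(xml_text)
    acs = root.get("AssertionConsumerServiceURL")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    findings = []
    for label, url in (("AssertionConsumerServiceURL", acs), ("Issuer", issuer)):
        host = urlsplit(url).hostname
        if host != expected_host:
            findings.append(f"{label} host {host!r} differs from expected {expected_host!r}")
        if _is_ip_literal(host):
            findings.append(f"{label} uses an IP literal: {url}")
    return {"acs": acs, "issuer": issuer, "findings": findings}


# Constructed values: the tenant path form and the port follow the page; the tenant
# ID, request ID, RelayState and addresses are made up for the example.
DESTINATION = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
RELAY_STATE = "magic=0123456789abcdef"


def example(acs_host):
    """Encode, decode and check a request whose ACS/Issuer use acs_host."""
    xml_text = build_authn_request(
        req_id="_EXAMPLE0000000000000000000000001",
        issuer=f"https://{acs_host}:10443/remote/saml/metadata",
        acs_url=f"https://{acs_host}:10443/remote/saml/login",
        destination=DESTINATION,
        issue_instant="2023-07-20T14:32:35Z",
    )
    query = encode_redirect(xml_text, RELAY_STATE)
    decoded, relay = decode_redirect(query)
    assert decoded == xml_text and relay == RELAY_STATE
    return check_acs(decoded, "vpnssl.corp.com")


if __name__ == "__main__":
    for host in ("198.51.100.10", "vpnssl.corp.com"):
        print(host, "->", example(host)["findings"] or ["no findings"])
```

To use it on the page's data, feed the query string of the AuthnRequest URL (everything after `saml2?`) to decode_redirect and the result to check_acs with the FQDN users type. The decoder does not verify the Signature parameter; that requires the SP's signing certificate and is a separate check.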
Thanks for the reply, Thallapelly. I tried many times to post the reply with the log you requested, but I continuously receive this message:
Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied.
Is there some way I can share this log with you? I also tried to attach the file to a post, but that isn't possible.
Thanks in advance
I had the same issue.
Try connecting to the VPN with different network to see if the issue persists.
Thanks, I tried that but with no success... It looks like there is something wrong in the way the FortiClient uses the IPs delivered by the DNS.
Hi all, I went deeper in the troubleshooting and found out that this also happens on Windows notebooks, and it looks like there is some strange behaviour in the DNS resolution done by the FortiClient app itself.
We have a load balancer that resolves vpnssl.corp.com to two IPs, and there is a sticky rule that returns the same IP depending on the source IP address.
Tests performed from macOS 13.4.1 and Windows 10:
Observations: