I'm not an expert on Mac, and have to rely on other users to test this. According to the logs there is an SSL error:
20240122 15:14:47 TZ=+0000 [FortiTray:DEBG] vpnconnection.mm:886 Server URL: https://vpn.site.com:443
20240122 15:14:47 TZ=+0000 [FortiTray:DEBG] vpnconnection.mm:408 Request: [GET] "/remote/info"
20240122 15:14:47 TZ=+0000 [FortiTray:DEBG] vpnconnection.mm:382 Resolved IP address 1.2.3.4 for domain name: vpn.site.com
20240122 15:14:49 TZ=+0000 [FortiTray:EROR] vpnconnection.mm:535 Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://1.2.3.4:443/remote/info, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <1C316736-E7BD-48BF-9E84-0F989B09BCCB>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <1C316736-E7BD-48BF-9E84-0F989B09BCCB>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://1.2.3.4:443/remote/info, NSUnderlyingError=0x600002ecc870 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816}}, _kCFStreamErrorCodeKey=-9816}
20240122 15:14:49 TZ=+0000 [FortiTray:EROR] vpnconnection.mm:729 Stop on error: Can not connect to VPN server.
My head tells me this is related to the name being used in the application as the remote address, but the certificate is attempting to validate against the IP address. I don't have a working Mac/VPN combo to verify that this is not "normal" behaviour. If this is the case, I assme it's a Forticlient bug? Can anyone point me in the direction of the bug ID, and a fixed version? If not, could you please explain what the above error is failing on?
Edit: Fortigate logs and packet captures show that the client is not sending the required client certificate, even though the certificate is visible and selected in the interface. This seems to be a common issue on Mac, but as far as I can tell all the required access has been granted. Is there a good set of documentation on how to get client certificates working with MacOS Ventura? We have read and applied the "special notice" instructions from the release notes, and applied the workaround for bug 870198
NB: FQDN and IPs were changed for privacy.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
In case you have access to the remote FGT try to checks logs from there as well.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
Hi AEK - thanks for the reply - I did check these and they show "No client certificate". This is backed up by a PCAP, so that does appear to be the issue.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.