Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JohnFisher
New Contributor

MacOS SSL VPN fails to connect (SSL error)

  • Deploying SSL VPN for emergency OOB access.
  • Certificate authenticated users (configure user peer)
  • Single profile for Tunnel and Web-mode access
  • Works from Windows using both browser and Forticlient
  • Web VPN works from browser on MacOS
  • FortiClient cannot connect on MacOS ("Network error. Can not connect to VPN server")
  • FortiClient 7.2.3 (VPN Only) and 7.0.10 (VPN Only)
  • MacOS 13.6.3
  • Full Disk Access is enabled for Forticlient and fctservctl

I'm not an expert on Mac, and have to rely on other users to test this. According to the logs there is an SSL error:

 

20240122 15:14:47 TZ=+0000 [FortiTray:DEBG] vpnconnection.mm:886 Server URL: https://vpn.site.com:443
20240122 15:14:47 TZ=+0000 [FortiTray:DEBG] vpnconnection.mm:408 Request: [GET] "/remote/info"
20240122 15:14:47 TZ=+0000 [FortiTray:DEBG] vpnconnection.mm:382 Resolved IP address 1.2.3.4 for domain name: vpn.site.com
20240122 15:14:49 TZ=+0000 [FortiTray:EROR] vpnconnection.mm:535 Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://1.2.3.4:443/remote/info, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <1C316736-E7BD-48BF-9E84-0F989B09BCCB>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <1C316736-E7BD-48BF-9E84-0F989B09BCCB>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://1.2.3.4:443/remote/info, NSUnderlyingError=0x600002ecc870 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816}}, _kCFStreamErrorCodeKey=-9816}
20240122 15:14:49 TZ=+0000 [FortiTray:EROR] vpnconnection.mm:729 Stop on error: Can not connect to VPN server.

 

My head tells me this is related to the name being used in the application as the remote address, but the certificate is attempting to validate against the IP address.  I don't have a working Mac/VPN combo to verify that this is not "normal" behaviour.  If this is the case, I assme it's a Forticlient bug?  Can anyone point me in the direction of the bug ID, and a fixed version?  If not, could you please explain what the above error is failing on?

 

Edit:  Fortigate logs and packet captures show that the client is not sending the required client certificate, even though the certificate is visible and selected in the interface.  This seems to be a common issue on Mac, but as far as I can tell all the required access has been granted.  Is there a good set of documentation on how to get client certificates working with MacOS Ventura?  We have read and applied the "special notice" instructions from the release notes, and applied the workaround for bug 870198

 

NB: FQDN and IPs were changed for privacy.

2 REPLIES 2
AEK
SuperUser
SuperUser

In case you have access to the remote FGT try to checks logs from there as well.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

AEK
AEK
JohnFisher
New Contributor

Hi AEK - thanks for the reply - I did check these and they show "No client certificate".  This is backed up by a PCAP, so that does appear to be the issue.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors