Hello,
we have been experiencing issues with ssl vpn access from MacOs devices using forticlient 7.0.
The vpn uses Azure MFA with SAML SSO authentication.
The user can access the vpn via web browser but it's not a practical solution.
When accessing using forticlient the following error is displayed "The response from https://vpn.xx.xx:4443 was invalid".
From the Fortigate logs we have extracted the following error: "sslConnGotoNextState:301 error (last state: 1, closeOp: 0)"
We've researched the issue and found that fortitray had to be enabled or else vpn would not work, even this didn't resolve our issue.
We're aware of certain known issues for this vpn configuration specific for the forticlient macos releases:
https://docs.fortinet.com/document/forticlient/7.0.0/macos-release-notes/124818/known-issues
We' would like to know if it's possible to determine which of these bugs is related and if there's any workaround to apply until fortinet resolves it.
Any suggestion on the matter would be appreciated.
Thank you
Peter
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey Peter
Is the issue macOS specific, so Windows/other OS FortiClients are unaffected? What about web-mode SSLVPN, does that work?
-> would help us narrow down if this is a general VPN issue, or if it is specifically a FortiClient/macOS issue
If you have a ticket with FortiGate support to investigate from that side, you should be able to ask if it is possible to get an earlier version of FortiCient to verify if the issue is with the specific FortiClient version.
As for the known issues you listed, these two could almost certainly cause the issue you outlined:
678564: FortiClient (macOS) does not honor remoteauthtimeout
or login-timeout
from FortiGate with SAML authentication.
-> remoteauthtimeout in particular; this is how long the FortiGate waits for a response from the remote auth server (in this case SAML IdP) before discarding the authentication, and in SAML MFA in particular, the entire login process can take a minute or so. Default value on the FortiGate is 5 seconds; I am not sure what value macOS FortiClient would enforce when ignoring remoteauthtimeout
684913: SAML authentication on SSL VPN with realms does not work
If you have SSLVPN realms (login at realm.<vpn>:<port> or <vpn>:<port>/<realm>), you might want to consider a test setup without realms to see if that resolves your issue.
Hello Debbie,
thank you for your response!
Yes the issue only happens when using forticlient on macos, it works from windows pcs and it also works using a web browser.
I'll try and perform the tests you suggested and will then update this thread.
I'm also having this problem. It just sits for few minutes, does not launch the SSO login prompt, then eventually states "the response from https://xyz.com.au:10443 was invalid"
Hi Tully,
If it sits there for minutes, that is a very different problem. The poster had it working but had error messages and reported it worked from the sslvpn web. Does it work for you on SSLVPN web? Better to post in a new thread (makes this easier to read and understand in 2 years time when someone finds this).
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.