Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VPN Connection Blocks Internet Access on MacBook M...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Connection Blocks Internet Access on MacBook M3 (macOS Sequoia 15.3) - FortiClient 7.4.2
I am experiencing an issue with FortiClient VPN on a MacBook Pro M3. After successfully connecting to the corporate VPN server, I lose access to external internet services (e.g., Google, Spotify, and general web browsing), even though the VPN status shows as “Connected.” Below are the details for your reference:
Environment Details:
- FortiClient Version: 7.4.2
- macOS Version: Sequoia 15.3
- Device: MacBook Pro M3
- VPN Configuration: IPsec VPN
Symptoms:
- VPN connection establishes successfully.
- No internet access for external services (e.g., browsers, apps like Spotify).
- Internal corporate resources (e.g., intranet, servers) are accessible without issues.
- DNS resolution fails for public domains (e.g., google.com), but IP-based pinging (e.g., 8.8.8.8) works.
Troubleshooting Steps Already Performed:
- Tested with IPsec protocol (issue persists).
- Temporarily disabled macOS firewall (no impact).
- Confirmed the issue occurs only when VPN is active
Additional Information:
- No errors appear in FortiClient logs, but VPN connectivity seems to override external routing.
- Note: The same VPN configuration was tested on a Windows 11 device (FortiClient 7.4.2), and internet access worked correctly alongside the VPN connection. This confirms the issue is isolated to the macOS Sequoia environment.
FortiClient
FortiClient
Labels:
- Labels:
-
FortiClient
-
IPsec
3433
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The VPN is injecting to your MacOS a default route through the tunnel. You can confirm by displaying the routing table.
Can you confirm that the split tunnel config is enabled on your IPsec config from FGT side?
If so, then it is probably a bug related to FCT on MacOS, or due to the MacOS version. A workaround would be to remove the injected default route manually every time you connect, until a new FCT version fixes the issue.
AEK
AEK
Created on 02-12-2025 04:56 PM Edited on 02-12-2025 05:05 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your prompt response.
- Split Tunneling:
As mentioned earlier, the split tunneling option is not visible in the FortiClient GUI. - Routing Table:
Below is a sanitized version of the routing table after connecting to the VPN:
Destination Gateway Flags Netif Expire
default [LAN_GATEWAY] UGScg en0
default [LAN_GATEWAY] UGScIg en0
[VPN_GATEWAY] [LAN_GATEWAY] UGSc en0
169.254 link#14 UCS en0 !
169.254.x.x/x [VPN_GATEWAY] UGSc utun4
169.254.x.x link#14 UHLSW en0 !
[VPN_GATEWAY] [VPN_GATEWAY] UGSc utun4
[VPN_GATEWAY] [VPN_GATEWAY] UHr utun4
[VPN_GATEWAY] link#22 UCS utun4
[LAN_GATEWAY] link#14 UCS en0 !
[LAN_GATEWAY] link#14 UCS en0 !
Additional Context:
The issue persists despite reinstalling FortiClient and testing multiple VPN profiles.
As mentioned earlier, the same configuration works flawlessly on Windows 11.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi DaveRDev,
I have seen this issue before in Windows, it was caused by 'persistent routes' leftover in that Windows machine. As per quick research, persistent routes sometime do exist in macOS as well.
Perhaps you can check if there is persistent route in this particular macOS:
https://chatgpt.com/share/67aff9a8-272c-8006-bb76-d13492fb373b
Regards,
Bon
Bon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I'm not wrong I see there is no default gateway injected in your routing table. In that case you need to confirm if it is actually sending all traffic through the tunnel or not.
But now I'm suspecting that your DNS queries are being sent through the tunnel. Can you confirm that? If it is confirmed then you will need to disable injecting DNS server info.
On the other hand here is how you confirm if split tunneling is enabled on your FGT IPsec config.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your feedback.
I am using FortiClient VPN-only version and there is no split tunneling option available in the GUI or advanced settings.
To clarify my setup:
I am connecting to a remote organizational network via IPsec VPN (FortiClient VPN-only version).
- I do not have administrative access to the FortiGate server or internal network configurations. The VPN profile is managed by the organization, and I cannot modify server-side settings (e.g., split tunneling, DNS policies).
I believe the issue may be related to a specific configuration on my MacBook (i.e., client-side), as the same VPN connection works correctly on a Windows device using the same network and credentials. This leads me to rule out a server-side misconfiguration or internal network policy issue, since the behavior is consistent across other devices. I suspect factors such as macOS network settings, local firewall conflicts, or even the macOS Sequoia might be interfering with the VPN connection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exact same issue here, colleagues on windows machine's have no problem. Using VPN Only app, MacOS Sequoia 15.5. Did you find a solution Dave?
Labels
-
FortiGate
10,646 -
FortiClient
2,169 -
FortiManager
892 -
5.2
687 -
FortiAnalyzer
683 -
5.4
638 -
FortiSwitch
589 -
FortiClient EMS
567 -
FortiAP
562 -
IPsec
422 -
6.0
416 -
SSL-VPN
385 -
FortiMail
372 -
5.6
362 -
FortiNAC
288 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
197 -
FortiAuthenticator
178 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
78 -
ZTNA
77 -
Routing
75 -
Fortivoice
73 -
SAML
73 -
DNS
72 -
VLAN
71 -
BGP
70 -
FortiEDR
69 -
FortiADC
68 -
Authentication
68 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
FortiLink
57 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
46 -
Application control
46 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
36 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
API
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
WAN optimization
21 -
FortiMonitor
20 -
OSPF
20 -
FortiSoar
19 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2612 | |
| 1390 | |
| 804 | |
| 666 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.