I am experiencing an issue with FortiClient VPN on a MacBook Pro M3. After successfully connecting to the corporate VPN server, I lose access to external internet services (e.g., Google, Spotify, and general web browsing), even though the VPN status shows as “Connected.” Below are the details for your reference:
Environment Details:
Symptoms:
Troubleshooting Steps Already Performed:
Additional Information:
The VPN is injecting a default route through the tunnel into your macOS. You can confirm this by displaying the routing table.
Can you confirm that the split tunnel config is enabled on your IPsec config from FGT side?
If so, then it is probably a bug related to FCT on macOS, or due to the macOS version. A workaround would be to remove the injected default route manually every time you connect, until a new FCT version fixes the issue.
Created on 02-12-2025 04:56 PM Edited on 02-12-2025 05:05 PM
Thank you for your prompt response.
```
Destination        Gateway            Flags               Netif Expire
default            [LAN_GATEWAY]      UGScg                 en0
default            [LAN_GATEWAY]      UGScIg                en0
[VPN_GATEWAY]      [LAN_GATEWAY]      UGSc                  en0
169.254            link#14            UCS                   en0      !
169.254.x.x/x      [VPN_GATEWAY]      UGSc                utun4
169.254.x.x        link#14            UHLSW                 en0      !
[VPN_GATEWAY]      [VPN_GATEWAY]      UGSc                utun4
[VPN_GATEWAY]      [VPN_GATEWAY]      UHr                 utun4
[VPN_GATEWAY]      link#22            UCS                 utun4
[LAN_GATEWAY]      link#14            UCS                   en0      !
[LAN_GATEWAY]      link#14            UCS                   en0      !
```
Additional Context:
The issue persists despite reinstalling FortiClient and testing multiple VPN profiles.
As mentioned earlier, the same configuration works flawlessly on Windows 11.
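As an added example that is not part of this thread, the script below parses a macOS `netstat -rn -f inet` style routing table like the one posted above and reports whether any default route points into a utun interface, which is the check the first reply suggests; both tables in it are constructed samples using documentation addresses, not the real gateways from the post.

```shell
# Added example (not from this thread): summarise the default routes in
# macOS "netstat -rn -f inet" output to confirm whether the VPN client
# injected a default route through the tunnel (utunN) or only the
# split-tunnel prefixes. On a real Mac pipe in the live table, e.g.
#   netstat -rn -f inet | default_routes
# Both tables below are constructed samples using documentation addresses.

# Modelled on the table in the post above: no default route via utun4.
SPLIT_TABLE='Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGScg       en0
default            192.0.2.1          UGScIg      en0
198.51.100.5       192.0.2.1          UGSc        en0
10.10.0.0/16       198.51.100.5       UGSc      utun4
192.0.2.0/24       link#14            UCS         en0      !'

# The situation the first reply describes: an extra default route into the tunnel.
FULL_TABLE='Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGScg       en0
default            198.51.100.5       UGScg     utun4
10.10.0.0/16       198.51.100.5       UGSc      utun4'

# Print one line per default route: "<netif> <gateway> <tunnel|physical>".
default_routes() {
  awk '$1 == "default" {
    kind = ($4 ~ /^utun[0-9]+$/) ? "tunnel" : "physical"
    print $4, $2, kind
  }'
}

# Exit 0 when some default route points into a utunN interface (full tunnel), 1 otherwise.
has_tunnel_default() {
  default_routes | awk 'BEGIN { rc = 1 } $3 == "tunnel" { rc = 0 } END { exit rc }'
}

# Count the specific (non-default) prefixes routed via utun interfaces;
# a working split-tunnel setup shows these and no tunnel default route.
tunnel_prefix_count() {
  awk '$1 != "default" && $1 != "Destination" && $4 ~ /^utun[0-9]+$/ { n++ } END { print n + 0 }'
}

report() {  # $1 = routing table text
  printf '%s\n' "$1" | default_routes
  if printf '%s\n' "$1" | has_tunnel_default; then
    echo "-> a default route goes through the tunnel: full tunnel, not split"
  else
    echo "-> no tunnel default; $(printf '%s\n' "$1" | tunnel_prefix_count) split-tunnel prefix(es)"
  fi
}
report "$SPLIT_TABLE"
report "$FULL_TABLE"
```

If the live table shows a default route on utunN while the FortiGate side has split tunnelling enabled, that is the injected route the first reply talks about; if it does not, look at DNS next, as the later reply suggests.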
Hi DaveRDev,
I have seen this issue before in Windows; it was caused by 'persistent routes' left over on that Windows machine. As per quick research, persistent routes sometimes do exist in macOS as well.
Perhaps you can check if there is a persistent route in this particular macOS:
https://chatgpt.com/share/67aff9a8-272c-8006-bb76-d13492fb373b
If I'm not wrong, I see there is no default gateway injected in your routing table. In that case you need to confirm if it is actually sending all traffic through the tunnel or not.
But now I'm suspecting that your DNS queries are being sent through the tunnel. Can you confirm that? If it is confirmed then you will need to disable injecting DNS server info.
On the other hand, here is how you confirm if split tunneling is enabled on your FGT IPsec config.
Thank you for your feedback.
I am using FortiClient VPN-only version and there is no split tunneling option available in the GUI or advanced settings.
To clarify my setup:
I am connecting to a remote organizational network via IPsec VPN (FortiClient VPN-only version).
I believe the issue may be related to a specific configuration on my MacBook (i.e., client-side), as the same VPN connection works correctly on a Windows device using the same network and credentials. This leads me to rule out a server-side misconfiguration or internal network policy issue, since the behavior is consistent across other devices. I suspect factors such as macOS network settings, local firewall conflicts, or even macOS Sequoia itself might be interfering with the VPN connection.
Exact same issue here; colleagues on Windows machines have no problem. Using the VPN Only app, macOS Sequoia 15.5. Did you find a solution, Dave?
Copyright 2025 Fortinet, Inc. All Rights Reserved.