ppatel
Article Id 198179

Description


This article describes how to fix the 'IP not updating' problem with FortiGuard DDNS.
When the public IP of the FortiGate changes, the FortiGuard DDNS update must go out over one specific ISP interface, and sometimes FortiGuard DDNS does not update the IP.

One possible solution is to configure static routing so that traffic from the FortiGate to the FortiGuard IP addresses leaves through that specific internet connection. This is shown below, together with other possible causes of the problem.

Related document.
https://docs.fortinet.com/document/fortigate/latest/administration-guide/685361/ddns

Solution


One common solution is to configure a static route to a known FortiGuard IP through the specific ISP Internet connection.
First, make sure that the FortiGate knows the new IP address. It is shown in the Dashboard status widget, or under Network -> DNS.

Make sure this is the correct public IP that should be updated in DDNS. If it is not correct, run the following commands to check whether the FortiGate has detected the new public IP:

 

# diag sys waninfo

# diag sys waninfo ipify


Run the following command from the CLI to find out the IP address used by FortiGate for the DDNS server:

# diagnose test application ddnscd 3

FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230     <-- FortiGuard IP used to create the static route.
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com

(Article: checking DDNS settings)

 

Creating the static Route:

# config router static
     edit 0
       set status enable
       set dst 208.91.113.230
       set gateway <ip_gateway>     <- ISP's IP (remote IP).
       set device <interface_name>  <- wan interface (internet connection)
     next
  end

 

Another step is to manually set the FortiGuard DDNS server IP address to a fixed one.

This ensures the server IP is not changed automatically, which would render the static route useless:

 

# config system fortiguard
    set ddns-server-ip 208.91.113.230
  end

 

Alternatively, another FortiGuard IP that can be used:

 

set ddns-server-ip 173.243.138.225
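The three steps above (read the server IP from `diagnose test application ddnscd 3`, create the static route, pin `ddns-server-ip`) are easy to get out of sync: if the pinned server IP is not the one the route covers, the update traffic leaves over the wrong ISP again. The following added example, which is not part of the article and not Fortinet code, parses a constructed copy of the `ddnscd 3` listing, renders the two FortiOS stanzas in the article's own form, and checks that the pinned IP is covered by a route. The gateway and interface name are placeholders.

```python
import re

# Constructed sample, modelled on the "diagnose test application ddnscd 3"
# listing in the article; it is not a capture from a real device.
SAMPLE_DDNSCD_STATUS = """\
FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
"""

# "svr[N]= a.b.c.d" lines; no end anchor so a trailing "<-- ..." remark is tolerated.
_SVR_RE = re.compile(r"^svr\[(\d+)\]=\s*(\d{1,3}(?:\.\d{1,3}){3})", re.M)
_DOMAIN_RE = re.compile(r"^domain\[(\d+)\]=\s*(\S+)", re.M)
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ddnscd_status(text):
    """Extract the active server IP/port, the svr[] list and the domain[] list."""
    result = {"ddns_ip": None, "ddns_port": None, "servers": [], "domains": []}
    for line in text.splitlines():
        if line.startswith("ddns_ip="):
            kv = dict(_KV_RE.findall(line))
            result["ddns_ip"] = kv.get("ddns_ip")
            result["ddns_port"] = int(kv["ddns_port"]) if "ddns_port" in kv else None
    # Keep svr[]/domain[] entries in index order regardless of listing order.
    result["servers"] = [ip for _, ip in sorted(_SVR_RE.findall(text), key=lambda m: int(m[0]))]
    result["domains"] = [d for _, d in sorted(_DOMAIN_RE.findall(text), key=lambda m: int(m[0]))]
    return result


def render_static_routes(servers, gateway, device):
    """One 'config router static' entry per server IP, in the form the article uses.

    'edit 0' lets FortiOS allocate the next free sequence number; gateway and
    device are the ISP next hop and the wan interface (placeholders here).
    """
    lines = ["config router static"]
    for ip in servers:
        lines += [
            "    edit 0",
            "        set status enable",
            f"        set dst {ip}",
            f"        set gateway {gateway}",
            f'        set device "{device}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def render_pinned_server(ip):
    """The 'config system fortiguard' stanza that pins the DDNS server IP."""
    return "\n".join(["config system fortiguard", f"    set ddns-server-ip {ip}", "end"])


def route_covers_pinned_server(servers, pinned_ip):
    """True when the pinned ddns-server-ip is one of the IPs a static route was built for."""
    return pinned_ip in servers


if __name__ == "__main__":
    status = parse_ddnscd_status(SAMPLE_DDNSCD_STATUS)
    print(render_static_routes(status["servers"], "<ip_gateway>", "<interface_name>"))
    print(render_pinned_server(status["servers"][0]))
    print("route covers pinned IP:", route_covers_pinned_server(status["servers"], status["servers"][0]))
```

If the check returns False (for example after switching to the alternative IP 173.243.138.225 without adding a matching route), add a route for the newly pinned IP before testing again.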

 

If the problem persists, make sure the correct configuration is in place on the unit, then run the debug commands below to show potential problems with DDNS:

diagnose debug application update -1

diagnose debug application ddnscd -1

diagnose debug enable

(wait 5-10 minutes until the timeout expires and relevant output is produced)

diagnose debug disable

 

The following errors may be seen:

 

Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to internal/config/connect/io err

--> This usually points to a routing error.
A possible fix, if an ISP router and a local subnet are used on the wan interface, is to change the following in the DDNS setup:

 

# config system ddns

  show
    edit 1
      set use-public-ip enable     <-  make sure this is enabled
      set monitor-interface "port4" <- make sure this is the wan interface
    next
   end

 

failed to establish SSL connection

--> This shows a problem connecting to the FortiGuard servers. Check the FortiGuard settings and change them accordingly. See this article for details (last steps).

 

next wait timeout 10 seconds

--> This is not an error but a repeating timer message showing that the DDNS daemon is active. In some cases, however, it may be the only thing displayed (no other output even after 15 minutes).

In this case, try restarting the DDNS connection:

 

exec update-now

diagnose test app ddnscd 2

diagnose test app ddnscd 4
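The three messages above are the ones worth picking out of a long `diagnose debug application ddnscd -1` capture, and the article's guidance maps each to a next step. The following added example, which is not part of the article and not Fortinet code, runs that mapping over a constructed debug capture built from the message strings quoted above. The fourth error variant (`io`) and the sum of `next wait timeout` seconds as an estimate of elapsed time are assumptions of this example, not statements from the article.

```python
import re

# Constructed sample of "diagnose debug application ddnscd -1" output, assembled
# from the message strings the article quotes; not a real FortiGate capture.
SAMPLE_DEBUG_LOG = """\
next wait timeout 10 seconds
next wait timeout 10 seconds
Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to connect err
next wait timeout 10 seconds
failed to establish SSL connection
next wait timeout 10 seconds
"""

# (pattern, finding, what the article says to check), in the article's order.
RULES = [
    (re.compile(r"Failed on update FortiGuardDDNS \(([^)]+)\), due to (internal|config|connect|io) err"),
     "update-failed",
     "usually a routing error: check the static route, use-public-ip and monitor-interface"),
    (re.compile(r"failed to establish SSL connection"),
     "ssl-failed",
     "cannot reach FortiGuard servers: review config system fortiguard"),
    (re.compile(r"next wait timeout (\d+) seconds"),
     "heartbeat",
     "not an error; the DDNS daemon is active"),
]


def classify_line(line):
    """Return (finding, hint, regex groups) for a known message, or None."""
    for pattern, finding, hint in RULES:
        m = pattern.search(line)
        if m:
            return finding, hint, m.groups()
    return None


def summarize_debug(text, idle_limit_s=900):
    """Count findings and pick the next step the article recommends.

    Verdicts: 'routing' (update failure seen), 'fortiguard-connectivity'
    (SSL failure seen), 'stalled' (only heartbeats for at least idle_limit_s,
    15 minutes by default, so a restart with exec update-now is the next step)
    or 'no-finding'.
    """
    counts = {"update-failed": 0, "ssl-failed": 0, "heartbeat": 0, "other": 0}
    domains = set()
    heartbeat_seconds = 0  # assumption: summing the wait timers approximates elapsed time
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = classify_line(line)
        if hit is None:
            counts["other"] += 1
            continue
        finding, _, groups = hit
        counts[finding] += 1
        if finding == "update-failed":
            domains.add(groups[0])
        elif finding == "heartbeat":
            heartbeat_seconds += int(groups[0])

    if counts["update-failed"]:
        verdict = "routing"
    elif counts["ssl-failed"]:
        verdict = "fortiguard-connectivity"
    elif counts["heartbeat"] and counts["other"] == 0 and heartbeat_seconds >= idle_limit_s:
        verdict = "stalled"
    else:
        verdict = "no-finding"
    return {"counts": counts, "domains": sorted(domains),
            "heartbeat_seconds": heartbeat_seconds, "verdict": verdict}


if __name__ == "__main__":
    summary = summarize_debug(SAMPLE_DEBUG_LOG)
    print(summary)
    for line in SAMPLE_DEBUG_LOG.splitlines():
        hit = classify_line(line)
        if hit and hit[0] != "heartbeat":
            print(f"{hit[0]}: {hit[1]}")
```

Paste the captured debug output into `SAMPLE_DEBUG_LOG` (or read it from a file) and act on the verdict: 'routing' points back to the static route and `config system ddns` settings, 'fortiguard-connectivity' to the FortiGuard settings, and 'stalled' to the restart commands above.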

 

The DDNS server list is obtained from FortiGuard, so FortiGuard settings may need to be reviewed.


If none of these steps results in the IP being updated correctly, contact the Fortinet TAC team by creating a ticket for the issue and providing the logs above.
