Contributor
August 31, 2009
Question

DynDNS Issue

  • August 31, 2009
  • 7 replies
  • 5718 views
Hello, I have a Customer with a Fortigate 60B Firewall. He is using SSL-VPN. Clients are only allowed to login from some IP addresses. To allow some dynamic IPs we created a dyndns host entry and allowed this FQDN in the Fortigate firewall to connect via VPN. But it only works if we use the IP in the firewall rule instead of the dyndns name. The Fortigate itself is allowed to do DNS requests. And if I run nslookup from a box behind the firewall and ask the firewall for the IP of the dyndns hostname, then it resolves the right IP. Does anybody know any help? Thank you!

    7 replies

    rwpatterson
    New Member
    September 1, 2009
    Check the DNS settings on the FGT itself. From the command line, try "exec ping dyndnsname.dyndns.com" and see if it resolves. If that does not work, there's your problem. Post back with more information.
    Contributor
    September 3, 2009
    Hello Bob, thanks for your reply! For ping from the CLI, I get a normal ping reply (4x) with correct DNS resolution. Even changes of the dyndns IP were detected after 2 minutes. But login to the SSL-VPN HTML page says "Error: Permission denied" to me... If you need more information, which information do you need?
    rwpatterson
    New Member
    October 22, 2009
    ORIGINAL: pdcemulator: But login to the SSL-VPN HTML page says "Error: Permission denied" to me...
    If you are getting to this page, then dynamic DNS is working. You are at the firewall... You need to figure out why the SSL VPN is not accepting your login credentials.
    emnoc
    New Member
    September 5, 2009
    What FortiOS are you running? Also, have you tried any diag debug flow to see what the unit is reporting? Those would be my first two options that I would try.
    Contributor
    September 6, 2009
    Also, have you tried any diag debug flow to see what the unit is reporting?
    How can I do this? I only see an error message in the log from the web GUI, but no further information about the error. The OS is 4.x, I don't have the exact version here. I'll post it ASAP...
    emnoc
    New Member
    September 7, 2009
    Log in to the CLI and look at the diag commands. You might want to review the KB for Fortigate on this. Go to the KB and do a search on diag debug flow.
    Yngve0
    New Member
    October 22, 2009
    I have a similar issue with an IPSEC-VPN:
    - The DDNS entry is updated correctly
    - Ping <ddns-host> from a PC returns the correct IP address
    - Ping <ddns-host> from the actual FG returns the correct IP address
    - User, monitor, ipsec show the previous IP and try to establish a tunnel against this IP, which of course fails
    Anyone with a good solution here? If I change the hostname on the tunnel to something else and then re-enter the correct ddns-host and synchronize the PSK, the tunnel is re-established with the correct IP. best regards Y
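Both the original SSL-VPN question and this IPsec post describe the same underlying behaviour: a firewall rule or tunnel that is configured with a DDNS name does not match against live DNS, it matches against whatever address the unit last cached for that name. The following Python model is an added example for this thread, not FortiOS code; the zone data is constructed, and the cache, TTL and flush behaviour are a simplified stand-in for how an FQDN address object or DDNS-named VPN peer works. It shows how a stale cached answer produces a "permission denied" for a client whose DDNS IP has just changed, how to detect the stale entry by comparing the cached IP against a fresh lookup, and why the "re-enter the hostname" trick from this post works (it forces the cache to be dropped).

```python
"""Model of an FQDN-based firewall rule that depends on the unit's own DNS
cache. Added example for this thread; not FortiOS code. Zone data, TTLs and
the cache semantics are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed zone: hostname -> (ip, ttl_seconds). Stands in for a real resolver.
ZONE: Dict[str, Tuple[str, int]] = {
    "customer-site.example.dyndns.org": ("198.51.100.10", 120),
}
FQDN = "customer-site.example.dyndns.org"


@dataclass
class FqdnCache:
    """Caches the last answer for a name until its TTL has run out."""
    resolve: Callable[[str], Tuple[str, int]]
    entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (ip, expires_at)

    def lookup(self, fqdn: str, now: float) -> str:
        hit = self.entries.get(fqdn)
        if hit is not None and now < hit[1]:
            return hit[0]  # cached answer still considered valid, DNS is not consulted
        ip, ttl = self.resolve(fqdn)
        self.entries[fqdn] = (ip, now + ttl)
        return ip

    def is_stale(self, fqdn: str) -> bool:
        """Troubleshooting check: cached IP differs from what DNS answers right now."""
        hit = self.entries.get(fqdn)
        return hit is not None and hit[0] != self.resolve(fqdn)[0]

    def flush(self, fqdn: str) -> None:
        """Equivalent of re-entering the hostname on the tunnel: drop the cached answer."""
        self.entries.pop(fqdn, None)


def policy_allows(src_ip: str, allowed_fqdn: str, cache: FqdnCache, now: float) -> bool:
    """FQDN-based source restriction: matches the IP the cache holds, not live DNS."""
    return ipaddress.ip_address(src_ip) == ipaddress.ip_address(cache.lookup(allowed_fqdn, now))


def _setup() -> Tuple[Dict[str, Tuple[str, int]], FqdnCache]:
    """Fresh zone copy and cache, with the old answer already cached at t=0."""
    zone = dict(ZONE)
    cache = FqdnCache(resolve=lambda name: zone[name])
    cache.lookup(FQDN, now=0)  # the unit resolved the name while the old IP was current
    return zone, cache


def scenario_ttl() -> Dict[str, bool]:
    """Client's address changes; the rule denies until the cached entry expires."""
    zone, cache = _setup()
    zone[FQDN] = ("203.0.113.77", 120)  # DDNS record updated by the client
    return {
        "old_ip_still_allowed": policy_allows("198.51.100.10", FQDN, cache, now=30),
        "new_ip_denied_while_cached": not policy_allows("203.0.113.77", FQDN, cache, now=30),
        "stale_detected": cache.is_stale(FQDN),
        "new_ip_allowed_after_ttl": policy_allows("203.0.113.77", FQDN, cache, now=130),
    }


def scenario_flush() -> Dict[str, bool]:
    """Same change, but the operator forces a re-resolution instead of waiting."""
    zone, cache = _setup()
    zone[FQDN] = ("203.0.113.77", 120)
    denied_before = not policy_allows("203.0.113.77", FQDN, cache, now=30)
    cache.flush(FQDN)
    return {
        "denied_before_flush": denied_before,
        "allowed_after_flush": policy_allows("203.0.113.77", FQDN, cache, now=30),
    }


if __name__ == "__main__":
    print(scenario_ttl())
    print(scenario_flush())
```

The practical takeaway for troubleshooting is the `is_stale` comparison: when `exec ping` on the unit returns the right address but the rule or the IPsec monitor still shows the old one, the live resolver is fine and the cached object is what needs refreshing, either by waiting out its TTL or by forcing a re-resolution.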
    rwpatterson
    New Member
    October 22, 2009
    ORIGINAL: Yngve Øines: If I change the hostname on the tunnel to something else and then re-enter the correct ddns-host and synchronize the PSK, the tunnel is re-established with the correct IP.
    One of my tunnels still has this issue (and I use the same trick). 4.0.3 on the static end, v3 MR7 p5 on the remote. Only happens when I take down the remote (dynamic) end before the rekeying takes place. Recently upped to MR7P7. Let's see how this goes...
    Yngve0
    New Member
    October 23, 2009
    One of my tunnels still has this issue (and I use the same trick). 4.0.3 on the static end, v3 MR7 p5 on the remote. Only happens when I take down the remote (dynamic) end before the rekeying takes place. Recently upped to MR7P7. Let's see how this goes...
    I can hardly believe that my issue is related to the firmware on the remote end (dynamic), since name resolution, even done from the CLI on the static FG, returns the correct IP, but the ipsec monitor shows an old and expired IP.
    rwpatterson
    New Member
    October 23, 2009
    May be the static side, but I'm not into a firmware upgrade yet. Small price to pay for stability...