In the example used in this article, the IP address of the wan1 interface is used for DDNS on FortiGate. FortiGate is unable to update the DDNS due to a connection error. The solution will explain how to update the DDNS in FortiGate.

Below is the IP address of the interface.

config system interface

edit "wan1"

set ip 10.109.17.53 255.255.240.0

set allowaccess ping https ssh http

next

edit "dmz"

set ip 10.10.5.3 255.255.240.0

set allowaccess ping https ssh http

next

end

Below is the DDNS setting for fortiservice.fortiddns.com.

config system ddns

edit 1

set ddns-server FortiGuardDDNS

set ddns-domain "fortiservice.fortiddns.com"

set use-public-ip enable

set monitor-interface "wan1"

next

end

To learn the IP address of the FortiGuard DDNS server and which port number is used by FortiGate to connect to the DDNS server, run the following command. Example output is attached.

diagnose test application ddnscd 3
FortiDDNS status:
ddns_ip=173.243.138.225, ddns_ip6=::, ddns_port=443 svr_num=1 domain_num=3 <<<-----
svr[0]= 173.243.138.225
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com

Since the DDNS server IP address is set to 0.0.0.0 and the connection port is 443 by default under the FortiGuard settings, FortiGate will connect to the resolved IP of the domain globalddns.fortinet.net with destination port 443, unless a DDNS server IP address is configured specifically as follows.

config system fortiguard

set ddns-server-ip 173.243.138.225

set ddns-server-port 443

end

Run the following debug commands in the CLI to find the root cause of the DDNS issue in FortiGate:

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug application ddnscd -1

Debug messages will be enabled for 30 minutes. Or to disable the debug, press ctrl + c and enter 'diagnose debug disable'

....
136003188-Connected # 2023-04-27 22:30:18 1659713418: next wait timeout 9 seconds
2023-04-27 22:30:28
1659713428: Start to update FortiGuardDDNS (fortiservice.fortiddns.com)
2023-04-27 22:30:28 1659713428: next wait timeout 10 seconds
2023-04-27 22:30:38 1659713438: next wait timeout 10 seconds
2023-04-27 22:30:48 1659713448: next wait timeout 10 seconds
2023-04-27 22:30:58 fgt_ddns_socket()-892: cannot connect to 173.243.138.225:443
2023-04-27 22:30:58 1659713458: Failed on update FortiGuardDDNS (fortiservice.fortiddns.com), due to internal/config/connect/io err
2023-04-27 22:30:58 1659713458: Failed on update FortiGuardDDNS (fortiservice.fortiddns.com), next try in 60 seconds
2023-04-27 22:30:58 1659713458: next wait timeout 4 seconds
2023-04-27 22:31:03 name=globalddns.fortinet.net, id=5504, cb=0x82b8b8
2023-04-27 22:31:03 name=globalddns.fortinet.net, id=5505, cb=0x82b8b8

To resolve the issue, follow the steps below.:

1. Ensure there is a route through the correct interface in FortiGate to the DDNS server.

Check which interface there is an internet connection from:

get router info routing-table details 173.243.138.225

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 10.109.31.254, via wan1

In the above output, the FortiGate has a default route 0.0.0.0 through the wan1 interface. However, an incorrect interface and source IP have been configured in FortiGuard settings. As a result, FortiGate will not be able to connect to the FortiGuard server:

config system fortiguard

set source-ip 10.10.5.3

set interface-select-method specify

set interface dmz

end

Note:
If the FortiGate is configured under VDOMs, on both DNS and FortiGuard Settings, to avoid specifying any interface, keep default as 'Auto'.

To resolve the issue, a correct source IP and interface must be configured under FortiGuard settings. Since the internet is accessible through a WAN1 interface, the FortiGuard settings have been changed as follows:

config system fortiguard

set source-ip 10.109.17.53

set interface-select-method specify

set interface wan1

end

Check the new details of the updated DDNS on FortiGate:

config sys ddns

edit 1

get

ddnsid : 1

ddns-server : FortiGuardDDNS

server-type : ipv4

ddns-domain : fortiservice.fortiddns.com

use-public-ip : enable

addr-type : ipv4

update-interval : 0

monitor-interface : "wan1"

bound-ip : 10.109.17.53

Note:

If the use-public-ip setting in DDNS is disabled on FortiGate, the bound-ip will not be visible in the above output.

To ensure the DDNS is updated (when a correct IP address is set for the DDNS in FortiGate):

exe ping fortiservice.fortiddns.com
PING fortiservice.fortiddns.com (10.109.17.53): 56 data bytes
64 bytes from 193.86.26.196: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 193.86.26.196: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 193.86.26.196: icmp_seq=2 ttl=255 time=0.3 ms
64 bytes from 193.86.26.196: icmp_seq=3 ttl=255 time=0.3 ms
64 bytes from 193.86.26.196: icmp_seq=4 ttl=255 time=0.3 ms

--- fortiservice.fortiddns.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.2/0.3 ms

diagnose test application ddnscd 5
2023-04-27 23:26:21 0, id=1, ddns entry (intf:wan1 domain:fortiservice.fortiddns.com, address:10.109.17.53, use interface ip), server:FortiGuardDDNS globalddns.fortinet.net, status:updated

2. There are some cases where even if the routing of FortiGate and the DDNS server is good, the same error occurs. This can be resolved by deleting the DDNS configuration and then reconfiguring it.

Delete the existing entry:

config system ddns

    delete 1

end

Reconfigure the DDNS again:

config system ddns

     edit 1

          set ddns-server <ddns server>

          set ddns-domain <Domain name>

          set use-public-ip enable

          set monitor-interface <wan interface>

     next

end

Screenshot from successful GUI access through DDNS:

Related documents:

config system ddns - FortiOS CLI reference

Technical Tip: How to transfer the DDNS record to new FortiGate