FortiGate
rvillaroman
Staff
Article Id 299983
Description This article describes why the IPsec VPN phase1-interface tunnel type (the remote gateway type: static, dynamic or DDNS) can no longer be changed in place after upgrading to v7.2.0 and later, and how the type can still be changed when required.
Scope FortiGate v7.2.0 and later.
Solution

On v7.2.0 and later, once the tunnel ID ('tun_id') of an IPsec VPN phase1-interface has been generated, the type of that interface cannot be altered. Routes pointing at the IPsec tunnel are matched on the tunnel ID, which is why the type is locked once the tunnel exists. As a result, it is no longer possible to change an existing tunnel from a static remote gateway to DDNS, or vice versa.

[Screenshot: sample IPsec VPN tunnel configuration]

On firmware versions earlier than v7.2.0, the type can be changed without error:

[Screenshot: tunnel type changed successfully in the v7.0 CLI]

On v7.2.0 and later, the '-9999: -9999' error is returned when the tunnel type is changed in the CLI:

[Screenshot: CLI returns the -9999 error when the type is changed on v7.2]

The GUI returns the same error when the type is changed there:

[Screenshot: GUI shows the -9999 error when the type is changed]

To change the tunnel type from a static gateway to dynamic DNS, either delete and recreate the VPN tunnel with the new type, or create a new tunnel interface alongside the existing one and move the routes and policies to it.

Alternatively, the change can be made with a backup, edit and restore of the configuration. This method requires downtime, because restoring a configuration reboots the FortiGate.

Step 1: Back up the current configuration. Take the backup without encryption, since an encrypted backup file cannot be edited.
Step 2: In the FortiGate CLI, change the phase1 tunnel type inside the object and display the result, so that the new form of the entry can be copied. When switching to ddns, also set the peer's FQDN with 'set remotegw-ddns <fqdn>'; a static type uses 'set remote-gw <ip>' instead:

config vpn ipsec phase1-interface
    edit <phase1_name>
        set type <new_type_of_tunnel>
        show
    abort

Copy everything the show command prints, from 'config vpn ipsec phase1-interface' down to the closing 'end'. Do not commit the change with 'next' or 'end': on v7.2.0 and later that is the step that fails with the -9999 error. Leave the object with 'abort' once the output has been copied.


Step 3: Open the backup configuration file in a text editor, locate the same 'edit <phase1_name>' entry under 'config vpn ipsec phase1-interface', and replace it with the entry copied in the previous step. Leave every other section of the file untouched.
Step 4: Restore the edited configuration file to the FortiGate. The unit reboots to apply it.

Step 5: After the device is back up with the restored configuration, verify that all settings from the uploaded file were applied, in particular the phase1 type, its remote gateway, and the static routes that use the tunnel interface.

The following command lists any configuration lines that were rejected while the restored file was loaded:

diagnose debug config-error-log read

This is the standard check for issues that arise after an upgrade or a major configuration change; an empty result means every line in the file was accepted.
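As an added worked example, not part of the Fortinet article, the following Python script performs the file edit of Step 3 together with the consistency check a practitioner would want before restoring. It locates the named entry under 'config vpn ipsec phase1-interface' in an unencrypted backup, replaces it with the entry copied from the 'show' output of Step 2, leaves every other section alone, and refuses an entry whose type lacks its gateway attribute ('remote-gw' for static, 'remotegw-ddns' for ddns). The backup excerpt, the 'show' output, the tunnel names 'to-branch' and 'dialup', and the FQDN branch.example.net are all constructed for the example; 'show' omits default values, so an entry with no 'set type' line is a static tunnel.

```python
import re
from typing import List, Tuple

# Constructed backup excerpt (not a real export). `show` omits defaults, so an
# entry without `set type` is static. The router section must survive untouched.
BACKUP = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "port1"
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
    next
    edit "dialup"
        set type dynamic
    next
end
config router static
    edit 1
        set device "to-branch"
    next
end
"""

# Constructed `show` output after `set type ddns` + `set remotegw-ddns` in the object.
SHOW_OUTPUT = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set type ddns
        set interface "port1"
        set proposal aes256-sha256
        set remotegw-ddns "branch.example.net"
    next
end
"""

# Remote-gateway attribute each phase1 type needs (dynamic is dial-up: none).
REQUIRED_GATEWAY = {"static": "set remote-gw ", "ddns": "set remotegw-ddns ", "dynamic": None}


def block_end(lines: List[str], start: int) -> int:
    """Index of the `end`/`next` closing the `config`/`edit` opened at `start`."""
    depth = 0  # one counter for both kinds, so nested sub-tables are skipped
    for i in range(start, len(lines)):
        tok = lines[i].strip()
        if tok.startswith(("config ", "edit ")):
            depth += 1
        elif tok in ("end", "next"):
            depth -= 1
            if depth == 0:
                return i
    raise ValueError(f"block opened on line {start + 1} is never closed")


def find_phase1_entry(lines: List[str], name: str) -> Tuple[int, int]:
    """(start, end) of `edit "<name>"` inside a phase1-interface section."""
    for i, line in enumerate(lines):
        if line.strip() != "config vpn ipsec phase1-interface":
            continue
        j, sec_end = i + 1, block_end(lines, i)
        while j < sec_end:
            tok = lines[j].strip()
            if tok.startswith("edit "):
                ent_end = block_end(lines, j)
                if tok == f'edit "{name}"':
                    return j, ent_end
                j = ent_end + 1  # skip the whole sibling entry
            else:
                j += 1
    raise KeyError(f"phase1-interface {name!r} not found")


def extract_entry(config_text: str, name: str) -> List[str]:
    lines = config_text.splitlines()
    s, e = find_phase1_entry(lines, name)
    return lines[s:e + 1]


def entry_type(entry: List[str]) -> str:
    """Phase1 type; no `set type` line means the default, static."""
    for line in entry:
        if m := re.fullmatch(r"\s*set type (\S+)\s*", line):
            return m.group(1)
    return "static"


def check_gateway_setting(entry: List[str]) -> str:
    """Reject an entry whose type lacks its remote-gateway attribute."""
    kind = entry_type(entry)
    needed = REQUIRED_GATEWAY[kind]  # KeyError for an unknown type
    if needed and not any(l.strip().startswith(needed) for l in entry):
        raise ValueError(f"type {kind} requires '{needed.strip()}'")
    return kind


def splice_entry(backup: str, name: str, new_entry: List[str]) -> str:
    """Backup text with the named entry replaced and re-indented to match."""
    if new_entry[0].strip() != f'edit "{name}"':
        raise ValueError("replacement entry is for a different phase1 name")
    check_gateway_setting(new_entry)
    lines = backup.splitlines()
    s, e = find_phase1_entry(lines, name)
    old_indent = lines[s][: len(lines[s]) - len(lines[s].lstrip())]
    new_indent = new_entry[0][: len(new_entry[0]) - len(new_entry[0].lstrip())]
    reindented = [old_indent + l[len(new_indent):] for l in new_entry]
    return "\n".join(lines[:s] + reindented + lines[e + 1:]) + "\n"
```

Run it as splice_entry(BACKUP, "to-branch", extract_entry(SHOW_OUTPUT, "to-branch")) and write the result to the file that will be restored. The depth counter in block_end is what keeps the edit safe on a real backup: phase1 entries can contain nested 'config ... end' sub-tables, and a naive search for the next 'next' would cut an entry short.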