hbac
Staff
Article Id 270240
Description

This article describes how to fix Error '-9999: -9999', which appears when trying to change the Remote Gateway type of an IPsec tunnel on the GUI or CLI. In this example, an attempt was made to change the Remote Gateway from static to Dynamic DNS under an IPsec tunnel 'SiteA'.

 

[Screenshot: SiteA.png]

[Screenshot: CLI.png]

Scope

FortiGate v7.2.0 and later.
Solution

This is expected behavior in v7.2.0 and later. The IPsec phase 1 interface type cannot be changed after it is configured.

This is due to the tunnel ID parameter (tun_id), which is used to match routes to IPsec tunnels to forward traffic. If the IPsec phase 1 interface type needs to be changed, a new interface must be configured.
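The replacement described above, sketched as an added FortiOS CLI example (not taken from the original article or from Fortinet): the old 'SiteA' tunnel is left in place while a new Dynamic DNS phase 1 interface is built beside it, references are moved over, and only then is the old tunnel deleted. The names 'SiteA-ddns' and 'SiteA-ddns-p2', the 'wan1' interface, the hostname, the subnets, the proposals and the angle-bracket values are all assumptions to be replaced with the site's own values.

```fortios
# Added example. All names, addresses and <placeholders> are assumptions.
# 1. Create a NEW phase 1 interface with the required type; 'SiteA' is not edited.
config vpn ipsec phase1-interface
    edit "SiteA-ddns"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "sitea.example.com"
        set proposal aes256-sha256
        set psksecret <pre-shared-key>
    next
end
# 2. Bind a new phase 2 to the new phase 1, copying the old selectors.
config vpn ipsec phase2-interface
    edit "SiteA-ddns-p2"
        set phase1name "SiteA-ddns"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# 3. Re-point each static route that used the old tunnel.
config router static
    edit <route-id>
        set device "SiteA-ddns"
    next
end
# 4. Re-point each firewall policy that used the old tunnel, keeping its
#    existing address, service and logging settings unchanged.
config firewall policy
    edit <policy-id>
        set dstintf "SiteA-ddns"
    next
end
# 5. Once nothing references the old tunnel, remove phase 2, then phase 1.
config vpn ipsec phase2-interface
    delete <old-phase2-name>
end
config vpn ipsec phase1-interface
    delete "SiteA"
end
```

Policies in the reverse direction need the same change on srcintf, and the old phase 1 can only be deleted after every route, policy and phase 2 entry has stopped referencing it.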

The following related article explains how to reconfigure the IPsec tunnel and change the tunnel type:
Technical Tip: Unable to change IPSEC tunnel type and getting -9999: -9999 error

 

Note:

This applies only to route-based IPsec VPN. Changing the remote gateway is still possible with a policy-based IPsec VPN. See the related document below to learn more about the difference between the two.

 

Related document:

VPN security policies