Description
This article describes how to fix the 'IP not-updating' problem with FortiGuard DDNS.
When the public IP of the FortiGate has changed, FortiGuard DDNS updates are required over one specific ISP interface and sometimes FortiGuard DDNS does not update the IP.
One possible way to solve this is to configure a static route so that traffic from the FortiGate to the FortiGuard IP addresses leaves through that specific Internet connection. This is shown below, together with other possible causes of the problem.
Related document:
DDNS
Solution
One common solution is to configure a static route to a known FortiGuard IP through a specific ISP Internet connection.
First of all, make sure that the FortiGate knows the new IP address. This is reflected in the Dashboard status widget, or under Network -> DNS.
Make sure this is the correct public IP the user wants to update in DDNS. If it is not, run the following commands to check whether it has been updated correctly:
diag sys waninfo
diag sys waninfo ipify
Run the following command from the CLI to find out the IP address used by FortiGate for the DDNS server:
diagnose test application ddnscd 3
FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230 <-- FortiGuard IP used to create the static route.
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
(Article: checking DDNS settings)
Creating the static Route:
config router static
edit 0
set status enable
set dst 208.91.113.230
set gateway <ip_gateway> <- ISP's IP (remote IP).
set device <interface_name> <- WAN interface (internet connection).
next
end
Another step is to manually set the FortiGuard DDNS server IP address to a fixed one. This prevents the IP from being changed automatically, which would render the static route useless:
config system fortiguard
set ddns-server-ip 208.91.113.230
end
Or (another IP that can be used):
set ddns-server-ip 173.243.138.225
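As an added example (not part of the original article or Fortinet's own tooling), the script below parses the `diagnose test application ddnscd 3` output shown above, extracts the svr[N] address, and renders the two CLI stanzas from this section: the static route toward that FortiGuard IP and the pinned ddns-server-ip. The sample status output is constructed to match the article's excerpt; the gateway 203.0.113.1 and interface name wan1 are placeholder assumptions that an operator replaces with the real ISP next-hop and WAN interface. Octets and interface names are validated so a garbled capture cannot turn into a broken route.

```python
import re
from typing import List

# Constructed sample of `diagnose test application ddnscd 3` output, modelled on
# the article's excerpt; 208.91.113.230 is the FortiGuard DDNS IP the article shows.
SAMPLE_DDNSCD_STATUS = """\
FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
"""

_SVR_LINE = re.compile(r"^svr\[(\d+)\]=\s*(\S+)\s*$", re.MULTILINE)
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_ipv4(value: str) -> bool:
    """True only for a dotted quad whose four octets are all in 0..255."""
    m = _IPV4.match(value)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def ddns_server_ips(status_output: str) -> List[str]:
    """Extract the svr[N] addresses from ddnscd status output, in index order.
    Lines whose value is not a valid IPv4 address are skipped rather than
    turned into a bogus route."""
    servers = []
    for idx, value in _SVR_LINE.findall(status_output):
        if is_ipv4(value):
            servers.append((int(idx), value))
    return [ip for _, ip in sorted(servers)]


def static_route_config(dst_ip: str, gateway: str, device: str) -> str:
    """Render the `config router static` stanza from the article for one host.
    `gateway` is the ISP next-hop and `device` the WAN interface name; both are
    operator-supplied, so they are validated before anything is rendered."""
    if not is_ipv4(dst_ip) or not is_ipv4(gateway):
        raise ValueError("dst and gateway must be IPv4 addresses")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", device):
        raise ValueError("device must be an interface name")
    return (
        "config router static\n"
        "    edit 0\n"
        "        set status enable\n"
        f"        set dst {dst_ip}\n"
        f"        set gateway {gateway}\n"
        f"        set device {device}\n"
        "    next\n"
        "end\n"
    )


def ddns_server_pin_config(server_ip: str) -> str:
    """Render the `config system fortiguard` stanza that pins ddns-server-ip."""
    if not is_ipv4(server_ip):
        raise ValueError("server_ip must be an IPv4 address")
    return f"config system fortiguard\n    set ddns-server-ip {server_ip}\nend\n"


def build_fix(status_output: str, gateway: str, device: str) -> str:
    """Combine both stanzas for the first svr[] entry reported by ddnscd."""
    ips = ddns_server_ips(status_output)
    if not ips:
        raise ValueError("no svr[N] entry found in ddnscd output")
    return static_route_config(ips[0], gateway, device) + ddns_server_pin_config(ips[0])


if __name__ == "__main__":
    # 203.0.113.1 (TEST-NET-3) and "wan1" are constructed placeholders.
    print(build_fix(SAMPLE_DDNSCD_STATUS, "203.0.113.1", "wan1"))
```

Pinning the server IP and routing to it are rendered together on purpose: the article notes that if FortiGuard hands out a different DDNS server address later, a static route to the old one silently stops helping.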
If the problem persists, make sure the configuration on the unit is correct, then run the debug commands below to show potential problems with DDNS:
diagnose debug application update -1
diagnose debug application ddnscd -1
diagnose debug enable <----- One has to wait 5-10 minutes until the timeout expires and some relevant output is produced.
diagnose debug disable
The following errors may be seen:
Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to internal/config/connect/io err --> This usually points to a routing error.
A possible fix, if an ISP router and a local subnet are used on the WAN interface, is to change the following in the DDNS setup:
config system ddns
show
edit 1
set use-public-ip enable <- Make sure this is enabled.
set monitor-interface "port4" <- Make sure this is the WAN interface.
next
end
failed to establish SSL connection.
This shows a problem connecting to FortiGuard servers. Check the FortiGuard settings and change them accordingly:
Technical Tip: FortiGuard is not reachable via Anycast default method
next wait timeout 10 seconds.
This is not an error, but a repeating timer message showing that the DDNS daemon is active. In some cases, it may be the only thing displayed (no other output even after 15 minutes).
In this case, the user may try to restart the DDNS connection:
exec update-now
diagnose test app ddnscd 2
diagnose test app ddnscd 4
-->ResponseStatus=-2
fgt_unpack_fcpr()-578: Unpacked obj: Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
fgd_ddns_fcp_exchange()-935: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
'ResponseStatus=-2' indicates either the domain name requested does not exist or is registered with a different device Serial Number.
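As an added example (not part of the original article), the script below runs the triage described in this section over a captured ddnscd debug log: it classifies each line into the cases the article explains (routing error, FortiGuard unreachable, ResponseStatus=-2, heartbeat), parses the FCPR key=value payload so the domain and serial number can be compared, and flags the "only heartbeats" case where the article suggests restarting DDNS. The sample log is constructed from the messages quoted above; the rule labels and hint text are this example's own, not Fortinet's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed debug excerpt assembled from the messages the article quotes; the
# domain names and serial number are the article's own placeholder values.
SAMPLE_DEBUG = """\
next wait timeout 10 seconds.
Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to internal/config/connect/io err
failed to establish SSL connection.
fgt_unpack_fcpr()-578: Unpacked obj: Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
fgd_ddns_fcp_exchange()-935: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
next wait timeout 10 seconds.
"""

# (label, pattern, what the article says to check); first matching rule wins.
RULES: List[Tuple[str, re.Pattern, str]] = [
    ("routing_error", re.compile(r"Failed on update FortiGuardDDNS"),
     "usually a routing error: verify the static route, use-public-ip and monitor-interface"),
    ("fortiguard_unreachable", re.compile(r"failed to establish SSL connection"),
     "cannot reach FortiGuard: review the FortiGuard settings (anycast)"),
    ("domain_mismatch", re.compile(r"\bResponseStatus=-2\b"),
     "domain does not exist or is registered to a different serial number"),
    ("heartbeat", re.compile(r"^next wait timeout \d+ seconds\."),
     "not an error: ddnscd timer tick"),
]


def parse_fcpr(line: str) -> Optional[Dict[str, str]]:
    """Parse the key=value|key=value payload after 'FCPR=' or 'Unpacked obj:'."""
    m = re.search(r"(?:FCPR=|Unpacked obj: )(.+)$", line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for item in m.group(1).split("|"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields or None


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (label, hint) for a known ddnscd message, or None for anything else."""
    for label, pattern, hint in RULES:
        if pattern.search(line):
            return label, hint
    return None


def triage(debug_output: str) -> Dict[str, object]:
    """Summarise a debug capture: counts per label, the FCPR replies seen, and
    whether nothing but heartbeats appeared (the stuck case in the article)."""
    counts: Dict[str, int] = {}
    fcpr: List[Dict[str, str]] = []
    for line in debug_output.splitlines():
        hit = classify_line(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
        fields = parse_fcpr(line)
        if fields:
            fcpr.append(fields)
    only_heartbeat = bool(counts) and set(counts) <= {"heartbeat"}
    next_step = ("restart DDNS (exec update-now) and capture the debug again"
                 if only_heartbeat else "act on the classified errors above")
    return {"counts": counts, "fcpr": fcpr,
            "only_heartbeat": only_heartbeat, "next_step": next_step}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Comparing the SerialNumber and DomainName fields returned by `parse_fcpr` against the unit's own serial and configured domain is the quickest way to tell the two ResponseStatus=-2 causes apart before opening a TAC ticket.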
The DDNS server list is obtained from FortiGuard, so FortiGuard settings may need to be reviewed. Sometimes disabling fortiguard-anycast can be helpful.
config system fortiguard
set fortiguard-anycast disable
end
If none of these steps allows the IP to update correctly, contact the Fortinet TAC team by creating a ticket for the issue and providing the above logs.
Updating the device with new ISP link:
If the ISP link is being changed to a new public IP and the DDNS entry must resolve to the new address, contact the TAC team to delete the old DDNS entry from the database.
After that, under the DDNS settings in the CLI, copy the configuration of the previous entry and then delete that entry. Once done, paste the copied configuration and change only the set monitor-interface attribute to the new WAN port.
Copyright 2025 Fortinet, Inc. All Rights Reserved.