FortiGate
ppatel
Staff & Editor
Article Id 198179

Description


This article describes how to fix the 'IP not-updating' problem with FortiGuard DDNS.
When the public IP of the FortiGate changes, the FortiGuard DDNS update must be sent over one specific ISP interface, and sometimes FortiGuard DDNS does not update the IP.

One possible way to solve this is to configure a static route so that traffic from the FortiGate to the FortiGuard IP addresses leaves through that specific internet connection. This is shown below, along with other possible causes of the problem.

Related document:
DDNS

 

Scope

 

FortiGate.


Solution


One common solution is to configure a static route to a known FortiGuard IP through a specific ISP Internet connection.
First of all, make sure that the FortiGate knows the new IP address. This is shown in the Dashboard status widget, or under Network -> DNS.

Make sure this is the correct public IP that the user wants to publish in DDNS. If it is not correct, run the following commands to check whether the WAN information has been updated correctly:

 

diagnose sys waninfo

diagnose sys waninfo ipify


Run the following command from the CLI to find out the IP address used by FortiGate for the DDNS server:

diagnose test application ddnscd 3

FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230     <-- FortiGuard IP used to create the static route.
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com

 

Technical Tip: How to check ddns status from command line interface

 

Creating the static Route:

config router static
    edit 0
        set status enable
        set dst 208.91.113.230
        set gateway <ip_gateway>  <- ISP's IP (remote IP).
        set device <interface_name>  <- WAN interface (internet connection).
    next
end

 

Another step is to manually set the FortiGuard DDNS server IP address to a fixed value. This ensures the server IP is not changed automatically, which would otherwise render the static route useless:

 

config system fortiguard
    set ddns-server-ip 208.91.113.230
end

 

Or (another IP that can be used):

 

    set ddns-server-ip 173.243.138.225 
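The two steps above (read the server IP from `diagnose test application ddnscd 3`, then pin it with a host route and a fixed `ddns-server-ip`) as an added helper that is not part of the original article: it parses a constructed copy of the status output and renders the two CLI blocks. The gateway `203.0.113.1` and interface `wan1` are placeholders; the explicit `255.255.255.255` mask on `set dst` is my choice, the article's command omits it.

```python
import ipaddress
import re

# Constructed sample of `diagnose test application ddnscd 3` output,
# modelled on the article (not captured from a live device).
STATUS_OUTPUT = """\
FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
"""

def parse_ddns_status(text):
    """Return the DDNS server IPs and domain suffixes reported by ddnscd."""
    servers = [m.group(1) for m in re.finditer(r"^svr\[\d+\]=\s*(\S+)", text, re.M)]
    domains = [m.group(1) for m in re.finditer(r"^domain\[\d+\]=\s*(\S+)", text, re.M)]
    for ip in servers:
        ipaddress.IPv4Address(ip)  # raises ValueError if the output is not what we expect
    return {"servers": servers, "domains": domains}

def static_route_config(server_ip, gateway, device):
    """Render the `config router static` block pinning the DDNS server to one ISP link."""
    ipaddress.IPv4Address(server_ip)
    ipaddress.IPv4Address(gateway)
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", device):
        raise ValueError(f"unexpected interface name: {device!r}")
    return "\n".join([
        "config router static",
        "    edit 0",
        "        set status enable",
        f"        set dst {server_ip} 255.255.255.255",  # host route to the DDNS server
        f"        set gateway {gateway}",
        f"        set device {device}",
        "    next",
        "end",
    ])

def fortiguard_pin_config(server_ip):
    """Render the `config system fortiguard` block that fixes the DDNS server IP."""
    ipaddress.IPv4Address(server_ip)
    return f"config system fortiguard\n    set ddns-server-ip {server_ip}\nend"

if __name__ == "__main__":
    status = parse_ddns_status(STATUS_OUTPUT)
    print(static_route_config(status["servers"][0], "203.0.113.1", "wan1"))
    print(fortiguard_pin_config(status["servers"][0]))
```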

 

If the problem persists, make sure that the correct configuration is done on the unit, then run the debug commands below to show potential problems with DDNS:

diagnose debug application update -1

diagnose debug application ddnscd -1

diagnose debug console timestamp enable

diagnose debug enable <----- One has to wait 5-10 minutes until the timeout expires and some relevant output is produced.

diagnose debug disable

 

The following errors may be seen:

 

Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to internal/config/connect/io err --> This usually points to a routing error.

 

A possible fix if the ISP router and a local subnet are used on the WAN interface is to change the following in the DDNS setup:

 

config system ddns

    show
        edit 1
            set use-public-ip enable     <----- Make sure this is enabled: Technical Tip: DDNS update with public IP on internal firewalls.
            set monitor-interface "port4" <--- Make sure this is the WAN interface.
        next
end

 

failed to establish SSLconnection <-- This shows a problem connecting to FortiGuard servers. Check the FortiGuard settings and change them accordingly: Technical Tip: FortiGuard is not reachable via Anycast default method.

 

next wait timeout 10 seconds.

 

This is not an error but a repeating timer message showing that the DDNS daemon is active. In some cases, however, it may be the only thing displayed (no other output even after 15 minutes).

In this case, the user may try to restart the DDNS connection:

 

execute update-now

diagnose test app ddnscd 2

diagnose test app ddnscd 4

 

-->ResponseStatus=-2
fgt_unpack_fcpr()-578: Unpacked obj: Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
fgd_ddns_fcp_exchange()-935: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com

 

'ResponseStatus=-2' indicates either that the domain name requested does not exist or is registered with a different device Serial Number.
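The error messages discussed above, from the 'io err' routing failure to 'ResponseStatus=-2', as an added triage helper that is not part of the original article: it runs over a constructed sample of `diagnose debug application ddnscd -1` output (timestamps are made up) and maps each message to the diagnosis the article gives for it, flagging the case where only the keep-alive timer is seen.

```python
import re

# Constructed sample of ddnscd debug output, modelled on the messages
# quoted in the article; the timestamps are made up.
DEBUG_LOG = """\
2024-01-01 10:00:01 next wait timeout 10 seconds.
2024-01-01 10:00:11 Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to internal/config/connect/io err
2024-01-01 10:00:12 failed to establish SSLconnection
2024-01-01 10:00:21 fgd_ddns_fcp_exchange()-935: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
"""

TIMER = re.compile(r"next wait timeout \d+ seconds")
UPDATE_FAIL = re.compile(r"Failed on update FortiGuardDDNS \((\S+)\), due to internal/config/connect/io err")
SSL_FAIL = re.compile(r"failed to establish SSL ?connection", re.I)
FCPR = re.compile(r"FCPR=(.*)$")

def parse_fcpr(record):
    """Split a 'key=value|key=value' FCPR record into a dict."""
    return dict(field.split("=", 1) for field in record.split("|") if "=" in field)

def triage_ddns_debug(log_text):
    """Map ddnscd debug lines to the article's diagnoses.

    'timer_only' is True when nothing but the keep-alive timer was seen,
    the case where the article suggests restarting the DDNS update."""
    findings = []
    saw_other = False
    for line in log_text.splitlines():
        if not line.strip() or TIMER.search(line):
            continue  # blank lines and the timer message carry no diagnosis
        saw_other = True
        if m := UPDATE_FAIL.search(line):
            findings.append(("routing", f"{m.group(1)}: check static route, use-public-ip, monitor-interface, SD-WAN method"))
        elif SSL_FAIL.search(line):
            findings.append(("fortiguard", "cannot reach FortiGuard servers: review FortiGuard/anycast settings"))
        elif m := FCPR.search(line):
            rec = parse_fcpr(m.group(1))
            if rec.get("ResponseStatus") == "-2":
                findings.append(("registration", f"{rec.get('DomainName')}: domain missing or registered to another serial number"))
    return {"findings": findings, "timer_only": not saw_other}

if __name__ == "__main__":
    for kind, detail in triage_ddns_debug(DEBUG_LOG)["findings"]:
        print(f"{kind}: {detail}")
```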

 

The DDNS server list is obtained from FortiGuard, so the FortiGuard settings may need to be reviewed. Sometimes disabling fortiguard-anycast and setting the SDNS server IP manually helps:

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53
end

 

In some cases, the error continues despite the previous configuration:

 

Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to internal/config/connect/io err

 

At this point, check whether SD-WAN configuration is involved. The routing problem may be that, in the 'config system fortiguard' configuration, 'sdwan' is selected as the interface-select-method while no SD-WAN rule has been created for this traffic. If this is the case, either change the interface-select-method to Auto (the FortiGate then needs a valid default route to the DDNS server), or create an SD-WAN rule so that the SD-WAN method is applied correctly.

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53
    set ddns-server-ip 208.91.113.230
    set interface-select-method auto <-- Make sure that the FortiGate recognizes a valid route to the DDNS server.
end

 

If the interface-select-method is SD-WAN instead of Auto, then create an SD-WAN Rule for the DDNS server, and the configuration will be applied correctly.

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53
    set ddns-server-ip 208.91.113.230
    set interface-select-method sdwan <-- Make sure an SD-WAN rule has been created for the DDNS server.
end

 

One more reason why the DDNS update might fail is if the WAN interface IP is assigned via DHCP and the 'override internal DNS' setting is enabled. The DNS server from the ISP may not be able to resolve the DDNS domain (globalddns.fortinet.net) and retrieve the IP for the FortiGuard DDNS servers.

  

In cases like this, the override has to be disabled:

 

In the GUI:

 

[Screenshot: disable_override.PNG]

 

In the CLI:

 

config system interface
   edit "<wan interface>"
        set dns-server-override disable
   next
end


If none of these steps allows the correct update of the IP, contact the Fortinet TAC team by creating a ticket for the issue and providing the above logs.

Updating the device with a new ISP link:
If the ISP link is being replaced with one that has a new public IP, and the DDNS entry resolving to it also needs to change, reach out to the TAC team to delete the old DDNS entry from the database.
After that, under the DDNS settings in the CLI, copy the configuration of the previous entry and then delete that entry. Once done, paste the copied configuration back and change only the set monitor-interface attribute to the new WAN port.