Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Cache conflict with DDNS gateway

Hi, recently we moved an old Mikrotik router with Cloud DDNS from a location to a new one. We use IPsec Tunnels, and when changing the Remote DDNS Gateway on FortiGate we receive this alert


ike 0:VPN-3: cache conflict with ddns gateway VPN-5


What can I do?. VPN-5 had the same DDNS than VPN-3 two months ago, but now has a different one (new router). Workaround is set the current remote IP address, but with DDNS set, FortiGate doesn't accept connections because doesn't match local policy, but the dns resolves current remote IP correctly.



New Contributor III

To resolve the cache conflict with the DDNS gateway on your FortiGate device, follow these steps:

  1. Clear the DDNS cache: Use the command "diag ip ddns reset-cache" in the CLI.

  2. Clear the IPsec cache: Enter the command "diag vpn ike config-clear" in the CLI.

  3. Update the Remote DDNS Gateway: Configure the Remote DDNS Gateway settings for VPN-3 and VPN-5 with their respective new DDNS addresses.

  4. Test the connection: Verify if the IPsec connection works correctly after the changes.

If the issue persists, seek further assistance from FortiGate technical support.

Farina Ahmed
Farina Ahmed
Contributor II

The "cache conflict with ddns gateway" alert message suggests that the FortiGate is experiencing a conflict with the cached DNS records for the old DDNS gateway. This could be causing the FortiGate to use the wrong IP address when establishing the IPsec tunnel.

One potential solution is to clear the DNS cache on the FortiGate to ensure that it is using the correct DNS records. You can do this by going to "System" > "FortiGuard" > "Web Filter" and selecting the "Cache" tab. From there, you can click "Clear Cache" to clear the DNS cache.

If clearing the DNS cache does not resolve the issue, you may want to try manually configuring the IP address for the new DDNS gateway in the FortiGate's IPsec settings. To do this, go to "VPN" > "IPsec Wizard" and select "Custom VPN Tunnel". Under the "VPN Tunnel" section, select "Static IP Address" and enter the IP address of the new DDNS gateway.

Alternatively, you may want to try deleting the old IPsec tunnel configuration and creating a new one with the updated DDNS gateway. This should ensure that the FortiGate is using the correct IP address for the new DDNS gateway.

Thanks & Regards,
Faizal Emam
Thanks & Regards,Faizal Emam
Top Kudoed Authors