Hi, recently we moved an old Mikrotik router with Cloud DDNS from a location to a new one. We use IPsec Tunnels, and when changing the Remote DDNS Gateway on FortiGate we receive this alert
ike 0:VPN-3: cache conflict with ddns gateway VPN-5
What can I do? VPN-5 had the same DDNS as VPN-3 two months ago, but now has a different one (new router). The workaround is to set the current remote IP address, but with DDNS set, the FortiGate doesn't accept connections because it doesn't match the local policy, even though DNS resolves the current remote IP correctly.
Thanks!
To resolve the cache conflict with the DDNS gateway on your FortiGate device, follow these steps:
1. Clear the DDNS cache: use the command `diag ip ddns reset-cache` in the CLI.
2. Clear the IPsec cache: enter the command `diag vpn ike config-clear` in the CLI.
3. Update the Remote DDNS Gateway: configure the Remote DDNS Gateway settings for VPN-3 and VPN-5 with their respective new DDNS addresses.
4. Test the connection: verify that the IPsec connection works correctly after the changes.
If the issue persists, seek further assistance from FortiGate technical support.
The "cache conflict with ddns gateway" alert message suggests that the FortiGate is experiencing a conflict with the cached DNS records for the old DDNS gateway. This could be causing the FortiGate to use the wrong IP address when establishing the IPsec tunnel.
One potential solution is to clear the DNS cache on the FortiGate to ensure that it is using the correct DNS records. You can do this by going to "System" > "FortiGuard" > "Web Filter" and selecting the "Cache" tab. From there, you can click "Clear Cache" to clear the DNS cache.
If clearing the DNS cache does not resolve the issue, you may want to try manually configuring the IP address for the new DDNS gateway in the FortiGate's IPsec settings. To do this, go to "VPN" > "IPsec Wizard" and select "Custom VPN Tunnel". Under the "VPN Tunnel" section, select "Static IP Address" and enter the IP address of the new DDNS gateway.
Alternatively, you may want to try deleting the old IPsec tunnel configuration and creating a new one with the updated DDNS gateway. This should ensure that the FortiGate is using the correct IP address for the new DDNS gateway.
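The conflict both replies work around arises when two phase1 entries point at the same DDNS name (or two names that resolve to the same address), which is exactly the state the question describes for VPN-3 and VPN-5. As an added example, not code from either reply or from Fortinet, here is a Python check over a constructed `phase1-interface` dump; it assumes the standard `set type ddns` / `set remote-gw-ddns` syntax and uses a fake resolver so it runs offline:

```python
import re
from collections import defaultdict

# Constructed sample of a FortiGate phase1-interface dump (not from the original post).
# It reproduces the situation in the question: VPN-5 still carries the DDNS name that
# now belongs to VPN-3, so both tunnels compete for the same gateway cache entry.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "VPN-3"
        set type ddns
        set remote-gw-ddns "branch.example-ddns.net"
    next
    edit "VPN-5"
        set type ddns
        set remote-gw-ddns "branch.example-ddns.net"
    next
    edit "VPN-7"
        set type ddns
        set remote-gw-ddns "hq.example-ddns.net"
    next
end
"""

# Constructed resolver results standing in for live DNS so the check runs offline.
FAKE_DNS = {
    "branch.example-ddns.net": "198.51.100.10",
    "hq.example-ddns.net": "203.0.113.5",
}


def parse_ddns_gateways(config_text):
    """Return {phase1-name: remote-gw-ddns} for every ddns-type phase1 entry."""
    gateways = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)next', config_text, re.S):
        ddns = re.search(r'set remote-gw-ddns "([^"]+)"', body)
        if ddns and re.search(r'set type ddns', body):
            gateways[name] = ddns.group(1)
    return gateways


def find_conflicts(gateways, resolve=FAKE_DNS.get):
    """Group phase1 entries by resolved address; a group with more than one name
    is a conflict. Keying on the resolved IP also catches two different DDNS names
    that currently point at the same host."""
    by_addr = defaultdict(list)
    for name, hostname in gateways.items():
        by_addr[resolve(hostname)].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    for addr, names in find_conflicts(parse_ddns_gateways(SAMPLE_CONFIG)).items():
        print(f"DDNS cache conflict: {', '.join(names)} all resolve to {addr}")
```

On a real unit, feed it the output of `show vpn ipsec phase1-interface` and swap the fake resolver for `socket.gethostbyname`; each reported group is a pair of tunnels whose `remote-gw-ddns` needs to be updated before the cache is reset.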
Copyright 2024 Fortinet, Inc. All Rights Reserved.