I have an IPSEC tunnel configuration that refuses to allow GUI re-configuration. Displayed error is -9999:-9999.
Objective: I am migrating from one IP/ISP/fiber to another, at the remote location. Local (HQ) connection will remain the same.
I wish to run both tunnels until configuration is up and running. Otherwise, termination of existing tunnel disconnects all communication with the remote fortigate 80e.
I originally configured the HQ connection to point to the DynDNS address of the remote site, I am unable to reconfigure this connection to a fixed IP.
This connection is up and running. Firmware v.7.2.3 on both fortigates.
When I change the Remote Gateway from Dynamic to fixed, it accepts the change, it recognizes and validates the IP address (malformed addresses are rejected), and when the 'check mark' is clicked the changes get locked in.
But, when I click the OK button to accept the configuration, I am greeted with a red 'tag' in the lower right that displays an unhelpful '-9999:-9999'. And the page will not close, nor allow exit. I have to change back to get out.
Searches of both Forti-forums, and general web searches do not identify this behavior. The error code only appears in a query regarding mobile connection without IP.
How do I edit the remote gateway field of an established, active, tunnel?
To provide for the next person looking for this error; I had a support call and they tried the same setting from the command line. This was the response:
Cannot change tunnel type once configured.
object set operator error, -9999, roll back the setting
Command fail. Return code -9999
So THERE is the answer, once a tunnel type is configured, it can not be changed.
This, despite the fact that the GUI will accept, validate and 'lock-in' changes.
Also, the GUI error message could use a bit more verbosity!
Hope this helps someone.
You should consider using dynamic dial-up VPN tunnel at HQ. This way spokes can use dynamic IP addresses and you don't need to maintain it on the hub.
As it stands now you can use CLI to make this change most likely. Have you tried using CLI? Or just create a new tunnel for the new ISP at the remote site?
That (in part) is the problem. I AM currently using dyn-dns addresses. On both sites.
I need to assign TWO addresses to the remote site. To differentiate them, I need to use the IP addresses - FortiDynDNS will only allow a single address for a box.
When I try to edit the (existing FortiDynDns) to be an IP, I get the -9999 error.
I have a configuration for the new tunnel to the new address, but again, as soon as I change configuration, the FortiDynDns would get updated, and it would point to the new IP - Not what I want to happen. (Even if I could get the second tunnel to open - I found this issue, while diagnosing that problem.)
I have not tried it on a CLI.
Continuing on diagnostics; I brought down that tunnel, rebooted firewall and attempted to edit... no-joy, same message, -9999:-9999. (Since rebooting the firewall takes the entire company offline, I can only do that in the wee hours of a weekend.) So this error is not blocking, due to an attempt to modify an 'active' tunnel.
Hoping this helps someone - regardless of what support says, you can change the tunnel type, as long as phase 1 interface is down.
config system interface
    edit <tunnel name>
        set status down
    next
end
config vpn ipsec phase1-interface
    edit <tunnel name>
        set type <dynamic/static/ddns>
    next
end
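As an added illustration, not the poster's own commands and not Fortinet documentation, here is the same workaround carried through to completion: the phase1 interface is taken down, the type is switched from ddns to static with the fixed peer address set, the interface is brought back up, and the result is checked. The tunnel name "to-remote" and the peer address 203.0.113.10 (a documentation range) are placeholders.

```fortios
# Added example, not from the thread. Placeholders: tunnel "to-remote",
# new fixed peer address 203.0.113.10 (TEST-NET-3 documentation range).

# 1. Take the phase1 interface down; the reply above reports the type
#    change is only accepted while the tunnel interface is down.
config system interface
    edit "to-remote"
        set status down
    next
end

# 2. Switch the gateway type from ddns to static and set the fixed peer.
config vpn ipsec phase1-interface
    edit "to-remote"
        set type static
        set remote-gw 203.0.113.10
    next
end

# 3. Bring the tunnel interface back up.
config system interface
    edit "to-remote"
        set status up
    next
end

# 4. Confirm the phase1 now points at the new peer and the IKE SA comes up.
show vpn ipsec phase1-interface "to-remote"
diagnose vpn ike gateway list name "to-remote"
get vpn ipsec tunnel summary
```

Run step 2 in a maintenance window: while the type is being changed the existing tunnel is down, so the remote site is unreachable over the VPN until step 3 completes and IKE re-negotiates. Whether step 1 unblocks the change at all depends on the firmware; a later reply in this thread reports that it no longer works on 7.4.5.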
This workaround doesn't work in 7.4.5
There is a knowledge base article for this specific error on IPSec tunnel setting with the workaround to make the change directly on the configuration.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-change-IPSEC-tunnel-type-and-get...