workerDrone
New Contributor II

Unable to reconfigure an IPSEC tunnel - error code -9999:-9999

I have an IPSEC tunnel configuration that refuses to allow GUI re-configuration. Displayed error is -9999:-9999.
Objective: I am migrating from one IP/ISP/fiber to another, at the remote location. Local (HQ) connection will remain the same.
I wish to run both tunnels until the configuration is up and running. Otherwise, termination of the existing tunnel disconnects all communication with the remote FortiGate 80E.
I originally configured the HQ connection to point to the DynDNS address of the remote site; I am unable to reconfigure this connection to a fixed IP.
This connection is up and running. Firmware v7.2.3 on both FortiGates.

When I change the Remote Gateway from Dynamic to fixed, it accepts the change; it recognizes and validates the IP address (malformed addresses are rejected), and when the 'check mark' is clicked the changes get locked in.
But when I click the OK button to accept the configuration, I am greeted with a red 'tag' in the lower right that displays an unhelpful '-9999:-9999'. The page will not close, nor allow exit. I have to change back to get out.
Searches of both Forti-forums, and general web searches do not identify this behavior. The error code only appears in a query regarding mobile connection without IP.

How do I edit the remote gateway field of an established, active tunnel?

1 Solution
workerDrone

To provide for the next person looking for this error: I had a support call and they tried the same setting from the command line. This was the response:

Cannot change tunnel type once configured.

object set operator error, -9999, roll back the setting

Command fail. Return code -9999

So THERE is the answer: once a tunnel type is configured, it cannot be changed.

This, despite the fact that the GUI will accept, validate and 'lock in' changes.

Also, the GUI error message could use a bit more verbosity!

 

Hope this helps someone.

gfleming
Staff

You should consider using dynamic dial-up VPN tunnel at HQ. This way spokes can use dynamic IP addresses and you don't need to maintain it on the hub.

 

As it stands now, you can most likely use the CLI to make this change. Have you tried using the CLI? Or just create a new tunnel for the new ISP at the remote site?

Cheers,
Graham
workerDrone

That (in part) is the problem. I AM currently using DynDNS addresses, on both sites.

 

I need to assign TWO addresses to the remote site. To differentiate them, I need to use the IP addresses - FortiDynDNS will only allow a single address for a box.

When I try to edit the (existing FortiDynDns) to be an IP, I get the -9999 error.

 

I have a configuration for the new tunnel to the new address, but again, as soon as I change configuration, the FortiDynDns would get updated, and it would point to the new IP - Not what I want to happen. (Even if I could get the second tunnel to open - I found this issue, while diagnosing that problem.)

 

I have not tried it on a CLI.

 

workerDrone
New Contributor II

Continuing with diagnostics: I brought down that tunnel, rebooted the firewall and attempted to edit... no joy, same message, -9999:-9999. (Since rebooting the firewall takes the entire company offline, I can only do that in the wee hours of a weekend.) So this error is not blocking due to an attempt to modify an 'active' tunnel.


JB79
New Contributor

Hoping this helps someone: regardless of what support says, you can change the tunnel type, as long as the phase 1 interface is down.

config system interface
    edit <tunnel name>
        set status down
    next
end

config vpn ipsec phase1-interface
    edit <tunnel name>
        set type <dynamic|static|ddns>
    next
end

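Carrying the procedure above through to the original poster's goal (switching the HQ side's phase 1 from DDNS to a fixed remote gateway and bringing the tunnel back), as an added example that is not from this thread. The tunnel name "HQ-to-Remote" and the address 203.0.113.10 are placeholders, and `set remote-gw` is assumed to be the phase1-interface setting that holds the static peer address.

```fortios
# Constructed example; "HQ-to-Remote" and 203.0.113.10 are placeholders.
# 1. Take the phase 1 interface down first. While it is up, the type change
#    is rejected with "Cannot change tunnel type once configured" (-9999).
config system interface
    edit "HQ-to-Remote"
        set status down
    next
end

# 2. Switch the tunnel type and point it at the remote site's fixed address.
config vpn ipsec phase1-interface
    edit "HQ-to-Remote"
        set type static
        set remote-gw 203.0.113.10
    next
end

# 3. Bring the interface back up, then confirm the IKE SA re-establishes
#    against the new peer address before tearing down the old tunnel.
config system interface
    edit "HQ-to-Remote"
        set status up
    next
end
diagnose vpn ike gateway list name "HQ-to-Remote"
```

Because the interface is down during step 2, run this in a maintenance window; the existing DDNS-based tunnel stays usable until step 1 is executed.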