rvillaroman
Staff
Article Id: 299983
Description: This article describes why the tunnel type can no longer be changed after upgrading to v7.2.0 and later.
Scope: FortiGate v7.2.0 and later.
Solution:

On v7.2.0 and later, once 'tun_id' has been generated, the IPsec VPN phase 1 interface type cannot be altered, because routes intended for the IPsec tunnel are matched using 'tun_id'. As a result, it is not possible to change the interface type from static remote gateway to DDNS or vice versa.

[Screenshot: sample-vpn.png]

On firmware versions earlier than v7.2.0, the tunnel type can be changed without error:

[Screenshot: test-vpn70.PNG]

On v7.2.0 and later, the '-9999: -9999' error appears when changing the tunnel type.

[Screenshot: Capture.PNG]

The GUI shows the same result:

[Screenshot: GUI-9999.png]

To fix this issue and change the tunnel type from the static gateway to dynamic DNS, recreate the VPN tunnel or create a new tunnel interface.
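The "create a new tunnel interface" option described above, sketched as FortiOS CLI. This is an added example, not configuration from the original article. The tunnel names, WAN interface, DDNS hostname, subnet and proposals are assumed placeholder values, and the pre-shared key is deliberately left as a placeholder.

```text
# Added example: build a NEW phase 1 interface of type ddns instead of
# editing the type on the existing static-gateway tunnel.
# All names and addresses below are hypothetical placeholders.
config vpn ipsec phase1-interface
    edit "to-branch-ddns"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "branch.example.com"
        set proposal aes256-sha256
        set psksecret <pre-shared-key>
    next
end

# Phase 2 selector bound to the new phase 1 interface.
config vpn ipsec phase2-interface
    edit "to-branch-ddns-p2"
        set phase1name "to-branch-ddns"
        set proposal aes256-sha256
    next
end

# Routes are matched to the tunnel, so add a route that points at the
# new tunnel interface rather than the old one.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-branch-ddns"
    next
end

# Firewall policies that reference the old tunnel interface also need
# to reference "to-branch-ddns" before the old tunnel can be removed.

# Confirm the new tunnel and its selectors:
get vpn ipsec tunnel summary
diagnose vpn tunnel list name to-branch-ddns
```

Keep the old tunnel in place until the new one is up and traffic is confirmed on it, then remove the old phase 2, routes and phase 1 entries.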