topic Re: FTD and DDNS in Network Security

FTD and DDNS

Chess Norris — Wed, 31 Jul 2024 07:15:05 GMT

Hello,

I'm trying to get DDNS to work on a FTD 7.4, but without any luck so far.

Previously I had a DDNS client configured on a Synology NAS and that worked without any issues, but I have problem getting it to work on the FTD.

When enable debug DDNS, I can see the following:

#debug ddns
DDNS update request = /xyz?hostname=vpn.mydomain.se&myip=78.71.10.10
URL request = https://dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
Buf request = text/plain; charset=UTF-8
Host: dyndns.loopia.se
Authorization: Basic ZmlyZXBvd2VyLnNlOjNxd6Fv3Sdjb2s=
User-Agent: Cisco/1.0

A "show ddns update interface outside" gives this output:

show ddns update interface outside

Dynamic DNS Update on outside:
Update Method Name Update Destination
WEB not available

Last Update attempted on 12:13:05.337 UTC Tue Jul 30 2024
Status : Failed
Reason : Could not establish a connection to the server

The DDNS config looks like this and I have also downloaded and import the CA certificate from the DDNS provider according to the config guide.

interface Ethernet1/1
no switchport
nameif outside
security-level 0
ddns update hostname vpn.mydomain.se
ddns update WEB
dhcp client update dns server both
ip address dhcp setroute
!
!
ddns update method WEB
web update-url https://username:password@dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
interval maximum 0 0 5 0

Anyone know what can be the issue? I can ping the DDNS server without any problem, so I dont think it's DNS related.

Thanks

/Chess

Re: FTD and DDNS

balaji.bandi — Tue, 30 Jul 2024 13:18:00 GMT

Previously I had a DDNS client configured on a Synology NAS and that worked without any issues

is this with same FTD ?

but I have problem getting it to work on the FTD. - is this problem after upgrade to 7.4 or never worked ?

how are you managing FTD using FDM or FTD.

Re: FTD and DDNS

MHM Cisco World — Tue, 30 Jul 2024 14:00:22 GMT

Thanks

MHM

Re: FTD and DDNS

Chess Norris — Tue, 30 Jul 2024 13:50:02 GMT

This was the first time I tried to set it up with FTD. Before I had it configured on a Synology NAS behind the FTD.

I followed the guide here her: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-dhcp-ddns.html

FTD is managed by FMC.

/Chess

Re: FTD and DDNS

Chess Norris — Tue, 30 Jul 2024 13:54:01 GMT

Hi,

Are you sure about that? WEB method is mention in the configuration guide and I can select it in FMC.

Re: FTD and DDNS

MHM Cisco World — Tue, 30 Jul 2024 13:59:42 GMT

Fmc you use 7.x ?

MHM

Re: FTD and DDNS

Chess Norris — Tue, 30 Jul 2024 14:00:56 GMT

FMC and FTD are both on 7.4

Re: FTD and DDNS

Jonatan Jonasson — Wed, 31 Jul 2024 00:06:57 GMT

Regarding DNS, just to be sure, when you try to ping the DDNS server (dyndns.loopia.se), you're doing so from the FTD appliance?
This could also be a certificate issue, if the appliance trusts the certificate from the dyndns server?

In order to check if connectivity is being made and successful, you could run a packet capture on the outside interface and matching all traffic to the IP address that dyndns.loopia.se resolves to, and verify if the FTD appliance is trying to make a connection and if three-way-handshake is successful.
This way you can rule out if it's a connectivity/DNS issue or not.

So if you can see the connection being made, I would verify if the FTD has a trustpoint for the CA of the DDNS server (step 9 in the guide you referenced), and debug SSL while verifying.

Another thing I want to point out, while getting the debug output is appreciated in your original post, the Authorization header includes a base64 encoded user/pass, which is reversible (it's an encoding technique, not encryption). If these are your credentials for this service I highly recommend you change them.

Re: FTD and DDNS

Chess Norris — Wed, 31 Jul 2024 07:14:14 GMT

Thanks, It was indeed the certificate that caused the issue. I just received a new CA cert from Loopia and now everything looks good.

Update URL request = https://dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
Successfuly updated the DDNS sever with current IP addresses
DDNS: Another update completed, outstanding = 0

Best regards

/Chess