07-30-2024 05:20 AM - edited 07-31-2024 12:15 AM
Hello,
I'm trying to get DDNS to work on an FTD 7.4, but without any luck so far.
Previously I had a DDNS client configured on a Synology NAS and that worked without any issues, but I have a problem getting it to work on the FTD.
When I enable debug DDNS, I can see the following:
#debug ddns
DDNS update request = /xyz?hostname=vpn.mydomain.se&myip=78.71.10.10
URL request = https://dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
Buf request = text/plain; charset=UTF-8
Host: dyndns.loopia.se
Authorization: Basic ZmlyZXBvd2VyLnNlOjNxd6Fv3Sdjb2s=
User-Agent: Cisco/1.0
A "show ddns update interface outside" gives this output:
show ddns update interface outside
Dynamic DNS Update on outside:
Update Method Name     Update Destination
WEB                    not available
Last Update attempted on 12:13:05.337 UTC Tue Jul 30 2024
Status : Failed
Reason : Could not establish a connection to the server
The DDNS config looks like this, and I have also downloaded and imported the CA certificate from the DDNS provider according to the config guide.
interface Ethernet1/1
no switchport
nameif outside
security-level 0
ddns update hostname vpn.mydomain.se
ddns update WEB
dhcp client update dns server both
ip address dhcp setroute
!
!
ddns update method WEB
web update-url https://username:password@dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
interval maximum 0 0 5 0
Anyone know what the issue can be? I can ping the DDNS server without any problem, so I don't think it's DNS related.
Thanks
/Chess
07-30-2024 05:06 PM
Regarding DNS, just to be sure, when you try to ping the DDNS server (dyndns.loopia.se), you're doing so from the FTD appliance?
This could also be a certificate issue, if the appliance trusts the certificate from the dyndns server?
In order to check if connectivity is being made and successful, you could run a packet capture on the outside interface and matching all traffic to the IP address that dyndns.loopia.se resolves to, and verify if the FTD appliance is trying to make a connection and if three-way-handshake is successful.
This way you can rule out if it's a connectivity/DNS issue or not.
So if you can see the connection being made, I would verify if the FTD has a trustpoint for the CA of the DDNS server (step 9 in the guide you referenced), and debug SSL while verifying.
Another thing I want to point out, while getting the debug output is appreciated in your original post, the Authorization header includes a base64 encoded user/pass, which is reversible (it's an encoding technique, not encryption). If these are your credentials for this service I highly recommend you change them.
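The two points raised above (what the WEB update method actually puts on the wire, and why a pasted Basic Authorization header is as good as the plaintext password) can be shown side by side. The following is an added example for this thread, not code from the original poster, the replier or Cisco; the update URL, hostname, IP and credentials in it are constructed values, and the `Cisco/1.0` user agent is simply copied from the debug output above. It rebuilds the request the way the debug output shows it (URL with `<h>`/`<a>` substituted, credentials moved into a Basic header), decodes such a header back to user and password, and, as a network-only helper, performs the same CA-verified TLS handshake the FTD needs to succeed before it can deliver the update.

```python
import base64
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

# Constructed example values: not the thread author's real hostname, IP or credentials.
EXAMPLE_UPDATE_URL = "https://ddns-user:s3cret@dyndns.example.net/xyz?hostname=<h>&myip=<a>"


def build_update_request(update_url, hostname, ip):
    """Turn a 'web update-url' of the form user:password@host/path?...<h>...<a>
    into what the device sends: the request URL with <h>/<a> filled in and an
    HTTP Basic Authorization header derived from the embedded user:password."""
    parts = urlsplit(update_url)
    if parts.username is None or parts.password is None:
        raise ValueError("update URL must embed user:password before the host")
    # Credentials leave the URL and travel in the header instead.
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    clean_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    url = clean_url.replace("<h>", hostname).replace("<a>", ip)
    token = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    headers = {
        "Host": parts.hostname,
        "Authorization": f"Basic {token}",
        "User-Agent": "Cisco/1.0",  # value seen in the debug output above
    }
    return url, headers


def decode_basic_header(header_value):
    """Basic auth is base64, not encryption: anyone holding the header gets the
    user and password back with one decode. This is why a pasted debug capture
    that includes the Authorization line should be treated as a credential leak."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def check_server_trust(hostname, cafile, port=443, timeout=5):
    """Reproduce the trust check that precedes the update: a TLS handshake that
    verifies the server's chain against the CA bundle in `cafile` (the CA you
    would import as a trustpoint). Returns (True, subject) on success and
    (False, reason) on a trust or connectivity failure. Needs network access,
    so the offline demo below does not call it."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    url, headers = build_update_request(EXAMPLE_UPDATE_URL, "vpn.example.net", "203.0.113.10")
    print("URL request =", url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("Authorization header decodes to:", decode_basic_header(headers["Authorization"]))
```

A failed `check_server_trust` with a "certificate not trusted" reason corresponds to the "Could not establish a connection to the server" status in the thread when the server's CA is not trusted; a "connection failed" reason points at the reachability or DNS side instead, which is the split the packet-capture suggestion above is meant to make.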
07-30-2024 06:18 AM
"Previously I had a DDNS client configured on a Synology NAS and that worked without any issues"
Is this with the same FTD?
"but I have a problem getting it to work on the FTD." - Is this problem after the upgrade to 7.4, or has it never worked?
How are you managing the FTD, using FDM or FTD?
07-30-2024 06:50 AM
This was the first time I tried to set it up with FTD. Before I had it configured on a Synology NAS behind the FTD.
I followed the guide here: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-dhcp-ddns.html
FTD is managed by FMC.
/Chess
07-30-2024 06:25 AM - edited 07-30-2024 07:00 AM
Thanks
MHM
07-30-2024 06:54 AM
Hi,
Are you sure about that? The WEB method is mentioned in the configuration guide and I can select it in FMC.
07-30-2024 06:59 AM
FMC, you use 7.x?
MHM
07-30-2024 07:00 AM
FMC and FTD are both on 7.4
07-31-2024 12:14 AM
Thanks, it was indeed the certificate that caused the issue. I just received a new CA cert from Loopia and now everything looks good.
Update URL request = https://dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
Successfuly updated the DDNS sever with current IP addresses
DDNS: Another update completed, outstanding = 0
Best regards
/Chess