FTD and DDNS

Chess Norris (Level 4)

Hello,

I'm trying to get DDNS to work on an FTD 7.4, but without any luck so far.

Previously I had a DDNS client configured on a Synology NAS and that worked without any issues, but I have problems getting it to work on the FTD.

When I enable debug DDNS, I can see the following:

#debug ddns
DDNS update request = /xyz?hostname=vpn.mydomain.se&myip=78.71.10.10
URL request = https://dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
Buf request = text/plain; charset=UTF-8
Host: dyndns.loopia.se
Authorization: Basic ZmlyZXBvd2VyLnNlOjNxd6Fv3Sdjb2s=
User-Agent: Cisco/1.0

A "show ddns update interface outside" gives this output:

show ddns update interface outside

Dynamic DNS Update on outside:
Update Method Name Update Destination
WEB not available

Last Update attempted on 12:13:05.337 UTC Tue Jul 30 2024
Status : Failed
Reason : Could not establish a connection to the server

The DDNS config looks like this, and I have also downloaded and imported the CA certificate from the DDNS provider according to the config guide.

interface Ethernet1/1
no switchport
nameif outside
security-level 0
ddns update hostname vpn.mydomain.se
ddns update WEB
dhcp client update dns server both
ip address dhcp setroute
!
!
ddns update method WEB
web update-url https://username:password@dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
interval maximum 0 0 5 0

Anyone know what the issue can be? I can ping the DDNS server without any problem, so I don't think it's DNS related.

Thanks

/Chess

8 Replies

balaji.bandi (Hall of Fame)
Previously I had a DDNS client configured on a Synology NAS and that worked without any issues

Is this with the same FTD?

"but I have problem getting it to work on the FTD." - Is this a problem after upgrading to 7.4, or did it never work?

How are you managing the FTD: using FDM or FTD?

BB

This was the first time I tried to set it up with FTD. Before I had it configured on a Synology NAS behind the FTD.

I followed the guide here: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-dhcp-ddns.html

FTD is managed by FMC. 

/Chess

Thanks

MHM

Hi,

Are you sure about that? The WEB method is mentioned in the configuration guide and I can select it in FMC.

Do you use FMC 7.x?

MHM

FMC and FTD are both on 7.4

Regarding DNS, just to be sure, when you try to ping the DDNS server (dyndns.loopia.se), you're doing so from the FTD appliance?
This could also be a certificate issue: does the appliance trust the certificate from the dyndns server?

In order to check whether connectivity is being made and is successful, you could run a packet capture on the outside interface, match all traffic to the IP address that dyndns.loopia.se resolves to, and verify whether the FTD appliance is trying to make a connection and whether the three-way handshake is successful.
This way you can rule out if it's a connectivity/DNS issue or not.

So if you can see the connection being made, I would verify if the FTD has a trustpoint for the CA of the DDNS server (step 9 in the guide you referenced), and debug SSL while verifying.

Another thing I want to point out, while getting the debug output is appreciated in your original post, the Authorization header includes a base64 encoded user/pass, which is reversible (it's an encoding technique, not encryption). If these are your credentials for this service I highly recommend you change them.
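Two of the checks from the accepted answer can be reproduced off-box. The script below is an added example for this thread, not code from the original post, from Cisco, or from the DDNS provider; the host names, credentials and debug lines in it are constructed placeholders (the real provider path in the thread is elided as /xyz and is kept that way). It builds the same HTTP request the FTD WEB method sends from a `web update-url` template, so you can see exactly where the Basic header comes from; it scans captured debug output for Authorization headers and reports the recoverable username and the password length, so you can audit a paste before posting it; and it performs a TLS handshake against the DDNS host trusting only the CA file you intend to import as the trustpoint, which reproduces the "Could not establish a connection" symptom when the wrong CA is loaded.

```python
"""Off-box checks for an FTD/ASA-style DDNS WEB update (added example, not vendor code)."""
import base64
import socket
import ssl
from urllib.parse import unquote, urlsplit

# Update-URL template in the shape the "web update-url" command takes.
# Host and credentials are constructed placeholders for this example.
TEMPLATE = "https://username:password@dyndns.example.invalid/xyz?hostname=<h>&myip=<a>"

# Constructed debug output modelled on the thread's "debug ddns" lines.
SAMPLE_DEBUG = """\
DDNS update request = /xyz?hostname=vpn.example.invalid&myip=203.0.113.10
Host: dyndns.example.invalid
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
User-Agent: Cisco/1.0
"""


def expand_update_url(template, hostname, ip):
    """Substitute <h> and <a> and split the credentials out of the URL.

    Returns (request_target, host, (user, password) or None)."""
    url = template.replace("<h>", hostname).replace("<a>", ip)
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    userinfo = None
    if parts.username is not None:
        userinfo = (unquote(parts.username), unquote(parts.password or ""))
    return target, parts.hostname, userinfo


def basic_auth_header(username, password):
    """RFC 7617 Basic header: base64 of 'user:password', an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def build_request_lines(template, hostname, ip):
    """Request lines the WEB method sends for one update (GET over HTTPS)."""
    target, host, userinfo = expand_update_url(template, hostname, ip)
    lines = [f"GET {target} HTTP/1.1", f"Host: {host}"]
    if userinfo:
        lines.append(basic_auth_header(*userinfo))
    lines.append("User-Agent: Cisco/1.0")  # value seen in the thread's debug output
    return lines


def find_leaked_credentials(debug_text):
    """Scan debug output for Basic auth headers.

    Returns [(username, password_length), ...]; the password itself is not
    returned so the result can be logged or shared safely."""
    found = []
    for line in debug_text.splitlines():
        stripped = line.strip()
        if not stripped.lower().startswith("authorization: basic "):
            continue
        token = stripped.split(None, 2)[2]
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed Basic token; skip it
        user, _, password = decoded.partition(":")
        found.append((user, len(password)))
    return found


def check_server_trust(host, cafile=None, port=443, timeout=5.0):
    """TLS handshake trusting only `cafile` (system store when None).

    Returns (ok, detail): the issuer CN on success, otherwise the reason. A
    'certificate not trusted' result is what the FTD reports as a failed
    connection when its trustpoint holds the wrong CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer.get("commonName", str(issuer))
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    for line in build_request_lines(TEMPLATE, "vpn.example.invalid", "203.0.113.10"):
        print(line)
    print("credentials exposed in debug paste:", find_leaked_credentials(SAMPLE_DEBUG))
    # Network check, run against your real DDNS host and the CA file you plan
    # to import as the trustpoint, e.g.:
    #   print(check_server_trust("dyndns.example.invalid", cafile="provider-ca.pem"))
```

Run `check_server_trust` once with the system store and once with only the provider's CA file: if the first succeeds and the second fails, the CA you downloaded is not the one that actually issued the server's certificate, which matches the resolution in this thread (a new CA cert from the provider).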

Thanks, It was indeed the certificate that caused the issue. I just received a new CA cert from Loopia and now everything looks good.

Update URL request = https://dyndns.loopia.se/xyz?hostname=<h>&myip=<a>
Successfuly updated the DDNS sever with current IP addresses
DDNS: Another update completed, outstanding = 0

Best regards

/Chess
