Dear all.
I'm using a Cisco Firepower 1120 and have configured it to use DDNS with a custom URL in FDM, but it does not work.
> show ddns update interface internet
Dynamic DNS Update on internet:
Update Method Name Update Destination
Cloudflare not available
Last Update attempted on 18:45:42.449 UTC Sat Feb 24 2024
Status : Failed
Reason : Could not establish a connection to the server
Our custom DDNS service runs on a Cloudflare Worker, and it uses GTS Root R1 as its root CA.
So, I added GTS Root R1 (and the other certificates that our Cloudflare zone uses) to the Trusted CA Certificate Group.
I also checked the DDNS debug log and the FDM log, but they don't provide much information for debugging the connection issue.
> debug ddns
DDNS update request = /update?hostname=<hostname_of_interface>&myip=<ip_of_firewall>
URL request = https://<our_ddns_worker>.workers.dev/update?hostname=<h>&myip=<a>
Buf request = text/plain; charset=UTF-8
Host: <our_ddns_worker>.workers.dev
Authorization: Basic <redacted>
User-Agent: Cisco/1.0
Failed to send HTTP(s) request
DDNS: Another update completed, outstanding = 0
DDNS: IDB SB total = 0
Feb 24 2024 19:03:36: %FTD-7-609001: Built local-host identity:<ip_of_firewall>
Feb 24 2024 19:03:36: %FTD-7-609001: Built local-host internet:<ip_of_ddns_worker>
Feb 24 2024 19:03:36: %FTD-6-302013: Built outbound TCP connection 1214 for internet:<ip_of_ddns_worker>/443 (<ip_of_ddns_worker>/443) to identity:<ip_of_firewall>/20130 (<ip_of_firewall>/20130)
Feb 24 2024 19:03:36: %FTD-6-725001: Starting SSL handshake with server internet:<ip_of_firewall>/20130 to <ip_of_ddns_worker>/443 for TLS session
Feb 24 2024 19:03:36: %FTD-7-725009: Device proposes the following 22 cipher(s) to server internet:<ip_of_firewall>/20130 to <ip_of_ddns_worker>/443
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-GCM-SHA384
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[5] : ECDHE-RSA-AES256-GCM-SHA384
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[6] : DHE-RSA-AES256-GCM-SHA384
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[7] : AES256-GCM-SHA384
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[8] : ECDHE-ECDSA-AES256-SHA384
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[9] : ECDHE-RSA-AES256-SHA384
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[10] : DHE-RSA-AES256-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[11] : AES256-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[12] : ECDHE-ECDSA-AES128-GCM-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[13] : ECDHE-RSA-AES128-GCM-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[15] : AES128-GCM-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[16] : ECDHE-ECDSA-AES128-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[17] : ECDHE-RSA-AES128-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[18] : DHE-RSA-AES128-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[19] : AES128-SHA256
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[20] : AES256-SHA
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[21] : DHE-RSA-AES128-SHA
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[22] : AES128-SHA
Feb 24 2024 19:03:36: %FTD-3-331004: Dynamic DNS Web update for <hostname> => <ip_of_firewall> failed due to a connection failure to <our_ddns_worker>.workers.dev
Feb 24 2024 19:03:36: %FTD-6-302014: Teardown TCP connection 1214 for internet:<ip_of_ddns_worker>/443 to identity:<ip_of_firewall>/20130 duration 0:00:00 bytes 142 TCP Reset-O from identity
Feb 24 2024 19:03:36: %FTD-7-609002: Teardown local-host identity:<ip_of_firewall> duration 0:00:00
Feb 24 2024 19:03:36: %FTD-7-609002: Teardown local-host internet:<ip_of_ddns_worker> duration 0:00:00
Could you please help me resolve this issue?
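As an added example (not part of the original post and not Cisco tooling), the Python below condenses a syslog capture like the one above into the facts needed to triage the failed session: the connection ID, whether the handshake started, how many ciphers were declared versus listed, and the teardown details. The function name `summarize` is hypothetical, and the sample lines are constructed from the post's log format with documentation-range addresses and hostnames in place of the redacted values.

```python
import re

# Constructed sample: abbreviated from the log format in the post, with
# documentation-range IPs and example hostnames replacing redacted values.
SAMPLE = """\
Feb 24 2024 19:03:36: %FTD-6-302013: Built outbound TCP connection 1214 for internet:203.0.113.10/443 (203.0.113.10/443) to identity:198.51.100.2/20130 (198.51.100.2/20130)
Feb 24 2024 19:03:36: %FTD-6-725001: Starting SSL handshake with server internet:198.51.100.2/20130 to 203.0.113.10/443 for TLS session
Feb 24 2024 19:03:36: %FTD-7-725009: Device proposes the following 22 cipher(s) to server internet:198.51.100.2/20130 to 203.0.113.10/443
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-GCM-SHA384
Feb 24 2024 19:03:36: %FTD-7-725011: Cipher[5] : ECDHE-RSA-AES256-GCM-SHA384
Feb 24 2024 19:03:36: %FTD-3-331004: Dynamic DNS Web update for fw.example.test => 198.51.100.2 failed due to a connection failure to ddns.example.test
Feb 24 2024 19:03:36: %FTD-6-302014: Teardown TCP connection 1214 for internet:203.0.113.10/443 to identity:198.51.100.2/20130 duration 0:00:00 bytes 142 TCP Reset-O from identity
"""

# Severity digit, six-digit message ID, then the message text.
LINE = re.compile(r"%FTD-(\d)-(\d{6}): (.*)$")

def summarize(log):
    """Reduce one session's syslog lines to a triage summary (IDs as seen in the post)."""
    s = {"conn": None, "handshake_started": False, "declared": 0,
         "listed": [], "ddns_failed": False, "teardown": None}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg_id, text = m.group(2), m.group(3)
        if msg_id == "302013":      # TCP connection built
            s["conn"] = int(re.search(r"connection (\d+)", text).group(1))
        elif msg_id == "725001":    # handshake started
            s["handshake_started"] = True
        elif msg_id == "725009":    # number of ciphers the device says it proposes
            s["declared"] = int(re.search(r"following (\d+) cipher", text).group(1))
        elif msg_id == "725011":    # one proposed cipher per line
            c = re.match(r"Cipher\[(\d+)\] : (\S+)", text)
            s["listed"].append((int(c.group(1)), c.group(2)))
        elif msg_id == "331004":    # DDNS web update failure
            s["ddns_failed"] = True
        elif msg_id == "302014":    # teardown: duration, byte count, reason
            t = re.search(r"connection (\d+) .* duration (\S+) bytes (\d+) (.*)$", text)
            s["teardown"] = {"conn": int(t.group(1)), "duration": t.group(2),
                             "bytes": int(t.group(3)), "reason": t.group(4)}
    seen = {i for i, _ in s["listed"]}
    # Cipher indexes announced by the count but absent from the capture.
    s["missing_indexes"] = [i for i in range(1, s["declared"] + 1) if i not in seen]
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the full capture from the post, `missing_indexes` lists whichever of the 22 declared cipher entries do not appear in the pasted log.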