Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
I tried all of the recommendations that were described here. None of them worked. I am currently with a setup and recommendation from MPipes and ddns is not working with DuckDNS service.
error i am getting: 'Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host #####.duckdns.org with 10.xx.xx.4 Server response: Couldn\'t connect to server'
Certificates imported:
Certificate profile setup:
in my setup I am using vlan that has internet access and setup is as following:
vlan.10 == PA220 == eth1/1 == NAT router = ISP (no security profiles are used in security policy allowing traffic to internet)
Anyone with an idea what to do, what to troubleshoot?
I tried all of the previous recommendations and combinations with certificates and i am out of ideas. Any help more than welcome.
Make sure you imported the certificates as Trusted Root CA Certificates. I also imported DuckDNS's certificate
updated certificates as Trusted CA and imported DuckDNS cert too.
DuckDNS cert cannot be imported under cert profile since it is not a CA certificate.
I am still getting the same error: "Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host ####.duckdns.org with 10.XX.XX.4 Server response: Couldn't connect to server."
after i checked the traffic logs and url logs, whenever i run the "test dns-proxy ddns update interface name vlan.10"
it only generates logs under system logs, no traffic logs for the source.
also debug dataplane shows no logs:
duckdns.org is resolved to 35.165.107.187.
having in mind that vlan.10 interface is local firewall interface that has to match fw policy and nat policy in order to reach to internet ran packet-diag:
admin@PAFW> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: yes
Index 1: 10.xx.xx.4/32[0]->35.165.107.187/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 35.165.107.187/32[0]->10.xx.xx.4/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: yes
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic ager np arp receive ha nd mcast log track cluster pred
ctd : basic
ssl : basic
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: yes
Snaplen: 0
Username:
Stage receive : file duck-receive
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage firewall : file duck-firewall
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage transmit : file duck-transmit
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage drop : file duck-drop
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------
perhaps i might be wrong, but i do think that pa220 is not making requests to duckdns when i run test dns-proxy ddns update interface name vlan.10, and there is no ssl session for that matter to use certificate profiles.
Based on my previous update and further digging, the PA was not initiating traffic due to incorrect (default) service route configuration. After changing the setting and placing vlan.10 instead of default value DuckDns started to update properly.
