An IPSec tunnel between the AR1220F-S and the USG is established using the USG dynamic domain name mode. After the address changes, the IPSec tunnel fails to be established.
Both the HQ and branches use dynamic IP addresses. The USG is deployed at the HQ, and the AR is deployed at branches. P2MP is used.
The dynamic domain name is configured for the HQ, and the branch establishes an IPSec tunnel to the HQ. After the IP address of the HQ changes, the IPSec tunnel fails to be established. Pinging the domain name of the HQ device from the PC returns the new IP address, but pinging the HQ domain name from the router still returns the original IP address.
This fault is caused by the time difference between the dynamic domain name provider's device and the DNS server. The time difference problem cannot be solved on the device.
After DDNS is configured, the domain name is updated slowly because the dynamic domain name provider takes a long time to synchronize the change to the DNS server. The figure below shows the domain name update process of PeanutHull. The processes of other dynamic domain name providers are similar.
To check whether the update has completed, ping the domain name. If the returned IP address is the new one, the dynamic domain name provider has synchronized the domain name address change to the DNS server.
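The check above can be automated by polling the name until it resolves to the new address. The following is an added example, not part of the original case: the hostname and IP addresses are constructed placeholders, and the script uses the system resolver of the host it runs on, so it reflects the router's view only on the assumption that this host queries the same DNS server as the router.

```python
import socket
import time


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the system resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # a failed lookup counts as "not synchronized yet"
    return {info[4][0] for info in infos}


def wait_for_ddns_sync(hostname, expected_ip, timeout=600, interval=30,
                       resolve=resolve_ipv4, sleep=time.sleep, clock=time.monotonic):
    """Poll until hostname resolves only to expected_ip.

    Returns (synced, history), where history lists the answers seen on each
    poll, which shows how long the stale address kept being served.
    """
    history = []
    deadline = clock() + timeout
    while True:
        answers = resolve(hostname)
        history.append(sorted(answers))
        if answers == {expected_ip}:
            return True, history
        if clock() + interval > deadline:
            return False, history  # still stale when the time budget ran out
        sleep(interval)


if __name__ == "__main__":
    # Constructed sample values: placeholder HQ name and documentation-range IP.
    ok, seen = wait_for_ddns_sync("hq.example.com", "203.0.113.20",
                                  timeout=120, interval=10)
    print("synchronized" if ok else "still stale", seen)
```

A result of `False` with the old address in every poll matches the symptom in this case: the DNS server seen by this host has not yet received the provider's update.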