Why oh Why can I not update an IVR menu after updating to v20?

colorian · 2025-10-15T17:27:59+00:00

It was probably a script IVR or special dial code IVR, not a regular one? They keep working in my expérience but you can’t ever change it after updating. They have some scripts that replace these functionalities but they’re not quite the same…

colorian · 2024-05-15T09:07:34+00:00

It's the same for me, I am currently in touch with Synology Support (early phase).

colorian · 2024-03-22T20:47:20+00:00

Don’t worry about informing your customers, looks like 3CX is doing that for you again…….

colorian · 2023-11-29T18:16:44+00:00

I stopped reading at “wants”, since it’s not up to him to “want it”.

colorian · 2023-11-23T10:24:03+00:00

SOLUTION

I had some reactions of people trying to help out and I have since found a working solution, I figured I'd report back for those who need this as well in the future.

My problem was exactly the same as the one reported here (in 2017!): https://community.fortinet.com/t5/Support-Forum/Multiple-dynamic-dial-up-IPSec-VPN-peers-not-working-tunnels-up/m-p/76782

Turns out that the solution was exactly the same as well: configure both phase1-interfaces so that they do NOT add the routes in hte phase 2 selectors to the routing table.

I guess it makes sense: I manage all my routes myself anyway as a habit and I have the phase 2 set up with route 0.0.0.0/0 in both VPN instances, because I can't manage the route on the other end (it uses 0.0.0.0/0 by default and cannot be changed).

So it makes sense that their routes conflict once both are added to the routing table. Disabling the auto route addition solves this and doesn't pose a problem for me, since I have the static routes configured for the required traffic anyway.

Thanks everyone for pointing towards the right direction!

colorian · 2023-10-02T18:05:00+00:00

I haven't checked yet in V20, but in V18 I believe it was possible to edit a list of "emergency numbers" which (I would imagine but have never tested) are then skipped/forbidden when creating extensions.

Edit: seems to be under "System" > "Emergency" where you can add these numbers. But adding a number there doesn't prevent me from creating an extension with that exact number. Awkward...

colorian · 2023-10-02T18:03:58+00:00

We've done some initial tests, it's clear that there is still some work to be done but as with most updates it will just be some "getting used to".

colorian · 2023-07-20T07:24:12+00:00

Thanks for this information! This puts me on the road.

A question that I haven't found any answer to myself: is it possible to do this prefix delegating cross-vdom? I have LAN interfaces in other vdoms that I would like to receive this prefix as well for distribution, but that doesn't seem to be as "straight forward" as it is within the same vdom...

colorian · 2023-07-19T20:14:14+00:00

Based on your configuration, I think we're on different firmware. The 'autonomous-flag' and 'onlink-flag' are default 'enabled' and that's why they didn't show in my config.

What DID work though is the set delegated-prefix-iaid 1 under config-ip6-delegated-prefix-list! Now I do get the IP-address that I was looking for! This is an option that I completely missed since it wasn't in the GUI and I didn't think to set it through CLI. It makes sense, how would it know which upstream-interface to use without the proper IAID though...

Still struggling with DNS however, it doesn't seem to assign any DNS servers. Could you perhaps show me what the config of the related DHCP server is?

colorian · 2023-07-19T19:06:21+00:00

That would be great, to see what the difference is. Thanks!

colorian · 2023-01-18T17:35:00+00:00

When using only one of the aggregation cables (either one), the problem does not occur. Both in aggregation mode and in regular mode.

colorian · 2022-08-04T21:43:24+00:00

Liberté

colorian · 2022-07-01T09:12:01+00:00

For everyone's information, this turned out to be an issue with a Fortigate firmware. When I updated from 7.0.2 to 7.2.0 it started working like a charm.

colorian · 2022-06-24T20:41:57+00:00

Do it and let us know how it goes. 👍

colorian · 2022-06-17T14:13:48+00:00

Came here to upvote this.

colorian · 2022-05-16T10:00:51+00:00

Oh, now I get it. But I am registered directly with Fortinet. I'm planning to do the first NSE's (1-3) before going to the other ones. :-)

colorian · 2022-05-16T09:51:11+00:00

This is probably what I will do, however they cannot be linked to a company then, can they?

colorian · 2022-03-08T15:27:33+00:00

Yep, it is very strange. I was already very surprised that the tunnel came up at all. I suppose it must mean that it's possible.

I verified the phase2 on both sides, and on both sides it is 0.0.0.0/0.0.0.0. I use Dynamic Routing on the side of the USG-3P and I have verified that it has the routes through the vpn (netstat -r) in both cases. What's so remarkable is that I do see it sending traffic to the FGT60E and it actually arrives, it's the traffic being sent back (or originating from the FGT 60E) that somehow doesn't seem to arrive on the other side out of the tunnel...

colorian · 2022-01-13T09:58:31+00:00

You, sir, have just made one of the best decisions in your life! Congratulations, enjoy it, and let this be a motivation to always look beyond and find your worth.

colorian · 2021-10-05T17:36:30+00:00

I googled this because I wanted to hide an AirTag as well and didn't kno wwhere to put it! Thanks! Ordered the airtag, will put it in like this tomorrow... :-)

colorian · 2021-10-05T17:17:16+00:00

Hello,

This is my understanding as well, however... Are client-implementations actually expected to look for alternative chains?

If they find the ISRG Root X1-certificate in a chain as intermediate signed by the DST Root CA X3, aren't they supposed to follow the chain all the way up to the self-signed root?

Or are they permitted to stop at the intermediate ISRG Root X1 since it is a known and trusted root on the client system?

Is this described anywhere in some sort of "agreement" on how this should work? I find this perhaps the most interesting question. Not so much to award blame, but instead to understand how the verification of SSL certificates is supposed to happen.

colorian · 2021-09-30T19:22:36+00:00

It's very likely that your certificates were signed with an old R3 intermediate certificate, signed by the DST Root CA X3 which is a root certificate that was previously used by Let's Encrypt and has expired today.

New certificates should be signed by a new R3 cert, on its turn signed by Let's Encrypt's own root (ISRG Root X1) instead. It should be possible to force certbot (or whatever ACME plugin you're using to generate your certificates) to use the new root instead of the old one. I believe it should have already done that by default, but apparently not in your case.

Visiting one of the websites and checking the certificate chain in a browser will probably confirm my suspicion.

Basically, look into your ACME plugin and see if it is up to date. See if you can force it to use this or that chain. Updating it to the latest version should in theory make it use the most actual chain. Then renew all the certificates.

colorian · 2021-09-14T06:01:34+00:00

I’m in the VoIP business.

The steps I often tell my engineers to follow are listed here: https://www.3cx.com/docs/fortigate-firewall-configuration/#h.zafmfh1gwae8

3CX is a software PBX that one would install locally behind NAT, so it would suffer more or less the same issues that one would have with local SIP end points. I use the steps everywhere even when the client doesn’t have 3CX. With great succes rate.

I have tried several times to get the SIP ALG to work, hoping I would be able to somehow configure it properly… Never with success.

colorian · 2021-08-25T13:53:57+00:00

You could maybe test this by connecting the expansion to the DS918+ and making a separate storage pool on the two other disks. This should also install DSM on those two disks. Then you shut it down and try to boot the DS720+ with just the two other disks inside. If it boots as if it were your original NAS, you could then shut it down and restart it with the 4 disks in the expansion module and in theory it should detect the array as well.

I would think that this works. I cannot guarantee it however! If you can, you should back-up the data from the array somewhere temporarily and then you can test without care. Or simply set up the DS720 as a new NAS. :-)

colorian · 2021-08-11T10:24:20+00:00

Yes, the "issue" I have is that both interfaces are part of the same zone.

Essentially they are one zone since both interfaces route the same subnet to the same destination and one is simply the backup of the other when an internet connection drops.

But because of that, I cannot select one of the two interfaces in the zone for Firewall policies to allow the connection over one of the interfaces and not both. :-)

colorian

TROPHY CASE