Troubleshooting Tip: Unable to change Split tunnel address object in IPSec Dialup VPN gives error 'Can not change address members. Group is used by ipsec mode-cfg'
**Description:** This article describes the troubleshooting steps when editing the address group used for split tunneling in a dial-up IPsec VPN fails with the error 'Can not change address members. Group is used by IPsec mode-cfg'.

**Scope:** FortiGate v7.4.8.

**Solution:** When trying to edit the address group used for split tunneling in a dial-up IPsec VPN tunnel, the operation fails with the error 'Can not change address members. Group is used by IPsec mode-cfg', as shown in the GUI.
It is not possible to edit it via the CLI either; the following error is displayed:

```
Can not change address members. Group is used by ipsec mode-cfg.
object set operator error, -23 discard the setting
Command fail. Return code 1
```
This is because, from version 7.4.8 onward, an address group that is referenced by the mode-config of a dial-up tunnel (as its split tunnel group) cannot be edited in place.
One solution is to change the split tunnel address group in the dial-up IPsec VPN tunnel to any other address group (or select 'none'), edit the address group, and then reinsert it into the dial-up IPsec VPN tunnel.

Alternatively, disable 'Mode Config' in the phase-1 of the IPsec dial-up VPN tunnel, edit the address group, and then re-enable mode-cfg in the phase-1:
In this way, the address group for split tunneling in IPsec dial-up VPN tunnels can be edited without any issues.

Important Note: If the VPN was created via the VPN wizard, 'Mode Config' is not visible in the GUI. It can be disabled in the CLI to apply the change:
```
config vpn ipsec phase1-interface
    edit "VPNNAME"
        set mode-cfg disable
    next
end
```
Mode config settings disappear from the GUI while it is disabled in the CLI.

After the address group has been modified, re-enable mode config in the CLI; all settings will appear in the GUI again:
```
config vpn ipsec phase1-interface
    edit "VPNNAME"
        set mode-cfg enable
    next
end
```
This behavior is present in v7.4.8 and later 7.4.x releases. In v7.6 or higher, the address group can be edited without the need to remove it from the IPsec configuration.

This behavior will NOT be changed in any 7.4.x release; it is only changed in the v7.6 train.
Note: Making the above changes drops the IPsec tunnel, so it is recommended to make them during a maintenance window to avoid production issues.
To avoid downtime, another option is to clone the split tunnel address group and add the new subnet to the clone.
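As an added preflight check (this is not code from the article or from Fortinet), the following Python parses a FortiOS configuration excerpt and reports which phase1-interfaces pin a given address group, i.e. have `mode-cfg` enabled and reference the group via `ipv4-split-include`. Those are the tunnels that must be touched (mode-cfg disabled or the split tunnel group swapped out) before the group can be edited on v7.4.8; the tunnel names, group names and subnets in the sample are constructed values.

```python
import re

# Constructed sample of a FortiOS config backup (not from the article): one
# dial-up tunnel with mode-cfg enabled and one with it disabled.
SAMPLE_CONFIG = """\
config firewall addrgrp
    edit "SPLIT_TUNNEL_GRP"
        set member "LAN_10.1.0.0" "LAN_10.2.0.0"
    next
    edit "OTHER_GRP"
        set member "LAN_10.3.0.0"
    next
end
config vpn ipsec phase1-interface
    edit "DIALUP_A"
        set type dynamic
        set mode-cfg enable
        set ipv4-split-include "SPLIT_TUNNEL_GRP"
    next
    edit "DIALUP_B"
        set type dynamic
        set mode-cfg disable
        set ipv4-split-include "OTHER_GRP"
    next
end
"""

def phase1_split_includes(config_text):
    """Map each phase1-interface name to (mode_cfg_enabled, split_include_group)."""
    block = re.search(r"config vpn ipsec phase1-interface\n(.*?)\nend", config_text, re.S)
    result = {}
    for entry in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1) if block else "", re.S):
        name, body = entry.group(1), entry.group(2)
        mode_cfg = re.search(r"set mode-cfg (enable|disable)", body)
        split = re.search(r'set ipv4-split-include "([^"]+)"', body)
        result[name] = (bool(mode_cfg and mode_cfg.group(1) == "enable"),
                        split.group(1) if split else None)
    return result

def locked_by(config_text, group_name):
    """Tunnels that pin group_name: mode-cfg enabled AND the group is their
    ipv4-split-include. On v7.4.8 editing such a group fails with the
    'Group is used by ipsec mode-cfg' error until one of these is changed."""
    return sorted(name for name, (enabled, grp) in phase1_split_includes(config_text).items()
                  if enabled and grp == group_name)
```

Run `locked_by(config_text, "GROUPNAME")` against a backup taken from the unit (`show vpn ipsec phase1-interface` output works too) to list the tunnels to change in the maintenance window.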