FortiGate
rtichkule
Staff
Article Id 325885
Description

This article describes the conflict in VIP configuration.

Scope

FortiGate.
Solution

The following error may be observed under certain conditions while configuring a VIP.
The extip is overlapped with the gateway of static route.
object check operator error, -5, discard the setting
Command fail. Return code -5
Even when no static route has been created manually with a gateway that overlaps the external IP used in the VIP configuration, the error can still occur for other reasons. A few examples are given below.
Example 1:
The VIP's external IP may be referenced as the remote gateway of an IPsec VPN. Run the following command to find where the IP is used in the configuration.
show full-configuration | grep -f x.x.x.x    <----- Replace x.x.x.x with the external IP.

If the external IP of the VIP is already in use by an IPsec VPN tunnel, change the remote gateway of that tunnel or use a different external IP for the VIP.


Example 2:

Review the static routes in the routing table to determine whether any route has its next hop set to the VIP's external IP. For example, if the external IP is 192.168.64.1:
FortiGate # get router info routing-table static | grep -f 192.168.64.1
S 10.12.101.0/24 [10/0] via Switch-FGT tunnel 192.168.64.1, [1/0]
S 10.12.103.0/24 [10/0] via Switch-FGT tunnel 192.168.64.1, [1/0]
The output above shows that the external IP is in use as the gateway of static routes pointing to an IPsec tunnel.


Check the output of diagnose vpn tunnel list | grep 192.168.64.1 to see whether any IPsec tunnel has a tunnel ID equal to the external IP.
name=Switch-FGT ver=1 serial=1a4a 66.x.x.x:0->63.y.y.y:0 tun_id=192.168.64.1 tun_id6=::192.168.64.1 dst_mtu=1500 dpd-link=on weight=1
Because the tunnel ID is 192.168.64.1, the static routes for the IPsec tunnel use this tunnel ID as their gateway IP, which is what conflicts with the VIP's external IP.


Since the tunnel ID cannot be changed directly, the solution is to delete and recreate the tunnel. The recreated IPsec tunnel receives a new tunnel ID derived from the updated remote gateway IP configured for the VPN, so the static routes are assigned a new tunnel ID as gateway IP that no longer conflicts with the external IP of the VIP.
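To run the checks from Example 1 and Example 2 before committing a VIP, the following added example (not part of the article and not a Fortinet tool) parses captured output of get router info routing-table static and diagnose vpn tunnel list and reports every static-route gateway and IPsec tunnel ID that equals a candidate external IP. The sample output and all IP addresses, tunnel names and serials are constructed to mirror the lines shown above; the output formats are assumed to match those lines.

```python
import re

# Constructed sample output modelled on the article's lines (not captured from a device).
ROUTING_TABLE_STATIC = """\
S 10.12.101.0/24 [10/0] via Switch-FGT tunnel 192.168.64.1, [1/0]
S 10.12.103.0/24 [10/0] via Switch-FGT tunnel 192.168.64.1, [1/0]
S 0.0.0.0/0 [10/0] via 203.0.113.1, port1, [1/0]
"""

VPN_TUNNEL_LIST = """\
name=Switch-FGT ver=1 serial=1a4a 66.0.0.1:0->63.0.0.1:0 tun_id=192.168.64.1 tun_id6=::192.168.64.1 dst_mtu=1500 dpd-link=on weight=1
name=Branch-B ver=1 serial=1a4b 66.0.0.1:0->198.51.100.7:0 tun_id=198.51.100.7 tun_id6=::198.51.100.7 dst_mtu=1500 dpd-link=on weight=1
"""

# Static route line: "S <prefix> [ad/metric] via [<tunnel-name> tunnel ]<gateway>..."
ROUTE_GW_RE = re.compile(
    r"^S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(?:(\S+)\s+tunnel\s+)?(\d+\.\d+\.\d+\.\d+)"
)
# Tunnel line: "name=<tunnel-name> ... tun_id=<ipv4> ..." (tun_id6 is deliberately skipped)
TUN_RE = re.compile(r"name=(\S+).*?\btun_id=(\d+\.\d+\.\d+\.\d+)")


def static_route_gateways(output):
    """Map each gateway IP to the (prefix, tunnel name or None) routes that use it."""
    gateways = {}
    for line in output.splitlines():
        match = ROUTE_GW_RE.match(line.strip())
        if match:
            prefix, tunnel, gateway = match.groups()
            gateways.setdefault(gateway, []).append((prefix, tunnel))
    return gateways


def tunnel_ids(output):
    """Map each IPsec tunnel ID (tun_id) to its tunnel name."""
    matches = (TUN_RE.search(line) for line in output.splitlines())
    return {m.group(2): m.group(1) for m in matches if m}


def check_vip_extip(extip, routing_output, tunnel_output):
    """Return one finding per conflict with extip; an empty list means the VIP is safe to create."""
    findings = []
    for prefix, tunnel in static_route_gateways(routing_output).get(extip, []):
        via = f"tunnel {tunnel}" if tunnel else "gateway"
        findings.append(f"static route {prefix} uses {extip} as {via}")
    name = tunnel_ids(tunnel_output).get(extip)
    if name:
        findings.append(f"IPsec tunnel {name} has tun_id={extip}")
    return findings


if __name__ == "__main__":
    for finding in check_vip_extip("192.168.64.1", ROUTING_TABLE_STATIC, VPN_TUNNEL_LIST):
        print(finding)
```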