FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

When a FortiGate has a tunnel interface configured but the IPsec VPN that created it has already been deleted, the tunnel interface cannot be deleted directly.


This article describes how to delete it.


Error message when deleting the interface (screenshot)


The interface also cannot be deleted directly from the CLI:


FGT # show system interface ipsec-tunnel

config system interface
    edit "ipsec-tunnel"
        set vdom "root"
        set type tunnel
        set snmp-index 27
        set interface "wan1"

FGT # config system interface

FGT (interface) # delete ipsec-tunnel

A tunnel interface cannot be deleted directly.
command_cli_delete:6564 delete table entry ipsec-tunnel unset oper error ret=-160
Command fail. Return code -160

FGT (interface) # end

Scope: FortiGate

The workaround is to create an IPsec phase1-interface VPN with the same name as the orphaned tunnel interface and then delete that VPN; deleting the VPN removes its tunnel interface with it.


FGT # config vpn ipsec phase1-interface

FGT (phase1-interface) # edit ipsec-tunnel

new entry 'ipsec-tunnel' added

FGT (ipsec-tunnel) # set remote-gw

FGT (ipsec-tunnel) # set interface wan1

FGT (ipsec-tunnel) # set psksecret XXXXXXXX

FGT (ipsec-tunnel) # end

FGT # config vpn ipsec phase1-interface

FGT (phase1-interface) # delete ipsec-tunnel

FGT (phase1-interface) # end

FGT # show system interface ipsec-tunnel

entry is not found in table




The phase1-interface VPN must have precisely the same name as the tunnel interface that needs to be removed.
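To find such orphaned tunnel interfaces before touching the CLI, the following added example (not part of the article and not a Fortinet tool) parses a FortiOS configuration backup and lists every `type tunnel` interface that has no `vpn ipsec phase1-interface` entry of the same name. The sample configuration is constructed for the example, and the parser assumes flat `config / edit / set / next / end` blocks without nested sub-blocks.

```python
# Constructed sample (not from the article): "ipsec-tunnel" is an orphaned tunnel
# interface with no phase1-interface entry; "site-b" is a healthy VPN.
SAMPLE_CONFIG = """\
config system interface
    edit "ipsec-tunnel"
        set type tunnel
        set interface "wan1"
    next
    edit "site-b"
        set type tunnel
        set interface "wan1"
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "wan1"
        set remote-gw 203.0.113.10
    next
end
"""

def parse_sections(config_text):
    """Return {section: {entry: {key: value}}} for each config/edit/set/next/end block."""
    sections, section, entry = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return sections

def orphaned_tunnel_interfaces(config_text):
    """Tunnel interfaces lacking a phase1-interface of the same name (the -160 case)."""
    sections = parse_sections(config_text)
    interfaces = sections.get("system interface", {})
    phase1 = sections.get("vpn ipsec phase1-interface", {})
    return sorted(name for name, attrs in interfaces.items()
                  if attrs.get("type") == "tunnel" and name not in phase1)

if __name__ == "__main__":
    print(orphaned_tunnel_interfaces(SAMPLE_CONFIG))  # ['ipsec-tunnel']
```

Each name it reports is a candidate for the recreate-then-delete workaround above; interfaces whose phase1-interface still exists are left out.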


Related Article:

Technical Tip: Unable to delete VPN tunnel even if policy/routes are deleted