FortiGate
jangelis
Staff
Article Id 224717
Description

When the FortiGate is in a state where there is a tunnel interface configured but the VPN itself is already deleted, the tunnel interface cannot be deleted directly.

 

This article describes how to delete it.

 

Screenshot: error message when deleting the interface.

 

This interface also cannot be directly deleted from the CLI:

 

show system interface ipsec-tunnel
config system interface
    edit "ipsec-tunnel"
        set vdom "root"
        set type tunnel
        set snmp-index 27
        set interface "wan1"
    next
end

config system interface
    delete ipsec-tunnel
A tunnel interface cannot be deleted directly.
command_cli_delete:6564 delete table entry ipsec-tunnel unset oper error ret=-160
Command fail. Return code -160
end

Scope

FortiGate.
Solution

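The workaround is to create an IPsec VPN (phase1-interface) with the same name as the leftover tunnel interface and then delete that VPN, which removes the tunnel interface along with it.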

 

config vpn ipsec phase1-interface
    edit ipsec-tunnel
        set remote-gw 192.0.2.1
        set interface wan1
        set psksecret XXXXXXXX
end

config vpn ipsec phase1-interface
    delete ipsec-tunnel
end

show system interface ipsec-tunnel
entry is not found in table

 

Note:

The VPN interface must have precisely the same name as the interface that needs to be removed.

 

If the issue persists, try the following workaround:
Download the FortiGate configuration file, remove the referenced interface using Notepad, and upload the configuration to the FortiGate again.
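
Before editing a downloaded configuration file by hand, it helps to confirm which tunnel interfaces have actually lost their VPN. The following Python script is an added example, not part of the original article or of Fortinet's tooling; it assumes a plain-text backup in the usual config/edit/set/next/end layout, and the function names and the sample backup are constructed for illustration.

```python
import shlex

# Constructed sample backup: "ipsec-tunnel" has no phase1-interface entry.
SAMPLE_BACKUP = '''\
config system interface
    edit "wan1"
        set type physical
    next
    edit "ipsec-tunnel"
        set type tunnel
        set interface "wan1"
    next
    edit "branch-vpn"
        set type tunnel
    next
end
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set remote-gw 192.0.2.1
    next
end
'''

def parse_tables(text):
    """Map each config path to {entry name: {option: value}}."""
    tables, stack = {}, []  # stack frames: [config path, current entry]
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw) or [""]
        except ValueError:  # unbalanced quote, e.g. a multi-line value
            tok = raw.split()
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack and len(tok) > 1:
            stack[-1][1] = tok[1]
            tables.setdefault(stack[-1][0], {}).setdefault(tok[1], {})
        elif tok[0] == "next" and stack:
            stack[-1][1] = None
        elif tok[0] == "set" and len(tok) > 2 and stack and stack[-1][1] is not None:
            tables[stack[-1][0]][stack[-1][1]][tok[1]] = " ".join(tok[2:])
    return tables

def orphaned_tunnel_interfaces(text):
    """Tunnel interfaces lacking a same-named phase1-interface (other owners not checked)."""
    tables = parse_tables(text)
    phase1 = tables.get("vpn ipsec phase1-interface", {})
    return sorted(n for n, o in tables.get("system interface", {}).items()
                  if o.get("type") == "tunnel" and n not in phase1)
```

Calling `orphaned_tunnel_interfaces()` on the text of a backup returns the names to look for; each returned name is also the exact name the temporary VPN in the first workaround must use.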

 

Related article:

Technical Tip: Unable to delete VPN tunnel even if policy/routes are deleted.