FortiGate
jangelis
Staff
Article Id 224717
Description

When the FortiGate is in a state where there is a tunnel interface configured but the VPN itself is already deleted, the tunnel interface cannot be deleted directly.

This article describes how to delete it.

Error message when deleting the interface (screenshot).


This interface also cannot be directly deleted from the CLI:

show system interface ipsec-tunnel
config system interface
    edit "ipsec-tunnel"
        set vdom "root"
        set type tunnel
        set snmp-index 27
        set interface "wan1"
    next
end

config system interface
delete ipsec-tunnel
A tunnel interface cannot be deleted directly.
command_cli_delete:6564 delete table entry ipsec-tunnel unset oper error ret=-160
Command fail. Return code -160
end

Another symptom is that it is not possible to delete a VDOM, from either the CLI or the GUI:

"...OBBPRFW11 (vdom-property) # delete OBBPRAENU_HRSFW
Can not delete a static table entry
Command fail. Return code -61
OBBPRFW11 (vdom-property) # end
OBBPRFW11 (global) # diag sys cmdb refcnt reset system.interface.name ssl.HRSFW
The total reference number is 0.

OBBPRFW11 (global) # diag sys cmdb refcnt reset system.interface.name ssl.OBBPRAEN001
The total reference number is 0.

OBBPRFW11 (global) # diag sys cmdb refcnt reset system.interface.name naf.OBBPRAEN001
The total reference number is 0.

OBBPRFW11 (global) # diag sys cmdb refcnt reset system.interface.name l2t.OBBPRAEN001
The total reference number is 0.

OBBPRFW11 (global) # end
OBBPRFW11 # c v
OBBPRFW11 (vdom) # delete OBBPRAENU_HRSFW
Domain OBBPRAENU_HRSFW: used by interface, can not delete
Command fail. Return code -23
..."

Scope

FortiGate.
Solution

The workaround is to re-create an IPsec VPN (phase1-interface) with the same name as the orphaned tunnel interface and then delete that VPN; deleting the VPN removes the tunnel interface along with it.

config vpn ipsec phase1-interface
    edit ipsec-tunnel
        set remote-gw 192.0.2.1
        set interface wan1
        set psksecret XXXXXXXX
end

config vpn ipsec phase1-interface
    delete ipsec-tunnel
end

show system interface ipsec-tunnel
entry is not found in table

Note:

The VPN must be created with exactly the same name as the tunnel interface that needs to be removed. After that, the tunnel interface and the VDOM can be deleted.

If the issue persists, try the following workaround:

Download the FortiGate configuration file, remove the entry for the orphaned interface with a text editor such as Notepad, and upload (restore) the edited configuration to the FortiGate again.
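Editing the backup by hand is where mistakes happen: the interface entry has to come out of `config system interface` only, and anything that still references the interface name (a static route, a policy) has to be dealt with before the upload. The following script is an added example and is not part of the Fortinet article; it parses a configuration backup, lists tunnel interfaces that have no phase1-interface of the same name (the general case of the situation described above), reports the lines that still reference such an interface, and removes the orphaned entry. The sample configuration is constructed, and the `ssl.` prefix exclusion is an assumption that SSL-VPN interfaces are tunnel-type interfaces without a phase1.

```python
# Constructed sample of a FortiGate configuration backup (not from any real
# device): "ipsec-tunnel" is a leftover tunnel interface whose phase1 is gone,
# "good-vpn" is healthy, and a static route still points at the leftover.
SAMPLE_CONFIG = """\
config system interface
    edit "ipsec-tunnel"
        set type tunnel
        set interface "wan1"
    next
    edit "good-vpn"
        set type tunnel
        set interface "wan1"
    next
end
config vpn ipsec phase1-interface
    edit "good-vpn"
        set remote-gw 198.51.100.5
        set psksecret ENC placeholder
    next
end
config router static
    edit 1
        set device "ipsec-tunnel"
    next
end
"""

# Assumption: SSL-VPN interfaces (ssl.<vdom>) are 'type tunnel' but never have
# a phase1-interface, so they must not be reported as orphans.
BUILTIN_TUNNEL_PREFIXES = ("ssl.",)


def parse_config(text):
    # {section: {entry: {key: value}}} for top-level sections; nested blocks
    # (e.g. 'config ipv6' inside an interface) are skipped but depth is kept.
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
            sections.setdefault(stack[0], {})
        elif line == "end":
            stack.pop()
        elif len(stack) != 1:
            continue                      # contents of a nested block
        elif line.startswith("edit "):
            entry = line[5:].strip().strip('"')
            sections[stack[0]][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            sections[stack[0]][entry][key] = value.strip('"')
    return sections


def find_orphaned_tunnels(sections):
    # Tunnel interfaces with no phase1-interface of the same name.
    interfaces = sections.get("system interface", {})
    phase1 = sections.get("vpn ipsec phase1-interface", {})
    return sorted(name for name, attrs in interfaces.items()
                  if attrs.get("type") == "tunnel"
                  and not name.startswith(BUILTIN_TUNNEL_PREFIXES)
                  and name not in phase1)


def find_references(text, name):
    # (1-based line number, line) of other objects still using the interface,
    # e.g. a route's 'set device'; these must be fixed before restoring.
    quoted = f'"{name}"'
    return [(num, line.strip())
            for num, line in enumerate(text.splitlines(), start=1)
            if quoted in line and not line.strip().startswith("edit ")]


def remove_interface_entry(text, name):
    # Drop the 'edit "<name>" ... next' block from 'config system interface'
    # only; every other section is copied through unchanged.
    out, depth, in_interfaces, skipping = [], 0, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_interfaces = line == "config system interface"
        elif line == "end":
            depth -= 1
        elif (in_interfaces and depth == 1 and line.startswith("edit ")
              and line[5:].strip().strip('"') == name):
            skipping = True
        if skipping:
            if line == "next" and depth == 1:
                skipping = False          # closing 'next' of the entry
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in find_orphaned_tunnels(parse_config(SAMPLE_CONFIG)):
        print(f"orphaned tunnel interface: {name}")
        for num, line in find_references(SAMPLE_CONFIG, name):
            print(f"  line {num} still references it: {line}")
    print(remove_interface_entry(SAMPLE_CONFIG, "ipsec-tunnel"))
```

Run it against a downloaded backup instead of `SAMPLE_CONFIG` and review the reported references before uploading: the script deliberately removes only the interface entry, because a route or policy that points at an interface which no longer exists will not apply cleanly on restore, and deciding what to do with those objects is the operator's call, not the script's.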


Related article:

Technical Tip: Unable to delete VPN tunnel even if policy/routes are deleted.