Hello,
The problem started when I tried to create a new IPsec tunnel using my new internet connection. The tunnel was created as a custom one (at the beginning of the config: Site to Site, hub and spoke, etc.). I entered all the information to create my IPsec tunnel; at the end of the configuration, on clicking OK, an error appeared with "failed" as the message, but when I closed it I saw that a tunnel interface had been created. Now the problem is that I cannot delete it; there is no route and no rule that refers to this interface.
Thank you
Below is the error when I tried to delete the interface using the CLI:
The error message "A tunnel interface cannot be deleted directly" is typically encountered when trying to delete a tunnel interface on a FortiGate firewall. This error occurs because a tunnel interface is a virtual interface that is created as part of a VPN configuration, and it is associated with multiple other configuration elements, such as security policies, routing entries, and other VPN tunnels.
To resolve this issue, you need to follow these steps:
1. Remove any security policies or firewall rules that reference the tunnel interface.
2. Delete any routing entries that are associated with the tunnel interface.
3. Remove any VPN tunnels that use the tunnel interface as an endpoint.
4. Finally, you should be able to delete the tunnel interface.
Note: These steps may vary slightly depending on the version of the FortiGate firmware you are using and the specific VPN configuration you have set up. Before making any changes, it's always a good idea to back up your firewall configuration to avoid any unintended consequences.
This worked for me. I used the IPsec wizard to create the VPN tunnel. It automatically creates a firewall policy which corresponds to the IPsec tunnel being created. In my case:
Thanks @akileshc. Cheers.
As it says, the tunnel interface cannot be deleted. When you delete the phase1-interface, the interface under "config system interface" is deleted at the same time.
However, to be able to delete the phase1-interface "xxx-Backup" you have to remove the dependencies, like a phase2-interface, static routes, etc. To find those out, go to GUI VPN->IPsec Tunnels and look for the "Ref" column at the end. It should show the number of dependencies. When you click the number, a sliding window opens to show them. Those dependencies might have further nested dependencies. You need to repeat the process to get to the bottom and remove them from the bottom up. Then finally you can remove the phase1-interface.
You can do the same via the CLI as well. Just go up to the top of the CLI hierarchy, then run "show | grep -f xxx-Backup", which shows you what is using the phase1-interface/interface name. Then you might need to repeat the process to find the bottom of the dependency chain.
Toshi
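The bottom-up cleanup described in the numbered steps earlier in the thread and in the "show | grep -f" approach above can be scripted against a saved configuration. The following is an added example, not code from the thread or from Fortinet: it parses a small constructed config dump in the `config / edit / set / next / end` shape that `show` prints, lists every object that still refers to a given phase1-interface name, follows nested dependencies, and renders the removal order as CLI blocks. The table names are real FortiGate CLI tables; the object names ("xxx-Backup", "xxx-Backup-p2"), ids and addresses are placeholders.

```python
"""Added example (not from the thread or from Fortinet): chase FortiGate
config references to a phase1-interface so its dependents can be removed
bottom-up before the phase1-interface itself is deleted.

The config below is constructed for illustration; names, ids and
addresses are placeholders. Only the table names are real CLI tables.
"""
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "xxx-Backup"
        set interface "wan1"
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "xxx-Backup-p2"
        set phase1name "xxx-Backup"
    next
end
config router static
    edit 5
        set dst 10.20.0.0 255.255.0.0
        set device "xxx-Backup"
    next
end
config firewall policy
    edit 12
        set srcintf "port1"
        set dstintf "xxx-Backup"
        set srcaddr "all"
        set dstaddr "all"
    next
end
config firewall address
    edit "all"
    next
end
"""


def parse_config(text):
    """Return a list of {'table', 'name', 'attrs'} dicts, one per 'edit' entry."""
    objects = []
    stack = []  # one frame per open 'config' block: [table_path, current_object]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names FortiGate prints
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append([" ".join(tokens[1:]), None])
        elif kw == "edit":
            obj = {"table": stack[-1][0], "name": tokens[1], "attrs": defaultdict(list)}
            stack[-1][1] = obj
            objects.append(obj)
        elif kw == "set":
            # A 'set' inside a nested 'config' block belongs to the nearest open edit.
            owner = next((f[1] for f in reversed(stack) if f[1] is not None), None)
            if owner is not None:
                owner["attrs"][tokens[1]].extend(tokens[2:])
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return objects


def referrers(objects, name):
    """Objects whose 'set' values mention `name`.

    Entries named `name` themselves are skipped: the matching entry under
    'config system interface' goes away with the phase1-interface anyway.
    """
    return [o for o in objects
            if o["name"] != name
            and any(name in values for values in o["attrs"].values())]


def removal_order(objects, name, _seen=None):
    """(table, name) pairs that depend on `name`, deepest dependency first."""
    if _seen is None:
        _seen = set()
    order = []
    for dep in referrers(objects, name):
        key = (dep["table"], dep["name"])
        if key in _seen:
            continue
        _seen.add(key)
        order.extend(removal_order(objects, dep["name"], _seen))  # nested deps first
        order.append(key)
    return order


def deletion_commands(order):
    """Render the bottom-up removal as FortiGate CLI blocks."""
    cmds = []
    for table, name in order:
        ref = name if name.isdigit() else f'"{name}"'
        cmds += [f"config {table}", f"    delete {ref}", "end"]
    return cmds


if __name__ == "__main__":
    objs = parse_config(SAMPLE_CONFIG)
    for dep in referrers(objs, "xxx-Backup"):
        print(f"{dep['table']} {dep['name']} -> {dict(dep['attrs'])}")
    print("\n".join(deletion_commands(removal_order(objs, "xxx-Backup"))))
```

Run it against the output of `show` saved from the CLI and the printed blocks give the same order the GUI "Ref" drill-down would: the phase2-interface, the static route and the policy are listed before the phase1-interface itself can be deleted. Review the generated blocks before pasting them, since the matcher compares raw values and a numeric id such as a route sequence number can collide with an unrelated value.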
Hi,
When the FortiGate is in a state where a tunnel interface is configured but the VPN itself has already been deleted, the tunnel interface cannot be deleted directly.
For this, you have to create an IPsec interface and then delete this VPN.
FGT # config vpn ipsec phase1-interface
FGT (phase1-interface) # edit ipsec-tunnel
new entry 'ipsec-tunnel' added
FGT (ipsec-tunnel) # set remote-gw x.x.x.x
FGT (ipsec-tunnel) # set interface wan1
FGT (ipsec-tunnel) # set psksecret XXXXXXXX
FGT (ipsec-tunnel) # end
FGT # config vpn ipsec phase1-interface
FGT (phase1-interface) # delete ipsec-tunnel
FGT (phase1-interface) # end
FGT # show system interface ipsec-tunnel
entry is not found in table
Please do follow the below articles for the same:
> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-delete-a-tunnel-interface/ta-p/2...
> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-delete-VPN-tunnel-even-if-policy...
Regards,
Durga A
Copyright 2024 Fortinet, Inc. All Rights Reserved.