Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cannot delete IpSec tunnel interface

Hello,


The problem started when I tried to create a new IPsec tunnel using my new internet connection. The tunnel was being created as a custom one (at the beginning of the config: site to site, hub and spoke, etc.). I entered all the information to create my IPsec tunnel; at the end of the configuration, when I clicked OK, an error appeared with "failed" as the message. But when I closed it, I saw that a tunnel interface had been created. Now the problem is that I cannot delete it; there is no route and no rule that refers to this interface.



Thank you 

Below is the error when I tried to delete the interface using the CLI:




The error message "A tunnel interface cannot be deleted directly" is typically encountered when trying to delete a tunnel interface on a FortiGate firewall. This error occurs because a tunnel interface is a virtual interface that is created as part of a VPN configuration, and it is associated with multiple other configuration elements, such as security policies, routing entries, and other VPN tunnels.


To resolve this issue, you need to follow these steps:
1. Remove any security policies or firewall rules that reference the tunnel interface.
2. Delete any routing entries that are associated with the tunnel interface.
3. Remove any VPN tunnels that use the tunnel interface as an endpoint.
4. Finally, you should be able to delete the tunnel interface.


Note: These steps may vary slightly depending on the version of the FortiGate firmware you are using and the specific VPN configuration you have set up. Before making any changes, it's always a good idea to back up your firewall configuration to avoid any unintended consequences.




This worked for me. I used the IPsec wizard to create the VPN tunnel. It automatically creates a firewall policy which corresponds to the IPsec tunnel being created. In my case:

  1. I just had to delete the policy created by the wizard,
  2. and finally delete the IPsec tunnel.

Thanks @akileshc. Cheers.




As it says, the tunnel interface cannot be deleted. When you delete the phase1-interface, the interface under "config system interface" is deleted at the same time.


However, to be able to delete the phase1-interface "xxx-Backup" you have to remove its dependencies, like a phase2-interface, static routes, etc. To find them, go to GUI VPN->IPsec Tunnels and look for the "Ref" column at the end. It shows the number of dependencies. When you click the number, a sliding window opens to show them. Those dependencies might have further nested dependencies; you need to repeat the process to get to the bottom and remove them from the bottom up. Then finally you can remove the phase1-interface.


You can do the same via the CLI as well. Just go up to the top of the CLI hierarchy, then run "show | grep -f xxx-Backup", which shows you what is using the phase1-interface/interface name. Then you might need to repeat the process to find the bottom of the dependency chain.





When the FortiGate is in a state where a tunnel interface is configured but the VPN itself has already been deleted, the tunnel interface cannot be deleted directly.

To do this, you have to create an IPsec interface and then delete this VPN:

FGT # config vpn ipsec phase1-interface
FGT (phase1-interface) # edit ipsec-tunnel
new entry 'ipsec-tunnel' added
FGT (ipsec-tunnel) # set remote-gw x.x.x.x
FGT (ipsec-tunnel) # set interface wan1
FGT (ipsec-tunnel) # set psksecret XXXXXXXX
FGT (ipsec-tunnel) # end
FGT # config vpn ipsec phase1-interface
FGT (phase1-interface) # delete ipsec-tunnel
FGT (phase1-interface) # end
FGT # show system interface ipsec-tunnel
entry is not found in table

Please follow the articles below for the same:

Durga A
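As an added example (not code from this thread or from Fortinet), the following Python script automates the two checks the replies above describe: it reads a FortiOS-style configuration backup, reports tunnel interfaces that no longer have a matching phase1-interface (the orphaned state from the original post), and walks the reference chain for a phase1/interface name (phase2-interface, static routes, zones, and the policies that reference those zones) so the dependents can be listed deepest-first and removed bottom-up before the phase1-interface itself. The parser, the table names it checks and SAMPLE_CONFIG are assumptions about the usual "config / edit / set / next / end" layout; the sample config, addresses and object names are constructed for this example and are not from a real device.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample config (assumption, not from the thread): "ipsec-tunnel" is an
# orphaned tunnel interface with no phase1, "xxx-Backup" is a live VPN whose
# dependencies nest (zone -> policy). 203.0.113.10 is a documentation address.
SAMPLE_CONFIG = """
config system interface
    edit "ipsec-tunnel"
        set type tunnel
        set interface "wan1"
    next
    edit "xxx-Backup"
        set type tunnel
        set interface "wan1"
    next
end
config vpn ipsec phase1-interface
    edit "xxx-Backup"
        set interface "wan1"
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "xxx-Backup-p2"
        set phase1name "xxx-Backup"
    next
end
config system zone
    edit "VPN-Zone"
        set interface "xxx-Backup"
    next
end
config router static
    edit 5
        set device "xxx-Backup"
    next
end
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "VPN-Zone"
    next
end
"""


@dataclass
class Entry:
    table: str                                     # e.g. "vpn ipsec phase1-interface"
    name: str                                      # the value after "edit"
    settings: dict = field(default_factory=dict)   # setting -> list of values


def parse_fortios_config(text):
    """Flatten a config into Entry objects; 'config' blocks nested inside an 'edit' are merged into it."""
    entries, tables, open_entries = [], [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw)                  # handles the double-quoted names
        if not tokens or tokens[0].startswith("#"):
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            tables.append(" ".join(args))
        elif kw == "edit":
            open_entries.append(Entry(table=tables[0], name=args[0]))  # tables[0]: top-level table
            entries.append(open_entries[-1])
        elif kw in ("set", "append") and open_entries:
            open_entries[-1].settings.setdefault(args[0], []).extend(args[1:])
        elif kw == "next":
            open_entries.pop()
        elif kw == "end":
            tables.pop()
    return entries


def orphaned_tunnel_interfaces(entries):
    """Tunnel interfaces with no matching phase1-interface: the state the original post describes."""
    phase1 = {e.name for e in entries if e.table == "vpn ipsec phase1-interface"}
    return [e.name for e in entries
            if e.table == "system interface" and e.settings.get("type") == ["tunnel"]
            and not e.name.startswith("ssl.")      # the built-in SSL-VPN tunnel never has a phase1
            and e.name not in phase1]


def references_to(entries, target):
    """Entries that name `target` in any setting value (phase2, static route, zone, policy ...)."""
    return [e for e in entries
            if not (e.table == "system interface" and e.name == target)   # skip the interface itself
            and any(target in values for values in e.settings.values())]


def deletion_order(entries, target):
    """Dependents of `target`, deepest first: the order to remove them before deleting the phase1."""
    chain, seen = [], set()

    def walk(name):
        for e in references_to(entries, name):
            if (e.table, e.name) in seen:
                continue
            seen.add((e.table, e.name))
            chain.append(e)
            if not e.name.isdigit():               # numeric ids (policies, routes) are not referenced by name
                walk(e.name)

    walk(target)
    return list(reversed(chain))


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print("orphaned tunnel interfaces:", orphaned_tunnel_interfaces(cfg))
    for e in deletion_order(cfg, "xxx-Backup"):
        print(f"delete first: config {e.table} / edit {e.name}")
```

Run it against the text of "show full-configuration" (or a backed-up config file) instead of SAMPLE_CONFIG and the deletion list is the same bottom-up order the "Ref" column walk produces; an orphaned name in the first list is a candidate for the recreate-then-delete step shown above.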
