Dear All
Good afternoon
I am requesting your help with removing a phase1 ipsec vpn from the secondary HA. After generating an Ipsec VPN for some tests, I proceeded to eliminate it and a few days later the HA was not synchronized. When I checked the config, I realized that the secondary Fortigate was added to the configuration of phase 1 of the VPN and the interface. the VPN, but with 1 reference object. When trying to delete it gives me various errors, it does not have routes or rules (it already checks both configurations). The temporary solution was to add these settings to the primary Fortigate and it was synchronized again, but when you delete it, it is not removed from the secondary and it is desynchronized again.
I tried to force the synchronization at the time and it didn't work, the commands could only be added to the primary
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can just delete it from the secondary unit. Kindly execute the following commands:
-------------
exec ha manage 0/1 [username] <-- It will either be 0 or 1 depending on the HA cluster.
config vpn ipsec phase1-interface
delete [phase 1 name]
end
-------------
If you get an error, please share it here.
Hello, in this way I have tried to delete the created phase 1, according to the documentation found on the internet.
The error it throws is:
This phase1-interface is currently used
command_cli_delete:6826 delete table entry to_alabarca unset oper error ret=-23
Command fail. Return code -23
Hi @pollognr911,
It could be used in firewall policies, static routes, etc. Please check and remove those first. You can run "show full | grep to_alabarca -f".
Regards,
Dear, thank you very much for your comment. It was solved by downloading the backup of the correct firewall and changing the name of the firewall with the problem. After loading it, it synchronized. It had to be done manually connected via console.
Based on your description, something on the secondary unit's memory is preventing the HA process from removing the IPsec config on the secondary when you removed the phase1 at the primary. This mostlikely can be resolved when you reboot the secondary unit.
Just shut down the secondary unit's in/out interfaces on the switch side to make sure it wouldn't affect to the operation then execute a reboot. It would come back and likely remove the IPsec config, which doesn't exist on the primary, automatically and get back in sync.
Don't forget to normalize those in/out interfaces again once it's done.
Toshi
Dear, thank you very much for your comment.
It was solved by downloading the backup of the correct firewall and changing the name of the firewall with the problem. After loading it, it synchronized. It had to be done manually connected via console.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.