IPsec phase-1 vpn removal in secondary HA
Dear All
Good afternoon
I am requesting your help with removing a phase 1 IPsec VPN from the secondary HA unit. After creating an IPsec VPN for some tests, I proceeded to delete it, and a few days later the HA was not synchronized. When I checked the config, I realized that the phase 1 configuration of the VPN and the VPN interface were still present on the secondary FortiGate, but with 1 object referencing it. When trying to delete it, it gives me various errors; it has no routes or rules (I already checked both configurations). The temporary solution was to add these settings to the primary FortiGate, and it synchronized again, but when you delete them, they are not removed from the secondary and it desynchronizes again.
I tried to force the synchronization at the time and it didn't work; the commands could only be applied on the primary.
You can just delete it from the secondary unit. Kindly execute the following commands:
-------------
exec ha manage 0/1 [username] <-- It will either be 0 or 1 depending on the HA cluster.
config vpn ipsec phase1-interface
delete [phase 1 name]
end
-------------
If you get an error, please share it here.
Hello, I have already tried deleting the created phase 1 this way, following documentation found on the internet.
The error it throws is:
This phase1-interface is currently used
command_cli_delete:6826 delete table entry to_alabarca unset oper error ret=-23
Command fail. Return code -23
Hi @pollognr911,
It could be used in firewall policies, static routes, etc. Please check and remove those first. You can run "show full | grep to_alabarca -f".
Regards,
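The reply above says to look for references in firewall policies, static routes and similar objects before deleting the phase1, and the earlier delete attempt in this thread failed with "This phase1-interface is currently used". As an added example that is not from this thread and not Fortinet's own tooling, the Python script below does offline, against a downloaded config backup, what `show full-configuration | grep <name> -f` does on the box: it walks the config scopes and reports the full path of every `set` line that names the phase1, so you know exactly which object to remove first. The sample configuration embedded in it is constructed for this example (every name other than to_alabarca, the addresses and the policy/route IDs are made up). Beyond the tables named in the reply it also checks `vpn ipsec phase2-interface` entries, which reference a phase1 through `set phase1name`, and `system zone` membership, since both count as uses.

```python
"""Find every place a FortiOS configuration references a phase1-interface name.

Offline equivalent of `show full-configuration | grep <name> -f`, but it prints
the config path (table / edit entry) of each hit instead of raw context lines.
"""
import re
from dataclasses import dataclass

# Constructed sample of a FortiOS config dump (not taken from the forum thread):
# a phase1 named to_alabarca plus the objects that commonly keep it "in use".
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to_alabarca"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret ENC XXXX
    next
end
config vpn ipsec phase2-interface
    edit "to_alabarca_p2"
        set phase1name "to_alabarca"
    next
end
config system interface
    edit "to_alabarca"
        set type tunnel
        set interface "wan1"
    next
end
config system zone
    edit "vpn_zone"
        set interface "to_alabarca" "to_other"
    next
end
config router static
    edit 5
        set dst 10.20.0.0 255.255.0.0
        set device "to_alabarca"
    next
end
config firewall policy
    edit 7
        set srcintf "internal"
        set dstintf "to_alabarca"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""


@dataclass(frozen=True)
class Reference:
    path: str   # e.g. "firewall policy / edit 7"
    line: str   # the 'set ...' line that names the object


def _tokens(line: str) -> list[str]:
    """Split a config line into tokens, stripping the quotes around values."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def find_references(config_text: str, name: str) -> list[Reference]:
    """Return every `set`/`append` line, anywhere in the config, whose values name `name`.

    `edit "<name>"` lines are definitions, not references, so they are skipped;
    that is why the phase1 itself and its auto-created tunnel interface entry
    under `config system interface` do not show up as hits.
    """
    refs: list[Reference] = []
    path: list[str] = []   # stack of the enclosing "config ..." / "edit ..." scopes
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        toks = _tokens(line)
        kw = toks[0]
        if kw == "config":
            path.append(" ".join(toks[1:]))
        elif kw == "edit":
            path.append("edit " + " ".join(toks[1:]))
        elif kw in ("next", "end"):
            if path:
                path.pop()
        elif kw in ("set", "append") and name in toks[2:]:
            refs.append(Reference(" / ".join(path), line))
    return refs


def blocking_tables(refs: list[Reference]) -> list[str]:
    """Distinct config tables holding a reference, in first-seen order."""
    seen: list[str] = []
    for r in refs:
        table = r.path.split(" / ")[0]
        if table not in seen:
            seen.append(table)
    return seen


if __name__ == "__main__":
    hits = find_references(SAMPLE_CONFIG, "to_alabarca")
    for h in hits:
        print(f"{h.path}: {h.line}")
    print("clean these tables before deleting the phase1:", blocking_tables(hits))
```

Run it against a real backup by reading the file into `find_references` in place of `SAMPLE_CONFIG`; on the constructed sample it reports the phase2 entry, the zone, the static route and the policy, and an empty result means the only remaining holder is the unit's own in-memory state rather than configuration.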
Dear, thank you very much for your comment. It was solved by downloading the backup of the correct firewall and changing the name of the firewall with the problem. After loading it, it synchronized. It had to be done manually, connected via console.
Based on your description, something in the secondary unit's memory is preventing the HA process from removing the IPsec config on the secondary when you removed the phase1 on the primary. This most likely can be resolved by rebooting the secondary unit.
Just shut down the secondary unit's in/out interfaces on the switch side to make sure it won't affect the operation, then execute a reboot. It would come back, likely remove the IPsec config that doesn't exist on the primary automatically, and get back in sync.
Don't forget to normalize those in/out interfaces again once it's done.
Toshi