Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pollognr911
New Contributor

IPsec phase-1 vpn removal in secondary HA

Dear All

Good afternoon

 

I am requesting your help with removing a phase1 ipsec vpn from the secondary HA. After generating an Ipsec VPN for some tests, I proceeded to eliminate it and a few days later the HA was not synchronized. When I checked the config, I realized that the secondary Fortigate was added to the configuration of phase 1 of the VPN and the interface. the VPN, but with 1 reference object. When trying to delete it gives me various errors, it does not have routes or rules (it already checks both configurations). The temporary solution was to add these settings to the primary Fortigate and it was synchronized again, but when you delete it, it is not removed from the secondary and it is desynchronized again.

 

I tried to force the synchronization at the time and it didn't work, the commands could only be added to the primary

6 REPLIES 6
johnathan
Staff
Staff

You can just delete it from the secondary unit. Kindly execute the following commands:
-------------
exec ha manage 0/1 [username] <-- It will either be 0 or 1 depending on the HA cluster.
config vpn ipsec phase1-interface
delete [phase 1 name]

end

-------------

If you get an error, please share it here.

"Never trust a computer you can't throw out a window."
pollognr911

Hello, in this way I have tried to delete the created phase 1, according to the documentation found on the internet.

The error it throws is:

This phase1-interface is currently used

command_cli_delete:6826 delete table entry to_alabarca unset oper error ret=-23

Command fail. Return code -23

hbac

Hi @pollognr911,

 

It could be used in firewall policies, static routes, etc. Please check and remove those first. You can run "show full | grep to_alabarca -f". 

 

Regards, 

pollognr911

Dear, thank you very much for your comment. It was solved by downloading the backup of the correct firewall and changing the name of the firewall with the problem. After loading it, it synchronized. It had to be done manually connected via console.

Toshi_Esumi
SuperUser
SuperUser

Based on your description, something on the secondary unit's memory is preventing the HA process from removing the IPsec config on the secondary when you removed the phase1 at the primary. This mostlikely can be resolved when you reboot the secondary unit.
Just shut down the secondary unit's in/out interfaces on the switch side to make sure it wouldn't affect to the operation then execute a reboot. It would come back and likely remove the IPsec config, which doesn't exist on the primary, automatically and get back in sync.
Don't forget to normalize those in/out interfaces again once it's done.

Toshi

pollognr911

Dear, thank you very much for your comment.

It was solved by downloading the backup of the correct firewall and changing the name of the firewall with the problem. After loading it, it synchronized. It had to be done manually connected via console.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors