Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Interface/Vlan/Vdom Removing Problem

hello experts

i have a serious problem with removing an aggregated interface in an almost empty VDOM.

recently i take a backup  from a VDOM in a fortigate 600c 5.2.8 and restore it on a fortigate600d 5.2.8 and it runs in a company with strict SLA so i can't reboot it even!

in this VDOM only there are 2 elements.

one: an aggregated interface named "port-agg"

two: an interface vlan that is assigned to the aggregation interface, named "Vlan-400".

there are no reference to the Vlan-400, but in GUI it shows number 1 in the references column! but when i click on it ... there is nothing !

i restored a default factory backup to that VDOM, but the interfaces still are remained.

the command "diagnose sys checkused" does not give a proper information.

is this a serious BUG in fortigate or it has a plain solution?

can i force the fortigate to remove that VDOM whitout removing those fake references?



Contributor III

download a backup of the config and open it in a text editor. Search for the name of the interface in question and you should see it somewhere else in the config. It's possible that it's being referenced by something that is CLI only, so you may need to change whatever it is from there.




You can use this command to see what the references are:


diagnose sys checkused [ interface name ]

Valued Contributor II

A page that gives examples of using the diag sys checkused command is: 

New Contributor

wrong answers

please first read the question carefully and then reply!


You said the GUI was not showing what the references are, so I suggested checking from the CLI.

Valued Contributor II



If you want help with this you will need to be more specific.


1. I hope you realize that copying a config from one device (600C) to another device (600D) with different hardware is unsupported by Fortinet and can can leave you with unusable configs?   Even if you follow some of the instructions for moving configs over ( you still may end up with a mess.


2. Have you searched through a text copy of the config for references to the interface Vlan-400?  What did you find?


3. You said "the command 'diagnose sys checkused' does not give a proper information" but you didn't say how you ran the command or what the output was.

New Contributor


Dear tanr

1. about your first hint, yes i did a mistake and i didn't know about that. now i want to fix it.

2. i searched on my new text file that is running on the new 600D with ctrl+f, and thats just what i see right now:

edit "Vlan-400"

     set vdom "something"

     set status down

     set snmp-index 64

     set interface "port-agg"

     set vlanid 400


3. here is the outputs:

(global) # Diagnose sys checkused port-agg

entry used by table system.interface:name 'Vlan-400'


(global) # Diagnose sys checkused Vlan-400


(global) #config system interface

(interface) # delete Vlan-400

The entry is used by other 1 entries

Command fail. Return code -23


P.S the reference of port-agg, is Vlan-400 that its not the issue now, because i should delete the Vlan-400 first.

thanks for your help

Valued Contributor II

A few things to check - anybody else who's more familiar with this feel free to comment!


Some references:


If it's possible to reboot the new firewall (wasn't sure if you meant you weren't allowed to reboot the 600C or the 600D), hook up a laptop to the console, then reboot the FGT while hooked up and see if any errors show in the config.


If you can't reboot it, at least run the following command and see if it recorded any errors:


      diagnose debug config-error-log read


Just to confirm, your admin session isn't on the Vlan-400 interface, correct?    

And the "something" vdom is not your management vdom?


If you search your config file, do you have any other objects with the same name as any of the problematic objects, like port-agg?  Duplicate names can cause some odd problems.


In case it isn't showing up correctly in the dependencies, make sure you've checked the other common references like dns server, dhcp, ntp on the interface, zone, SSID, virtual switches, etc.


Try to look at references another way around by checking to your "something" vdom with:


      diag sys checkused something


Also, have you tried changing the Vlan-400 vdom to root (or some other vlan) prior to attempting to delete it?  

Similarly, have you tried changing to port-agg to another vdom beforehand?


And that's about all I can suggest to try before opening a support ticket with Fortinet.


Good luck!

Valued Contributor

Were you able to find the answer to your issue?

Mike Pruett Fortinet GURU | Fortinet Training Videos

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors