Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

VIP issues - firewall/vipgrp/<name>/ : empty member is not allowed


I'm having a lot of issues regarding VIP / VIP groups lately. It all started after we have connected 1500D 6.2.X FGT to the FMG, for some reason, all VIPs (static) from Fortigate were converted to "dynamic" version and only few zones were imported, without all the other vlans (why? other adoms usually don't have any issues with importing all interfaces/vlans/emacs/zones). So I have manually mapped approx 500 vlans in ADOM database and I had to manually fix all VIPs (from dynamic to static, with extinf parametr > before it was set as zone, not vlan). Now I'm fighting with another issue... I'm not allowed to create new VIPgrp from imported VIPs (1:1 FGT configuration). I'm always getting error "empty member is not allowed".


Example config:

edit "SecretVIP1" set extip set extintf "V666-Hell" set mappedip "" next


edit "SecretVIP2" set extip set extintf "V666-Hell" set mappedip "" next


edit "VerySecretVIPgroup"  set interface "V666-Hell" set member "SecretVIP1" "SecretVIP2" next



I'm losing my mind here, am I doing something wrong? Please help:D


Thanks in advance! :)



 01001000 01001001 

&#x1f3c4; 01001000 01001001 &#x1f3c4;

I know this doesn't help your situation and too late when you already have mulitple VIPs created by FMG. But we recently encountered a similar issue when I created a VIP and added it to a policy package. I still don't know the exact mechanism inside the FMG to handle a VIP with multiple FGT devices (or even with a single one) with a PP.

But when I created a VIP and a policy addition to a PP with two separate CLI scripts, it tried to map VIP per device dynamically despite my intention, changing VIP per location when install although this would cause the other locations to go out-of-sync. It was temporary to each so out-of-sync was acceptable.

What I did to fix the issue was 1) wiping out what previously created, VIP and policy. then 2) create one CLI script to create a VIP and a referencing policy so that the FMG doesn't set up mapping mechanism.


This solution was provided by TAC when I opened a ticket. So I recommend you do the same and get help from TAC. You might need to escalate the ticket to get the answer you want though if it doesn't go anywhere with the L1 tech.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors