topic Unable to remove a VTI interface from the firewall in Firewall and Security Management

Unable to remove a VTI interface from the firewall

Sky — Wed, 21 Apr 2021 17:47:14 GMT

Hi All,

I am currently facing an issue when trying to remove a vpn tunnel (VTI) used for a route based vpn.

The infrastructure is based on a R80.30 cluster and I was able to remove this VTI on the standby node.

The only difference between the 2 nodes is related to how the static routes were tested on the active node during the S2S VPN route based setup:

set static-route NETWORK nexthop gateway logical vpntX on

The message I get when trying to remove it as below:

delete vpn tunnel X

"VpntErr0005 There is a static or default route by name for interface vpntX"

I have tried putting the static route back with nexthop address, disable the route, disable the interface, but

NOTHING SEEMS TO WORK!!!

Stuck on this and really would appreciate any idea. Maybe a way to remove this interface from the expert mode?!?!

Regards

Re: Unable to remove a VTI interface from the firewall

Bob_Zimmerman — Thu, 22 Apr 2021 13:26:18 GMT

You mention disabling the route, but did you delete it?

set static-route NETWORK nexthop gateway logical vpntX off

Re: Unable to remove a VTI interface from the firewall

Sky — Thu, 22 Apr 2021 13:34:11 GMT

I think that deleting a route is possible by switching off that static route "off" CLI command in the end, am I wrong?

Trying any delete CLI command:
> delete static-route
CLINFR0329 Invalid command:' delete static-route '

> delete route
CLINFR0329 Invalid command:' delete route '.

Not able to find any other command.

Can you please help me with the appropriate command?

Re: Unable to remove a VTI interface from the firewall

Bob_Zimmerman — Thu, 22 Apr 2021 15:44:51 GMT

Setting the route to 'off' deletes it. Anything else leaves it in the config, still referencing the VTI.

set static-route NETWORK nexthop gateway logical vpntX off

You should also look for any other routes referencing that VTI and remove them.

Re: Unable to remove a VTI interface from the firewall

Sky — Thu, 22 Apr 2021 19:11:32 GMT

That is the problem it seems I do not have any other configuration related to that interface except of:

add vpn tunnel X type numbered local 1.2.3.4 remote 1.2.3.5 peer SOMEONE

set interface vpntX comments "SOMEONE"
set interface vpntX state off
set interface vpntX mtu 1500

As I stated previously the only thing that I have done differently in this occasion is testing the route by using not an address but the actual logical interface, then I changed to referring address:

So from -> set static-route NETWORK nexthop gateway logical vpntX on

To -> set static-route NETWORK nexthop gateway address 1.2.3.4 priority 1 on

I have deleted the routes related to this IP/interface.

Some other thing I have noticed, if I put back the static route like I did the test in the beginning:

set static-route NETWORK nexthop gateway logical vpntX on

and try to delete the interface by :

delete vpn tunnel X

I get the below messages:

This interface is used by the Dynamic Routing Protocols:
This interface is used by the Dynamic Routing Protocols:
Please remove this configuration before deleting the vpn tunnel interface
VpntErr0005 Dynamic Routing Protocols present on VPNT

If the behavior would be "normal", I would be able to delete the interface by just doing:

delete vpn tunnel X

This seems not the case and I'm not able to find a solution to this. I have found some similar situation described by someone some time ago:

https://community.checkpoint.com/t5/Security-Gateways/Can-t-delete-interfaces-This-interface-is-used-by-the-Dynamic/td-p/13853

Maybe this information ring a bell 😊

Thank you for the support so far.

Re: Unable to remove a VTI interface from the firewall

dphonovation — Fri, 07 Oct 2022 23:35:28 GMT

Experiencing this on 81.10 as well

Re: Unable to remove a VTI interface from the firewall

Ilya_Yusupov — Tue, 11 Oct 2022 05:35:43 GMT

Hi @Sky,

Can you please share show configurations of your static routes and show route?

looks like you have some route that leading through this VTI.

Thanks,

Ilya

Re: Unable to remove a VTI interface from the firewall

Sky — Thu, 13 Oct 2022 07:16:12 GMT

Hello @dphonovation,

If I remember correctly, what made it work was a reboot.

Re: Unable to remove a VTI interface from the firewall

spottex — Thu, 19 Oct 2023 22:43:19 GMT

Hi I had this issue yesterday and needed to Google fast as I was in the middle of a change window. This thread was a top result and seemed to have the closest info so thought I would update how I actually got it sorted for others in the future.

The route error message is from the directly connected interface I believe and throws us a bit.

Via the web portal I disabled the interfaces by unchecking the enable check box when editing the VTI interface on each cluster node.

Then in smart console > Gateway cluster properties > Network Management > Get interfaces 'without' topology... the view refreshed without the vti interface. Pushed policy and all sorted.

You could possibly have disable the interface via cli somehow with 'off' maybe - but did not try. Possibly someone did in this thread.

Re: Unable to remove a VTI interface from the firewall

esskr — Thu, 14 Mar 2024 11:41:23 GMT

Thanks, had the same issue. But above from spottex solved it.