Sky
Participant

Unable to remove a VTI interface from the firewall

Hi All,

I am currently facing an issue when trying to remove a vpn tunnel (VTI) used for a route based vpn.

The infrastructure is based on a R80.30 cluster and I was able to remove this VTI on the standby node.

The only difference between the 2 nodes is related to how the static routes were tested on the active node during the S2S VPN route based setup:

 

set static-route NETWORK nexthop gateway logical vpntX on

 

The message I get when trying to remove it as below:

delete vpn tunnel X

"VpntErr0005 There is a static or default route by name for interface vpntX"

 

I have tried putting the static route back with a nexthop address, disabling the route, and disabling the interface, but

NOTHING SEEMS TO WORK!!!

 

Stuck on this and really would appreciate any idea. Maybe there is a way to remove this interface from expert mode?!?!

 

Regards

Bob_Zimmerman
Advisor

You mention disabling the route, but did you delete it?

set static-route NETWORK nexthop gateway logical vpntX off

 

Sky
Participant

I think that deleting a route is possible by switching off that static route with the "off" CLI command in the end, am I wrong?

Trying any delete CLI command:
> delete static-route
CLINFR0329 Invalid command:' delete static-route '

> delete route
CLINFR0329 Invalid command:' delete route '.

Not able to find any other command.

Can you please help me with the appropriate command?

Bob_Zimmerman
Advisor

Setting the route to 'off' deletes it. Anything else leaves it in the config, still referencing the VTI.

set static-route NETWORK nexthop gateway logical vpntX off

You should also look for any other routes referencing that VTI and remove them.

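As an added helper (not from this thread, and not Check Point tooling), the check Bob describes can be scripted: scan saved `show configuration` output for every line that names the VTI, and turn each `nexthop gateway logical vpntX ... on` static route into its `off` form so nothing is left referencing the interface before `delete vpn tunnel`. The config lines below are constructed sample input; the VTI name `vpnt1` and the networks are assumptions.

```shell
#!/bin/sh
# Constructed sample of Gaia clish "show configuration" output (not from the thread).
# It deliberately includes vpnt10 and eth1 routes that must NOT be touched.
SAMPLE_CONFIG='add vpn tunnel 1 type numbered local 1.2.3.4 remote 1.2.3.5 peer SOMEONE
set interface vpnt1 comments "SOMEONE"
set interface vpnt1 state off
set interface vpnt1 mtu 1500
set static-route 10.10.0.0/16 nexthop gateway logical vpnt1 on
set static-route 10.20.0.0/16 nexthop gateway address 1.2.3.4 priority 1 on
set static-route 10.30.0.0/16 nexthop gateway logical vpnt10 on
set static-route 10.40.0.0/16 nexthop gateway logical eth1 on'

# vti_refs VTI CONFIG
# Print every config line that references the VTI by its exact name.
# The word-boundary pattern keeps "vpnt1" from matching "vpnt10".
vti_refs() {
    printf '%s\n' "$2" | grep -E "(^|[^A-Za-z0-9_])$1([^A-Za-z0-9_]|$)"
}

# vti_route_removals VTI CONFIG
# For each static route whose nexthop is the VTI's logical interface, emit the
# clish command that deletes it: the same line with the trailing "on" set to "off".
# Fields: set static-route NETWORK nexthop gateway logical VTI [priority N] on
vti_route_removals() {
    vti_refs "$1" "$2" | awk -v vti="$1" \
        '$1 == "set" && $2 == "static-route" && $6 == "logical" && $7 == vti && $NF == "on" {
            $NF = "off"; print
        }'
}

# Stand-alone usage: show what still references vpnt1, then the removal commands.
echo "== lines referencing vpnt1 =="
vti_refs vpnt1 "$SAMPLE_CONFIG"
echo "== static-route removal commands =="
vti_route_removals vpnt1 "$SAMPLE_CONFIG"
```

Interface settings such as `set interface vpntX mtu` are listed but not rewritten, since those are removed together with the tunnel rather than by a separate command.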
Sky
Participant

That is the problem; it seems I do not have any other configuration related to that interface except for:

add vpn tunnel X type numbered local 1.2.3.4 remote 1.2.3.5 peer SOMEONE

set interface vpntX comments "SOMEONE"
set interface vpntX state off
set interface vpntX mtu 1500

As I stated previously, the only thing that I have done differently on this occasion is testing the route by using not an address but the actual logical interface; then I changed it to reference the address:

So from -> set static-route NETWORK nexthop gateway logical vpntX on

To -> set static-route NETWORK nexthop gateway address 1.2.3.4 priority 1 on

I have deleted the routes related to this IP/interface.

Something else I have noticed: if I put the static route back like I did in the test at the beginning:

set static-route NETWORK nexthop gateway logical vpntX on

and try to delete the interface by:

delete vpn tunnel X

I get the below messages:

This interface is used by the Dynamic Routing Protocols:
This interface is used by the Dynamic Routing Protocols:
Please remove this configuration before deleting the vpn tunnel interface
VpntErr0005 Dynamic Routing Protocols present on VPNT

If the behavior were "normal", I would be able to delete the interface by just doing:

delete vpn tunnel X

This seems not to be the case and I'm not able to find a solution to this. I have found a similar situation described by someone some time ago:

https://community.checkpoint.com/t5/Security-Gateways/Can-t-delete-interfaces-This-interface-is-used...

Maybe this information rings a bell 😊

Thank you for the support so far.
