Sky
Participant

Unable to remove a VTI interface from the firewall

Hi All,

I am currently facing an issue when trying to remove a VPN tunnel (VTI) used for a route-based VPN.

The infrastructure is based on an R80.30 cluster, and I was able to remove this VTI on the standby node.

The only difference between the 2 nodes is related to how the static routes were tested on the active node during the route-based S2S VPN setup:


set static-route NETWORK nexthop gateway logical vpntX on


The message I get when trying to remove it is below:

delete vpn tunnel X

"VpntErr0005 There is a static or default route by name for interface vpntX"


I have tried putting the static route back with a nexthop address, disabling the route, and disabling the interface, but NOTHING SEEMS TO WORK!!!


Stuck on this and really would appreciate any ideas. Maybe a way to remove this interface from expert mode?!?!


Regards

Bob_Zimmerman
Authority

You mention disabling the route, but did you delete it?

set static-route NETWORK nexthop gateway logical vpntX off


Sky
Participant

I think that deleting a route is possible by switching that static route off with the "off" CLI command in the end, am I wrong?

Trying any delete CLI command:
> delete static-route
CLINFR0329 Invalid command:' delete static-route '

> delete route
CLINFR0329 Invalid command:' delete route '.

Not able to find any other command.

Can you please help me with the appropriate command?

Bob_Zimmerman
Authority

Setting the route to 'off' deletes it. Anything else leaves it in the config, still referencing the VTI.

set static-route NETWORK nexthop gateway logical vpntX off

You should also look for any other routes referencing that VTI and remove them.

Sky
Participant

That is the problem: it seems I do not have any other configuration related to that interface except for:

add vpn tunnel X type numbered local 1.2.3.4 remote 1.2.3.5 peer SOMEONE

set interface vpntX comments "SOMEONE"
set interface vpntX state off
set interface vpntX mtu 1500

As I stated previously, the only thing that I have done differently on this occasion is testing the route using not an address but the actual logical interface; then I changed it to refer to the address:

So from -> set static-route NETWORK nexthop gateway logical vpntX on

To -> set static-route NETWORK nexthop gateway address 1.2.3.4 priority 1 on

I have deleted the routes related to this IP/interface.

Something else I have noticed: if I put the static route back like I did in the test at the beginning:

set static-route NETWORK nexthop gateway logical vpntX on

and try to delete the interface with:

delete vpn tunnel X

I get the below messages:

This interface is used by the Dynamic Routing Protocols:
This interface is used by the Dynamic Routing Protocols:
Please remove this configuration before deleting the vpn tunnel interface
VpntErr0005 Dynamic Routing Protocols present on VPNT

If the behavior were "normal", I would be able to delete the interface by just doing:

delete vpn tunnel X

This seems not to be the case, and I'm not able to find a solution. I found a similar situation described by someone some time ago:

https://community.checkpoint.com/t5/Security-Gateways/Can-t-delete-interfaces-This-interface-is-used...

Maybe this information rings a bell 😊

Thank you for the support so far.

dphonovation
Collaborator

Experiencing this on 81.10 as well

Sky
Participant

Hello @dphonovation,

If I remember correctly, what made it work was a reboot.

Ilya_Yusupov
Employee

Hi @Sky,


Can you please share the output of show configuration for your static routes, and of show route?

It looks like you have some route that is leading through this VTI.


Thanks,

Ilya

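Bob's advice (delete, rather than disable, every route that names the VTI) and Ilya's request for the static-route configuration come down to the same check. As an added example that is not from this thread or from Check Point, this POSIX shell script audits a saved Gaia "show configuration" dump for routes and dynamic-routing entries that still reference the VTI by name; the config is a constructed sample, vpnt1 stands in for the thread's vpntX, and the ospf line is an assumed stanza used only to show the dynamic-routing case.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved Gaia "show configuration"
# dump for anything that still names a VTI, which is what produces
# "VpntErr0005 There is a static or default route by name for interface vpntX"
# and "Dynamic Routing Protocols present on VPNT" on "delete vpn tunnel".

# Constructed sample; vpnt1 stands for the thread's vpntX. The ospf line is an
# assumed Gaia stanza, included to show the dynamic-routing case.
SAMPLE_CONFIG='set hostname fw-a
add vpn tunnel 1 type numbered local 1.2.3.4 remote 1.2.3.5 peer SOMEONE
set interface vpnt1 comments "SOMEONE"
set interface vpnt1 state off
set interface vpnt1 mtu 1500
set static-route 10.10.0.0/16 nexthop gateway logical vpnt1 on
set static-route 10.20.0.0/16 nexthop gateway address 1.2.3.4 priority 1 on
set static-route default nexthop gateway logical vpnt1 on
set ospf interface vpnt1 area backbone on
set static-route 10.30.0.0/16 nexthop gateway logical vpnt10 on'

# vti_route_refs NAME: static/default routes using the VTI as a logical
# nexthop. Each must be removed with "... logical NAME off"; setting the
# interface to "state off" leaves these lines in place.
vti_route_refs() {
    grep -E "^set static-route .* nexthop gateway logical $1( |\$)"
}

# vti_dynamic_refs NAME: dynamic-routing stanzas bound to the VTI.
vti_dynamic_refs() {
    grep -E "^set (ospf|bgp|rip|pim)[a-z0-9]* .*interface $1( |\$)"
}

# vti_blockers NAME: count of blocking references in the config read from
# stdin; 0 means "delete vpn tunnel" should succeed. The "( |$)" in the
# patterns keeps vpnt10 from being counted as a reference to vpnt1.
vti_blockers() {
    cfg=$(cat)
    routes=$(printf '%s\n' "$cfg" | vti_route_refs "$1" | awk 'END { print NR }')
    dyn=$(printf '%s\n' "$cfg" | vti_dynamic_refs "$1" | awk 'END { print NR }')
    echo $((routes + dyn))
}

# Report for the sample: two routes and one OSPF binding still name vpnt1.
printf '%s\n' "$SAMPLE_CONFIG" | vti_route_refs vpnt1
printf '%s\n' "$SAMPLE_CONFIG" | vti_dynamic_refs vpnt1
echo "blocking references for vpnt1: $(printf '%s\n' "$SAMPLE_CONFIG" | vti_blockers vpnt1)"
```

On a live gateway, replace the sample with the real dump (for example "show configuration" saved from clish) and re-run after each "... off" until the count for the VTI reaches 0.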
spottex
Contributor

Hi, I had this issue yesterday and needed to Google fast as I was in the middle of a change window. This thread was a top result and seemed to have the closest info, so I thought I would share how I actually got it sorted for others in the future.

The route error message is from the directly connected interface, I believe, and throws us a bit.

Via the web portal I disabled the interfaces by unchecking the enable check box when editing the VTI interface on each cluster node.

Then in SmartConsole > Gateway cluster properties > Network Management > Get Interfaces 'without' topology... the view refreshed without the VTI interface. Pushed policy and all sorted.

You could possibly have disabled the interface via CLI somehow with 'off' maybe, but I did not try. Possibly someone did in this thread.

esskr
Explorer

Thanks, I had the same issue. But the above from spottex solved it.
