Fortigate cannot delete VDOM or other object in use problem solution


I file this under the "feature, not a bug" category: you are trying to delete some object, say a VDOM, which is NOT actually used anywhere, but the Fortigate throws the error "Command fail. Return code -23". Fortigate keeps a reference count for every object at all times, and if the reference count of an object is not 0, trying to delete it causes an error. This is a safety feature that prevents admins from deleting an object that is still in use. In older Check Point versions (before R80) you could delete an object used in rules, and the firewall would replace it with Any, what a disaster. But back to Fortigates: this error may, unfortunately, happen even after you have deleted all references to the object, for reasons not under our control, e.g. a stale count stuck in the cache, or because you deleted the references in an order that Fortigate considers wrong. The solution is simple (CLI only). Let's take deleting a VDOM as an example.

  • Delete VDOM called MyVDOM:

config vdom
del MyVDOM

Domain MyVDOM: used by interface, can not delete
Command fail. Return code -23

  • First, make sure the object is indeed not used:

show | grep -f MyVDOM

config vdom
edit MyVDOM <---
next
end
config global
config sys interface
        edit "ssl.MyVDOM"
                set vdom "MyVDOM"
                set status down
                set type tunnel
        next
end

We can see that only the ssl.MyVDOM interface exists in this VDOM, and that is OK: this interface is auto-created by Fortigate and will be auto-deleted by it together with the VDOM.

  • See what Fortigate thinks about references to the object in question:

diagnose sys cmdb refcnt show system.interface.name ssl.MyVDOM

diagnose sys cmdb refcnt show system.interface.name ssl.MyVDOM
The total reference number is 0

  • Anyway, here is the secret command to refresh/reset the reference count. I run it on both the interface and the VDOM, just in case:

diagnose sys cmdb refcnt reset system.interface.name ssl.MyVDOM

dia sys cmdb refcnt reset system.vdom.name MyVDOM

diagnose sys cmdb refcnt reset system.interface.name ssl.MyVDOM

The total reference number is reset to 0 from 1.

dia sys cmdb refcnt reset system.vdom.name MyVDOM

Entry used by table system.interface.name 'ssl.MyVDOM'
entry used by child table gui-dashboard:id '222'
... CUT...
The total reference number is reset to 14 from 20

  • After that, I could delete the VDOM:

config vdom
delete MyVDOM
end
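As an added example (not part of the original post and not a Fortinet tool), a small Python parser for the `diagnose sys cmdb refcnt show/reset` output quoted above: it extracts the referrers and the final count, and treats the auto-created ssl.<VDOM> interface as a harmless reference, as explained above. It assumes the line wording seen in this post; other FortiOS versions may phrase these lines differently.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the output of
# "diagnose sys cmdb refcnt reset system.vdom.name MyVDOM" as quoted in the
# post, with the "... CUT..." lines left out.
SAMPLE_RESET_OUTPUT = """\
Entry used by table system.interface.name 'ssl.MyVDOM'
entry used by child table gui-dashboard:id '222'
The total reference number is reset to 14 from 20
"""

# Constructed sample: output of "diagnose sys cmdb refcnt show ..." for a
# clean object.
SAMPLE_SHOW_OUTPUT = "The total reference number is 0\n"

# Line shapes as seen in the post (assumption: wording may vary by version).
_REF_LINE = re.compile(r"^entry used by (?:child )?table (\S+) '([^']*)'",
                       re.IGNORECASE)
_TOTAL_LINE = re.compile(r"total reference number is (?:reset to )?(\d+)",
                         re.IGNORECASE)


@dataclass
class RefcntReport:
    total: Optional[int] = None                  # count after the command ran
    referrers: List[Tuple[str, str]] = field(default_factory=list)  # (table, key)


def parse_refcnt(output: str) -> RefcntReport:
    """Parse refcnt show/reset output into referrers and the final count."""
    report = RefcntReport()
    for line in output.splitlines():
        m = _REF_LINE.match(line.strip())
        if m:
            report.referrers.append((m.group(1), m.group(2)))
            continue
        m = _TOTAL_LINE.search(line)
        if m:
            report.total = int(m.group(1))
    return report


def blocking_referrers(report: RefcntReport, vdom: str) -> List[Tuple[str, str]]:
    """Referrers other than the auto-created ssl.<vdom> tunnel interface,
    which is deleted together with the VDOM and so does not block deletion."""
    auto_created = ("system.interface.name", "ssl." + vdom)
    return [r for r in report.referrers if r != auto_created]
```

An empty result from `blocking_referrers` means the only remaining reference is the auto-created interface, so the delete can be retried.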

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.