How to clear virtual-access interfaces

mario.jost
Level 3

We have a FlexVPN setup where Spoke2Spoke connections get created dynamically with the help of virtual access interfaces. So if I want to edit something within a virtual-template, I get the error that it is locked:

router(config)#interface Virtual-Template2
% Virtual-template config is locked, active vaccess present

If I then show all the interfaces, I can see that there are still virtual-access interfaces that got cloned from this virtual-template 2:

router#show ip interface brief | include Access
Virtual-Access1 172.18.0.132 YES unset up down
Virtual-Access2 172.18.0.132 YES unset up down
Virtual-Access3 172.18.0.132 YES unset up down
Virtual-Access4 172.18.0.132 YES unset up down
Virtual-Access5 172.18.0.132 YES unset up down
Virtual-Access6 172.18.0.132 YES unset up down
Virtual-Access7 172.18.0.132 YES unset up down
Virtual-Access8 172.18.0.132 YES unset up down
Virtual-Access9 172.18.0.132 YES unset up down
Virtual-Access10 172.19.0.76 YES unset up down <--- These were cloned from VT2
Virtual-Access11 172.19.0.76 YES unset up down <--- These were cloned from VT2
Virtual-Access12 172.18.0.132 YES unset up down
Virtual-Access13 172.18.0.132 YES unset up down
Virtual-Access15 172.18.0.132 YES unset up down
Virtual-Access16 172.19.0.76 YES unset up down <--- These were cloned from VT2

So we can see that these interfaces are up down. There are no active VPN connections anymore to the destinations that these virtual-access interfaces were brought up. So I just go ahead and shut the tunnel2 interface, which gives me the following picture:

router#show ip interface brief 
Virtual-Access1        172.18.0.132    YES unset  up                    down    
Virtual-Access2        172.18.0.132    YES unset  up                    down    
Virtual-Access3        172.18.0.132    YES unset  up                    down    
Virtual-Access4        172.18.0.132    YES unset  up                    down    
Virtual-Access5        172.18.0.132    YES unset  up                    down    
Virtual-Access6        172.18.0.132    YES unset  up                    down    
Virtual-Access7        172.18.0.132    YES unset  up                    down    
Virtual-Access8        172.18.0.132    YES unset  up                    down    
Virtual-Access9        172.18.0.132    YES unset  up                    down    
Virtual-Access10       unassigned      YES unset  up                    down    <- unassigned IP
Virtual-Access11       unassigned      YES unset  up                    down    <- unassigned IP
Virtual-Access12       172.18.0.132    YES unset  up                    down    
Virtual-Access13       172.18.0.132    YES unset  up                    down    
Virtual-Access15       172.18.0.132    YES unset  up                    down    
Virtual-Access16       unassigned      YES unset  up                    down    <- unassigned IP

So if I try to run the command clear interface virtual-access10, this does nothing:

router#clear interface virtual-access 10
router#clear interface virtual-access 11
router#show ip int brief | include Access
Virtual-Access1        172.18.0.132    YES unset  up                    down    
Virtual-Access2        172.18.0.132    YES unset  up                    down    
Virtual-Access3        172.18.0.132    YES unset  up                    down    
Virtual-Access4        172.18.0.132    YES unset  up                    down    
Virtual-Access5        172.18.0.132    YES unset  up                    down    
Virtual-Access6        172.18.0.132    YES unset  up                    down    
Virtual-Access7        172.18.0.132    YES unset  up                    down    
Virtual-Access8        172.18.0.132    YES unset  up                    down    
Virtual-Access9        172.18.0.132    YES unset  up                    down    
Virtual-Access10       unassigned      YES unset  up                    down    <- still here
Virtual-Access11       unassigned      YES unset  up                    down    <- still here
Virtual-Access12       172.18.0.132    YES unset  up                    down    
Virtual-Access13       172.18.0.132    YES unset  up                    down    
Virtual-Access15       172.18.0.132    YES unset  up                    down    
Virtual-Access16       unassigned      YES unset  up                    down    

There are no NHRP entries active (as there are no Spoke2Spoke VPNs active). So my go-to workaround has always been to just shut the tunnel2 and reload the router. Shutting the tunnel2 makes sure no new virtual-access connections will be created after the router is back online. But with this, I have to wait for a maintenance window and it's a pretty bad workaround, to be honest. Is there another way to remove these virtual-access interfaces in order to edit the virtual template interface?

2 Replies

First, there are SVTI tunnels toward the hub.

And there is a virtual template between the spokes.

Configure a new virtual template with a different number, then add it under the IKEv2 profile.

Lastly, shut the old virtual template and remove it.

MHM

balaji.bandi
Hall of Fame

You can create a new virtual template and assign it to the profile if you'd like to change it, or shut down the tunnel and make changes.

BB
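
The replacement-template approach suggested in both replies, sketched as IOS configuration. This is an added example, not taken from either poster or from this router's configuration: Virtual-Template3, FLEX_PROFILE, Loopback0, the NHRP network-id and the IPsec profile name are assumed placeholders, and the `ip nhrp shortcut` lines apply only if the existing configuration already uses them.

```cisco
! Assumed placeholders (not from the thread): FLEX_PROFILE, Virtual-Template3,
! Loopback0, network-id 1, ipsec profile "default".
!
! 1. Record the current template so the new one can start from the same lines
show running-config interface Virtual-Template2
!
configure terminal
! 2. Build the replacement under a new number, including the edits that the
!    locked Virtual-Template2 would not accept
interface Virtual-Template3 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 3
 tunnel protection ipsec profile default
 exit
! 3. Point the IKEv2 profile at the new template so new sessions clone from it
crypto ikev2 profile FLEX_PROFILE
 virtual-template 3
 exit
! 4. If Tunnel2 names the old template for NHRP shortcuts, repoint it as well
interface Tunnel2
 ip nhrp shortcut virtual-template 3
 exit
! 5. Last step from the first reply: retire the old template. The question shows
!    that "interface Virtual-Template2" is refused while clones exist, and the
!    thread does not confirm that removal is accepted in that state.
no interface Virtual-Template2
end
!
! 6. Confirm that new spoke-to-spoke sessions come up on fresh Virtual-Access
!    interfaces and that the running config references only the new template
show ip interface brief | include Access
show running-config | include virtual-template
```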
