Under some conditions, when a VPN object is deleted from Junos Space, the VPN object entry remains in Security Director. This article provides a script to run as a workaround for the issue.

 

• Preview configuration for VPNs shows deleted gateways (IKE/IPSec tunnels) to be pushed to the firewall.

• Preview configuration for VPNs shows deleted routes (static/dynamic) to be pushed to the firewall.

• Preview configuration for VPNs shows deleted routing instances to be pushed to the firewall.

 

If the Security Directory IPSec VPN policy delete or modification task/job fails or is interrupted for any reason, the intermediate published data tables may have incorrect data.

 

Workaround: Run the attached script to clean up the most common incompletely removed VPN DB entries. Contact Support with any questions or assistance when using this script.

Before running this script, ensure all VPNs that exist in the Security Director UI have been published. (It is recommended to run the publish operation for all VPNs and check the result prior to using this script.)

Note: This script is designed for use with Security Director 17.1 - 19.1. It may or may not work as expected on later versions.

1. Make a backup of the Space database by following the steps in Backing Up the Junos Space Network Management Platform Database. (The process is the same for all Space versions.)

2. Download the script file: KB34766_CleanupStaleVPNs_Oct2020.zip

3. SCP the script file to the server and unzip. (Unzip the script on the server to ensure file integrity.)

Example:

unzip KB34766_CleanupStaleVPNs_Oct2020.zip

4. Run the script:

sh CleanupStaleVPNs.sh  

Note: The script can be extracted on your computer. Each command inside the script can run on from the CLI if copying to a remote system is difficult. The script first contains select queries which list out all the stale entries followed by the delete queries which will be deleting the stale entries.

 

2020-10-16: Script file updated