To delete IPSec security associations, use the clear crypto sa global configuration command.
clear crypto sa
clear crypto sa peer {ip-address | peer-name}
clear crypto sa map map-name
clear crypto sa entry destination-address protocol spi
clear crypto sa counters
ip-address  Specify a remote peer's IP address.
peer-name  Specify a remote peer's name as the fully qualified domain name, for example remotepeer.domain.com.
map-name  Specify the name of a crypto map set.
destination-address  Specify the IP address of your peer or the remote peer.
protocol  Specify either the AH or ESP protocol.
spi  Specify an SPI (found by displaying the security association database).
If the peer, map, entry, or counters keywords are not used, all IPSec security associations are deleted.
Global configuration
Release | Modification |
---|---|
11.3 T | This command was introduced. |
This command clears (deletes) IPSec security associations.
If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)
If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)
If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.
If any of the above commands cause a particular security association to be deleted, all the "sibling" security associations that were established during the same IKE negotiation are deleted as well.
The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.
If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear crypto sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you only clear the portion of the security association database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command only clears IPSec security associations; to clear IKE state, use the clear crypto isakmp command.
The following example clears (and reinitializes if appropriate) all IPSec security associations at the router:
clear crypto sa
The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256
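The following added example (not part of the original Cisco documentation) shows the scoped clearing recommended above after a configuration change to one crypto map set. The map name mymap, sequence number 10, lifetime value, and peer address 10.0.0.1 are constructed for illustration.

```ios
! Constructed values: crypto map set "mymap", sequence 10, peer 10.0.0.1.
! Commands are entered in global configuration mode, the mode this page
! gives for clear crypto sa.
crypto map mymap 10 ipsec-isakmp
 set security-association lifetime seconds 1800
 exit
! Existing security associations still use the old lifetime. Clear only the
! security associations that belong to the changed crypto map set, so that
! IPSec traffic protected by other crypto map sets is not interrupted.
clear crypto sa map mymap
! Narrower alternative when the change affects a single remote peer:
! clear only the security associations negotiated with that peer.
clear crypto sa peer 10.0.0.1
! Optional: reset the per-SA traffic counters so that traffic seen after
! the change is easy to read. This does not delete any security association.
clear crypto sa counters
```

With IKE, the cleared security associations are renegotiated with the new settings the next time matching traffic requires them; IKE state itself is untouched by these commands.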
Command | Description |
---|---|
clear crypto isakmp | Clears active IKE connections. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.