Clear Commands


router# clear crypto sa
router# clear crypto sa peer <IP address | peer name>
router# clear crypto sa map <map name>
router# clear crypto sa entry <destination address protocol spi>

• Clears IPSec SAs in router's database

© 2004 Cisco Systems, Inc. All rights reserved. BCRAN v2.1—5-7

The clear commands are useful after altering VPN configurations. When transform sets and global lifetimes are changed, not all of the changes are applied to existing IPSec connections. To ensure that the new settings affect all VPN connections, the clear commands must be used. If a VPN device is processing a great deal of IPSec traffic that should remain uninterrupted, the clear commands can be restricted to specific maps, entries, or peers by specifying them within the command.

Note: Using clear commands requires reestablishment of the VPN tunnel between devices and might cause inconvenience to the user.

The clear commands are also beneficial when troubleshooting VPN connectivity. They can show if SAs are no longer being built by peers. By comparing results of show commands before and after clear commands are used, it is often apparent that ISAKMP or IPSec SAs are not created after making a network change.
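The before-and-after comparison described above, as an added example that is not part of the original course text: it parses two captures of `show crypto ipsec sa` and reports, per peer, whether the IPSec SAs came back with new SPIs. The choice of that show command, the function names, and the abbreviated sample output are assumptions constructed for illustration.

```python
import re
# Constructed, abbreviated "show crypto ipsec sa" captures (sample data, not
# from the original page), taken before and after "clear crypto sa".
BEFORE = """\
   current_peer: 172.30.2.2
     inbound esp sas:
      spi: 0x1B781456(460854358)
     outbound esp sas:
      spi: 0x8AE1C9C(145628316)
   current_peer: 172.30.3.2
     inbound esp sas:
      spi: 0x2C4D9A10(743283216)
     outbound esp sas:
      spi: 0x5F0E11B7(1594757559)
"""
AFTER = """\
   current_peer: 172.30.2.2
     inbound esp sas:
      spi: 0x3A91F0C2(982642882)
     outbound esp sas:
      spi: 0x7D22B6E4(2099427044)
   current_peer: 172.30.3.2
     inbound esp sas:
     outbound esp sas:
"""
PEER = re.compile(r"current_peer:?\s+(\d+\.\d+\.\d+\.\d+)")
SPI = re.compile(r"^\s*spi:\s+0x([0-9A-Fa-f]+)")

def spis_by_peer(capture):
    """Map each peer address to the set of SPIs listed under it."""
    peers, current = {}, None
    for line in capture.splitlines():
        if (m := PEER.search(line)):
            current = m.group(1)
            peers.setdefault(current, set())
        elif current and (m := SPI.match(line)):
            peers[current].add(int(m.group(1), 16))
    return peers

def compare(before, after):
    """Classify every peer seen before the clear by what happened to its SAs."""
    old, new = spis_by_peer(before), spis_by_peer(after)
    result = {}
    for peer, spis in old.items():
        now = new.get(peer, set())
        # No SPIs: SAs never came back. Shared SPI: old SA still up. Else: renegotiated.
        result[peer] = ("not re-established" if not now
                        else "unchanged" if now & spis else "rebuilt")
    return result
```

Peers outside a scoped clear (peer, map, or entry) are expected to show as unchanged; a peer reported as not re-established is the one to investigate after the network change.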

Occasionally, the Address Resolution Protocol (ARP) table will interfere with establishment or changes to IPSec tunnels and must be cleared. This ARP table interference occurs more often in PIX VPN configurations and can be remedied by clearing the ARP cache. Although not an IPSec-specific clear command, use the clear arp command to clear the ARP cache.
