F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100

Hardware           Keywords compatible
F1000-E            Yes
F5000              Yes
Firewall module    Yes
U200-A             Yes
U200-S             No
Usage guidelines
If you do not specify any parameter, the command clears all ISAKMP SAs.
When you clear the active ISAKMP SAs on the active device, the active device automatically notifies the
standby device to clear the standby ISAKMP SAs.
When you clear the standby ISAKMP SAs on the standby device, the standby device re-synchronizes the
ISAKMP SA data with the active device to set up new standby ISAKMP SAs.
When you clear a local IPsec SA, its ISAKMP SA can transmit the Delete message to notify the remote
end to delete the paired IPsec SA. If the ISAKMP SA has been cleared, the local end cannot notify the
remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.
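The ordering constraint above can be checked from `display ike sa` output before any SA is cleared. The following Python is an added example, not part of the HP reference: it lists peers that have phase-2 entries but no READY phase-1 (ISAKMP) SA left to carry the Delete message. The function names, the sample addresses and the assumption that the column layout matches the samples on this page are all introduced for illustration.

```python
import re

# Row layout assumed from the `display ike sa` samples on this page:
# connection-id, peer, flag, phase, doi, and an optional status column.
ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<flag>\S+)\s+(?P<phase>[12])\s+(?P<doi>\S+)(?:\s+(?P<status>\S+))?\s*$"
)

# Constructed sample output (documentation addresses, not from a real device).
SAMPLE_OUTPUT = """\
total phase-1 SAs: 1
connection-id  peer          flag   phase  doi
----------------------------------------------------------
1              192.0.2.10    RD|ST  1      IPSEC
2              192.0.2.10    RD|ST  2      IPSEC
5              198.51.100.7  RD|ST  2      IPSEC
"""

def parse_ike_sa(text):
    """Return one dict per SA row; header, ruler and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["flags"] = set(row.pop("flag").split("|"))
            rows.append(row)
    return rows

def peers_needing_manual_cleanup(text):
    """Peers with phase-2 entries but no READY phase-1 (ISAKMP) SA.

    Assumption: a phase-1 row flagged RD is the ISAKMP SA that would carry
    the Delete message. Without one, the remote IPsec SA has to be cleared
    manually on the remote end.
    """
    rows = parse_ike_sa(text)
    ready_p1 = {r["peer"] for r in rows if r["phase"] == "1" and "RD" in r["flags"]}
    with_p2 = {r["peer"] for r in rows if r["phase"] == "2"}
    return sorted(with_p2 - ready_p1)

if __name__ == "__main__":
    print(peers_needing_manual_cleanup(SAMPLE_OUTPUT))
```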
Examples
# Clear the IKE SA that uses connection ID 2.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id  peer            flag        phase   doi
----------------------------------------------------------
1              202.38.0.2      RD|ST       1       IPSEC
2              202.38.0.2      RD|ST       2       IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Sysname> reset ike sa 2
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id  peer            flag        phase   doi
----------------------------------------------------------
1              202.38.0.2      RD|ST       1       IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Clear all active IKE SAs.
<Sysname> display ike sa
total phase-1 SAs: 2
connection-id  peer            flag        phase   doi     status
----------------------------------------------------------------
1              202.38.0.2      RD|ST       1       IPSEC   ACTIVE
1              201.31.0.9      RD|ST       1       IPSEC   STANDBY
2              202.38.0.2      RD|ST       2       IPSEC   ACTIVE
2              201.31.0.9      RD|ST       2       IPSEC   STANDBY
flag meaning