How to clear vpn client connections

Jan 9th, 2008

IOS - 12.2 18 SXF

crypto isakmp client configuration group keeps the count of dropped VPN connections (those which are dropped due to internet failure on the client's part and not disconnected properly).

Though this does not block the IP from the pool and the client is able to make another session, that's another addition to the count of connections.

Even if the IP pool is for 5 IP addresses, the connection counter goes up to 15-20.

I need a command to clear such connections for a particular client configuration group.


#show crypto session summary

Group MYVPNGP has 15 connections

While it actually has 1 active connection and only has 3 IPs in its pool.

The 'Clear' command and not the 'idle-timeout'.

Clear Sessions not helping here.

This bug could be a close match, but it's new and not yet fixed:

CSCse29085 - Duplicate IPSEC SA's are not deleted & SPI allocated are not freed up

Many thanks in advance.

ivillegas Wed, 01/16/2008 - 06:37

First clear the VPN connection using the crypto clear sa command and then use the show command.

vijay sanwal Wed, 01/16/2008 - 06:43

Just before I was going to open a TAC case for this, I found the cause of the issue affecting this IOS.




When a vpnclient session is disconnected ungracefully, it is possible that the user will be stuck in the local database if they are reconnecting with the same IP address but a different group name. This can lead to problems when the 'max-logins' configuration command is used, since a user is accounted for although he is no longer active.


- Ungraceful vpnclient disconnect.
- 'max-logins' feature is used.
- Same IP address, send initial-contact but different group.


Have users in single groups, try to ensure clients disconnect properly if they are likely to be swapping groups during a session.

Further Problem Description:

The show crypto session summary command will display some users as being active, although there is actually no longer a valid crypto session for them.


