No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
reset ike sa

reset ike sa


The reset ike sa command deletes a specified IKE SA or all IKE SAs.


reset ike sa { all | conn-id connection-id }





conn-id connection-id

Specifies the connection ID of the SA to be deleted.

The value is an integer that ranges from 1 to 200704.


Deletes all IKE SAs.



User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To delete an IPSec tunnel established through IKE negotiation, you need to run the reset ike sa command to delete the IKE SA that is used to negotiate the tunnel.


When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the command is run. After all the SAs are cleared, the CPU usage restores to the normal range.

In IKEv1, IKE negotiation consists of two phases. The IKE SA in phase 1 is used for negotiation, and the IKE SA in phase 2 is used to establish the IPSec SA to protect data flows based on the IKE SA in phase 1.

  • If the IKE SA corresponding to the specified connection ID (you can run the display ike sa command to view the connection ID) is in phase 1, both ends negotiate a new IKE SA in phase 1 under the protection of the IKE SA in phase 2 after the old one is deleted.
  • If the IKE SA corresponding to the specified connection ID is in phase 2, neither end negotiates a new IKE SA in phase 2 after the old one is deleted. A new IKE SA in phase 2 is negotiated only when the data flows match the ACL in the IPSec policy. If auto-negotiation is enabled in the IPSec policy, SA negotiation is performed even if data flows do not match the ACL.
  • If the connection ID is not specified, all IKE SAs in phase 1 are deleted, and new IKE SAs in phase 1 are established.


# Delete all IKE SAs.

<Huawei> reset ike sa all
Related Topics
Updated: 2019-05-29

Document ID: EDOC1000097293

Views: 90638

Downloads: 124

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next