Summary: Clears stuck or broken IKE/IPsec SAs and NHRP state on IOS-XE. Use when tunnels are down but SA entries still show in the crypto table, or when a tunnel won't re-establish cleanly.
Clear in this order — NHRP last, otherwise spokes re-register before the crypto state is fully reset.
! Clear IKEv1 SAs to a specific spoke (preferred over clearing all)
clear crypto isakmp remote <spoke-ip>
! Or clear IKEv2 SAs
clear crypto ikev2 sa remote <spoke-ip>
! Clear IPsec SAs for the peer
clear crypto sa peer <spoke-ip>
! Clear the DMVPN session
clear dmvpn session remote <spoke-ip>
! Clear NHRP entries for the spoke
clear ip nhrp <spoke-ip>
To clear all DMVPN sessions at once (use with caution on a hub — drops all spokes):
clear crypto session
clear ip nhrp
! Clear by peer address
clear crypto session remote <peer-ip>
! Or clear IKE and IPsec SAs separately
clear crypto ikev2 sa remote <peer-ip>
clear crypto sa peer <peer-ip>
For IKEv1 tunnels:
clear crypto isakmp remote <peer-ip>
clear crypto sa peer <peer-ip>
! Watch tunnel re-establishment in real time
show crypto session remote <peer-ip>
show crypto ikev2 sa remote <peer-ip>
show crypto ipsec sa peer <peer-ip>
! For DMVPN — confirm spoke re-registers
show dmvpn detail
show ip nhrp
⚠️ Hub Considerations
Runningclear crypto sessionwithout a peer address on a hub clears all spoke sessions simultaneously. This causes a brief outage across all DMVPN spokes. Always target a specific peer in production unless a full reset is intentional.