clear a – clear k

clear aaa kerberos

To clear Kerberos information, use the clear aaa kerberos command in privileged EXEC mode.

clear aaa kerberos { tickets [ username user ] | keytab }

Syntax Description

keytab

Clears the Kerberos keytab file.

tickets [username user ]

Clears Kerberos ticket information. All tickets are cleared unless you include the username keyword, which specifies the user whose ticket you want to clear.

Command Default

No defaults.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(1)

This command was added.

9.8(4)

The keytab keyword was added.

Examples

The following example shows how to clear all Kerberos tickets.


ciscoasa# clear aaa kerberos tickets
Proceed with deleting kerberos tickets? [confirm] y

The following example shows how to display, and then clear, the Kerberos keytab file.


ciscoasa# show aaa kerberos keytab
Principal:   host/asa2@BXB-WIN2016.EXAMPLE.COM
Key version: 10
Key type:    arcfour (23)
ciscoasa# clear aaa kerberos keytab
ciscoasa# show aaa kerberos keytab
No keys found
ciscoasa#

clear aaa local user

To unlock a user, or to reset a user’s failed authentication attempts to zero, use the clear aaa local user command in Privileged EXEC mode.

clear aaa local user { fail-attempts | lockout } { username name | all }

Syntax Description

all

Either unlocks all locked-out users, or resets the failed-attempts counter to 0 for all users.

fail-attempts

Resets the failed attempts counter to 0 for the specified user or all users.

lockout

Unlocks users that are currently locked out and resets the failed-attempts counter for those users to 0. This option has no impact on users who are not locked out.

The administrator cannot be locked out of the device.

username name

Specifies a specific username to unlock or reset the failed-attempts counter to 0.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Use this command if a user fails to authenticate after a few attempts.

After the configured number of failed authentication attempts, the user is locked out of the system and cannot successfully log in until either a system administrator unlocks the username or the system reboots. The number of failed attempts resets to zero and the lockout status resets to No when the user successfully authenticates, or when the system reboots. In addition, the system resets the counter to zero when the configuration has recently been modified.

Locking or unlocking a username results in a system log message. A system administrator with a privilege level of 15 cannot be locked out.

Examples

The following example shows how to reset the failed-attempts counter to 0 for the username anyuser:


ciscoasa# clear aaa local user fail-attempts username anyuser
ciscoasa#

The following example shows how to reset the failed-attempts counter to 0 for all users:


ciscoasa# clear aaa local user fail-attempts all
ciscoasa#

The following example shows how to clear the lockout condition and reset the failed-attempts counter to 0 for the username anyuser:


ciscoasa# clear aaa local user lockout username anyuser
ciscoasa#

clear aaa sdi node-secret

To delete the node secret file for an RSA SecurID server, use the clear aaa sdi node-secret command in privileged EXEC mode.

clear aaa sdi node-secret rsa_server_address

Syntax Description

rsa_server_address

The IP address or fully-qualified hostname of the RSA SecurID/Authentication Manager server whose node secret file you want to delete.

Command Default

No defaults.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.15(1)

This command was added.

Examples

The following example shows how to view the list of node secret files, then delete one of them. Use the aaa sdi import-node-secret command to import a new node secret file for the server, if necessary.


ciscoasa# show aaa sdi node-secrets
Last update                    SecurID server
--------------------           --------------------
15:16:13 Jun 24 2020           rsaam.example.com
15:20:07 Jun 24 2020           10.11.12.13
ciscoasa# clear aaa sdi node-secret rsaam.example.com

clear aaa-server statistics

To reset the statistics for AAA servers, use the clear aaa-server statistics command in privileged EXEC mode.

clear aaa-server statistics [ LOCAL | groupname [ host hostname ] | protocol protocol ]

Syntax Description

groupname

(Optional) Clears statistics for servers in a group.

host hostname

(Optional) Clears statistics for a particular server in the group.

LOCAL

(Optional) Clears statistics for the LOCAL user database.

protocol protocol

(Optional) Clears statistics for servers of the specified protocol:

  • kerberos

  • ldap

  • nt

  • radius

  • sdi

  • tacacs+

Command Default

Remove all AAA server statistics across all groups.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was modified to adhere to CLI guidelines. In the protocol values, nt replaces the older nt-domain , and sdi replaces the older rsa-ace .

Examples

The following example shows how to reset the AAA statistics for a specific server in a group:


ciscoasa(config)# clear aaa-server statistics svrgrp1 host 1.2.3.4

The following example shows how to reset the AAA statistics for an entire server group:


ciscoasa(config)# clear aaa-server statistics svrgrp1

The following example shows how to reset the AAA statistics for all server groups:


ciscoasa(config)# clear aaa-server statistics

The following example shows how to reset the AAA statistics for a particular protocol (in this case, TACACS+):


ciscoasa(config)# clear aaa-server statistics protocol tacacs+

clear access-list

To clear an access-list counter, use the clear access-list command in global configuration mode.

clear access-list id counters

Syntax Description

counters

Clears access list counters.

id

Name or number of an access list.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

When you enter the clear access-list command, you must specify the id of the access list whose counters you want to clear.

Examples

The following example shows how to clear a specific access list counter:


ciscoasa# clear access-list inbound counters

clear arp

To clear dynamic ARP entries or ARP statistics, use the clear arp command in privileged EXEC mode.

clear arp [ statistics ]

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example clears all ARP statistics:


ciscoasa# clear arp statistics

clear asp

To clear accelerated security path (ASP) statistics, use the clear asp command.

clear asp { cluster counter | drop [ flow | frame ] | event dp-cp | queue-exhaustion [ snapshot number ] | load-balance history | overhead | table [ arp | classify | network-object | filter [ access-list acl_name ] ] }

Syntax Description

access-list acl_name

(Optional) Clears the hit counters only for a specified access list.

arp

(Optional) Clears the hits counters in ASP ARP tables only.

classify

(Optional) Clears the hits counters in ASP classify tables only.

cluster counter

Clears cluster counters.

event

Clears data-path to control-plane event statistics.

filter

(Optional) Clears the hits counters in ASP filter tables only.

flow

(Optional) Clears the dropped flow statistics.

frame

(Optional) Clears the dropped frame/packet statistics.

load-balance history

Clears the history of ASP load balancing per packet and resets the number of times an automatic switch occurred.

network-object

(Optional) Clears the hits counters in ASP network object tables only. These tables are used when object group search is enabled.

overhead

Clears all ASP multiprocessor overhead statistics.

queue-exhaustion

Clears the data-path inspection Snort queue snapshot.

snapshot number

(Optional) Clears the queue exhaustion by snapshot ID.

table

Clears the hit counters in the ARP tables. Specify the table type to limit the action.

Command Default

No default behavior or values.

Command History

Release

Modification

7.0(1)

This command was added.

7.2(4)

We added the table keyword.

8.2(2)

We added the filter keyword.

9.3(1)

We added the load-balance history keywords.

9.22(1)

The table network-object option was added.

Examples

The following example clears all ASP table statistics:


ciscoasa# clear asp table
Warning: hits counters in asp arp and classify tables are cleared, which might impact the hits statistic of other modules and output of other "show" commands!
ciscoasa# clear asp table arp
Warning: hits counters in asp arp table are cleared, which might impact the hits statistic of other modules and output of other "show" commands!
ciscoasa# clear asp table classify
Warning: hits counters in classify tables are cleared, which might impact the hits statistic of other modules and output of other "show" commands!
ciscoasa(config)# clear asp table
Warning: hits counters in asp tables are cleared, which might impact the hits statistics of other modules and output of other "show" commands!
ciscoasa# sh asp table arp
Context: single_vf, Interface: inside
  10.1.1.11 Active 00e0.8146.5212 hits 0
Context: single_vf, Interface: identity
  :: Active 0000.0000.0000 hits 0
  0.0.0.0 Active 0000.0000.0000 hits 0

clear bfd counters

To clear the BFD counters, use the clear bfd counters command in privileged EXEC mode.

clear bfd counters [ ld local_discr | interface_name | ipv4 ip-address | ipv6 ipv6-address ]

Syntax Description

ld local_discr

(Optional) Clears BFD counters for the specified local discriminator, 1 - 4294967295.

interface_name

(Optional) Clears BFD counters for the specified interface.

ipv4 ip_address

(Optional) Clears BFD counters for the specified neighbor IP address.

ipv6 ip_address

(Optional) Clears BFD counters for the specified neighbor IPv6 address.

Command Default

This command clears all BFD counters.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(2)

This command was added.

Examples

The following example clears all BFD counters.


ciscoasa# clear bfd counters

clear bgp

To reset Border Gateway Protocol (BGP) connections using hard or soft reconfiguration, use the clear bgp command in privileged EXEC mode.

clear bgp { [ * | external ] [ ipv4 unicast [ as_number | neighbor_address | table-map ] | ipv6 unicast [ as_number | neighbor_address ] ] [ soft ] [ in | out ] | as_number [ soft ] [ in | out ] | neighbor_address [ soft ] [ in | out ] | table-map }

Syntax Description

*

Specifies that all current BGP sessions will be reset.

as_number

(Optional) Number of the autonomous system in which all BGP peer sessions will be reset.

external

Specifies that all external BGP sessions will be reset.

in

(Optional) Initiates inbound reconfiguration. If neither the in nor out keywords are specified, both inbound and outbound sessions are reset.

ipv4 unicast

Resets BGP connections using hard or soft reconfiguration for IPv4 address family sessions.

ipv6 unicast

Resets BGP connections using hard or soft reconfiguration for IPv6 address family sessions.

neighbor_address

(Optional) Specifies that only the identified BGP neighbor will be reset. The value for this argument can be an IPv4 or IPv6 address.

out

(Optional) Initiates inbound or outbound reconfiguration. If neither the in nor out keywords are specified, both inbound and outbound sessions are reset.

soft

(Optional) Clears slow-peer status forcefully, and moves it to original update group.

table-map

Clears table-map configuration information in BGP routing tables. This command can be used to clear traffic-index information configured with the BGP Policy Accounting feature.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was introduced.

Usage Guidelines

The clear bgp command can be used to initiate a hard reset or soft reconfiguration. A hard reset tears down and rebuilds the specified peering sessions and rebuilds the BGP routing tables. A soft reconfiguration uses stored prefix information to reconfigure and activate BGP routing tables without tearing down existing peering sessions. Soft reconfiguration uses stored update information, at the cost of additional memory for storing the updates, to allow you to apply a new BGP policy without disrupting the network. Soft reconfiguration can be configured for inbound or outbound sessions.

Only the clear bgp * command is available in the system execution space in multiple context mode.

Examples

In the following example, all the BGP sessions in all contexts are reset when the clear bgp command is given in the system execution space. A warning is issued to confirm the action as this command will reset all the BGP sessions:


ciscoasa# clear bgp *
This command will reset BGP in ALL contexts.
Are you sure you want to continue? [no]:

In the following example, all the BGP sessions are reset in single mode or in a multiple context mode context:


ciscoasa# clear bgp *

In the following example, a soft reconfiguration is initiated for the inbound session with the neighbor 10.100.0.1, and the outbound session is unaffected:


ciscoasa# clear bgp 10.100.0.1 soft in

In the following example, the route refresh capability is enabled on the BGP neighbor routers, a soft reconfiguration is initiated for the inbound session with the neighbor 172.16.10.2, and the outbound session is unaffected:


ciscoasa# clear bgp 172.16.10.2 in

In the following example, a hard reset is initiated for sessions with all routers in the autonomous system numbered 35700:


ciscoasa# clear bgp 35700

In the following example, a soft reconfiguration is configured for all inbound eBGP peering sessions:


ciscoasa# clear bgp external soft in

In the following example, all outbound address family IPv4 multicast eBGP peering sessions are cleared:


ciscoasa# clear bgp external ipv4 multicast out

In the following example, a soft reconfiguration is initiated for the inbound sessions for BGP neighbors in IPv4 unicast address family sessions in autonomous system 65400, and the outbound session is unaffected:


ciscoasa# clear bgp ipv4 unicast 65400 soft in

In the following example, a hard reset is initiated for BGP neighbors in IPv4 unicast address family sessions in the 4-byte autonomous system numbered 65538 in asplain notation:


ciscoasa# clear bgp ipv4 unicast 65538

In the following example, a hard reset is initiated for BGP neighbors in IPv4 unicast address family sessions in the 4-byte autonomous system numbered 1.2 in asdot notation:


ciscoasa# clear bgp ipv4 unicast 1.2

The following example clears the table map for IPv4 unicast peering sessions:


ciscoasa# clear bgp ipv4 unicast table-map

clear blocks

To reset the packet buffer counters such as the exhaustion condition and history information, use the clear blocks command in privileged EXEC mode.

clear blocks [ exhaustion { history | snapshot } | export-failed | queue [ history [ core-local [ number ] ] ] ]

Syntax Description

core-local [ number ]

(Optional) Clears system buffers queued by application for all cores, or if you specify the core number, a specific core.

exhaustion

(Optional) Clears the exhaustion condition.

export-failed

(Optional) Clears the export failed counters.

history

(Optional) Clears the history.

queue

(Optional) Clears queued blocks.

snapshot

(Optional) Clears the snapshot information.

Command Default

No default behavior or values.

Command History

Release

Modification

7.0(1)

This command was added.

9.1(5)

The history and snapshot options were added.

Usage Guidelines

Resets the low watermark counters to the current available blocks in each pool. Additionally, this command clears the history information stored during the last buffer allocation failure.

Examples

The following example clears the blocks:


ciscoasa# clear blocks

clear-button

To customize the Clear button of the WebVPN page login field that is displayed to WebVPN users when they connect to the ASA, use the clear-button command in customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.

clear-button { text | style } value

no clear-button [{ text | style }] value

Syntax Description

style

Specifies you are changing the style.

text

Specifies you are changing the text.

value

The actual text to display or Cascading Style Sheet (CSS) parameters, each with a maximum of 256 characters allowed.

Command Default

The default text is “Clear”.

The default style is border:1px solid black;background-color:white;font-weight:bold;font-size:80%.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Customization configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

  • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

  • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note


To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

Examples

The following example changes the default background color of the Clear button from black to blue:


ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# clear-button style background-color:blue

clear capture

To clear the capture buffer, use the clear capture command in privileged EXEC configuration mode.

clear capture { /all | capture_name }

Syntax Description

/all

Clears packets on all interfaces.

capture_name

Specifies the name of the packet capture.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The shortened form of the clear capture command (for example, cl cap or clear cap) is not supported, to prevent accidental destruction of all the packet captures.

Examples

This example shows how to clear the capture buffer for the capture buffer “example”:


ciscoasa(config)# clear capture example

clear clns cache

To clear and reinitialize the Connectionless Network Service (CLNS) routing cache, use the clear clns cache EXEC command.

clear clns cache

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


EXEC

Usage Guidelines

To clear routing cache information, use the clear clns cache command.

Examples

The following example clears CLNS routing cache:


ciscoasa# clear clns cache

clear clns is-neighbors

To remove IS neighbor information from the adjacency database, use the clear clns is-neighbors EXEC command.

clear clns is-neighbors

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


EXEC

Usage Guidelines

To clear IS neighbor information from the adjacency database, use the clear clns is-neighbors command.

Examples

The following example clears CLNS IS neighbor information:


ciscoasa# clear clns is-neighbors

clear clns neighbors

To remove CLNS neighbor information from the adjacency database, use the clear clns neighbors EXEC command.

clear clns neighbors

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


EXEC

Usage Guidelines

To clear neighbor information from the adjacency database, use the clear clns neighbors command.

Examples

The following example removes the CLNS neighbor information from the adjacency database:


ciscoasa# clear clns neighbors

clear clns route

To remove all of the dynamically derived CLNS routing information, use the clear clns route EXEC command.

clear clns route

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


EXEC

Usage Guidelines

To clear routing information, use the clear clns route command.

Examples

The following example removes all of the dynamically derived CLNS routing information:


ciscoasa# clear clns route

clear cluster info

To clear cluster statistics, use the clear cluster info command in privileged EXEC mode.

clear cluster info { flow-mobility counters | health details | trace | transport }

Syntax Description

flow-mobility counters

Clears the cluster flow-mobility counters.

health details

Clears cluster health information.

trace

Clears cluster event trace information.

transport

Clears cluster transport statistics.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.5(2)

We introduced the flow-mobility counters keywords.

9.0(1)

This command was added.

Usage Guidelines

To view cluster statistics, use the show cluster info command.

Examples

The following example clears cluster event trace information:


ciscoasa# clear cluster info trace

clear compression

To clear compression statistics for all SVC and WebVPN connections, use the clear compression command in privileged EXEC mode.

clear compression { all | anyconnect-ssl | http-comp }

Syntax Description

all

Clears all compressions statistics.

http-comp

Clears HTTP-COMP statistics.

anyconnect-ssl

Clears anyconnect-ssl compression statistics.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

8.4(1)

anyconnect-ssl replaced svc.

9.5(2)

Support for multiple context mode was added.

9.0(1)

Support for multiple context mode was added.

Examples

The following example clears the compression configuration for the user:


hostname# clear configure compression

clear configuration session

To delete a configuration session, use the clear configuration session command in global configuration mode.

clear configuration session [ session_name ]

Syntax Description

session_name

The name of an existing configuration session. Use the show configuration session command for a list of current sessions. If you omit this parameter, all existing sessions are deleted.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.3(2)

This command was added.

Usage Guidelines

Use this command in conjunction with the configure session command, which creates isolated sessions for editing ACLs and their objects. If you decide you no longer need a session you created, and you do not want to commit the changes defined in the session, use this command to remove the session and the changes it contains.

If you want to simply clear the changes made within a session without deleting the session, use the clear session command instead of this one.

Examples

The following example deletes the session named old-session:


ciscoasa(config)# clear configuration session old-session

clear configure

To clear the running configuration, use the clear configure command in global configuration mode.

clear configure { primary | secondary | all | command }

Syntax Description

all

Clears the entire running configuration.

command

Clears the configuration for a specified command. For available commands, use the clear configure ? command for CLI help.

primary

For a failover pair, clears the primary unit configuration.

secondary

For a failover pair, clears the secondary unit configuration.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

When you enter this command in a security context, you clear only the context configuration. If you enter this command in the system execution space, you clear the system running configuration as well as all context running configurations. Because you cleared all context entries in the system configuration (see the context command), the contexts are no longer running, and you cannot change to a context execution space.

Before clearing the configuration, make sure you save any changes to the boot config command (which specifies the startup configuration location) to the startup configuration; if you changed the startup configuration location only in the running configuration, then when you restart, the configuration loads from the default location.


Note


When you enter the clear configure all command, the master pass phrase used in password encryption is not removed. For more information about the master pass phrase, see the config key password-encryption command.

Examples

The following example clears the entire running configuration:


ciscoasa(config)# clear configure all

The following example clears the AAA configuration:


ciscoasa(config)# clear configure aaa

clear conn

To clear a specific connection or multiple connections, use the clear conn command in privileged EXEC mode.

clear conn [ all ] [ protocol { tcp | udp | sctp } ] [ address src_ip [ - src_ip ] [ netmask mask ] ] [ port src_port [ - src_port ] ] [ address dest_ip [ - dest_ip ] [ netmask mask ] ] [ port dest_port [ - dest_port ] ] [ user [ domain_nickname\ ] user_name | user-group [ domain_nickname\\ ] user_group_name | zone [ zone_name ] ] [ data-rate ]

Syntax Description

address

(Optional) Clears connections with the specified source or destination IP address.

all

(Optional) Clears all connections, including to-the-box connections. Without the all keyword, only through-the-box connections are cleared.

dest_ip

(Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:


10.1.1.1-10.1.1.5

dest_port

(Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-). For example:


1000-2000

netmask mask

(Optional) Specifies a subnet mask for use with the given IP address.

port

(Optional) Clears connections with the specified source or destination port.

protocol {tcp | udp | sctp}

(Optional) Clears connections with the specified protocol.

src_ip

(Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:


10.1.1.1-10.1.1.5

src_port

(Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-). For example:


1000-2000

user [ domain_nickname \ ] user_name

(Optional) Clears connections that belong to the specified user. When you do not include the domain_nickname argument, the ASA clears connections for the user in the default domain.

user-group [ domain_nickname \\ ] user_group_name

(Optional) Clears connections that belong to the specified user group. When you do not include the domain_nickname argument, the ASA clears connections for the user group in the default domain.

zone [zone_name ]

Clears connections that belong to a traffic zone.

data-rate

(Optional) Clears the current maximum data-rate stored.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(8)/7.2(4)/8.0(4)

This command was added.

8.4(2)

Added the user and user-group keywords to support the Identity Firewall.

9.3(2)

The zone keyword was added.

9.5(2)

The protocol sctp keyword was added.

9.14(1)

The data-rate keyword was added.

Usage Guidelines

This command supports IPv4 and IPv6 addresses.

When you make security policy changes to the configuration, all new connections use the new security policy. Existing connections continue to use the policy that was configured at the time of the connection establishment. To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy using the clear conn command. You can alternatively use the clear local-host command to clear connections per host, or the clear xlate command for connections that use dynamic NAT.

When the ASA creates a pinhole to allow secondary connections, this is shown as an incomplete connection in the show conn command output. To clear this incomplete connection, use the clear conn command.

Examples

The following example shows how to view all connections and then clear the management connection between 10.10.10.108:4168 and 10.0.8.112:22:


ciscoasa# show conn all
TCP mgmt 10.10.10.108:4168 NP Identity Ifc 10.0.8.112:22, idle 0:00:00, bytes 3084, flags UOB
ciscoasa# clear conn address 10.10.10.108 port 4168 address 10.0.8.112 port 22
         

The following example shows how to clear the maximum connection data rate stored in the extension memory:


ciscoasa# clear conn data-rate
Released conn extension memory for 10 connection(s)
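
When a policy change affects only one subnet, the connections to clear can be chosen from show conn all output instead of clearing every connection. The following Python script is an added example, not Cisco code: it emits one clear conn command per matching connection, in the form used in the first example above. The function names, the keep parameter and every sample line except the one taken from this page are assumptions constructed for illustration.

```python
import ipaddress
import re

# Layout of one `show conn all` line, taken from the page's example:
#   TCP mgmt 10.10.10.108:4168 NP Identity Ifc 10.0.8.112:22, idle 0:00:00, ...
# Interface names can contain spaces ("NP Identity Ifc"), so each endpoint is
# located by its address:port token rather than by splitting on whitespace.
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+"
    r".+?\s+(?P<ip1>\S+):(?P<port1>\d+)\s+"
    r".+?\s+(?P<ip2>\S+):(?P<port2>\d+),\s+idle\s"
)

# Constructed sample input. Only the "TCP mgmt ..." line comes from the page;
# the other lines are made up for this example.
SAMPLE_SHOW_CONN = """\
4 in use, 12 most used
TCP mgmt 10.10.10.108:4168 NP Identity Ifc 10.0.8.112:22, idle 0:00:00, bytes 3084, flags UOB
TCP outside 198.51.100.7:443 inside 10.1.1.3:51512, idle 0:00:04, bytes 9120, flags UIO
UDP outside 198.51.100.53:53 inside 10.1.1.9:40000, idle 0:00:01, bytes 120, flags -
TCP outside 203.0.113.20:80 inside 10.2.0.14:50211, idle 0:01:10, bytes 77, flags UIO
"""


def parse_conn_line(line):
    """Return (proto, (ip, port), (ip, port)), or None if the line is not a
    well-formed connection entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    try:
        # Validate every field so that nothing unexpected from the captured
        # output ends up inside a generated command.
        a = (ipaddress.ip_address(m["ip1"]), int(m["port1"]))
        b = (ipaddress.ip_address(m["ip2"]), int(m["port2"]))
    except ValueError:
        return None
    if not all(0 <= port <= 65535 for port in (a[1], b[1])):
        return None
    return m["proto"], a, b


def clear_conn_commands(show_conn_output, affected_net, keep=()):
    """Build `clear conn` commands for connections with an endpoint inside
    affected_net. `keep` lists (ip, port) endpoints that must never be
    cleared, for example the operator's own SSH session to the ASA."""
    net = ipaddress.ip_network(affected_net)
    protected = {(ipaddress.ip_address(ip), port) for ip, port in keep}
    commands = []
    for line in show_conn_output.splitlines():
        parsed = parse_conn_line(line)
        if parsed is None:
            continue  # summary line, blank line or malformed entry
        _proto, a, b = parsed
        if a in protected or b in protected:
            continue
        if a[0] in net or b[0] in net:
            commands.append(
                f"clear conn address {a[0]} port {a[1]} "
                f"address {b[0]} port {b[1]}"
            )
    return commands


if __name__ == "__main__":
    for cmd in clear_conn_commands(SAMPLE_SHOW_CONN, "10.1.1.0/24"):
        print(cmd)
```

Review the generated commands before entering them, and list your own management session in keep so that it is never proposed for clearing.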

clear console-output

To remove the currently captured console output, use the clear console-output command in privileged EXEC mode.

clear console-output

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example shows how to remove the currently captured console output:


ciscoasa# clear console-output

clear coredump

To clear the coredump log, use the clear coredump command in global configuration mode.

clear coredump

Syntax Description

This command has no arguments or keywords.

Command Default

By default, coredumps are not enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes


Note


For ASAs that are operating on 4100/9300 platforms, use the bootstrap CLI mode for working with coredumps.

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

This command removes the coredump file system contents and the coredump log. The coredump file system remains intact. The current coredump configuration remains unchanged.

Examples

The following example removes the coredump file system contents and the coredump log:


ciscoasa(config)# clear coredump 
Proceed with removing the contents of the coredump filesystem on 'disk0:' [confirm]

clear counters

To clear the protocol stack counters, use the clear counters command in global configuration mode.

clear counters [ all | context context-name | summary | top n ] [ detail ] [ protocol protocol_name | counter_name ] ] [ threshold n ]

Syntax Description

all

(Optional) Clears all filter details.

context context-name

(Optional) Specifies the context name.

counter_name

(Optional) Specifies a counter by name. Use the show counters protocol command to see which counters are available.

detail

(Optional) Clears detailed counters information.

protocol protocol_name

(Optional) Clears the counters for the specified protocol.

summary

(Optional) Clears the counter summary.

threshold n

(Optional) Clears the counters at or above the specified threshold. The range is 1 through 4294967295.

top n

(Optional) Clears the counters at or above the specified threshold. The range is 1 through 4294967295.

Command Default

The clear counters summary detail command is the default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example shows how to clear the protocol stack counters:


ciscoasa(config)# clear counters

clear cpu profile

To clear the CPU profiling statistics, use the clear cpu profile command in privileged EXEC mode.

clear cpu profile

Syntax Description

This command has no arguments or keywords.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example shows how to clear the CPU profiling statistics:


ciscoasa# clear cpu profile

clear crashinfo

To delete all the crash information files stored in flash memory, use the clear crashinfo command in privileged EXEC mode.

clear crashinfo [ module { 0 | 1 } ]

Syntax Description

module {0 | 1 }

(Optional) Clears the crash file for a module in slot 0 or 1.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.7(1)

The output was updated to delete all the crashinfo files that are written to flash memory.

Examples

The following example shows how to delete the crash file:


ciscoasa# clear crashinfo

clear crypto accelerator statistics

To clear the global and accelerator-specific statistics from the crypto accelerator MIB, use the clear crypto accelerator statistics command in privileged EXEC mode.

clear crypto accelerator statistics

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the mode in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Examples

The following example, entered in global configuration mode, clears the crypto accelerator statistics:


ciscoasa(config)# clear crypto accelerator statistics
ciscoasa(config)# 

clear crypto ca crls

To remove from the CRL cache all CRLs associated with a specified trustpoint, all CRLs associated with the trustpool, or all cached CRLs, use the clear crypto ca crls command in privileged EXEC mode.

clear crypto ca crls [ trustpool | trustpoint trust_point_name ]

Syntax Description

trustpoint trust_point_name

The name of a trustpoint. If you do not specify a name, this command clears all CRLs cached on the system. If you give the trustpoint keyword without a trust_point_name, the command fails.

trustpool

Indicates that the action should be applied only to the CRLs that are associated with certificates in the trustpool.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Examples

The following independent examples, issued in privileged EXEC mode, clear all of the trustpool CRLs, clear all of the CRLs associated with trustpoint123, and remove all of the cached CRLs from the ASA:


ciscoasa# clear crypto ca crl trustpool
ciscoasa# clear crypto ca crl trustpoint trustpoint123
ciscoasa# clear crypto ca crl
         

clear crypto ca trustpool

To remove all certificates from the trustpool, use the clear crypto ca trustpool command in privileged EXEC mode.

clear crypto ca trustpool [ noconfirm ]

Syntax Description

noconfirm

(Optional) Suppresses user confirmation prompts, and the command will be processed as requested.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

The user is asked to confirm this action before carrying it out.

Examples

The following example clears all certificates:


ciscoasa# clear crypto ca trustpool
You are about to clear the trusted certificate pool. Do you want to continue? (y/n) y
ciscoasa#

clear crypto ikev1

To remove the IPsec IKEv1 SAs or statistics, use the clear crypto ikev1 command in privileged EXEC mode. To clear all IKEv1 SAs, use this command without arguments.

clear crypto ikev1 { sa ip_address | stats }

Syntax Description

sa ip_address

Clears the SA.

stats

Clears the IKEv1 statistics.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

To clear all IPsec IKEv1 SAs, use this command without arguments.

Examples

The following example removes all of the IPsec IKEv1 statistics from the ASA:


ciscoasa# clear crypto ikev1 stats
ciscoasa# 

The following example deletes SAs with a peer IP address of 10.86.1.1:


ciscoasa# clear crypto ikev1 sa peer 10.86.1.1

ciscoasa#

clear crypto ikev2

To remove the IPsec IKEv2 SAs or statistics, use the clear crypto ikev2 command in privileged EXEC mode. To clear all IKEv2 SAs, use this command without arguments.

clear crypto ikev2 { sa ip_address | stats }

Syntax Description

sa ip_address

Clears the SA.

stats

Clears the IKEv2 statistics.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

To clear all IPsec IKEv2 SAs, use this command without arguments.

Examples

The following example removes all of the IPsec IKEv2 statistics from the ASA:


ciscoasa# clear crypto ikev2 stats
ciscoasa# 

The following example deletes SAs with a peer IP address of 10.86.1.1:


ciscoasa# clear crypto ikev2 sa peer 10.86.1.1

ciscoasa#

clear crypto ipsec sa

To remove the IPsec SA counters, entries, crypto maps or peer connections, use the clear crypto ipsec sa command in privileged EXEC mode. To clear all IPsec SAs, use this command without arguments.

clear crypto ipsec sa [ counters | entry ip_address { esp | ah } spi | map map name | peer ip_address ]

Syntax Description

ah

Authentication header.

counters

Clears all IPsec per SA statistics.

entry ip_address

Deletes the tunnel that matches the specified IP address/hostname, protocol, and SPI value.

esp

Encryption security protocol.

map map name

Deletes all tunnels associated with the specified crypto map as identified by map name.

peer ip_address

Deletes all IPsec SAs to a peer as identified by the specified hostname or IP address.

spi

Identifies the Security Parameters Index (a hexadecimal number). This must be the inbound SPI. We do not support this command for the outbound SPI.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

To clear all IPsec SAs, use this command without arguments.

Examples

The following example removes all of the IPsec SAs from the ASA:


ciscoasa# clear crypto ipsec sa
ciscoasa# 

The following example deletes SAs with a peer IP address of 10.86.1.1:


ciscoasa# clear crypto ipsec sa peer 10.86.1.1
ciscoasa#

clear crypto ipsec stats

To remove the global IPsec statistics and reset the statistics, use the clear crypto ipsec stats command in privileged EXEC mode.

clear crypto ipsec stats

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.16(1)

This command was added.

Usage Guidelines

To clear all the global IPsec statistics, use this command without arguments.

Examples

The following example removes and resets the IPsec statistics in the ASA:


ciscoasa# clear crypto ipsec stats
ciscoasa# 

clear crypto isakmp

To clear ISAKMP SAs or statistics, use the clear crypto isakmp command in privileged EXEC mode.

clear crypto isakmp [ sa | stats ]

Syntax Description

sa

Clears IKEv1 and IKEv2 SAs.

stats

Clears IKEv1 and IKEv2 statistics.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

To clear all ISAKMP operational data, use this command without arguments.

Examples

The following example removes all of the ISAKMP SAs:


ciscoasa# clear crypto isakmp sa
ciscoasa# 

clear crypto protocol statistics

To clear the protocol-specific statistics in the crypto accelerator MIB, use the clear crypto protocol statistics command in privileged EXEC mode.

clear crypto protocol statistics protocol

Syntax Description

protocol

Specifies the name of the protocol for which you want to clear statistics. Protocol choices are as follows:

  • all —All protocols currently supported.

  • ikev1 —Internet Key Exchange (IKE) version 1.

  • ikev2 —Internet Key Exchange (IKE) version 2.

  • ipsec-client —IP Security (IPsec) Phase-2 protocols.

  • other —Reserved for new protocols.

  • srtp —Secure RTP (SRTP) protocol.

  • ssh —Secure Shell (SSH) protocol.

  • ssl-client —Secure Socket Layer (SSL) protocol.

Command Default

No default behavior or values.

Command Modes


The following table shows the mode in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

8.4(1)

The ikev1 and ikev2 keywords were added.

9.0(1)

Support for multiple context mode was added.

Examples

The following example clears all crypto accelerator statistics:


ciscoasa# clear crypto protocol statistics all
ciscoasa# 

clear crypto ssl

To clear SSL information, use the clear crypto ssl command in privileged EXEC mode.

clear crypto ssl { cache [ all ] | errors | mib | objects }

Syntax Description

cache

Clears expired sessions in the SSL session cache.

all

(Optional) Clears all sessions and statistics in the SSL session cache.

errors

Clears SSL errors.

mib

Clears SSL MIB statistics.

objects

Clears SSL object statistics.

Command Default

No default behavior or values.

Command Modes


The following table shows the mode in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Examples

The following example clears all SSL cache sessions and statistics:


ciscoasa# clear crypto ssl cache all
ciscoasa# 

clear cts

To clear data used by the ASA when integrated with Cisco TrustSec, use the clear cts command in global configuration mode.

clear cts { environment-data | pac } [ noconfirm ]

Syntax Description

noconfirm

Clears the data without asking for confirmation.

environment-data

Clears all CTS environment data downloaded from Cisco ISE.

pac

Clears the CTS PAC information stored in NVRAM.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

If you clear the environment data, you can trigger the next environment data refresh manually or the system will refresh the data when the refresh timer expires. Clearing environment data does not remove the Cisco TrustSec PAC from the system, but it does impact traffic policy.

Before clearing the stored PAC, please understand that without a PAC, the system cannot download Cisco TrustSec environment data. However, environment data that is already on the system remains in use. Running the clear cts pac command renders the system unable to retrieve environment data updates.

In a cluster, you can use this command on the master unit only. In active/standby high-availability (failover), you can use it on the active unit only.

Examples

The following examples show how to clear CTS data from the system.


ciscoasa# clear cts pac
Are you sure you want to delete the cts PAC? (y/n) y
 
ciscoasa# clear cts environment-data
Are you sure you want to delete the cts environment data? (y/n) y

clear dhcpd

To clear the DHCP server bindings and statistics, use the clear dhcpd command in privileged EXEC mode.

clear dhcpd { binding [ all | ip_address ] | statistics }

Syntax Description

all

(Optional) Clears all dhcpd bindings.

binding

Clears all the client address bindings.

ip_address

(Optional) Clears the binding for the specified IP address.

statistics

Clears statistical information counters.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

If you include the optional IP address in the clear dhcpd binding command, only the binding for that IP address is cleared.

To clear all of the DHCP server commands, use the clear configure dhcpd command.

Examples

The following example shows how to clear the dhcpd statistics:


ciscoasa# clear dhcpd statistics

clear dhcprelay statistics

To clear the DHCP relay statistic counters, use the clear dhcprelay statistics command in privileged EXEC mode.

clear dhcprelay statistics

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The clear dhcprelay statistics command only clears the DHCP relay statistic counters. To clear the entire DHCP relay configuration, use the clear configure dhcprelay command.

Examples

The following example shows how to clear the DHCP relay statistics:


ciscoasa# clear dhcprelay statistics
ciscoasa# 

clear dns

To clear IP addresses associated with fully qualified domain name (FQDN) hosts, use the clear dns command in privileged EXEC mode.

clear dns [ host fqdn_name | ip-cache [ counters ] ]

Syntax Description

host fqdn_name

(Optional) Specifies the fully qualified domain name of the host whose addresses should be cleared.

ip-cache [ counters ]

Clears the IP cache that is used to hold domain name resolutions for network-service objects. Once removed, domains in network-service objects will not be matched until client DNS resolution requests are resolved and snooped to rebuild the cache.

Include the counters keyword to simply reset the hit counts for the domains and leave the IP cache in place.

Command Default

Without parameters, all DNS resolutions are cleared for hosts used in access control rules. For domain names used in network-service objects, the counters are cleared, but the IP cache is not removed.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(2)

This command was added.

9.17(1)

The ip-cache keyword was added.

Examples

The following example clears the IP address associated with the specified FQDN host used in an FQDN network object:


ciscoasa# clear dns host www.example.com
         

Note


The setting of the dns expire-entry keyword is ignored when resolutions are cleared. New DNS queries are sent for each activated FQDN host specified in an FQDN network object.


The following example clears hit counts for domains used in network-service objects.


ciscoasa# clear dns ip-cache counters 

clear dns-hosts cache

To clear the DNS cache, use the clear dns-hosts cache command in privileged EXEC mode.

clear dns-hosts cache

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

This command does not clear static entries that you added with the name command.

Examples

The following example clears the DNS cache:


ciscoasa# clear dns-hosts cache

clear dynamic-filter dns-snoop

To clear Botnet Traffic Filter DNS snooping data, use the clear dynamic-filter dns-snoop command in privileged EXEC mode.

clear dynamic-filter dns-snoop

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Examples

The following example clears all Botnet Traffic Filter DNS snooping data:


ciscoasa# clear dynamic-filter dns-snoop