SunScreen 3.2 Administrator's Overview

ssadm lib/statetables -f

ssadm lib/statetables -f causes the Screen to flush (discard) all of its connection state information. This causes all previously active connections through the Screen to be effectively disconnected.

The -f option is often useful after activating a modified policy that disallows some traffic that was previously allowed. If you do not run statetables -f, any previously existing connections remain active even if the new policy does not allow them. Running statetables -f causes all previously existing state sessions to be disconnected; the active policy then applies to any subsequent connections.
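
The following is an added illustration, not SunScreen code or part of the original manual: a toy model of a stateful filter showing why a connection set up under the old policy keeps passing after a stricter policy is activated, until the state table is flushed. The class name, method names, port-based policy and addresses are all hypothetical and constructed for the example.

```python
# Toy model (constructed for illustration; not SunScreen code) of a stateful
# packet filter: the policy is consulted only when a connection is first seen.

class Screen:
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)  # active policy (simplified)
        self.state = set()                       # connection state table

    def activate(self, allowed_ports):
        """Activate a new policy; existing state entries are left untouched."""
        self.allowed_ports = set(allowed_ports)

    def flush_states(self):
        """Models 'ssadm lib/statetables -f': discard every state entry."""
        dropped = len(self.state)
        self.state.clear()
        return dropped

    def packet(self, src, dst, dport):
        """Return True if the packet is passed, False if it is dropped."""
        conn = (src, dst, dport)
        if conn in self.state:            # established: policy is not re-checked
            return True
        if dport in self.allowed_ports:   # new connection: check active policy
            self.state.add(conn)
            return True
        return False


def demo():
    screen = Screen(allowed_ports={22, 23})
    telnet = ("192.0.2.10", "198.51.100.5", 23)    # constructed sample flow
    results = {"before": screen.packet(*telnet)}   # allowed, state created
    screen.activate(allowed_ports={22})            # new policy disallows port 23
    results["after_activate"] = screen.packet(*telnet)  # still passes via state
    results["flushed"] = screen.flush_states()          # state table emptied
    results["after_flush"] = screen.packet(*telnet)     # now judged by new policy
    return results


if __name__ == "__main__":
    print(demo())
```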

The -fs or -f -s option sets all IKE security associations (SAs) that are in the kernel SADB to "expired" by setting their lifetime to the current time. The expired SAs can be renegotiated if they are needed. This option does not apply to IPsec manual SAs. Manually keyed SAs never expire.