I have a Cisco 1811 running IOS 15.1(4)M4 It has both static (crypto map vpn) entries and temporary entries created by L2TP/IPsec users calling in from Windows XP. When I use "show crypto ipsec sa" I see the static entries, the dynamic entries active at that time, but also after the router has been up for some time I see more and more entries that are no longer in use but still are in that output. The "show crypto ipsec sa" output already is formatted in an unclear way (should have been an overview table and an additional command to request detail of a specific entry), but this accumulating garbage does not make it easier to find an entry I am looking for. The virtual interfaces of the leftover entries are long gone, but apparently this does not always clear the ipsec association entries. (it does not accumulate all entries, maybe only those that terminate with some specific failure condition) Is there a way to cleanup the table without a reload, or to fix this problem altogether?