diff --git a/res/values/strings.xml b/res/values/strings.xml
index 4dcca6224ce..877da582145 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -5357,6 +5357,8 @@
 
     <!-- Toast message when there is no network connection to start VPN. [CHAR LIMIT=100] -->
     <string name="vpn_no_network">There is no network connection. Please try again later.</string>
+    <!-- Toast message when VPN has disconnected automatically due to Clear credentials. [CHAR LIMIT=NONE] -->
+    <string name="vpn_disconnected">Disconnected from VPN</string>
     <!-- Toast message when a certificate is missing. [CHAR LIMIT=100] -->
     <string name="vpn_missing_cert">A certificate is missing. Please edit the profile.</string>
 
diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java
index eed380bae4f..df3d3e9becd 100644
--- a/src/com/android/settings/CredentialStorage.java
+++ b/src/com/android/settings/CredentialStorage.java
@@ -47,6 +47,7 @@ import android.widget.Toast;
 import com.android.internal.widget.LockPatternUtils;
 import com.android.org.bouncycastle.asn1.ASN1InputStream;
 import com.android.org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import com.android.settings.vpn2.VpnUtils;
 
 import sun.security.util.ObjectIdentifier;
 import sun.security.x509.AlgorithmId;
@@ -361,6 +362,7 @@ public final class CredentialStorage extends Activity {
             if (success) {
                 Toast.makeText(CredentialStorage.this,
                                R.string.credentials_erased, Toast.LENGTH_SHORT).show();
+                clearLegacyVpnIfEstablished();
             } else {
                 Toast.makeText(CredentialStorage.this,
                                R.string.credentials_not_erased, Toast.LENGTH_SHORT).show();
@@ -369,6 +371,14 @@ public final class CredentialStorage extends Activity {
         }
     }
 
+    private void clearLegacyVpnIfEstablished() {
+        boolean isDone = VpnUtils.disconnectLegacyVpn(getApplicationContext());
+        if (isDone) {
+            Toast.makeText(CredentialStorage.this, R.string.vpn_disconnected,
+                    Toast.LENGTH_SHORT).show();
+        }
+    }
+
     /**
      * Prompt for key guard configuration confirmation.
      */
diff --git a/src/com/android/settings/vpn2/ConfigDialogFragment.java b/src/com/android/settings/vpn2/ConfigDialogFragment.java
index 788b9a97262..af435f003dc 100644
--- a/src/com/android/settings/vpn2/ConfigDialogFragment.java
+++ b/src/com/android/settings/vpn2/ConfigDialogFragment.java
@@ -176,9 +176,7 @@ public class ConfigDialogFragment extends DialogFragment implements
         try {
             LegacyVpnInfo connected = mService.getLegacyVpnInfo(UserHandle.myUserId());
             if (connected != null && profile.key.equals(connected.key)) {
-                VpnUtils.clearLockdownVpn(getContext());
-                mService.prepareVpn(VpnConfig.LEGACY_VPN, VpnConfig.LEGACY_VPN,
-                        UserHandle.myUserId());
+                VpnUtils.disconnectLegacyVpn(getContext());
             }
         } catch (RemoteException e) {
             Log.e(TAG, "Failed to disconnect", e);
diff --git a/src/com/android/settings/vpn2/VpnUtils.java b/src/com/android/settings/vpn2/VpnUtils.java
index 6afa79b73bd..0e9a87e9df8 100644
--- a/src/com/android/settings/vpn2/VpnUtils.java
+++ b/src/com/android/settings/vpn2/VpnUtils.java
@@ -17,8 +17,15 @@ package com.android.settings.vpn2;
 
 import android.content.Context;
 import android.net.ConnectivityManager;
+import android.net.IConnectivityManager;
+import android.os.RemoteException;
+import android.os.ServiceManager;
 import android.security.Credentials;
 import android.security.KeyStore;
+import android.util.Log;
+
+import com.android.internal.net.LegacyVpnInfo;
+import com.android.internal.net.VpnConfig;
 
 /**
  * Utility functions for vpn.
@@ -27,6 +34,8 @@ import android.security.KeyStore;
  */
 public class VpnUtils {
 
+    private static final String TAG = "VpnUtils";
+
     public static String getLockdownVpn() {
         final byte[] value = KeyStore.getInstance().get(Credentials.LOCKDOWN_VPN);
         return value == null ? null : new String(value);
@@ -48,4 +57,21 @@ public class VpnUtils {
     public static boolean isVpnLockdown(String key) {
         return key.equals(getLockdownVpn());
     }
+
+    public static boolean disconnectLegacyVpn(Context context) {
+        try {
+            int userId = context.getUserId();
+            IConnectivityManager connectivityService = IConnectivityManager.Stub
+                    .asInterface(ServiceManager.getService(Context.CONNECTIVITY_SERVICE));
+            LegacyVpnInfo currentLegacyVpn = connectivityService.getLegacyVpnInfo(userId);
+            if (currentLegacyVpn != null) {
+                clearLockdownVpn(context);
+                connectivityService.prepareVpn(null, VpnConfig.LEGACY_VPN, userId);
+                return true;
+            }
+        } catch (RemoteException e) {
+            Log.e(TAG, "Legacy VPN could not be disconnected", e);
+        }
+        return false;
+    }
 }