This quick runbook summarizes the most common operational commands used to validate and reset Cisco site-to-site VPN tunnels on ASA firewalls and IOS-XE routers such as the ASR1001-HX. The goal is simple: verify tunnel state, isolate Phase 1 versus Phase 2 issues, and reset only the affected peer with minimal impact.
Phase 1 = IKE (ISAKMP/IKEv2) negotiation
Phase 2 = IPsec Security Associations
ASA (Adaptive Security Appliance)
On the ASA, the show and clear commands below do not take a VRF argument.
Check Status
Phase 1 (IKEv2)
show crypto ikev2 sa
show crypto ikev2 sa detail
Phase 2 (IPsec)
show crypto ipsec sa
Combined / Session Summary (ASA specific)
show vpn-sessiondb l2l
show vpn-sessiondb detail l2l
Reset / Clear
Phase 1 only (IKEv2)
clear crypto ikev2 sa 198.51.100.10
# All IKEv2 SAs (use with caution)
clear crypto ikev2 sa
Phase 2 only (IPsec)
clear crypto ipsec sa peer 198.51.100.10
# All IPsec SAs (use with caution)
clear crypto ipsec sa
Quick ASA Example
# Check both phases quickly
show crypto ikev2 sa
show crypto ipsec sa
# Bounce just this peer's Phase 2
clear crypto ipsec sa peer 198.51.100.10
Pinpoint the Right Peer / Tunnel
show crypto ikev2 sa detail | include 198.51.100.10
show crypto ipsec sa | include 198.51.100.10
show vpn-sessiondb l2l | include 198.51.100.10
Optional ASA Debugs
debug crypto condition peer 198.51.100.10
debug crypto ikev2 protocol
debug crypto ipsec
no debug all
ASR1001-HX (IOS-XE Router)
FVRF (Front-Door VRF): routing table used to reach the public VPN peer.
IVRF (Inside VRF): routing table containing protected internal networks.
Check Status
All-in-one view
show crypto session
show crypto session detail
Phase 1 (IKE)
show crypto ikev2 sa
show crypto ikev2 sa detail
show crypto isakmp sa
show crypto isakmp sa detail
Phase 2 (IPsec)
show crypto ipsec sa
show crypto ipsec sa peer 198.51.100.10
show crypto ipsec sa vrf CORDERO
Reset / Clear
# Whole session (Phase 1 and Phase 2): all peers, or one peer
clear crypto session
clear crypto session remote 198.51.100.10
# IPsec SAs (Phase 2): all peers, or one peer
clear crypto sa
clear crypto sa peer 198.51.100.10
# IPsec SAs scoped by VRF: one peer reached through a front-door VRF, or all SAs of an inside VRF
clear crypto sa peer vrf <FVRF_NAME> 198.51.100.10
clear crypto sa vrf CORDERO
Phase 1 Only
clear crypto ikev2 sa peer 198.51.100.10
# All IKEv2 SAs (use with caution)
clear crypto ikev2 sa
VTI Option
configure terminal
interface Tunnel100
shutdown
no shutdown
end
Additional Troubleshooting Commands
show crypto ikev2 stats
show crypto ikev2 proposal
show crypto engine connections active
Typical Troubleshooting Flow
- Run show crypto session detail.
- If IKE is up but IPsec is missing, check selectors and crypto ACL.
- If IKE is down, verify reachability, proposals, and authentication.
- Clear only the affected peer.
- Generate interesting traffic to trigger negotiation.
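As an added example that is not part of the original runbook, the Python script below applies the flow above to a constructed sample of show crypto session detail output: for each peer it decides Phase 1 first (is the IKE SA Active?), then Phase 2 (are there any Active SAs on the IPsec flows?), and proposes only the per-peer clear from this runbook, never the global one. The sample output, the INTERNET front-door VRF name and the state labels are constructed; real output differs between IOS-XE releases, so the patterns are a starting point to adapt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of IOS-XE "show crypto session detail" output, not captured
# from a real device. The layout follows the usual format, but field order and
# wording vary between releases, so treat the patterns below as a starting point.
SAMPLE_OUTPUT = """\
Interface: Tunnel100
Session status: UP-ACTIVE
Peer: 198.51.100.10 port 500 fvrf: (none) ivrf: CORDERO
      IKEv2 SA: local 203.0.113.1/500 remote 198.51.100.10/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.1.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: Tunnel101
Session status: UP-IDLE
Peer: 198.51.100.20 port 500 fvrf: INTERNET ivrf: CORDERO
      IKEv2 SA: local 203.0.113.1/500 remote 198.51.100.20/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.2.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Tunnel102
Session status: DOWN-NEGOTIATING
Peer: 198.51.100.30 port 500 fvrf: (none) ivrf: CORDERO
      IKEv2 SA: local 203.0.113.1/500 remote 198.51.100.30/500 Inactive
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.3.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

PEER_RE = re.compile(r"Peer: (\S+) port \d+ fvrf: (\S+) ivrf: (\S+)")
ACTIVE_SAS_RE = re.compile(r"Active SAs: (\d+)")


@dataclass
class PeerSession:
    interface: str
    peer: str
    fvrf: str
    ivrf: str
    status: str
    ike_active: bool = False   # Phase 1: IKE SA reported as "Active"
    active_sas: int = 0        # Phase 2: sum of "Active SAs" over all flows


def parse_crypto_session(text: str) -> List[PeerSession]:
    """One record per "Peer:" line; Interface and Session status precede it."""
    sessions: List[PeerSession] = []
    current = None
    interface = status = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            interface = line.split(":", 1)[1].strip()
            status = ""
        elif line.startswith("Session status:"):
            status = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            m = PEER_RE.match(line)
            if m:
                current = PeerSession(interface, m.group(1), m.group(2), m.group(3), status)
                sessions.append(current)
        elif current is None:
            continue
        elif line.startswith(("IKEv2 SA:", "IKEv1 SA:")):
            # The SA state is the last token; "Inactive" must not count as up
            current.ike_active = line.split()[-1] == "Active"
        elif line.startswith("Active SAs:"):
            m = ACTIVE_SAS_RE.match(line)
            if m:
                current.active_sas += int(m.group(1))
    return sessions


def classify(sess: PeerSession) -> str:
    """Runbook order: decide Phase 1 first, only then look at Phase 2."""
    if not sess.ike_active:
        return "PHASE1_DOWN"      # verify reachability, proposals, authentication
    if sess.active_sas == 0:
        return "PHASE2_MISSING"   # IKE up, no IPsec SA: check selectors / crypto ACL
    return "UP"


def reset_commands(sess: PeerSession, state: str) -> List[str]:
    """Scoped clear for this peer only; the global clears are never emitted."""
    if state == "PHASE1_DOWN":
        return [f"clear crypto session remote {sess.peer}"]
    if state == "PHASE2_MISSING":
        if sess.fvrf != "(none)":   # peer reached through a front-door VRF
            return [f"clear crypto sa peer vrf {sess.fvrf} {sess.peer}"]
        return [f"clear crypto sa peer {sess.peer}"]
    return []


def triage(text: str) -> Dict[str, dict]:
    """Map each peer address to its state and the scoped reset to run."""
    out: Dict[str, dict] = {}
    for sess in parse_crypto_session(text):
        state = classify(sess)
        out[sess.peer] = {"interface": sess.interface, "state": state,
                          "commands": reset_commands(sess, state)}
    return out
```

Feed it the text you pasted from the router (for example via triage(open("session.txt").read())) and act on the returned commands one peer at a time; a peer whose IKE SA line is missing altogether is classified as Phase 1 down, which is the conservative reading.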
Scoped Debug Workflow (IOS-XE)
terminal monitor
debug crypto condition peer ipv4 X.X.X.X
debug crypto ikev2 protocol
debug crypto ipsec
clear crypto session remote X.X.X.X
Watch CPU load while the debugs run:
show process cpu sorted
Disable debugging when finished:
undebug all
no debug crypto condition
terminal no monitor
Why Use terminal monitor?
On Cisco IOS and IOS-XE devices, debug output is normally sent only to the console session. If you are connected through SSH or Telnet (a VTY session), you will not see debug output unless you explicitly enable it.
terminal monitor
Without this command, debug messages may still be generated internally by the router but will only appear on the physical console, making it seem like the debug command is not working.
Best-Practice Debug Workflow (IOS-XE / ASR)
For production troubleshooting, limit debug output to a single VPN peer to prevent excessive logging and reduce router impact.
terminal monitor
debug crypto condition peer ipv4 X.X.X.X
debug crypto ikev2 protocol
debug crypto ipsec
If you need to force negotiation to observe the exchange:
clear crypto session remote X.X.X.X