Phase 1 = IKE / Phase 2 = IPsec. Examples use a peer 198.51.100.10 and a VRF named CORDERO.
ASA Adaptive Security Appliance
ASA does not support VRF-Lite; commands have no vrf option.
Check status
Phase 1 (IKEv2)
show crypto ikev2 sa
show crypto ikev2 sa detail
Phase 2 (IPsec)
show crypto ipsec sa
Combined/summary
show vpn-sessiondb l2l
show vpn-sessiondb detail l2l
Reset / clear
Phase 1 only (IKEv2)
clear crypto ikev2 sa remote 198.51.100.10
# all IKEv2 SAs (careful)
clear crypto ikev2 sa
Clearing Phase 1 also tears down associated Phase 2 SAs; they typically re-establish automatically when interesting traffic flows.
Phase 2 only (IPsec)
clear crypto ipsec sa peer 198.51.100.10
# all IPsec SAs (careful)
clear crypto ipsec sa
Quick ASA example
# Check both phases quickly
show crypto ikev2 sa
show crypto ipsec sa
# Bounce just this peer's Phase 2
clear crypto ipsec sa peer 198.51.100.10
ASR1001-HX IOS-XE Router
Check status
All-in-one view (IKE + IPsec per session)
show crypto session
show crypto session detail
Phase 1 (IKE)
# IKEv2
show crypto ikev2 sa
show crypto ikev2 sa detail
# (If using IKEv1)
show crypto isakmp sa
show crypto isakmp sa detail
Phase 2 (IPsec)
# All
show crypto ipsec sa
# Filter by peer
show crypto ipsec sa peer 198.51.100.10
# Filter by VRF (display only)
show crypto ipsec sa vrf CORDERO
# Filter by both VRF and peer (display only)
show crypto ipsec sa vrf CORDERO peer 198.51.100.10
IOS-XE supports VRF filtering on show commands; clearing by peer/session automatically targets the correct VRF context.
Reset / clear
Preferred, comprehensive clear (both phases)
clear crypto session
clear crypto session remote 198.51.100.10
Clear all crypto SAs (both phases)
clear crypto sa
clear crypto sa peer 198.51.100.10
Phase 1 only (when you specifically want to bounce IKE)
# IKEv2
clear crypto ikev2 sa remote 198.51.100.10
clear crypto ikev2 sa
# (If using IKEv1)
clear crypto isakmp sa peer 198.51.100.10
clear crypto isakmp sa
Granular clear crypto ipsec sa ... with VRF/peer options is not available on IOS-XE. Use clear crypto session (recommended) or clear crypto sa [peer ...].
VRF-aware workflows (clearing handled via peer/session)
# Bounce BOTH phases for one peer (VRF resolved automatically)
clear crypto session remote 198.51.100.10
# Clear all SAs for one peer (both phases)
clear crypto sa peer 198.51.100.10
# If using VTIs, you can bounce the tunnel interface instead:
configure terminal
! example interface in VRF CORDERO
interface Tunnel100
shutdown
no shutdown
end
Quick ASR checks
# Check both phases fast
show crypto session detail
# See Phase 2 only for VRF CORDERO (display)
show crypto ipsec sa vrf CORDERO
Tip: After any clear, generate interesting traffic (e.g., a ping across the crypto ACL/selectors) to trigger re-negotiation if the tunnel is idle.
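
Added example (not part of the original cheat sheet): a small Python triage of IOS-XE show crypto session output that reports Phase 1 and Phase 2 state per peer and proposes the per-peer clear from above only for sessions that are actually down, instead of a global clear. The sample output is constructed; the function names, the extra peers 198.51.100.20/.30 and the local address 203.0.113.1 are assumptions for illustration.

```python
import re

# Constructed sample, modeled on IOS-XE "show crypto session" output.
SAMPLE = """\
Crypto session current status

Interface: Tunnel100
Session status: UP-ACTIVE
Peer: 198.51.100.10 port 500
  IKEv2 SA: local 203.0.113.1/500 remote 198.51.100.10/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

Interface: Tunnel101
Session status: UP-NO-IKE
Peer: 198.51.100.20 port 500
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

Interface: Tunnel102
Session status: DOWN-NEGOTIATING
Peer: 198.51.100.30 port 500
  IKEv2 SA: local 203.0.113.1/500 remote 198.51.100.30/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
"""

def parse_sessions(text):
    """Return one dict per session block: peer, status, Phase 1 up?, Phase 2 SA count."""
    sessions = []
    for block in re.split(r"\n(?=Interface:)", text):
        peer = re.search(r"^Peer:\s+(\S+)", block, re.M)
        status = re.search(r"^Session status:\s+(\S+)", block, re.M)
        if not (peer and status):
            continue  # banner line or truncated block
        sas = sum(int(n) for n in re.findall(r"Active SAs:\s+(\d+)", block))
        ike = bool(re.search(r"^\s+IKE\S* SA:.*\bActive\s*$", block, re.M))
        sessions.append({"peer": peer.group(1), "status": status.group(1),
                         "ike": ike, "ipsec_sas": sas})
    return sessions

def triage(sessions):
    """Propose a per-peer clear only where the session is down or has no IPsec SAs."""
    # Sessions that still carry Phase 2 SAs (e.g. UP-NO-IKE) are reported, not cleared.
    return [f"clear crypto session remote {s['peer']}" for s in sessions
            if s["status"].startswith("DOWN") or s["ipsec_sas"] == 0]
```
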