As an IT network architect, I like having a short, paste-ready runbook for common site-to-site VPN tasks:
validate Phase 1/Phase 2 state, pull a quick summary, and surgically clear SAs for a single peer without
impacting everything else.
ASA Adaptive Security Appliance
VRF note: ASA does not support VRF-Lite in the same way IOS-XE routers do, so the crypto show/clear
commands do not take a VRF argument.
Check Status
Phase 1 (IKEv2)
show crypto ikev2 sa
show crypto ikev2 sa detail
Phase 2 (IPsec)
show crypto ipsec sa
Combined / Summary
show vpn-sessiondb l2l
show vpn-sessiondb detail l2l
Reset / Clear
Phase 1 only (IKEv2)
clear crypto ikev2 sa 198.51.100.10
# all IKEv2 SAs (careful)
clear crypto ikev2 sa
Important: Clearing Phase 1 also tears down associated Phase 2 SAs. They typically re-establish automatically
when interesting traffic flows.
Phase 2 only (IPsec)
clear crypto ipsec sa peer 198.51.100.10
# all IPsec SAs (careful)
clear crypto ipsec sa
Quick ASA Example
# Check both phases quickly
show crypto ikev2 sa
show crypto ipsec sa
# Bounce just this peer's Phase 2
clear crypto ipsec sa peer 198.51.100.10
Pinpoint the Right Peer / Tunnel (Optional but Recommended)
If you have multiple tunnels, filter on the peer IP to avoid clearing the wrong one:
show crypto ikev2 sa detail | include 198.51.100.10
show crypto ipsec sa | include 198.51.100.10
show vpn-sessiondb l2l | include 198.51.100.10
ASR1001-HX IOS-XE Router
VRF-aware IPsec note: In VRF-aware designs you may see two VRF concepts:
- FVRF (Front-Door VRF): the routing table used to reach the public peer (outside/transport side).
- IVRF (Inside VRF): the routing table for protected/inside traffic selectors (often the “tenant” VRF).
IOS-XE provides VRF scoping on many show commands. For clearing, I typically use clear crypto session remote
for a precise “both phases” reset, or clear crypto sa peer if I want to explicitly clear SAs for a peer. If your environment
uses VRFs (FVRF/IVRF), include the VRF option when available/necessary.
Check Status
All-in-one view (IKE + IPsec per session)
show crypto session
show crypto session detail
Phase 1 (IKE)
# IKEv2
show crypto ikev2 sa
show crypto ikev2 sa detail
# (If using IKEv1)
show crypto isakmp sa
show crypto isakmp sa detail
Phase 2 (IPsec)
# All
show crypto ipsec sa
# Filter by peer
show crypto ipsec sa peer 198.51.100.10
# Filter by VRF (typical: IVRF / inside VRF)
show crypto ipsec sa vrf CORDERO
Tip: Depending on platform/version and design, you may also have a peer filter that can be scoped by a front-door VRF (FVRF).
If used in your environment, keep the intent clear: FVRF for “peer reachability,” IVRF for “protected traffic.”
Reset / Clear
Preferred, comprehensive clear (both phases)
clear crypto session
clear crypto session remote 198.51.100.10
Clear SAs (both phases)
clear crypto sa
clear crypto sa peer 198.51.100.10
VRF-aware clears (use when your design requires it)
# Clear SAs for one peer in a specific front-door VRF (FVRF)
clear crypto sa peer vrf <FVRF_NAME> 198.51.100.10
# Clear SAs associated to an inside/protected VRF (IVRF)
clear crypto sa vrf CORDERO
Phase 1 only (when you specifically want to bounce IKE)
# IKEv2
clear crypto ikev2 sa peer 198.51.100.10
clear crypto ikev2 sa
# (If using IKEv1)
clear crypto isakmp sa peer 198.51.100.10
clear crypto isakmp sa
VTI Option (If Using Tunnel Interfaces)
If the VPN is built using VTIs, you can bounce the tunnel interface (this is operationally simple and very explicit):
configure terminal
interface Tunnel100
! example (often in IVRF CORDERO)
shutdown
no shutdown
end
Quick ASR Checks
# Check both phases fast
show crypto session detail
# See Phase 2 only for VRF CORDERO (display)
show crypto ipsec sa vrf CORDERO
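A small pre-check for the "pinpoint the right peer before clearing" step and the VRF-aware clears above, added here as an example and not part of the original runbook: it parses show crypto ikev2 sa output, confirms the peer's Phase 1 is READY, and builds the narrowest clear command from this page, scoped by FVRF when one is set. The sample output is constructed in the IOS-XE layout (not captured from a device) and the FVRF name OUTSIDE is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample shaped like IOS-XE "show crypto ikev2 sa" output; not captured
# from a real device. Peer addresses and the FVRF name "OUTSIDE" are placeholders.
SAMPLE_IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.1/500       198.51.100.10/500     none/CORDERO         READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
2         203.0.113.1/500       198.51.100.22/500     none/CORDERO         IN-NEG
3         203.0.113.1/500       198.51.100.33/500     OUTSIDE/CORDERO      READY

 IPv6 Crypto IKEv2  SA
"""

@dataclass
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    fvrf: str
    ivrf: str
    status: str

# One SA summary row: id, local/port, remote/port, fvrf/ivrf, status.
# Detail rows are indented and the column header starts with a word, so neither matches.
SA_ROW = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)/(\S+)\s+(\S+)\s*$")

def parse_ikev2_sa(text: str) -> List[Ikev2Sa]:
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas.append(Ikev2Sa(int(m.group(1)), *m.groups()[1:]))
    return sas

def peer_ready(sas: List[Ikev2Sa], peer: str) -> bool:
    # Phase 1 counts as up only if an SA for this peer address is READY.
    return any(sa.remote == peer and sa.status == "READY" for sa in sas)

def clear_command(sas: List[Ikev2Sa], peer: str) -> Optional[str]:
    """Narrowest clear for one peer; None if no SA exists or its SAs span several FVRFs."""
    fvrfs = {sa.fvrf for sa in sas if sa.remote == peer}
    if len(fvrfs) != 1:
        return None
    fvrf = fvrfs.pop()
    if fvrf != "none":
        return f"clear crypto sa peer vrf {fvrf} {peer}"
    return f"clear crypto session remote {peer}"
```

Run the returned command only after peer_ready confirms you matched the intended peer; a None result means there is nothing to clear or the peer is ambiguous, so stop and filter further.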
Operational Tip: Trigger Re-Negotiation
After any clear/reset, generate “interesting traffic” (for example, a ping across the selectors/crypto ACL) to trigger
re-negotiation if the tunnel is idle. This prevents false negatives where the SA looks down simply because nothing is trying
to use it.