Cisco VPN Tunnel Troubleshooting – IKEv1 and IKEv2 – ASA and ASR1001 (with VRF examples)

Phase 1 = IKE / Phase 2 = IPsec. Examples use peer 198.51.100.10 and a VRF named CORDERO.


ASA (Adaptive Security Appliance)

ASA does not support VRF-Lite; commands have no vrf option.

Check status

Phase 1 (IKEv2)

show crypto ikev2 sa
show crypto ikev2 sa detail

Phase 2 (IPsec)

show crypto ipsec sa

Combined/summary

show vpn-sessiondb l2l
show vpn-sessiondb detail l2l

Reset / clear

Phase 1 only (IKEv2)

clear crypto ikev2 sa remote 198.51.100.10
# all IKEv2 SAs (careful)
clear crypto ikev2 sa

Clearing Phase 1 also tears down associated Phase 2 SAs; they typically re-establish automatically when interesting traffic flows.

Phase 2 only (IPsec)

clear crypto ipsec sa peer 198.51.100.10
# all IPsec SAs (careful)
clear crypto ipsec sa

Quick ASA example

# Check both phases quickly
show crypto ikev2 sa
show crypto ipsec sa

# Bounce just this peer's Phase 2
clear crypto ipsec sa peer 198.51.100.10

ASR1001-HX (IOS-XE Router)

Check status

All-in-one view (IKE + IPsec per session)

show crypto session
show crypto session detail

Phase 1 (IKE)

# IKEv2
show crypto ikev2 sa
show crypto ikev2 sa detail

# (If using IKEv1)
show crypto isakmp sa
show crypto isakmp sa detail

Phase 2 (IPsec)

# All
show crypto ipsec sa

# Filter by peer
show crypto ipsec sa peer 198.51.100.10

# Filter by VRF (display only)
show crypto ipsec sa vrf CORDERO

# Filter by both VRF and peer (display only)
show crypto ipsec sa vrf CORDERO peer 198.51.100.10

IOS-XE supports VRF filtering on show commands; clearing by peer/session automatically targets the correct VRF context.

Reset / clear

Preferred, comprehensive clear (both phases)

clear crypto session
clear crypto session remote 198.51.100.10

Clear all crypto SAs (both phases)

clear crypto sa
clear crypto sa peer 198.51.100.10

Phase 1 only (when you specifically want to bounce IKE)

# IKEv2 (IOS-XE selects the peer with the "remote" keyword)
clear crypto ikev2 sa remote 198.51.100.10
clear crypto ikev2 sa

# (If using IKEv1)
clear crypto isakmp sa peer 198.51.100.10
clear crypto isakmp sa

Granular clear crypto ipsec sa ... with VRF/peer options is not available on IOS-XE. Use clear crypto session (recommended) or clear crypto sa [peer ...].

VRF-aware workflows (clearing handled via peer/session)

# Bounce BOTH phases for one peer (VRF resolved automatically)
clear crypto session remote 198.51.100.10

# Clear all SAs for one peer (both phases)
clear crypto sa peer 198.51.100.10

# If using VTIs, you can bounce the tunnel interface instead
# (Tunnel100 is an example tunnel in VRF CORDERO):
configure terminal
interface Tunnel100
 shutdown
 no shutdown
end

Quick ASR checks

# Check both phases fast
show crypto session detail

# See Phase 2 only for VRF CORDERO (display)
show crypto ipsec sa vrf CORDERO

Tip: After any clear, generate interesting traffic (e.g., a ping across the crypto ACL/selectors) to trigger re-negotiation if the tunnel is idle.
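
Added example (not part of the original cheat sheet and not Cisco tooling): a Python parser for saved "show crypto session detail" output that derives Phase 1 / Phase 2 state per peer and picks the narrowest follow-up command from this page. The sample output is constructed, and the field layout, the IKEv2-only peers and the triage order are assumptions.

```python
import re
# Constructed sample in the layout of IOS-XE `show crypto session detail` (assumed layout, not a capture).
SAMPLE = """\
Interface: Tunnel100
Session status: UP-ACTIVE
Peer: 198.51.100.10 port 500 fvrf: (none) ivrf: CORDERO
  IKEv2 SA: local 203.0.113.1/500 remote 198.51.100.10/500 Active
        Active SAs: 2, origin: crypto map
Interface: Tunnel101
Session status: UP-IDLE
Peer: 198.51.100.20 port 500 fvrf: (none) ivrf: CORDERO
  IKEv2 SA: local 203.0.113.1/500 remote 198.51.100.20/500 Active
        Active SAs: 0, origin: crypto map
Interface: Tunnel102
Session status: DOWN
Peer: 198.51.100.30 port 500 fvrf: (none) ivrf: (none)
        Active SAs: 0, origin: crypto map
"""

PEER = re.compile(r"Peer:\s+(\S+)\s+port\s+\d+(?:.*\bivrf:\s+(\S+))?")
IKE_UP = re.compile(r"\s*IKE(?:v[12])? SA:.*\bActive\b")
SAS = re.compile(r"Active SAs:\s+(\d+)")

def parse_sessions(text):
    """Return one dict per session: peer, ivrf, IKE state, IPsec SA count."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("Interface:"):
            sessions.append({"peer": None, "ivrf": None, "ike_up": False, "ipsec_sas": 0})
        elif not sessions:
            continue  # banner text before the first session
        elif m := PEER.match(line):
            sessions[-1]["peer"], sessions[-1]["ivrf"] = m.group(1), m.group(2)
        elif IKE_UP.match(line):
            sessions[-1]["ike_up"] = True
        elif m := SAS.search(line):
            sessions[-1]["ipsec_sas"] += int(m.group(1))
    return sessions

def next_step(s):  # narrowest command from this page for one session
    if s["ike_up"] and s["ipsec_sas"]:
        return "healthy"
    if s["ike_up"]:  # Phase 1 up, Phase 2 missing: inspect the IPsec SAs first
        vrf = f"vrf {s['ivrf']} " if s["ivrf"] not in (None, "(none)") else ""
        return f"show crypto ipsec sa {vrf}peer {s['peer']}"
    return f"clear crypto session remote {s['peer']}"  # Phase 1 down: per-peer reset

for s in parse_sessions(SAMPLE):  # print one suggestion per peer
    print(s["peer"], "->", next_step(s))
```

The state is derived from the IKE SA and "Active SAs" lines rather than the status keyword, so the suggestion never widens beyond the one affected peer.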