
On a site-to-site VPN using an ASA 5520 and an ASA 5540, respectively, I noticed that from time to time traffic doesn't pass any more; sometimes traffic is missing just for one specific traffic selection / ACL while other traffic over the same VPN is running. It happens even though there's a constant ping running. The reason might be that it runs over a satellite link which isn't perfectly stable.

How can I reset the VPN to the working state, instead of reloading one of the ASAs?

Bulki
Stefan

5 Answers

The VPN can be reset by entering

clear crypto ipsec sa peer <remote-peer-IP>

on one side. The following traffic will cause the IPSEC tunnel to be reestablished.

You can do it on your side, entering the remote IP. Or log in to the remote site, but possibly you have to do it outside the VPN, so using a different interface, for example using the public IP instead of the IP to which you connect through the tunnel.

There will be a short VPN outage while reestablishing the tunnel. After entering that command, ensure that the tunnel is up again, such as doing a ping through it.

TomekG
Stefan

You can reset the tunnel via the ASDM software as well as in the command line.

In the ASDM (Version 6.3):

  1. Go to Monitoring, then select VPN from the list of Interfaces
  2. Then expand VPN statistics and click on Sessions.
  3. Choose the type of tunnel you're looking for from the drop-down at the right (IPSEC Site-To-Site, for example).
  4. Click on the tunnel you wish to reset and then click Logout in order to reset the tunnel.

This will cause a temporary outage of the VPN connection, but in most cases I've seen, you're only doing this because the tunnel is already down.

All things considered though, it is easier to log into the CLI and reset the tunnel, but I know some folks who are addicted to the ASDM.

Source

Brett Lykins

I just came across a new way that I was never aware of before, which offers the same information you find in the ASDM interface, including the feature to log off a VPN session.

Issue this, for example, to get a list of site-to-site VPN tunnels that are up.

show vpn-sessiondb l2l

output example:

Connection   : 192.168.1.1
Index        : 330                    IP Addr      : 192.168.121.0
Protocol     : IKE IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 62226826               Bytes Rx     : 71173170
Login Time   : 17:15:49 PDT Sun Sep 7 2014
Duration     : 19h:08m:49s

Then, to log off that VPN tunnel, you can execute the following, using the index shown above.

vpn-sessiondb logoff index 330
Jim Scott

Doing clear crypto ipsec sa peer <peer IP> will only reset the IPsec portion.

There isn't a way to clear just one isakmp tunnel.

Therefore the best way that I know is to remove the peer from the crypto map and reapply it.

no crypto map mymap 40 set peer 12.1.1.1 
crypto map mymap 40 set peer 12.1.1.1 

This way you can take the peer out, wait for the tunnel to come down and time out, then reapply it. This method gives you more control over the tunnel's behavior.

tunnelsup

On 8.4 you can reset a single ISAKMP connection via:

clear cry ikev1 sa <ip>

Or if using ikev2, then:

clear cry ikev2 sa <ip>

On older versions, I believe the command is simply:

clear cry isa sa <ip>

Also in regard to Stefan's answer, if you do a clear on a remote device over the VPN you're resetting, typically it will re-establish the VPN and your SSH session will continue per normal instantaneously or at most within seconds. I do it quite often on ISR G1 and G2 routers all the time when modifying their tunnels.

some_guy_long_gone

On the ASA, the older `clear crypto isakmp sa` command does not accept an argument for the peer to reset. It resets all ISAKMP sessions. – James Sneeringer Sep 09 '14 at 13:23