How can I reset a VPN tunnel on a Cisco ASA?

The VPN can be reset by entering

clear ipsec sa peer <remote-peer-IP>

on one side. The following traffic will cause the IPSEC tunnel to be reestablished.

You can do it on your side, entering the remote IP. Or log in to the remote site, but possibly you have to do it outside the VPN, so using a different interface, for example using the public IP instead of the IP to which you connect through the tunnel.

There will be a short VPN outage while reestablishing the tunnel. After entering that command, ensure that the tunnel is up again, such as doing a ping through it.

*****************************************************

You can reset the tunnel via the ASDM software as well as in the command line.

In the ASDM (Version 6.3):

  1. Go to Monitoring, then select VPN from the list of Interfaces
  2. Then expand VPN statistics and click on Sessions.
  3. Choose the type of tunnel you’re looking for from the drop-down at the right (IPSEC Site-To-Site for example.)
  4. Click on the tunnel you wish to reset and then click Logout in order to reset the tunnel.

This will cause a temporary outage of the VPN connection, but in most cases I’ve seen, you’re only doing this because the tunnel is already down.

All things considered though, it is easier to log into the CLI and reset the tunnel, but I know some folks who are addicted to the ASDM.

********************************************************

clear cry ikev1 sa <ip>

Or if using ikev2, then:

clear cry ikev2 sa <ip>

On older versions, I believe the command is simply:

clear cry isa sa <ip>

Also in regard to Stefan’s answer, if you do a clear on a remote device over the VPN you’re resetting, typically it will re-establish the VPN and your SSH session will continue per normal instantaneously or at most within seconds. I do it quite often on ISR G1 and G2 routers all the time when modifying their tunnels.
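An added example (not from any of the answers above) that automates the IKEv1 variant of this reset and the "make sure it came back" check: it parses `show crypto ikev1 sa` output for a peer's state, then clears the peer's SA, sends a ping to supply the interesting traffic that triggers renegotiation, and polls until the peer is back in MM_ACTIVE. It assumes a netmiko connection (device_type cisco_asa) opened over a path that does not cross the tunnel being reset, and the sample output is constructed in the ASA's layout, not captured from a real device.

```python
import re
import time

# Constructed sample of "show crypto ikev1 sa" output in the ASA's layout
# (not captured from a real device); used for the offline check below.
SAMPLE_IKEV1_SA = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""


def ike_peer_states(show_output):
    """Map each 'IKE Peer' in 'show crypto ikev1 sa' output to its State field."""
    states, peer = {}, None
    for line in show_output.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"\bState\s*:\s*(\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
            peer = None
    return states


def tunnel_is_up(show_output, peer):
    """An IKEv1 main-mode SA is fully established only in state MM_ACTIVE."""
    return ike_peer_states(show_output).get(peer) == "MM_ACTIVE"


def reset_and_verify(asa, peer, ping_target, attempts=12, wait=5):
    """Clear the IKEv1 SA for 'peer', ping through the tunnel to trigger a new
    negotiation, and poll until the peer is MM_ACTIVE again (False on timeout).
    'asa' is an open netmiko connection; assumed to be reached outside the tunnel."""
    asa.send_command(f"clear crypto ikev1 sa {peer}")
    for _ in range(attempts):
        # Interesting traffic (a host behind the remote peer) brings the tunnel up.
        asa.send_command(f"ping {ping_target}")
        if tunnel_is_up(asa.send_command("show crypto ikev1 sa"), peer):
            return True
        time.sleep(wait)
    return False
```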
