Cisco ASA 5500 – Reset / Recycle VPN Tunnels

KB ID 0000586 

Problem

I’ve been asked this before, and it came up on EE today: you have a site to site VPN tunnel and you want to either restart it or reset it.

Solution

Cisco ASA Reset ALL VPN Tunnels

1. Connect to your ASA, then to reset ALL your ISAKMP VPN tunnels use the following command;

[box] clear crypto isakmp sa [/box]

In the example below I’ve reset ALL my tunnels. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

WARNING: This will reset ALL ISAKMP VPN tunnels (both site to site, and client to gateway).

Cisco ASA Reset One VPN Tunnel

1. If you just want to reset one site to site VPN then you need to reset the IPSEC SA to the peer (IP Address of the other end of the tunnel). Use the following command;

[box] clear ipsec sa peer X.X.X.X [/box]

Unlike above, in the example below I’ve reset just ONE tunnel. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

Cisco ASA Check VPN Uptime

Just to prove this isn’t all smoke and mirrors, after the tunnel has reconnected you can check its uptime with the following command;

[box] show vpn-sessiondb detail l2l [/box]

Related Articles, References, Credits, or External Links

Cisco ASA5500 Site to Site VPN from ASDM

Cisco ASA – Find Out VPN Tunnel Uptime

KB ID 0000863 

Problem

I needed to get the Uptime/Duration of a particular VPN tunnel this week. It was for a client with multiple VPN tunnels that was having problems with just one.

Solution

Option 1 via Command Line

1. Connect to the firewall > Go to enable mode and use the following command, replacing 123.123.123.123 with the IP of your VPN peer (the other end of the tunnel).

[box]

PetesASA>
PetesASA> enable
Password: ********
PetesASA# show vpn-sessiondb l2l filter name 123.123.123.123 | incl Duration
Duration : 0h:08m:26s <<<<<<<
PetesASA#

[/box]

If you want a LOT MORE information use the following command;

[box]

PetesASA# show vpn-sessiondb detail l2l filter name 123.123.123.123

Session Type: LAN-to-LAN Detailed

Connection : 123.123.123.123
Index : 312 IP Addr : 123.123.123.123
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (1)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 18999 Bytes Rx : 26267
Login Time : 14:20:36 UTC Mon Sep 30 2013
Duration : 0h:32m:55s <<<<<<<
IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
Tunnel ID : 312.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 84425 Seconds
D/H Group : 2
Filter Name :
IPv6 Filter :

IPsec:
Tunnel ID : 312.2
Local Addr : 10.254.254.0/255.255.255.0/0/0
Remote Addr : 172.16.254.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 26825 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607975 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 26 Minutes
Bytes Tx : 18999 Bytes Rx : 26267
Pkts Tx : 94 Pkts Rx : 114

NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 2000 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :

PetesASA#

[/box]
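Both articles read the output of show vpn-sessiondb by eye: the detail l2l form to confirm a tunnel is back up after a clear ipsec sa peer, and the filter name form here to get one tunnel’s Duration. The following is an added example (not from the original articles, and not a Cisco tool) that parses that output programmatically. It turns the Duration line into seconds so a freshly re-established tunnel can be spotted, scopes the IKEv1 and IPsec sections separately so the header’s repeated Encryption/Hashing lines are not confused with them, and flags legacy IKE algorithms (3DES, SHA1, DH group 2, which the sample tunnel happens to use). The sample text is the article’s own output, trimmed; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the "show vpn-sessiondb detail l2l" output shown in the
# article, trimmed to the session header and the IKEv1/IPsec sections.
SAMPLE_DETAIL = """\
Session Type: LAN-to-LAN Detailed

Connection : 123.123.123.123
Encryption : IKEv1: (1)3DES IPsec: (1)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Login Time : 14:20:36 UTC Mon Sep 30 2013
Duration : 0h:32m:55s
IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 84425 Seconds
D/H Group : 2

IPsec:
Local Addr : 10.254.254.0/255.255.255.0/0/0
Remote Addr : 172.16.254.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 26825 Seconds
"""

DURATION_RE = re.compile(r"Duration\s*:\s*(\d+)h:(\d+)m:(\d+)s")
# 3DES, SHA1 and DH groups 1/2 are legacy choices for an IKE policy; flag them.
LEGACY_ENC, LEGACY_HASH, LEGACY_DH = {"DES", "3DES"}, {"MD5", "SHA1"}, {1, 2}

def parse_duration(text: str) -> Optional[int]:
    """Uptime in seconds from a 'Duration : 0h:08m:26s' line, None if absent.
    Works on the single '| incl Duration' line and on the full detail output."""
    m = DURATION_RE.search(text)
    if not m:
        return None
    h, mnt, s = (int(x) for x in m.groups())
    return h * 3600 + mnt * 60 + s

def split_sections(text: str) -> Dict[str, str]:
    """Group lines under the bare 'IKEv1:' / 'IPsec:' / 'NAC:' headers; lines
    before the first header land in 'Session' (which repeats Encryption/Hashing)."""
    sections: Dict[str, List[str]] = {"Session": []}
    current = "Session"
    for line in text.splitlines():
        m = re.fullmatch(r"([A-Za-z0-9]+):", line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return {k: "\n".join(v) for k, v in sections.items()}

def _grab(pattern: str, text: str, default: str = "") -> str:
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default

@dataclass
class L2LSession:
    peer: str
    uptime_seconds: int
    login_time: str
    ike_rekey_left: int    # seconds until the IKE SA rekeys
    ipsec_rekey_left: int  # seconds until the IPsec SA rekeys
    ike_encryption: str
    ike_hash: str
    dh_group: int
    warnings: List[str] = field(default_factory=list)

def parse_l2l_detail(text: str) -> L2LSession:
    """Parse one LAN-to-LAN session from 'show vpn-sessiondb detail l2l' output."""
    sec = split_sections(text)
    head, ike, ipsec = sec["Session"], sec.get("IKEv1", ""), sec.get("IPsec", "")
    s = L2LSession(
        peer=_grab(r"^Connection\s*:\s*(\S+)", head),
        uptime_seconds=parse_duration(head) or 0,
        login_time=_grab(r"^Login Time\s*:\s*(.+?)\s*$", head),
        ike_rekey_left=int(_grab(r"Rekey Left\(T\):\s*(\d+) Seconds", ike, "0")),
        ipsec_rekey_left=int(_grab(r"Rekey Left\(T\):\s*(\d+) Seconds", ipsec, "0")),
        ike_encryption=_grab(r"^Encryption\s*:\s*(\S+)", ike),
        ike_hash=_grab(r"Hashing\s*:\s*(\S+)", ike),
        dh_group=int(_grab(r"D/H Group\s*:\s*(\d+)", ike, "0")),
    )
    for value, legacy, what in ((s.ike_encryption, LEGACY_ENC, "encryption"),
                                (s.ike_hash, LEGACY_HASH, "hash"),
                                (s.dh_group, LEGACY_DH, "DH group")):
        if value in legacy:
            s.warnings.append(f"legacy IKE {what} {value}")
    return s

def came_up_recently(session: L2LSession, window_seconds: int = 600) -> bool:
    """True if the tunnel (re)established inside the window, e.g. right after a reset."""
    return session.uptime_seconds < window_seconds
```

Feed it the text captured from the firewall (for instance the output of the filter name command above, saved to a file) and it returns a L2LSession; came_up_recently is the programmatic version of the "did it come back up" check the reset article does with a running ping, and the warnings list is a quick hint when a tunnel that keeps needing resets is also running an old IKE policy.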

Option 2 Via the ASDM

1. Connect to the ASDM > Monitoring > VPN > Sessions > Select the session you are interested in > the Login Time and Duration columns show when the tunnel came up and how long it has been up.

Related Articles, References, Credits, or External Links

NA