Cisco ASA: clearing specific IPsec SA tunnel

Sometimes when troubleshooting IPsec VPNs on the Cisco ASA it's necessary to clear the current VPN. This can be achieved with the "clear crypto ipsec sa" command, which resets all active IPsec SA entries. This is pretty brutal in a production environment, as all traffic passing through the tunnels is suspended until the SAs are re-established.

It is possible though to clear only a specific tunnel.

You can identify the SA tunnel with the command (the local ident/remote ident combination should match your traffic pattern):

ciscoasa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.99.0.1
    ...
      local ident (addr/mask/prot/port): (10.100.8.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.200.8.0/255.255.0.0/0/0)
      current_peer: 172.16.10.1
    ...
      current outbound spi: 65D05DD4
      current inbound spi : 3B6C2C49

    inbound esp sas:
      spi: 0x3B6C2C49 (996944969)
    ...
    outbound esp sas:
      spi: 0x65D05DD4 (1708154324)
    ...

Note the SPI of the inbound ESP SA (in our case 3B6C2C49). To clear the desired SA, issue the command:

ciscoasa# clear crypto ipsec sa entry 172.16.10.1 esp 3B6C2C49
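When an ASA carries many tunnels, picking the right SPI out of a long "show crypto ipsec sa" listing by eye is error-prone, and a wrong SPI clears someone else's tunnel. The script below is an added example (not from the original post and not a Cisco tool) that parses the output into one record per crypto map entry and composes the exact "clear crypto ipsec sa entry <peer> esp <spi>" command for the local/remote ident pair you name. The sample output is constructed in the shape of the listing above: the first tunnel reuses the values from the post, the second is made up and has no SA established (SPI 0), which the script refuses to turn into a clear command.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of "show crypto ipsec sa" on an ASA.
# Tunnel 1 reuses the values from the post; tunnel 2 is made up and idle.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.99.0.1

      local ident (addr/mask/prot/port): (10.100.8.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.200.8.0/255.255.0.0/0/0)
      current_peer: 172.16.10.1

      current outbound spi: 65D05DD4
      current inbound spi : 3B6C2C49

    inbound esp sas:
      spi: 0x3B6C2C49 (996944969)
    outbound esp sas:
      spi: 0x65D05DD4 (1708154324)

    Crypto map tag: outside_map, seq num: 2, local addr: 10.99.0.1

      local ident (addr/mask/prot/port): (10.100.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.201.0.0/255.255.0.0/0/0)
      current_peer: 172.16.20.1

      current outbound spi: 0
      current inbound spi : 0
"""


@dataclass
class IpsecSa:
    """One crypto map entry as printed by the ASA (all values kept as strings)."""
    local_ident: str = ""    # "addr/mask/prot/port" of the local side
    remote_ident: str = ""   # same for the remote side
    peer: str = ""           # current_peer
    inbound_spi: str = ""    # hex as printed; "0" when no SA is up
    outbound_spi: str = ""


# One regex per field we care about; everything else in the listing is ignored.
_FIELD_PATTERNS = {
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "outbound_spi": re.compile(r"current outbound spi: ([0-9A-Fa-f]+)"),
    "inbound_spi": re.compile(r"current inbound spi\s*: ([0-9A-Fa-f]+)"),
}


def parse_ipsec_sas(output: str) -> List[IpsecSa]:
    """Split the listing into one record per 'Crypto map tag:' block."""
    entries: List[IpsecSa] = []
    fields: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            if fields:
                entries.append(IpsecSa(**fields))
            fields = {}
            continue
        for key, rx in _FIELD_PATTERNS.items():
            m = rx.search(line)
            if m:
                fields[key] = m.group(1)
    if fields:
        entries.append(IpsecSa(**fields))
    return entries


def clear_command(output: str, local_net: str, remote_net: str,
                  direction: str = "inbound") -> Optional[str]:
    """Compose 'clear crypto ipsec sa entry <peer> esp <spi>' for the entry whose
    local/remote idents start with the given networks. Returns None when no
    entry matches or its SPI is 0 (no SA up), so nothing is cleared by accident."""
    for sa in parse_ipsec_sas(output):
        if (sa.local_ident.startswith(local_net + "/")
                and sa.remote_ident.startswith(remote_net + "/")):
            spi = sa.inbound_spi if direction == "inbound" else sa.outbound_spi
            if not spi or int(spi, 16) == 0:
                return None
            return f"clear crypto ipsec sa entry {sa.peer} esp {spi}"
    return None


if __name__ == "__main__":
    # Same tunnel as in the post: prints the command shown above.
    print(clear_command(SAMPLE_OUTPUT, "10.100.8.0", "10.200.8.0"))
    # Idle tunnel: prints None rather than a bogus "esp 0" command.
    print(clear_command(SAMPLE_OUTPUT, "10.100.9.0", "10.201.0.0"))
```

The script only composes the command; paste the result into the ASA yourself after re-running "show crypto ipsec sa", because SPIs change at every rekey and a value captured earlier may already be stale. The SPI is passed in hex exactly as the ASA prints it in the "current inbound spi" line, which is the same value shown under "inbound esp sas".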
