IA-32 defines various cases in which the CPU may invalidate the entire TLB. Starting with the ASID extensions that AMD released in Opteron Rev-F processors (Barcelona?) there are cases in which only the TLB entries of a certain ASID are invalidated.
The question is, does the ASID itself ever stop being valid? Does the Hypervisor have to check that an ASID is valid before using it?
I think the answer is 'not directly' - looking at the AMD system programming specification, the ASID field in the VM control block is simply a (up to) 32bit ID which the hypervisor sets to a unique value for each instance of a VM, and is used as an additional tag in the TLB lookup.
As you have no direct control over the TLB contents on x86, you can't control what entries end up in the TLB - if the processor decides to add an entry to the TLB, the entry will be tagged with the current ASID, which by definition will be valid when added.
This is described in a somewhat roundabout way in section 15.15.1 of the previously mentioned system programming spec:
In implementations that do not provide a way to selectively flush all translations of a single specified ASID, software may effectively flush the guest's TLB entries by allocating a new ASID for the guest and not reusing the old ASID until the entire TLB has been flushed at least once.
This implies that the processor has no concept of valid or invalid ASIDs - it's just a number whose current value must match a TLB entries ASID for the TLB to hit. Hence if the hypervisor doesn't correctly flush an ASID before it reuses it, you'll get stale TLB hits.