Symptom
An IKEv2 tunnel fails to build and the following message is seen in the IKEv2 debug output:
IKEv2-ERROR:(SESSION ID = 263,SA ID = 5):: Creation/Installation of IPsec SA into IPsec DB failed
A %CRYPTO-4-RECVD_PKT_INV_SPI message can also be seen in syslog:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.4, prot=50, spi=0x44A4038(71974968), srcaddr=192.0.2.3, input interface=GigabitEthernet0/1
Conditions
This can happen when two IKEv2 peers initiate negotiation almost simultaneously. DMVPN spoke-to-spoke dynamic tunnels are one example of where this can occur. When the second (duplicate) IKEv2 session comes up, creation of the IPsec SA in the IPsec database can fail.
This is a day-1 issue and both IOS and IOS-XE are affected.
Further Problem Description
In the case of a DMVPN spoke-to-spoke dynamic tunnel, user traffic can be lost for a few seconds (it won't go through the hub).
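
To find which peer pairs are showing the syslog symptom above, collected logs can be scanned for the %CRYPTO-4-RECVD_PKT_INV_SPI message and grouped by peer pair. The following is an added example, not Cisco code: the function names and all sample lines except the one quoted in this note are constructed, and the field layout is assumed to match the line shown under Symptom.

```python
import re
from collections import defaultdict

# Field layout taken from the %CRYPTO-4-RECVD_PKT_INV_SPI line quoted in this note.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[0-9.]+), "
    r"prot=(?P<prot>\d+), spi=0x(?P<hex>[0-9A-Fa-f]+)\((?P<dec>\d+)\), "
    r"srcaddr=(?P<src>[0-9.]+), input interface=(?P<intf>\S+)"
)

def parse_inv_spi(line):
    """Return the fields of one invalid-SPI message, or None if it does not parse."""
    m = INV_SPI.search(line)
    if not m:
        return None
    spi = int(m["hex"], 16)
    if spi != int(m["dec"]):
        return None  # hex and decimal SPI disagree: truncated or corrupted line
    return {"src": m["src"], "dst": m["dst"], "prot": int(m["prot"]),
            "spi": spi, "intf": m["intf"]}

def peers_with_invalid_spi(lines):
    """Group ESP (prot=50) invalid-SPI drops by unordered peer pair.

    Logs gathered from both spokes report the same pair with src and dst
    swapped, so the pair is keyed without regard to direction.
    """
    pairs = defaultdict(lambda: {"count": 0, "spis": set()})
    for line in lines:
        rec = parse_inv_spi(line)
        if rec is None or rec["prot"] != 50:
            continue
        key = tuple(sorted((rec["src"], rec["dst"])))
        pairs[key]["count"] += 1
        pairs[key]["spis"].add(rec["spi"])
    return {k: {"count": v["count"], "spis": sorted(v["spis"])}
            for k, v in pairs.items()}

# First line is the one quoted in this note; the rest are constructed samples.
SAMPLE = [
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.4, prot=50, spi=0x44A4038(71974968), srcaddr=192.0.2.3, input interface=GigabitEthernet0/1",
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.3, prot=50, spi=0x1F(31), srcaddr=192.0.2.4, input interface=GigabitEthernet0/1",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up",
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.4, prot=50, spi=0x10(17), srcaddr=192.0.2.3, input interface=GigabitEthernet0/1",
]

if __name__ == "__main__":
    for pair, info in peers_with_invalid_spi(SAMPLE).items():
        print(pair, info)
```

A pair that appears here shortly after a spoke-to-spoke tunnel is triggered is a candidate for the simultaneous-initiation condition described above; the IKEv2 debug message confirms it.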