Symptom
For the same outbound SPI, "show crypto ipsec sa" shows multiple inbound SPIs.
On a failover pair, the following message may be logged at a high rate:
"Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x......."
"show crypto ipsec sa inactive" shows multiple stuck IPsec SAs, e.g.:
"Inactive inbound SA: SPI: 0x1AAC9593, state: dead, reason: Phase 2 Error"
and "clear crypto ipsec sa inactive" does not remove them.
"show counters protocol ipsec" shows a non-zero value for the DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE counter:
"Protocol Counter Value Context
IPSEC DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE 2 Summary"
After "clear counters protocol ipsec", the counter starts increasing again as new inactive IPsec SAs appear.
In the output of "debug crypto ipsec 255" the following error can be seen:
"IPSEC ERROR: Failed to cleanup inbound SPI 0x............"
Apart from the excessive logging rate, no impact on VPN traffic has been observed.
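To check whether a device shows this signature, the following Python script (an added example, not Cisco's code and not part of the bug report) parses constructed sample output modelled on the lines quoted above. It assumes the operator has captured "show crypto ipsec sa inactive" before and after running "clear crypto ipsec sa inactive", and "show counters protocol ipsec" at two points in time; the sample text, the regular expressions and the function names are assumptions, and the sample lines are constructed rather than captured from a real device.

```python
import re

# Constructed sample output, modelled on the single lines quoted in the
# symptom description. Not a real capture; column spacing is assumed.
SA_INACTIVE_BEFORE_CLEAR = """\
Inactive inbound SA: SPI: 0x1AAC9593, state: dead, reason: Phase 2 Error
Inactive inbound SA: SPI: 0x2B3C4D5E, state: dead, reason: Phase 2 Error
Inactive inbound SA: SPI: 0x3C4D5E6F, state: dead, reason: Phase 2 Error
"""

# Same command after "clear crypto ipsec sa inactive": the SAs survive (constructed).
SA_INACTIVE_AFTER_CLEAR = SA_INACTIVE_BEFORE_CLEAR

COUNTERS_T0 = """\
Protocol  Counter                                Value  Context
IPSEC     DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE        2  Summary
"""

# A later snapshot of the same counter (constructed): it has increased.
COUNTERS_T1 = """\
Protocol  Counter                                Value  Context
IPSEC     DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE        5  Summary
"""

FAILURE_COUNTER = "DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE"

# Regexes assumed from the quoted lines; adjust if the real output differs.
INACTIVE_SA_RE = re.compile(
    r"Inactive inbound SA: SPI: (0x[0-9A-Fa-f]+), state: (\w+), reason: (.+)")
COUNTER_RE = re.compile(r"^IPSEC\s+(\S+)\s+(\d+)\s+(\S+)", re.MULTILINE)


def parse_inactive_sas(text):
    """Return a list of (spi, state, reason) tuples from 'show crypto ipsec sa inactive'."""
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in INACTIVE_SA_RE.finditer(text)]


def parse_ipsec_counters(text):
    """Return {counter_name: value} from 'show counters protocol ipsec'."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def stuck_sas(text):
    """SPIs of inactive inbound SAs that are dead with reason 'Phase 2 Error'."""
    return [spi for spi, state, reason in parse_inactive_sas(text)
            if state == "dead" and reason == "Phase 2 Error"]


def diagnose(sa_before_clear, sa_after_clear, counters_t0, counters_t1):
    """Combine the two checks described in the symptom section.

    The signature is present when dead 'Phase 2 Error' SAs survive
    'clear crypto ipsec sa inactive' AND the async delete-failure counter
    keeps rising between the two counter snapshots.
    """
    survived = sorted(set(stuck_sas(sa_before_clear)) & set(stuck_sas(sa_after_clear)))
    delta = (parse_ipsec_counters(counters_t1).get(FAILURE_COUNTER, 0)
             - parse_ipsec_counters(counters_t0).get(FAILURE_COUNTER, 0))
    return {
        "stuck_spis": survived,
        "counter_delta": delta,
        "match": bool(survived) and delta > 0,
    }


if __name__ == "__main__":
    result = diagnose(SA_INACTIVE_BEFORE_CLEAR, SA_INACTIVE_AFTER_CLEAR,
                      COUNTERS_T0, COUNTERS_T1)
    print("stuck SPIs:", ", ".join(result["stuck_spis"]))
    print("counter delta:", result["counter_delta"])
    print("signature present:", result["match"])
```

Feed the script the real command output instead of the constructed strings; a non-empty "stuck_spis" list with a positive "counter_delta" is the combination the symptom section describes, whereas stuck SAs that disappear after the clear command point elsewhere.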
Conditions
Crypto-map based L2L VPN using IKEv1 or IKEv2.
More detailed conditions are currently unknown.
Problem seen on FMC-managed FTD on Firepower 2140.
Workaround
Reloading the device (standalone) or both devices at the same time (failover pair) removes the stuck IPsec SAs.