Symptom
ASAs that had a working L2L VPN tunnel suddenly stop encrypting traffic.
The ASP table shows duplicate ASP entries; traffic matches a stale entry,
and the traffic for that particular SA is blackholed.
Conditions
ASA5500 running 9.1 or later code with IKEv2 L2L tunnels configured with the default IKEv2 rekey configuration, which supports both time-based and data-based rekeys.
Workaround
Potential workarounds:
1) Disable data-based rekeying:
   crypto map set security-association lifetime kilobytes unlimited
2) Clear the inactive IPsec SAs:
   clear crypto ipsec sa inactive
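The two workarounds as a complete command sequence, with the checks an operator would run before and after. This is an added example, not part of the original bug note: the crypto map name OUTSIDE_MAP and sequence number 10 are assumptions, and the ASP and SA show commands are included so the duplicate ASP entry described in the symptom can be confirmed and then verified gone.

```cisco
! Added example (not from the original bug note): applying and verifying the
! workarounds on an ASA running 9.1 or later. The crypto map name OUTSIDE_MAP
! and sequence number 10 are assumed for illustration.

! 1. Confirm the symptom: duplicate entries for the same SA in the ASP crypto
!    classification table, and drops charged against the stale entry.
show asp table classify crypto
show asp drop

! 2. Record the current SA state and the rekey limits in effect.
show crypto ipsec sa
show running-config crypto map

! 3. Workaround 1: disable data-based (kilobyte) rekeying on the map entry,
!    leaving only the time-based rekey.
configure terminal
 crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes unlimited
end

! 4. Workaround 2: clear only the inactive (stale) IPsec SAs. Active IPsec SAs
!    and the IKEv2 SA remain, so the tunnel is not torn down.
clear crypto ipsec sa inactive

! 5. Verify the stale ASP entry is gone and traffic is encrypted again.
show asp table classify crypto
show crypto ipsec sa
```

Workaround 1 only removes the data-based rekey that this ASA initiates; the remote peer still rekeys on its own byte count unless it is configured the same way, so apply the lifetime change on both ends of the tunnel where possible. Workaround 2 is the quicker recovery once the symptom is present, but it does not prevent the stale entry from reappearing after the next data-based rekey.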
Further Problem Description
Side effect observed: a packet capture on the inside interface does not capture the affected incoming traffic. Packets decrypted from the VPN are captured, but the replies, which hit the outbound inactive IPsec SA, are not captured. Other traffic from the same host to different destinations is captured.