Symptom
1. Unable to initiate the IKE SA for a specific peer.
3. The following is seen in the output of unconditional IKEv2 debugs:
IKEv2:SA is already in negotiation, hence not negotiating again
3. Stale crypto session entry created for the peer (can be viewed in "show crypto session detail"):
Interface: (unknown)
Uptime: 00:00:00
Session status: DOWN-NEGOTIATING
Peer: 10.10.10.10 port 500 fvrf: fvrf1 ivrf: fvrf1
Desc: (none)
Phase1_id: (none)
Session ID: 4
IKEv2 SA: local 192.168.10.1/500 remote 10.10.10.10/500 Inactive
Capabilities:(none) connid:14 lifetime:0
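As an added defender-side check (example code, not part of the bug report), the following Python parses "show crypto session detail" output and flags entries carrying the stale-SA signature shown above: DOWN-NEGOTIATING, Uptime 00:00:00, an Inactive IKEv2 SA and lifetime:0. The sample output is constructed.

```python
import re

# Constructed sample of "show crypto session detail" output (not from the page):
# one healthy session and one showing the leaked-SA signature described above.
SAMPLE_OUTPUT = """\
Interface: Tunnel0
Uptime: 02:13:45
Session status: UP-ACTIVE
Peer: 10.10.10.20 port 500 fvrf: fvrf1 ivrf: fvrf1
  Session ID: 3
  IKEv2 SA: local 192.168.10.1/500 remote 10.10.10.20/500 Active
          Capabilities:(none) connid:12 lifetime:23:46:15

Interface: (unknown)
Uptime: 00:00:00
Session status: DOWN-NEGOTIATING
Peer: 10.10.10.10 port 500 fvrf: fvrf1 ivrf: fvrf1
  Session ID: 4
  IKEv2 SA: local 192.168.10.1/500 remote 10.10.10.10/500 Inactive
          Capabilities:(none) connid:14 lifetime:0
"""

# Per-field extractors; each captures the first match inside one session block.
_FIELDS = {
    "uptime": re.compile(r"Uptime:\s+(\S+)"),
    "status": re.compile(r"Session status:\s+(\S+)"),
    "peer": re.compile(r"Peer:\s+(\S+)\s+port"),
    "session_id": re.compile(r"Session ID:\s+(\d+)"),
    "sa_state": re.compile(r"IKEv2 SA:.*?remote\s+\S+\s+(\w+)"),
    "connid": re.compile(r"connid:(\d+)"),
    "lifetime": re.compile(r"lifetime:(\S+)"),
}

def parse_sessions(text):
    """Split the CLI output into per-session dicts, one per 'Interface:' block."""
    sessions = []
    for block in re.split(r"(?m)^Interface:", text)[1:]:
        entry = {"interface": block.splitlines()[0].strip()}
        for name, rx in _FIELDS.items():
            m = rx.search(block)
            entry[name] = m.group(1) if m else None
        sessions.append(entry)
    return sessions

def find_stale_sessions(text):
    """Return sessions matching the leaked-SA signature: DOWN-NEGOTIATING,
    zero uptime, Inactive IKEv2 SA with lifetime 0 (the state described above)."""
    return [s for s in parse_sessions(text)
            if s["status"] == "DOWN-NEGOTIATING" and s["uptime"] == "00:00:00"
            and s["sa_state"] == "Inactive" and s["lifetime"] == "0"]
```

Run it against a saved copy of the command output; a non-empty result from find_stale_sessions identifies the peer and connid of the leaked SA, which is the only state the workaround says a reload can clear.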
Conditions
1. Router (IOS/IOS-XE) terminating an IKEv2 VTI tunnel.
2. Traffic loss during IKE Rekey.
3. IKEv2 IETF Fragmentation configured and negotiated between the peers.
Workaround
To avoid this issue:
1. Disable IKEv2 Fragmentation OR
2. Configure the IKEv2 Fragmentation MTU such that the IKE rekey packets (CREATE_CHILD_SA) are not fragmented at the UDP layer.
If the SA has been leaked, to recover from the erroneous state, reload the router.
Further Problem Description