Symptom
IOS-XE routers with a "responder-only" configuration can run into this issue and start dropping traffic. This happens when the router reaches the soft limit of the volume lifetime: the IPSec tunnel is dropped before the initiator can start a rekey.
Conditions
This symptom is observed on IOS-XE running an IKEv1/IPSec tunnel with responder-only (under the ipsec-profile) enabled.
Workaround
If using the "responder-only" configuration, avoid this issue by either:
a. Disabling volume-based rekey:
   no crypto ipsec security-association lifetime kilobytes
or
b. Removing the "responder-only" configuration from the IPSec profile
Further Problem Description
The problem occurs only if the customer has the "responder-only" config and volume-based rekey.
In all other scenarios, deletion of SAs within 30 seconds is expected, as new SAs would have formed by then via rekey.
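To find affected profiles in a saved running-config, the following added example (not Cisco code) lists every IPSec profile that has responder-only set and reports whether volume-based rekey is still active for it. The sample config is constructed, and the script assumes that a disabled volume lifetime is rendered with the `kilobytes disable` keyword, either globally or under the profile; it does not check the IKE version.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto ipsec profile HUB-PROF
 set transform-set TS1
 responder-only
!
crypto ipsec profile SPOKE-PROF
 set transform-set TS1
!
crypto ipsec profile LAB-PROF
 set security-association lifetime kilobytes disable
 responder-only
!
interface Tunnel0
 tunnel protection ipsec profile HUB-PROF
"""

PROFILE_RE = re.compile(r"^crypto ipsec profile (\S+)\s*$")
# Assumption: disabled volume rekey appears with the "disable" keyword.
GLOBAL_OFF_RE = re.compile(
    r"^crypto ipsec security-association lifetime kilobytes disable\s*$")
LOCAL_OFF_RE = re.compile(
    r"^set security-association lifetime kilobytes disable\s*$")

def audit(config_text):
    """Map each responder-only profile to True if volume rekey is still on."""
    global_off = False
    profiles = {}   # name -> {"responder": bool, "local_off": bool}
    current = None
    for line in config_text.splitlines():
        if not line.startswith(" "):   # a top-level line closes any profile block
            m = PROFILE_RE.match(line)
            current = profiles.setdefault(
                m.group(1), {"responder": False, "local_off": False}) if m else None
            global_off = global_off or bool(GLOBAL_OFF_RE.match(line))
        elif current is not None:
            body = line.strip()
            current["responder"] |= body == "responder-only"
            current["local_off"] |= bool(LOCAL_OFF_RE.match(body))
    return {name: not (global_off or p["local_off"])
            for name, p in profiles.items() if p["responder"]}

if __name__ == "__main__":
    for name, exposed in audit(SAMPLE_CONFIG).items():
        print(name, "matches bug conditions" if exposed else "volume rekey disabled")
```

If your release renders a disabled volume lifetime differently in the running-config, adjust the two `*_OFF_RE` patterns to match.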