Symptom
After a policy change on KS, with the next scheduled rekey Primary Key Server first sends rekey to GM's and then forwards the information to secondary KS, thus GM's running IOS-XE devices which re-register themselves on receiving first rekey after a policy change, do not get new SPI's. Thus at SA expiration, they re-register themselves.
Conditions
Issue affecting only those GM's which have secondary key server as preferred one.
Workaround
Use manual rekey via "crypto gdoi ks rekey" instead of scheduled rekey.
