Symptom
When running IPSec sessions using DVTIs to clone the tunnel Virtual-Access interfaces (VAIs), prolonged tunnel churn caused by remote endpoints toggling their connections leaves some VAIs that are never cleared from the interface list, so the total number of VAIs slowly increases over time.
The affected VAIs can be identified because they remain indefinitely in Up/Down state on the device. Eventually the large number of VAIs leads to increased processing during bring-up of new incoming IPSec connections, because the router needs to check the tunnel-interface cache for the remote endpoint, in case an existing VAI can be reused, before cloning a new one from the VTemplate.
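One way to pick out the stuck interfaces described above, as an added example that is not part of the original note: it compares successive polls of `show ip interface brief` and reports VAIs that are up/down in every poll, plus the VAI total per poll. It assumes "Up/Down" means Status up with Protocol down in that output; the function names and all sample output are constructed for illustration.

```python
import re

def parse_vai_states(output):
    """Map each Virtual-Access interface to its (status, protocol) pair."""
    states = {}
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 6 and re.fullmatch(r"Virtual-Access\d+", f[0]):
            # Status may be two words ("administratively down"); Protocol is last.
            states[f[0]] = (" ".join(f[4:-1]), f[-1])
    return states

def persistent_up_down(snapshots):
    """VAIs that are up/down in every snapshot, i.e. never recovered or cleared."""
    stuck = None
    for output in snapshots:
        now = {n for n, s in parse_vai_states(output).items() if s == ("up", "down")}
        stuck = now if stuck is None else stuck & now
    return sorted(stuck or (), key=lambda n: int(n[len("Virtual-Access"):]))

def vai_counts(snapshots):
    """Total VAI count per snapshot; a steady rise matches the symptom."""
    return [len(parse_vai_states(output)) for output in snapshots]

# Constructed sample output from two polls (not captured from a real device).
POLL_1 = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.0.2.1       YES NVRAM  up                    up
Virtual-Access1        192.0.2.1       YES unset  up                    down
Virtual-Access2        192.0.2.1       YES unset  up                    up
Virtual-Access3        192.0.2.1       YES unset  up                    down
Virtual-Template1      192.0.2.1       YES unset  up                    down
"""
POLL_2 = """\
Interface              IP-Address      OK? Method Status                Protocol
Virtual-Access1        192.0.2.1       YES unset  up                    down
Virtual-Access2        192.0.2.1       YES unset  up                    up
Virtual-Access3        192.0.2.1       YES unset  up                    up
Virtual-Access4        192.0.2.1       YES unset  up                    down
Virtual-Access5        192.0.2.1       YES unset  administratively down down
Virtual-Template1      192.0.2.1       YES unset  up                    down
"""

if __name__ == "__main__":
    polls = [POLL_1, POLL_2]
    print("VAI totals per poll:", vai_counts(polls))
    print("up/down in every poll:", persistent_up_down(polls))
```

Treat a hit as a candidate only: an interface can legitimately be up/down while a session is being negotiated, so space the polls much further apart than normal tunnel setup time.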
Conditions
IOS-XE device running IPSec using DVTI interfaces to clone the incoming tunnel requests.