Symptom
On ASR1001x/1hx/2x/2hx in controller mode (SD-WAN).
The IPsec anti-replay drop counter may keep increasing on the router:
RTR1#sho platform hardware qfp active feature ipsec datapath drops
------------------------------------------------------------------------
Drop Type  Name                             Packets
------------------------------------------------------------------------
        4  IN_US_V4_PKT_SA_NOT_FOUND_SPI         15
       19  IN_OCT_ANTI_REPLAY_FAIL        193298532 <<<<<<<<<<<<<<<<<
Conditions
cEdge ASR1001x/1hx/2x/2hx platforms.
Occurs when the IPsec sequence number goes beyond the 32-bit range.
Workaround
- Shorten the IPsec rekey (lifetime) interval to reduce the chance of running out of 32-bit sequence numbers before the SA is rekeyed. The default rekey interval is 1 day.
- Perform a manual rekey with "request platform software sdwan security ipsec-rekey" to clear the condition.
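The following added example (not part of the bug page) parses two constructed samples of the datapath drops output to check whether IN_OCT_ANTI_REPLAY_FAIL is still climbing, and estimates whether a given rekey lifetime expires before the 32-bit ESP sequence space would be consumed at an observed packet rate. The sample counter values and the 60-second polling interval are assumptions.

```python
import re

# Constructed samples of "show platform hardware qfp active feature ipsec
# datapath drops" output, polled 60 s apart (values are made up).
SAMPLE_T0 = """\
Drop Type Name Packets
4 IN_US_V4_PKT_SA_NOT_FOUND_SPI 15
19 IN_OCT_ANTI_REPLAY_FAIL 193298532
"""
SAMPLE_T1 = """\
Drop Type Name Packets
4 IN_US_V4_PKT_SA_NOT_FOUND_SPI 15
19 IN_OCT_ANTI_REPLAY_FAIL 193305032
"""

# One table row: <drop type id> <name> <packet count>; header/separator lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s*$", re.M)
ANTI_REPLAY = "IN_OCT_ANTI_REPLAY_FAIL"
SEQ_MAX = 2**32 - 1  # largest 32-bit ESP sequence number


def parse_drops(text):
    """Return {drop_name: packets} from the drops table text."""
    return {name: int(pkts) for _, name, pkts in ROW.findall(text)}


def anti_replay_rate(before, after, interval_s):
    """Anti-replay drops per second between two polls (0 if the counter was cleared)."""
    delta = parse_drops(after).get(ANTI_REPLAY, 0) - parse_drops(before).get(ANTI_REPLAY, 0)
    return max(delta, 0) / interval_s


def seq_exhaustion_seconds(pps):
    """Seconds until the 32-bit sequence space is used up at pps packets per second."""
    return SEQ_MAX / pps


def lifetime_is_safe(pps, rekey_seconds=86400, margin=0.5):
    """True if the SA rekeys (default 1 day) well before the sequence space runs out.
    margin keeps headroom for traffic bursts above the measured rate."""
    return rekey_seconds <= margin * seq_exhaustion_seconds(pps)


if __name__ == "__main__":
    rate = anti_replay_rate(SAMPLE_T0, SAMPLE_T1, 60)
    print(f"anti-replay drops/s: {rate:.1f}")
    print(f"1-day rekey safe at 49,710 pps: {lifetime_is_safe(49710)}")
    print(f"1-hour rekey safe at 49,710 pps: {lifetime_is_safe(49710, 3600)}")
```

A non-zero rate between polls means the SA is still discarding traffic; a False from lifetime_is_safe indicates the rekey interval should be shortened.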
Further Problem Description