Symptom
Every 7 - 10 days an ASA begins to fail to rekey existing tunnels. All tunnels do not drop simultaneously, each tunnel goes down independently after attempting and failing to rekey. IPSec debugs show a failure to allocate a hardware context/create an SA:
IPSEC ERROR: Failed to allocate an outbound hardware context (rc: 0xFFFFFFFF), ctm_nlite_ipsec_alloc_hw_obsa:143
IPSEC ERROR: Failed to create outbound hardware SA for SPI 0xD6F20685
IPSEC ERROR: Failed to complete the UPDATE command from IKE
Jun 28 15:50:22 [IKEv1]Group = , IP = , Session is being torn down. Reason: Unknown
IPSEC ERROR: Invalid PF_Key DELETE - (scb_handle 0x0000000000000000, pfkey_sa_p 0x0000000000000000, spi 145335965) parameters
Conditions
Seen on an ASA 5508 running 9.16(3). There are 18 tunnels in total, a mixture of 10 dynamic crypto maps and 8 SVTI's.
Workaround
A reload is the only known way to recover.
