Symptom
SDWAN BFD may stay down due to IPSec anti-replay window drops.
The following log messages will be seen on the PEER:
1. IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:083 TS:00 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 2770, src_addr >, dest_addr , SPI 0x293
2. cpp_cp logs such as:
anti-replay drop on sa=0x1xxxx, src dst , spi 3855/(0xf0f), ip_id 43798, sns_idx 0, seq_no=5, ar_highest=2554
seq_no is very low compared to ar_highest.
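The cpp_cp drop line above is enough to tell this condition apart from an ordinary replay, because it carries both the packet's seq_no and the receiver's ar_highest. The following Python script is an added example, not Cisco code or output from any device: it parses cpp_cp lines in the layout quoted above, replays each dropped seq_no against an RFC 4303 style bitmap anti-replay window seeded at ar_highest, and flags drops where the gap exceeds the window (the stale-peer-sequence pattern of this bug) versus drops that are genuine replays. The SA handles, addresses and ip_id values in the sample lines are constructed placeholders, and the window size of 1024 is an assumption for illustration; the real window is whatever is configured on the platform.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample cpp_cp drop lines in the layout quoted in the bug text.
# SA handles, addresses and ip_id values are made-up placeholders, not real device data.
SAMPLE_CPP_LOGS = """\
anti-replay drop on sa=0x1a2b3, src 192.0.2.1 dst 192.0.2.2, spi 3855/(0xf0f), ip_id 43798, sns_idx 0, seq_no=5, ar_highest=2554
anti-replay drop on sa=0x1a2b3, src 192.0.2.1 dst 192.0.2.2, spi 3855/(0xf0f), ip_id 43799, sns_idx 0, seq_no=6, ar_highest=2554
anti-replay drop on sa=0x1a2b4, src 192.0.2.3 dst 192.0.2.2, spi 4000/(0xfa0), ip_id 100, sns_idx 0, seq_no=2554, ar_highest=2554
"""

DROP_RE = re.compile(
    r"anti-replay drop on sa=(?P<sa>0x[0-9a-fA-F]+).*?"
    r"spi (?P<spi>\d+).*?seq_no=(?P<seq>\d+), ar_highest=(?P<hi>\d+)"
)


def parse_drops(text: str) -> List[Dict[str, int]]:
    """Extract sa, spi, seq_no and ar_highest from each cpp_cp anti-replay drop line."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append({"sa": int(m["sa"], 16), "spi": int(m["spi"]),
                          "seq_no": int(m["seq"]), "ar_highest": int(m["hi"])})
    return drops


class AntiReplayWindow:
    """Bitmap sliding window in the style of RFC 4303 Appendix A.

    Bit i of `bitmap` is set when sequence number (highest - i) has been accepted.
    The window size (1024 here) is an assumption, not the platform's configured value.
    """

    def __init__(self, size: int = 1024, highest: int = 0):
        self.size = size
        self.highest = highest
        self.bitmap = 1  # the current highest sequence number counts as already seen

    def check(self, seq: int) -> Tuple[bool, str]:
        if seq > self.highest:
            shift = seq - self.highest
            # slide the window forward; anything older than `size` falls off the end
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True, "accepted-new-highest"
        offset = self.highest - seq
        if offset >= self.size:
            return False, "below-window"      # too old: the symptom seen in this bug
        if (self.bitmap >> offset) & 1:
            return False, "replay"            # already accepted once: a true replay
        self.bitmap |= 1 << offset
        return True, "accepted-in-window"


def classify_drops(drops: List[Dict[str, int]], window_size: int = 1024) -> List[Dict]:
    """Replay each dropped seq_no against a window seeded at ar_highest.

    A drop is tagged stale_peer_seq when seq_no sits below the whole window, i.e. the
    sender restarted its sequence numbers while the receiver kept its old ar_highest.
    """
    result = []
    for d in drops:
        win = AntiReplayWindow(window_size, highest=d["ar_highest"])
        accepted, reason = win.check(d["seq_no"])
        gap = d["ar_highest"] - d["seq_no"]
        result.append({**d, "gap": gap, "reason": reason,
                       "stale_peer_seq": (not accepted) and gap >= window_size})
    return result


def stale_sas(classified: List[Dict]) -> set:
    """SA handles that show the stale-sequence pattern and are candidates for the workaround."""
    return {c["sa"] for c in classified if c["stale_peer_seq"]}


if __name__ == "__main__":
    for c in classify_drops(parse_drops(SAMPLE_CPP_LOGS)):
        print(f"sa=0x{c['sa']:x} spi={c['spi']} seq_no={c['seq_no']} "
              f"ar_highest={c['ar_highest']} gap={c['gap']} {c['reason']} "
              f"stale={c['stale_peer_seq']}")
```

Run on a cpp_cp capture, the script separates SAs whose drops are all far below the window (the state to clear with the workaround) from SAs that drop the odd duplicate, which the anti-replay check is meant to reject and which needs no action.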
Conditions
May happen after a CC flap on the WAN interface followed by a port-hop.
Workaround
clear sdwan omp all (on the router that has the low sequence number)
Further Problem Description
Affects only devices that have the fix for CSCwb07307.
The sequence number can be verified without using cpp logs:
step 1: collect "show platform hardware qfp active feature ipsec data crypto-sa in" on the router with IPSec anti-replay logs
step 2: on the same peer collect "show platform hardware qfp active feature ipsec data crypto-sa "
step 3: collect "show platform hardware qfp active feature ipsec data crypto-sa out" on the remote router
step 4: on the same peer collect "show platform hardware qfp active feature ipsec data crypto-sa "
The difference between the ar numbers collected in steps 2 and 4 will be above 8K.