After an HA cluster upgrade from R80.20 to R80.40 with the latest jumbo take 118, we started facing issues with 2 VPN tunnels which use IKEv2. One of them is with a Palo Alto device, and the other one is with Azure. We opened a case with TAC and they gave us a custom patch which was supposed to improve things or fix the issues, but unfortunately that did not happen. This is not the first time we have had VPN issues after an upgrade to R80.40. The previous time it was related to gateways which have a dual-ISP setup. We have "keep_IKE_SAs" enabled in the Global Properties -> Advanced settings. We were also advised to enable the delete_ikev2sa_before_init_ex option, but that didn't help either. We are still receiving logs like:
Informational exchange: Sending notification to peer: Invalid IKE SPI IKE SPIs: 2d49d13048e8c3d7:136debd1278baccd
We asked the 3rd parties to reset the tunnels on their end, so they can generate new keys, but it didn't help either.
Did anyone have similar problems?