Experiencing tunnel failures periodically and receiving these messages at the Head End Router in front of they Key Server roughly at the same time the remote router is dropping the tunnel.

%GDOI-3-REPLAY_FAILED: An anti replay check has failed in group gdoi-group. my_pseudotime is 184467440722644365.83 secs, peer_pseudotime is 184467440722644223.30 secs, replay_window is 5 (second)

The tunnel recovers itself within 10 - 15 minutes. Difficulty has been trying to catch the problem as it happens so I can gather more information. Logging messages aren't providing any more than the above.

Remote Router shows - nothing more than Tunnel recovered

Checking the System Messages, it says this is informational and no action is necessary. Yet in other searches I have found this may be due to;

- fragmentation (ruled this out)

- traffic load (not seeing anything that leads to this)

- too short a time replay windows (thinking this may be something to look into)

Before I changed the the anti-replay time window size on the key server I was looking for some advice;

1) Am I on the right path

2) Are there other steps to take to zero in on the problem as it's happening (hard to predict when and where - over 50 remote sites)

3) If I change the anti-replay time window size, will it disrupt communications to the remote sites when the new value is pushed out from the Key Server

Key Server Config for reference

crypto gdoi group gdoi-group
identity number 1
server local
  rekey lifetime seconds 10800
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa xyzxyz
  rekey transport unicast
  sa ipsec 1
   profile gdoi-profile
   match address ipv4 sa-acl
   replay time window-size 5
  address ipv4 1.2.3.4

Thanks in advance