If R1 loses VPN connectivity, sometimes the other end will not realize that the tunnel is down. R1 will then try to bring up the tunnel with a different SPI (that's normal), but R2 already has a tunnel with the old SPI for that peer and flags the log message that you have.
You may not be able to activate that kind of function on your non-Cisco device. But I don't know if there's another way to solve that on the Cisco device.
The problem I am facing is on the Cisco ISR device. The other end VPN device (non-Cisco) tries to start the VPN sessions, but the Cisco VPN's old tunnel is there and it will not re-establish the connections.
The problem continues for so many hours and I have to manually re-establish the connection.
As per the Cisco document, the keepalive packets are sent every 10 seconds (30 sec for me) by default. Once three packets are missed, an IPSec termination point concludes that it has lost connectivity with its peer.
The IPSec SA (phase 2) has a 3600-second lifetime by default, I think, and the ISAKMP (phase 1) has 86400. But some non-Cisco devices don't permit modifying these settings, so try to bring the Cisco phase 1 and 2 lifetimes to their default values, or modify the non-Cisco device's lifetimes to those that your Cisco has.