
IPsec: Is it normal to see packet drops during SA re-keying? In our environment we are noticing packet drops (with reason "No SA Found") during the SA re-keying. The traffic rate is about 1.2 Gbps (pkt size: 800 bytes) and the packet drops are about 200-300 packets in one hour, happening during re-keying. Is this normal? The RFC seems to acknowledge that this drop CAN happen and implementations MAY provide a solution for this. Strongswan seems to have decided not to fix this. Our IP stack is proprietary, however I would like to know if these drops are seen on other implementations like Cisco or Juniper and so on. Also, what is normally the lifetime configured for an SA? We are using 1 hour, but what is normally used in real production networks?

Yes, this is quite common and I've seen it first hand for many years on both Cisco (ASA) and Juniper (SSG/SRX).

As for the amount being dropped, it will depend on your PPS and your SA timer, but I generally see 1-2 seconds of loss during a re-key.
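To make the mechanism behind the "No SA Found" drops concrete, here is an added Python model that is not part of the question or answer above and not the code of any IPsec implementation. It assumes a toy inbound SAD keyed by SPI, a single rekey event that installs a new child SA, and a packet stream whose sender keeps using the old SPI for a constructed `switch_delay_us` after the rekey (the peer's switchover time plus packets already in flight). If the receiver deletes the old inbound SA at the moment of the rekey, every old-SPI packet arriving in that window fails the SAD lookup; keeping the old inbound SA alive for a short grace period, which RFC 4301 permits, closes the window. The SPI values, rates and delays are constructed for the example.

```python
"""Toy model of the IPsec rekey window that produces "No SA Found" drops.

Constructed example: times are integer microseconds so the packet
schedule is exact and the drop count is deterministic.
"""
from dataclasses import dataclass, field

OLD_SPI = 0xC0000001  # constructed SPI of the child SA being replaced
NEW_SPI = 0xC0000002  # constructed SPI of the freshly negotiated child SA


@dataclass
class InboundSAD:
    """Minimal inbound Security Association Database: SPI -> validity window."""
    # spi -> (valid_from_us, valid_until_us); the end is exclusive
    entries: dict = field(default_factory=dict)

    def install(self, spi: int, valid_from_us: int, valid_until_us: int) -> None:
        self.entries[spi] = (valid_from_us, valid_until_us)

    def lookup(self, spi: int, now_us: int) -> bool:
        """True if a packet carrying `spi` at time `now_us` maps to a live SA."""
        window = self.entries.get(spi)
        if window is None:
            return False
        start, end = window
        return start <= now_us < end


def pps_from_rate(bits_per_second: int, packet_bytes: int) -> int:
    """Packets per second carried by a link rate at a fixed packet size."""
    return bits_per_second // (packet_bytes * 8)


def simulate_rekey(pps: int, duration_us: int, rekey_at_us: int,
                   switch_delay_us: int, grace_us: int) -> tuple[int, int]:
    """Return (dropped, total) packets for one rekey event.

    The receiver installs NEW_SPI at `rekey_at_us` and keeps OLD_SPI alive
    for `grace_us` beyond that.  The sender only starts using NEW_SPI
    `switch_delay_us` after the rekey, so old-SPI packets arriving after
    the old SA has been removed are counted as "No SA Found" drops.
    """
    sad = InboundSAD()
    sad.install(OLD_SPI, 0, rekey_at_us + grace_us)
    sad.install(NEW_SPI, rekey_at_us, duration_us)

    dropped = total = 0
    n_packets = pps * duration_us // 1_000_000
    for k in range(n_packets):
        arrival_us = k * 1_000_000 // pps
        spi = OLD_SPI if arrival_us < rekey_at_us + switch_delay_us else NEW_SPI
        total += 1
        if not sad.lookup(spi, arrival_us):
            dropped += 1
    return dropped, total


if __name__ == "__main__":
    # Constructed scenario: 100k pps, rekey at t=1s, peer switches SPI 0.5s later.
    for grace in (0, 200_000, 1_000_000):
        dropped, total = simulate_rekey(100_000, 3_000_000, 1_000_000, 500_000, grace)
        print(f"grace={grace / 1e6:.1f}s: {dropped} of {total} packets dropped")
    print("pps at 1.2 Gbps with 800-byte packets:", pps_from_rate(1_200_000_000, 800))
```

The useful takeaway is the shape of the result rather than the exact numbers: the drop count is the product of packet rate and the interval between the old inbound SA disappearing and the last old-SPI packet arriving, so it scales with PPS and with the peer's switchover latency, and it goes to zero as soon as the grace period covers that latency. Comparing a stack's measured loss against `pps * switch_delay` is a quick way to tell whether it keeps the old inbound SA around at all.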
