If the central firewall receives an unknown SPI and is unable to resolve the peer to an object (in the event the peer has a dynamically assigned IP address) then it will try to pull the SPI from the crash recovery database to send the delete. The issue here is that the firewall is not properly storing the information in the crash recovery database and thus cannot send a delete message to inform the peer to delete the SA and renegotiate the tunnel.