Traffic stops passing at certain times over the Site to Site VPN between a Check Point Cluster in High Availability mode and a 3rd party VPN peer
Site to Site VPN tunnel disconnects during IKEv2 renegotiation between the Check Point ClusterXL in High Availability mode and a 3rd party VPN peer.
Traffic capture (or IKE debug) shows that when the 3rd party VPN peer sends the IKE "Child SA" packet, the Check Point ClusterXL responds with the "Invalid SPI" packet.
Traffic capture (or IKE debug) shows that the Check Point ClusterXL keeps sending the IKE Phase 2 "Child SA" packets with the SPI from the previous IKE negotiation.
The Site to Site VPN tunnel starts passing traffic again in these cases:
The cluster does not delete the IKE SA correctly during the cluster synchronization.
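To triage a capture or IKE debug for the two symptoms described above, the following added example (not Check Point code) scans decoded IKE messages for an "Invalid SPI" reply to the peer's "Child SA" packet and for cluster "Child SA" packets that still use an older SPI. The record layout, the names `IkeMsg` and `find_symptoms`, and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

INVALID = "Invalid SPI"   # notify wording as given in the symptom description

@dataclass(frozen=True)
class IkeMsg:             # hypothetical record layout, one per IKE packet
    t: float              # capture time, seconds
    sender: str           # "cluster" or "peer"
    exchange: str         # IKEv2 exchange type name
    ike_spi: str          # IKE SA SPI from the packet header
    notify: str = ""      # decoded notify, empty if none

def find_symptoms(msgs):
    """Return (time, symptom, spi) for each match of the two patterns."""
    findings, seen, pending = [], [], set()
    for m in sorted(msgs, key=lambda m: m.t):
        if m.ike_spi not in seen:
            seen.append(m.ike_spi)        # last entry = newest negotiation
        child = m.exchange == "CREATE_CHILD_SA"
        if m.sender == "peer" and child:
            pending.add(m.ike_spi)        # peer request awaiting cluster reply
        elif m.sender == "cluster" and m.ike_spi in pending:
            pending.discard(m.ike_spi)
            if m.notify == INVALID:
                findings.append((m.t, "invalid_spi_reply", m.ike_spi))
        elif m.sender == "cluster" and child and m.ike_spi != seen[-1]:
            findings.append((m.t, "stale_spi_child_sa", m.ike_spi))
    return findings

# Constructed sample: SPI "aaaa" is the old negotiation, "bbbb" the new one.
SAMPLE = [
    IkeMsg(0.0, "peer", "IKE_SA_INIT", "aaaa"),
    IkeMsg(0.1, "cluster", "IKE_SA_INIT", "aaaa"),
    IkeMsg(3600.0, "peer", "IKE_SA_INIT", "bbbb"),
    IkeMsg(3600.1, "cluster", "IKE_SA_INIT", "bbbb"),
    IkeMsg(3600.5, "peer", "CREATE_CHILD_SA", "bbbb"),
    IkeMsg(3600.6, "cluster", "INFORMATIONAL", "bbbb", INVALID),
    IkeMsg(3610.0, "cluster", "CREATE_CHILD_SA", "aaaa"),
    IkeMsg(3620.0, "cluster", "CREATE_CHILD_SA", "aaaa"),
]
# Constructed healthy variant: the cluster answers the peer's request normally.
HEALTHY = SAMPLE[:5] + [IkeMsg(3600.6, "cluster", "CREATE_CHILD_SA", "bbbb")]

if __name__ == "__main__":
    for finding in find_symptoms(SAMPLE):
        print(finding)
```

Treating the most recently first-seen SPI as the current negotiation is a heuristic for this sketch; with IKE debug output available, the SPI of the active IKE SA can be taken from the debug directly.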