Overall the new 6wind behaves much better. However, there are still some cases where StrongSwan fails to remove IKE/IPsec SAs. The tunnel below, for example, was deleted by the client but persists on the FSG even after it should have expired. The other tunnels from this client were removed without issue. The charon log for this tunnel mentions delaying task initiation:

Jan 31 17:57:02.732 13[IKE] queueing CHILD_REKEY task
Jan 31 17:57:02.733 13[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 18:20:28.732 09[IKE] queueing CHILD_REKEY task
Jan 31 18:20:28.732 09[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 19:52:17.732 14[IKE] queueing CHILD_DELETE task
Jan 31 19:52:17.732 14[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 19:52:17.733 07[IKE] queueing CHILD_DELETE task
Jan 31 19:52:17.733 07[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 20:05:40.401 08[IKE] queueing CHILD_REKEY task
Jan 31 20:05:40.401 08[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 20:22:11.392 06[IKE] queueing CHILD_REKEY task
Jan 31 20:22:11.392 06[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 21:30:41.391 08[IKE] queueing CHILD_DELETE task
Jan 31 21:30:41.391 08[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 21:30:41.401 07[IKE] queueing CHILD_DELETE task
Jan 31 21:30:41.401 07[IKE] delaying task initiation, INFORMATIONAL exchange in progress

ikev2-conn-qa: #68486, ESTABLISHED, IKEv2, f95a227d122d94df_i f2c954770b0a70f9_r*
  local 'C=US, ST=IL, L=Lisle, O=Labs, OU=QA, CN=site1pair2' @ 2001:1890:111b:7001:2::1[500]
  remote 'ST=IL, L=Lisle, O=Labs, OU=QA, CN=ss02-405' @ 2001:41:0:1e:2222::195[500] [2001:1890:111b:6ab2::4a4]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
  established 85430s ago, rekeying in 7172s
  queued: CHILD_REKEY CHILD_REKEY CHILD_DELETE CHILD_DELETE CHILD_REKEY CHILD_REKEY CHILD_DELETE CHILD_DELETE
  active: IKE_DPD
  ikev2-conn-qa: #103176, reqid 1812, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_1024/ESN
    installed 89101s ago, rekeying in -56416s, expires in -49501s
    in c5edf2c3, 0 bytes, 0 packets
    out cc5c9d9a, 0 bytes, 0 packets
    local 2001:1890:111b:7001:2::1/128
    remote 2001:1890:111b:6ab2::4a4/128
  ikev2-conn-qa: #104206, reqid 1812, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_1024/ESN
    installed 83197s ago, rekeying in -48698s, expires in -43597s
    in cfe165cf, 0 bytes, 0 packets
    out c1f88ca9, 0 bytes, 0 packets
    local 2001:1890:111b:7001:2::1/128
    remote 2001:1890:111b:6ab2::4a4/128

I manually deleted the IKE SA on A2 (backup) first then B2 (master). B2 did not remove the SA and spit out some errors.

[root@FUSQALA2 advantis]# swanctl -t -I 68486
terminate completed successfully

[root@FUSQALB2 advantis]# swanctl -t -I 68486
[KNL] querying SAD entry with SPI c5edf2c3 failed: No such process (3)
[KNL] querying SAD entry with SPI cc5c9d9a failed: No such process (3)
[KNL] querying SAD entry with SPI cfe165cf failed: No such process (3)
[KNL] querying SAD entry with SPI c1f88ca9 failed: No such process (3)
[KNL] querying SAD entry with SPI c5edf2c3 failed: No such process (3)
[KNL] querying SAD entry with SPI cc5c9d9a failed: No such process (3)
[KNL] querying SAD entry with SPI cfe165cf failed: No such process (3)
[KNL] querying SAD entry with SPI c1f88ca9 failed: No such process (3)
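
An added example, not part of the original report or of strongSwan: a small monitoring check that reads SA listing text shaped like the output above and flags CHILD_SAs whose "expires in" value is negative and IKE_SAs with a backlog of queued tasks. The function name, the `max_queued` threshold and the healthy CHILD_SA #999999 in the sample are assumptions made for illustration.

```python
import re

# Sample trimmed from the SA listing in the report; the healthy
# CHILD_SA #999999 is constructed here for contrast.
SAMPLE = """\
ikev2-conn-qa: #68486, ESTABLISHED, IKEv2, f95a227d122d94df_i f2c954770b0a70f9_r*
  established 85430s ago, rekeying in 7172s
  queued: CHILD_REKEY CHILD_REKEY CHILD_DELETE CHILD_DELETE
  active: IKE_DPD
  ikev2-conn-qa: #103176, reqid 1812, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_1024/ESN
    installed 89101s ago, rekeying in -56416s, expires in -49501s
  ikev2-conn-qa: #999999, reqid 1812, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_1024/ESN
    installed 120s ago, rekeying in 3000s, expires in 3600s
"""

# Patterns are matched on stripped lines, so lost indentation does not matter.
IKE_RE = re.compile(r"^\S+: #(\d+), \w+, IKEv[12]")
CHILD_RE = re.compile(r"^\S+: #(\d+), reqid \d+")
QUEUED_RE = re.compile(r"^queued:\s+(.*)$")
EXPIRES_RE = re.compile(r"expires in (-?\d+)s")


def find_stale_sas(text, max_queued=2):
    """Return (kind, unique_id, reason) for SAs that look stuck.

    max_queued is an assumed alerting threshold, not a strongSwan setting.
    """
    findings = []
    ike = child = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IKE_RE.match(line):
            ike, child = int(m.group(1)), None      # new IKE_SA block
        elif m := CHILD_RE.match(line):
            child = int(m.group(1))                 # CHILD_SA under current IKE_SA
        elif (m := QUEUED_RE.match(line)) and ike is not None and child is None:
            n = len(m.group(1).split())
            if n > max_queued:
                findings.append(("ike", ike, f"{n} tasks queued"))
        elif (m := EXPIRES_RE.search(line)) and child is not None:
            secs = int(m.group(1))
            if secs < 0:                            # hard lifetime already passed
                findings.append(("child", child, f"expired {-secs}s ago"))
    return findings


if __name__ == "__main__":
    for kind, uid, reason in find_stale_sas(SAMPLE):
        print(f"{kind.upper()}_SA #{uid}: {reason}")
```
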