You can enable automatic recovery when peers in a security association (SA) become unsynchronized. When peers become unsynchronized, this can cause the transmission of packets with invalid security parameter index (SPI) values and the dropping of those packets by the receiving peer. You can enable automatic recovery by using the new respond-bad-spi max-responses configuration statement, which appears under the hierarchy level [edit services ipsec-vpn ike policy]. This statement results in a resynchronization of the SAs.