Netgate Discussion Forum
    Mobile clients(roadwarriors) IKEv2 PSK reauthentication issue

      laped

      I have about 100 RW clients that are connecting to a pfSense 2.2.6 and am seeing something odd when the clients are reauthenticating the IKE_SA. Can anybody tell me why two different virtual IPs are received within 1 second? On the pfSense side I see that the same two roadwarriors are "fighting" between the two virtual IPs, so if one gets 10.75.4.75 the other will get 10.75.4.54.

      pfSense WAN IP: 200.100.10.1
      rwclient IP: 192.168.248.17

      daemon.info charon: 10[IKE] sending keep alive to 200.100.10.1[4500]
      daemon.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
      authpriv.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
      daemon.info charon: 11[IKE] installing new virtual IP 10.75.4.75
      daemon.info charon: 11[IKE] initiating IKE_SA roadwarrior[2] to 200.100.10.1
      authpriv.info charon: 11[IKE] initiating IKE_SA roadwarrior[2] to 200.100.10.1
      daemon.info charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) V ]
      daemon.info charon: 11[NET] sending packet: from 192.168.248.17[4500] to 200.100.10.1[4500] (384 bytes)
      daemon.info charon: 16[NET] received packet: from 200.100.10.1[4500] to 192.168.248.17[4500] (320 bytes)
      daemon.info charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
      daemon.info charon: 16[IKE] local host is behind NAT, sending keep alives
      daemon.info charon: 16[IKE] authentication of 'rwclient' (myself) with pre-shared key
      daemon.info charon: 16[IKE] establishing CHILD_SA roadwarrior
      authpriv.info charon: 16[IKE] establishing CHILD_SA roadwarrior
      daemon.info charon: 16[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
      daemon.info charon: 16[NET] sending packet: from 192.168.248.17[4500] to 200.100.10.1[4500] (330 bytes)
      daemon.info charon: 13[NET] received packet: from 200.100.10.1[4500] to 192.168.248.17[4500] (267 bytes)
      daemon.info charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
      daemon.info charon: 13[IKE] authentication of 'roadwarriorvpn-1' with pre-shared key successful
      daemon.info charon: 13[IKE] IKE_SA roadwarrior[2] established between 192.168.248.17[rwclient]…200.100.10.1[roadwarriorvpn-1]
      authpriv.info charon: 13[IKE] IKE_SA roadwarrior[2] established between 192.168.248.17[rwclient]…200.100.10.1[roadwarriorvpn-1]
      daemon.info charon: 13[IKE] scheduling reauthentication in 27604s
      daemon.info charon: 13[IKE] maximum IKE_SA lifetime 28204s
      daemon.info charon: 13[IKE] installing new virtual IP 10.75.4.54
      daemon.info charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      daemon.info charon: 13[IKE] CHILD_SA roadwarrior{4} established with SPIs ca8a86af_i ce37776b_o and TS 10.75.4.54/32 === 10.75.0.0/16
      authpriv.info charon: 13[IKE] CHILD_SA roadwarrior{4} established with SPIs ca8a86af_i ce37776b_o and TS 10.75.4.54/32 === 10.75.0.0/16
      daemon.info charon: 13[IKE] received AUTH_LIFETIME of 28167s, scheduling reauthentication in 27567s
      daemon.info charon: 09[IKE] deleting IKE_SA roadwarrior[1] between 192.168.248.17[rwclient]…200.100.10.1[roadwarriorvpn-1]
      authpriv.info charon: 09[IKE] deleting IKE_SA roadwarrior[1] between 192.168.248.17[rwclient]…200.100.10.1[roadwarriorvpn-1]
      daemon.info charon: 09[IKE] sending DELETE for IKE_SA roadwarrior[1]
      daemon.info charon: 09[ENC] generating INFORMATIONAL request 4 [ D ]
      daemon.info charon: 09[NET] sending packet: from 192.168.248.17[4500] to 200.100.10.1[4500] (65 bytes)
      daemon.info charon: 05[NET] received packet: from 200.100.10.1[4500] to 192.168.248.17[4500] (57 bytes)
      daemon.info charon: 05[ENC] parsed INFORMATIONAL response 4 [ ]
      daemon.info charon: 05[IKE] IKE_SA deleted
      authpriv.info charon: 05[IKE] IKE_SA deleted

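As an added example (not part of the original post and not pfSense or strongSwan code), the following Python script parses charon log lines of the kind shown above, groups everything between a "reauthenticating IKE_SA" event and the matching "IKE_SA deleted" into one reauthentication window, and flags any window in which more than one virtual IP was installed. It also records the local /32 from the CHILD_SA traffic selector so the address that actually ended up in the policy can be compared with the last installed virtual IP. The sample input is a trimmed copy of the poster's own log lines; the class and function names are my own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the poster's charon lines above, trimmed to the relevant events.
# Each message appears twice in the original (daemon.info and authpriv.info), as here.
SAMPLE_LOG = """\
daemon.info charon: 10[IKE] sending keep alive to 200.100.10.1[4500]
daemon.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
authpriv.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
daemon.info charon: 11[IKE] installing new virtual IP 10.75.4.75
daemon.info charon: 11[IKE] initiating IKE_SA roadwarrior[2] to 200.100.10.1
daemon.info charon: 13[IKE] IKE_SA roadwarrior[2] established between 192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
daemon.info charon: 13[IKE] scheduling reauthentication in 27604s
daemon.info charon: 13[IKE] installing new virtual IP 10.75.4.54
daemon.info charon: 13[IKE] CHILD_SA roadwarrior{4} established with SPIs ca8a86af_i ce37776b_o and TS 10.75.4.54/32 === 10.75.0.0/16
daemon.info charon: 09[IKE] deleting IKE_SA roadwarrior[1] between 192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
daemon.info charon: 05[IKE] IKE_SA deleted
authpriv.info charon: 05[IKE] IKE_SA deleted
"""

REAUTH_RE = re.compile(r"reauthenticating IKE_SA (\S+)\[(\d+)\]")
VIP_RE = re.compile(r"installing new virtual IP (\d+\.\d+\.\d+\.\d+)")
ESTAB_RE = re.compile(r"IKE_SA (\S+)\[(\d+)\] established")
TS_RE = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs \S+ \S+ and TS (\d+\.\d+\.\d+\.\d+)/32")
DELETED_RE = re.compile(r"IKE_SA deleted")


@dataclass
class ReauthWindow:
    """Everything logged between 'reauthenticating IKE_SA' and 'IKE_SA deleted'."""
    conn: str                      # connection name, e.g. roadwarrior
    old_id: int                    # unique id of the SA being replaced
    new_id: Optional[int] = None   # unique id of the replacement SA, once established
    virtual_ips: List[str] = field(default_factory=list)  # in order of installation
    child_ts_local: Optional[str] = None  # local /32 from the CHILD_SA traffic selector
    closed: bool = False


def parse_reauth_windows(lines) -> List[ReauthWindow]:
    windows: List[ReauthWindow] = []
    current: Optional[ReauthWindow] = None
    prev_msg = None
    for line in lines:
        # charon logs each message once per facility; drop the consecutive duplicate.
        msg = line.split("charon: ", 1)[-1]
        if msg == prev_msg:
            continue
        prev_msg = msg

        m = REAUTH_RE.search(msg)
        if m:
            current = ReauthWindow(conn=m.group(1), old_id=int(m.group(2)))
            windows.append(current)
            continue
        if current is None or current.closed:
            continue  # events outside a reauthentication window are not of interest here
        m = VIP_RE.search(msg)
        if m:
            if m.group(1) not in current.virtual_ips:
                current.virtual_ips.append(m.group(1))
            continue
        m = ESTAB_RE.search(msg)
        if m and m.group(1) == current.conn:
            current.new_id = int(m.group(2))
            continue
        m = TS_RE.search(msg)
        if m:
            current.child_ts_local = m.group(1)
            continue
        if DELETED_RE.search(msg):
            current.closed = True
    return windows


def find_address_churn(lines):
    """Return (conn, old_id, new_id, ips) for every reauthentication that installed
    more than one distinct virtual IP, i.e. the symptom described in the post."""
    return [(w.conn, w.old_id, w.new_id, list(w.virtual_ips))
            for w in parse_reauth_windows(lines) if len(w.virtual_ips) > 1]


if __name__ == "__main__":
    for conn, old, new, ips in find_address_churn(SAMPLE_LOG.splitlines()):
        print(f"{conn}[{old}] -> [{new}]: virtual IP changed {' -> '.join(ips)}")
```

Run against a client's syslog (for example `grep charon /var/log/syslog | python3 reauth_churn.py` after replacing `SAMPLE_LOG` with stdin) to list every reauthentication in which the address changed; a window whose last virtual IP differs from `child_ts_local` would indicate the traffic selector and the installed address disagree, which the poster's log does not show (both are 10.75.4.54).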