IPIP virtual interface experiencing discards

I've established route-based IPSec connection via IPIP tunnel to Amazon (using StrongSwan), and on tunnel statistics I see incrementing discards. On physical interface there was some discards too, but I increased the ring buffer (ethtool -G). So now physical interface is OK.

I can't imagine where could be a problem. Because IPSec tunnel is Up. But increasing discards on that particular interface getting me nervous..

VTI_awssg1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1422
    inet 169.254.134.26  netmask 255.255.255.252  destination 169.254.134.25
    inet6 fe80::200:5efe:b954:3ce9  prefixlen 64  scopeid 0x20<link>
    tunnel   txqueuelen 1000  (IPIP Tunnel)
    RX packets 164515900  bytes 18901337790 (17.6 GiB)
    **RX errors 206912  dropped 206912**  overruns 0  frame 0
    TX packets 110799736  bytes 85951146842 (80.0 GiB)
    TX errors 6  dropped 0 overruns 0  carrier 6  collisions 0

OS: Centos 7.9

Any help ? Thanks

The problem was with replay window setting. Default Strongswan value of 32 was too small. Increased it to 1024 - errors disappeared.

It's a very interesting question.

I've looked into the source code.

Seems like there is only single line related with incrementing of these counters.

Unfortunately you should use the kernel with enabled CONFIG_XFRM_STATISTICS option to see the exact reasons of these errors.

The brief description of errors read in the kernel documentation. More detailed meaning of these metrics you can see in the source code of xfrm_input functiion.