I have some more info (this time from physical machines): After a switchover I can see incoming flow on enc0 on the new master, and it IS decoded correctly. It is just not pushed out into the protected network.
Additionally, the replay counters seem to be all in sync except for one - return tunnel to client on a backup node has replay counter increased by 16384 (for example replay: rpl 167 on master and replay: rpl 16551 on backup). -- Paweł Kraszewski