When Node-A sent a 1500-byte packet to Node-B, Node-A marked the
IPsec-SA as used and counted up its used-bytes. But the packet may
be lost. In this case, Node-B can't count the used-bytes. Even if
Node-A thinks the IPsec-SA is expired at this time, Node-B doesn't
think so, i.e. the states of the IPsec-SA are mismatched.
Racoon's strategy of rekeying is "the initiator does it." If Node-B
is the responder, Node-A doesn't start rekeying even if the IPsec-SA is

That sounds like a bug in racoon. It seems that if either end is
unsatisfied with the SA, that end should trigger a new one. But the key
question is what the other implementations do, and what the standard says.
That said, I can see the argument that especially with a 24h or less
lifetime, AES doesn't need volume-based rekeying.
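A toy model of the counter drift described in the first message and of the two rekeying policies the reply contrasts, added here as an example and not taken from racoon or from either poster. The soft and hard byte limits, the packet sizes and which packets are lost are constructed values.

```python
# Toy model of one IPsec SA as seen from both ends (constructed example, not
# racoon code). Packets lost in transit are counted by the sender only.
from dataclasses import dataclass

SOFT_LIMIT = 12000  # bytes after which rekeying should start (constructed)
HARD_LIMIT = 15000  # bytes after which the SA may not be used (constructed)


@dataclass
class SaEndpoint:
    name: str
    initiator: bool  # was this end the IKE initiator for the SA?
    used_bytes: int = 0
    rekey_requested: bool = False

    def account(self, nbytes: int, policy: str) -> None:
        """Count nbytes on the SA; decide whether this end starts a rekey.
        "initiator_only" is racoon's strategy, "either_end" is what the
        reply suggests: whichever end crosses the soft limit rekeys."""
        self.used_bytes += nbytes
        if self.used_bytes >= SOFT_LIMIT and not self.rekey_requested:
            if policy == "either_end" or self.initiator:
                self.rekey_requested = True

    def expired(self) -> bool:
        return self.used_bytes >= HARD_LIMIT


def simulate(policy: str, packet_sizes, lost: set, a_is_initiator: bool):
    """Node-A sends packet_sizes to Node-B; indexes in `lost` are dropped
    after Node-A has already counted them. Returns both endpoint states."""
    a = SaEndpoint("Node-A", a_is_initiator)
    b = SaEndpoint("Node-B", not a_is_initiator)
    for i, size in enumerate(packet_sizes):
        a.account(size, policy)
        if i not in lost:
            b.account(size, policy)
    return a, b


def rekey_missed(a: SaEndpoint, b: SaEndpoint) -> bool:
    """True when one end already treats the SA as expired but nobody started
    a rekey: the state mismatch the thread describes."""
    return (a.expired() or b.expired()) and not (a.rekey_requested or b.rekey_requested)


if __name__ == "__main__":
    # Ten 1500-byte packets, three lost in transit (constructed traffic).
    for policy in ("initiator_only", "either_end"):
        a, b = simulate(policy, [1500] * 10, {2, 5, 7}, a_is_initiator=False)
        print(f"{policy}: A={a.used_bytes} B={b.used_bytes} missed={rekey_missed(a, b)}")
```

With Node-A as the responder, racoon's policy leaves Node-A at its hard limit while Node-B is still below the soft limit, so no one rekeys; the either-end policy has Node-A request a rekey at the soft limit instead.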