Core issue
The %VPN-SM-4-ICPUPP9 error occurs because IP Security (IPSec) packets fail the anti-replay check. The IPsec packets fails the anti replay checks because the packet does not fit into the 64-packet anti-replay window. A sliding window performs the anti-replay check to prevent replay attacks.
The most common cause is the use of Quality of Service (QoS) in the network. QoS causes some packets to be prioritized over others. As a result, some packets arrive late, and are out of window. Usually, this delay does not impact the functionality, because higher level protocols take care of retransmission. The most apparent impact of this problem is choppy voice output if some voice packets are dropped.
Resolution
Currently, the only workaround is to stop authentication on the IPsec packets by removing the Hash-Based Message Authentication Code (HMAC) function from the IPsec transform set to disable anti-replay checks.
Note: Removing Hash-Based Message Authentication code(HMAC) function will result in highly degraded security.