bassist
just joined
Topic Author
Posts: 12
Joined: Fri Jun 29, 2012 4:33 pm

IPSec & GRE issues w/6.46.1

Mon Jan 20, 2020 3:26 am

Hey so I am seeing a weird issue with a few of my sites.

I run an IPSec hub/spoke with GRE on top.

Recently upgraded the hub and a spoke to 6.46.2 and had GRE tunnels that just refused to come back up. IPSec phase 2 successfully connected.

This config has been working for weeks/months now across multiple sites, so I don't believe the actual configuration is the problem here; I have been pushing 20Mbps over these links for a long time now with no issues.

What I am observing is the following:
Side A pings Side B out the WAN (eth1) interface.
I can see the protocol 50/IPSec packets come into Side B's router but *not* get 'captured' by the SA.
Instead they make their way into the input chain's firewall rules and subsequently get dropped by the drop-all WAN -> LAN rule.
That rule is the last in my input chain rules, there are others for GRE/BGP/etc that I need.
Even if I add a manual rule to accept the protocol 50/ipsec on the input chain they don't go anywhere... (and that's not how the SA packet decryption process works afaik?)

In some of my sites, after rebooting both ends' routers *multiple times* along with an hour or two of flipping firewall rules and logging, I've seen some sites just magically start working again, and my GRE tunnel just comes back up (because the SA starts magically working again?).

Is this... some weird connection tracking issue? Some state that's being cleared/reset on a timeout?

Things I've tried as well:
Flushing the SAs on both sides: I see the IPSec tunnel immediately reestablish and come back up on both sides, but still the same issue.
Trying to terminate any connections in the firewall connection tracking area as well, but rebooting the routers would have the same effect, I'd imagine.

Is there anything else I should be looking at?

Edit #1: I have also tried downgrading both sides to 6.46.1 but I am oddly... still seeing the behaviour...
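A baseline input-chain layout plus the diagnostic commands for this kind of "phase 2 is up but GRE stays down" situation, as an added example that is not the poster's configuration. Everything here is constructed: ether1 as the WAN interface, 203.0.113.2 as the spoke's WAN address (documentation range), and a single hub/spoke pair. In RouterOS packet flow the input filter sees the still-encrypted ESP packet before IPsec decryption, and the decrypted payload then re-enters prerouting, where it can be matched with the ipsec-policy matcher rather than by interface.

```routeros
# Constructed example, not the poster's config. Assumptions: WAN = ether1,
# spoke WAN address = 203.0.113.2, GRE rides inside a transport-mode IPsec policy.

/ip firewall filter
# IKE (UDP/500) and NAT-T (UDP/4500), restricted to the known peer
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=203.0.113.2 in-interface=ether1 comment="IKE/NAT-T from spoke"
# ESP (IP protocol 50) from the known peer; the input chain sees it before decryption
add chain=input action=accept protocol=ipsec-esp \
    src-address=203.0.113.2 in-interface=ether1 comment="ESP from spoke"
# GRE is accepted only when it was decrypted under an inbound IPsec policy,
# so cleartext GRE from the WAN still falls through to the drop below
add chain=input action=accept protocol=gre ipsec-policy=in,ipsec \
    comment="GRE only when it arrived inside IPsec"
# Catch-all drop stays last; the accepts above must sit above it
add chain=input action=drop in-interface=ether1 comment="drop everything else from WAN"

# Diagnostics, run on the side whose GRE will not come up
/ip ipsec active-peers print
# installed-sa: one inbound and one outbound SA per policy; current-bytes should grow
# on both when GRE traffic flows. A stalled inbound counter means ESP is not
# being matched to this SA (wrong SPI after a re-key, or selectors do not match).
/ip ipsec installed-sa print
# the policy selectors (src/dst address, protocol) must cover the GRE endpoints
/ip ipsec policy print
# which input rule is counting the incoming ESP packets? accepted ESP should hit
# the ipsec-esp rule, not the final drop
/ip firewall filter print stats where chain=input
# confirm ESP is actually arriving on the WAN interface at all
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp
# force a clean re-key after any change instead of rebooting
/ip ipsec installed-sa flush
```

Reading the counters together narrows the fault: ESP counted on the drop rule means a firewall ordering problem, ESP counted on the accept rule with no growth on the inbound SA means the SA itself is not matching, and growth on the inbound SA with GRE still down points at the policy selectors or the GRE rule rather than at IPsec.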