Hey Team,
Topology:
Spoke A ------------ipsec tunnel-------------Hub-------------ipsec tunnel------------Spoke B
Scenario: Migration from SSG to SRX
When sending traffic from Spoke A to the Spoke B LAN side, there is packet loss of 10-20% over the VPN. No packet loss is observed when pinging the Hub side using the MPLS addresses on which the IPsec VPN runs. Route-based VPN.
All three devices are SRXes.
Spoke A:
PING 172.24.11.33 (172.24.11.33): 56 data bytes
64 bytes from 172.24.11.33: icmp_seq=2 ttl=252 time=69.842 ms
64 bytes from 172.24.11.33: icmp_seq=3 ttl=252 time=60.986 ms
64 bytes from 172.24.11.33: icmp_seq=6 ttl=252 time=59.521 ms << seq 4 and 5 never made it.
On Hub side:
I see three being processed in traces:
May 16 03:26:23 03:26:23.381298:CID-01:FPC-01:PIC-00:THREAD_ID-26:RT:<172.24.8.93/3->172.24.11.33/3712;1> matched filter pf1:
May 16 03:26:23 03:26:23.381341:CID-01:FPC-01:PIC-00:THREAD_ID-26:RT:packet [84] ipid = 35815, @0xf8cbc914
but then traces move to seq 6:
May 16 03:26:26 03:26:26.384147:CID-01:FPC-01:PIC-00:THREAD_ID-10:RT:<172.24.8.93/6->172.24.11.33/3712;1> matched filter pf1:
May 16 03:26:26 03:26:26.384182:CID-01:FPC-01:PIC-00:THREAD_ID-10:RT:packet [84] ipid = 35846, @0xfc31f114
===============
Also, policy denied counters were increasing consistently on the hub side when SRX devices were being used on the spoke side instead of the SSG from which we migrated during the window:
run show interfaces st0.28 statistics detail | match policy
Bytes permitted by policy : 152998034129
Bytes permitted by policy : 170287121600
Policy denied: 24433
run show interfaces st0.28 statistics detail | match policy
Bytes permitted by policy : 152998051349
Bytes permitted by policy : 170287132067
Policy denied: 24436
But nothing in the policies which would drop the traffic.
=======================================
Spoke B is communicating fine with other Spokes and no packet loss.
=======================================
When the change is rolled back on the Spoke A side to go back to the SSG instead of the SRX, there is no more packet loss and those counters don't increase any more. To roll back, we move the cables, disable and enable the interfaces, and update VPN monitoring on the hub; the rest of the configuration, including the st0 interfaces, stays the same on the hub side.
Both Spoke A and the Hub are running 12.3X48 D 50.6, which is standard across all the devices.
Any help would be really appreciated.