What do transmit errors on Linux IPsec virtual tunnel interfaces indicate?

The transmit errors on VTI interfaces (and other tunneling interfaces) have special meanings. Unfortunately it's poorly documented and I've looked into the source code of kernel to investigate this (see the /net/ipv4/ip_vti.c file).

To list the categories of TX errors use the ip -s -s -d link show [ dev <vti-iface> ] command.

TX carrier errors and troubleshooting:

• No suitable route was found - check it with the ip route get <dst> command
• No suitable policy was found - check the policies with the ip xfrm policy get ... command
• No suitable SA was found - check the SA status with the ip xfrm state get ... command
• The SA isn't in the tunnel mode - check the SA mode with the ip xfrm state show or the ip xfrm state get ... commands

TX collision errors:

• Routing loop found - after transformation a packet should be sent through the same VTI interface - check the SA configuration and the routing configuration.

The errors that you're seeing can happen for a number of reasons. My suggestion would be to dig through your logs for a message that looks like:

Nov 25 21:18:00.000 UTC: ISAKMP (0:1): deleting node ######## error TRUE reason "[the answer you seek is likely in this string]"

I'd take a look at this link for troubleshooting IPSec VPNs. Normally, I'd summarize as links can go down for any reason, but without knowing more specifics, you want to generally look for troubleshooting guides not relating to initial configuration (as you have a working setup -- only occasional errors). Which is to say, the answers to your question likely live as a string in your logfiles.

More generally, transmit errors can occur for any number of reasons - mangled checksums, mangled authentication headers, need to retransmit due to congestion or dropped packets, really any error in any of the layers of the IPSec affected network stack can bubble up.