When the 2NN wants to perform a checkpoint, it figures out the highest transaction ID of the fsimage files on the NN, and if the 2NN has a copy of that fsimage file (because it created that merged fsimage file the last time it did a checkpoint) then the 2NN won't download the fsimage file from the NN, and instead only gets the new edits files from the NN. In this case, the 2NN also doesn't even bother reloading the fsimage file it has from disk, since it has all of the namespace state in-memory. This all works just fine.
When the 2NN doesn't have a copy of the relevant fsimage file (for example, if the NN had restarted since the last checkpoint) then the 2NN blows away its in-memory namespace state, downloads the fsimage file from the NN, and loads the newly-downloaded fsimage file from disk. The bug is that when the 2NN clears its in-memory state, it only resets the namespace, but not the delegation token map.
The fix is pretty simple - just make the delegation token map get cleared as well as the namespace state when a running 2NN needs to load a new fsimage from disk.
Credit to Stephen Chu for identifying this issue.