Did you ever find a fix?

Sort of. As I suggested above, we found that the ASA bug was supposed to be resolved in 9.6.3, but in practice we've still had occasional issues through 9.8.1 devices. We think this is identified in the ASA bug tracker as "Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 - CSCvb29688."

We've successfully mitigated the issue by using the following tunnel settings on both sides:

Phase 1:
Enc: 3DES
Auth: SHA1
DH Group: 2
Lifetime: 86400 seconds

Phase 2:
Enc: 3DES
Auth: SHA1
PFS: Off
Lifetime: 86400 seconds

It is important that these be the ONLY accepted/offered tunnel parameters. It is also important that the ASA have NAT Exempt enabled for the tunnel.
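An added example, not part of the original post: a Python audit of an ASA running-config excerpt that flags any tunnel proposal other than the one listed above. It assumes IKEv1 configuration syntax (the post does not say which IKE version was in use) and explicit values in each policy; the sample configs, object names and the `audit` function are constructed for illustration, and the NAT exemption is not checked.

```python
import re
# Constructed sample configs; ASA IKEv1 syntax is an assumption, not from the post.
GOOD = """\
crypto ikev1 policy 10
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-3DES esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 86400
"""
DRIFTED = GOOD + """\
crypto ikev1 policy 20
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 set pfs group5
"""
WANT_P1 = {"encryption": "3des", "hash": "sha", "group": "2", "lifetime": "86400"}
WANT_TS = {"esp-3des", "esp-sha-hmac"}  # Phase 2 transforms listed in the post

def audit(config):
    findings, policies, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:  # start of a Phase 1 policy block
            current = policies.setdefault(m.group(1), {})
        elif raw.startswith(" ") and current is not None:
            key, _, value = line.partition(" ")  # indented policy sub-command
            current[key] = value
        else:
            current = None
            m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
            if m and set(m.group(2).split()) != WANT_TS:
                findings.append(f"transform-set {m.group(1)} is not 3DES/SHA1")
            if re.match(r"crypto map \S+ \d+ set pfs\b", line):
                findings.append(f"PFS is enabled: {line}")
            m = re.match(r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)$", line)
            if m and m.group(1) != "86400":
                findings.append(f"Phase 2 lifetime is {m.group(1)} seconds")
    if len(policies) != 1:  # a second policy means a second offered proposal
        findings.append(f"{len(policies)} IKEv1 policies defined, expected exactly 1")
    for num, got in policies.items():
        findings += [f"policy {num}: {k} is {got.get(k)}, expected {v}"
                     for k, v in WANT_P1.items() if got.get(k) != v]
    return findings
```

`audit(GOOD)` returns an empty list; `audit(DRIFTED)` reports the extra policy, its mismatched values, the second transform set and the PFS line.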