Did you ever find a fix? Sort of.  As I suggested above, we found that the ASA bug was supposed to be resolved in 9.6.3, but in practice we've still had occasional issues through 9.8.1 devices.  We think this is identified in the ASA bug tracker as "Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 - CSCvb29688."   We've successfully mitigated the issue by using the following tunnel settings on both sides: Phase 1: Enc: 3DES Auth: SHA1 DH Group: 2 Lifetime: 86400 seconds Phase 2: Enc: 3DES Auth: SHA1 PFS: Off Lifetime: 86400 seconds It is important that these be the ONLY accepted/offered tunnel parameters. It is also important that the ASA have NAT Exempt enabled for the tunnel. ... View more

Hmm, we've seen similar issues with ASAv 9.5.x versions that were resolved by upgrades to 9.6.3 and later.   What we find is that duplicate IPSEC SAs are being created when they shouldn't be.  The bug can be confirmed on the ASA by running "show crypto ipsec sa inactive" and looking for an inactive tunnel.  Performing "clear crypto ipsec sa inactive" on the ASA is a workaround.  My understanding is that 9.8.x versions were unaffected.   ... View more