If you have recently upgraded to ASA 8.4 or above, you might have come across a VPN behavior where the outbound IPsec SA reaches its data lifetime threshold and you have to manually bounce the tunnel to bring it back up.
This happens because of a bug in releases 8.4(2.240) and 8.6. The bug is such that the Phase 2 outbound IPsec SA fails to rekey when the ‘data lifetime’ reaches its threshold (default 4608000 kilobytes). CSCtq57752 is the bug ID, which you can look up in the Bug Toolkit (requires a CCO login).
There is a workaround and a fix for this issue:
1. Workaround: Adjust the lifetime values on the affected crypto map entry so that the tunnel rekeys on the seconds lifetime rather than the data (kilobytes) lifetime.
2. Fix: Upgrade to ASA 8.4(3) or the other versions in which the bug is fixed.
Change the lifetime seconds to a lower value so that the outbound IPsec SA rekeys when the seconds threshold is reached.
Change the lifetime kilobytes to the highest possible value so that the outbound IPsec SA never rekeys on the kilobytes lifetime, because that is where the bug kicks in.
crypto map outside_map 10 set lifetime seconds 3600
crypto map outside_map 10 set lifetime kilobytes 2147483647
Although you can set these lifetime values globally, I wouldn’t recommend it, because you do not want the ASA to rekey every one of your VPN tunnels every hour! So just monitor the VPNs and see which ones need the workaround to get over this issue.
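To help with that monitoring, here is an added example (not from the original post) that parses a constructed `show crypto ipsec sa` snapshot, flags the crypto map entries whose outbound SA is on course to hit the kilobytes threshold before the seconds threshold, and prints the per-entry override from above for just those entries. It assumes the usual ASA output format for the `Crypto map tag` and `remaining key lifetime (kB/sec)` lines and the ASA default seconds lifetime of 28800; the rate estimate is a simple average since the SA came up.

```python
import re
# Per-entry defaults: the post quotes 4608000 kB; 28800 s is the ASA default
# seconds lifetime (assumed here, adjust if your crypto map entry differs).
DEFAULT_SEC, DEFAULT_KB = 28800, 4608000

# Constructed snapshot shaped like ASA "show crypto ipsec sa" (format assumed).
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
    inbound esp sas:
         sa timing: remaining key lifetime (kB/sec): (1190000/25000)
    outbound esp sas:
         sa timing: remaining key lifetime (kB/sec): (1200000/25000)
    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1
    outbound esp sas:
         sa timing: remaining key lifetime (kB/sec): (4500000/20000)
"""
MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+),")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")

def parse_outbound_sas(text):
    """Return (crypto_map, seq, kb_left, sec_left) for each entry's outbound SA."""
    sas, entry, outbound = [], None, False
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:  # a new crypto map entry starts; forget the previous SA direction
            entry, outbound = (m.group(1), int(m.group(2))), False
            continue
        if line.strip().endswith("esp sas:"):  # "inbound esp sas:" / "outbound esp sas:"
            outbound = line.strip().startswith("outbound")
            continue
        m = LIFE_RE.search(line)
        if m and outbound and entry:
            sas.append((entry[0], entry[1], int(m.group(1)), int(m.group(2))))
            outbound = False  # one outbound SA per entry is enough
    return sas

def rekeys_on_kilobytes(sa, lifetime_sec=DEFAULT_SEC, lifetime_kb=DEFAULT_KB):
    """True if the kB threshold is projected to fire before the seconds one."""
    _, _, kb_left, sec_left = sa
    elapsed, used_kb = lifetime_sec - sec_left, lifetime_kb - kb_left
    if elapsed <= 0 or used_kb <= 0:
        return False  # fresh or idle SA: no average rate to extrapolate yet
    return kb_left / (used_kb / elapsed) < sec_left  # seconds until kB runs out

def workaround_commands(sas, seconds=3600, kilobytes=2147483647):
    """Per-entry lifetime override from the post, only for entries that need it."""
    return [f"crypto map {cmap} {seq} set lifetime {kind} {val}"
            for cmap, seq, kb, sec in sas if rekeys_on_kilobytes((cmap, seq, kb, sec))
            for kind, val in (("seconds", seconds), ("kilobytes", kilobytes))]
```

Running `workaround_commands(parse_outbound_sas(SAMPLE))` on the constructed snapshot returns the two override commands for entry 10 only, since entry 20 is moving data slowly enough to rekey on seconds first.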
Upgrading the firewall in a production environment to solve the issue might not be the most appropriate choice, especially when you have a workaround that works pretty well. So you can implement the workaround until you get a maintenance window for the upgrade. The fixed versions are listed in the bug details for CSCtq57752.
Hope you find this useful and get your VPN tunnels up and running as quickly as possible!