I am seeing a similar issue in 9.8(3) where the client's SonicWall is sending DPDs but we are not negotiating a MOBIKE session.
Is anyone else familiar with the following scenario?
Peer-1:
  Cisco ASA 9.8(3)
  L2L using IKEv2
  DfltGrpPlcy idle timeout 30 minutes
Peer-2:
  SonicWall NSA 4600, firmware 6.2.6.1-25n
  L2L using IKEv2
  Sending constant DPDs to Cisco ASA
----
Issue:
Tunnel passes interesting traffic to one host in the encryption domain, but not the second host, for 30 minutes; then both SAs drop, and 4-5 minutes later a re-key occurs and both SAs re-establish.
Essentially, even though SA-1 is actively seeing interesting traffic to its destination, the ASA drops the connection entirely because SA-2 hasn't had traffic in 30 minutes (since its initialization).
SYSLOG only records "IKEv2 SA DOWN. Reason: unknown"
Workaround:
The client sends ICMPs to the production host, so I asked them to add another cron job to send them to the test host at the same frequency and the issue stopped occurring. Afterwards, I found the bug in the title (CSCvh14743) which is similar in nature, although it was supposed to be resolved in 9.8(3).