For TCP scheduling on Cisco ASA with IOS 9.*, you can't utilize IP SLA or IP MONITOR because they are not supported on ASA appliances, but a decent workaround is to route the traffic to a router that is connected and supports these commands to generate periodic TCP packets. Another alternative is to activate TCP Keepalive on the ASA to keep it open, or utilize a customized script on a separate appliance to generate TCP packets on a periodic interval. Third-party monitoring tools like SolarWinds or PRTG can also be used to generate simulated traffic and keep the tunnel open.-zone traffic with a zone-pair configuration in the Zone-Based Firewall (ZBF). As a workaround, you can use internal DNS to resolve fish.example.com to 10.0.0.107 so that local clients do not require hairpin NAT, or you can use a NAT loopback configuration if your platform supports it. Also, verify and update your ZBF rules to permit intra-zone traffic explicitly.