Hi Fawad,
The SSL-Tunnel is the TCP tunnel that is first created to the ASA. When it
is fully established, the client will then try to negotiate a UDP
DTLS-Tunnel. While the DTLS-Tunnel is being established, data can pass over
the SSL-Tunnel. When the DTLS-Tunnel is fully established, all data now
moves to the DTLS-tunnel and the SSL-tunnel is only used for occasional
control channel traffic. If something should happen to UDP, the DTLS-Tunnel
will be torn down and all data will pass through the SSL-Tunnel again.
The decision of how to send the data is very dynamic. As each network bound
data packet is processed there is a point in the code where the decision is
made to use either the SSL connection or the DTLS connection. If the DTLS
connection is heathly at that moment, the packet is sent via the DTLS
connection. Otherwise it is sent via the SSL connection.
The SSL connection is established first and data is passed over this
connection while attempting to establish a DTLS connection. Once the DTLS
connection has been established, the decision point in the code described
above just starts sending the packets via the DTLS connection instead of the
SSL connection. Control packets, on the other hand, always go over the SSL
connection.
I would suggest you to enable DTLS and DPD's for this tunnel and then test the issue.
You can enable DTLS using following command:-
hostname(config)# group-policy testattributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc dtls enable
hostname(config-group-policy)# svc dpd-interval gateway 30
hostname(config-group-policy)# svc dpd-interval client 10
Let me know if it helps.
Regards,
Naresh