I also want to add to David's reply. Some keep-alive mechanisms depending on which firewall and configuration you are using either have phase 1 keep-alive, or complete end to end phase 2 keep-alive.

I don't know the Cisco equivalent or if they even have one. Example of this with Juniper dead-peer-detection (DPD) only sends IKEv1/2 keep-alives, whereas VPN monitoring sends ICMP echo requests to keep the VPN up / or declare it dead.

With DPD, there isn't exactly any interesting traffic probing, its just the IKE "hello are you there" messages. After a while, the vpn may go down due to lack of interesting traffic or have to re-negotiate phase 2. Though to create interesting traffic, you could set an ip sla for icmp end to end.

You may have noticed in the past that VPN just goes down after a while (if you have had this setup)

On the ASA there are three modes RE how the negotiation actually starts

Answer-Only: Specifies that this peer only responds to inbound IKE connections first during the initial proprietary exchange to determine the appropriate peer to connect to.

Bidirectional (Default): Specifies that this peer can accept and originate connections based on this crypto map entry. This is the default connection type for all Site-to-Site connections. [Only if interesting traffic is matched]

Originate-Only: Specifies that this peer initiates the first proprietary exchange to determine the appropriate peer to connect to.

For ASA Experts out there, please correct me if I'm wrong.

Hope this helps

Bilal