04-29-2025 04:44 AM - edited 04-30-2025 03:51 AM
Hi,
We have a weird issue with our RA VPN. We have a router at the edge. An ASA-5508X with FTD image is behind the router. FTDv is behind the ASA, the gateway of FTDv is the ASA, and the VPN IP pool is 192.168.240.0-192.168.255.255.
Our netflow server notified us about high traffic usage from some of our users. For example:
A user (192.168.247.190) received 10GB from 157.240.0.63 on UDP 443, and I checked and found out that the user was not connected to the VPN at that time.
We have received too many notifications like this, and all of them are UDP traffic, but the destination is not limited to this IP; some other private IPs also exist, like our PBX server, which works over UDP.
I saw the high traffic on the FMC health monitor panel, and this was not a netflow system false positive.
I took a pcap of this flow and it was strange:
aa:aa:cc:cc:11:11 is the MAC address of FTDv and aa:aa:bb:bb:77:77 is the MAC address of the ASA.
This image is only a small part of this pcap, and as you can see this is happening in nanoseconds.
I couldn't find the root cause and decided to change the design: I moved FTDv behind the router and changed the gateway of FTDv to the router. After the change this issue did not happen again.
We had to change the design again because FTDv cannot implement a geographic limit for its RA VPN, because the traffic is not going through FTDv but going to FTDv.
We decided to set up a Fortigate between FTDv and the router and changed the gateway of FTDv to the Fortigate, and after this change the random high UDP traffic happened again, but it is not as huge as that time when the ASA was the gateway.
This is the main Interface of FTDv graph:
This is the HA State Link:
FTDv version is 7.4.2.1 and FMC is 7.4.2.1.
I really appreciate your help.
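The check the post describes by hand (was the pool address actually assigned to a connected client when the flow was seen?), written out as an added example; this is not code from the thread or from Cisco, and the NetFlow-style records, session table and timestamps are constructed sample data. The pool 192.168.240.0-192.168.255.255 from the post is written as 192.168.240.0/20.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# VPN address pool from the post: 192.168.240.0-192.168.255.255 is 192.168.240.0/20
VPN_POOL = ip_network("192.168.240.0/20")

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed NetFlow-style records (sample data, not the thread's own export):
# (flow start, src, dst, proto, dst port, bytes)
FLOWS = [
    (_t("2025-04-28 09:15"), "157.240.0.63", "192.168.247.190", "udp", 443, 10_000_000_000),
    (_t("2025-04-28 10:05"), "157.240.0.63", "192.168.247.12", "udp", 443, 3_500_000),
    (_t("2025-04-28 10:20"), "192.168.247.12", "10.20.30.40", "udp", 5060, 120_000),
    (_t("2025-04-28 11:00"), "10.20.30.40", "192.168.250.8", "udp", 5060, 900_000_000),
]

# Constructed RA VPN session table: (assigned pool address, login, logout or None if still up)
SESSIONS = [
    ("192.168.247.12", _t("2025-04-28 09:50"), _t("2025-04-28 12:30")),
    ("192.168.250.8", _t("2025-04-28 08:00"), _t("2025-04-28 10:30")),
]

def session_active(addr, when, sessions=SESSIONS):
    """True if some RA VPN session held `addr` at time `when`."""
    for pool_addr, login, logout in sessions:
        if pool_addr == addr and login <= when and (logout is None or when <= logout):
            return True
    return False

def orphan_pool_flows(flows=FLOWS, sessions=SESSIONS):
    """Flows touching a pool address that no client was assigned at that time."""
    orphans = []
    for flow in flows:
        start, src, dst = flow[:3]
        for end in (src, dst):
            if ip_address(end) in VPN_POOL and not session_active(end, start, sessions):
                orphans.append(flow)
                break
    return orphans

def bytes_by_port(flows):
    """Summarise orphan volume per (proto, dport) to see which services dominate."""
    totals = {}
    for _, _, _, proto, dport, nbytes in flows:
        totals[(proto, dport)] = totals.get((proto, dport), 0) + nbytes
    return totals
```

`bytes_by_port(orphan_pool_flows())` groups the unexplained volume by protocol and port, which separates the UDP/443 (DTLS) traffic from the PBX traffic mentioned in the post.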
05-03-2025 07:55 AM
Any idea?
05-03-2025 07:58 AM
Try disabling DTLS for the VPN and check.
MHM