We are experiencing a weird issue with many of our users (including myself) who have Verizon FiOS. For years, we've been using VPN3030s for VPN. We give our users 3 VPN profiles in their client: a native IPSec, a TCP encapsulated, and a UDP encapsulated (with NAT-T). TCP seemed to be the best bet in most places, and is our default.
A few months ago, we migrated to an ASA to replace the 3030s. We didn't change the profiles, just pointed the DNS hostnames to the new IP address. Since we've moved to the ASAs, many users have been experiencing TCP VPN drops after 30 seconds. It works fine when first connecting, but after 30 seconds, the tunnel stops forwarding traffic altogether. UDP works fine.
It turns out this issue is ONLY affecting users on Verizon FiOS with the Actiontec router. It seems to stop forwarding any packets. Normally, I would just tell the users to use UDP. However, because this issue only started when they connect to the ASA, I need to explain why the Actiontec has an issue with the ASA.
I've done the basic checks: clients are configured with an MTU of 1300, they are negotiating the same types of SAs for the tunnel, and as far as I can see, the configurations of the ASA are as close as can be to the 3030 (MTU, fragmentation handling, etc.).