We are an ISP that hosts several commercial customers using Cisco VPN hardware (IOS, PIX & ASA devices) for site-to-site connectivity to their head offices on other networks. We've had several situations where there was a loss of connectivity between two of these end points (host on our network and off network) and the head office VPN device 'flooded' our network with thousands of ESP packets for several minutes. This has caused us service issues and we are searching for a way to mitigate this activity. The VPN is never an issue when the connection is good and we have no control over the configuration of the end points.
We have two devices in our ISP headend that I think can be used to throttle this traffic, a 4507 IOS 12.2(31)SGA1 and an ASA 5540 8.2 with an ASA-SSM-20 7.0 module. The goal is to identify this traffic behavior and rate limit the traffic to a level that doesn't cause network issues when flooding but not interfere with normal VPN operation for our customers. Can anyone recommend which solution would work best?
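As an added illustration of the IOS-side approach the question raises (this is not configuration from the original post and has not been validated against the poster's network), the following shows how ESP (IP protocol 50) can be matched with an ACL and policed on an IOS switch with the Modular QoS CLI. The rate and burst values, the peer addresses in the ACL, and the interface name are assumptions chosen for the example; the real figures would have to come from measuring normal tunnel throughput, and on a Catalyst 4500 the `police` keyword order and the need for the global `qos` command depend on the supervisor and IOS train, so the syntax should be checked against the platform's own documentation before use.

```cisco
! Added example, not from the original post. Values are assumptions.
! Enable QoS globally (required on Catalyst 4500 before policing takes effect).
qos
!
! Match only ESP traffic. Narrowing the ACL to the known customer tunnel
! endpoints (placeholder addresses below) keeps the policer from touching
! unrelated traffic; "permit esp any any" would catch every tunnel instead.
ip access-list extended CUSTOMER-ESP
 remark Assumed head-office peer 192.0.2.10 -> assumed hosted endpoint 198.51.100.20
 permit esp host 192.0.2.10 host 198.51.100.20
 permit esp host 198.51.100.20 host 192.0.2.10
!
! Classify packets that hit the ACL.
class-map match-all ESP-TUNNEL
 match access-group name CUSTOMER-ESP
!
! Police the class: 10 Mbit/s with a 312500-byte burst are placeholder
! figures. Set the rate above the tunnel's measured peak so normal
! operation conforms and only a flood exceeds and is dropped.
policy-map LIMIT-ESP
 class ESP-TUNNEL
  police 10000000 312500 conform-action transmit exceed-action drop
!
! Apply inbound on the interface facing the remote head office (assumed name).
interface GigabitEthernet1/1
 description Assumed upstream link toward head-office VPN peers
 service-policy input LIMIT-ESP
```

Two points worth keeping in mind when adapting this: the policer counts bytes, so a burst value smaller than the tunnel's normal packet bursts will drop legitimate ESP even though the average rate is below the limit, and because every packet in a single tunnel is ESP, a policer cannot distinguish "retransmission storm" from "busy but healthy", so the limit is a ceiling chosen from observed good traffic rather than a signature of the fault. `show policy-map interface GigabitEthernet1/1` (interface name assumed) reports conformed and exceeded counters, which gives a direct way to confirm the policer only fires during the flood events described above.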