Usually the problem is that remote access tunnels are never truely idle. Microsoft, especially, is so chatty there is always something traversing the tunnel. It's tough to apply idle timeouts with RA tunnels.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...