What are the exact symptoms when this problem occurs? When you are experiencing the issue, please take a look at "show crypto ipsec sa peer x.x.x.x" (where x.x.x.x is the crypto peer address) output to see whether or not the 3825 or the ASA is failing to encrypt traffic anymore. Issuing the command multiple times will show you whether or not packet encrypt/decrypt counters are increasing. If we see that one of the counters is not incrementing, we've pinpointed where the problem is occurring.
Since this issue sounds like it's intermittent and a reboot of the ASA fixes the issue, take a look at the following bugs. They all pertain to the ASA intermittently getting into a state where it duplicates an entry in its crypto classification table. This causes the ASA to be confused as to which security-association info it needs to use to encrypt traffic to the remote VPN peer. Ultimately, the symptom that you'll see is that the ASA will stop encrypting traffic until a reboot is done.
CSCsh48962 - Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI
CSCso50996 - ASA dropping the packet instead of encrypting it.
CSCsd48512 - Duplicate ASP crypto table entry causes firewall to not encrypt traffic
Please look through the bug notes and see if you can identify whether or not you are hitting this defect. If so, please make sure you are running a fixed version of code.
Here is a link to Bug Toolkit on CCO to view the bug details.
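
The counter comparison described in the reply above, sketched as an added example that is not part of the original post: it parses two saved "show crypto ipsec sa peer" outputs and lists the SAs whose encrypt or decrypt counter did not move. The snapshot text is constructed, the function names are hypothetical, and the code assumes the `#pkts encrypt:` / `#pkts decrypt:` line layout.

```python
import re

# Constructed sample (not captured from a real device), trimmed to the
# lines the check needs: two tunnels under one peer.
TEMPLATE = """\
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
#pkts encaps: {e1}, #pkts encrypt: {e1}, #pkts digest: {e1}
#pkts decaps: {d1}, #pkts decrypt: {d1}, #pkts verify: {d1}
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
#pkts encaps: {e2}, #pkts encrypt: {e2}, #pkts digest: {e2}
#pkts decaps: {d2}, #pkts decrypt: {d2}, #pkts verify: {d2}
"""
SNAP_1 = TEMPLATE.format(e1=1500, d1=1400, e2=200, d2=180)  # first run
SNAP_2 = TEMPLATE.format(e1=1500, d1=1460, e2=230, d2=215)  # second run

IDENT = re.compile(r"(local|remote)\s+ident.*?:\s*\(([^)]*)\)")
COUNTER = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")

def parse(text):
    """Return {(local_ident, remote_ident): {"encrypt": n, "decrypt": n}}."""
    sas, ident, key = {}, {}, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            ident[m.group(1)] = m.group(2)
            if m.group(1) == "remote":  # remote ident completes the SA key
                key = (ident.get("local"), ident["remote"])
                sas[key] = {}
        elif key is not None:
            for name, value in COUNTER.findall(line):
                sas[key][name] = int(value)
    return sas

def stalled(before, after):
    """Return (sa, counter) pairs that did not move between two snapshots."""
    old, out = parse(before), []
    for key, now in parse(after).items():
        for name in ("encrypt", "decrypt"):
            prev = old.get(key, {}).get(name)
            # Equal means no packets were processed; a lower value is assumed
            # to be a counter restart (new SA), so it is not reported.
            if prev is not None and now.get(name) == prev:
                out.append((key, name))
    return out
```

A stalled counter is only meaningful if traffic for that tunnel was actually being sent between the two runs.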