On logs, with the following grep I get nothing unexplained:
root@ubnt:/var/log# grep -v default-D messages*|grep -v sudo|grep -v dhcpd|grep -v CRON|grep -v \ su|grep -v sshd|grep -v promiscuous|grep -v login|grep -v rsyslogd|more
So, excluding:
1) firewall default drops
2) sudo commands as part of vyatta
3) dhcpd messages
4) crontab
5) su as part of login
6) tcpdumps
7) login attempts
8) rsyslog errors as I haven't finished setting it up.
All the remaining items are expected and unsurprising. The firewall blocks no site-to-site traffic. The asterisk box shows a couple of errors on the extensions in question-- stale nonce, but those happen all the time. There is no other useful logging to help me find either when the events occured or what it might be.
I can cobble a script together to ping every 5 seconds and log errors across tunnel and from remote site to WAN, which should at least give me a better sense of what is going down... maybe.
If it helps anything, my guess is that the calls are over 60 minutes, and possibly over 90 minutes... but I can't see how that would impact LAN activity.
So, is pinging my only strategy?