Ok, let me try to explain.
What I've found on the firewall after the IPSec has been restored between MM and MD sites was the state for a connection UDP MD:4500 -> MM:4500 via outside interface of ASA. It was weird, because I had a more specific route towards the MM subnet via the IPSec VTI tunnel interface, meaning the connection from MD towards MM supposed to be made via tunnel interface instead of the egress outside interface.
ASA has an old feature which prevents the box from clearing the connection even after we installed a more specific route into the routing table. In other words, when the IPSec tunnel restored and routing changed, we still had a connection via the outside interface, which was established when MD was trying to re-connect to MM at the time of IPSec outage, and since at that time we had only a default route via outside, the state has been programmed by the firewall. And since MM/MD uses NAT-T to build the tunnel, the firewall will see a UDP flow, which will never expire, since MD is constantly trying to re-establish the tunnel.
The configuration knob timeout floating-conn 0:00:00, which is a default for ASA pretty much says never clear the connection I've described above.
Changing to timeout floating-conn 0:00:30, will make sure the connection will be cleared after 30s when the IPSec is restored and we have a better route towards MM.
If the description above is vague, please, check this out to get another take on it:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html