>> Perhaps you should do "sysctl -w net.inet.tcp.keepidle=150", so that
>> any socket that is idle for more than 2.5 minutes, is forced to do a
>> keepalive.

Unless someone has drastically changed something, that should read
"...any socket which has keepalives turned on and is idle for...".

Quite a while ago, to deal with a broken NAT box (tho arguably there is
no other kind), I added a kernel compile option FORCE_TCP_KEEPALIVES
which disabled the check to see whether the socket had keepalives
turned on, doing keepalives anyway.  (In case anyone wants it, the
patch is small and simple
	--- OLD/sys/netinet/tcp_timer.c	Thu Jan  1 00:00:00 1970
	+++ NEW/sys/netinet/tcp_timer.c	Thu Jan  1 00:00:00 1970
	@@ -469,7 +469,10 @@
	 		else if (tp->t_in6pcb)
	 			so = tp->t_in6pcb->in6p_socket;
	 #endif
	-		if (so->so_options & SO_KEEPALIVE &&
	+		if (
	+#ifndef FORCE_TCP_KEEPALIVES
	+		    so->so_options & SO_KEEPALIVE &&
	+#endif
	 		    tp->t_state <= TCPS_CLOSE_WAIT) {
	 		    	if ((tcp_maxidle > 0) &&
	 			    (tp->t_idle >= tcp_keepidle + tcp_maxidle))
and really fairly obvious once sought after.)

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B