After you change the network relationship type for an IPSec site-to-site network rule from Route to NAT and then back to Route, ICMP ping traffic does not pass through the ISA Server 2004 VPN connection for one minute


Symptoms

Consider the following scenario: You change the network relationship type for an Internet Protocol security (IPSec) site-to-site network rule from Route to Network Address Translation (NAT) and then back to Route. In this scenario, Internet Control Message Protocol (ICMP) ping traffic does not pass through the virtual private network (VPN) connection for one minute. Other traffic types, such as HTTP, File Transfer Protocol (FTP), and User Datagram Protocol (UDP) Echo, pass through without interruption.

Note HTTP and FTP traffic types are Transmission Control Protocol (TCP)-based.

Cause

This issue occurs because, after you switch the network relationship type from Network Address Translation (NAT) back to Route, the firewall waits for one minute before it initiates a new connection. The firewall waits for one minute to prevent the premature termination of existing sessions. This behavior affects ICMP ping traffic because all ICMP ping traffic shares the same firewall connection state. TCP traffic and UDP traffic are not affected because a new connection chooses a different source port. Therefore, a new connection state is created for TCP and UDP traffic.
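The following Python model is an added illustration of the cause described above; it is not ISA Server code and not part of the KB article. It assumes a connection table in which TCP/UDP state is keyed on the source port as well as the addresses, ICMP echo state is keyed on the addresses only (so every ping between two hosts shares one entry), and a retired entry holds its key for one minute after the relationship change. The addresses and times are constructed sample values.

```python
# Model assumptions (not ISA Server internals): ICMP echo between two hosts shares
# ONE connection-state entry; TCP/UDP flows are keyed on source port as well.
# After a relationship change the old entries are retired but hold their keys for
# one minute, so a replacement entry on the same key cannot be created until then.

ICMP, TCP, UDP = "icmp", "tcp", "udp"
HOLD_SECONDS = 60  # the one-minute wait described in the article

def flow_key(proto, src, dst, sport=None, dport=None):
    """ICMP echo has no ports, so every ping between src and dst maps to one key."""
    if proto == ICMP:
        return (proto, src, dst)
    return (proto, src, sport, dst, dport)

class ConnectionTable:
    def __init__(self):
        self.retire_at = {}   # key -> time until which a retired entry still occupies the key
        self.active = set()   # keys with live state under the current relationship type

    def relationship_changed(self, now):
        """Route->NAT or NAT->Route: retire all live state and hold each key for one minute."""
        for key in self.active:
            self.retire_at[key] = now + HOLD_SECONDS
        self.active = set()

    def forward(self, now, proto, src, dst, sport=None, dport=None):
        """Return True if the packet passes the firewall, False if it is dropped."""
        key = flow_key(proto, src, dst, sport, dport)
        if key in self.active:
            return True
        held_until = self.retire_at.get(key)
        if held_until is not None and now < held_until:
            return False            # retired state still occupies this key: drop
        self.retire_at.pop(key, None)
        self.active.add(key)        # create fresh connection state for this key
        return True

def demo():
    """Constructed scenario: ping and HTTP between two VPN sites around a NAT->Route change."""
    t = ConnectionTable()
    t.forward(0, ICMP, "10.1.0.5", "10.2.0.5")                  # ping before the change
    t.forward(0, TCP, "10.1.0.5", "10.2.0.80", 40001, 80)       # HTTP before the change
    t.relationship_changed(10)                                  # rule switched NAT -> Route
    ping_at_11 = t.forward(11, ICMP, "10.1.0.5", "10.2.0.5")    # same key: held, dropped
    http_at_11 = t.forward(11, TCP, "10.1.0.5", "10.2.0.80", 40002, 80)  # new source port
    ping_at_71 = t.forward(71, ICMP, "10.1.0.5", "10.2.0.5")    # hold expired: passes
    return ping_at_11, http_at_11, ping_at_71

if __name__ == "__main__":
    print(demo())  # (False, True, True)
```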

Workaround

To work around this issue, use either of the following methods:
  • Wait for one minute until a new connection for ICMP traffic is initiated.
  • Restart the Microsoft Firewall service on the Microsoft Internet Security and Acceleration (ISA) Server 2004 computers on both ends of the VPN tunnel.

To restart the Microsoft Firewall service, follow these steps:
  1. Click Start, click Run, type services.msc, and then click OK.
  2. Right-click Microsoft Firewall, and then click Restart.

More information

For more information about site-to-site VPN configuration in ISA Server 2004, visit the following Microsoft Web site:

Keywords: KB887002, kbprb, kbfirewall, kbtshoot

Article Info
Article ID : 887002
Revision : 5
Created on : 1/5/2007
Published on : 1/5/2007