After you change the network relationship type for an IPSec site-to-site network rule from Route to NAT and then back to Route, ICMP ping traffic does not pass through the ISA Server 2004 VPN connection for one minute

Assume the following: You change the network relationship type for an Internet Protocol security (IPSec) site-to-site network rule from Route to Network Address Translation (NAT) and then back to Route. In this scenario, Internet Control Message Protocol (ICMP) ping traffic does not pass through the virtual private network (VPN) connection for one minute. Other traffic types, such as HTTP, File Transfer Protocol (FTP), and User Datagram Protocol (UDP) Echo, pass through without interruption.

Note HTTP and FTP traffic types are Transmission Control Protocol (TCP)-based.

This issue occurs because, after you switch the network relationship type from Network Address Translation (NAT) back to Route, the firewall waits for one minute before it initiates a new connection. The firewall waits for one minute to prevent the premature termination of existing sessions. This behavior affects ICMP ping traffic because all ICMP ping traffic shares the same firewall connection state. TCP traffic and UDP traffic are not affected because a new connection chooses a different source port. Therefore, a new connection state is created for TCP and UDP traffic.

To work around this issue, use either of the following methods:

• Wait for one minute until a new connection for ICMP traffic is initiated.
• Restart the Microsoft Firewall service on the Microsoft Internet Security and Acceleration (ISA) Server 2004 computers on both ends of the VPN tunnel.

To restart the Microsoft Firewall service, follow these steps.

1. Click Start, click Run, type services.msc, and then click OK.
2. Right-click Microsoft Firewall, and then click Restart.

For more information about site-to-site VPN configuration in ISA Server 2004, visit the following Microsoft Web site: