Packets from the branch office may not reach the destination servers in the central office in ISA Server 2006

Consider the following scenario:

• You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to create a site-to-site VPN connection between a central office and a branch office.
• The ISA Server 2006 computer is located in the central office.
• Clients in the branch office use ISA Server to access servers in the central office.

In this scenario, packets from the branch office may not reach the destination servers in the central office. For example, DNS requests from a client in the branch office may not reach the DNS servers in the central office.

This problem occurs because the Microsoft Firewall service incorrectly handles IP address bindings. A site-to-site VPN connection may be lost and then re-created. However, ISA Server still uses the old IP address of the previous virtual network interface for the site-to-site VPN connection.

To resolve this problem, install hotfix 955151.

For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

To work around this problem, restart the Microsoft Firewall service on the computer that is running ISA Server 2006.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about a hotfix for a similar issue, click the following article numbers to view the articles in the Microsoft Knowledge Base: