Article ID: 955150 - Last Review: September 11, 2008 - Revision: 1.0

Packets from a branch office may not reach the destination servers in the central office after you use ISA Server 2006 to create a site-to-site VPN connection between a central office and a branch office

SYMPTOMS

Consider the following scenario:
  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to create a site-to-site VPN connection between a central office and a branch office.
  • The ISA Server 2006 computer is located in the central office.
  • Clients in the branch office use ISA Server to access servers in the central office.
In this scenario, packets from the branch office may not reach the destination servers in the central office. For example, HTTP requests from a client in the branch office may not reach Web servers in the central office.

CAUSE

This problem occurs because the Microsoft Firewall service incorrectly handles IP address bindings. A site-to-site VPN connection may be lost and then re-created. However, ISA Server still uses the old IP address of the previous virtual network interface for the site-to-site VPN connection.

RESOLUTION

To resolve this problem, apply the hotfix rollup package that is described in the following Microsoft Knowledge Base article:
955151 (http://support.microsoft.com/kb/955151/) Description of the ISA Server 2006 hotfix package: July 06, 2008

WORKAROUND

To work around this problem, restart the Microsoft Firewall service on the ISA Server 2006 computer.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The hotfix that is described in this article resolves an issue in a scenario that resembles the scenarios addressed by the hotfixes in the following Microsoft Knowledge Base articles:
947255 (http://support.microsoft.com/kb/947255/) Packets from the branch office may not reach the destination servers in the central office over a site-to-site VPN connection that you create through ISA Server 2006
955118 (http://support.microsoft.com/kb/955118/) Packets from the branch office may not reach the destination servers in the central office in ISA Server 2006

APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Keywords: kbexpertiseadvanced kbqfe KB955150
