Microsoft KB Archive/887002

= After you change the network relationship type for an IPSec site-to-site network rule from Route to NAT and then back to Route, ICMP ping traffic does not pass through the ISA Server 2004 VPN connection for one minute =

Article ID: 887002

Article Last Modified on 1/5/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-





SYMPTOMS
Assume the following: You change the network relationship type for an Internet Protocol security (IPSec) site-to-site network rule from Route to Network Address Translation (NAT) and then back to Route. In this scenario, Internet Control Message Protocol (ICMP) ping traffic does not pass through the virtual private network (VPN) connection for one minute. Other traffic types, such as HTTP, File Transfer Protocol (FTP), and User Datagram Protocol (UDP) Echo, pass through without interruption.

Note HTTP and FTP traffic types are Transmission Control Protocol (TCP)-based.



CAUSE
This issue occurs because, after you switch the network relationship type from Network Address Translation (NAT) back to Route, the firewall waits for one minute before it initiates a new connection. The firewall waits for one minute to prevent the premature termination of existing sessions. This behavior affects ICMP ping traffic because all ICMP ping traffic shares the same firewall connection state. TCP traffic and UDP traffic are not affected because a new connection chooses a different source port. Therefore, a new connection state is created for TCP and UDP traffic.



WORKAROUND
To work around this issue, use either of the following methods:
 * Wait for one minute until a new connection for ICMP traffic is initiated.
 * Restart the Microsoft Firewall service on the Microsoft Internet Security and Acceleration (ISA) Server 2004 computers on both ends of the VPN tunnel.

To restart the Microsoft Firewall service, follow these steps.
 * 1) Click Start, click Run, type services.msc, and then click OK.
 * 2) Right-click Microsoft Firewall, and then click Restart.



MORE INFORMATION
For more information about site-to-site VPN configuration in ISA Server 2004, visit the following Microsoft Web site:

http://www.microsoft.com/technet/isa/2004/plan/sitetositevpn.mspx

Additional query words: ICMP ping VPN

Keywords: kbtshoot kbfirewall kbprb KB887002

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.