Assume the following: You change the network relationship type for an Internet Protocol security (IPSec) site-to-site network rule from Route to Network Address Translation (NAT) and then back to Route. In this scenario, Internet Control Message Protocol (ICMP) ping traffic does not pass through the virtual private network (VPN) connection for one minute. Other traffic types, such as HTTP, File Transfer Protocol (FTP), and User Datagram Protocol (UDP) Echo, pass through without interruption.
Note HTTP and FTP traffic types are Transmission Control Protocol (TCP)-based.
This issue occurs because, after you switch the network relationship type from Network Address Translation (NAT) back to Route, the firewall waits for one minute before it initiates a new connection. The firewall waits for one minute to prevent the premature termination of existing sessions. This behavior affects ICMP ping traffic because all ICMP ping traffic shares the same firewall connection state. TCP traffic and UDP traffic are not affected because a new connection chooses a different source port. Therefore, a new connection state is created for TCP and UDP traffic.
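As an added illustration (not part of the original article or of ISA Server's code), a small Python model of the connection-state behaviour the cause describes: TCP and UDP flows are keyed on a 5-tuple that includes the ephemeral source port, ICMP echo is keyed only on protocol and addresses, and entries left over from the previous relationship type are held for one minute. The key shapes, the hold time and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 60  # assumed grace period after the relationship type changes


def flow_key(proto, src, dst, sport=None, dport=None):
    """Connection-state key (hypothetical model). TCP/UDP use the full
    5-tuple; ICMP echo uses only protocol and addresses, so every ping
    between the same two hosts maps to one shared state entry."""
    if proto == "icmp":
        return (proto, src, dst)
    return (proto, src, dst, sport, dport)


@dataclass
class StateTable:
    relationship: str = "route"
    changed_at: float = -HOLD_SECONDS
    entries: dict = field(default_factory=dict)  # key -> relationship it was created under

    def set_relationship(self, rel, now):
        self.relationship = rel
        self.changed_at = now

    def forward(self, pkt, now):
        """True if the packet passes under the current relationship type."""
        key = flow_key(**pkt)
        created_under = self.entries.get(key)
        if created_under is None or created_under == self.relationship:
            self.entries[key] = self.relationship
            return True
        # Stale entry from the old relationship: kept for HOLD_SECONDS so that
        # live sessions are not torn down, but it does not pass the new path.
        if now - self.changed_at < HOLD_SECONDS:
            return False
        self.entries[key] = self.relationship  # hold expired: new state created
        return True


def scenario():
    """Constructed timeline: ping state exists under NAT, then NAT -> Route."""
    table = StateTable(relationship="nat")
    ping = dict(proto="icmp", src="10.0.0.5", dst="10.0.1.7")
    table.forward(ping, 0)                 # shared ICMP state created under NAT
    table.set_relationship("route", 100)   # switch back to Route at t=100
    web = dict(proto="tcp", src="10.0.0.5", dst="10.0.1.7", sport=50123, dport=80)
    return {
        "ping_at_101": table.forward(ping, 101),  # False: old ICMP state still held
        "tcp_at_101": table.forward(web, 101),    # True: new source port, new state
        "ping_at_161": table.forward(ping, 161),  # True: one minute elapsed
    }
```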
To work around this issue, use either of the following methods:
• Wait for one minute until a new connection for ICMP traffic is initiated.
• Restart the Microsoft Firewall service on the Microsoft Internet Security and Acceleration (ISA) Server 2004 computers on both ends of the VPN tunnel.
To restart the Microsoft Firewall service, follow these steps.
1. Click Start, click Run, type services.msc, and then click OK.
2. Right-click Microsoft Firewall, and then click Restart.
For more information about site-to-site VPN configuration in ISA Server 2004, visit the following Microsoft Web site: