ISA Server 2004 and ISA Server 2006 do not support traffic redirection

Article ID: 888042
Last Review: December 4, 2007
Revision: 4.1

SUMMARY

This article discusses how to troubleshoot an issue that occurs when a client computer on a remote subnet sends TCP traffic to another internal computer.

MORE INFORMATION

When a client computer that is behind Microsoft Internet Security and Acceleration (ISA) Server 2004 or Microsoft ISA Server 2006 sends traffic to another internal computer, the ISA Server computer may drop the traffic.

This behavior occurs when TCP packets in one direction follow a route that does not involve ISA Server, and TCP packets in the other direction follow a route that does involve ISA Server.

For example, consider a client computer on a remote subnet that is behind an internal network. In this case, the remote subnet is separated from the ISA Server computer by a router. When the client computer sends a packet to another client computer that is located on the internal network, the traffic is forwarded directly to the computer on the internal network.

When the client computer on the internal network responds, the packet is routed through ISA Server because this computer has the IP address of the internal network defined as its default gateway. ISA Server has no route back to the remote subnet. Therefore, the source IP address is identified as spoofed.

This issue occurs even when the server has valid routes to both source and destination subnets. In this situation, the TCP connection request (SYN) from the client to the server bypasses ISA Server. However, the SYN-ACK packet is routed to the server and dropped with a TCP_NOT_SYN_PACKET error. In short, both sides of a TCP session must go through the ISA Server computer.

This behavior may not occur with User Datagram Protocol (UDP) traffic, or Internet Control Message Protocol (ICMP) traffic.
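The following added example (not part of the original article) models the two cases described above, ISA Server without and with a route back to the remote subnet, and checks whether only one direction of the session crosses ISA Server. All addresses and routing tables are constructed for illustration, as is a third variant in which both directions take the same path.

```python
import copy
import ipaddress

FIREWALL = "10.0.0.1"     # constructed: ISA Server address on the internal network
ROUTER_IN = "10.0.0.254"  # constructed: router interface on the internal network
CLIENT, HOST = "10.0.1.50", "10.0.0.20"  # constructed: remote client, internal computer

ROUTER = [("10.0.0.0/24", None), ("10.0.1.0/24", None)]  # both subnets on-link
# Per-node routing tables: (destination network, next hop); None means on-link.
TABLES = {
    CLIENT: [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.1")],
    "10.0.1.1": ROUTER,
    ROUTER_IN: ROUTER,
    HOST: [("10.0.0.0/24", None), ("0.0.0.0/0", FIREWALL)],  # default gateway = ISA
    FIREWALL: [("10.0.0.0/24", None)],  # no route back to the remote subnet
}

def next_hop(tables, node, dst):
    """Longest-prefix match; returns the next node, or None when no route matches."""
    addr, best = ipaddress.ip_address(dst), None
    for net, gw in tables[node]:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (best[1] or dst)

def path(tables, src, dst):
    """Nodes a packet visits from src to dst; ends in 'no-route' if it cannot be delivered."""
    hops = [src]
    while hops[-1] != dst:
        nxt = next_hop(tables, hops[-1], dst)
        if nxt is None or nxt in hops:
            hops.append("no-route")
            break
        hops.append(nxt)
    return hops

def asymmetric(tables, a, b):
    """True when only one direction of an a<->b TCP session crosses the firewall."""
    return (FIREWALL in path(tables, a, b)) != (FIREWALL in path(tables, b, a))

def variant(node, route):
    """Copy of TABLES with one extra route placed on one node."""
    t = copy.deepcopy(TABLES)
    t[node] = [route] + t[node]
    return t

if __name__ == "__main__":
    for name, t in [("ISA has no route back", TABLES),
                    ("ISA has valid routes", variant(FIREWALL, ("10.0.1.0/24", ROUTER_IN))),
                    ("same path both ways", variant(HOST, ("10.0.1.0/24", ROUTER_IN)))]:
        print(name, path(t, CLIENT, HOST), path(t, HOST, CLIENT), asymmetric(t, CLIENT, HOST))
```

In the first two variants the SYN reaches the internal computer through the router alone while the SYN-ACK is sent to ISA Server, which is the condition the article describes.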

For more information about how to troubleshoot this issue and other network configuration issues, visit the following Microsoft Web site:
http://go.microsoft.com/fwlink/?LinkID=60491
For more information about how to configure ISA Server 2004 networks, visit the following Microsoft Web site:
http://go.microsoft.com/fwlink/?LinkID=56780

APPLIES TO
Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Microsoft Internet Security and Acceleration Server 2004 Standard Edition
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition


Keywords: 
kbtshoot kbfirewall kbprb KB888042
