Article ID: 980674
Consider the following scenario:
Note: The scope of this problem is actually larger than IPsec site-to-site VPN. The problem that is described here may occur in any array-based TMG 2010 deployment for which integrated NLB is enabled, whenever NLB WMI events such as node convergence are triggered. Site-to-site VPN with NLB enabled is simply the most visible example.
This problem occurs because TMG 2010 incorrectly defines discretionary access control lists (DACLs) for the COM services that are exposed by TMG 2010. These DACLs prevent NLB WMI event notifications from being accepted by TMG services. Therefore, the internal NLB state of TMG is not updated, and subcomponents that depend on the NLB state, such as IPsec filter definitions, are not initialized correctly.
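The cause described above is a COM DACL that is too restrictive for the account that delivers WMI event notifications. The following PowerShell helper is an added example (it is not part of the KB article and is not Microsoft's or TMG's own code) that shows how a defender can audit that class of problem on any COM server: it reads the AccessPermission or LaunchPermission security descriptor stored under the server's AppID registry key, decodes the DACL, and reports whether a given principal is explicitly allowed or denied. The AppID GUID shown is a placeholder to be replaced with the AppID under test; the article does not list the TMG AppIDs involved, and the actual fix for the TMG defect remains Service Pack 1.

```powershell
# Added example, not from the KB article. Decodes the COM access/launch DACL of an AppID.
# The AppID below is a placeholder; substitute the AppID of the COM server you want to audit.
$PlaceholderAppId = '{00000000-0000-0000-0000-000000000000}'

# COM access-right bits as documented for COM security descriptors
$COM_RIGHTS_EXECUTE         = 0x1
$COM_RIGHTS_EXECUTE_LOCAL   = 0x2
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x8
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

function Get-ComAppIdDacl {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [ValidateSet('AccessPermission', 'LaunchPermission')][string]$Permission = 'AccessPermission'
    )
    $key  = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    $item = Get-ItemProperty -Path $key -ErrorAction Stop
    $bytes = $item.$Permission
    if (-not $bytes) {
        # No per-AppID value: the machine-wide defaults under HKLM:\SOFTWARE\Microsoft\Ole apply.
        Write-Warning "$AppId has no explicit $Permission; machine defaults apply."
        return
    }
    # The registry value is a self-relative security descriptor in binary form.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $known = $ace -as [System.Security.AccessControl.KnownAce]
        if (-not $known) { continue }   # skip ACE kinds without a SID/mask
        $sid = $known.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }    # unresolvable SID: report it raw
        [pscustomobject]@{
            AppId      = $AppId
            Permission = $Permission
            AceType    = $known.AceType  # AccessAllowed or AccessDenied
            Principal  = $name
            Sid        = $sid.Value
            Mask       = ('0x{0:X}' -f $known.AccessMask)
            Execute    = [bool]($known.AccessMask -band $COM_RIGHTS_EXECUTE)
            LocalExec  = [bool]($known.AccessMask -band $COM_RIGHTS_EXECUTE_LOCAL)
            RemoteExec = [bool]($known.AccessMask -band $COM_RIGHTS_EXECUTE_REMOTE)
        }
    }
}

function Test-ComAccessForPrincipal {
    # Returns $true only if the principal has an allow ACE with execute rights and no deny ACE.
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'NT AUTHORITY\NETWORK SERVICE'
        [string]$Permission = 'AccessPermission'
    )
    $target = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
    $aces = @(Get-ComAppIdDacl -AppId $AppId -Permission $Permission | Where-Object { $_.Sid -eq $target })
    if ($aces | Where-Object { $_.AceType -eq 'AccessDenied' }) { return $false }
    return [bool]($aces | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Execute })
}

# Usage (placeholder AppID; replace before running on a real host):
Get-ComAppIdDacl -AppId $PlaceholderAppId -Permission AccessPermission | Format-Table -AutoSize
Test-ComAccessForPrincipal -AppId $PlaceholderAppId -Principal 'NT AUTHORITY\NETWORK SERVICE'
```

Run it in an elevated PowerShell session, since the AppID keys under HKLM are readable but principal translation and some AppIDs require administrative rights; if a service account that must receive event callbacks shows no allow ACE (or a deny ACE) for the AccessPermission DACL, that is the same failure pattern the article describes, and the remedy is to apply the vendor's corrected DACL (here, Service Pack 1) rather than to hand-edit the descriptor.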
Service pack information
This problem is fixed in Forefront TMG 2010 Service Pack 1.
For more information about how to obtain Forefront TMG 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
981324 List of problems that are fixed in Forefront Threat Management Gateway 2010 Service Pack 1 (http://support.microsoft.com/kb/981324/)
Update information
To resolve this problem, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Forefront TMG 2010 Service Pack 1.
Article ID: 980674 - Last Review: 09 October 2011 - Revision: 3.0