This article has been archived. It is offered "as is" and will no longer be updated.
Consider the following scenario:
You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to create a site-to-site VPN connection between a central office and a branch office.
The ISA Server 2006 computer is located in the central office.
Clients in the branch office use ISA Server to access servers in the central office.
In this scenario, packets from the branch office may not reach the destination servers in the central office. For example, DNS requests from a client in the branch office may not reach the DNS servers in the central office.
This problem occurs because the Microsoft Firewall service incorrectly handles IP address bindings. If a site-to-site VPN connection is lost and then re-created, ISA Server still uses the old IP address of the previous virtual network interface for the site-to-site VPN connection instead of the address of the new interface.
To resolve this problem, apply the hotfix rollup package that is described in the following Microsoft Knowledge Base article:
947257 Description of the Internet Security and Acceleration (ISA) Server 2006 hotfix package: January 8, 2008
To work around this problem, restart the Microsoft Firewall service on the ISA Server 2006 computer.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.