Problem with VPN's on ISA Server 2004 SP1

I've done a number of upgrades on our network and ever since I'm having
problems sending large amounts of data over VPN connections. This shows best
when doing a file copy over the VPN connection. Before the upgrades this
went fine. After the upgrades we get a Semaphore Timeout Error during the
copy. We also get occasional problems trying to connect via terminal
services over the VPN's.
I think the problem is in ISA Server 2004 SP1 (which is handling the VPN's).
Anybody else seen this behaviour and have a solution for it?

Here's some history:
- installed Windows Server 2003 SP1 on an internal test server
- we noticed problems when we connect from the test server over a VPN
connection towards a Win2003 Server for server management. We then installed
ISA Server 2004 SP1, which seemed to solve this problem
- at about the same time we and a number of our customers started to have
all kinds of problems communicating to machines over VPN. We tracked this
down and installed hotfix 898060 on our servers (not yet on our ISA Server),
which solved these problems
- then we noticed the copy problem mentioned above, which occured from our
workstations and servers
- we then installed Windows Server 2003 SP1 on the ISA Server box and
applied hotfix 898060, but the problem stayed exactly the same

Doing a network monitor trace the problem seems to be a network packet that
never gets to the destination. All traffic runs well (with now and then a
packet loss causing a retry) up to a certain point where an IP packet does
not arrive at the destination, although it is retried 5 times before giving
up.

We've then done the following tests:
- connect a PC directly to the Internet, bypassing ISA Server: things work
fine
- test at a customers site between 2 machines that have an ISA Server 2000
between them: things work fine
- the same machines that work fine in the scenarios above fail though when
we run it over the ISA Server 2004 SP1 (we tested L2TP, PPTP VPN's and IPSec
tunnelling connections, all have the same problem)

Any help would be greatly appreciated.

regards,
Stefan Cuypers




.

Relevant Pages

  • Re: ISA 2006 Basic Configuration
    ... Troubleshooting Client Authentication on Access Rules in ISA Server 2004 ... Microsoft Internet Security & Acceleration Server: ... Microsoft ISA Server Partners: Partner Hardware Solutions ... The routing table for the network adapter Internal ...
    (microsoft.public.isa.configuration)
  • Re: ISA 2006 Basic Configuration
    ... Does the AD/DNS Server have the ISP's DNS properly configured as a Forwarder? ... Microsoft Internet Security & Acceleration Server: ... Microsoft ISA Server Partners: Partner Hardware Solutions ... The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network Internal, ...
    (microsoft.public.isa.configuration)
  • RE: Digest authentication does not work for HTTPS-requests through MS
    ... I've seen this problem happening when the network range in your "Internal" ... Clients use Internet Explorer 6.0. ... All the testing was performed having SP1 for ISA Server 2004 installed. ...
    (microsoft.public.isa)
  • Re: ISA 2006 proxy error
    ... and to correctly configure the Internl Network Definition ... Understanding the ISA 2004 Access Rule Processing ... Microsoft Internet Security & Acceleration Server: ... Microsoft ISA Server Partners: Partner Hardware Solutions ...
    (microsoft.public.isa.configuration)
  • RE: DNS MS Firewall error: 21174...
    ... Thank you for posting in SBS newsgroup. ... Using ISA Server 2004 with Exchange Server 2003 ... the problem may be caused by the Internal network is ...
    (microsoft.public.windows.server.sbs)