I have been experiencing a very strange problem for the past few months, probably since January time.
I have two ISA 2006 (5.0.5721.263) servers in my domain. One of them is set up to be the VPN gateway server that handles VPN remote access and 3 L2TP tunnels to remote site offices. Every now and then, probably once a week on a random day I will get an excessive amount of calls from my users stating that their VPN client won't connect and is bringing back an error about authentication protocols (I have the exact error but it isn't necessary to post it).
Now I have 2 custom Rules in my "Remote Access Policies" in RRAS, one that handles VPN connections and the other handles Remote Sites. When I first set up the RRAS server they were in the correct order: VPN (custom) > RemoteSite (custom) > "Connections to other access servers" (default policy) > "Connections to Micr..." (default policy) > ISA Server Default Policy.
The problem being - randomly the "ISA Server Default Policy" will jump to the top of the list and deny access to everything connecting to RRAS, which as you can imagine - is quite annoying.
Has anyone ever experienced this sort of issue before and resolved it? I would greatly appreciate any help with this matter.
I have been having this exact same problem after the ISA DB stuffed itself. Two days of beating my head against a wall...
ISA Server Overwrites Routing and Remote Access Settings
Problem: Routing and Remote Access settings are overwritten by ISA Server. Demand-dial interfaces created with Routing and Remote Access are deleted.
Cause: Remote access settings must be specified using ISA Server Management. Any demand-dial interfaces created or modified using Routing and Remote Access that do not match networks in ISA Server are overwritten and deleted by ISA Server. Note the following limitations when creating demand-dial interfaces using the VPN Wizard:
ISA Server does not support the assignment of a persistent connection, and persistent connections you assign in Routing and Remote Access are deleted. This may be an issue if you want a VPN connection to configure automatically when the server comes online, rather than waiting for traffic to trigger the interface to dial.
ISA Server does not allow creation of multiple VPN connections to a particular network using different metrics. Such functionality allows more than one route to a particular network, so that if a primary route goes down, a backup route with different metrics is available.
ISA Server does not allow you to disable or enable specific services or network components on a specific VPN interface.
You cannot configure the number of redial attempts the VPN connection makes.
ISA Server does not allow modem demand-dial interfaces.
Solution: For more information about solutions, see the following Knowledge Base articles:
837353, "Configuration changes that are made to Routing and Remote Access when you install ISA Server 2004"
842639, "Redial attempts and Average redial interval settings are reset in Routing and Remote Access service"
ISA Server default policy takes precedence in the ordering list of Routing and Remote Access policies. To put another remote access policy above the ISA Server policy, do the following:
At the command prompt, type net stop ISACTRL.
Change the policy order.
At the command prompt, type net start ISACTRL.