Setup: Running ISA 2k4 Enterprise w/ 2 servers. Users are establishing outgoing VPN connections to various sites using the Nortel Contivity and Cisco VPN Client software. ISA(s) configured to allow NAT-T connections, destination VPN servers (and client software) using NAT-T. Using NLB on the ISA boxes to load balance (and provide redundancy) on an internal IP and several external IPs.
Problem: Users can establish the VPN connections and use the remote resources without issue. We have had at least 6 concurrent users connecting to the remote VPN sites without issue. Then, occasionally, a user (who was connected earlier in the day) will try to re-establish an outgoing VPN connection, and they will get the Cisco error "Remote Peer is no longer responding" and they are never prompted for their credentials. Other machines are still connected, and other people try to connect and are successful.
If I shut down one of the ISA boxes (doesn't matter which), then the users getting the errors can connect successfully. If I bring both boxes back online, users can still connect, for a while. Sometimes we go days without this issue, sometimes it happens several times a day.
When I have searched the web (and these forums) for this issue, I get two types of results back: 1) Users can never connect and receive the error. This is NOT what we get. We can properly establish the NAT-T VPN connection MOST of the time. 2) A user can connect, sometimes. When they can't, the admin has fixed the problem by restarting the firewall service. This is VERY similar to what we are seeing. I only found 1 hit like this, and that was on these forums. (http://forums.isaserver.org/m_130254900/mpage_1/key_cisco,remote,peer,longer/tm.htm) But that user was using ISA2k from SBS2000, and never documented a solution. I considered upgrading to ISA2k6, but I would like to resolve this first.
Any suggestions on how to resolve or debug this?
< Message edited by pstemper -- 5.Oct.2006 2:59:43 AM >
Anyone have any news on this issue? I am seeing the same thing, although I have an EE array with ISA 2006, and we are trying to VPN to another site which has a single ISA 2004 EE server. Various machines will stop being able to VPN out (L2TP/IPSec). We can get it working again on an affected client by changing the IP address. If I turn off either of the ISA servers, they are able to VPN out to the remote site without issue. As long as they are both on, the problem randomly starts cropping up again.
Also, I should note that the NAT-T registry change for XP SP2 and Vista has not helped either of those types of clients.
< Message edited by jerrice -- 2.Nov.2007 6:45:42 PM >