Hotfix for SA Idle Timeout Problem

Great post from Stefaan Pouseele on the Web boards regarding SA Idle Timeout problems with site to site VPNs with third party VPN gateways:


Hey guys,

The issue is known as the 'QM SA IdleTime problem'. Because it is a bug introduced by Windows 2003 SP1, you should never be charged for it by PSS.
Regarding the packet loss problem during the initial QM SA negotiation and the QM SA renegotiation, that issue has been fully investigated by PSS together with the development team. In Windows Server 2003 SP1 some changes were made in the way ipsec.sys handles traffic during an IKE renegotiation. The bottom line is that the ISA 2004 Firewall Engine Kernel Mode driver fweng.sys is not treating those changes correctly and therefore drops the packets with the error code FWX_E_FWE_SPOOFING_PACKET_DROPPED.
Because the IKE renegotiation should not happen that often (assuming the QM SA IdleTime problem has been fixed) and packet loss must be expected in a networked environment anyway, we don't think this is a major area of concern. Moreover, in all our repros we never had a single instance where a TCP connection was dropped due to this issue. The TCP Retransmission took care of the dropped packets. There will certainly be a performance hit for TCP connections due to the Slow Start Algorithm; however, the development team does not see this as a justification for a fix at the moment.

Therefore, if anybody has hard evidence that the IKE renegotiation could lead to a broken TCP connection, please let us know so we can take the appropriate actions.
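As an added example (not from Stefaan's post and not any ISA tooling), the Python script below reads constructed, simplified firewall log records and checks whether FWX_E_FWE_SPOOFING_PACKET_DROPPED drops cluster right after IKE (UDP/500) exchanges, and whether each affected TCP flow passed traffic again afterwards, which is the kind of evidence the post asks for. The six-field log layout, the 5-second window and the sample records are assumptions.

```python
"""Correlate fweng.sys spoofing drops with IKE renegotiation events.

Added example, not from the original post. The log layout is a constructed
simplification (date time proto src dst action code); real ISA 2004 logs
carry more fields, so the split in parse_log is an assumption.
"""
from datetime import datetime, timedelta

IKE_PORT = "500"
SPOOF_CODE = "FWX_E_FWE_SPOOFING_PACKET_DROPPED"

# Constructed sample records: an IKE exchange at 10:00, a renegotiation at
# 10:30 followed by two drops on an existing TCP flow that then resumes,
# and one unrelated drop at 11:15 with no IKE traffic nearby.
SAMPLE_LOG = """\
2005-09-01 10:00:00 UDP 10.1.1.1:500 10.2.2.1:500 Allowed 0x0
2005-09-01 10:00:01 TCP 192.168.1.5:1234 192.168.2.9:445 Allowed 0x0
2005-09-01 10:30:00 UDP 10.1.1.1:500 10.2.2.1:500 Allowed 0x0
2005-09-01 10:30:00 TCP 192.168.1.5:1234 192.168.2.9:445 Denied FWX_E_FWE_SPOOFING_PACKET_DROPPED
2005-09-01 10:30:01 TCP 192.168.1.5:1234 192.168.2.9:445 Denied FWX_E_FWE_SPOOFING_PACKET_DROPPED
2005-09-01 10:30:03 TCP 192.168.1.5:1234 192.168.2.9:445 Allowed 0x0
2005-09-01 11:15:42 TCP 192.168.1.7:2000 192.168.2.9:80 Denied FWX_E_FWE_SPOOFING_PACKET_DROPPED
"""

def parse_log(text):
    """Parse the simplified records into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, proto, src, dst, action, code = line.split()
        records.append({"ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
                        "proto": proto, "src": src, "dst": dst,
                        "action": action, "code": code})
    return records

def correlate(records, window=timedelta(seconds=5)):
    """Count spoofing drops within `window` after an IKE (UDP/500) event and
    record whether each affected flow passed traffic again afterwards."""
    ike_times = [r["ts"] for r in records
                 if r["proto"] == "UDP" and r["dst"].endswith(":" + IKE_PORT)]
    drops = [r for r in records if r["code"] == SPOOF_CODE]
    near_ike = [d for d in drops
                if any(timedelta(0) <= d["ts"] - t <= window for t in ike_times)]
    recovered = {(d["src"], d["dst"]): any(r["action"] == "Allowed" and r["ts"] > d["ts"]
                 and (r["src"], r["dst"]) == (d["src"], d["dst"]) for r in records)
                 for d in drops}
    return {"total_drops": len(drops), "drops_near_ike": len(near_ike),
            "unexplained_drops": len(drops) - len(near_ike), "flow_recovered": recovered}
```

Drops flagged as unexplained, or flows that never pass traffic again after a drop, are the cases worth reporting back with the raw log excerpt.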


For the full thread, check out:

Thomas W Shinder, M.D.
MVP — ISA Firewalls
