I really like days where I learn something new about something old. Makes it worth getting up in the morning.
Check out this post from Jim Harrison from a couple of years ago:
http://groups.google.com/group/microsoft.public.isa/msg/3c4c9481fae91b5f
To quote:
“Note that ISA enforces a 5-second delay in updating its internal routing table after a VPN client connects to control the CPU load (routing table updates are *expensive*). This may interfere with a client getting the additional information that is supplied in the DHCP Inform req.resp cycle, since these occur almost immediately after the connection is completed.
There is a previous thread in this same NG subj: “DHCP Request SPOOFING_PACKET_DROPPED” that includes the process you should follow to resolve the DHCP Inform issue *if and only if* you see ISA rejecting DHCP
traffic from VPN clients with a “SPOOFING_PACKET_DROPPED” status. This change is still getting regression testing, so you should use it with care.
Note: Do Not set that value lower than 1000 (0x3e8) (1 second)”
Nice! Thanks a bunch Jim, this was very enlightening.
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)