ISA enforces a 5-second delay in updating its internal routing table after a VPN client connects

I really like days where I learn something new about something old. Makes it worth getting up in the morning.

Check out this post from Jim Harrison from a couple of years ago:

http://groups.google.com/group/microsoft.public.isa/msg/3c4c9481fae91b5f

To quote:

“Note that ISA enforces a 5-second delay in updating its internal routing table after a VPN client connects to control the CPU load (routing table updates are *expensive*). This may interfere with a client getting the additional information that is supplied in the DHCP Inform req.resp cycle, since these occur almost immediately after the connection is completed.

There is a previous thread in this same NG subj: “DHCP Request SPOOFING_PACKET_DROPPED” that includes the process you should follow to resolve the DHCP Inform issue *if and only if* you see ISA rejecting DHCP traffic from VPN clients with a “SPOOFING_PACKET_DROPPED” status. This change is still getting regression testing, so you should use it with care.

Note: Do Not set that value lower than 1000 (0x3e8) (1 second)”

Nice! Thanks a bunch Jim, this was very enlightening.

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
MVP — Forefront Edge Security (ISA/TMG/IAG)
