Question : Remote VPN Subnet routing issue

We are seeing a strange phenomenon with our Remote VPN subnet.  We have a remote VPN subnet (172.16.11.XXX) connected to our main LAN (172.16.1.XXX) via identical LinkSys VPN firewalls.   Here's our basic setup:

Internet --- ISA Server (172.16.1.1) --- Main LAN (172.16.1.xxx)
                                              |
                                 LINKSYS VPN Router (172.16.1.8)
                                              |
                                 (Internet via Hardware VPN)
                                              |
                                 LINKSYS VPN Router (172.16.11.1)
                                              |
                                 Remote LAN (172.16.11.XXX)

The issue we're seeing is that we cannot access servers on the main LAN from the VPN Subnet unless the Server first initializes the connection.  All Main LAN servers are using the ISA Server as the default gateway, and the ISA server has defined the route to 172.16.11.XXX through 172.16.1.8 (this was done using ROUTE ADD -p).  At first, the server on the Remote LAN cannot ping some servers on the main LAN.  To troubleshoot, we tested whether or not the servers on the main LAN could ping the remote server - which was successful.  After that, the remote server could see that main server just fine.  We tried this on two more servers, and determined that the remote server could not PING the main server unless the main server initiated the PING first. After that, all resources were accessible (PING, file shares, etc.)

Is there something in our configuration that would prevent the main server from discovering the route to the remote subnet unless it initiated the connection (and thus couldn't respond to the first set of PINGs)?

Are there any known issues with using ISA Server as a router as well in this type of configuration?  At one point, we were using a separate server to define this route, and all other servers were using it as the default gateway, but I much prefer the notion of using the ISA as the default gateway instead of some other internal server.

I hope this makes sense.  Any input is appreciated.

Thanks,

Don

Answer : Remote VPN Subnet routing issue

This link describes a situation very similar to yours: http://support.microsoft.com/?kbid=888042

The solutions suggested are to either have static routes on each of the servers for the remote networks or to have the remote router as the default gateway. The connectivity could be designed better; these solutions make it really messy.

> It just seems kludgey to me to use a separate server to route ALL traffic when all I really need to is add that routing table entry to the ISA - which handles all other routing (to the internet) and IS the gateway for the internal LAN.

Indeed, which is why I suggested having the ISA server as the central router: one interface each for the WAN, LAN and VPN link.
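To see the difference between the two suggested fixes on a main-LAN server, it helps to check which next hop the server's own routing table picks for a remote-subnet address. The following script is an added example, not code from the thread or from Microsoft; it parses the IPv4 section of Windows `route print` output and does the same longest-prefix-match lookup the host does. The two route tables are constructed samples (172.16.1.50 is an assumed server address): the first has only the default route through the ISA server, the second includes the persistent route to 172.16.11.0/24 via 172.16.1.8 that `route add -p` would create on the server itself.

```python
import ipaddress

# Constructed sample: `route print` on a main-LAN server (assumed address
# 172.16.1.50) that relies solely on the ISA server as its default gateway.
ROUTE_PRINT_BEFORE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.1.1     172.16.1.50     10
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
       172.16.1.0    255.255.255.0         On-link     172.16.1.50    266
===========================================================================
"""

# Constructed sample: same server after a persistent static route to the
# remote VPN subnet via the Linksys router (the "static routes on each
# server" option from the answer).
ROUTE_PRINT_AFTER = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.1.1     172.16.1.50     10
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
       172.16.1.0    255.255.255.0         On-link     172.16.1.50    266
      172.16.11.0    255.255.255.0      172.16.1.8     172.16.1.50     11
===========================================================================
"""


def parse_route_print(text):
    """Return a list of (network, gateway, interface, metric) tuples.

    Only five-column lines whose first two fields form a valid
    destination/netmask pair are kept, so headers and separators drop out.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            metric = int(metric)
        except ValueError:
            continue
        routes.append((network, gateway, iface, metric))
    return routes


def next_hop(routes, destination):
    """Pick the gateway a Windows host would use for `destination`.

    Longest prefix wins; a lower metric breaks ties. Returns the gateway
    address, the literal "On-link" for directly connected networks, or None
    if nothing matches.
    """
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1]


def remote_subnet_uses_vpn_router(text, remote_host="172.16.11.20",
                                  vpn_router="172.16.1.8"):
    """True if this server sends remote-subnet traffic straight to the
    Linksys router rather than bouncing it off its default gateway."""
    return next_hop(parse_route_print(text), remote_host) == vpn_router


if __name__ == "__main__":
    for label, table in (("before", ROUTE_PRINT_BEFORE),
                         ("after", ROUTE_PRINT_AFTER)):
        hop = next_hop(parse_route_print(table), "172.16.11.20")
        ok = remote_subnet_uses_vpn_router(table)
        print(f"{label}: 172.16.11.20 via {hop}; direct to VPN router: {ok}")
```

Running it shows the "before" table handing remote-subnet packets to 172.16.1.1 (the ISA server, which must then forward them back onto the same LAN segment toward 172.16.1.8), while the "after" table sends them to 172.16.1.8 directly. Feeding the script the real `route print` output from each main-LAN server is a quick way to confirm which hosts still depend on the ISA server for that hop.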