Hotfix for SA Idle Timeout Problem

Great post from Stefaan Pouseele on the ISAserver.org Web boards regarding SA Idle Timeout problems with site to site VPNs with third party VPN gateways:

==========================

Hey guys,

The issue is known as the 'QM SA IdleTime problem'. Because it is a bug introduced by Windows 2003 SP1, you should never be charged for it by PSS.

Regarding the packet loss problem during the initial QM SA negotiation and the QM SA renegotiation, that issue has been fully investigated by PSS together with the development team. In Windows Server 2003 SP1 some changes were made in the way ipsec.sys handles traffic during an IKE renegotiation. The bottom line is that the ISA 2004 Firewall Engine kernel mode driver fweng.sys is not treating those changes correctly and therefore drops the packets with the error code FWX_E_FWE_SPOOFING_PACKET_DROPPED.

Because the IKE renegotiation should not happen that often (assuming the QM SA IdleTime problem has been fixed) and packet loss must be expected in a networked environment anyway, we don't think this is a major area of concern. Moreover, in all our repros we never had a single instance where a TCP connection was dropped due to this issue. The TCP retransmission took care of the dropped packets. There will certainly be a performance hit for TCP connections due to the slow start algorithm; however, the development team does not see this as a justification for a fix at the moment.

Therefore, if anybody has hard evidence that the IKE renegotiation could lead to a broken TCP connection, please let us know so we can take the appropriate actions.

HTH,
Stefaan
==========================

For the full thread, check out: http://forums.isaserver.org/m_2002001812/mpage_1/tm.htm
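Stefaan asks for hard evidence that a renegotiation breaks a TCP connection rather than merely delaying it through retransmission. The script below is an added example, not code from the original post or from ISA Server: it tallies FWX_E_FWE_SPOOFING_PACKET_DROPPED events per TCP flow in a constructed, simplified log and reports whether each flow carried traffic again within a recovery window. The tab-separated log layout and the 30-second window are assumptions; a real ISA 2004 firewall log has more columns.

```python
"""Tally FWX_E_FWE_SPOOFING_PACKET_DROPPED events per TCP flow and check
whether the flow recovered afterwards (retransmission got through) or went
quiet. The log lines are constructed in a simplified tab-separated form."""
from collections import defaultdict
from datetime import datetime, timedelta

DROP_CODE = "FWX_E_FWE_SPOOFING_PACKET_DROPPED"

# Constructed sample log: time, src:port, dst:port, protocol, result
SAMPLE_LOG = """\
2005-06-01 10:00:00\t10.0.0.5:3456\t192.168.1.10:445\tTCP\tOK
2005-06-01 10:00:01\t10.0.0.5:3456\t192.168.1.10:445\tTCP\tFWX_E_FWE_SPOOFING_PACKET_DROPPED
2005-06-01 10:00:02\t10.0.0.5:3456\t192.168.1.10:445\tTCP\tFWX_E_FWE_SPOOFING_PACKET_DROPPED
2005-06-01 10:00:04\t10.0.0.5:3456\t192.168.1.10:445\tTCP\tOK
2005-06-01 10:00:00\t10.0.0.7:3500\t192.168.1.20:80\tTCP\tOK
2005-06-01 10:00:01\t10.0.0.7:3500\t192.168.1.20:80\tTCP\tFWX_E_FWE_SPOOFING_PACKET_DROPPED
"""


def parse(text):
    """Turn the constructed log text into (timestamp, src, dst, proto, result) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, result = line.split("\t")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, proto, result))
    return rows


def analyze(rows, recovery_window=timedelta(seconds=30)):
    """Return {(src, dst): {"drops": n, "recovered": bool}} for every TCP flow
    that saw at least one spoofing drop. A flow counts as recovered when an OK
    packet follows its last drop within recovery_window (assumed 30 s)."""
    flows = defaultdict(list)
    for ts, src, dst, proto, result in rows:
        if proto == "TCP":
            flows[(src, dst)].append((ts, result))
    report = {}
    for flow, events in flows.items():
        events.sort()
        drops = [ts for ts, r in events if r == DROP_CODE]
        if not drops:
            continue
        last_drop = drops[-1]
        recovered = any(r == "OK" and last_drop < ts <= last_drop + recovery_window
                        for ts, r in events)
        report[flow] = {"drops": len(drops), "recovered": recovered}
    return report


if __name__ == "__main__":
    for flow, info in analyze(parse(SAMPLE_LOG)).items():
        print(flow, info)
```

Flows reported as not recovered are the candidates to check against the client side for a reset or timeout; recovered flows only show the slow-start penalty the post describes.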

HTH,

Tom

Thomas W Shinder, M.D.

Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/

Book: http://tinyurl.com/3xqb7

MVP — ISA Firewalls
