Hi, Strange problem with an ISA server / VPN inbound. When a user connects from the Internet using the correct domain / username / password no issues, no alerts from the ISA server, user connects & can access internal servers / e-mail / web browse exactly as you would expect. If they enter a CORRECT domain / username, but an INCORRECT password, the ISA server sends the following alerts. The internal address range for the lan is 192.168.1.0/24, the internal address of the ISA server is 192.168.1.1 the internet connects to a hardware router with port forwarding which NATs the internet to 10.1.1.1, the external interface on the ISA server is 10.1.1.2. There is nothing on the network on address 192.168.2.103 ! First it sends a; ISA Server name: EBG-ISA The VPN connection attempt by user EBG\glenn.johnston from VPN client IP address 60.240.40.192 could not be established. The failure is due to error: 0xc0040021 Which is expected, when this alert is active. Then over a period of 3 - 4 minutes several hundred copies of; which is not expected, always referring to address 192.168.2.103. ISA Server name: EBG-ISA ISA Server detected a spoof attack from Internet Protocol (IP) address 192.168.2.103. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log. Then about 2 or 3 minutes after the spoof attack e-mails stop, it sends a final ISA Server name: EBG-ISA ISA Server disconnected the following client: 60.240.40.192 because its connection limit was exceeded. For more information about this event, see the Windows event viewer. The VPN client on the notebook is set to not to retry, on connect failure. And, there is nothing in the event viewer referring to the connection limit being exceeded. What's going on ? It's not causing any operational issues, if the user attempts to connect again with the correct password, they connect straight in, even while the spoof messages are being sent. But it's driving me craze, I know something is not right, but can not work out what. Regards Glenn