Hi, I observed that if an S2S VPN connection of type IPSec Tunnel is used between two ISA 2004 servers, or between two Windows 2003 RRAS servers, or between an ISA 2004 server and a Windows 2003 RRAS server, then every 5 minutes the QM SA is deleted (Event ID 542) and a complete new QM SA is renegotiated (Event ID 541), even if there is traffic all the time (ping -t). In the ISA MMC, the summary of the IPSec configuration is: --- Begin --- Local Tunnel Endpoint: 192.168.1.30 Remote Tunnel Endpoint: 192.168.1.10 To allow HTTP proxy or NAT traffic to the remote site, the remote site configuration must contain the local site tunnel end-point IP address. IKE Phase I Parameters: Mode: Main mode Encryption: 3DES Integrity: SHA1 Diffie-Hellman group: Group 2 (1024 bit) Authentication method: Pre-shared secret (azerty) Security Association lifetime: 28800 seconds IKE Phase II Parameters: Mode: ESP tunnel mode Encryption: 3DES Integrity: SHA1 Perfect Forward Secrecy: ON Diffie-Hellman group: Group 2 (1024 bit) Time rekeying: ON Security Association lifetime: 3600 seconds <<<< one hour !!! Kbyte rekeying: OFF Remote Network 'RemoteSite#22' IP Subnets: Subnet: 192.168.1.10/255.255.255.255 Subnet: 192.168.22.0/255.255.255.0 Local Network 'Internal' IP Subnets: Subnet: 192.168.44.0/255.255.255.0 --- End --- According to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechR ef/8fbd7659-ca23-4320-a350-6890049086bc.mspx and http://www.microsoft.com/windowsserver2003/techinfo/overview/ipsecfaq.mspx the default idle timeout for a quick mode SA is 300 seconden. This can be changed with the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec Value name: SAIdleTime Data Type: REG_DWORD Value data: 300 - 3600 (default=300) So, it sounds that on a fully patched Windows 2003 SP1, the QM SA idle timeout function is *not* working very well. A workaround is to set SAIdleTime=3600, that's the same value as the default QM SA lifetime. In other words, after maximum one hour a complete new QM SA will be renegotiated because the session keys must be refreshed in any way. Is this a known issue and is there already a fix available? Also, I assume that KB907259 You cannot sustain a connection for longer than 3 to 10 minutes between a Windows Server 2003 Service Pack 1-based computer and a Linux-based computer (http://support.microsoft.com/kb/907259/en-us) has nothing to do with this issue. Right? Thanks, Stefaan