Hi people

I've been tearing my hair out over this, so I'm hoping someone can give me a hand before I go bald!
I've set up my Microsoft ISA 2006 server to allow remote access via VPN. I can connect via VPN locally within the network, however when I try externally it fails. My ISA server is behind another ISA server which has apparently been set to allow traffic on ports 500, 4500 and 1701, however when I look at my firewall log it only shows requests coming to ports 500 and 4500 as shown below, none to port 1701.

VPN Setup:
L2TP Protocol
IPSec Preshared Key (for now.. will update to certificate based auth later on)

Network Layout:
Internet --> 1st ISA --> 2nd ISA (the one within my building) --> Internal Network

Snippet from ISA Firewall Log - Note: IP addresses have been removed
Code:
BLACKHOLE	2008-02-19	07:57:02	UDP	<<USERIP>>:61079	<<2ndISA IP>>:500	87.194.101.102	External	Local Host	Establish	0x0	[System] Allow VPN client traffic to ISA Server	IKE Client	0	0	0	0	-	-	-	-	184502	2249727


BLACKHOLE	2008-02-19	08:05:14	UDP	<<USERIP>>:61079	<<2ndISA IP>>:500	87.194.101.102	External	Local Host	Terminate	0x80074e20	[System] Allow VPN client traffic to ISA Server	IKE Client	2400	2400	7280	7280	492000

I'm guessing that port 1701 (L2TP Client) has not been opened on the first ISA server and that this is causing the problem. However, when I checked whether it was open I was told it was... but given that I am not even seeing the L2TP client hitting the firewall, never mind being allowed or disallowed, I still think it's blocked.

Anyone got any ideas?

Thanks