Question : Isa 2004 with Dual WAN Load balancer

I am trying to set up a dual WAN load balancer for our ISA 2004 server.

These are the IPs:

ISA                              = 192.168.20.2
Load Balancer                    = 192.168.20.1   (Linksys RV082)
Cisco 857                        = 192.168.21.1
Netgear                          = 192.168.22.1
Load balancer on Cisco subnet    = 192.168.21.200
Load balancer on Netgear subnet  = 192.168.22.100

I currently have it set up so that the ISA server can browse the internet; if I go to www.whatismyip.com and reload the page several times, it will use the IPs from both the Cisco 857 and the Netgear.

I have enabled RIP on both the load balancer and the Cisco router.
The load balancer takes a DHCP address from both of the modems when it is set to DHCP.

From the Cisco router I can ping both the 192.168.21.200 and 192.168.20.1 IP addresses.
I have set up forwarding rules on the load balancer to forward all port 80 traffic to the ISA server. So if I try to access our external webmail, I can see the traffic being passed from the Cisco router to the load balancer, which then doesn't say anything about forwarding it on, and it doesn't hit the ISA server.

If I change the Cisco router to forward port 80 traffic to 192.168.20.2 instead of 192.168.21.200 or 192.168.20.1, I can see in the logs of the load balancer that it says it is being passed to the ISA server, but nothing hits the ISA server.

Where am I going wrong?
Is using RIP better than typing in a static IP?

I don't use Cisco routers much, so I have been using the SDM instead of typing in the commands myself.

Answer : Isa 2004 with Dual WAN Load balancer

1.) A VPN is a tunnel, which ends behind one of the devices. So it depends where your tunnel ends. Some routers have a setting to handle VPN traffic themselves or to pass VPN traffic through the device and therefore go around the NAT. This is necessary, as you would otherwise have to open several ports in all NAT devices to get the VPN through a NAT. At the end of the tunnel, the client behaves as if it were part of the subnet where the VPN tunnel ends.
If the Cisco / Netgear handles the VPN, then the client is inside the 192.168.21.x or 192.168.22.x network. From this point, all necessary ports have to be open (there must be a listener) on the other devices.
I'm not quite sure how the Linksys handles VPN traffic, due to the fact that this traffic cannot be load balanced. So if a client connects via the Cisco, the Linksys has to send all traffic back to the Cisco, as the Netgear doesn't know anything about the VPN tunnel.
From my perspective, the VPN tunnel should end at the ISA, as there is then no need for additional ports to be open to serve services for the client.

2.) Your second post only says that there is no feedback from the device. If a client connects via VPN, there is a handshake where the server and the client negotiate the connection details (i.e. the authentication). So either the authentication fails for some reason, or the packets are lost because the load balancer may send them back via the other router.
If you enable PPTP Passthrough on the Linksys, you also have to make sure that it passes through the Cisco or Netgear. If Passthrough is enabled, there is usually no need for additional rules (this may vary from router to router, but this is the sense of the passthrough setting).
If the ISA is the endpoint, you need to configure the ISA to allow VPN traffic. You may test this with a laptop: first connect to the external interface of the ISA, then to the Linksys, and then to one of the third devices. This way you find out whether the ISA is configured correctly and which device has problems with the VPN tunnel.

Some routers also have a DMZ setting, which means something like "send everything to this device (IP) and ignore all NAT rules". As every device may have restrictions, you have to open ports on all devices between the internet and your internal network. But as a port is either closed or open, it will not be more closed because of two firewalls behind each other.

3.) What do you mean by traffic loss from the ISA / Linksys subnet? The route of a packet is defined by the default gateway. But there also has to be a route back. If you send a packet from your internal network and it comes back, there is no reason why it should not come back from the other side. The ISA has the Linksys as default gateway, the Linksys has to handle it itself (as load balancer), and the Cisco / Netgear get their gateways from your ISPs. The back route is either NAT or the DMZ setting or any kind of forwarding rule. The Cisco / Netgear forwards to the Linksys and the Linksys forwards to the ISA.

4.) The DMZ should be between the Linksys and the ISA, but in that case the ISA usually works in NAT mode.

5.) I would leave the Cisco and Netgear devices out of scope. You have the Linksys as external FW and the ISA as internal (if needed). So if possible, I would just tell the Cisco and Netgear to forward everything to the Linksys and let the Linksys filter the traffic. This just reduces configuration problems and additionally avoids confusion about the settings on these devices.

Summary:
Cisco: Default gateway from ISP, DMZ setting pointing to the Linksys --> forward all to the Linksys without filters
Netgear: the same as the Cisco
Basic filters are allowed, but for testing purposes, disable everything first; then you can enable everything step by step.
Basic filtering (DoS attack, DNS attack): keep this away from the other devices.

Linksys: Router or NAT, depending on what realizes the load balancing --> VPN Passthrough
If NAT, you have to open external ports for your services to be routed to the ISA, but usually not for the VPN, as it is passed through.
Otherwise you have to tell the Linksys to forward everything to the ISA.
The default gateway is handled by the load balancer.

ISA: Router or NAT (i.e. for DMZ), VPN endpoint
Default gateway is the Linksys (on the external NIC; internal is empty)
If NAT, open all ports (publishing rule with a listener) which are needed for services from external to internal
If routing, define access rules from external to internal.
Traffic from internal to external is always an access rule. Nevertheless the rule only allows what is defined as protocol.
The ISA blocks all undefined protocols in general.

VPNs do not need additional rules in the ISA, as they are set as access rules (2004 / 2006) or as system rules (TMG) via the VPN configuration.
There is a (simple access) rule which states VPN Clients to Internal / LocalHost (not back to the internet !!)
The default network relation for VPN is Route (as the endpoint is internal).
The default network relation outgoing is NAT, but VPN clients are not included (!!).
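The back-route reasoning in point 3 (Cisco / Netgear forwards to the Linksys, the Linksys forwards to the ISA, and the reply has to leave through the WAN it came in on), traced hop by hop. This is an added example and not part of the original thread. The private addresses are the ones listed in the question; the public addresses (203.0.113.0/24 for the two WAN links, 198.51.100.7 for the client) and the tie-break between the RV082's two default routes are assumptions made for illustration. Only routing, port forwards (DNAT) and the matching reverse translation are modelled; outbound NAT of new connections, RIP and firewall rules are left out.

```python
"""Hop-by-hop model of the thread's topology (Internet -> Cisco 857 or Netgear ->
Linksys RV082 -> ISA 2004).  Added example, not code from the original post.
Private addresses are the ones in the question; the public ones (203.0.113.0/24
for the WAN links, 198.51.100.7 for the client) are assumptions.  Only routing,
port forwards and the matching reverse translation are modelled; outbound NAT of
new connections, RIP and firewall rules are not."""
import ipaddress

IP = ipaddress.ip_address


class Device:
    def __init__(self, name, addrs, routes, forwards=None):
        self.name = name
        self.addrs = {IP(a) for a in addrs}
        # (prefix, next hop); next hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), None if n is None else IP(n))
                       for p, n in routes]
        self.forwards = {port: IP(ip) for port, ip in (forwards or {}).items()}
        # filled when a port forward is applied: (internal dst, client) ->
        # (device the packet arrived from, public address the client used).
        # A real NAT table also keys on ports; one entry per client is enough here.
        self.conns = {}

    def route(self, dst):
        """Longest-prefix match.  Equally specific routes (the two default routes
        on the dual-WAN box) are tie-broken by destination address (assumption
        standing in for the RV082's load-balancing decision)."""
        hits = [(n, nh) for n, nh in self.routes if dst in n]
        if not hits:
            return None
        best = max(n.prefixlen for n, _ in hits)
        cands = [nh for n, nh in hits if n.prefixlen == best]
        nh = cands[int(dst) % len(cands)]
        return dst if nh is None else nh


def trace(devices, start, src, dst, dport):
    """Forward one packet from device `start` until delivered, dropped or looping."""
    by_ip = {a: d for d in devices.values() for a in d.addrs}
    dev, prev, hops = devices[start], None, [start]
    for _ in range(12):
        if (src, dst) in dev.conns:
            # reply to a forwarded connection: restore the public address and
            # send it back through the device the request came in from
            came_from, public = dev.conns[(src, dst)]
            hops.append(f"{dev.name}: un-NAT {src}->{public}")
            src, nxt = public, devices[came_from]
        else:
            if dst in dev.addrs and dport in dev.forwards:
                new_dst = dev.forwards[dport]
                dev.conns[(new_dst, src)] = (prev, dst)
                hops.append(f"{dev.name}: DNAT {dst}->{new_dst}")
                dst = new_dst
            if dst in dev.addrs:
                return {"hops": hops, "status": "delivered", "src": src, "dst": dst, "at": dev.name}
            nh = dev.route(dst)
            if nh is None or nh not in by_ip:
                return {"hops": hops, "status": f"no route on {dev.name} for {dst}",
                        "src": src, "dst": dst, "at": dev.name}
            nxt = by_ip[nh]
        prev, dev = dev.name, nxt
        hops.append(dev.name)
    return {"hops": hops, "status": "loop", "src": src, "dst": dst, "at": dev.name}


def build(cisco_forward_to, cisco_extra_routes=()):
    """Topology from the thread.  `cisco_forward_to` is where the Cisco's port-80
    forward points (the question tries 192.168.21.200 and 192.168.20.2)."""
    devs = [
        Device("internet", ["198.51.100.7", "203.0.113.1", "203.0.113.9"],
               [("203.0.113.0/24", None), ("198.51.100.0/24", None)]),
        Device("cisco", ["203.0.113.2", "192.168.21.1"],
               [("192.168.21.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
               + list(cisco_extra_routes), {80: cisco_forward_to}),
        Device("netgear", ["203.0.113.10", "192.168.22.1"],
               [("192.168.22.0/24", None), ("0.0.0.0/0", "203.0.113.9")],
               {80: "192.168.22.100"}),
        Device("linksys", ["192.168.20.1", "192.168.21.200", "192.168.22.100"],
               [("192.168.20.0/24", None), ("192.168.21.0/24", None),
                ("192.168.22.0/24", None), ("0.0.0.0/0", "192.168.21.1"),
                ("0.0.0.0/0", "192.168.22.1")], {80: "192.168.20.2"}),
        Device("isa", ["192.168.20.2"],
               [("192.168.20.0/24", None), ("0.0.0.0/0", "192.168.20.1")]),
    ]
    return {d.name: d for d in devs}


def roundtrip(devices, client, public, dport=80):
    """Client -> public address, then the server's reply.  The connection only
    works if the reply reaches the client *from the address it connected to*."""
    client, public = IP(client), IP(public)
    fwd = trace(devices, "internet", client, public, dport)
    if fwd["status"] != "delivered":
        return {"forward": fwd["status"], "reply": "not sent", "ok": False, "hops": fwd["hops"]}
    rep = trace(devices, fwd["at"], fwd["dst"], client, dport)
    ok = rep["status"] == "delivered" and rep["src"] == public
    return {"forward": "delivered", "reply": rep["status"], "reply_src": str(rep["src"]),
            "ok": ok, "hops": fwd["hops"] + rep["hops"]}


if __name__ == "__main__":
    for label, devs in [("forward to Linksys WAN1", build("192.168.21.200")),
                        ("forward straight to ISA", build("192.168.20.2")),
                        ("straight to ISA + static route",
                         build("192.168.20.2", [("192.168.20.0/24", "192.168.21.200")]))]:
        print(label, roundtrip(devs, "198.51.100.7", "203.0.113.2"))
```

The three runs follow the question's experiments. With the Cisco forwarding port 80 to the Linksys WAN address (192.168.21.200) and the Linksys forwarding on to 192.168.20.2, the request is delivered and the reply is un-NATed back out through the Cisco with the public address the client used. Forwarding from the Cisco straight to 192.168.20.2 fails at the first hop, because the Cisco has no route to 192.168.20.0/24 (which is what RIP, or a static route, would have to supply). Adding that route gets the request to the ISA, but the Linksys never translated it, so nothing ties the reply to the Cisco; the tie-break sends it out via the Netgear with the wrong source address, which is the "route back" problem point 3 describes.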