02-10-2014 10:20 AM
Dear Community,
We have two Cisco C170 Ironports, one at each of our two main sites, both in the same Domain. We also have two exchange server 2010 units these guys are filtering for. Each C170 is configured with an external NAT and MX record weighted at 10 and email passes through either and both equally.
I have just noticed that one is showing ONLY mail incoming and NOTHING outgoing and the other is showing the opposite. Only mail outgoing and NOTHING incoming. We are trying to determine is this is normal. What would be causing these to filter this way?
Thanks.
RH
02-10-2014 10:47 AM
Inbound, I'd double check the MX records and A records, and make sure both are actually accessble...
You can use sites like dnsstuff.com to test all of it in one go...
Outbound, check the Exchange config.
Organization Configuration
Hub Transport
Send Connectors tab
you should see 1 send connector here
Address Space tab, should be just SMTP, * , weight of 1, and "Scoped send connector" is unchecked.
Network tab, should have both ESAs listed
Source Server tab, should have all of your "gateway" hub transports listed.
Its possible that they were concerned about mail from site A exiting via the ESA in site B, and vice versa. In which case they should have 2 send connectors, one for each site.
Address space tab. Check the "Scoped Send connector" box. Set a weight of 1...
Network tab - just the local ESA
Source server tab - the local hub transport boxes.
They may have something slightly out of alignment so all outbound wants to go to one site... Weight, one is scoped and the other isn't, etc.
02-10-2014 11:42 AM
Ken,
Thanks for replying.
In my first Exchange server, in the Send Connector tab of the Hub Transport, I have TWO Send Connectors, one for each site. The properties of each are as you described above:
SMTP Weight of 1 (Only)
Scoped send connector unchecked
Network tab with both Ironport addresses
But the Source server tab only has the Exchange server for each Send connector listed for that connector.
It is identically set on the second Exchange Server (Both are in a DAG)
What does that tell you?
Thanks.
RH
02-10-2014 12:20 PM
Is the order of the ironport addresses the same in each connector?
My guess is that the load is low enough that you never get into a state where it opens another connection, it keeps one open, closes it at some point, and then starts a new one... starting at the top of the list..
02-10-2014 01:19 PM
Yes Ken,
The order is EXACTLY the same in each connector.
And the Smart Host IPs are in the same order on each connector.
And both Exchange servers are identical.
Which is what is confusing me.
Everything is being routed through One Connector first and thru One Ironport first.
Which is why I cannot see why one is handling all incoming and one all outgoing.
The Send Connectors are both configured as OUTBOUND.
And they both point first to the Ironport that is NOT handling OUTBOUND.
It is handling INBOUND.
It is hard to decipher right now.
02-10-2014 02:02 PM
Rocky,
I would recommend opening a TAC case but keep in my that it does not sounds like the ESA has anything to do with the issue, assuming that I understand the issue.
Did you try, from each Exchange, to relay mail through both ESAs? I am asking because that way you can make sure both ESAs would allow the outbound traffic.
The SMTPPing feature in the ESAs would help you to make sure each ESA can deliver messages to the Exchanges, both of them.
With the tests above I would say you could pretty much rollout the ESAs from the equation.
The final test would completely track inbound and outbound mail using both Exchanges and ESAs logs.
If either Exchange and/or ESA are configured to use FQDN, then the issue could be the DNS answer these devices are getting from the DNS servers configured on both. I would recommend review the settings and, at least for the purpose of this troubleshoot, use IP addresses instead of FQDN. In this scenario, you would need to review both ESAs and Exchanges configurations to make sure they are not using DNS names and are using IP addresses. It would be also advisable to make sure there is no Load Balancer in place and between the Exchanges and ESAs.
If you are willing to share the logs as evidence of the issue, I believe we can assist you further.
Regards.
-Valter
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide