Hi Philip,

perman6974 · ‎02-27-2017

We have problem when send email to tgi.co.id, when we check in Cisco IronPort C170 we found that domain tgi.co.id is down as we can see in the picture below

We also try to check with nslookup for domain tgi.co.id on the Cisco IronPort C170 and we found result as follow

JMJKTIPO.JAMBIMERANG.CO.ID> nslookup

Please enter the host or IP address to resolve.
[]> cisco.com

Choose the query type:
1. A the host's IP address
2. AAAA the host's IPv6 address
3. CNAME the canonical name for an alias
4. MX the mail exchanger
5. NS the name server for the named zone
6. PTR the hostname if the query is an Internet address,

otherwise the pointer to other information
7. SOA the domain's "start-of-authority" information
8. TXT the text information
[1]> 4

MX=alln-mx-01.cisco.com PREF=10 TTL=30m
MX=rcdn-mx-01.cisco.com PREF=20 TTL=30m
MX=aer-mx-01.cisco.com PREF=30 TTL=30m
JMJKTIPO.JAMBIMERANG.CO.ID> nslookup

Please enter the host or IP address to resolve.
[]> tgi.co.id

Choose the query type:
1. A the host's IP address
2. AAAA the host's IPv6 address
3. CNAME the canonical name for an alias
4. MX the mail exchanger
5. NS the name server for the named zone
6. PTR the hostname if the query is an Internet address,

otherwise the pointer to other information
7. SOA the domain's "start-of-authority" information
8. TXT the text information
[1]> 4

Temporary query error: "unable to reach nameserver on any valid IP" looking up
MX record for "tgi.co.id" to nameserver recursive_nameserver1.parent
JMJKTIPO.JAMBIMERANG.CO.ID>

What should we do for this issue. Enclosed we attached detail information of interconnection for our network devices, so please give us some suggestion to solve this matter.

Best regards,

Perman

Philip D'Ath · ‎02-27-2017

It looks like you have a lack of network connectivity. Can you ping their name servers?

ns1.pgascom.co.id
ns2.pgascom.co.id

And can you ping well known DNS servers like 8.8.8.8?

If you can ping 8.8.8.8 and can not ping ns1.pgascom.co.id then do a traceroute to ns1.pgascom.co.id. Where does it stop? That is where your problem is.

perman6974 · ‎02-27-2017

Hi Phlip,

We can ping to ns1.pgascom.co.id and ns2.pgascom.co.id as well to Google DNS 8.8.8.8 from client PC and also exchange mail server. However, when we try to ping with basic ping command in ESA Cisco IronPort C170 everything seem ok. But when we try again with extended ping command via interface DATA2, we found that result is "request timed out". For more detail information we enclosed all this information as file attached.

Best regards,

Perman

Philip D'Ath · ‎02-27-2017

Are you using both DATA1 and DATA2 for trying to send external email?

If so, are these separate internet connections?

If so, your ISP is probably using RPF to prevent you using IP addresses from one connection on another. This is nothing wrong with your ISP doing this.

If this is the case, then unplug one of your DATA ports.

perman6974 · ‎02-28-2017

Hi Philip,

We don't sure for this matter because our vendor has been configured for the appliance. But for additional information that IP address on interface DATA2 (DMZ) that is 10.203.130.2 translated or natted to public IP address 202.158.18.163 or mx1.jambimerang.co.id in Cisco ASA5512 as you can see at the network diagram enclosed, so we think this IP address the real address for sending email to external party.

Best regards,

Perman

Philip D'Ath · ‎02-28-2017

I think you need to check the routing on your appliance and make sure everything is sent out DATA1 by default, and DATA2 is only used if the DATA1 interface is down.

perman6974 · ‎02-28-2017

Hi Philip,

Current config we used 10.203.130.1 as default route in ESA Cisco IronPort C170, is this right? Please see at attachment enclosed.

Best regards,

Perman

Problem Send Email to Specific Domain in ESA IronPort C170