Public and Private listeners on ESA 380

I would ask if there is a limitation to using the public listener on the physical port DATA1 and the private listener on the DATA2 port for the ESA C380, since I am trying to telnet to the DATA2 IP through port 25 and it keeps losing the connection.

I have added the Exchange server IP to the Relay list.

 

Best Regards

 

Accepted Solution

Hello Mohammad,

 

It 'can' relate to the main issue depending on how your cluster is set for communication.

You need to go into CLI > Clusterconfig > Communication


Confirm the IP and ports used for communication between devices.

 

Run a telnet from both devices to one another on the right IPs and the right interface, on port 22.

A timeout means your ESAs are unable to communicate with each other via the means set up in the cluster communication settings; normally this is a network error.

 


As for adding the IP into the RELAYLIST, this depends.

Is the LB acting as transparent (i.e. it just forwards the connection with the original source IP), or is it taking over the source IP before connecting to the ESA?

Perhaps it would be good to add the IPs of the HT servers instead (in the event your LB is transparent), and it should correct the behaviour.

As for the routing table and gateway:

If your current default gateway (CLI > setgateway) is not reachable from Data2, then you need to add an extra routing table for Data2 to use as a default gateway, else it will not be able to reach out.

 

Regards,

Matthew
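Matthew's point about the load balancer, as an added example that is not from the thread or from Cisco: a small Python model of top-down HAT sender-group matching on the Data2 private listener, using constructed IPs. It assumes first match wins and that the ALL group on the private listener rejects, as the reply describes; it shows why a RELAYLIST holding only the LB VIP fails when the LB is transparent and the ESA sees the HT server's own IP.

```python
import ipaddress

# Constructed addresses for this example (not from the thread).
LB_VIP = "10.10.100.10"                        # load balancer VIP
HT_SERVERS = ["10.10.100.21", "10.10.100.22"]  # Exchange Hub Transport servers

# Sender groups of the Data2 private listener, in HAT evaluation order.
# Assumption: groups are evaluated top-down and the first match wins; the
# catch-all ALL group on a private listener rejects, as the reply says.
LISTENER_HAT = [
    # (sender group, IPs or CIDRs in the group, mail flow policy)
    ("RELAYLIST", [LB_VIP], "RELAYED"),
    ("ALL", ["0.0.0.0/0"], "REJECT"),
]

def hat_lookup(hat, source_ip):
    """Return (sender_group, policy) for the first group containing source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for group, entries, policy in hat:
        if any(addr in ipaddress.ip_network(e, strict=False) for e in entries):
            return group, policy
    return None, None

def connection_source(lb_transparent, ht_ip):
    """IP the ESA sees: the HT server itself when the LB is transparent,
    otherwise the VIP because the LB takes over the source address."""
    return ht_ip if lb_transparent else LB_VIP

def outcome(hat, lb_transparent, ht_ip):
    """Sender group and policy the connection from ht_ip would hit."""
    return hat_lookup(hat, connection_source(lb_transparent, ht_ip))

def with_relay_entries(hat, ips):
    """Copy of the HAT with extra IPs added to RELAYLIST (the suggested fix)."""
    return [(g, list(e) + list(ips) if g == "RELAYLIST" else e, p) for g, e, p in hat]

if __name__ == "__main__":
    for transparent in (False, True):
        for ht in HT_SERVERS:
            print(f"transparent={transparent} HT={ht} ->", outcome(LISTENER_HAT, transparent, ht))
    fixed = with_relay_entries(LISTENER_HAT, HT_SERVERS)
    print("after adding HT IPs:", outcome(fixed, True, HT_SERVERS[0]))
```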


15 Replies

It shouldn't be a problem.

Please provide a little more info about the problem:

- Are Exchange and the ESA's Data2 interface located in the same VLAN? If not, maybe a firewall is doing some inspection (do you have ESMTP inspection enabled)?

- Can you copy-paste a transcript of the telnet to port 25 session?

- Can you capture the traffic to see what's happening (maybe some IPS is sending RST packets)?

Thank you Jernej,

 

The Exchange server and the DATA2 interface of both ESAs are in the same VLAN, and they all have one gateway, since they are in cluster mode.

It is directly giving the following:

Connection lost from the Exchange server, even though I could access Exchange vice versa, as per the attachment.

Capturing is hard now since we are relaying to another Edge server at the moment.

 

Appreciate your help.

 

 

ESA1

 

For more information, the first attachment is the error toward the first ESA.

The second attachment is the error for the second ESA.

 

Enable log messages for rejected connections under Message Tracking.

Connect with telnet again to the ESA and try to send a test message.

Search the message tracking logs for this connection. Did you find that the connection has been blocked based on bad reputation?

If so, check the mail flow policy and fine-tune the settings.

If you're unsure how to do it, copy-paste the message tracking logs plus a screenshot of the mail flow policy.

And also check if you're using custom blacklists.

Dear Jernej, 

Once I tried to add the appliances with the DATA2 IPs in the SMA, it never established the connection through SSH and gave me a timeout error; but in the case of adding the appliances with the DATA1 IPs into the SMA there is no issue. Is it mandatory to add the DATA2 IPs of the ESAs into the SMA in order to see these outgoing logs in message tracking, or is adding the DATA1 IPs enough to achieve this?

Thanks

Hello Mohammad,


There is no mandatory nature of IP choices.

You can choose either.

 

But you need to ensure, when SMA and ESA connectivity is to be achieved, that SSH protocol and port 22 connections between the two devices (on the IP chosen) are allowed.

You can test the connection to see if it's not a network issue with:

 

SMA:

telnet

Select the interface to be used

IP of the ESA to be communicated with (Data 2 IP if you're using interface 2)

 

Port 22

 

See the results

 

Now do the same from ESA to SMA
 

Telnet

Select Data 2 IP interface

Connect to SMA IP

Port 22

 

Attempt.

Hi Mathew,

 

I have tried to make the Exchange server HT relay to the ESA devices, but all users from internal domains couldn't send any email to external domains through the DATA2 interface as the private listener, although from the ESA itself it could send emails to external domains.

In the message tracking you can see it is "Queued mail for delivery".

Hello Mohammad,

 

I assume this is for outbound emails as you mentioned external emails.

When you're seeing queued for delivery, is this on the actual ESA or on your exchange?

 

If on the ESA, you can force the deliveries with 'delivernow' and then 'tail mail_logs' to see what error appears, if any.

 

If it is queued on the exchange, this would mean exchange -> ESA connection isn't working.


I would recommend telnetting from Exchange to the ESA on port 25, to the IP that you have set as the connector,

so we can see if the ESA is dropping the connection or if there is a routing issue at hand.

Actually it is on the ESA. I have forced them to deliver now and then tailed the logs.

In the message tracking you can see the following :

Message 300 to XXXXXX@xxxx.com received remote SMTP response '2.6.0 <466190$cd313c5=7d95a70a8b01bd81@XXXXX.xxx.com [InternalId=1998512] Queued mail for delivery'

 

In the tail logs 

 

 

(Machine xxxx.xxxx@xxx.org)> tail mail_logs

Press Ctrl-C to stop.
Sat Jun 20 00:10:11 2015 Info: Message finished MID 421 aborted
Sat Jun 20 00:10:11 2015 Info: ICID 67 close
Sat Jun 20 00:10:31 2015 Info: ICID 68 lost
Sat Jun 20 00:10:31 2015 Info: Message aborted MID 422 Receiving aborted
Sat Jun 20 00:10:31 2015 Info: Message finished MID 422 aborted
Sat Jun 20 00:10:31 2015 Info: ICID 68 close
Sat Jun 20 00:11:32 2015 Info: ICID 69 lost
Sat Jun 20 00:11:32 2015 Info: Message aborted MID 423 Receiving aborted
Sat Jun 20 00:11:32 2015 Info: Message finished MID 423 aborted
Sat Jun 20 00:11:32 2015 Info: ICID 69 close
Sat Jun 20 00:11:47 2015 Info: New SMTP ICID 72 interface Data 1 (10.10.99.53) address 209.51.199.2 reverse dns host smtp-out2.clickserv1.com verified yes
Sat Jun 20 00:11:47 2015 Info: ICID 72 RELAY SG RELAYLIST match sbrs[none] SBRS None
Sat Jun 20 00:11:47 2015 Info: ICID 70 lost
Sat Jun 20 00:11:47 2015 Info: Message aborted MID 424 Receiving aborted
Sat Jun 20 00:11:47 2015 Info: Message finished MID 424 aborted
Sat Jun 20 00:11:47 2015 Info: ICID 70 close
Sat Jun 20 00:11:47 2015 Info: Start MID 426 ICID 72
Sat Jun 20 00:11:47 2015 Info: MID 426 ICID 72 From: <bounced@click-jordan.com>
Sat Jun 20 00:11:47 2015 Info: MID 426 ICID 72 RID 0 To: <xxxx@internal.org>
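To make sense of a tail like this, here is an added example that is not from the thread or from Cisco: a Python parser that groups the mail_logs lines by ICID, ties each 'Receiving aborted' MID to the connection that was just lost, and flags lost ICIDs whose 'New SMTP ICID' line is missing from the excerpt (so interface and peer are unknown). The sample is a trimmed copy of the lines above; the lost-to-aborted pairing is an assumption based on the order the lines appear in.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the mail_logs lines shown in the post above.
SAMPLE_LOG = """\
Sat Jun 20 00:10:31 2015 Info: ICID 68 lost
Sat Jun 20 00:10:31 2015 Info: Message aborted MID 422 Receiving aborted
Sat Jun 20 00:11:32 2015 Info: ICID 69 lost
Sat Jun 20 00:11:32 2015 Info: Message aborted MID 423 Receiving aborted
Sat Jun 20 00:11:47 2015 Info: New SMTP ICID 72 interface Data 1 (10.10.99.53) address 209.51.199.2 reverse dns host smtp-out2.clickserv1.com verified yes
Sat Jun 20 00:11:47 2015 Info: ICID 72 RELAY SG RELAYLIST match sbrs[none] SBRS None
Sat Jun 20 00:11:47 2015 Info: Start MID 426 ICID 72
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) interface (.+?) \((\S+)\) address (\S+)")
SG_MATCH = re.compile(r"ICID (\d+) (\w+) SG (\S+) match")
LOST = re.compile(r"ICID (\d+) lost")
ABORTED = re.compile(r"Message aborted MID (\d+) Receiving aborted")
START = re.compile(r"Start MID (\d+) ICID (\d+)")

def parse_mail_logs(text):
    """Group mail_logs events by ICID (the inbound SMTP connection id)."""
    conns = defaultdict(lambda: {"interface": None, "remote": None, "sender_group": None,
                                 "lost": False, "aborted_mids": [], "mids": []})
    last_lost = None  # assumption: a 'Receiving aborted' line follows its ICID's 'lost' line
    for line in text.splitlines():
        if m := NEW_ICID.search(line):
            conns[int(m[1])].update(interface=m[2], remote=m[4])
        elif m := SG_MATCH.search(line):
            conns[int(m[1])]["sender_group"] = m[3]
        elif m := LOST.search(line):
            last_lost = int(m[1])
            conns[last_lost]["lost"] = True
        elif (m := ABORTED.search(line)) and last_lost is not None:
            conns[last_lost]["aborted_mids"].append(int(m[1]))
        elif m := START.search(line):
            conns[int(m[2])]["mids"].append(int(m[1]))
    return dict(conns)

def lost_without_context(conns):
    """Lost ICIDs whose 'New SMTP ICID' line is outside the excerpt, so the
    interface and peer are unknown: grep the full log by ICID before deciding."""
    return sorted(i for i, c in conns.items() if c["lost"] and c["remote"] is None)

if __name__ == "__main__":
    conns = parse_mail_logs(SAMPLE_LOG)
    for icid, c in sorted(conns.items()):
        print(icid, c)
    print("lost connections without a connect line:", lost_without_context(conns))
```

Widening the tail window (or grepping the full mail_logs for the lost ICID) is what tells you whether the cut connections arrive on Data 2 from Exchange or are unrelated inbound sessions on Data 1.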

Hello Mohammad,

 

Thanks for your update.

From what I can see, the original email has been delivered.

The other ones with "Receiving aborted" that you can see may be a different issue that needs to be reviewed, as connections are being cut.

 

 

Hello Mohammad,


This may be a shot in the dark for me as there is limited information.

But typically, when a second interface is enabled and also set as a 'private' listener, you are given a RELAYLIST and "ALL".

 

ALL is typically set to reject by default on a secondary private listener.

You need to ensure the send connector from your Exchange to this Data2 Private Listener is allowed through.

 

This means adding the IP of your Exchange send connector (the one that's reaching the IronPort's Data2 interface) into the RELAYLIST on the GUI > Mail Policies > HAT Overview > select the Data2 listener within the drop-down.

Then click on RELAYLIST and add it.

Else it would match "ALL", and by default that is rejecting; typically this is what the '554' would mean if it reaches the ESA.

Please let me know or share further details on your setup if you're able to, and I'll be happy to help.

 

Regards,

Matthew

Thank you Matthew for the valuable info.

Actually we have an LB with one IP mapping to two IPs of HT servers, and I already added this VIP into the relay list. What I tried to do is send an email from the ESA itself to an external email address, and it succeeded. My queries are as follows:

1- Should I add a route under the routing tab to tell the ESA that, to reach the Exchange server IP, it should go through the DATA2 gateway, since the HT servers and DATA2 are in the same subnet and both of them have one gateway?

2- Should I add the HT servers' IPs instead of the LB IP that maps to them into the relay list?

3- I am still receiving the warning message below; is it related to my main issue, and how could I solve it?

The Warning message is:

 

Error connecting to cluster machine HOSTNAME (Serial #: XXXXX-YYYYY) at IP XXXXX - Operation timed out - Timeout connecting to remote cluster host

 

Last message occurred 60 times between Mon May 25 06:10:28 2015 and Mon May 25 07:09:29 2015.