Showing results for 
Search instead for 
Did you mean: 
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.1-033
Cloud Gateway Email Status Portal Support & Downloads
Email and Web Manager: 14.1.0-227
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in:
Encryption Bug Search
Encryption Plug-in:
Cloud Mailbox Notification Service
Outlook Add-in(s): More info


SMTP 5.4.7 - Delivery expired - unable to reach nameserver on any valid IP

We recently started having issues delivering email to,, and addresses (possibly more domains, but

haven't heard of others yet).  They return the following error (email addresses have been altered):

Diagnostic information for administrators:

Generating server:

#< #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) 'DNS Soft Error looking up (MX) while asking recursive_nameserver1.parent. Error was: unable to reach nameserver on any valid IP' (delivery attempts: 0)> #SMTP#

Original message headers:

Received: from ([])  by with ESMTP; 29 Dec 2009 09:15:36 -0600
Received: from ([])
  by with ESMTP; 29 Dec 2009 09:15:40 -0600
Received: from ([fe80::45fe:26d:54cd:6aeb]) by ([fe80::xxxx:xxxx:xxxx:xxxx%10]) with mapi; Tue, 29
Dec 2009 09:15:19 -0600
From: Internal User <>
To: User <>
Date: Tue, 29 Dec 2009 09:15:18 -0600
Subject: Blood Drive Today
Thread-Topic: Blood Drive Today
Thread-Index: AcqImccN9I6lWOw9QuGSrMji25lA2A==
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: multipart/alternative;
MIME-Version: 1.0
X-Auto-Response-Suppress: DR, OOF, AutoReply

Any ideas as to why this is occuring?  I have the ironport appliance's (C150) DNS pointing to our internal DNS servers.  I am able to resolve all mailservers to IPs via nslookup and can ping's servers, but not's or's (possibly by their design?).  There are some MX issues with AOL and Amtrak, but not Hotmail.  Any help is appreciated.  Thanks,

Hans Schroeder | Network Specialist

City of Edmond |


Hello Hans,

It looks like your DNS server(s) are overloaded or refusing their job for some other reason.

What is the response of your DNS servers when you request the problematic domains? Please try from Ironport nslookup and from any other nslookup/dig that is using the same DNS servers.

One thing that once bothered us was that our DNS servers where allowed to perform UDP queries only, some MX targets with a lot (in this case 18) of servers in their MX records exceeded the UDP packet size and DNS tried to switch over to TCP. that traffic was dropped so the DNS server never got it's result back. I think the MX records of AOL and Amtrak are not that bid (4 and 3 mail servers) but maybe it's a start.

You can also try to enable query logging on your DNS servers and check the results of that.

Good luck,


Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad