One of the more common ticket-generating topics that we see from our Cisco IronPort Email Security Appliance(ESA) customers, are delivery related issues. Among the various types of delivery issues that can occur, a common question is why a message was "queued for delivery." The purpose of this blog is to unveil any mystery about messages that have a last status of "queued for delivery," and to provide some basic troubleshooting technics regarding this topic.
What can cause delivery delays? How does IronPort message delivery work?
There are many variables involved, so it is difficult to say what is causing specific messages to be delayed, without investigating each occurrence individually. However, here is a basic overview of how delivery works on the ESA:
Once a message is fully scanned through the workqueue, the message recipients are divided up by destination domain in the delivery queue. The ESA scans the destination domain queues on an ongoing basis; the more destinations in memory, the longer each pass of scans will take. If the system is under heavy load, this can delay the delivery queue scans.
Messages that are larger will take longer to deliver than smaller messages. If the network connection or path to the destination server is slow for any reason, mail delivery will be slow as well. If there are network errors reaching a particular destination server, the messages will be re-queued for another connection. If there are DNS errors looking up a destination domain or all hosts are unreachable, all mail for that domain will be re-queued until the issue is resolved. Network and/or issue at the destination server end are the most common reason for a message to be stuck as "queued for delivery."
Regardless of the reason for the re-queue, there will definitely be a soft bounce code logged somewhere in the mail logs. It is also important to note that if a particular destination domain was not reachable when the ESA attempted to deliver previous messages addressed to the same domain, all proceeding messages addressed to that same domain will not show any immediate delivery attempts. This is primarily why you will find messages with a last status of "queued for delivery."
The next delivery attempts for the unreachable destination domain in question will be made in the background and not tied to any known MID number. Only successful connections will be tied to an MID. This is what can often make this type of issue difficult to troubleshoot. The frequency of delivery attempts is controlled by the 'Initial Period to Wait Before Retrying an Unreachable Host' parameter in the global settings of your ESAs Bounce Profile. While these retries are made in the background, you can actually locate them in the mail logs. Locating these retries requires that you know the IP address(es) of the destination domain in question. Use the IP(s) as your characters string, when using 'grep' against the mail logs. This will show each retry and more importantly, the bounce that was logged. Viewing the bounce that occurs during a failed delivery will often help you understand why the delivery attempts have been failing.
As an example, the following grep was run against a known IP address of a partular destination domain. This particular example shows connection errors occuring between the ESA interface and the destination IP address.
mail.@20120328T152739.s:Wed Mar 28 16:25:36 2012 Info: New SMTP DCID 42470002 interface 10.33.130.150 address 220.127.116.11 port 25
Once you know the IP address(es) of the destination server in question, you can also attempt to telnet to them, from the ESA CLI-over port 25. If there is still a delivery issue, this will manifest itself in real-time. You can then use the tools and suggestions in the "How to troubleshoot deliver issues" Knowledge Base article link below, to gain additional information on resolving the issue at hand.
Is there is any way we can have ISE integrate with an always-on VPN? here is what I have in mind User John is part of HR, when he connects to the VPN he will get IP from 10.10.x.x User bob is Part of IT , he will get IP from 10.10.y.y ...
I downloaded cisco migration tool v 2.3.1. I started the cmt, i loged and when i want to connect on the asa 5510 with credentials in log i receive error windows error 10060, on the asa 5510 i set ssh on inside port of the asa and i set inside port like ma...
Hello @Rob Ingram @balaji.bandi @Richard Burts @Aref Alsouqi I have Cisco ASA with Firepower Module, I want to confirm that Firewall is having features like IPS/IDS, DNS filtering, Botnet Protection etc.&nb...
Dear all ,How can I create a LoopBack on my FTD . I dont want my BGP Neighbor to be related to my physical FTD´s interface. I have two links and I´d like my BGP neighbor to be assigned on my Loopback interface.I couldn´t find the Interface Loopback on FTD...
I am familiar with the Process to Recover / Reset the Console password on my ASA5508x HA pair of firewalls.They are running in an Active/Active Failover configuration. Can I perform the reset procedure on the standby, reload and come back online wit...