New firewall - lots of MALEx errors all the time

We recently replaced a Cisco 6503 with an FWSM firewall with a Juniper SSG550. Our domain controllers are on a separate network from our Unity and Exchange server. Ever since we cut over to the Junipers, we are getting CiscoUnity_MALEx errors what seems like every time someone leaves a message. Most of the time everything is OK; however, it seems like the first few messages left in the AM fail into the MTA folder. Restarting the AvUMRSyncSvr delivers those messages.

We plugged the Cisco firewall back in and all was fine again.

From what we can tell, the Juniper has the same rules that the Cisco had; however, something is still blocking communication. Just wondering if there are some oddball ports that Unity / Exchange need with the domain controllers.

We are on Unity 4.1(1) with Exchange 2003 off box. The Exchange box is only used for voicemail and is on the same subnet that the Unity boxes and Call Managers are.

The text of the error is below:

Event Type: Warning

Event Source: CiscoUnity_MALEx

Event Category: Warning

Event ID: 30019

Date: 5/31/2007

Time: 2:44:57 PM

User: N/A

Computer: UNITY1


The MAPI subsystem has indicated that the Global Catalog Server which is used to resolve addresses for message submission cannot be reached, and that it has switched to using Global Catalog server Unity will continue to function using this newly selected Global Catalog server and will not automatically switch back to the original one. If Unity does not have a dedicated connection with sufficient bandwidth to the newly selected server, then there may be significant delays in Exchange access by Unity. Please verify that Unity has a good connection to the new Global Catalog for proper functioning.

For more information, click:

These errors will flip flop between dc1 and dc2 and sometimes dc1 to dc1.



The problem is almost 100% coming from our Juniper firewall. Today we placed one of the domain controllers on the same VLAN that the Unity/Exchange boxes are on and no more errors. The rule on the firewall is any to any on any service between the voice VLAN and the domain controllers. Couldn't get more open than that.

Any ideas?

I've posted the AvDSGlobalCatalog log for those interested.


I'd like to update this for archival purposes....

We were never able to clear up the communication problem between our domain controllers and Unity/Exchange boxes across the Juniper firewall. We ended up building a third domain controller and placing it on the same VLAN that the Unity/Exchange/Call Managers are on.

No more errors and everything works 100%.

Best to follow Cisco documentation and not place a firewall between this stuff. What's strange is our Cisco firewall posed no problems in the same setup!

