Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
978
Views
0
Helpful
5
Replies

C170 team dividing up work

rockyhabeeb
Level 1
Level 1

‎02-10-2014 10:20 AM

Dear Community,


We have two Cisco C170 Ironports, one at each of our two main sites, both in the same Domain.  We also have two exchange server 2010 units these guys are filtering for.  Each C170 is configured with an external NAT and MX record weighted at 10 and email passes through either and both equally.

I have just noticed that one is showing ONLY mail incoming and NOTHING outgoing and the other is showing the opposite.  Only mail outgoing and NOTHING incoming.  We are trying to determine is this is normal.  What would be causing these to filter this way?

Thanks.


RH

Labels:
0 Helpful
5 Replies 5

Ken Stieers
VIP
VIP

‎02-10-2014 10:47 AM

Inbound, I'd double check the MX records and A records, and make sure both are actually accessble...

You can use sites like dnsstuff.com to test all of it in one go...

Outbound, check the Exchange config.

     Organization Configuration

          Hub Transport

               Send Connectors tab

                    you should see 1 send connector here

                              Address Space tab, should be just SMTP, * , weight of 1, and "Scoped send connector" is unchecked.

                                Network tab, should have both ESAs listed

                                Source Server tab, should have all of your "gateway" hub transports listed. 

                              

Its possible that they were concerned about mail from site A exiting via the ESA in site B, and vice versa.  In which case they should have 2 send connectors, one for each site. 

               Address space tab.  Check the "Scoped Send connector" box. Set a weight of 1...

               Network tab - just the local ESA

               Source server tab - the local hub transport boxes.

They may have something slightly out of alignment so all outbound wants to go to one site... Weight, one is scoped and the other isn't, etc.

0 Helpful

rockyhabeeb
Level 1
Level 1
In response to Ken Stieers

‎02-10-2014 11:42 AM

Ken,

Thanks for replying.

In my first Exchange server, in the Send Connector tab of the Hub Transport, I have TWO Send Connectors, one for each site. The properties of each are as you described above:

SMTP Weight of 1 (Only)

Scoped send connector unchecked

Network tab with both Ironport addresses

But the Source server tab only has the Exchange server for each Send connector listed for that connector.

It is identically set on the second Exchange Server (Both are in a DAG)

What does that tell you?

Thanks.

RH

0 Helpful

Ken Stieers
VIP
VIP
In response to rockyhabeeb

‎02-10-2014 12:20 PM

Is the order of the ironport addresses the same in each connector?

My guess is that the load is low enough that you never get into a state where it opens another connection, it keeps one open, closes it at some point, and then starts a new one... starting at the top of the list.. 

0 Helpful

rockyhabeeb
Level 1
Level 1

‎02-10-2014 01:19 PM

Yes Ken, 

The order is EXACTLY the same in each connector.

And the Smart Host IPs are in the same order on each connector.

And both Exchange servers are identical.

Which is what is confusing me.

Everything is being routed through One Connector first and thru One Ironport first.

Which is why I cannot see why one is handling all incoming and one all outgoing.

The Send Connectors are both configured as OUTBOUND.

And they both point first to the Ironport that is NOT handling OUTBOUND.

It is handling INBOUND.

It is hard to decipher right now.

0 Helpful

Valter Da Costa
Cisco Employee
Cisco Employee
In response to rockyhabeeb

‎02-10-2014 02:02 PM

Rocky,

I would recommend opening a TAC case but keep in my that it does not sounds like the ESA has anything to do with the issue, assuming that I understand the issue.

Did you try, from each Exchange, to relay mail through both ESAs? I am asking because that way you can make sure both ESAs would allow the outbound traffic.

The SMTPPing feature in the ESAs would help you to make sure each ESA can deliver messages to the Exchanges, both of them. 

With the tests above I would say you could pretty much rollout the ESAs from the equation.

The final test would completely track inbound and outbound mail using both Exchanges and ESAs logs.

If either Exchange and/or ESA are configured to use FQDN, then the issue could be the DNS answer these devices are getting from the DNS servers configured on both. I would recommend review the settings and, at least for the purpose of this troubleshoot, use IP addresses instead of FQDN. In this scenario, you would need to review both ESAs and Exchanges configurations to make sure they are not using DNS names and are using IP addresses. It would be also advisable to make sure there is no Load Balancer in place and between the Exchanges and ESAs.

If you are willing to share the logs as evidence of the issue, I believe we can assist you further.

Regards.

-Valter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents