We have two Cisco C170 Ironports, one at each of our two main sites, both in the same Domain. We also have two Exchange Server 2010 units these guys are filtering for. Each C170 is configured with an external NAT and MX record weighted at 10 and email passes through either and both equally.
I have just noticed that one is showing ONLY mail incoming and NOTHING outgoing and the other is showing the opposite: only mail outgoing and NOTHING incoming. We are trying to determine if this is normal. What would be causing these to filter this way?
Is the order of the ironport addresses the same in each connector?
My guess is that the load is low enough that you never get into a state where it opens another connection; it keeps one open, closes it at some point, and then starts a new one... starting at the top of the list.
I would recommend opening a TAC case, but keep in mind that it does not sound like the ESA has anything to do with the issue, assuming that I understand the issue.
Did you try, from each Exchange, to relay mail through both ESAs? I am asking because that way you can make sure both ESAs would allow the outbound traffic.
The SMTPPing feature in the ESAs would help you to make sure each ESA can deliver messages to the Exchanges, both of them.
With the tests above I would say you could pretty much rule out the ESAs from the equation.
The final test would completely track inbound and outbound mail using both Exchanges and ESAs logs.
If either Exchange and/or ESA are configured to use FQDN, then the issue could be the DNS answer these devices are getting from the DNS servers configured on both. I would recommend reviewing the settings and, at least for the purpose of this troubleshooting, using IP addresses instead of FQDN. In this scenario, you would need to review both ESAs' and Exchanges' configurations to make sure they are not using DNS names and are using IP addresses. It would also be advisable to make sure there is no Load Balancer in place between the Exchanges and ESAs.
If you are willing to share the logs as evidence of the issue, I believe we can assist you further.
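Added example, not part of the original thread: one way to do the log tracking suggested above is to tally, per appliance, how many connections were handled as inbound (`ACCEPT`) versus outbound (`RELAY`) and which hosts opened them. The log lines are constructed and modelled on ESA text mail logs (the exact format is an assumption); the appliance names and IP addresses are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines; appliance names and addresses are hypothetical.
TS = "Mon Mar  3 09:00:01 2014 Info: "
SAMPLE_LOGS = {
    "esa-site-a": [
        TS + "New SMTP ICID 101 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mx.example.net verified yes",
        TS + "ICID 101 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.2",
        TS + "New SMTP ICID 102 interface Data1 (192.0.2.10) address 203.0.113.9 reverse dns host out.example.org verified yes",
        TS + "ICID 102 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.0",
    ],
    "esa-site-b": [
        TS + "New SMTP ICID 201 interface Data1 (192.0.2.20) address 10.0.0.21 reverse dns host unknown verified no",
        TS + "ICID 201 RELAY SG RELAYLIST match 10.0.0.21 SBRS not enabled",
        TS + "New SMTP ICID 202 interface Data1 (192.0.2.20) address 10.0.0.21 reverse dns host unknown verified no",
        TS + "ICID 202 RELAY SG RELAYLIST match 10.0.0.21 SBRS not enabled",
    ],
}

SOURCE_RE = re.compile(r"\bNew SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+)")
POLICY_RE = re.compile(r"\bICID (\d+) (ACCEPT|RELAY) SG \S+")
DIRECTION = {"ACCEPT": "inbound", "RELAY": "outbound"}

def summarize(lines):
    """Return (connection counts per direction, connecting hosts per direction)."""
    peers, counts = {}, Counter()
    sources = {"inbound": set(), "outbound": set()}
    for line in lines:
        src = SOURCE_RE.search(line)
        if src:
            peers[src.group(1)] = src.group(2)  # remember who opened this ICID
            continue
        pol = POLICY_RE.search(line)
        if pol:
            direction = DIRECTION[pol.group(2)]
            counts[direction] += 1
            sources[direction].add(peers.get(pol.group(1), "unknown"))
    return counts, sources

def one_sided(logs):
    """Map each appliance to the directions it never handled in its log."""
    report = {}
    for name, lines in logs.items():
        counts, _ = summarize(lines)
        missing = [d for d in ("inbound", "outbound") if counts[d] == 0]
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    for name, lines in SAMPLE_LOGS.items():
        print(name, *summarize(lines))
    print("one-sided:", one_sided(SAMPLE_LOGS))
```

If the outbound source set on one ESA never contains the second Exchange server's address, that points at the send connector's smart host list or DNS answers rather than at the ESAs.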