Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1404
Views
5
Helpful
5
Replies

Message Interruption

mdieken011
Level 1
Level 1

‎02-06-2018 09:29 AM - edited ‎03-08-2019 07:32 PM

Over night our incomming e-mail stopped being received at around 16:00 CST.  I suspect the messages were sitting on the Ironport ESA.  Somehow this morning e-mail started to be delivered at about 9:36 CST.  Is there some way to determine from the Ironport what could have been the issue.  As soon as we started to look at it messages started to be received.

Labels:
0 Helpful
5 Replies 5

Ken Stieers
VIP
VIP

‎02-06-2018 11:03 AM

Look at the headers of the messages you got, especially the earliest ones.... Look at the headers and see where they sat.

Did they get received by the ESA but then not delivered to your mail system for hours? Or did they sit at the far end waiting for the ESA to actually take mail?






0 Helpful

mdieken011
Level 1
Level 1
In response to Ken Stieers

‎02-06-2018 12:03 PM

The best that I can tell is they sat on the ESA until the MS Exchange server started to accept the messages.  Unfortunately it started working again without us making any changes or being able to identify the cause.  The header isn't conclusive other than there is a delay in when the ESA get's the message and the Exchange server receives it.  I was hoping I could find in the logs where the ESA tried to deliver and any errors if any.

0 Helpful

Ken Stieers
VIP
VIP
In response to mdieken011

‎02-06-2018 12:50 PM

There are a few ways to track this down.

Easiest is to go to the GUI, click on Monitor/Message tracking and search for a message that got delayed.

Note the MID

 

For this issue, I'd go to System Administration/Log Subscriptions, find the mail logs, and if FTP is enabled, you can download the mail log for the time period this event happened.

Then using Notepad++ (free download) open the mail log file, find the MID, it will you'll also see logs for for the incoming connection (ICID) and delivery (DCID)

 

The DCID entries for this message may tell you what it was encountering as it tried to talk to Exchange...

0 Helpful

mdieken011
Level 1
Level 1
In response to Ken Stieers

‎02-06-2018 01:16 PM

Thanks for the reply Ken!  The DCID entries don't start until after a delay of some time.  I suspect our Exchange server had an issue that caused this.  I will look in the Exchange server logs.

0 Helpful

Mathew Huynh
Cisco Employee
Cisco Employee
In response to mdieken011

‎02-07-2018 08:06 PM

Hello Mdieken011,

 

A useful command you can use in the CLI if accessible is:

grep -i "domain:name of the recipient domain" mail_logs

 

So for example if you were seeing delays to gmail.com, you can run grep -i "domain: gmail.com" mail_logs

 

It would show you all DCID attempts that may have failed (this is not shown in the message tracking) due to other reasons, this would allow you a better scope as well.

 

But I suspect based on your findings, if the Exchange was not accepting with a 4XX response and stopping the connection - this would cause the bounce settings to come into play and hold the emails up until allowable.

 

Regards,

Matthew

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents