Cisco Support Community
Community Member

Replaced ASA & E-mail


This may not be the right forum for this, but over the weekend I tried to replace my PIX515e with a new ASA5520. I got it online, and right away in testing, when sending outbound e-mails, I got the NDR below. I use Exchange. It goes Back End to Front End and is then forwarded to a delivery service (ProofPoint). I assumed that if I had delivery problems, messages would just have queued up rather than users getting an NDR. After unsuccessfully trying to resolve the issue I had to revert back to the PIX515e. When I did that I was not getting NDRs anymore, but NATs and e-mail were not working. I ended up flushing the ARP cache on my upstream router and then everything returned to normal.

Could bad ARP entries on my upstream router have caused NDRs like what I saw?

*******************   NDR   *******************

Your message did not reach some or all of the intended recipients.

      Subject:    How are you

      Sent: 8/8/2010 3:54 PM

The following recipient(s) cannot be reached: on 8/8/2010 3:54 PM

            You do not have permission to send to this recipient.  For assistance, contact your system administrator.

            <SERVER.DOMAIN.COM #5.7.1 smtp;550 5.7.1 Unable to relay for>

Harrison Midkiff

Cisco Employee

Re: Replaced ASA & E-mail


I am not sure which source IP sent this NDR and to which destination IP. I am thinking that your e-mail server tried to deliver messages not looking like the MX record, so the receiving MTA didn't accept it. This could have had something to do with translation.

Any time you replace a unit (move the cables between units) and keep the IP addresses, you should clear the upstream router's cache. If you shut the old PIX, then plug the cables into the ASA and then power it on, it should have proxy-ARPed and the router would have updated its ARP cache.
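An added example, not part of the reply above or of any Cisco tooling: a check for the stale upstream ARP entries the thread describes, run over saved `show ip arp` output from the router after a firewall swap. The sample output, the addresses (documentation ranges) and the function names are constructed for illustration; the column layout is assumed to be the usual IOS one.

```python
import re

# Constructed sample of upstream-router `show ip arp` output after the swap.
# 0000.5e00.53aa = new firewall's outside MAC, 0000.5e00.5311 = old unit's MAC.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.5e00.5301  ARPA   FastEthernet0/0
Internet  203.0.113.2             3   0000.5e00.53aa  ARPA   FastEthernet0/0
Internet  203.0.113.10          187   0000.5e00.5311  ARPA   FastEthernet0/0
Internet  203.0.113.11          187   0000.5e00.5311  ARPA   FastEthernet0/0
Internet  203.0.113.12            0   Incomplete      ARPA
"""

ROW = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+ARPA", re.M)
MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_arp(text):
    """Return {ip: mac or None}; None marks an Incomplete entry."""
    table = {}
    for ip, _age, hw in ROW.findall(text):
        hw = hw.lower()
        table[ip] = hw if MAC.match(hw) else None
    return table

def stale_entries(text, firewall_ips, new_mac):
    """Classify every address the firewall answers for (interface and NAT/proxy-ARP)."""
    table = parse_arp(text)
    report = {}
    for ip in firewall_ips:
        if ip not in table:
            report[ip] = "missing"      # router has no entry for it yet
        elif table[ip] is None:
            report[ip] = "incomplete"   # ARP request sent, nothing answered
        elif table[ip] != new_mac.lower():
            report[ip] = "stale"        # still bound to another device's MAC
        else:
            report[ip] = "ok"
    return report

if __name__ == "__main__":
    # Outside interface plus the static NAT addresses (e.g. the mail server's).
    owned = ["203.0.113.2", "203.0.113.10", "203.0.113.11",
             "203.0.113.12", "203.0.113.13"]
    for ip, state in stale_entries(SAMPLE_ARP, owned, "0000.5E00.53AA").items():
        print(f"{ip:15} {state}")
```

Any address reported as `stale` is one the router will keep sending to the old unit's MAC until the entry ages out or the cache is cleared.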

