I had a problem today with two Exchange 2013 Servers, one at a UK site and the other at our Data Centre, connected by an IPSEC VPN.
We suddenly saw no email being delivered from the UK site to the Data Centre Mailbox Server; the emails were being queued with a 451 5.7.3 error in the Queue Viewer.
The message states that Exchange Authentication has failed.
I first checked my Receive Connectors, thinking that they did not have Exchange Authentication enabled, but they did, so this was not the issue. Nevertheless, emails were building up at my CAS Server and not being delivered to my Mailbox Server, on a system that had been working for weeks.
What was different, I thought? Well, the Exchange Servers in the Data Centre were behind a Cisco ASA 5510 with a CSC module for scanning traffic for malware. This was different: before this, the Exchange Mailbox Servers were behind a WatchGuard Firewall.
So what had happened? Well, the CSC unit had failed, and when this happens there is a default policy for what the traffic should do. In this case the traffic from my Exchange Server at the UK site to the Data Centre was not excluded and was dropped.
What I needed was to bypass the CSC Access Control List for this traffic so it was not dropped. To do this I found the CSC class map and then the global policy, which references an Access Control List.
In the ACL I then added a line to deny traffic from my Exchange Server and stop it being dropped by the CSC policy. In this case the line I added was
access-list global_mpc line 1 extended deny ip host 10.0.0.200 any
As soon as this was added the mail started to flow. This is a case for always checking your firewalls, even when passing all IP traffic across a VPN.
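Added example (not the author's running config): the shape of the ASA configuration involved, with the bypass entry in place. The ACL name global_mpc, the host 10.0.0.200 and the policy-map name global_policy are as in the post; the class-map name csc_class and the two permit entries are assumed, and the csc fail-open keyword is an ASA option the post does not mention.

```cisco
! Added example, not the post's actual configuration.
! Traffic that MATCHES the global_mpc ACL is sent to the CSC module for scanning.
! A deny entry means "do not match", so that traffic bypasses the CSC entirely.
! "line 1" places the entry ahead of the existing permits so it is evaluated first.
access-list global_mpc line 1 extended deny ip host 10.0.0.200 any
! Existing entries selecting what the CSC scans (assumed for the example):
access-list global_mpc extended permit tcp any any eq smtp
access-list global_mpc extended permit tcp any any eq www

! csc_class is an assumed name; use whichever class-map matches global_mpc on your ASA.
class-map csc_class
 match access-list global_mpc

policy-map global_policy
 class csc_class
  ! fail-open passes matched traffic through while the CSC module is down.
  ! fail-close drops it instead, which is the behaviour the post ran into.
  csc fail-open

service-policy global_policy global
```

The deny entry is a per-host exception; the csc fail-open / fail-close choice decides what happens to everything else the class matches when the module fails, so decide it deliberately rather than discovering it during an outage. To confirm what is in effect, show running-config access-list global_mpc lists the ACL in evaluation order and show running-config policy-map shows which fail mode the class carries.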