Microsoft Exchange ActiveSync Event ID: 3005 ... how to resolve?

Hi folks,

I hope someone can help me troubleshoot this. I have been having a constant HTTP 500 problem getting users to have DirectPush technology on our Exchange Server 2003.

Here are some hardware background information:

Front-End server:
Exchange 2003 SP2 with Windows Server 2003

Back-End Server:
Exchange 2003 SP2 with Windows Server 2003

We have tried the following articles
Deleting and recreating Microsoft-Server-ActiveSync in IIS
http://hardware.mcse.ms/archive35-2005-12-262517.html

Problems in Synchronizing a Pocket PC with Exchange Server 2003 when using SSL and Forms-Based Authentication in OWA
http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

And ..
How did we setup our Exchange for OWA, OMA, ActiveSync and RPC over HTTPS
http://www.howtonetworking.com/email/oma1.htm

But we still seem to have the problem.. The exact event ID error is the common:

Event Type:      Error
Event Source:      Server ActiveSync
Event Category:      None
Event ID:      3005
Date:            3/21/2006
Time:            10:02:53 AM
User:            XXX\YYY
Computer:      FRONT-END
Description:
Unexpected Exchange mailbox Server error: Server: [XXX.XXX.XXX] User: [XXXX@ZZZ.com] HTTP status code: [400]. Verify that the Exchange mailbox Server is working correctly.

I know this has been severely discussed before, but it seems that all available options do not work.  I almost feel compelled to call M$ and pay some money, but hopefully this answer can be the 'end all solution' to everyone's problem.

Thanks and look forward to your responses,
Kit
kitkit201Asked:

kitkit201Author Commented:
BTW, The event ID error is shown on the Front end server
SembeeCommented:
Those instructions you followed were for an SBS system - the rules are slightly different with a frontend/backend. As such, this will not be the end all solution question because most people don't run frontend/backend scenarios.

The articles on forms based authentication and EAS don't apply to you - because you are on FE/BE.

Does OMA work? EAS uses the OMA infrastructure to connect and it is easier to diagnose.
Is the frontend server working correctly? If you connect to OWA does the URL stay the same or does it redirect you to the backend server?

Simon.

kitkit201Author Commented:
Hi Simon-

Does OMA work?
-->OMA works on a PC and works on the mobile we are trying to configure (Tmobile MDA)

If you connect to OWA does the URL stay the same or does it redirect you to the backend server?
-->When we type http://weboutlook.website.com/exchange , it transfers us to https://weboutlook.website.com/exchweb/bin/auth/owalogon.asp?url=https://weboutlook.website.com/exchange/&reason=1 for the FBA login page. After logging in, it goes back to https://weboutlook.website.com/exchange . We have it forced to HTTPS and FBA for OWA.

Thank you,
Kit

SembeeCommented:
You need to remove the require SSL. That breaks EAS.

What I was more interested in was whether the URL did something like...

https://webmail.domain.com
http://server1.domain.com

i.e. redirected to a different server altogether. That is an indication that the frontend feature isn't working.

Simon.
kitkit201Author Commented:
Simon-

Not sure why I would remove the SSL for? What does EAS stand for? SSL is on OWA for PC user access and that has been working fine.

i.e. redirected to a different server altogether. That is an indication that the frontend feature isn't working.
-->This is not happening. When it gets into the mailbox from the front-end server, the URL stays as https://weboutlook.website.com/exchange (no server name)

Kit
SembeeCommented:
EAS = Exchange Active Sync

There is a quirk with EAS. It makes an internal communication over http to the /exchange virtual folder. Forcing SSL on the /exchange virtual folder breaks EAS. It is buried in this article: http://support.microsoft.com/default.aspx?kbid=817379

I am not asking you to remove SSL, just remove the setting that REQUIRES SSL on that virtual folder.

Simon.
kitkit201Author Commented:
I see Simon

From what I can see, on the front-end server, it has /exchange, /exchange-oma (the virtual server created as an offspring of /exchange).
/exchange has Basic Authentication, SSL
/exchange-oma has Integrated and Basic Authentication, No SSL

The back-end server has the same virtual folders: /exchange /exchange-oma.
/exchange has Integrated and Basic Authentication, No SSL
/exchange-oma has Integrated and Basic Authentication, No SSL

My Mobile user says now there is a 409 error on his page. He gets an error when he deletes an email on his pda and then does a send/receive....

Feeling we are getting close, but not close enough
kitkit201Author Commented:
Are my settings correct, Simon?
SembeeCommented:
By SSL what do you mean?
Do you mean that there is a requirement for SSL to be used to connect?

Simon.
kitkit201Author Commented:
When I say "SSL", I meant that the checkbox in IIS Properties of /exchange, Directory Security, Secure Communications, Edit "Require Secure channel (SSL)" is checked.

kitkit201Author Commented:
I changed 1 setting and my PDA user to sync and his error code changed from 409 to 400.

The change I made was in the front-end server /exchange. I checked the "Integrated Authentication" which changed his error from 409 to 400...
SembeeCommented:
Ok - that needs to be removed on the /exchange virtual directory.
It causes problems with EAS when it is enabled.

The site will still use SSL for communications.
To give you an idea - I usually refuse to open port 80 to production sites, including my home Exchange server. However with the requirement for SSL off, but only port 443 open, everything works correctly.

Simon.
kitkit201Author Commented:
Changed exchange on the front-end back to not having it be Integrated Authentication

On our firewall, weboutlook.website.com is open to 80 and 443... what now?
kitster510Commented:
ActiveSync over the air works fine (meaning it updates the device and exchange server) but then throws the 3005 error (Http 400)... on the device and on the front-end server.
gizmobugCommented:
Just a clarification here. No error is thrown on the device, only on the front-end exchange server. Initiating a sync wirelessly on the device works fine (things are updated) but then the event error is thrown.
Also, no DirectPush works. Just the 15 minute normal over the air activesync (with event error).
We tried the same process with a newer exchange user and had the same results, although interestingly, we had a 409 error then followed by the usual 400 errors.
SembeeCommented:
With the direct push, do you have a device that has that feature enabled? If so, I suspect that direct push is not working because the connection is being dropped by the error. Direct push works by maintaining a connection between your server and the handheld.

The latest issue I have heard is with multiple homed or multiple IP addresses on the machine.
Something about the Active Sync process having to find the server itself to connect correctly. This would tally up with the requirement to ensure that Require SSL connection is not enabled on certain folders that would appear at first glance not to have anything to do with the sync process.

Simon.
gizmobugCommented:
The feature on the MDA is enabled. The CommManager has the Microsoft DirectPush button. We are still getting errors from the BE server (the HTTP 400 error - event 3005). We tried some other items and that killed OWA and we had to roll back. Any more advice?
gizmobugCommented:
Update. We did have 2 IP addresses on the single NIC. We deleted one and still get the same issue.

Also, something interesting. If I turn OFF the DirectPush, and initiate an over the air sync or a send and receive on the device, we do NOT get the 3005 error.

If I turn ON the DirectPush on the device, we DO get the error. In fact, we get it as soon as the DirectPush button is clicked.

Grrrrrr!
SembeeCommented:
Does the sync actually complete successfully with Direct Push disabled?

If so, then it might be a problem with the Direct Sync mechanism and your firewall.
I have heard that some firewalls cannot cope with the extended length of the packet that is used for Direct Sync. If the firewall has any kind of http inspection facility enabled it may cause a problem.

As you can probably appreciate it is early days with this technology, and troubleshooting is a challenge.

Simon.
gizmobugCommented:
Yes. With DirectPush disabled there is no problem doing an OTA sync and no entry in the event log. I will have IT check about the firewall. Thanks for your help!
kitkit201Author Commented:
Thank you for your help thus far Simon-

As for our firewall, we are using a Cisco firewall and we set the UDP timeout to be 15 mins. (I'm assuming Direct Push Technology is using this protocol).
SembeeCommented:
It is standard http packets, so should be TCP not UDP.
There isn't much from Microsoft on the firewall configuration.
So far this is all we have to go on (that I can share with you anyway) http://support.microsoft.com/default.aspx?kbid=905013

Simon.
kitkit201Author Commented:
Hi Simon,

We have a good update, but are ever so close to solving this situation. After finding an article (http://groups.google.com/group/microsoft.public.pocketpc.activesync/browse_frm/thread/96a012d52673c49b/22bdad20f97e9745?lnk=st&q=activesync+3005+http+400&rnum=1#22bdad20f97e9745) that described our HTTP 400 problem, we at least resolved the error, but now the DirectPush Technology is not working.

We had to do this on our end
1) Edit a host file at c:\windows\system32\drivers\etc\hosts with an entry for the public IP address of the weboutlook, but with the Windows name + Domain as a DNS entry.
2) Added local DNS for the weboutlook and back-end exchange servers with their FQDN and internal IP address

These two changes have resolved the problem, but when I send an email to my co-worker, the emails are still not "directly pushed" like you would expect a BlackBerry to be like.  Although we are not getting any errors, he has to wait 5 mins for send/receive or manual sync in order to get the email.

I believe you have a point in that they are standard HTTP packets. Running Ethereal on the WebOutlook Server, we noticed that they are HTTPS packets using TCP, rather than UDP.  In our case, we have a Cisco 515 PIX but it's not clear how to change the timeout to not time out so quickly with HTTPS. We believe that is the issue at this moment.

Maybe you ran into something this week that could shed some more light on this situation. Thanks and hope to hear from you soon.

Kit
SembeeCommented:
I had seen that resolution before.

What I couldn't work out is what that poster had done to their server to make all of the IP addresses go in to DNS.
My Exchange server at home has 40 IP addresses on it as I put each web site that I work with on to its own IP address rather than use host headers. Yet the only IP address that appears in the AD DNS is the master one of the server - as such I don't have to make any of the changes that are outlined in that posting.

I also dislike hosts files with a passion and will do everything that I can to avoid using them in any deployment I am involved in.

I have deployed push through a couple of PIX 501s recently, without any problems. However it is still early days with this technology and if there have been any changes required, they aren't in the public domain yet.

Simon.

kitkit201Author Commented:
Thanks Simon for all your help,

Well, it seems like we have resolved the issue.. my co-worker was out of office last week so we could not test it since his GSM network lacked coverage..

We last left off at the heartbeat situation, and this morning, he mentioned that there was the Event ID: 3033 error. Googling led to the MS article (http://support.microsoft.com/Default.aspx?kbid=905013) so I looked at the 4 registry hacks...

The Outlook server had the MaxHeartbeatInterval set as 2700 (secs) while the Back End Exchange Server was only set to 900 (secs). Changed the BE-ES to 2700 secs, restarted IIS, and then my co-worker informed me that it just started to work. Sending an email to him, it pushed out in less than 10 secs to him.

Great! I am ecstatic this finally worked out...

For those that want to read what we did, please read this entire thread and it should work.

Cheers,
Kit
GarrethSpeerCommented:
We had a similar situation where DirectPush would not work and would log (Event ID 3005) HTTP 501 and 400 errors only on the Front-end server. We only had the issue on our Exchange 2003 SP2 back-end clusters.

Solution: Remove all additional Host headers under Default website in IIS except
-Unassigned, port 80, blank
-IP Address, port 80, host name (Netbios name)
Also installed Hotfix Exchange2003-KB941439 on front-end and back-end servers.
