Solved

While using VPN. The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator.

Posted on 2008-06-25
15
327 Views
Last Modified: 2010-03-06
I had recently setup a Cisco ASA 5510 for a remote location that has it's own Exchange server.

Through the ASA I setup VPN connectivity. The users use Cisco VPN client to connect to the network.

When the user works from home and tries to send email they get these as kick backs.

The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator. <exchangeserver.domain.local #5.4.0>

While inside the office the email works fine.

The users had used a Windows VPN session in the past and that worked fine. So it's after we setup VPN through the ASA did this problem start happening.
0
Comment
Question by:Drakin030
  • 7
  • 6
15 Comments
 
LVL 14

Expert Comment

by:Roachy1979
Comment Utility
Within the DHCP scope on the ASA for VPN connections you need to specify your AD DNS server....

That way, when clients log on they will use the internal DNS (and it's respective forwarders).

0
 

Author Comment

by:Drakin030
Comment Utility
In the DNS options, the DNS server is set to the correct internal DNS server.

After connection to the VPN I ran an ipconfig /all and it displayed that DNS server.
0
 
LVL 14

Expert Comment

by:Roachy1979
Comment Utility
ok.....

from the client can you open a command prompt and try

nslookup
set type=mx
gmail.com

The client should be able to see the mx records for gmail.  This should just test that the DNS traffic is functioning on the client machine....
0
 

Author Comment

by:Drakin030
Comment Utility
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\>nslookup
*** Can't find server name for address 192.168.10.5: Non-existent domain
*** Can't find server name for address 192.168.1.50: Non-existent domain
*** Can't find server name for address 192.168.1.19: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.10.5

> set type=mx
> gmail.com
Server:  UnKnown
Address:  192.168.10.5

Non-authoritative answer:
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 50, mail exchanger = gsmtp147.google.com
gmail.com       MX preference = 50, mail exchanger = gsmtp183.google.com

gmail.com       nameserver = ns2.google.com
gmail.com       nameserver = ns4.google.com
gmail.com       nameserver = ns3.google.com
gmail.com       nameserver = ns1.google.com
gmail-smtp-in.l.google.com      internet address = 72.14.205.114
gmail-smtp-in.l.google.com      internet address = 72.14.205.27
gsmtp147.google.com     internet address = 209.185.147.27
gsmtp183.google.com     internet address = 64.233.183.27
ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10
>

**10.5 = DNS/Exchange server**
0
 
LVL 14

Expert Comment

by:Roachy1979
Comment Utility
Possibly a bit of a ballache, but by any chance do any of your users use RPC/HTTPS - might be worth setting up to see if the fault can be replicated outside the VPN tunnel?

Just a though....
0
 

Author Comment

by:Drakin030
Comment Utility
RPC/HTTP is not used. I guess I could set it up, but if a user connects to the VPN would it not default back to the VPN tunnel over the internet? (If that makes sense)

I'd still like to try and figure out why I'm getting these responses...>Could the traffic be blocked maybe?
0
Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

 
LVL 14

Expert Comment

by:Roachy1979
Comment Utility
I think traffic is probably being blocked by the VPN, but not sure why this would happen.  

Thats why the RPC/HTTPS suggestion....just to see if the fault still occurs, in which case the VPN can be ruled out...

It depends on your VPN client config - you can either tunnel all traffic from a machine down a VPN or be a little more selective and only tunnel traffic for a particular network.  Because you generally use a hostname in Outlook for RPC/HTTPS, it should reconcile this as traffic for "outside" the tunnel...

0
 

Author Comment

by:Drakin030
Comment Utility
Doesn't that require a certificate on the mail server?

I'd still rather not go that route as a final answer, just because I'd rather then not use RPC/HTTP.

It's just a handful of users and VPN should work fine.

If it's traffic being blockes, then what ports should I have open?
0
 
LVL 14

Expert Comment

by:Roachy1979
Comment Utility
Yes....RPC over HTTP uses a certificate, and while I wouldn't recommend it for long term use, you can use a self signed SSL cert to test with.  This is the same cert that would be used if users use OWA....

I agree though that a VPN is possibly the best way forward....

The ports used by Outlook/Exchange are listed here, although ensure you only open these ports over the VPN, rather than publicly......

http://outlookexchange.blogspot.com/2006/07/ports-used-by-exchange.html



0
 

Author Comment

by:Drakin030
Comment Utility
I didn't know that you could actualy open ports for JUST VPN users.

Not 100% sure on how to do that but I'm going to do some research. I'll also give your RPC/HTTP a stab if this ends up taking to long.
0
 
LVL 14

Expert Comment

by:Roachy1979
Comment Utility
Some VPN's are capable of restricting the type of traffic permitted to enter a network based on port.....I know this is possible in Linux, but I'm not too familiar with the ASA and whether this is possible......

For example it is possible to permit inbound DNS and SMTP traffic through the VPN but deny FTP etc.....

0
 

Author Comment

by:Drakin030
Comment Utility
Still nothing, anyone got any ideas? I tried forwarding all traffic for the VPN network through the firewall. Still no luck.
0
 

Accepted Solution

by:
Drakin030 earned 0 total points
Comment Utility
Turns out the issue was that these users had there email setup via pop/smtp and not Exchange.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now