[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

While using VPN. The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator.

Posted on 2008-06-25
15
Medium Priority
?
335 Views
Last Modified: 2010-03-06
I had recently setup a Cisco ASA 5510 for a remote location that has it's own Exchange server.

Through the ASA I setup VPN connectivity. The users use Cisco VPN client to connect to the network.

When the user works from home and tries to send email they get these as kick backs.

The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator. <exchangeserver.domain.local #5.4.0>

While inside the office the email works fine.

The users had used a Windows VPN session in the past and that worked fine. So it's after we setup VPN through the ASA did this problem start happening.
0
Comment
Question by:Drakin030
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
15 Comments
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21866684
Within the DHCP scope on the ASA for VPN connections you need to specify your AD DNS server....

That way, when clients log on they will use the internal DNS (and it's respective forwarders).

0
 

Author Comment

by:Drakin030
ID: 21866786
In the DNS options, the DNS server is set to the correct internal DNS server.

After connection to the VPN I ran an ipconfig /all and it displayed that DNS server.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21867045
ok.....

from the client can you open a command prompt and try

nslookup
set type=mx
gmail.com

The client should be able to see the mx records for gmail.  This should just test that the DNS traffic is functioning on the client machine....
0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 

Author Comment

by:Drakin030
ID: 21867078
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\>nslookup
*** Can't find server name for address 192.168.10.5: Non-existent domain
*** Can't find server name for address 192.168.1.50: Non-existent domain
*** Can't find server name for address 192.168.1.19: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.10.5

> set type=mx
> gmail.com
Server:  UnKnown
Address:  192.168.10.5

Non-authoritative answer:
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 50, mail exchanger = gsmtp147.google.com
gmail.com       MX preference = 50, mail exchanger = gsmtp183.google.com

gmail.com       nameserver = ns2.google.com
gmail.com       nameserver = ns4.google.com
gmail.com       nameserver = ns3.google.com
gmail.com       nameserver = ns1.google.com
gmail-smtp-in.l.google.com      internet address = 72.14.205.114
gmail-smtp-in.l.google.com      internet address = 72.14.205.27
gsmtp147.google.com     internet address = 209.185.147.27
gsmtp183.google.com     internet address = 64.233.183.27
ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10
>

**10.5 = DNS/Exchange server**
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21867401
Possibly a bit of a ballache, but by any chance do any of your users use RPC/HTTPS - might be worth setting up to see if the fault can be replicated outside the VPN tunnel?

Just a though....
0
 

Author Comment

by:Drakin030
ID: 21867501
RPC/HTTP is not used. I guess I could set it up, but if a user connects to the VPN would it not default back to the VPN tunnel over the internet? (If that makes sense)

I'd still like to try and figure out why I'm getting these responses...>Could the traffic be blocked maybe?
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21867547
I think traffic is probably being blocked by the VPN, but not sure why this would happen.  

Thats why the RPC/HTTPS suggestion....just to see if the fault still occurs, in which case the VPN can be ruled out...

It depends on your VPN client config - you can either tunnel all traffic from a machine down a VPN or be a little more selective and only tunnel traffic for a particular network.  Because you generally use a hostname in Outlook for RPC/HTTPS, it should reconcile this as traffic for "outside" the tunnel...

0
 

Author Comment

by:Drakin030
ID: 21869009
Doesn't that require a certificate on the mail server?

I'd still rather not go that route as a final answer, just because I'd rather then not use RPC/HTTP.

It's just a handful of users and VPN should work fine.

If it's traffic being blockes, then what ports should I have open?
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21872727
Yes....RPC over HTTP uses a certificate, and while I wouldn't recommend it for long term use, you can use a self signed SSL cert to test with.  This is the same cert that would be used if users use OWA....

I agree though that a VPN is possibly the best way forward....

The ports used by Outlook/Exchange are listed here, although ensure you only open these ports over the VPN, rather than publicly......

http://outlookexchange.blogspot.com/2006/07/ports-used-by-exchange.html



0
 

Author Comment

by:Drakin030
ID: 21875014
I didn't know that you could actualy open ports for JUST VPN users.

Not 100% sure on how to do that but I'm going to do some research. I'll also give your RPC/HTTP a stab if this ends up taking to long.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21875117
Some VPN's are capable of restricting the type of traffic permitted to enter a network based on port.....I know this is possible in Linux, but I'm not too familiar with the ASA and whether this is possible......

For example it is possible to permit inbound DNS and SMTP traffic through the VPN but deny FTP etc.....

0
 

Author Comment

by:Drakin030
ID: 21901776
Still nothing, anyone got any ideas? I tried forwarding all traffic for the VPN network through the firewall. Still no luck.
0
 

Accepted Solution

by:
Drakin030 earned 0 total points
ID: 21983504
Turns out the issue was that these users had there email setup via pop/smtp and not Exchange.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One-stop solution for Exchange Administrators to address all MS Exchange Server issues, which is known by the name of Stellar Exchange Toolkit.
With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question