Solved

While using VPN. The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator.

Posted on 2008-06-25
15
330 Views
Last Modified: 2010-03-06
I had recently setup a Cisco ASA 5510 for a remote location that has it's own Exchange server.

Through the ASA I setup VPN connectivity. The users use Cisco VPN client to connect to the network.

When the user works from home and tries to send email they get these as kick backs.

The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator. <exchangeserver.domain.local #5.4.0>

While inside the office the email works fine.

The users had used a Windows VPN session in the past and that worked fine. So it's after we setup VPN through the ASA did this problem start happening.
0
Comment
Question by:Drakin030
  • 7
  • 6
15 Comments
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21866684
Within the DHCP scope on the ASA for VPN connections you need to specify your AD DNS server....

That way, when clients log on they will use the internal DNS (and it's respective forwarders).

0
 

Author Comment

by:Drakin030
ID: 21866786
In the DNS options, the DNS server is set to the correct internal DNS server.

After connection to the VPN I ran an ipconfig /all and it displayed that DNS server.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21867045
ok.....

from the client can you open a command prompt and try

nslookup
set type=mx
gmail.com

The client should be able to see the mx records for gmail.  This should just test that the DNS traffic is functioning on the client machine....
0
Don't miss ATEN at NAB Show April 24-27!

Visit ATEN at NAB Show to learn how our "Seamlessly Entertaining" solutions deliver fast, precise video streaming without delays for the broadcasting and media environment. ATEN will showcase its 16x16 Modular Matrix Switch (VM1600) and KVM Over IP Solution (KE6900 series).

 

Author Comment

by:Drakin030
ID: 21867078
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\>nslookup
*** Can't find server name for address 192.168.10.5: Non-existent domain
*** Can't find server name for address 192.168.1.50: Non-existent domain
*** Can't find server name for address 192.168.1.19: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.10.5

> set type=mx
> gmail.com
Server:  UnKnown
Address:  192.168.10.5

Non-authoritative answer:
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 50, mail exchanger = gsmtp147.google.com
gmail.com       MX preference = 50, mail exchanger = gsmtp183.google.com

gmail.com       nameserver = ns2.google.com
gmail.com       nameserver = ns4.google.com
gmail.com       nameserver = ns3.google.com
gmail.com       nameserver = ns1.google.com
gmail-smtp-in.l.google.com      internet address = 72.14.205.114
gmail-smtp-in.l.google.com      internet address = 72.14.205.27
gsmtp147.google.com     internet address = 209.185.147.27
gsmtp183.google.com     internet address = 64.233.183.27
ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10
>

**10.5 = DNS/Exchange server**
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21867401
Possibly a bit of a ballache, but by any chance do any of your users use RPC/HTTPS - might be worth setting up to see if the fault can be replicated outside the VPN tunnel?

Just a though....
0
 

Author Comment

by:Drakin030
ID: 21867501
RPC/HTTP is not used. I guess I could set it up, but if a user connects to the VPN would it not default back to the VPN tunnel over the internet? (If that makes sense)

I'd still like to try and figure out why I'm getting these responses...>Could the traffic be blocked maybe?
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21867547
I think traffic is probably being blocked by the VPN, but not sure why this would happen.  

Thats why the RPC/HTTPS suggestion....just to see if the fault still occurs, in which case the VPN can be ruled out...

It depends on your VPN client config - you can either tunnel all traffic from a machine down a VPN or be a little more selective and only tunnel traffic for a particular network.  Because you generally use a hostname in Outlook for RPC/HTTPS, it should reconcile this as traffic for "outside" the tunnel...

0
 

Author Comment

by:Drakin030
ID: 21869009
Doesn't that require a certificate on the mail server?

I'd still rather not go that route as a final answer, just because I'd rather then not use RPC/HTTP.

It's just a handful of users and VPN should work fine.

If it's traffic being blockes, then what ports should I have open?
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21872727
Yes....RPC over HTTP uses a certificate, and while I wouldn't recommend it for long term use, you can use a self signed SSL cert to test with.  This is the same cert that would be used if users use OWA....

I agree though that a VPN is possibly the best way forward....

The ports used by Outlook/Exchange are listed here, although ensure you only open these ports over the VPN, rather than publicly......

http://outlookexchange.blogspot.com/2006/07/ports-used-by-exchange.html



0
 

Author Comment

by:Drakin030
ID: 21875014
I didn't know that you could actualy open ports for JUST VPN users.

Not 100% sure on how to do that but I'm going to do some research. I'll also give your RPC/HTTP a stab if this ends up taking to long.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 21875117
Some VPN's are capable of restricting the type of traffic permitted to enter a network based on port.....I know this is possible in Linux, but I'm not too familiar with the ASA and whether this is possible......

For example it is possible to permit inbound DNS and SMTP traffic through the VPN but deny FTP etc.....

0
 

Author Comment

by:Drakin030
ID: 21901776
Still nothing, anyone got any ideas? I tried forwarding all traffic for the VPN network through the firewall. Still no luck.
0
 

Accepted Solution

by:
Drakin030 earned 0 total points
ID: 21983504
Turns out the issue was that these users had there email setup via pop/smtp and not Exchange.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question