Drakin030
asked on
While using VPN. The destination server for this recipient could not be found in Domain Name Service (DNS). Please verify the email address and retry. If that fails, contact your administrator.
I had recently setup a Cisco ASA 5510 for a remote location that has it's own Exchange server.
Through the ASA I setup VPN connectivity. The users use Cisco VPN client to connect to the network.
When the user works from home and tries to send email they get these as kick backs.
The destination server for this recipient could not be found in Domain Name Service (DNS). Please verify the email address and retry. If that fails, contact your administrator. <exchangeserver.domain.loc
While inside the office the email works fine.
The users had used a Windows VPN session in the past and that worked fine. So it's after we setup VPN through the ASA did this problem start happening.
Through the ASA I setup VPN connectivity. The users use Cisco VPN client to connect to the network.
When the user works from home and tries to send email they get these as kick backs.
The destination server for this recipient could not be found in Domain Name Service (DNS). Please verify the email address and retry. If that fails, contact your administrator. <exchangeserver.domain.loc
While inside the office the email works fine.
The users had used a Windows VPN session in the past and that worked fine. So it's after we setup VPN through the ASA did this problem start happening.
ASKER
In the DNS options, the DNS server is set to the correct internal DNS server.
After connection to the VPN I ran an ipconfig /all and it displayed that DNS server.
After connection to the VPN I ran an ipconfig /all and it displayed that DNS server.
ok.....
from the client can you open a command prompt and try
nslookup
set type=mx
gmail.com
The client should be able to see the mx records for gmail. This should just test that the DNS traffic is functioning on the client machine....
from the client can you open a command prompt and try
nslookup
set type=mx
gmail.com
The client should be able to see the mx records for gmail. This should just test that the DNS traffic is functioning on the client machine....
ASKER
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
U:\>nslookup
*** Can't find server name for address 192.168.10.5: Non-existent domain
*** Can't find server name for address 192.168.1.50: Non-existent domain
*** Can't find server name for address 192.168.1.19: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.10.5
> set type=mx
> gmail.com
Server: UnKnown
Address: 192.168.10.5
Non-authoritative answer:
gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.googl
.com
gmail.com MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.googl
.com
gmail.com MX preference = 50, mail exchanger = gsmtp147.google.com
gmail.com MX preference = 50, mail exchanger = gsmtp183.google.com
gmail.com nameserver = ns2.google.com
gmail.com nameserver = ns4.google.com
gmail.com nameserver = ns3.google.com
gmail.com nameserver = ns1.google.com
gmail-smtp-in.l.google.com
gmail-smtp-in.l.google.com
gsmtp147.google.com internet address = 209.185.147.27
gsmtp183.google.com internet address = 64.233.183.27
ns1.google.com internet address = 216.239.32.10
ns2.google.com internet address = 216.239.34.10
ns3.google.com internet address = 216.239.36.10
ns4.google.com internet address = 216.239.38.10
>
**10.5 = DNS/Exchange server**
(C) Copyright 1985-2001 Microsoft Corp.
U:\>nslookup
*** Can't find server name for address 192.168.10.5: Non-existent domain
*** Can't find server name for address 192.168.1.50: Non-existent domain
*** Can't find server name for address 192.168.1.19: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.10.5
> set type=mx
> gmail.com
Server: UnKnown
Address: 192.168.10.5
Non-authoritative answer:
gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.googl
.com
gmail.com MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.googl
.com
gmail.com MX preference = 50, mail exchanger = gsmtp147.google.com
gmail.com MX preference = 50, mail exchanger = gsmtp183.google.com
gmail.com nameserver = ns2.google.com
gmail.com nameserver = ns4.google.com
gmail.com nameserver = ns3.google.com
gmail.com nameserver = ns1.google.com
gmail-smtp-in.l.google.com
gmail-smtp-in.l.google.com
gsmtp147.google.com internet address = 209.185.147.27
gsmtp183.google.com internet address = 64.233.183.27
ns1.google.com internet address = 216.239.32.10
ns2.google.com internet address = 216.239.34.10
ns3.google.com internet address = 216.239.36.10
ns4.google.com internet address = 216.239.38.10
>
**10.5 = DNS/Exchange server**
Possibly a bit of a ballache, but by any chance do any of your users use RPC/HTTPS - might be worth setting up to see if the fault can be replicated outside the VPN tunnel?
Just a though....
Just a though....
ASKER
RPC/HTTP is not used. I guess I could set it up, but if a user connects to the VPN would it not default back to the VPN tunnel over the internet? (If that makes sense)
I'd still like to try and figure out why I'm getting these responses...>Could the traffic be blocked maybe?
I'd still like to try and figure out why I'm getting these responses...>Could the traffic be blocked maybe?
I think traffic is probably being blocked by the VPN, but not sure why this would happen.
Thats why the RPC/HTTPS suggestion....just to see if the fault still occurs, in which case the VPN can be ruled out...
It depends on your VPN client config - you can either tunnel all traffic from a machine down a VPN or be a little more selective and only tunnel traffic for a particular network. Because you generally use a hostname in Outlook for RPC/HTTPS, it should reconcile this as traffic for "outside" the tunnel...
Thats why the RPC/HTTPS suggestion....just to see if the fault still occurs, in which case the VPN can be ruled out...
It depends on your VPN client config - you can either tunnel all traffic from a machine down a VPN or be a little more selective and only tunnel traffic for a particular network. Because you generally use a hostname in Outlook for RPC/HTTPS, it should reconcile this as traffic for "outside" the tunnel...
ASKER
Doesn't that require a certificate on the mail server?
I'd still rather not go that route as a final answer, just because I'd rather then not use RPC/HTTP.
It's just a handful of users and VPN should work fine.
If it's traffic being blockes, then what ports should I have open?
I'd still rather not go that route as a final answer, just because I'd rather then not use RPC/HTTP.
It's just a handful of users and VPN should work fine.
If it's traffic being blockes, then what ports should I have open?
Yes....RPC over HTTP uses a certificate, and while I wouldn't recommend it for long term use, you can use a self signed SSL cert to test with. This is the same cert that would be used if users use OWA....
I agree though that a VPN is possibly the best way forward....
The ports used by Outlook/Exchange are listed here, although ensure you only open these ports over the VPN, rather than publicly......
http://outlookexchange.blogspot.com/2006/07/ports-used-by-exchange.html
I agree though that a VPN is possibly the best way forward....
The ports used by Outlook/Exchange are listed here, although ensure you only open these ports over the VPN, rather than publicly......
http://outlookexchange.blogspot.com/2006/07/ports-used-by-exchange.html
ASKER
I didn't know that you could actualy open ports for JUST VPN users.
Not 100% sure on how to do that but I'm going to do some research. I'll also give your RPC/HTTP a stab if this ends up taking to long.
Not 100% sure on how to do that but I'm going to do some research. I'll also give your RPC/HTTP a stab if this ends up taking to long.
Some VPN's are capable of restricting the type of traffic permitted to enter a network based on port.....I know this is possible in Linux, but I'm not too familiar with the ASA and whether this is possible......
For example it is possible to permit inbound DNS and SMTP traffic through the VPN but deny FTP etc.....
For example it is possible to permit inbound DNS and SMTP traffic through the VPN but deny FTP etc.....
ASKER
Still nothing, anyone got any ideas? I tried forwarding all traffic for the VPN network through the firewall. Still no luck.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
That way, when clients log on they will use the internal DNS (and it's respective forwarders).