  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1225

Exchange 2007 - Connection Dropped on attachments to some domains

We have been running Exchange 2007 for almost two years and I've been having this problem off and on for a while.  For some reason our Exchange cannot send attachments larger than 1 MB to a handful of domains.  The emails get hung in the queue with error "421 4.4.2 Connection Dropped".  Here's what I've done so far...

Checked Check Point firewall logs...nothing
Ensured certificates are not expired
I can telnet to port 25 on the mail servers in question and send HELO commands
Tried disabling Trend ScanMail on the SMTP server
Tried disabling Trend OfficeScan on the SMTP server
If I send the same attachments from Gmail to the problem servers, they go through
If I send the same attachments from my Exchange to my Gmail, they go through
Called the receiving party and made sure my IP address and domain are whitelisted on their spam filters
Used MX Toolbox to ensure my domain isn't blacklisted anywhere

I've seen other posts talk about a TCP Offload Engine setting for the NIC, however I'm running a Dell PowerEdge 1950 with Broadcom BCM5708C NetXtreme II and I don't see any such setting for my NIC.  I think this is related to HP servers only.

Please throw me a bone here...I'm about to start pulling out my hair!!
0
Asked by exp_exch1
1 Solution
 
Akhater commented:
As a start, can you confirm that this configuration is done correctly?

http://www.amset.info/exchange/dnsconfig.asp
0
 
exp_exch1 (Author) commented:
I went through the link and double-checked each setting.  Everything appears to be configured correctly.  My ISP (charter-fiber) manages our external DNS.   I put in a trouble ticket with them yesterday concerning this issue.  The only problem they found was a missing SPF record.  The SPF record has been added, but did not fix the problem.
0
 
exp_exch1 (Author) commented:
Here's some more info... I enabled logging on the send connector.  Here is the transmission log to one of my problem domains.

     attempting to connect
220 lsh0101.uslec.net ESMTP    
EHLO mail.mydomain.com    
250-lsh0101.uslec.net    
250-AUTH=LOGIN CRAM-MD5 PLAIN    
250-AUTH LOGIN CRAM-MD5 PLAIN    
250-STARTTLS    
250-PIPELINING    
250 8BITMIME    
STARTTLS    
220 ready for tls    
     Sending certificate
CN=mail.mydomain.com, OU=Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, O=mail.mydomain.com     Certificate subject
E=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, S=Western Cape, C=ZA     Certificate issuer name
xxxxx    Certificate serial number
xxxxx     Certificate thumbprint
mail.mydomain.com     Certificate alternate names
     Received certificate
F0AD9C90F702C18C54DDB6E35A51254DB1593858     Certificate thumbprint
EHLO mail.mydomain.com    
250-lsh0101.uslec.net    
250-AUTH=LOGIN CRAM-MD5 PLAIN    
250-AUTH LOGIN CRAM-MD5 PLAIN    
250-PIPELINING    
250 8BITMIME    
8420537     sending message
MAIL FROM:<esquist@mydomain.com>    
RCPT TO:<bcquist@theirdomain.com>    
RCPT TO:<jefisher@theirdomain.com>    
     attempting to connect
250 ok    
250 ok    
250 ok    
DATA    
354 go ahead    

That's the last thing I see to this mail server....nothing else.
0
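The log above stops right after the peer's "354 go ahead", which is the point where the message body (the attachment) starts flowing. A useful way to pin down such a problem is to repeat exactly that exchange (EHLO, STARTTLS, EHLO, MAIL FROM, RCPT TO, DATA) with attachments of increasing size and bisect on the largest size the peer still accepts. The script below is an added example written for this thread, not code from any poster; the host and addresses are taken from the log only as placeholders and are assumed, and the offline run uses a constructed stand-in peer that drops anything above 1,000,000 bytes so the bisection can be exercised without network access.

```python
"""Bisect the message size at which an SMTP peer drops the connection.

Added example (not from the thread).  Reproduces the send-connector exchange
shown in the log -- EHLO, STARTTLS, EHLO, MAIL FROM, RCPT TO, DATA -- with
growing attachments so the cut-off size can be measured instead of guessed.
"""
import smtplib
import socket
import ssl
from email.message import EmailMessage
from typing import Callable, Optional

# Assumed values taken from the log as placeholders; replace before a real run.
PEER_HOST = "lsh0101.uslec.net"
EHLO_NAME = "mail.mydomain.com"
SENDER = "esquist@mydomain.com"
RECIPIENT = "bcquist@theirdomain.com"


def build_message(size_bytes: int) -> bytes:
    """Construct a probe message carrying an attachment of the given size."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = f"delivery probe {size_bytes} bytes"
    msg.set_content("Delivery probe; the attachment is padding only.")
    msg.add_attachment(b"\x00" * size_bytes, maintype="application",
                       subtype="octet-stream", filename="probe.bin")
    return msg.as_bytes()


def smtp_send(size_bytes: int, host: str = PEER_HOST, port: int = 25,
              timeout: float = 60.0) -> bool:
    """Deliver one probe.  True if accepted, False if the peer dropped us.

    A certificate problem during STARTTLS raises ssl.SSLError and is *not*
    reported as a drop, so the two failure modes stay distinguishable.
    """
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, local_hostname=EHLO_NAME,
                          timeout=timeout) as smtp:
            smtp.ehlo()                       # first EHLO, as in the log
            if smtp.has_extn("starttls"):
                smtp.starttls(context=ctx)    # 220 ready for tls
                smtp.ehlo()                   # second EHLO over TLS
            smtp.sendmail(SENDER, [RECIPIENT], build_message(size_bytes))
        return True
    except (smtplib.SMTPServerDisconnected, socket.timeout, ConnectionResetError):
        # What Exchange reports as "421 4.4.2 Connection Dropped" shows up
        # here as a disconnect or a timeout after DATA / 354.
        return False


def find_threshold(send: Callable[[int], bool], low: int, high: int,
                   tolerance: int = 64 * 1024) -> Optional[int]:
    """Binary-search the largest size `send` accepts in [low, high].

    Returns None if even `low` fails, `high` if everything succeeds, otherwise
    the largest accepted size, to within `tolerance` bytes.  Invariant during
    the loop: send(low) succeeded and send(high) failed.
    """
    if not send(low):
        return None
    if send(high):
        return high
    while high - low > tolerance:
        mid = (low + high) // 2
        if send(mid):
            low = mid
        else:
            high = mid
    return low


def simulated_send(limit: int) -> Callable[[int], bool]:
    """Constructed stand-in for a peer that drops everything above `limit`."""
    def send(size: int) -> bool:
        return size <= limit
    return send


if __name__ == "__main__":
    # Offline demonstration against the constructed peer; pass smtp_send
    # instead of probe to measure a real destination.
    probe = simulated_send(limit=1_000_000)
    print("largest accepted size:", find_threshold(probe, 10_000, 10_000_000))
```

Run against a real destination only from the server that actually has the problem, since the answer depends on the path (firewall, ISP) that server's traffic takes; a sharp threshold that does not move when AV or NIC offload settings change points at the network path rather than at the mail server, which is where this thread ended up.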
 
exp_exch1 (Author) commented:
No one has any ideas??  Increasing to 500 points
0
 
Akhater commented:
Well, at this point I would wait for the problem to happen and, once you have an email waiting in the queue,

in your Exchange 2007 Management Console -> Toolbox, run the Troubleshooting Assistant and select "mails are backing up in a queue".

0
 
exp_exch1 (Author) commented:
There is one in the queue right now.  Another strange symptom is that most of the problem domains are law offices...go figure.  I have run the mail flow troubleshooter quite a few times last week.  The only complaint it had previously was a missing internal PTR record for my SMTP server.  That was corrected.

I ran the troubleshooter again for good measure. No Root causes. No Mail Flow issues, and no warnings.
0
 
Akhater commented:
The troubleshooter gave you no warnings when you have an email sitting in the queue in retry state? That's unusual.

One more question: if you go to the queue, what is the "last error" of the message? Only "421 4.4.2 Connection Dropped", or anything more?

0
 
Akhater commented:
And one more question: is any anti-virus installed on the server?
0
 
Akhater commented:
Also, regarding the TCP Offload Engine for Broadcom:

1) Uninstall IE7 (otherwise step 3 fails)
2) Install Broadcom drivers from Dell site
3) Install Microsoft SNP patch - see KB912222
4) Run Broadcom Advanced Control Suite (part of what was installed in step 1), select first NIC, scroll to Resource Allocations tab, deselect TCP Offload Engine. Repeat for second NIC.
5) Re-install IE7 if required.

>>copied from http://www.eggheadcafe.com/conversation.aspx?messageid=29501050&threadid=29473569<<
0
 
exp_exch1 (Author) commented:
The complete error message in the queue viewer is the following:  451 4.4.0 Primary target IP address responded with: "421 4.4.2 Connection Dropped." Attempted to failover to alternate host, but that did not succeed. Either there are no alternate hosts, or the delivery failed to alternate hosts.

YES - I am running AV on the server.  Trend OfficeScan and Trend ScanMail for Exchange.  I have tried turning both of these off.

Awesome.  I will be trying the Broadcom suggestion tonight!!!  Thanks
0
 
Akhater commented:
Updates on this?
0
 
igentics1 commented:
I have exactly the same problem in my organisation. I can send attachments to other domains without a problem but when sending to one specific destination I get this error. Attachments up to 1 MB go through but nothing more. We have control of both ends as they are a client (which makes us look rather stupid!).

I've tried disabling IPV4 checksum offloading and other advanced NIC options as well as run all the troubleshooting assistants but so far not a clue.

Any help would be appreciated. Thanks
0
 
exp_exch1 (Author) commented:
I tried the suggestion from Akhater a few weeks ago and the problem is still not fixed.  My SMTP server is running IE6.

My latest workaround has helped alleviate the problem a little bit.  I created a new send connector specifically for these problem domains.  My new send connector points to an SMTP server running Linux behind my firewall.  It seems to have fixed some domains, but not solved the problem completely.  Still welcoming ideas... :-)
0
 
igentics1 commented:
I've setup a similar workaround using a new SMTP connector but I've narrowed down the problem to our ISP. When using the new SMTP connector, which routes email via a smarthost (IIS server) and out to the internet over a different WAN connection, emails successfully sent to the problematic domains without any problem. The only change as far as I can see is the DSL connection used to route the traffic once it leaves our office.

I'm not in contact with our ISP as I suspect a black hole router may exist at one of the nodes in our route to the destination mail server.
0
 
igentics1 commented:
Sorry, I meant send connector not "SMTP connector"!
0
 
exp_exch1 (Author) commented:
Problem solved by increasing the TCP window size on my Check Point firewall.  Check Point support walked me through doing a "kernel debug" to locate the TCP window errors.
0
