Network packets send and receive more on exchange server
Dear Experts,
We have MS Exchange Server 2003 SP 2 on Windows server 2003 R2 SP 2,
mostly users microsoft exhange server option to configue outlook and some remote users they use POP3 settings,just i will give some breif information about our e-mail flow, if users sends e-mails to external it come to exchange and exchange forwards to our ISP mail server and from there it reach to external reciepients.incomming of e-mails from outside if some sends e-mail from out side it will comes to our SMTP Filtering server we are using Trend Micro IMSS Software after it filters our policy if it is legitimate e-mail it will forward exchange.
now we have issue on our exchange server , the network packets send and recieve is very high due to that our server gets hang and every time we have to restart the server than it will work for next 2 days
for your referene i attache the snapshot of Network status, and if you need any more information please let me know.please help us to resolve this issue.
exchange.JPG
We have MS Exchange Server 2003 SP 2 on Windows server 2003 R2 SP 2,
mostly users microsoft exhange server option to configue outlook and some remote users they use POP3 settings,just i will give some breif information about our e-mail flow, if users sends e-mails to external it come to exchange and exchange forwards to our ISP mail server and from there it reach to external reciepients.incomming of e-mails from outside if some sends e-mail from out side it will comes to our SMTP Filtering server we are using Trend Micro IMSS Software after it filters our policy if it is legitimate e-mail it will forward exchange.
now we have issue on our exchange server , the network packets send and recieve is very high due to that our server gets hang and every time we have to restart the server than it will work for next 2 days
for your referene i attache the snapshot of Network status, and if you need any more information please let me know.please help us to resolve this issue.
exchange.JPG
Also make sure you have recipient filtering enabled and tarpitting configured.
See http://support.microsoft.com/default.aspx/kb/895853?p=1 and http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
Shaun
See http://support.microsoft.com/default.aspx/kb/895853?p=1 and http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
Shaun
ASKER
Dear Shaun,
i checked the queues are not full of spam,in our Relay settings we allowed hole network 192.168.1.0 255.255.255.0 and ip address of our exchange is the correct way to allow the relaying,for your reference i attached the snapshot of relay settings.
i Check on mxtoolbox.com and our exchange external ip is not blacklisted.
we another smtp server which we are using for POP3 Users.on this server only SMTP Service enable and in isa server we published as smtp server.this server only we are using to send e-mail for POP3 Users.
so shall we remove from relay setting the network 192.168.1.0 255.255.255.0 and keep only our exchange server ip address and other 2 smtp servers ip.
exchange1.JPG
i checked the queues are not full of spam,in our Relay settings we allowed hole network 192.168.1.0 255.255.255.0 and ip address of our exchange is the correct way to allow the relaying,for your reference i attached the snapshot of relay settings.
i Check on mxtoolbox.com and our exchange external ip is not blacklisted.
we another smtp server which we are using for POP3 Users.on this server only SMTP Service enable and in isa server we published as smtp server.this server only we are using to send e-mail for POP3 Users.
so shall we remove from relay setting the network 192.168.1.0 255.255.255.0 and keep only our exchange server ip address and other 2 smtp servers ip.
exchange1.JPG
it would be best to limit relay but you may have devices configured on lan that requires relay? use wireshark to see network activity - best thing you can do.
shaun
shaun
ASKER
i dont know how to use the wireshark, and i downloaded it and i dont want to spend a lot of time studying it
pls let me know the steps i should do on the wireshark to know exactly where is my problem
pls let me know the steps i should do on the wireshark to know exactly where is my problem
you just select network card and it will start scrolling through list of packets being sent or received. take a look and see if there are lots of smtp conversations being had? if so right click a smtp packet and right click and select follow tcp stream to see more of the smtp conversation.
this will give you a feel for 'realtime' activity on the server.
shaun
this will give you a feel for 'realtime' activity on the server.
shaun
ASKER
we are able to run wireshark software ,we caputred the network traffic and we didn't understand from where the traffic is generating,here i attached file captured file can you please check this file and let us know from where traffic is generating.please the extension from .txt to .pcap to open this file.
28-03-2010.txt
28-03-2010.txt
You have captured on average 10packets per second, thats not huge.
I don't see any SMTP conversation happening at all in those 5 minutes so you aren't looking at a relay issue here or anything like that.
The traffic is mostly local ARP, STP, LDAP and a few normal broadcasts so nothing I can see that would show a problem.
When was the last time you rebooted your server? The count you have provided a picture for will keep incrementing until a reboot occurs. It may not be iindicative of a fault, but rather that the server has not been rebooted for a while.
Shaun
I don't see any SMTP conversation happening at all in those 5 minutes so you aren't looking at a relay issue here or anything like that.
The traffic is mostly local ARP, STP, LDAP and a few normal broadcasts so nothing I can see that would show a problem.
When was the last time you rebooted your server? The count you have provided a picture for will keep incrementing until a reboot occurs. It may not be iindicative of a fault, but rather that the server has not been rebooted for a while.
Shaun
ASKER
latest captured file.
ASKER
we didn't restart the server since 3 days today we disable the network card and enabled,now i am capturing again i will send you updated capture file.
ASKER
please find the attached updated captured file & snap shot send & receive packets.
networkexchg.JPG
Latest2.txt
networkexchg.JPG
Latest2.txt
Do you see any problems on this connection? There are 18packets per sec on average with latest results.
Again, very little SMTP traffic
Shaun
Again, very little SMTP traffic
Shaun
ASKER
here i attached the today (29-03-2010)captured file and network status snapshot,
currently we don't see problem with this connection but after may be 1 day outlook stops working,
is the send and receive packets which shows is it normal or abnormal ?
29.03.2010.txt
29-03-2010.JPG
currently we don't see problem with this connection but after may be 1 day outlook stops working,
is the send and receive packets which shows is it normal or abnormal ?
29.03.2010.txt
29-03-2010.JPG
I don't think it is abnormal, you have avg packets per second at around 10-20per second, thats within acceptable limits.
What happens with Outlook?
Shaun
What happens with Outlook?
Shaun
ASKER
just outlook gets hang when we do send and recieve and at taskbar it popups message retreving data from the server and that's it,even tried to restart the MS Exchnage information store service but it fails it gives message service didn't start in timely fashion and close.so i have to restart the server to restart the service and after restart outlook works fine.
What size is th database? Any errors/warnings in the event log on the Exchange server?
Shaun
Shaun
ASKER
Database Size is 29.7 GB and some times these errors occured in eventlog , Event id:1194,1023,9665,2104
What else is on the server? How much memory / CPU do you have?
Could you post the full event error messages, not just ID's.
Shaun
Could you post the full event error messages, not just ID's.
Shaun
ASKER
atatched to you the application log file
pls rename the ext to *.evt
for memory i have 4 gb, 2 dual core xeon processor (pls see the photo)
for installed application, there is nothing. only exchange server + CA backup client + normal sw
pls see the photo
app-03-04-2010.txt
exchange-memory.JPG
exch-prog.JPG
pls rename the ext to *.evt
for memory i have 4 gb, 2 dual core xeon processor (pls see the photo)
for installed application, there is nothing. only exchange server + CA backup client + normal sw
pls see the photo
app-03-04-2010.txt
exchange-memory.JPG
exch-prog.JPG
Can you make sure that your anti virus software has the exchange database location excluded from on-access and any scheduled full scans.
Also ensure the server is completely up to date with Service Packs and any patches, both OS and Exchange.
Shaun
Also ensure the server is completely up to date with Service Packs and any patches, both OS and Exchange.
Shaun
ASKER
we are using Trend Micro Office scan 10.0 and exchange logs,Exchange Database and other exchange files excluded in Real Time scan and scheduled scan.
Windows server pack 2 with all windows security updates and exchange service pack 2.
Windows server pack 2 with all windows security updates and exchange service pack 2.
ASKER
Dear Shaun,
any thing else to check ?
any thing else to check ?
You might want to download the Exchange best practices analyser and run this, see if anything crops up?
Shaun
Shaun
ASKER
yes we run the Exchange best practices analyzer and it found 3 errors ,SystemPages' value is set too high ,3GB not set,'HeapDeCommitFreeBlock
but still sending packets are more than receiving.
but still sending packets are more than receiving.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Check on mxtoolbox.com --> queues that you are not blacklisted.
Use wireshark or network monitor 3.3 to see what traffic is occuring on your server network card.
Shaun