Link to home
Start Free TrialLog in
Avatar of nobs
nobs

asked on

SMTP Diag error

Our domain currently hosts its external DNS only for forward lookups. We have an ISA firewall 2006, Within our domain we have an exchange server 2003 and of course our internal DNS. A few days ago mail stopped working no one can send or receive. When i looked into the server event viewer, i see  this error  "Message delivery to the host '98.137.54.237' failed while delivering to the remote domain  'rocketmail.com' for the following reason:
 The remote server did not respond to a connection attempt."

When i ran SMTP DIAG i get the following results


C:\Documents and Settings\Administrator.NXUBA\Desktop\SmtpDiag>smtpdiag administ
rator@nxuba.gov.za motseperl@telkom.co.za

Searching for Exchange external DNS settings.
Computer name is NXUBA-MX1.
VSI 1 has the following external DNS servers:
There are no external DNS servers configured.

Checking SOA for telkom.co.za.
Checking external DNS servers.
Checking internal DNS servers.
SOA serial number match: Passed.

Checking local domain records.
Checking MX records using TCP: nxuba.gov.za.
Checking MX records using UDP: nxuba.gov.za.
Both TCP and UDP queries succeeded. Local DNS test passed.

Checking remote domain records.
Checking MX records using TCP: telkom.co.za.
Checking MX records using UDP: telkom.co.za.
Both TCP and UDP queries succeeded. Remote DNS test passed.

Checking MX servers listed for motseperl@telkom.co.za.
Connecting to cntrra20-gtw04.telkom.co.za [198.54.206.131] on port 25.
Connecting to the server failed. Error: 10060
Failed to submit mail to cntrra20-gtw04.telkom.co.za.
Connecting to cntrra20-gtw03.telkom.co.za [198.54.206.132] on port 25.
Connecting to the server failed. Error: 10060
Failed to submit mail to cntrra20-gtw03.telkom.co.za.


Our ISA server has a public IP  ( 196.25.x.x )and private IP ( 192.168.x.x). This server is running our external DNS ( no reverse lookups).  and our MX record is added there and what i have noticed our MX point to the IP of the server ( 196.25.x.x)
Avatar of jar3817
jar3817

That error (10060) is a connection timeout I believe, so your system is trying to connect to the remote server and never gets a response. Check your ISA rules and make sure you're allowing tcp/25 out.

Try telnetting to some remote server on that port to test:

telnet gmail-smtp-in.l.google.com 25
Avatar of Chris Dent
This is your MX:
telkom.co.za. 86400 IN MX 1 cntrra20-gtw04.telkom.co.za.
telkom.co.za. 86400 IN MX 1 cntrra20-gtw03.telkom.co.za.

cntrra20-gtw03.telkom.co.za. 86400 IN A 198.54.206.132
cntrra20-gtw04.telkom.co.za. 86400 IN A 198.54.206.131

Open in new window

From what you've said, those addresses are not correct?

All published name servers for your zone agree about those addresses.

Chris
I think you issue is something else, because I can telnet that SMTP server. You should check your ISA server, try to restart ISA and Exchnage servers and check. submit any other logs on the Exchange / ISA servers.

There is one thing though:

>smtpdiag administrator@nxuba.gov.za motseperl@telkom.co.za

If you're running that inside your network there's no reason it should work if the advertised mail servers reside within your network.

You'd need NAT loopback, or some other mechanism to prevent them getting horribly confused.

Chris
Avatar of nobs

ASKER

Ok i need to explain something, that administrator@nxuba.gov.za, is our local account, that telkom one is the email of our service provider i was using while running smtp diag
Avatar of nobs

ASKER

our mail server is mail.nxuba.gov.za

Are you running that command on your mail server? There are a number of reasons it might fail on connection to telkom's servers. Possibilities include:

1. Outbound firewall doesn't permit connections to TCP/25 outside the network
2. Antivirus software is preventing outbound connections on TCP/25
3. Unable to route to destination host

The top two are most likely. For instance, if you were to run that command from your workstation I'd be less than surprised if it failed. If you ran it from your mail server I'd be more surprised, but then I'd have to ask if you were using a Smart Host or sending directly.

Chris
do you have an AV / firewall installed on the Exchange server?
Avatar of nobs

ASKER

using DNS to route mail
Avatar of nobs

ASKER

Yes its nod32, from my workstation i can telnet to the exchange server on port 25, and i get a response,

And SMTPDiag was run on your mail server?

Are you able to reproduce the same fault to any other recipient?

Chris
Avatar of nobs

ASKER

have a look at the domain config, am sending you proper details for this domain
http://www.intodns.com/nxuba.gov.za
Avatar of nobs

ASKER

For all the domains it gives me the same response, i just copied the last one i tried
Avatar of nobs

ASKER

Yes smtpdiag i ran it on the mail server

It could be dropping you because you have no PTR record for 196.25.190.98. That is mandatory these days.

Most of the time that means you have to ask your ISP to add the PTR record for you. That needs to match up to the name used by your SMTP server when it connects. For Exchange 2003 that'll be the same name it shows when you run "telnet YourMailServer 25".

Chris

> For all the domains it gives me the same response,

While you do need the PTR record not everyone will drop a connection because of it, I urge you to check AV software and outbound firewalls, make sure they actually allow the outbound connection.

Chris
Avatar of nobs

ASKER

WE are running ISA Server 2006, and the Mail Publishing rule is there, could something have changed

Publishing grants Inbound access, not outbound as far as I know. When did this stop working? To be honest, Antivirus software would be the first thing I checked, it's annoying.

Chris
Avatar of nobs

ASKER

I ran a netstat -a on my ISA firewall.. here are the results

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    nxuba-pr1:domain       nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:epmap        nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:microsoft-ds  nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:1047         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:1048         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:1050         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:1052         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:pptp         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:2280         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:ms-wbt-server  nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:msfw-control  nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:8080         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:1063         nxuba-mx1.nxuba.local:microsoft-ds  ESTABLISHED
  TCP    nxuba-pr1:1101         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:1260         nxuba-mx1.nxuba.local:ldap  CLOSE_WAIT
  TCP    nxuba-pr1:remote-winsock  nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:ms-wbt-server  nxuba-mx1.nxuba.local:46974  ESTABLISHED
  TCP    nxuba-pr1:8080         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:8080         nxuba-7889dcfde:56154  ESTABLISHED
  TCP    nxuba-pr1:8080         nxuba-7889dcfde:56187  ESTABLISHED
  TCP    nxuba-pr1:8080         corpservices.nxuba.local:51360  ESTABLISHED
  TCP    nxuba-pr1:8080         led.nxuba.local:3288   TIME_WAIT
  TCP    nxuba-pr1:8080         led.nxuba.local:3394   TIME_WAIT
  TCP    nxuba-pr1:8080         led.nxuba.local:3413   TIME_WAIT
  TCP    nxuba-pr1:8080         led.nxuba.local:3488   TIME_WAIT
  TCP    nxuba-pr1:8080         led.nxuba.local:4020   ESTABLISHED
  TCP    nxuba-pr1:8080         sijila-ss.dns:1684     ESTABLISHED
  TCP    nxuba-pr1:8080         sijila-ss.dns:1686     ESTABLISHED
  TCP    nxuba-pr1:8080         sijila-ss.dns:1688     ESTABLISHED
  TCP    nxuba-pr1:8080         sijila-ss.dns:1692     ESTABLISHED
  TCP    nxuba-pr1:8080         sijila-ss.dns:1694     ESTABLISHED
  TCP    nxuba-pr1:8080         sijila-ss.dns:1696     ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57669  ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57671  ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57694  ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57695  ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57696  ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57699  ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57700  ESTABLISHED
  TCP    nxuba-pr1:8080         bulumko-pc.nxuba.local:57701  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50588  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50611  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50612  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50620  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50622  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50623  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50634  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50635  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50636  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50637  ESTABLISHED
  TCP    nxuba-pr1:8080         papama-pc.nxuba.local:50638  ESTABLISHED
  TCP    nxuba-pr1:8080         nxuba-mx1.nxuba.local:49465  ESTABLISHED
  TCP    nxuba-pr1:8080         nxuba-mx1.nxuba.local:51306  ESTABLISHED
  TCP    nxuba-pr1:12367        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12368        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12371        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12372        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12373        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12374        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12376        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12380        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:smtp         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:smtp         drone061.ral.icpbounce.com:47904  ESTABLISHED
  TCP    nxuba-pr1:smtp         snt0-omc4-s4.snt0.hotmail.com:msft-gc-ssl  TIME_
WAIT
  TCP    nxuba-pr1:smtp         link.lativeaw.com:56126  TIME_WAIT
  TCP    nxuba-pr1:smtp         bgp.lativeaw.com:41148  TIME_WAIT
  TCP    nxuba-pr1:smtp         router.lativeaw.com:43796  TIME_WAIT
  TCP    nxuba-pr1:smtp         submission.lativeaw.com:36755  TIME_WAIT
  TCP    nxuba-pr1:smtp         netwall.lativeaw.com:35283  TIME_WAIT
  TCP    nxuba-pr1:smtp         72.9.233.98:48462      TIME_WAIT
  TCP    nxuba-pr1:smtp         web2.releaseasource.info:42136  TIME_WAIT
  TCP    nxuba-pr1:smtp         web3.releaseasource.info:56824  TIME_WAIT
  TCP    nxuba-pr1:smtp         web4.releaseasource.info:41520  TIME_WAIT
  TCP    nxuba-pr1:smtp         web5.releaseasource.info:42910  TIME_WAIT
  TCP    nxuba-pr1:smtp         mailgate.wmint.net:42690  ESTABLISHED
  TCP    nxuba-pr1:smtp         mailgate.wmint.net:42705  ESTABLISHED
  TCP    nxuba-pr1:smtp         web2.miomirr.com:42681  TIME_WAIT
  TCP    nxuba-pr1:smtp         web3.miomirr.com:59219  ESTABLISHED
  TCP    nxuba-pr1:smtp         web10.miomirr.com:41611  TIME_WAIT
  TCP    nxuba-pr1:smtp         web11.miomirr.com:33212  TIME_WAIT
  TCP    nxuba-pr1:smtp         web12.miomirr.com:40719  TIME_WAIT
  TCP    nxuba-pr1:smtp         web13.miomirr.com:33029  TIME_WAIT
  TCP    nxuba-pr1:smtp         web14.miomirr.com:33691  TIME_WAIT
  TCP    nxuba-pr1:smtp         smtp-1.emailconnection.co.za:34875  ESTABLISHED
  TCP    nxuba-pr1:smtp         rbgcon05.fnb.co.za:41878  TIME_WAIT
  TCP    nxuba-pr1:smtp         mail.samwumed.org:21369  TIME_WAIT
  TCP    nxuba-pr1:smtp         196.25.145.211:1456    TIME_WAIT
  TCP    nxuba-pr1:smtp         xtinmta06-42.exacttarget.com:21467  ESTABLISHED
  TCP    nxuba-pr1:smtp         web6.releaseasource.info:38059  ESTABLISHED
  TCP    nxuba-pr1:smtp         mail5094c.mkt515.com:30779  ESTABLISHED
  TCP    nxuba-pr1:smtp         mail-fx0-f51.google.com:42751  TIME_WAIT
  TCP    nxuba-pr1:http         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:pop3         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:1775         nxuba-pr1.nxuba.local:0  LISTENING
  TCP    nxuba-pr1:7158         server783.teamviewer.com:https  ESTABLISHED
  TCP    nxuba-pr1:11227        93.184.220.90:http     ESTABLISHED
Avatar of nobs

ASKER

I did check the anti-virus, it stopped working few days ago,,, and nothing has happened it just stopped working, no updates were applied nothing

Netstat won't help I'm afraid. It'll show us connections and listening ports, but not why something might be blocked on the way out.

You're going to have to trace it, you have logging on the ISA server don't you? It's been a long time since I touched one of those, if you need specifics I'll try and get you some help with that.

Chris
Avatar of nobs

ASKER

I tried to get a list of SMTP connections to and from a server, this is what i got

C:\Documents and Settings\Administrator>netstat |find "smtp"
  TCP    nxuba-pr1:12553        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12554        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12557        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:12559        nxuba-mx1.nxuba.local:smtp  SYN_SENT
  TCP    nxuba-pr1:smtp         vbmtbmm004.vodacombusiness.co.za:8926  TIME_WAIT

  TCP    nxuba-pr1:smtp         snt0-omc4-s4.snt0.hotmail.com:9476  TIME_WAIT
  TCP    nxuba-pr1:smtp         relay.ihostexchange.net:37226  ESTABLISHED
  TCP    nxuba-pr1:smtp         link.lativeaw.com:57620  TIME_WAIT
  TCP    nxuba-pr1:smtp         bgp.lativeaw.com:56842  TIME_WAIT
  TCP    nxuba-pr1:smtp         router.lativeaw.com:47819  ESTABLISHED
  TCP    nxuba-pr1:smtp         www181.123greetings.com:57219  FIN_WAIT_2
  TCP    nxuba-pr1:smtp         nm4.bullet.mail.sp2.yahoo.com:27203  ESTABLISHED

  TCP    nxuba-pr1:smtp         web1.avidicy.com:53212  TIME_WAIT
  TCP    nxuba-pr1:smtp         web2.avidicy.com:56717  TIME_WAIT
  TCP    nxuba-pr1:smtp         web3.avidicy.com:56322  ESTABLISHED
  TCP    nxuba-pr1:smtp         dub0-omc1-s16.dub0.hotmail.com:22607  TIME_WAIT
  TCP    nxuba-pr1:smtp         mail.saintmary.org:6782  TIME_WAIT
  TCP    nxuba-pr1:smtp         seminarsinmind.co.za:33797  TIME_WAIT
  TCP    nxuba-pr1:smtp         relay16.smp.mweb.co.za:60210  TIME_WAIT
  TCP    nxuba-pr1:smtp         mail5094c.mkt515.com:43227  FIN_WAIT_1
  TCP    nxuba-pr1:smtp         mail-fx0-f51.google.com:33660  TIME_WAIT
Avatar of nobs

ASKER

yes i do Chris,,, i can even send you some if you need to look
Avatar of nobs

ASKER

Help is really needed...
ASKER CERTIFIED SOLUTION
Avatar of Chris Dent
Chris Dent
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of nobs

ASKER

am on ISA server now trying to view the logging file
Avatar of nobs

ASKER

Chris, i extracted some lines from ISA firewall log
Isa-Server-logs.txt

Lovely, thanks for that, it helps a lot.

Looking through, I can't see any requests from your server to a destination of <something>:25. Quite a lot the other way, like this one:

192.168.1.252

I guess that's the internal IP of your mail server?

Given that we see no requests, we have to assume that it's being blocked on the server itself, that is, the request is not making it as far as ISA.

That puts us back at checking for local firewalls, security software, etc. You're certain nothing has been installed recently? And any AV software is definitely not blocking it?

Chris
Avatar of nobs

ASKER

I have totally disabled NOD32 email protection,,,  there is nothing running on this server,, chris  can i send you something on the side, can you send me a test to my email, nobubele@gmail.com
Avatar of nobs

ASKER

Yes that is the internal IP of the exchange server

I'd rather keep it here if possible, taking it off-site breaches the membership rules. Of course, I do appreciate the difficulty of debugging SMTP problems without being able to look, but I'm not sure taking it to mail would be beneficial at this time.

Your server is still happily accepting inbound mail, right?

Perhaps you can show me:

ipconfig /all

And:

route print

Chris
Avatar of nobs

ASKER

Thank you,
The only mail that this server can accept is only local mail, nothing else,,,,  

This is on the exchange server, will send you ISA Server as well


C:\Documents and Settings\Administrator.NXUBA\Desktop\SmtpDiag>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : nxuba-mx1
   Primary Dns Suffix  . . . . . . . : nxuba.local
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : nxuba.local

Ethernet adapter 192.168.1.252:

   Connection-specific DNS Suffix  . : nxuba.local
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0E-0C-4A-70-61
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.252
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.252
                                       192.168.1.240
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Not Used:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet
NIC
   Physical Address. . . . . . . . . : 00-40-F4-18-B7-CB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.60.111
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\Administrator.NXUBA\Desktop\SmtpDiag>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0e 0c 4a 70 61 ...... Intel(R) PRO/1000 MT Network Connection - Networ
k Load Balancing Filter Device
0x10004 ...00 40 f4 18 b7 cb ...... Realtek RTL8139 Family PCI Fast Ethernet NIC

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.252     20
       10.10.10.0    255.255.255.0    192.168.1.254    192.168.1.252      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      169.254.0.0      255.255.0.0   169.254.60.111   169.254.60.111     30
   169.254.60.111  255.255.255.255        127.0.0.1        127.0.0.1     30
  169.254.255.255  255.255.255.255   169.254.60.111   169.254.60.111     30
      192.168.1.0    255.255.255.0    192.168.1.252    192.168.1.252     20
    192.168.1.252  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.252    192.168.1.252     20
      192.168.2.0    255.255.255.0    192.168.1.253    192.168.1.252      1
      192.168.3.0    255.255.255.0    192.168.1.254    192.168.1.252      1
      192.168.4.0    255.255.255.0    192.168.1.254    192.168.1.252      1
      196.25.32.0  255.255.255.224    192.168.1.248    192.168.1.252      1
        224.0.0.0        240.0.0.0   169.254.60.111   169.254.60.111     30
        224.0.0.0        240.0.0.0    192.168.1.252    192.168.1.252     20
  255.255.255.255  255.255.255.255   169.254.60.111   169.254.60.111      1
  255.255.255.255  255.255.255.255    192.168.1.252    192.168.1.252      1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.168.2.0    255.255.255.0    192.168.1.253       1
      192.168.3.0    255.255.255.0    192.168.1.254       1
      192.168.4.0    255.255.255.0    192.168.1.254       1
      196.25.32.0  255.255.255.224    192.168.1.248       1
      192.168.1.0    255.255.255.0    192.168.1.254       1
       10.10.10.0    255.255.255.0    192.168.1.254       1

But it's supposed to accept inbound mail isn't it? I only say that because we were seeing inbound mail in the ISA log.

Can you disable "Ethernet adapter Not Used"? It's go an auto-configuration address (169.254...) which suggests it's enabled, but not entirely happy. Doing away with it would be nice :)

Everything else looks pretty normal. Are you able to build other outbound connections? For instance, can you browse the web from that box?

Chris
Avatar of nobs

ASKER

this is from isa server


C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : nxuba-pr1
   Primary Dns Suffix  . . . . . . . : nxuba.local
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : nxuba.local

Ethernet adapter 192.168.1.240:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet
NIC #2
   Physical Address. . . . . . . . . : 00-14-D1-3C-09-48
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.240
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.252
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter 196.25.190.98:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet
NIC
   Physical Address. . . . . . . . . : 00-14-D1-3C-09-4B
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 196.25.190.98
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 196.25.190.97
   DNS Servers . . . . . . . . . . . : 196.25.1.1
                                       196.43.50.190
                                       196.43.1.11
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\Administrator>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 14 d1 3c 09 48 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
 #2
0x10004 ...00 14 d1 3c 09 4b ...... Realtek RTL8139 Family PCI Fast Ethernet NIC

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    196.25.190.97    196.25.190.98     20
       10.10.10.0    255.255.255.0    192.168.1.254    192.168.1.240      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.240    192.168.1.240     20
    192.168.1.240  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.240    192.168.1.240     20
      192.168.2.0    255.255.255.0    192.168.1.254    192.168.1.240      1
      192.168.3.0    255.255.255.0    192.168.1.254    192.168.1.240      1
      192.168.4.0    255.255.255.0    192.168.1.254    192.168.1.240      1
      196.25.32.0    255.255.255.0    192.168.1.248    192.168.1.240      1
    196.25.190.96  255.255.255.248    196.25.190.98    196.25.190.98     20
    196.25.190.98  255.255.255.255        127.0.0.1        127.0.0.1     20
   196.25.190.255  255.255.255.255    196.25.190.98    196.25.190.98     20
        224.0.0.0        240.0.0.0    192.168.1.240    192.168.1.240     20
        224.0.0.0        240.0.0.0    196.25.190.98    196.25.190.98     20
  255.255.255.255  255.255.255.255    192.168.1.240    192.168.1.240      1
  255.255.255.255  255.255.255.255    196.25.190.98    196.25.190.98      1
Default Gateway:     196.25.190.97
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.168.2.0    255.255.255.0    192.168.1.254       1
      192.168.3.0    255.255.255.0    192.168.1.254       1
      192.168.4.0    255.255.255.0    192.168.1.254       1
      192.168.1.0    255.255.255.0    192.168.1.254       1
       10.10.10.0    255.255.255.0    192.168.1.254       1
      196.25.32.0    255.255.255.0    192.168.1.248       1

C:\Documents and Settings\Administrator>
Avatar of nobs

ASKER

Yes i can browse the internet from that box, exchange yes
Avatar of nobs

ASKER

I sent a test from my external account to the local account 3 hrs ago nothing has arrived
Avatar of nobs

ASKER

disabled
Avatar of nobs

ASKER

dns on isa box
dns-on-isa-box.docx

That all looks pretty sane really. From your ISA box, can you run:

telnet 192.168.1.252 25

See if that one connects?

Chris
For a start that config doesn't look kosher for an ISA Server. You appear to be using an external DNS ip address on the external ISA nic and this is not right. ISA should use the same DNS servers for both internal and external name resolution. If the request is for an external address then this should be forwarded by the internal dns servers to external ISP dns servers or to domain-specific dns external servers. Either way, you should have NOTHING set in the external ISA nic dns settings - it should be BLANK. Of course you require an access rules allowing dns outbound from internal to external and another allowing dns from internal & localhost TO internal & localhost.

Keith




Lastly, once you have sorted out your configuration, you can validate it through the ISA best practice analyser.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&displaylang=en
Avatar of nobs

ASKER

yes it does,,, connect to Exchange server, that was the configuration on the ISA Server box that was configured by one of the service providers,,,,
This is not a supported configuration regardless of whether it 'appears' to work for you or not.

Ethernet adapter 192.168.1.240:

 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet
NIC #2
 Physical Address. . . . . . . . . : 00-14-D1-3C-09-48
 DHCP Enabled. . . . . . . . . . . : No
 IP Address. . . . . . . . . . . . : 192.168.1.240
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . :
 DNS Servers . . . . . . . . . . . : 192.168.1.252
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter 196.25.190.98:

 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet
NIC
 Physical Address. . . . . . . . . : 00-14-D1-3C-09-4B
 DHCP Enabled. . . . . . . . . . . : No
 IP Address. . . . . . . . . . . . : 196.25.190.98
 Subnet Mask . . . . . . . . . . . : 255.255.255.248
 Default Gateway . . . . . . . . . : 196.25.190.97
 DNS Servers . . . . . . . . . . . : 196.25.1.1
 196.43.50.190
 196.43.1.11

NetBIOS over Tcpip. . . . . . . . : Disabled

But it is your system, so your call obviously.
Avatar of nobs

ASKER

@ keith, what do you suggest i do leave the DNS blank for  external  NIC
In a nutshell - yes. However, many people 'feel' uncomfortable doing so - sort of naked - and so they an put in the internal dns here also. This is a 'must' really if you think about it. The ISA box has no way of deciding which DNS servers to use when it performs a lookup - does it go outside to the 196.x.y.z dns addresses or does it look inside to the 192.168.x.y dns addresses? By default it 'SHOULD' use the nic that is bound first in the binding order - which is why ISA Server requires that you set the internal NIC to be bound first. However, it doesn't always happen and so ISA gets the wrong DNS server for a lookup.

My article explains it reasonable well - at least in my view :) - but is summarised in respect to DNS by:

Internal ISA nic - no default gateway and two or more (where possible) internal dns servers
External ISA nic - gateway and blank dns - or add internal dns servers here also.

DNS Access rules required:
DNS from internal & localhost TO internal & localhost
DNS from internal to external

On your internal dns servers make sure your forwarders are set to your ISP DNS ip addresses and that you have set any domain-specific forwarders.
Absolutely none of your internal clients or servers should have ANY mention of the external DNS ip addresses in their network adapter - TCPIP - advanced settings. ALL should look at the internal DNS only.
Avatar of nobs

ASKER

The ideas Chris gave me taught me more about other things than i know. The solution given might not have helped my situation but it sure assisted me in solving other problems
Thats all that matters