Solved

primary target ip address responded with 421 connection dropped

Posted on 2011-03-20
Last Modified: 2012-05-11
Need help fixing this.

I have an Exchange 2007 and an Exchange 2010 server, and created a smarthost to Exchange 2007 as it is the one connected to the internet.

I was not having this issue before creating the smart host.
Please let me know what is wrong.
error.docx
Question by:MAS
47 Comments
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35178429
have you specified the smarthost by ip or by dns? also, have you checked to ensure the smarthost has allowed you to relay emails through it?

Best check is to start a command prompt on your server, and then do

telnet {smarthost} 25

If there is a response then you are half way there already else call your smarthost provider and ask him to check your access.

btw telnet client is not installed by default on windows 2008 servers. You will need to install it from Program features in control panel.

0
 
LVL 28

Author Comment

by:MAS
ID: 35178496
It is working, but a few domains are showing this error as in the screenshot.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35178658
If E2k7 and E2k10 are in the same Org then you don't need a smart host from E2k10 to E2k7. exchange will learn about other exchange servers through AD and will send via SMTP to them if they are E2k7/E2k10 otherwise it will look for a routing group connector to send to E2k3
0
 
LVL 28

Author Comment

by:MAS
ID: 35178672
They are in different forest.
0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 668 total points
ID: 35178710
Ok, so have you allowed E2k10 to relay through E2k7?
Why don't you send direct to the Internet from E2k10?

Here is a good article about relaying:
http://exchangepedia.com/2007/01/exchange-server-2007-how-to-allow-relaying.html
0
 
LVL 28

Author Comment

by:MAS
ID: 35179136
Here some users are in E2k7 and some are in E2010.

So we can receive mail only on E2k7, and email to E2010 is relayed through E2k7.

In this case what shall I do? What is the recommended solution?

BTW I am in a process of removing one AD from the network and will keep only one. Slowly migrating all the users.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35185560
Swap inbound MX record when you have 50% of users on E2k10.

You can have E2k10 as an outbound server to the Internet now. Or is it sharing the SMTP namespace with E2k7?
0
 
LVL 28

Author Comment

by:MAS
ID: 35186993
E2010 is sharing namespace with 2007
0
 
LVL 28

Author Comment

by:MAS
ID: 35187005
Or if you know how to move mailboxes from one Exchange 2010 forest to another Exchange 2007 forest then this is solved, as I can completely move the mailboxes overnight from one to another and remove the mail relay.

I would really appreciate it if you can help to move from one forest to another.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35187549
Have you had a look at remote move requests?
http://technet.microsoft.com/en-us/library/dd351280.aspx
0
 
LVL 28

Author Comment

by:MAS
ID: 35275352
Now I have removed Exchange 2007, so there is only 2010, but mails are still sitting in the queue with this error.
I have attached the screenshot. Can you please help to sort out this issue?
error.docx
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35277345
Did you create a new Send connector for E2k10 to use?

Does the send connector have a valid FQDN that matches the SMTP cert?
You can try turning TLS sending off for the send connector with
Set-sendConnector "<send connector name>" -ignoreStartTLS:$true

If the above fails to work then try turn off tcpip auto tuning with:
Netsh interface tcp set global autotuninglevel=disabled
0
 
LVL 28

Author Comment

by:MAS
ID: 35339697
Still the same. I just ran the second command.

Or do you want me to wait?
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35339736
do you have any antivirus software running on your exchange server? try disabling it and see if it helps

http://autoexec.gr/forums/thread/27617.aspx
0
 
LVL 8

Assisted Solution

by:Nivlesh
Nivlesh earned 664 total points
ID: 35339737
also  from http://social.technet.microsoft.com/Forums/en/exchange2010/thread/2c90e6dd-c631-447a-904e-bbf97167fe36

"Well I just solved the issue and it was one of the following (sorry it isn't specific, i just threw all that I could try at this point)

I disabled all filtering on the SMTP instance on the old box - took off IMF, blocklist, everything. Also disabled max number of connections/recipients.

Under the message delivery options I disabled all such items for message/content filtering that I could and I also unchecked the box that blocks all messages to users not listed in AD.

Restarted the virtual SMTP connector on the old box and the queue on the new box was empty by the time I ran the ExTA again! PF instances are now clear!"
0
 
LVL 28

Author Comment

by:MAS
ID: 35339753
I have only forefront running in exchange
0
 
LVL 4

Expert Comment

by:azeempatel
ID: 35931062
0
 
LVL 28

Author Comment

by:MAS
ID: 35932674
This is for exchange 2003.

I am having exchange 2010 with all roles installed in one server.

That even this problem is only for few domains.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35932881
Did you try:
Set-sendConnector "<send connector name>" -ignoreStartTLS:$true
0
 
LVL 28

Author Comment

by:MAS
ID: 35933018
When I try that I am getting the below error

The DomainSecureEnabled parameter can't be set to $True if the IgnoreSTARTTLS parameter is set to $True.
    + CategoryInfo          : NotSpecified: (Internet:ADObjectId) [Set-SendConnector], DataValidationException
    + FullyQualifiedErrorId : C497310C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35933205
Do you have just one Send Connector or ones per individual smtp domain you are sending to (partners or sister companies)?
0
 
LVL 28

Author Comment

by:MAS
ID: 35936783
I used to have two send connectors but I deleted one long back, i.e. 2 months back. Now there is only one send connector.

Thanks
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35936808
Can you try:
Set-sendConnector "<send connector name>" -ignoreStartTLS:$true -DomainSecureEnabled:$false
0
 
LVL 28

Author Comment

by:MAS
ID: 35936929
That command ran without error.
Can I send a test email now to the domains which were having issues sending?

Please explain what this command does if you don't mind, as in future I would be able to answer questions in EE.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35936989
Yep, try sending a few test messages.

Basically the command tells the Send Connector to not try and encrypt the connection with TLS (Transport Layer Security). A lot of mail systems out there are not set up for TLS or not set up properly.
0
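
Added example (not part of the thread): since the command above stops the connector from attempting TLS, outbound mail on it travels unencrypted, so it helps to record the setting, capture the SMTP dialogue behind the 421 with protocol logging, and restore STARTTLS once the cause is known. The connector name `Internet` is taken from the error output quoted earlier and is an assumption about this environment; run in the Exchange Management Shell.

```powershell
# Added example, not from the thread. "Internet" is an assumed connector name.
$connector = "Internet"

# 1. Record the TLS-related settings so the troubleshooting change is visible.
Get-SendConnector $connector |
    Format-List Name, Fqdn, IgnoreSTARTTLS, RequireTLS, DomainSecureEnabled, ProtocolLoggingLevel

# 2. Log the full SMTP conversation for this connector.
Set-SendConnector $connector -ProtocolLoggingLevel Verbose

# 3. Force another delivery attempt for the queued mail, then give it a moment.
Retry-Queue -Filter {Status -eq "Retry"}
Start-Sleep -Seconds 60

# 4. Show the latest log lines for this connector: the banner, EHLO reply,
#    whether STARTTLS was offered, and where the session was dropped.
$logDir = "$((Get-TransportServer $env:COMPUTERNAME).SendProtocolLogPath)"
Get-ChildItem $logDir -Filter *.log |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Select-String -SimpleMatch $connector | Select-Object -Last 40 |
    ForEach-Object { $_.Line }

# 5. Call this once the cause is found: re-enable opportunistic TLS and
#    switch verbose logging back off.
function Restore-ConnectorTls($name) {
    Set-SendConnector $name -IgnoreSTARTTLS:$false -ProtocolLoggingLevel None
    Get-SendConnector $name | Format-List Name, IgnoreSTARTTLS, ProtocolLoggingLevel
}
```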
 
LVL 28

Author Comment

by:MAS
ID: 35938839
but it is the same as before.



0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35940232
Same error?
0
 
LVL 28

Author Comment

by:MAS
ID: 35941797
This is the error now
error.png
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35942122
Check the DNS servers the server or the Send connector is using.
0
 
LVL 28

Author Comment

by:MAS
ID: 35943975
local dns servers configured in NIC. and in send connector it is using external dns servers.

external dns servers configured in the properties of the server from mmc
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35944042
On one of the domains you are failing to send to, put it into mxtoolbox.com and check the IP address it is returning. Try the SMTP test on there too, to confirm it is a working SMTP server.

Then use nslookup against both of your external DNS servers (that the Send Connector is using) for the MX records of the failing domain and see if the same IP address is returned for those MX records when using your defined external DNS servers
0
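
Added example (not part of the thread) of the nslookup comparison described above: it asks each external DNS server for the failing domain's MX records and the addresses behind them, then flags any disagreement. The domain and resolver addresses are constructed placeholders; substitute the failing domain and the external DNS servers the Send Connector uses.

```powershell
# Added example, not from the thread. Values below are constructed placeholders.
$domain    = "example.com"
$resolvers = "192.0.2.53", "198.51.100.53"

# MX host names for a zone as seen by one resolver.
function Get-MxHosts($zone, $server) {
    nslookup -type=MX $zone $server 2>$null | ForEach-Object {
        if ($_ -match 'mail exchanger = (\S+)') { $Matches[1].ToLower().TrimEnd('.') }
    } | Sort-Object -Unique
}

# IPv4 addresses for a host name as seen by one resolver.
# Lines before "Name:" describe the resolver itself and are skipped.
function Get-Addresses($name, $server) {
    $seenName = $false
    foreach ($line in (nslookup -type=A $name $server 2>$null)) {
        if ($line -match '^Name:') { $seenName = $true; continue }
        if ($seenName -and $line -match '(\d{1,3}(\.\d{1,3}){3})') { $Matches[1] }
    }
}

$results = foreach ($r in $resolvers) {
    $mx  = @(Get-MxHosts $domain $r)
    $ips = @($mx | ForEach-Object { Get-Addresses $_ $r } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Resolver = $r
        MX       = ($mx -join ',')
        IPs      = ($ips -join ',')
    }
}
$results | Format-Table Resolver, MX, IPs -AutoSize

# An empty answer from one resolver, or different addresses between resolvers,
# points at DNS rather than at the remote mail server.
if (@($results | Where-Object { -not $_.MX }).Count -gt 0) {
    Write-Warning "At least one resolver returned no MX records for $domain"
}
if (@($results | Select-Object -ExpandProperty IPs -Unique).Count -gt 1) {
    Write-Warning "Resolvers disagree on the MX addresses for $domain"
}
```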
 
LVL 4

Expert Comment

by:azeempatel
ID: 35944174
I always suggest trying to initiate the connection manually and sending a test mail.

http://www.yuki-onna.co.uk/email/smtp.html
0
 
LVL 28

Author Comment

by:MAS
ID: 35950818
I tried the above, and for that some domains are OK,
but for some only the sender is OK and the recipient is hanging.

Does that mean there is some issue from our side?

Please advise.
0
 
LVL 4

Expert Comment

by:azeempatel
ID: 35951178
Do you have a firewall between the domain from which you are trying to open the connection and the domain for which it is hanging?

If yes, then can you open an IP to IP connection between these 2 domains for
Domain controllers and Exchange?
0
 
LVL 28

Author Comment

by:MAS
ID: 35953678
-->open IP to IP connection between these 2 domains
This I understood

But what about open for domain controller and exchange?
0
 
LVL 4

Expert Comment

by:azeempatel
ID: 35953734
Open IP to IP connection between domain controllers and Exchange

Example :
VLAN 1 > Domain1.com
VLAN 2 > Domain 2.com
Then
VLAN1 (IP to IP) VLAN 2
IP to IP means all ports are open between these two VLANs
0
 
LVL 28

Author Comment

by:MAS
ID: 35954160
I already have a policy (trust to untrust) to open all the ports from exchange(i.e.ip of exchange) to any host
0
 
LVL 4

Expert Comment

by:azeempatel
ID: 35954251
Re-iterating complete discussion

1. You have 2 domain forest > Domain1.com and domain2.com
2. You have Exch 2007 and 2010
3. Outgoing Msg from Exch 2007 : Exch 2007 > Forefront
    Outgoing Msg from Exch 2010 : Exch 2010 > Exch 2007 > Forefront
4. Vice versa for incoming as per point 3
5. Users from both Exch are able to send messages to each other
6. Exch 2007 is decommissioned.
8. You are facing problem to send mails to outside domains

If some points are missed then please mention
0
 
LVL 28

Author Comment

by:MAS
ID: 35954276
Please check post#35187549 and 35275352

0
 
LVL 4

Expert Comment

by:azeempatel
ID: 35955541
What about other points ?

mail is getting queued from Exch 2010 to outside via Forefront ?

telnet FF on 25 and send mail from valid internal ID to gmail and check.
0
 
LVL 28

Author Comment

by:MAS
ID: 35956881
Forefront is installed on the same server as Exchange 2010.

Now I noticed that the transaction times of those domains are bad. I checked these from 'mxtoolbox'.
Could these issues be because of that?

If that is right, one problem is solved. I will mail them via Gmail to fix it.

And what about 'dns query failed'?
I think this is a small issue. Please help to figure it out and I will close the question.
0
 
LVL 4

Expert Comment

by:azeempatel
ID: 35957046
It should auto-resolve when this transaction time is rectified, since there must also be a delay in the DNS query as well, hence the time out.

Wait till this transaction delay is rectified and then proceed with new suggestions.
0
 
LVL 28

Assisted Solution

by:MAS
MAS earned 0 total points
ID: 35957123
For the domains showing 'DNS query failed' I checked in mxtoolbox and found they do not have reverse DNS.

Is this 'DNS query failed' error because they do not have reverse DNS?

I think we have reached the solution
0
 
LVL 4

Expert Comment

by:azeempatel
ID: 35957322
If possible you should try adding static entries till the issue is completely resolved.
0
 
LVL 28

Author Comment

by:MAS
ID: 35957640
How do I add static entries?
Please advise.
0
 
LVL 4

Assisted Solution

by:azeempatel
azeempatel earned 668 total points
ID: 35957943
I don't know about Forefront, but you see the way we add whitelist entries with domain and IP addresses, OR if you have an ISP smart host to use
0
 
LVL 28

Author Closing Comment

by:MAS
ID: 36128459
For the domains showing 'DNS query failed' I checked in mxtoolbox and found they do not have reverse DNS.

The second error is due to the transaction time delay of the remote domain.

I think we have reached the solution.
Many thanks to EE experts.
0


Question has a verified solution.
