datzent83 asked:

Exchange 2003 SP2 High Bandwidth Use

We have had our Exchange 2003 SP set up for quite a while now. Everything worked just fine until a few days ago. All of a sudden our Internet speeds started to drop very fast. I started up a network monitor (by PRTG) and ran the monitor with the Exchange Information Store service running and without. With Exchange running the bandwidth is maxing out. With Exchange off the bandwidth runs normally.

Any suggestions?
ASKER CERTIFIED SOLUTION
Alan Hardisty
This solution is only available to members.
ASKER

My queues are completely empty. There is no activity on Exchange at all at the moment.
I stopped the SMTP service with no change. I, again, stopped MS Info Store and again the bandwidth went nuts.
Did you block port 25 outbound as I suggested?

Stopping the SMTP service means you can't see the queues.

Any mail being sent by the server doesn't show up in the queues.  Stopping port 25 from the server outbound means Exchange stops sending and the queues will fill up if there is anything being sent.
Blocked port 25 from my FireWall. Will test and post back.
Thanks.
Blocking port 25 seems to have stopped the high bandwidth use. All Exchange services are running. However, Exchange queue is still empty.
Okay - so is port 25 blocked just for the IP of the Exchange server or all internal IPs?

Is your IP popping up on any blacklists?

www.mxtoolbox.com/blacklists.aspx / www.blacklistalert.org
It's blocked from the hardware FireWall (WatchGuard). We are not using the built in SBS FireWall.

MXToolbox.com came back clean for the domain name and IP address.
Okay - but is it blocked for all IPs inside your LAN or did you just block the internal IP of your server?
In the FireWall Outgoing Traffic I blocked port 25 only for the server's IP address. All the internal IP addresses are open to port 25.
Okay - thanks.  Just as a side note, it would be safer to block port 25 outbound for all internal IPs apart from the server.

Do you normally send mail via a smarthost or via DNS?
I send email from the DNS. We do not use a smarthost.
Okay - now I am confused.

So are your outbound queues still empty?
Yep, still empty.
Here is a screenshot.
I think I am missing something. I just sent an email through Exchange and it went through. I was also able to reply to it, which also came through.
Okay.  Strange to say the least.

Can you log traffic outbound on your firewall for port 25?  If you can, please enable the logging, then open up port 25 for the server and check the logs.
Eh?  Very odd.
I am enabling outbound log for port 25 now.
Logs on the FireWall do not show anything for port 25.
Okay - is your bandwidth being chewed up again?
No... It's been steady ever since I blocked port 25 on the WatchGuard FireWall.
Good - so what has changed?

If you blocked the port and now have opened it again and the traffic has not gone crazy again - something presumably has changed?
Port 25 is still blocked from the FireWall.
Blocked for what?
Outgoing.
Okay - I asked you to log port 25 outbound and then open the port.  Did you not do that?
I just opened it. Let's see what the logs say.
I am stumped! Outgoing port 25 enabled. Logs are clear of port 25. Bandwidth is steady.
Outgoing port 25 opened*
Well that's good and bad!

I would suggest monitoring it for 24 hours to see what, if anything, happens and at least if the bandwidth does increase, and it seems to be port 25 outbound, then you should be able to examine the logs to see the source / destination.

Of course if it suddenly starts going crazy, then I'm never too far away to assist.
Thanks! I will monitor it until tomorrow evening and post back the results.
Might also be worth logging all outbound traffic on the firewall in case it isn't port 25.

What anti-spam are you using on the server?  Does it have good logs?  Wondering if you are being hammered externally as it doesn't seem to be an issue outbound with SMTP traffic.
Does SBS have any good port monitoring utilities?

I am using VIPRE Security for Exchange. Not sure if it had logging though.
Nothing in SBS that I am aware of and I don't know VIPRE (yet).

You can download Wireshark and capture some traffic when your bandwidth is going crazy, assuming that it does again.
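
Added example, not part of the original thread: once all outbound traffic is being logged, a short script can total bytes per source IP and destination port and flag any internal host other than the mail server that is sending to port 25. The log format, the IP addresses and the `MAIL_SERVER` value are assumptions constructed for illustration; this is not a real WatchGuard export format.

```python
import csv
import io
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"   # assumption: internal IP of the Exchange server
SMTP_PORT = 25

# Constructed sample of outbound firewall records (hypothetical CSV layout):
# timestamp, source IP, destination IP, destination port, bytes sent
SAMPLE_LOG = """\
2024-01-01T09:00:01,192.168.1.10,203.0.113.5,25,48213
2024-01-01T09:00:02,192.168.1.23,198.51.100.7,25,911002
2024-01-01T09:00:02,192.168.1.23,198.51.100.9,25,874530
2024-01-01T09:00:03,192.168.1.10,203.0.113.80,443,1250
2024-01-01T09:00:04,192.168.1.31,203.0.113.80,80,20480
2024-01-01T09:00:05,192.168.1.10,198.51.100.44,3389,5120000
"""

def summarize(log_text):
    """Total outbound bytes per (source IP, destination port), largest first."""
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if not row:                      # skip blank lines
            continue
        _ts, src, _dst, port, nbytes = row
        totals[(src, int(port))] += int(nbytes)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def rogue_smtp_senders(log_text, mail_server=MAIL_SERVER):
    """Internal hosts other than the mail server that sent traffic to port 25."""
    return sorted({src for (src, port), _ in summarize(log_text)
                   if port == SMTP_PORT and src != mail_server})

if __name__ == "__main__":
    for (src, port), total in summarize(SAMPLE_LOG):
        note = ""
        if port == SMTP_PORT and src != MAIL_SERVER:
            note = "  <-- SMTP from a host that is not the mail server"
        print(f"{src:15} port {port:<5} {total:>9} bytes{note}")
    print("Hosts to investigate:", rogue_smtp_senders(SAMPLE_LOG))
```

In the constructed data the largest flow is not on port 25 at all, which is the case that logging only port 25 would miss.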