
Messagelabs Route issue

NCL2012 asked
Last Modified: 2012-06-12
Hi,
Symantec Cloud is my email filter. I switched my ISPs last year and got new public IP addresses. I've added that route to my "inbound routes". However, I'm unable to promote it as my primary route. Symantec's towers try to connect to my old IP and fail over to my new current IP - that is how it is working right now.

I'm in a deadlock with Symantec because they tell me that my firewall is not accepting SMTP connections. I have the correct access rules on my 1841, which acts as a firewall. (I even had Cisco verify this.) I don't understand how they are able to deliver my emails if my server is not accepting connections on port 25. My emails are being delivered fine. However, I would like to promote the current route as the primary so it works properly.

How can I resolve this issue?

Sudeep Sharma, Technical Designer
CERTIFIED EXPERT

Commented:
@NCL2012,

I might sound a little stupid here by asking you a very basic question, but what routes have been allowed on the firewall for MessageLabs (ML)?

Depending on the region your server is in, there are many IP subnets which need to be added to the firewall to let ML connect.

To get the complete IP range, log in to ClientNet and download it. Here is the direct link:
http://images.messagelabs.com/EmailResources/ImplementationGuides/Subnet_IP.pdf

Sudeep

Author

Commented:
No, that's a valid question. However, that document was the source of my ACL. All the subnets there are included in my ACL.

Also, I'm able to see the connections being established from some IPs on the same subnet that Symantec tells me is unable to connect.

Sudeep Sharma, Technical Designer
CERTIFIED EXPERT

Commented:
OK, now let's talk about your internal email server. How is that configured?

Does it have the public IP address but passing through the firewall, or does the firewall have NAT to your mail server's internal IP address?

Sudeep

Author

Commented:
Latter. Firewall has NAT to internal IP.

Sudeep Sharma, Technical Designer
CERTIFIED EXPERT

Commented:
Can you capture the network packets on your firewall (if your firewall has the ability to do that)?

After analysing the captured network packets, we would be able to come to some conclusion about what's happening.

Further, what you could try is to ask ML support to show that the traffic is getting blocked at your firewall or that your firewall is not accepting the connections.

Ask them to share the screen using TeamViewer or GoToMeeting or anything that they have.

When sharing the screen with them, ask them to provide the routes as well from the ML mail server to your mail server so that you can compare them with other networks.

It could be a routing issue (in case you have multiple ISPs).

Author

Commented:
Not to insult your intelligence - I worked with TAC on packet captures and debugs -  we both confirmed that we can see packets come in and get out from the ranges that Symantec claims to have issues with.

I have the pertinent output from sh nat translations:
sh ip nat translations | inc 172.16.1.15:25
tcp 174.47.99.114:25   172.16.1.15:25     216.82.241.196:52168 216.82.241.196:52168
tcp 174.47.99.114:25   172.16.1.15:25     216.82.254.211:10365 216.82.254.211:10365
tcp 174.47.99.114:25   172.16.1.15:25     ---                ---

This is all Symantec will tell me:

Please see tracert results from our technicians showing that your firewall is not open to all our IP ranges


Host                                         Loss%   Last    Avg   Best   Wrst  StDev
 1. 10.0.190.252                              0.0%    0.4    0.3    0.3    0.4    0.0
 2. unassigned.messagelabs.net                0.0%    0.5    0.5    0.4    0.7    0.1
 3. v190.ag1.Mesa-AZ1.symsaas.net             0.0%    0.7    0.7    0.6    1.2    0.1
 4. ae0-51.er1.az1.us.messagelabs.net         0.0%    0.8    0.9    0.8    1.1    0.1
 5. ge-9-40.car1.Phoenix1.Level3.net          0.0%    1.9   17.6    1.6  170.6   48.5
 6. ae-2-5.bar1.Phoenix1.Level3.net           0.0%    2.1    4.6    1.9   39.3    8.0
 7. ae-8-8.ebr1.Dallas1.Level3.net            0.0%   39.7   26.4   25.4   39.7    2.8
 8. ae-14-14.ebr2.Chicago2.Level3.net         0.0%   83.9   47.9   44.3   83.9    7.8
 9. ae-2-52.edge4.Chicago3.Level3.net        33.3%   44.8   44.8   44.5   46.7    0.5
10. TIME-WARNER.edge4.Chicago3.Level3.net     0.0%   67.8   47.9   44.6   85.7    8.9
11. brk1-ar3-xe-2-0-0-0.us.twtelecom.net      0.0%   48.1   49.5   48.1   65.6    4.2
12. ???

As further discussed, you have 2 inbound routes at this time. 69.21.173.203 and 174.47.99.114.

We are fully unable to connect to 69.21.173.203, so every email fails over to 174.47.99.114. The issue we are seeing today is that we are unable to reach 174.47.99.114 from a number of towers.

In order to promote 174.47.99.114 to primary and also to ensure you are receiving all mail, you need to be open to accepting all of our IP Ranges.

Specifically related to the mail issue right now is the 216.82 range, as all 4 towers that are queued up with mail for you currently are in that range. It would seem almost as though that was changed in the firewall today as an accepted range.

We also discussed the following ranges having issues reaching your server:
195.245
117.120
85.158
194.106
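
As an added example (not part of the original post, and not Cisco's or Symantec's tooling): a short Python script that cross-checks the NAT translations quoted above against the ranges Symantec names, showing which ranges already have a peer translated to 174.47.99.114:25 and which have no evidence yet. Reading each two-octet range as a /16 is an assumption, as are the function names.

```python
import ipaddress
import re

# The "sh ip nat translations" lines quoted in the post above, embedded as sample input.
NAT_OUTPUT = """\
tcp 174.47.99.114:25   172.16.1.15:25     216.82.241.196:52168 216.82.241.196:52168
tcp 174.47.99.114:25   172.16.1.15:25     216.82.254.211:10365 216.82.254.211:10365
tcp 174.47.99.114:25   172.16.1.15:25     ---                ---
"""

# Two-octet prefixes named in Symantec's reply. Reading each as a /16 is an assumption.
CLAIMED_PREFIXES = ["216.82", "195.245", "117.120", "85.158", "194.106"]

# Columns: Pro, Inside global, Inside local, Outside local, Outside global.
ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def smtp_peers(nat_text, inside_global="174.47.99.114:25"):
    """Return remote IPs that hold a translation to the published SMTP address."""
    peers = []
    for line in nat_text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(2) != inside_global:
            continue
        outside_global = m.group(5)
        if outside_global == "---":
            continue  # the static mapping itself, not a session
        host = outside_global.rsplit(":", 1)[0]
        peers.append(ipaddress.ip_address(host))
    return peers


def peers_by_prefix(nat_text, prefixes=CLAIMED_PREFIXES):
    """Map each claimed prefix to the peers seen inside it (empty list = no evidence yet)."""
    peers = smtp_peers(nat_text)
    result = {}
    for prefix in prefixes:
        net = ipaddress.ip_network(f"{prefix}.0.0/16")
        result[prefix] = [str(p) for p in peers if p in net]
    return result


def unseen_prefixes(nat_text, prefixes=CLAIMED_PREFIXES):
    """Prefixes with no translation entry; these are the ones to capture next."""
    return [p for p, seen in peers_by_prefix(nat_text, prefixes).items() if not seen]


if __name__ == "__main__":
    for prefix, seen in peers_by_prefix(NAT_OUTPUT).items():
        print(f"{prefix:>8}: {', '.join(seen) or 'no translation seen'}")
```

The translation table is a point-in-time snapshot, so an empty result for a range means no session from it was present when the command ran, not that the range is blocked.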

Sudeep Sharma, Technical Designer
CERTIFIED EXPERT

Commented:
They would just say firewall; they would not talk about the routes etc.

Did you check with your ISP? And of course, by any chance do you have two ISPs?

Which router do you have?

Further, I am also unable to traceroute both of your IP addresses, so you must speak to your ISP if they are blocking anything which they should not.

Below are the results from http://www.tracert.org/traceroute/
Traceroute results for 174.47.99.114

 1  75.125.232.57 (75.125.232.57)  4.824 ms  0.530 ms  0.641 ms
 2  te1-4.dsr02.hstntx1.networklayer.com (207.218.245.5)  0.528 ms  0.493 ms  0.364 ms
 3  po15.dsr02.hstntx2.networklayer.com (70.87.253.117)  1.197 ms po16.dsr01.hstntx2.networklayer.com (70.87.253.101)  0.906 ms  0.881 ms
 4  ae16.bbr01.sr02.hou02.networklayer.com (173.192.18.232)  3.350 ms  0.586 ms  0.614 ms
 5  xe-9-3-0.bar2.Houston1.Level3.net (4.59.126.13)  0.876 ms xe-9-3-0.bar1.Houston1.Level3.net (4.78.14.49)  1.449 ms  1.394 ms
 6  ae-7-7.ebr1.Atlanta2.Level3.net (4.69.137.142)  22.810 ms  22.885 ms ae-0-11.bar2.Houston1.Level3.net (4.69.137.134)  1.308 ms
 7  ae-7-7.ebr1.Atlanta2.Level3.net (4.69.137.142)  23.024 ms  22.995 ms  23.148 ms
 8  ae-3-3.ebr2.Chicago1.Level3.net (4.69.132.73)  40.406 ms  34.831 ms  29.172 ms
 9  ae-5-5.ebr2.Chicago2.Level3.net (4.69.140.194)  32.936 ms  37.272 ms  34.220 ms
10  ae-2-52.edge4.Chicago3.Level3.net (4.69.138.166)  30.667 ms ae-5-5.ebr2.Chicago2.Level3.net (4.69.140.194)  33.353 ms  40.117 ms
11  ae-2-52.edge4.Chicago3.Level3.net (4.69.138.166)  31.131 ms  30.832 ms  31.126 ms
12  brk1-ar3-xe-0-0-0-0.us.twtelecom.net (66.192.253.154)  56.153 ms TIME-WARNER.edge4.Chicago3.Level3.net (4.53.98.46)  33.343 ms  33.598 ms
13  brk1-ar3-xe-0-0-0-0.us.twtelecom.net (66.192.253.154)  56.633 ms  56.749 ms  56.142 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *



Traceroute results for 69.21.173.203

 1  75.125.232.57 (75.125.232.57)  8.912 ms  0.654 ms  0.590 ms
 2  te1-4.dsr02.hstntx1.networklayer.com (207.218.245.5)  0.890 ms  0.437 ms  0.369 ms
 3  po16.dsr01.hstntx2.networklayer.com (70.87.253.101)  1.182 ms po15.dsr02.hstntx2.networklayer.com (70.87.253.117)  1.140 ms  1.142 ms
 4  ae16.bbr01.sr02.hou02.networklayer.com (173.192.18.232)  0.776 ms  0.577 ms  0.617 ms
 5  ae7.bbr02.sr02.hou02.networklayer.com (50.97.18.241)  0.903 ms  0.794 ms  0.979 ms
 6  ae1.bbr01.tl01.atl01.networklayer.com (173.192.18.135)  31.938 ms  31.111 ms  31.058 ms
 7  atlngamqbrd01.network.tds.net (198.32.132.28)  31.812 ms  31.583 ms  31.681 ms
 8  atlngamqbrd01.network.tds.net (198.32.132.28)  31.384 ms  43.111 ms  32.184 ms
 9  mtjltndst52-tg0-7-4-0.network.tds.net (64.50.238.217)  49.142 ms  39.869 ms nwblwihed11-lag11-166.network.tds.net (64.50.229.58)  50.657 ms
10  nwblwihed11-lag11-166.network.tds.net (64.50.229.58)  62.336 ms  49.557 ms nwblwiedg05-gi0-1.network.tds.net (216.170.132.151)  47.412 ms
11  h69-11-136-52.nwblwi.dedicated.static.tds.net (69.11.136.52)  55.848 ms  55.828 ms  55.898 ms
12  * * h69-11-136-52.nwblwi.dedicated.static.tds.net (69.11.136.52)  55.929 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


Author

Commented:
This fixed the issue