Two 2010 Exchange servers -- error message

Hi,
In my Queue Viewer, I see the following error next to a queue called "hub version 14":

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

My two servers are
Mail 1 and Mail2

If I am on Mail 1 and I do "Telnet localhost 25" then ehlo, I get a set of SMTP verbs.
If I am on Mail 1 and I do a "Telnet Mail 2 25" then ehlo, I get a set of SMTP verbs but not all of the ones I got when I tried the localhost telnet.
Please see screenshots for the two different lists.
Is this normal or does this show that my firewall is blocking some traffic and causing my initial error above?
telnetLocalHost.jpg
telnetMail2.jpg
nachtmsk Asked:
 
Will Szymkowski, Senior Solution Architect, Commented:
On the server that is not showing X-EXPS and GSSAPI, make sure that the Default Receive Connector has Exchange Server Authentication checked off. Then restart the Exchange Services.

Will.
 
Ben Hart Commented:
Have you verified service status on both servers?  Have there been any changes made to receive connectors?  If so was the transport service bounced afterwards?

Have a look here:
http://www.petenetlive.com/KB/Article/0000791.htm
 
Ben Hart Commented:
Actually, that link above: the section on ESMTP Inspection on Cisco ASAs sounds like your issue.
 
nachtmsk Author Commented:
Hi Ben,
No changes made to Connectors.
Yeah, I saw that petenetlive.com article. I asked Rackspace about it but they said it wasn't the cause.

Not sure what you mean by 'verified service status'.
Thanks
 
Will Szymkowski, Senior Solution Architect, Commented:
This issue usually happens when authentication has been modified in the receive connectors on your Exchange servers. Check to ensure that authentication is correct. Also, what SP version and RU are you on?

You can also reference this TechNet article, which outlines some steps you can take to correct your issue.
Email Messages stuck in Queue

Will.
 
nachtmsk Author Commented:
Will,
I'm on SP3. Not sure how to tell what RU it is.
I'll look at the link you sent.
When you say "check that authentication is correct", not sure how to go about that or what you mean exactly.

Thanks
 
nachtmsk Author Commented:
Will,
OK, I looked at that article and it suggested something I have been suspecting:

"Note If there is a firewall located between the two servers, the Extended SMTP verbs X-ANONYMOUSTLS, X-EXPS, and GSSAPI must be able to pass."

But is it talking about two exchange servers on the same domain or is it talking about two totally different exchange servers (run by different organizations) -- or both?

Thanks,
 
Will Szymkowski, Senior Solution Architect, Commented:
The RU version is visible in Programs and Features under Updates. Also for authentication/permissions you can find this on the properties of each receive connector (authentication tab and permission groups tab).

Will.
 
Will Szymkowski, Senior Solution Architect, Commented:
If you look at your second screenshot, X-EXPS and GSSAPI are not present, which is the issue. They are, however, present on the first screenshot.

"But is it talking about two exchange servers on the same domain or is it talking about two totally different exchange servers (run by different organizations) -- or both?"

This is to allow internal routing to other Exchange servers.

Will.
 
Will Szymkowski, Senior Solution Architect, Commented:
Did you recently do an Exchange 2003 migration to 2010?
 
nachtmsk Author Commented:
Will,

I upgraded from Exchange 2003 but that was a few years ago. The servers have been running fine ever since with the occasional issue.
This issue just came up and I had changed nothing on the servers. That's why I've been looking at other possibilities that might be causing the problem.
 
Will Szymkowski, Senior Solution Architect, Commented:
Have you checked both Exchange servers to ensure that authentication methods are the same? Based on the screenshot they are not. Please check this.

In the Exchange console under server configuration:
   Select hub transport.
   Right click the client server and select properties.
   Select the authentication tab.

Ensure that both servers are set correctly.

Will.
 
Ben Hart Commented:
I do not know if the extended SMTP verbs with the Cisco ASA platforms are solely on inter-domain exchange servers or not.  But we ran into that exact issue here when we migrated to 2010 from 2003.

It's an easy and relevant thing to inquire about.
 
nachtmsk Author Commented:
Ok, I think this is solved.
I created two new Receive connectors, one on each box. I configured them to only listen to each other.
I have a few other receive connectors on each box, but I was afraid to touch them; I didn't want to break anything. Someone told me that Exchange will use the most restrictive connector first, so I created these two new connectors with strong restrictions.
It's a production environment so I don't want to muck around too much. Some of my receive connectors have "Exchange Server Auth" turned on and some of them have it turned off. These two new connectors both have it turned on.
Thanks for all of the help and suggestions.
Question has a verified solution.
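
The EHLO comparison discussed in this thread, as an added example that is not part of the original posts: it parses two EHLO replies pasted from telnet and reports which of the verbs named in the quoted TechNet note are missing on the server-to-server path. The host names, addresses and sample replies are constructed, and treating a keyword made up only of X characters as one overwritten by an inspecting device is an assumption.

```python
import re

# Verbs the TechNet note quoted in this thread says must pass between the servers.
REQUIRED = {"X-ANONYMOUSTLS", "X-EXPS", "GSSAPI"}

def parse_ehlo(reply):
    """Parse a raw EHLO reply (as pasted from telnet) into ({keyword: params}, masked)."""
    lines = [l.strip() for l in reply.splitlines() if re.match(r"\s*250[- ]", l)]
    features, masked = {}, 0
    for line in lines[1:]:  # the first 250 line is the greeting, not a keyword
        tokens = line[4:].upper().split()
        if not tokens:
            continue
        if re.fullmatch(r"X{5,}", tokens[0]):
            masked += 1  # assumption: an inspecting device overwrote the keyword
        else:
            features[tokens[0]] = set(tokens[1:])
    return features, masked

def compare(local_reply, remote_reply):
    """Report what the remote path fails to advertise compared with localhost."""
    local, _ = parse_ehlo(local_reply)
    remote, masked = parse_ehlo(remote_reply)
    seen = set(remote).union(*remote.values())  # keywords plus parameters such as GSSAPI
    return {
        "missing_required": sorted(REQUIRED - seen),
        "lost_keywords": sorted(set(local) - set(remote)),
        "masked_lines": masked,
    }

# Constructed sample replies (hypothetical host names and addresses).
LOCAL = """250-mail1.example.local Hello [127.0.0.1]
250-SIZE 10485760
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250 XSHADOW"""
REMOTE = """250-mail2.example.local Hello [192.0.2.10]
250-SIZE 10485760
250-STARTTLS
250-XXXXXXXXXXXXXX
250-XXXXXX
250-AUTH NTLM
250 XSHADOW"""

if __name__ == "__main__":
    print(compare(LOCAL, REMOTE))
```

Masked lines in the remote reply point at a device in the path, while a clean reply that simply lacks the verbs points at the receive connector's authentication settings.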
