Exchange 2013 Edge server is refusing TLS connections

Hello Experts,

I have a client that is running into an issue with Edge servers and TLS connections. Apparently, one of the Edge servers is refusing TLS connections, therefore some clients are getting NDRs stating that the Edge server has refused a TLS connection.

The client has the following infrastructure:

Primary Site:

1 External firewall, 2 External GTM F5 HLB, 2 internal CAS Exchange servers behind a load balancer F5, 3 Mailbox servers in a DAG, multiple DCs, 2 CAS proxy servers to handle ActiveSync and OWA, 2 Edge servers to allow incoming email from External F5 HLB

Secondary site

Same as above. All Exchange servers run Exchange 2013 SP1; each site has one external firewall, 2 external F5 HLBs, 2 internal HLBs, and 2 Edge servers.

Incoming email flow below

All external email goes to our external DNS and MX provider [Message Labs]; from there it goes through the external firewall, from the firewall to the external GTM load balancers, from there to our Edge servers, and finally from the Edge servers to the Exchange 2013 MBX servers.

During last week, we had a major incident where the primary site went down, so we had to redirect all traffic at the firewall to go to the secondary site. After that, one of the Edge servers on the primary site was not accepting TLS connections and was rejecting emails.

Our F5 specialist has one of the Edge servers disabled on the F5, so that is the problem child, but if you run the command on the Edge servers it states that the subscriptions would need to be broken, or the command run on the hub transport.

At the moment, all external traffic is handled at the DR site, but we need to flip the traffic back to the primary site. However, we have concerns because one of the Edge servers at the primary site can reject TLS connections and reject emails.

Can someone please provide me with an action plan to look at this issue on the edge servers?

No changes were applied to any of the Exchange servers; this is the first time this issue has happened. Some users got the NDR, but unfortunately I can't get those NDRs as they were deleted by the clients.

Can you please also create a workspace for server logs analysis if required?

How can we handle this TLS issue on the Exchange 2013 edge servers?

Do you believe it is related to the subscription file on all Edge servers?

Again, this was working well until last week when we had the network incident.

At the time this incident happened, we sent test emails via telnet from the Edge servers, and email was successfully delivered to the MBX servers and users.

As of today, because all incoming email is rerouted to the DR site, all incoming email flows OK and the Edge servers at the DR site are behaving well. My concern is that we need to flip services back to the primary site this weekend, and the problematic Edge server is located at the primary site.

Jerry Seinfield Asked:


Nathan Hawkins (Technical Lead - Network Security) Commented:
Edge server subscriptions don't just disappear, so if the Edge server was working before and nothing has changed on it, then there is no reason to believe it will start to not work correctly. Again, I'm emphasizing that IF nothing has CHANGED. If something has changed on the Edge server... what is it? You mentioned that the F5 engineer has made some changes. That should not impact your Edge servers or their subscriptions, as all the F5s are doing is balancing load. The pool members are monitored, so if a pool member is monitored to be down, no load will be sent to it... That's it. I'm saying all of this to still emphasize that it sounds like nothing the F5 engineer did changed anything on the Edge transport servers, unless there actually was a change made to the Edge transport servers?

With all of that said, the F5s can simply keep the "problem Edge transport server" down until you are confident it's working correctly, so cutting traffic back to the main site shouldn't be an issue, because all load will go to the remaining Edge transport servers.

The TLS issue is not the Edge transport server's fault... All it does is act as a landing point in your DMZ for SMTP traffic (nothing more) and send the mail it receives to the backend Mailbox servers you have. So if you are having TLS issues... it's with the backend Mailbox servers.
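The thread asks for an action plan but never shows one. The following is an added example, not code from the question or the answer above, of the two checks an Exchange administrator would actually run: a STARTTLS probe that can be pointed at the suspect Edge server from the DMZ and at each Mailbox server from the Edge (to find which hop really refuses the handshake), and the Exchange Management Shell queries that show whether the Edge has a valid SMTP-enabled certificate matching its receive connector. All host names, the `probe.example.invalid` EHLO name and the `<Edge>` connector placeholder are assumptions to be replaced with the site's own values.

```powershell
# Added example for the Exchange 2013 Edge TLS question; not part of the original thread.

function Test-SmtpStartTls {
    # Speaks plain SMTP up to STARTTLS, completes the TLS handshake, and reports what the
    # server presented. Pointed at an Edge from the DMZ, or at a Mailbox server from the Edge.
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$EhloName = 'probe.example.invalid'   # placeholder client name
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $net    = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($net)
        $writer = New-Object System.IO.StreamWriter($net)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        # Consume the (possibly multi-line) 220 banner
        do { $banner = $reader.ReadLine() } while ($banner -match '^220-')

        $writer.WriteLine("EHLO $EhloName")
        $caps = @()
        do { $line = $reader.ReadLine(); $caps += $line } while ($line -match '^250-')
        $offered = [bool]($caps -match '^250[ -]STARTTLS')

        $result = [ordered]@{ Server = $Server; Banner = $banner; StartTlsOffered = $offered; TlsOk = $false }
        if (-not $offered) {
            # Exchange stops advertising STARTTLS when no usable SMTP certificate matches the connector
            $result.Detail = 'STARTTLS not advertised'
            return [pscustomobject]$result
        }

        $writer.WriteLine('STARTTLS')
        $resp = $reader.ReadLine()
        if ($resp -notmatch '^220') {
            $result.Detail = "STARTTLS refused: $resp"
            return [pscustomobject]$result
        }

        # Accept any certificate so the handshake completes; chain trust is evaluated separately below
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
        $ssl.AuthenticateAsClient($Server)

        $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        $result.TlsOk        = $true
        $result.Protocol     = $ssl.SslProtocol
        $result.Subject      = $cert.Subject
        $result.NotAfter     = $cert.NotAfter
        $result.Expired      = $cert.NotAfter -lt (Get-Date)
        $result.ChainTrusted = $chainOk
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $tlsWriter = New-Object System.IO.StreamWriter($ssl)
        $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
        $tlsWriter.WriteLine('QUIT')
        return [pscustomobject]$result
    }
    catch {
        return [pscustomobject]@{ Server = $Server; TlsOk = $false; Detail = $_.Exception.Message }
    }
    finally { $client.Close() }
}

function Get-EdgeSmtpTlsConfig {
    # Run in the Exchange Management Shell on the suspect Edge server.
    # 1. Certificates enabled for SMTP and whether any has expired. Exchange picks the certificate
    #    whose name matches the receive connector's Fqdn, so a missing or expired match breaks STARTTLS.
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
        Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned, Status,
                      @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } | Format-List
    # 2. Connector settings that govern TLS on inbound mail
    Get-ReceiveConnector |
        Select-Object Name, Fqdn, Bindings, RequireTLS, AuthMechanism, ProtocolLoggingLevel | Format-Table -AutoSize
    # 3. Where the receive protocol log is written. Before traffic is flipped back, raise logging so
    #    a refused handshake is recorded with the remote endpoint and the reason, e.g.:
    #    Set-ReceiveConnector -Identity '<Edge>\Default internal receive connector <Edge>' -ProtocolLoggingLevel Verbose
    Get-TransportService | Select-Object Name, ReceiveProtocolLogPath
}

# Edge subscription health is checked from a Mailbox server in the same AD site, not on the Edge:
#   Test-EdgeSynchronization -FullCompareMode

# Usage (host names are placeholders):
#   Test-SmtpStartTls -Server edge01.example.invalid
#   Test-SmtpStartTls -Server mbx01.example.invalid   # run from the Edge to test the backend hop
#   Get-EdgeSmtpTlsConfig
```

Running the probe from both sides of the Edge separates the two explanations offered in the thread: if the Edge itself stops advertising STARTTLS or answers the STARTTLS command with anything other than 220, the problem is on the Edge (typically the SMTP certificate or connector); if the Edge handshake succeeds but the probe from the Edge to a Mailbox server fails, the backend is the place to look, as the answer above suggests. The chain status field shows whether the certificate presented is one the sending side would trust, which matters once the F5 pool member is re-enabled.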

Jerry Seinfield (Author) Commented:
Where should I look at the backend mailbox servers?
Jerry Seinfield (Author) Commented:
I've requested that this question be deleted for the following reason:

no comments
Nathan Hawkins (Technical Lead - Network Security) Commented:
Yes. You will need to look at the backend servers. Please do so and let us know what you find...