I inherited an odd issue with our exchange environment related to POP3 traffic unique to a single server.
We have a DAG based on 3 Server 2012/Exchange 2013 (Only server 1 and 2 handle traffic, number 3 is there to keep a copy of DBs in another location) machines. We also have an automated system that sends messages via POP3 for our customer service. For several weeks now authentication sporadically fails when email is flowing via one of the active servers, but works all the time on the primary server. As a fix the previous Admin limited POP3 to only the "good" server, whereas general user access is distributed via an F5 appliance between both servers.
Over the weekend, by a mistake, the F5 appliance was miss-configured and we had live POP3 traffic hitting the "bad" server for several hours and therefore I have some log files that I could use to try to properly fix the issue once and for all. The logs list "timeout" issues, however I just checked and the Authenticated time-out is set to 1800 seconds (!), whereas the Unauthenticated time-out is set to 60 seconds.
In any event the failed message is as follows (Logs from Exchange2. The primary server where the DBs are mounted is Exchange1):
2015-05-17T15:39:43.114Z,000000000002CBC5,2,172.16.1.12:110,172.16.1.101:52183,Customerservice,60098,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=Proxy:CORP-EXCH01. domain.com:9955:SSL;ErrMsg=ProxyTimeout:PreAuthTimeout"
And within a brief moment the same action succeeds:
Again, when sending traffic only to Exchange1 this works all the time so I am sure this is not a user/password issue. Although, could this be something on the side of the Domain Controllers?
I have a case open with Microsoft but until now we did not have "live" log files to go off yet.