Many Connection under Current Session (Default SMTP Virtual Server)

A lot of sessions are opened under Current Session (Default SMTP Virtual Server) in Exchange Server 2003.
Over 150 sessions are opened currently in Default SMTP Virtual Server ( Within Exchange Front-End Server) to be delivered locally to the Back-End Servers.

Is this normal?
We are getting a lot of pending messages from the Exchange Online Protection (EOP)...emails are delivered with delays.Current Session (Default SMTP Virtual Server)
LVL 1
ManzourAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AmitIT ArchitectCommented:
I suggest you to restart your server and check again.

Also note 2003 is obsolete technology in 2015. It will be good to move to Exchange 2010 minimum.
0
Simon Butler (Sembee)ConsultantCommented:
I usually that sort of behaviour when there is something between Exchange and the internet scanning the SMTP traffic (Cisco PIX/ASA comes to mind) or AV software scanning something it shouldn't be. The inbound traffic isn't terminated correctly and the sessions stay open until they time out.

Simon.
0
ManzourAuthor Commented:
Sorry, but I'm not sure what I need to do!
We checked the Firewall...it's accepting all SMTP traffic from the EOP...

But why the number of open sessions (inbound) is huge on the Exchange Front-End server? Why the connected time is a lot?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

ManzourAuthor Commented:
Amit, we already restarted the server few times! I know it's an old tech...we are moving to Ex2013 on November.
0
Simon Butler (Sembee)ConsultantCommented:
I didn't mean just checking the firewall is allowing the traffic, because that is obviously happening. What I meant was that some firewalls will scan the traffic, therefore interfering with the connection.

Simon.
0
ManzourAuthor Commented:
Is it possible that the issue with the Exchange Front-End Server? I never seen that many open sessions at once!
0
ManzourAuthor Commented:
New:
I found out that the issue started on 6/23....that's when we have the delay in email delivery.

From the event logs exact date of the issue...I found this event ID: 9661 Source: MSExchangeIS
"http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=6.5.7638.0&EvtID=9661&EvtSrc=MSExchangeIS&LCID=1033"

It seems someone modified something? What do you think? Please help!
EventID-9661.JPG
0
Simon Butler (Sembee)ConsultantCommented:
That doesn't mean it was changed.
If you go further back then you should find it was the same before. I think that entry is updated when the IMF filter is updated.

Furthermore, IMF wouldn't cause the problems you are seeing. If you suspect it is the cause, then disable IMF, because you have an external SMTP scan.

Simon.
0
ManzourAuthor Commented:
Yeah, you're right. It was the same before.

I'm not sure where else to look!!

Network admin says is not a firewall issue since it accepts traffic from the EOP and pass it to the Front-End server!
0
Simon Butler (Sembee)ConsultantCommented:
Not really much else I can suggest.
I have seen this problem caused by the firewall so many times - despite what the admin might say. Many of them will do SMTP scanning now which causes these kinds of problems.

The issue isn't that the firewall isn't passing the traffic through - this is the firewall interfering with the traffic.
The Cisco PIX/ASA for example, is so notorious it gets its own MS KB article.
https://support.microsoft.com/en-us/kb/320027

Simon.
0
ManzourAuthor Commented:
Most likely I believe the Firewall as you have mentioned.

By the way, we are using Checkpoint for the Firewall
0
ManzourAuthor Commented:
0
Simon Butler (Sembee)ConsultantCommented:
That article shouldn't apply to you. With Exchange 2003 TLS is either ON or Off. There is no opportunist TLS.

Simon.
0
ManzourAuthor Commented:
Hopefully last question...

Is there any different between a Firewall issue and a routing issue regarding the email delay?

They are saying it might be a routing issue not a Firewall issue!
0
Simon Butler (Sembee)ConsultantCommented:
They could be the same, as many firewalls do routing function as well.
However routing issues could be outside of your network.

Simon.
0
ManzourAuthor Commented:
I'm really confused now!!!
I called Microsoft  (EOP Support Team), at the beginning said it's a Firewall issue, then they said it's Exchange /Windows 2003 issue and they referred me to this article again: https://community.office365.com/en-us/f/158/t/356882 .

Now, how I can approve it  to the team it's not an Exchange issue? Is there a way to get the logs from the Exchange showing all accepted and rejected connection from EOP?

The network team change the routing to ASA 5540 Cisco Firewall and it doesn't show any drop connection from EOP...all are accepted.

Here is the pending error from the EOP:
Pending Error on EOP
0
Simon Butler (Sembee)ConsultantCommented:
"ASA 5540 Cisco Firewall "

If that is the firewall, then I bet it is the SMTP scanning functionality. Last time I tried to disable it, I got in such a mess I had to get Cisco to do it. Even then it took them three attempts.

The log you have posted is classic Cisco behaviour and I would not be looking any further than the Cisco ASA.

Simon.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ManzourAuthor Commented:
Even though we reroute the traffic through the Checkpoint and still  having the same issue?

In the article (https://community.office365.com/en-us/f/158/t/356882) it says:
Starting June 24, we began disabling RC4 on Exchange Online Protection.  Affected scenarios include connectors with Require or Force TLS.  Most connections in and out of EOP are typically opportunistic, meaning they will fall back to non-TLS if the remote side does not support modern ciphers. We have seen just a few scenarios where unpatched and out-of-support mail servers, firewalls, and Operating Systems either needed to be patched or updated.  Usually, these can be either NDRs or message delays.
June 24th is exactly when we started having the issue!!
0
Simon Butler (Sembee)ConsultantCommented:
Do you have require TLS enabled on the SMTP virtual server?
If you do, then you will need to disable it. If you need to use TLS for email transfer then you are going to have to upgrade to a later version of Exchange that supports the modern standards.

Simon.
0
ManzourAuthor Commented:
NO, I don't. How do disable it? I think MS tried, but didn't work. It seems they are not familiar with Windows/Exchange 2003!!

I really appreciate your help.
0
ManzourAuthor Commented:
Another question, is it possible to configure an  SMTP Server on Windows 2008 Server to route the traffic from EOP to Exchange Front-End? How if it is possible?
0
Simon Butler (Sembee)ConsultantCommented:
The first thing to do is telnet in to the Exchange 2003 server on port 25 and issue the command ehlo. It will reply with some verbs. If StartTLS is one of them, then TLS is enabled. You would need to get it turned off. That may well require modifying the IIS metabase. If you have a call with Microsoft on this issue then you need to press them to resolve it.

You could use a Windows 2008 server as a relay host. You would just need to configure IIS SMTP on the server then configure the accepted domains and the relay settings, using the Exchange 2003 server as the relay host.

Simon.
0
ManzourAuthor Commented:
It is working right now after installing the Hotfixes. Thank you so much for your input. Later on we will redirect the traffic through the ASA 5540 firewall...at least now we know we what to do if we have issue with the email flow.

Question regarding the IIS SMTP, for the Outbound Security, what should I use? Basic authentication or Integrated Windows Authentication?  Which account...On Exchange Server or on EOP?

Thanks again Simon for your help.
0
Simon Butler (Sembee)ConsultantCommented:
Outbound Security would be whatever the smart host that you are using supports.

Simon.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.