Watchguard firewall causing migrationwiz migration to office 365 from SBS 2011 standard to fail?z

BeGentleWithMe-INeedHelp
BeGentleWithMe-INeedHelp used Ask the Experts™
on
I am doing my first sbs 2011 Standard to office 365 hosted exchange migration.

I am using migration wiz and 4 of 5 mailboxes failed. one talked of actively refiusing the connection.

It reminded me - there's a watchguard firewall at the sbs 2011 location.  I remember once someone else having a problem with too much data going to /. from 1 place that the watchguard shut it off - there's a setting to limit amount of data to / from 1 external location that was on by default.

Anyone know where that is?  Could that be why they are failing the migration?

can you tell me where to look to disable that if it's on. and maybe where to look to see if that feature was activatted in the last 48 hours?

THANKS!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Saif ShaikhServer engineer

Commented:
Migration wiz uses endpoint i.e. autodiscover from your local SBS server for migration. I don't think it can be a firewall issue since port 443 and 25 should already be opened.

You can test autodiscover using testexchangeconnectivity.com to see if autodiscover test passes on onpremise.

Can you paste the error of the failed mailboxes in here for review.
I'm running them again.  But here's some.  1 user got 1000 errors of this, another got a lower number.  but they passed the password veriification.

Active Directory is unavailable. Try again later

The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443

The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 75.127.196.xxx:443

This is one I hadn't seen before:

Inconsistent get item response (0 items returned but more are available)

it's an older 2011 standard SBS so is there maintenance I should be doing first?

The autodiscver test:

      The Microsoft Connectivity Analyzer is attempting to test Autodiscover for x@y.com
       Autodiscover was tested successfully.
Saif ShaikhServer engineer

Commented:
I see this:

The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443

So basically target machine i.e. SBS server has refused request on port 443.

Can you check what IP: 75.127.196.xxx is. Is this the IP of your firewall. If yes then make sure to open port 443 for IP: 75.127.196.xxx
Exploring SharePoint 2016

Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.

Saif ShaikhServer engineer

Commented:
Kindly follow Migration Wiz article for firewall requirement: "How do I set up router ports for OWA traffic when performing an On-Premises Exchange to On-Premises Exchange migration?"

https://help.bittitan.com/hc/en-us/articles/115008107167
Based on your details and issues to date, I tend not to think that it is the firewall.   HOWEVER, if your port 80 and 443 rules are proxies, I could see where this could intermittently get in the way depending on the contents of the mailbox.  Especially if you have Deep Packet Inspection turned on.  

This could be a complex issue to resolve and even more so without me knowing what your config looks like.  But a relatively simple (but less secure) way to deal with this would be to create an unfiltered packet filter outbound from the machine running the migration wizard.   Because 365 has so many sub URLs, I would just add HTTP and HTTPS rules (not HTTP-Proxy and HTTPS-Proxy) from the IP of the migrationwiz server to Any-External.   Because it is a packet filter and pretty specific in nature, it should come in higher than your default proxy rules and take precedence (assuming yout auto-order is on as it should be).   I would also turn on logging for that rule so that you can prove that it is being used.     Once you can launch the wizard and see that traffic traversing the new packet filter rules, run your migration test again.  If it succeeds, you are good to go.   If it does not succeed, you can be pretty sure that it is not the firewall causing the issue.  

Good luck.
~Jon
Server engineer
Commented:
I was researching on the error which you received :

This is one I hadn't seen before:

Inconsistent get item response (0 items returned but more are available)

As per Bittitan reference article: https://help.bittitan.com/hc/en-us/articles/115008263948-Inconsistent-get-item-response-0-items-returned-but-more-are-available-

Answer:
This error occurs when the Source server is overloaded and MigrationWiz is unable to get consistent responses from the Exchange server. To prevent additional issues, MigrationWiz stops the migration.

Resolve this issue by investigating the health of the Source server. To help reduce the load on the server, lower the number of concurrent migrations.

This error can also occur because the number of items in a single folder is quite large, and causes the Source server to return only partial responses.

 
If this error persists, using the Advanced Support option DisableEWSDataConsistencyCheck=1 will bypass the consistency check, but may result in missing items.
thanks saif.  I lowered the concurrent migrations to 1 and it's working.
Saif ShaikhServer engineer

Commented:
Glad I could help...

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial