Watchguard firewall causing migrationwiz migration to office 365 from SBS 2011 standard to fail?z

I am doing my first sbs 2011 Standard to office 365 hosted exchange migration.

I am using migration wiz and 4 of 5 mailboxes failed. one talked of actively refiusing the connection.

It reminded me - there's a watchguard firewall at the sbs 2011 location.  I remember once someone else having a problem with too much data going to /. from 1 place that the watchguard shut it off - there's a setting to limit amount of data to / from 1 external location that was on by default.

Anyone know where that is?  Could that be why they are failing the migration?

can you tell me where to look to disable that if it's on. and maybe where to look to see if that feature was activatted in the last 48 hours?

THANKS!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Saif ShaikhServer engineer Commented:
Migration wiz uses endpoint i.e. autodiscover from your local SBS server for migration. I don't think it can be a firewall issue since port 443 and 25 should already be opened.

You can test autodiscover using testexchangeconnectivity.com to see if autodiscover test passes on onpremise.

Can you paste the error of the failed mailboxes in here for review.
BeGentleWithMe-INeedHelpAuthor Commented:
I'm running them again.  But here's some.  1 user got 1000 errors of this, another got a lower number.  but they passed the password veriification.

Active Directory is unavailable. Try again later

The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443

The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 75.127.196.xxx:443

This is one I hadn't seen before:

Inconsistent get item response (0 items returned but more are available)

it's an older 2011 standard SBS so is there maintenance I should be doing first?

The autodiscver test:

      The Microsoft Connectivity Analyzer is attempting to test Autodiscover for x@y.com
       Autodiscover was tested successfully.
Saif ShaikhServer engineer Commented:
I see this:

The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443

So basically target machine i.e. SBS server has refused request on port 443.

Can you check what IP: 75.127.196.xxx is. Is this the IP of your firewall. If yes then make sure to open port 443 for IP: 75.127.196.xxx
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Saif ShaikhServer engineer Commented:
Kindly follow Migration Wiz article for firewall requirement: "How do I set up router ports for OWA traffic when performing an On-Premises Exchange to On-Premises Exchange migration?"

https://help.bittitan.com/hc/en-us/articles/115008107167
Jon SnydermanCommented:
Based on your details and issues to date, I tend not to think that it is the firewall.   HOWEVER, if your port 80 and 443 rules are proxies, I could see where this could intermittently get in the way depending on the contents of the mailbox.  Especially if you have Deep Packet Inspection turned on.  

This could be a complex issue to resolve and even more so without me knowing what your config looks like.  But a relatively simple (but less secure) way to deal with this would be to create an unfiltered packet filter outbound from the machine running the migration wizard.   Because 365 has so many sub URLs, I would just add HTTP and HTTPS rules (not HTTP-Proxy and HTTPS-Proxy) from the IP of the migrationwiz server to Any-External.   Because it is a packet filter and pretty specific in nature, it should come in higher than your default proxy rules and take precedence (assuming yout auto-order is on as it should be).   I would also turn on logging for that rule so that you can prove that it is being used.     Once you can launch the wizard and see that traffic traversing the new packet filter rules, run your migration test again.  If it succeeds, you are good to go.   If it does not succeed, you can be pretty sure that it is not the firewall causing the issue.  

Good luck.
~Jon
Saif ShaikhServer engineer Commented:
I was researching on the error which you received :

This is one I hadn't seen before:

Inconsistent get item response (0 items returned but more are available)

As per Bittitan reference article: https://help.bittitan.com/hc/en-us/articles/115008263948-Inconsistent-get-item-response-0-items-returned-but-more-are-available-

Answer:
This error occurs when the Source server is overloaded and MigrationWiz is unable to get consistent responses from the Exchange server. To prevent additional issues, MigrationWiz stops the migration.

Resolve this issue by investigating the health of the Source server. To help reduce the load on the server, lower the number of concurrent migrations.

This error can also occur because the number of items in a single folder is quite large, and causes the Source server to return only partial responses.

 
If this error persists, using the Advanced Support option DisableEWSDataConsistencyCheck=1 will bypass the consistency check, but may result in missing items.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BeGentleWithMe-INeedHelpAuthor Commented:
thanks saif.  I lowered the concurrent migrations to 1 and it's working.
Saif ShaikhServer engineer Commented:
Glad I could help...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.