Hi Friends,
In our environment we are using Fortigate 200D v5.0,build3608 (GA Patch 7)we have working with 1 ISP and that one connected to the Port of WAN1.Static IP ranges provided by the ISP and for Exchange server already registered with that IP to the Message labs.
Now for the redundancy purpose taken another ISP.connecting the same to WAN 2 port its working,rerouted some traffics via wan2 ,but emails are bouncing.Could you please help me on this.
Many Thanks..
Ashok
ashok kumar
Network Engineer
CCNP/MCSA
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It would help to tell us what type of bounce message? but let's assume a hard bounce, have you looked at the status message/reason?
I would guess the src-ip from ISP#2 has no proper PTR and foreign email server are dropping any mail sent from that address. So when you failover to the ISP#2 you have internet access but the email services based on this address and PTR DNS records are not correct.
Also if you have any DNS SFP records entries, you will need to adjust these to include this address also.
PCNSE
NSE
StrongSwan
Hi,
Internally emails are getting.But receiving from out side fro eg sending from Yahoo..or gmail..or other company emails...getting your bounce message.
Primary connection have static ip and fail over link has Dynamic ip address.
ashok kumar
Network Engineer
CCNP/MCSA
Hi Ashok,
To identify the reason, we would require full internet headers of the bounce email and also bounce text message
and kindly provide the below command output
get router info routing-table all
get router info routing-table database
and also mention on which ISP VIP is configured
Regards,
Somu
Hi Somu,
Sure i'll get back to you asap.Right now we are shut down the WAN2 port bcoz of email bouncing.Its peak time.I'll post the updates once the wan2 will got up.
Many Thanks
Ashok
ashok kumar
Network Engineer
CCNP/MCSA
Dear Somu,
FG200D-MSS-DMM-HO # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S* 0.0.0.0/0 [1/0] via 84.235.124.10, ppp1 C 2.88.13.68/32 is directly connected, ppp1 S 10.60.0.0/16 [10/0] via 10.60.10.254, port1 C 10.60.10.0/24 is directly connected, port1 C 10.60.11.0/24 is directly connected, lan C 10.60.15.0/24 is directly connected, MSS-DMM-UP C 10.60.16.0/24 is directly connected, MSS-DAMMAM C 10.60.17.0/24 is directly connected, MSS-DMM-MOBILE C 10.60.20.0/24 is directly connected, Executive-Group S 10.62.10.0/24 [10/0] via 10.60.10.2, port1 S 10.63.10.0/24 [10/0] via 10.60.10.2, port1 S 10.64.10.0/24 [10/0] via 10.60.10.2, port1 S 10.65.10.0/24 [10/0] via 10.60.10.2, port1 S 10.66.10.0/24 [10/0] via 10.60.10.2, port1 S 10.67.10.0/24 [10/0] via 10.60.10.2, port1 C 84.235.124.10/32 is directly connected, ppp1 C 192.168.8.0/24 is directly connected, Software_SW C 192.168.17.0/24 is directly connected, MSS-GUEST FG200D-MSS-DMM-HO # FG200D-MSS-DMM-HO # get router info routing-table database Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area > - selected route, * - FIB route, p - stale info S *> 0.0.0.0/0 [1/0] via 84.235.124.10, ppp1 S 0.0.0.0/0 [10/0] via 188.117.105.241, wan1 inactive C *> 2.88.13.68/32 is directly connected, ppp1 S *> 10.60.0.0/16 [10/0] via 10.60.10.254, port1 C *> 10.60.10.0/24 is directly connected, port1 C *> 10.60.11.0/24 is directly connected, lan C *> 10.60.15.0/24 is directly connected, MSS-DMM-UP C *> 10.60.16.0/24 is directly connected, MSS-DAMMAM C *> 10.60.17.0/24 is directly connected, MSS-DMM-MOBILE C *> 10.60.20.0/24 is directly connected, Executive-Group S 10.61.0.0/16 [10/0] is directly connected, MSS_VPN_P1 inactive S *> 10.62.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.63.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.64.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.65.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.66.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.67.10.0/24 [10/0] via 10.60.10.2, port1 S 10.71.0.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive C *> 84.235.124.10/32 is directly connected, ppp1 S 192.168.4.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive S 192.168.8.0/24 [10/0] via 10.60.10.254, port1 C *> 192.168.8.0/24 is directly connected, Software_SW C *> 192.168.17.0/24 is directly connected, MSS-GUEST FG200D-MSS-DMM-HO # FG200D-MSS-DMM-HO # get router info routing-table database Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area > - selected route, * - FIB route, p - stale info S *> 0.0.0.0/0 [1/0] via 84.235.124.10, ppp1 S 0.0.0.0/0 [10/0] via 188.117.105.241, wan1 inactive C *> 2.88.13.68/32 is directly connected, ppp1 S *> 10.60.0.0/16 [10/0] via 10.60.10.254, port1 C *> 10.60.10.0/24 is directly connected, port1 C *> 10.60.11.0/24 is directly connected, lan C *> 10.60.15.0/24 is directly connected, MSS-DMM-UP C *> 10.60.16.0/24 is directly connected, MSS-DAMMAM C *> 10.60.17.0/24 is directly connected, MSS-DMM-MOBILE C *> 10.60.20.0/24 is directly connected, Executive-Group S 10.61.0.0/16 [10/0] is directly connected, MSS_VPN_P1 inactive S *> 10.62.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.63.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.64.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.65.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.66.10.0/24 [10/0] via 10.60.10.2, port1 S *> 10.67.10.0/24 [10/0] via 10.60.10.2, port1 S 10.71.0.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive C *> 84.235.124.10/32 is directly connected, ppp1 S 192.168.4.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive S 192.168.8.0/24 [10/0] via 10.60.10.254, port1 C *> 192.168.8.0/24 is directly connected, Software_SW C *> 192.168.17.0/24 is directly connected, MSS-GUEST FG200D-MSS-DMM-HO #
ashok kumar
Network Engineer
CCNP/MCSA
Delivery has failed to these recipients or groups:
Ashok kumar (ashokkumarpk@hotmail.com) A problem occurred while delivering this message to this email address. Try sending this message again. If the problem continues, please contact your helpdesk.
ASHOKUMARPK@REDIFFMAIL.COM (ASHOKUMARPK@REDIFFMAIL.COM) A problem occurred while delivering this message to this email address. Try sending this message again. If the problem continues, please contact your helpdesk.
The following organization rejected your message: server-12.tower-194.messagelabs.com.
Diagnostic information for administrators:
Generating server: mail.almojilservices.com
ashokkumarpk@hotmail.com server-12.tower-194.messagelabs.com Remote Server returned '553-you are trying to use me [server-12.tower-194.messagelab 553-s.com] as a relay, but I have not been configured to 553-let you [2.88.13.68, unknown] do this. Please visit 553-www.symanteccloud.com/troubleshooting for more details 553-about this error message and instructions to resolve 553 this issue. (#5.7.1)'
ASHOKUMARPK@REDIFFMAIL.COM server-12.tower-194.messagelabs.com Remote Server returned '553-you are trying to use me [server-12.tower-194.messagelab 553-s.com] as a relay, but I have not been configured to 553-let you [2.88.13.68, unknown] do this. Please visit 553-www.symanteccloud.com/troubleshooting for more details 553-about this error message and instructions to resolve 553 this issue. (#5.7.1)'
Original message headers:
Received: from MSS-EXCH.almojilservices.com (10.60.10.26) by
mail.almojilservices.com (10.60.10.25) with Microsoft SMTP Server (TLS) id
15.0.847.32; Mon, 13 Apr 2015 15:38:17 +0300
Received: from MSS-EXCH.almojilservices.com (10.60.10.26) by
MSS-EXCH.almojilservices.com (10.60.10.26) with Microsoft SMTP Server (TLS)
id 15.0.847.32; Mon, 13 Apr 2015 15:38:16 +0300
Received: from MSS-EXCH.almojilservices.com ([fe80::8c50:c50:751b:1e3d]) by
MSS-EXCH.almojilservices.com ([fe80::8c50:c50:751b:1e3d%12]) with mapi id
15.00.0847.030; Mon, 13 Apr 2015 15:38:16 +0300
From: Ashok Kumar <ashok.kumar@almojilservices.com>
To: "ASHOKUMARPK@REDIFFMAIL.COM" <ASHOKUMARPK@REDIFFMAIL.COM>
CC: Ashok kumar <ashokkumarpk@hotmail.com>
Subject: Test
Thread-Topic: Test
Thread-Index: AdB15rHXkhTU1bC/TYCdtnUrcUyx/w==
Date: Mon, 13 Apr 2015 12:38:15 +0000
Message-ID: <8f0c2182adea4cf7a2de7c72f8807ca0@MSS-EXCH.almojilservices.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.11.30]
Content-Type: multipart/related;
boundary="_004_8f0c2182adea4cf7a2de7c72f8807ca0MSSEXCHalmojilservicesc_";
type="multipart/alternative"
MIME-Version: 1.0
Return-Path: ashok.kumar@almojilservices.com
ashok kumar
Network Engineer
CCNP/MCSA
You have a hard bounce and not something like a soft bounce which could be a remote grey-listing policy. it seems like your trying to relay mail and that reote server is not configured to allow your address.
Your address that your using, you might want to run it thru RBL to check if it's flagged.
e.g
[link]http://www.anti-abuse.org/[/link]
So your SMTP policy for allowing email traffic out is probably right for ISP#2 WAN#2 interface.
PCNSE
NSE
StrongSwan
Yes Exchange Server internal IP is 10.X.X.X and its map ie VIP to Public Ip 188.X.X.X which one provided by WAN 1 ISP
Wan 2 have only dynamic IP ,so requesting via through wan1 its ok....but it goes through wan 2 it will bouncing.So if WAN 2 is not active everything fine.
ashok kumar
Network Engineer
CCNP/MCSA
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.