Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ashok_kumar
New Contributor

Activating Reduntency ISP Emails are bouncing!!!!!!

Hi Friends,

                      In our environment we are using Fortigate 200D v5.0,build3608 (GA Patch 7)we have working with 1 ISP and that one connected to the Port of WAN1.Static IP ranges provided by the ISP and for Exchange server already registered with that IP to the Message labs.

Now for the redundancy purpose taken another ISP.connecting the same to WAN 2 port its working,rerouted some traffics via wan2 ,but emails are bouncing.Could you please help me on this.

 

Many Thanks..

Ashok

ashok kumar

Network Engineer

CCNP/MCSA

 

ashok kumar Network Engineer CCNP/MCSA
8 REPLIES 8
emnoc
Esteemed Contributor III

It would help to tell us what type of bounce message? but let's assume a hard bounce, have you looked at the status message/reason?

 

I would guess the src-ip from ISP#2  has no proper PTR and foreign email server are dropping any mail sent from that address. So when you failover to the ISP#2 you have internet access but the email services based on this address and PTR  DNS records are not correct.

 

Also if you have any DNS SFP records  entries, you will need to adjust these to include this address also.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ashok_kumar
New Contributor

Hi,

         Internally emails are getting.But receiving from out side fro eg sending from Yahoo..or gmail..or other company emails...getting your bounce message.

 

Primary connection have static ip and fail over link has Dynamic ip address.

ashok kumar

Network Engineer

CCNP/MCSA

 

ashok kumar Network Engineer CCNP/MCSA
Somashekara_Hanumant

Hi Ashok,

 

To identify the reason, we would require full internet headers of the bounce email and also bounce text message

 

and kindly provide the below command output

 

get router info routing-table all

get router info routing-table database

 

and also mention on which ISP VIP is configured

 

Regards,

Somu

EMEA Technical Support
ashok_kumar
New Contributor

Hi Somu,

                  Sure i'll get back to you asap.Right now we are shut down the WAN2 port bcoz of email bouncing.Its peak time.I'll post the updates once the wan2 will got up.

Many Thanks

Ashok

ashok kumar

Network Engineer

CCNP/MCSA

 

ashok kumar Network Engineer CCNP/MCSA
ashok_kumar
New Contributor

Dear Somu,

FG200D-MSS-DMM-HO # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP        O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area        * - candidate default S*      0.0.0.0/0 [1/0] via 84.235.124.10, ppp1 C       2.88.13.68/32 is directly connected, ppp1 S       10.60.0.0/16 [10/0] via 10.60.10.254, port1 C       10.60.10.0/24 is directly connected, port1 C       10.60.11.0/24 is directly connected, lan C       10.60.15.0/24 is directly connected, MSS-DMM-UP C       10.60.16.0/24 is directly connected, MSS-DAMMAM C       10.60.17.0/24 is directly connected, MSS-DMM-MOBILE C       10.60.20.0/24 is directly connected, Executive-Group S       10.62.10.0/24 [10/0] via 10.60.10.2, port1 S       10.63.10.0/24 [10/0] via 10.60.10.2, port1 S       10.64.10.0/24 [10/0] via 10.60.10.2, port1 S       10.65.10.0/24 [10/0] via 10.60.10.2, port1 S       10.66.10.0/24 [10/0] via 10.60.10.2, port1 S       10.67.10.0/24 [10/0] via 10.60.10.2, port1 C       84.235.124.10/32 is directly connected, ppp1 C       192.168.8.0/24 is directly connected, Software_SW C       192.168.17.0/24 is directly connected, MSS-GUEST FG200D-MSS-DMM-HO # FG200D-MSS-DMM-HO # get router info routing-table database Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP        O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area        > - selected route, * - FIB route, p - stale info S    *> 0.0.0.0/0 [1/0] via 84.235.124.10, ppp1 S       0.0.0.0/0 [10/0] via 188.117.105.241, wan1 inactive C    *> 2.88.13.68/32 is directly connected, ppp1 S    *> 10.60.0.0/16 [10/0] via 10.60.10.254, port1 C    *> 10.60.10.0/24 is directly connected, port1 C    *> 10.60.11.0/24 is directly connected, lan C    *> 10.60.15.0/24 is directly connected, MSS-DMM-UP C    *> 10.60.16.0/24 is directly connected, MSS-DAMMAM C    *> 10.60.17.0/24 is directly connected, MSS-DMM-MOBILE C    *> 10.60.20.0/24 is directly connected, Executive-Group S       10.61.0.0/16 [10/0] is directly connected, MSS_VPN_P1 inactive S    *> 10.62.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.63.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.64.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.65.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.66.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.67.10.0/24 [10/0] via 10.60.10.2, port1 S       10.71.0.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive C    *> 84.235.124.10/32 is directly connected, ppp1 S       192.168.4.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive S       192.168.8.0/24 [10/0] via 10.60.10.254, port1 C    *> 192.168.8.0/24 is directly connected, Software_SW C    *> 192.168.17.0/24 is directly connected, MSS-GUEST FG200D-MSS-DMM-HO # FG200D-MSS-DMM-HO # get router info routing-table database Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP        O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area        > - selected route, * - FIB route, p - stale info S    *> 0.0.0.0/0 [1/0] via 84.235.124.10, ppp1 S       0.0.0.0/0 [10/0] via 188.117.105.241, wan1 inactive C    *> 2.88.13.68/32 is directly connected, ppp1 S    *> 10.60.0.0/16 [10/0] via 10.60.10.254, port1 C    *> 10.60.10.0/24 is directly connected, port1 C    *> 10.60.11.0/24 is directly connected, lan C    *> 10.60.15.0/24 is directly connected, MSS-DMM-UP C    *> 10.60.16.0/24 is directly connected, MSS-DAMMAM C    *> 10.60.17.0/24 is directly connected, MSS-DMM-MOBILE C    *> 10.60.20.0/24 is directly connected, Executive-Group S       10.61.0.0/16 [10/0] is directly connected, MSS_VPN_P1 inactive S    *> 10.62.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.63.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.64.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.65.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.66.10.0/24 [10/0] via 10.60.10.2, port1 S    *> 10.67.10.0/24 [10/0] via 10.60.10.2, port1 S       10.71.0.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive C    *> 84.235.124.10/32 is directly connected, ppp1 S       192.168.4.0/24 [10/0] is directly connected, MSS_VPN_P1 inactive S       192.168.8.0/24 [10/0] via 10.60.10.254, port1 C    *> 192.168.8.0/24 is directly connected, Software_SW C    *> 192.168.17.0/24 is directly connected, MSS-GUEST FG200D-MSS-DMM-HO #

ashok kumar

Network Engineer

CCNP/MCSA

 

ashok kumar Network Engineer CCNP/MCSA
ashok_kumar
New Contributor

Delivery has failed to these recipients or groups:

Ashok kumar (ashokkumarpk@hotmail.com) A problem occurred while delivering this message to this email address. Try sending this message again. If the problem continues, please contact your helpdesk.

ASHOKUMARPK@REDIFFMAIL.COM (ASHOKUMARPK@REDIFFMAIL.COM) A problem occurred while delivering this message to this email address. Try sending this message again. If the problem continues, please contact your helpdesk.

The following organization rejected your message: server-12.tower-194.messagelabs.com.

Diagnostic information for administrators:

Generating server: mail.almojilservices.com

ashokkumarpk@hotmail.com server-12.tower-194.messagelabs.com Remote Server returned '553-you are trying to use me [server-12.tower-194.messagelab 553-s.com] as a relay, but I have not been configured to 553-let you [2.88.13.68, unknown] do this. Please visit 553-www.symanteccloud.com/troubleshooting for more details 553-about this error message and instructions to resolve 553 this issue. (#5.7.1)'

ASHOKUMARPK@REDIFFMAIL.COM server-12.tower-194.messagelabs.com Remote Server returned '553-you are trying to use me [server-12.tower-194.messagelab 553-s.com] as a relay, but I have not been configured to 553-let you [2.88.13.68, unknown] do this. Please visit 553-www.symanteccloud.com/troubleshooting for more details 553-about this error message and instructions to resolve 553 this issue. (#5.7.1)'

Original message headers:

Received: from MSS-EXCH.almojilservices.com (10.60.10.26) by
 mail.almojilservices.com (10.60.10.25) with Microsoft SMTP Server (TLS) id
 15.0.847.32; Mon, 13 Apr 2015 15:38:17 +0300
Received: from MSS-EXCH.almojilservices.com (10.60.10.26) by
 MSS-EXCH.almojilservices.com (10.60.10.26) with Microsoft SMTP Server (TLS)
 id 15.0.847.32; Mon, 13 Apr 2015 15:38:16 +0300
Received: from MSS-EXCH.almojilservices.com ([fe80::8c50:c50:751b:1e3d]) by
 MSS-EXCH.almojilservices.com ([fe80::8c50:c50:751b:1e3d%12]) with mapi id
 15.00.0847.030; Mon, 13 Apr 2015 15:38:16 +0300
From: Ashok Kumar <ashok.kumar@almojilservices.com>
To: "ASHOKUMARPK@REDIFFMAIL.COM" <ASHOKUMARPK@REDIFFMAIL.COM>
CC: Ashok kumar <ashokkumarpk@hotmail.com>
Subject: Test
Thread-Topic: Test
Thread-Index: AdB15rHXkhTU1bC/TYCdtnUrcUyx/w==
Date: Mon, 13 Apr 2015 12:38:15 +0000
Message-ID: <8f0c2182adea4cf7a2de7c72f8807ca0@MSS-EXCH.almojilservices.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.11.30]
Content-Type: multipart/related;
        boundary="_004_8f0c2182adea4cf7a2de7c72f8807ca0MSSEXCHalmojilservicesc_";
        type="multipart/alternative"
MIME-Version: 1.0
Return-Path: ashok.kumar@almojilservices.com

ashok kumar

Network Engineer

CCNP/MCSA

 

ashok kumar Network Engineer CCNP/MCSA
emnoc
Esteemed Contributor III

  You have a hard bounce and not something like a soft bounce which could be a remote grey-listing policy. it seems like your trying to relay mail and that reote server is not configured to allow your address.

 

  Your address that  your using, you might want to run it thru RBL to check if it's flagged.

e.g

[link]http://www.anti-abuse.org/[/link]

 

So your SMTP policy for allowing email traffic out is probably right for  ISP#2 WAN#2 interface.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ashok_kumar
New Contributor

Yes Exchange Server internal IP is 10.X.X.X and its map ie VIP to Public Ip 188.X.X.X which one provided by WAN 1 ISP

Wan 2 have only dynamic IP ,so requesting via through wan1 its ok....but it goes through wan 2 it will bouncing.So if WAN 2 is not active everything fine. 

ashok kumar

Network Engineer

CCNP/MCSA

 

ashok kumar Network Engineer CCNP/MCSA
Labels
Top Kudoed Authors