I have 3 ISA servers in play, 2 as ISA2004 and a new ISA2006 which has Exch2007 behind it.
I have an outstanding email issue where I am unable to send emails to ONE domain only which is routing via ISA2006.
From an ISA2004 box, I can open telnet randsomservername.com 25 and get a valid SMTP handshake. I am also able to open a telnet test to our new client and get a valid SMTP header.
From the ISA2006 box, I can open telnet randsomserver.com 25 and get a valid SMTP header. I do the same telnet command, but to our new client, and the host returns the "421 Service not available, closing transmission channel".
Is this an ISA issue, that it works on ISA2004 but not ISA2006, and only fails for one client? Any ideas what I'm missing? I've spent close to a working day tracing this issue backwards from Exchange through mailmarshal through to the ISA2006 issue.
< Message edited by firstname.lastname@example.org -- 24.Sep.2008 4:06:17 AM >
Greetings Tom, thanks for the reply. I'll hopefully clarify a little.
I have an isa2006ee server running w2k3, and an Exchange 2007 server running Server 2008 with mailmarshal on w2k3.
Outbound emails are routed from Exchange through mailmarshal through to isa2006. (This is a new exchange2007/isa2006 install to convert my company away from mdaemon.) I was informed that one of our clients (another domain) wasn't receiving emails, and I further found that these emails were stuck on mailmarshal's outbound routes.
During the diag process, I found that using just pure CMD and Telnet, I wasn't able to open a successful connection to this domain from the server hosting mailmarshal (to any other domain works okay). I tried this same process on the isa2006 server and got the same 421 Service not available fault.
On one of the other isa2004 servers, I tried the same telnet to this domain and any other domain, and the connection worked as expected.
On the isa2006, I swapped the primary IP with another spare to see if this domain that I was trying to send emails to had some sort of IP blocking going on, but this action gave back the same 421 failed result.
So in the end I have an isa2004 and an isa2006 server, where the isa2004 will work as expected to any domain, and the isa2006 will work to any domain except one. Unfortunately this one domain is a new and large client for the company I work for. :o/
The issue affecting this connection has been resolved. Not by me, nor do I know how.
The server in question is "envoy.telecom.co.nz".
I was all prepared on the weekend to build another server to see if it was something that had gone amiss during the build/config of the isa2006 install. On arrival for the weekend rebuild, I did the same Telnet test, and all the emails were/are flowing as one should expect. Why did it stop? I'm sorry, I have yet to find out.
With Google and "421 service not available", I was never able to find a solution, and I'm sorry that I'm not able to provide an answer to someone else who has found this posting.
As you have probably seen many times, being stuck in the middle with lots of finger pointing is never a fun place to be.
I can say, though, it's not ISA that was ever at fault.
In fact, in my 10 years of experience with the ISA firewall, over 95% of the time it's not the ISA firewall's fault. It's typically some Cisco CLI or *IX junkie who messed up a configuration with a typo.