Exchange 2007 problem over site-to-site VPN with Cisco ASA

January 15, 2009 · Filed Under Exchange Server 2007, Networking

I’m currently working to get a new warm DR site up and running with Active Directory, Exchange Server 2007 SCR and Data Protection Manager 2007.  After installing and configuring the Hub Transport server in the DR site, I sent a test message using bmail to my mailbox to test SMTP connectivity and routing between sites.  I certainly didn’t expect to find what I did.

When looking at the queue for delivery to the AD site where the primary Exchange installation is (and where my mailbox is homed), I noticed it was in a retry state with the following error message:

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

So not the most explicit reason for the routing failures, but something at least.  I first thought that perhaps I had somehow changed the settings on the “Default” receive connector on one or both ends of the connection (i.e. the Hub Transport at the DR site and one or more of the Hub Transports at the main site).  On the “Default” receive connectors, you’d want to ensure that you’ve not changed any of the authentication methods on the Authentication tab.  Specifically, Exchange Server authentication and Integrated Windows authentication need to be selected as they are by default.

The settings were as they should have been, yet routing between AD sites was still stuck.  The problem, as it turns out, was the Cisco ASA 5510 device providing the site-to-site VPN connectivity between the two locations.  It seems there’s a bug in the ASA version 7.1 code base that causes the ESMTP inspection process to remove some information that is not required by the relevant RFCs.  Unfortunately, Exchange Server 2007 requires that information for ESMTP hostname validation.  From the Cisco WIKI article on the bug:

The Extended Simple Mail Transport Protocol (ESMTP) inspect feature masks the hostname and causes an error when a mailserver is configured to ensure the HELO reply is a valid hostname.

So…the solution is fairly simple once you identify the relatively obscure cause: simply turn off ESMTP inspection on the ASA device.  You can do this by following the CLI steps outlined in the WIKI article or by using the ASA GUI (Configuration > Security Policy > Service Policy Rules > Edit Service Policy Rule), select the Rule Actions tab and then select the Protocol Inspection tab as seen in the figure below.  Uncheck ESMTP, save and you’re good to go.  Mail flows and all is well.  Keep in mind that this turns off ESMTP inspection for every flow matched by that service policy, not just the inter-site Exchange traffic, so the ASA will no longer enforce SMTP command conformance on port 25 for that traffic.
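As an added check (example code written for this page, not from the original post, Cisco or Microsoft), the script below talks to a Hub Transport on port 25 the way a peer Exchange server would and reports whether the 220 banner hostname or the EHLO extension keywords have been masked, and whether the Exchange Server authentication extensions (X-EXPS, X-ANONYMOUSTLS, XEXCH50) are still advertised. The two sample transcripts, the hostnames and addresses in them, and the assumption that a masked EHLO keyword shows up as a run of X characters are constructed for the example.

```python
import re
import smtplib

# ESMTP keywords an Exchange 2007 Hub Transport advertises for Exchange Server
# authentication between servers. This list is an assumption of the added example,
# not something stated in the original post.
EXCHANGE_AUTH_EXTENSIONS = ("X-EXPS", "X-ANONYMOUSTLS", "XEXCH50")

# A field replaced entirely by '*' or 'X' characters is treated as masked by an
# inspection engine (asterisks for the 220 banner; runs of 'X' for EHLO keywords
# are an assumption of this example).
MASK_RE = re.compile(r"^[*X]+$")
EHLO_LINE_RE = re.compile(r"^250[- ](.*)$")

# Constructed sample transcripts for offline use; not captured from a real server.
HEALTHY_TRANSCRIPT = """220 hub01.corp.example.com Microsoft ESMTP MAIL Service ready at Thu, 15 Jan 2009 10:00:00 -0500
250-hub01.corp.example.com Hello [10.1.1.5]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 OK
"""

MASKED_TRANSCRIPT = """220 ******************************************************************
250-hub01.corp.example.com Hello [10.1.1.5]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-XXXXXXXXXXXXXX
250-AUTH NTLM
250-XXXXXX GSSAPI NTLM
250-8BITMIME
250 OK
"""


def is_masked(field):
    """True when a banner hostname or EHLO keyword consists only of mask characters."""
    return bool(field) and MASK_RE.match(field) is not None


def parse_transcript(text):
    """Split a '220 banner' plus EHLO reply into (banner line, list of 250 payloads)."""
    banner = ""
    replies = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("220") and not banner:
            banner = line
            continue
        m = EHLO_LINE_RE.match(line)
        if m:
            replies.append(m.group(1).strip())
    return banner, replies


def analyse(text):
    """Report whether the banner or EHLO keywords look masked and which Exchange
    authentication extensions survived. The first 250 line is the EHLO greeting,
    not an extension, so it is skipped."""
    banner, replies = parse_transcript(text)
    parts = banner.split(None, 2)
    banner_host = parts[1] if len(parts) > 1 else ""
    keywords = [r.split()[0].upper() for r in replies[1:] if r]
    present = [e for e in EXCHANGE_AUTH_EXTENSIONS if e in keywords]
    masked = [k for k in keywords if is_masked(k)]
    return {
        "banner_host": banner_host,
        "banner_masked": is_masked(banner_host),
        "exchange_auth_extensions": present,
        "masked_extensions": masked,
        "suspect_inspection": is_masked(banner_host) or bool(masked),
    }


def probe(host, port=25, timeout=10, helo_name="probe.example.invalid"):
    """Fetch the live banner and EHLO reply and rebuild them as a transcript.
    Network reachability is assumed; run it from the sending Hub Transport's subnet
    so the session crosses the same VPN path Exchange uses."""
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        code, banner = smtp.connect(host, port)
        ehlo_code, ehlo_msg = smtp.ehlo(helo_name)
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass
    lines = [f"{code} {banner.decode(errors='replace')}"]
    lines += [f"{ehlo_code}-{ln}" for ln in ehlo_msg.decode(errors="replace").splitlines()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    transcript = probe(sys.argv[1]) if len(sys.argv) > 1 else MASKED_TRANSCRIPT
    for key, value in analyse(transcript).items():
        print(f"{key}: {value}")
```

Run it from the DR-site Hub Transport against a main-site Hub Transport before and after the ASA change; a banner hostname of asterisks or EHLO keywords reduced to X characters, with X-EXPS missing, is the signature of ESMTP inspection sitting in the path, and a clean run with all three extensions advertised means the peer can attempt Exchange Server authentication again. On the CLI, the equivalent of the ASDM steps, assuming the default policy names have not been changed, is `no inspect esmtp` under `class inspection_default` within `policy-map global_policy`, followed by `write memory`.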
