Intermittent Exchange Login Failures


  • Intermittent Exchange Login Failures

    I work in a Security team and am assisting some Exchange admins solve a problem with Exchange. Here's the deal...

    LAN to LAN traffic
    W2K3 Server SP1
    Exchange 2003 SP2
    WinXP client

    1) Start Outlook on the client
    2) Client machine tries to establish the connection. After that the user is informed that the server was unavailable. Then select "retry" and the client can connect after a few seconds delay.

    - Server load is under 30%
    - No errors at all recorded in the Exchange server logs
    - Firewall logs show successful connection. No drops or out of states.
    - I am told that RPC over HTTPS is not enabled on the server.
    - Client and server are in the same domain, just different VLANs

    So I ran Wireshark to capture the traffic. I am attaching a portion of it in a .txt format file. I have replaced the first two octets with XXX.XXX.

    XXX.XXX.42.38 is the server
    XXX.XXX.118.162 is the client


    Any thoughts on this would be appreciated.


    DC
    David Casey CISSP/CISM/SnortCP | Sr. Security Analyst | SBS 2003 R2 | ISA 2006

  • #2
    Re: Intermittent Exchange Login Failures

    Hi Paladium,

    Good information post!!

    Could it be general network traffic between the two hosts or do you have any filtering between the two vlans?

    Do you experience the same issues with a different XP host?

    Have you tried running Exchange in cache mode to see if it makes a difference?

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Intermittent Exchange Login Failures

      Thanks for the quick reply Michael!

      There are multiple clients experiencing this issue, across several VLANs. Nothing consistent at all. Everything between clients and servers bounces through a firewall. The firewall (Check Point VSX) shows CPU idle time near 85%, so it's not stressed at all, and there are no failures/drops/rejects/or out of states in the logs.

      I ran Wireshark on my machine last night and saw the exact same MAPI protocol errors, just as in the capture from another host that I used in this original post.

      It is becoming an increasingly noticeable problem, meaning many people now know about this and it's raising the importance of the issue.

      They are not running in cache mode. I do not know why. I am asking them why, but they "seem" to all be out to lunch at the moment...

      Some more background on this MAY be helpful. Here goes:

      About two weeks ago the servers and clients were all on the same subnet, including public facing servers (my team pushed them to split things up for security reasons). So they split the segment into three VLANs. ReIP'd and changed gateways accordingly. They now have a user segment, server segment, and public facing server segment. All segments are required to bounce off the firewall, as you would expect.

      So it "seems" that there may be a latency problem but I have no way of measuring that other than packet capturing the data and looking at the response times.


      Frustrating...


      David
      David Casey CISSP/CISM/SnortCP | Sr. Security Analyst | SBS 2003 R2 | ISA 2006
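
One way to read response times out of a capture, as the post above describes (an added example, not part of the thread): it measures the delay from a client's first SYN to the server's SYN-ACK and counts SYN retransmissions per connection. The addresses, ports, timings and the CSV column layout are constructed assumptions, not data from the attached capture.

```python
import csv
import io

# Constructed sample, not the capture attached to the thread. Assumed CSV
# columns: time in seconds, src, dst, sport, dport, TCP flags.
SAMPLE_ROWS = """\
time,src,dst,sport,dport,flags
0.000000,198.51.100.162,192.0.2.38,1061,135,SYN
0.000400,192.0.2.38,198.51.100.162,135,1061,SYN-ACK
0.000650,198.51.100.162,192.0.2.38,1061,135,ACK
1.200000,198.51.100.162,192.0.2.38,1062,1025,SYN
4.200000,198.51.100.162,192.0.2.38,1062,1025,SYN
4.200500,192.0.2.38,198.51.100.162,1025,1062,SYN-ACK
"""


def handshake_delays(text):
    """Map (client, cport, server, sport) -> (seconds to SYN-ACK, SYN retransmits)."""
    first_syn = {}   # time of the first SYN seen for each connection
    syn_count = {}   # how many SYNs the client sent for that connection
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        t = float(row["time"])
        if row["flags"] == "SYN":
            key = (row["src"], int(row["sport"]), row["dst"], int(row["dport"]))
            first_syn.setdefault(key, t)
            syn_count[key] = syn_count.get(key, 0) + 1
        elif row["flags"] == "SYN-ACK":
            # The reply travels server -> client, so swap the endpoints back.
            key = (row["dst"], int(row["dport"]), row["src"], int(row["sport"]))
            if key in first_syn and key not in results:
                results[key] = (round(t - first_syn[key], 6), syn_count[key] - 1)
    return results


def slow_connections(text, threshold=1.0):
    """Connections whose handshake took longer than threshold or needed a resent SYN."""
    return sorted(
        key for key, (delay, retx) in handshake_delays(text).items()
        if delay > threshold or retx > 0
    )


if __name__ == "__main__":
    for key, (delay, retx) in handshake_delays(SAMPLE_ROWS).items():
        print(key, f"delay={delay:.4f}s", f"syn_retransmits={retx}")
```

A sub-millisecond server reply that only arrives after a resent SYN points at loss or filtering on the path rather than a slow server.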



      • #4
        Re: Intermittent Exchange Login Failures

        If you perform a pathping to the server are you getting decent response times back?

        I would configure a workstation on the server VLAN and see what connectivity is like - Just to make sure the issue is not with the Checkpoint firewall.

        Michael
        Michael Armstrong
        www.m80arm.co.uk
        MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Intermittent Exchange Login Failures

          Reading through the log I noticed some fragmented packets, could be an MTU issue during authentication.

          Is there an option for MTU size on the firewall, and do you have ICMP disabled?

          "I ran Wireshark on my machine last night and saw the exact same MAPI protocol errors, just as in the capture from another host that I used in this original post."
          Can you point that out in the log? I missed it.
          "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan



          • #6
            Re: Intermittent Exchange Login Failures

            As it turns out... a recent update to a software package installed a DNS element that registered itself on the host... which also happened to be a DC. I don't have the details, but DNS on the DC was screwed up. Or so I'm told...

            Thanks to all for the ideas and thoughts on this. Great community here!


            DC
            David Casey CISSP/CISM/SnortCP | Sr. Security Analyst | SBS 2003 R2 | ISA 2006



            • #7
              Re: Intermittent Exchange Login Failures

              If you ever do find out, let us know, as now I am just plain curious.
              Last edited by Lior_S; 27th March 2007, 22:23.
              "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan
