HP OpenVMS Systems

ask the wizard

Basics of troubleshooting IP routing?


The Question is:

We are using our vms server as an e-mail server in our organization.  All is
 cool and we are able to send/receive e-mail all over the world except - we
 have a First Class by Centrinity e-mail server on our DMZ that we can receive
 e-mail from but cannot send to (e-mail bounces).  Obviously we have
 connectivity (we can ping ...) since we are able to receive from this server.
 Please find configs below.
  Digital TCP/IP Services for OpenVMS Alpha Version V4.2 - ECO 3
  on a AlphaServer 4100 5/533 4MB running OpenVMS V6.2-1H3
SMTP Configuration
Initial interval:   0 00:30:00.00       Address_max:    16       NOEIGHT_BIT
Retry interval:     0 01:00:00.00       Hop_count_max:  16       RELAY
Maximum interval:   3 00:00:00.00                                TOP_HEADERS
Timeout             Initial       Mail    Receipt       Data  Terminate
  Send:                   5          5          5          3         10
  Receive:                5
Alternate gateway:
General gateway:    not defined
Substitute domain:  not defined
Zone:               not defined
Postmaster:         UCX_SMTP
Generic queue       Queues   Participating nodes
UCX$SMTP_HAMWN1_00     1     HAMWN1 is our firewall which acts as a relay for our e-mail - all
 e-mail flows through the firewall.  I have already contacted our firewall
 support and they have no clue!
If you have anything to offer please do so.  Thanks.

The Answer is :

  With firewalls, basic connectivity tests such as ping are only marginally
  useful as routing diagnostics -- firewalls are very deliberately designed
  and deliberately intended to (adversely) affect network connectivity and
  network routing integrity.  Various firewalls can also be configured to
  ignore or to filter ICMP (ping) traffic.  Many firewalls are further
  configured for bi-directional filtering, as well -- with various email
  worms and with the common use of tunnels, clients located inside the
  firewall are not necessarily trustworthy.

  You will want to ask your firewall folks to consider some of the following
  debugging -- most obviously, briefly open the firewall and see if this
  permits the necessary access.  Check for any authentication requirements
  on the outgoing connections.  Send SMTP mail to the firewall.  Also ask
  your firewall folks to check any logs that might be created by the SMTP
  traffic routing through the firewall package.  Check the DNS/bind information
  and configuration, and check for any routing-based "mis-filtering" that
  might be occurring in addition to the expected activities of the firewall.

  You will also want to use tools such as TCPTRACE, in an attempt to see
  where the IP routing disconnection occurs.

  You will also want to check the IP logs (particularly any SMTP logging)
  on the OpenVMS host.

  As a very simple and direct test of connectivity, you could telnet
  directly to the SMTP port on the target host.

  Having all SMTP mail traffic -- including internal email -- flow through
  the firewall server seems slow and potentially somewhat risky, and it
  introduces additional and arguably unnecessary loading and delays onto
  the firewall.

  Please contact the organization that supports your network for assistance
  with configuring the IP routing and the firewall.

answer written or last revised on ( 29-NOV-2001 )
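
The direct test suggested in the answer (telnet to the SMTP port) can be scripted so that it reports the stage at which the exchange fails. This is an added example, not part of the original question or answer; the host name, HELO name and mail addresses in it are placeholders.

```python
import socket

def _read_reply(stream):
    """Read one SMTP reply, following '250-' continuation lines to the final line."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":
            return lines[-1][:3], lines

def smtp_probe(host, port=25, helo="probe.example", sender="probe@probe.example",
               rcpt="postmaster", timeout=10.0):
    """Return the first stage that fails: connect, banner, helo, mail or rcpt."""
    dialogue = [
        ("banner", None),
        ("helo", f"HELO {helo}"),
        ("mail", f"MAIL FROM:<{sender}>"),
        ("rcpt", f"RCPT TO:<{rcpt}>"),
    ]
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Nothing answered on the port: routing or packet filtering, not SMTP.
        return {"failed_at": "connect", "code": None, "detail": str(exc)}
    with sock, sock.makefile("rb") as stream:
        for stage, command in dialogue:
            try:
                if command:
                    sock.sendall(command.encode("ascii") + b"\r\n")
                code, lines = _read_reply(stream)
            except OSError as exc:
                # TCP is up but the dialogue stalled or was cut mid-stream.
                return {"failed_at": stage, "code": None, "detail": str(exc)}
            if not code.startswith("2"):
                # The peer answered and refused: policy, relay or authentication.
                return {"failed_at": stage, "code": code, "detail": " / ".join(lines)}
        try:
            sock.sendall(b"QUIT\r\n")  # no DATA is sent, so no message is queued
        except OSError:
            pass
    return {"failed_at": None, "code": None, "detail": "RCPT accepted"}

if __name__ == "__main__":
    # Placeholder target: replace with the mail host being diagnosed.
    print(smtp_probe("mail.example.invalid", timeout=5.0))
```

A failure at connect or banner points at routing or filtering in the path; a numeric refusal at mail or rcpt means the peer was reached and declined the transaction, which is where relay and authentication settings come in.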
