451 4.4.0 primary target IP address responded with "421.4.4.2 unable to connect." attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

  • Question

  • 451 4.4.0 primary target IP address responded with "421.4.4.2 unable to connect."attempted failover to alternate host, but that did not succeed.Either there are no alternate hosts, or delivery failed to all alternate hosts.

     

    Did Anyone really found a good fix for this issue ?

     

    I am using exchange 2007, everything is working good but with certain companies the emil will get delayed and I can see in the queue the error above. It hapens only with them and they happen to be a hosting company-- so more domains ara afected.

     

    Thursday, June 14, 2007 2:19 AM

All replies

  • Not yet
    Friday, June 15, 2007 5:58 PM
  •  mao_redi wrote:

    451 4.4.0 primary target IP address responded with "421.4.4.2 unable to connect." attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

    Did anyone really find a good fix for this issue?

    I am using Exchange 2007. Everything is working well, but with certain companies the email will get delayed and I can see the error above in the queue. It happens only with them, and they happen to be a hosting company, so more domains are affected.

     

    Saturday, June 7, 2008 7:53 AM
  •  

    I am currently having the same issue as described here, where we are able to send email to some external domains, but not others. Users sending to affected domains are receiving delay reports and eventually NDR reports when the message timeout expires. In the message queue, the status flips between active (but not doing anything) and retry, with an error of "451 4.4.0 primary target IP address responded with "421.4.4.2 unable to connect." attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts".

    Below is information on our environment as well as what I have tried so far. I called Microsoft this morning; details regarding that are also below.

    Our Environment

    3 domain controllers, 2 of which are GCs (10.2, 10.9, 10.19) (GC: 10.2, 10.9). All DCs are 2003 SP2 or 2003 R2 SP2.

    Active Directory is 2003.

    The original Exchange server (MAIL1) was decommissioned 2 weekends ago. This was running Exchange 2003 SP2 on Server 2003 R2 (10.8).

    MAIL2 was created on VMware as a temporary holding area, and all roles and mailboxes were moved before the original was taken down. This server is Server 2003 R2 SP2 running Exchange 2003 SP2 (10.221).

    The new mail server, the one I'm having the issues with, is named MAIL1 and is sitting on 10.8, same as the original server. This is a newly built Server 2008 machine, fully patched, running Exchange 2007 SP1. It contains 2x quad-core 2.0 GHz CPUs with 4 GB of memory and 2x 73 GB 15k rpm SAS drives.

    Cisco PIX 515e between the internal network and the internet; however, no issues were experienced under Exchange 2003.

    Our Issue

    We are receiving delay reports when sending to certain domains. After 2 days, the messages expire and users receive an NDR report. We are able to receive mail in from at least one of the affected domains, but I haven't really been able to confirm this (a user said they have received 1 message in).

    The affected domains are:

    Erie.gov
    Univerahealthcare.org
    Univerahealthcare.com
    Ticketmaster.com
    Twcny.rr.com
    Rochester.rr.com

    After verifying as many settings as I could, researching any articles I could find on the internet and making sure my event logs were clean, I called Microsoft this morning. The support rep checked all the settings on both servers. She found one issue on the Send Connector | Properties | Network tab, where she unchecked "Use external DNS lookup settings on the transport server". Also, I did not have reverse lookup zones set up in DNS. I configured these; however, they did not correct my issue. She ran the Best Practices Analyzer, which did not come up with any related issues, then ran the Mail Flow Analyzer (both tools are available in the Toolbox in the management console) to troubleshoot the messages. The analyzer reported that it could not connect to the destination server on port 25. She then tried to manually create a session.

    First performed an NSLOOKUP on a "bad" domain and got the MX records for the site:

    1.) nslookup
    2.) set q=mx
    3.) --enter domain here--
    4.) quit

    Next, with the IP in hand for the SMTP server:

    1.) telnet (IP ADDRESS) 25

    All that was returned was a black screen with a cursor. When you try to type anything in, nothing is displayed, and nothing is returned.

    Below is an example of a working domain and what you SHOULD get back.

    C:\Users\dwilde>nslookup
    Default Server:  dc1.REMOVED.local
    Address:  192.168.10.2

    > set q=mx
    > microsoft.com
    Server:  dc1.REMOVED.local
    Address:  192.168.10.2

    Non-authoritative answer:
    microsoft.com   MX preference = 10, mail exchanger = mail.global.frontbridge.com

    mail.global.frontbridge.com     internet address = 213.199.154.22

    C:\ telnet 213.199.154.22 25
    220 mail56-dub.bigfish.com ESMTP Postfix EGGS and Butter
    ehlo domain.com
    250-mail56-dub.bigfish.com
    250-PIPELINING
    250-SIZE 150000000
    250-ETRN
    250-STARTTLS
    250 8BITMIME
    mail from:dwilde@test.com
    250 Ok
    rcpt to:test@microsoft.com
    250 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    message
    .
    250 Ok: queued as AACA443005D
    quit
    221 Bye

    Connection to host lost.

     

    We then tried to make the connection from the 2003 virtual Exchange server; it connected and displayed banners as it should. No problem. She then informed me that I needed to get in touch with the receiver's IT department and verify that the external IP I was sending mail through was not blocked. As I did not have any contacts over there, I moved the virtual 2003 Exchange server to 10.8, where the Exchange 2007 server was having issues. Attempted the connection again and it succeeded. Then switched IPs back. Now, if a different server on the same IP is not having any issues, then the trouble (in theory) should be with the original server itself (the 2007 one), and not the firewall or the receiver's end. After playing with that for a while, she had me install Network Monitor v3.1 on the Exchange 2007 server, waited until the messages stuck in the out queue went to retry, started the monitor, told them to retry and waited for it to time out. The 5.5 MB log file was then emailed. And after 4 hours on the phone she needed to analyze the log and was going to call me back with one of their network engineers on the line.

    An hour later I got a call back from the same rep with a network engineer on the line. He went through the network settings on my Exchange server and domain controllers and also verified all DNS settings. He found that my mail server did not have a PTR record, so forced that to register. No change with the issue. Next, after some debate as to why I was not able to get a network monitor on the receiving end of where the email was going, he settled for running a capture on the Exchange server end. 3 captures were performed.

    The first was on the Exchange 2007 server with one of the known “Bad” addresses. The connection failed.

    The second was also on the exchange 2007 server with a known good address (Microsoft.com). The connection succeeded.

    The third and final test was on an XP SP3 laptop to a known “Bad” address. The connection succeeded.

     

    Log files were sent over to MS to be analyzed. They are calling me back 6/25 at 8:00am EST.

     

    With everything we did today I'm thinking the issue has to be with Server 2008 or Exchange 2007 (ok, d'uh, but let me explain). It doesn't seem to be a DNS issue, it doesn't seem to be a firewall issue, etc. I'm wondering if MS made some sort of modification, like they love to do when they release new versions of software, that just doesn't happen to play nice with something else out there. (Like that time they released SP1 for Server 2003 that changed a bunch of stuff in TS that Citrix didn't seem to really like.)

     

    If you attempt this process against a domain for which you have messages stuck in the queue that will not send, then you are having the same issue that I am. I would be more than happy to share what I know and my findings from Microsoft with anyone experiencing this issue. Feel free to email me at dwilde@lake-shore.org.

     

    If anyone wants to post/email their domains they can’t send mail to I would be interested to see if we are all having the same problem with the same domains, or if it’s a per case type of thing.

     

    Dave Wilde - MCSE, CCNA, CCA

    Wednesday, June 25, 2008 4:10 AM
    • Proposed as answer by A. Woroniecki Wednesday, April 6, 2016 3:00 PM
    Wednesday, June 25, 2008 2:16 PM
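    Dave's manual check above (nslookup for the MX, then telnet to port 25 and wait for the greeting) is the right first test, and it is worth having it in scriptable form so the same probe can be run from the affected server and from a known-good host side by side. The following is an added example, not code from this thread or from Microsoft: a small Python probe that connects to a given MX host and classifies what happens (greeting received, connected but silent, connection refused, or connect timed out), plus two constructed local listeners used only to exercise the probe offline. MX resolution is left to nslookup as in the thread; the host name mta.example.test and the banner text are made up.

```python
import socket
import sys
import threading

# Verdicts, named after the symptoms described in the thread:
#   banner      - TCP connect worked and the peer sent a 220 greeting
#   silent      - TCP connect worked but nothing arrived before the timeout
#                 (the "black screen with a cursor" telnet symptom)
#   refused     - the peer reset the connection (nothing listening there)
#   unreachable - the connect itself timed out (packets dropped on the path)
#   closed      - the peer accepted and hung up without a greeting
#   error       - any other socket error (message kept in "detail")


def probe_smtp(host, port=25, timeout=5.0):
    """Open a TCP session to host:port and wait for the SMTP greeting.

    Mirrors "telnet <ip> 25" from the thread, but with a bounded wait and a
    machine-readable verdict so the check can be repeated from several hosts.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"status": "refused", "banner": None}
    except socket.timeout:
        return {"status": "unreachable", "banner": None}
    except OSError as exc:
        return {"status": "error", "banner": None, "detail": str(exc)}
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return {"status": "silent", "banner": None}
        except OSError as exc:
            return {"status": "error", "banner": None, "detail": str(exc)}
        if not data:
            return {"status": "closed", "banner": None}
        banner = data.decode("ascii", "replace").strip()
        try:
            sock.sendall(b"QUIT\r\n")  # we only wanted the greeting; end the session cleanly
        except OSError:
            pass
        status = "banner" if banner.startswith("220") else "unexpected"
        return {"status": status, "banner": banner}


def start_fake_mta(greeting):
    """Throwaway listener on 127.0.0.1 for offline testing (constructed, not a
    real MTA). greeting=None accepts the connection but never speaks, which
    reproduces the silent-peer symptom; otherwise the bytes are sent as the
    greeting line. Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    if greeting is not None:
                        conn.sendall(greeting)
                    conn.recv(64)  # wait for QUIT, or for the client to give up
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopping.set


def run_local_demo(timeout=0.5):
    """Exercise the probe against three local stand-ins and return the verdicts."""
    verdicts = {}
    port, stop = start_fake_mta(b"220 mta.example.test ESMTP ready\r\n")  # constructed banner
    verdicts["greeting"] = probe_smtp("127.0.0.1", port, timeout)["status"]
    stop()
    port, stop = start_fake_mta(None)  # accepts, then says nothing
    verdicts["silent"] = probe_smtp("127.0.0.1", port, timeout)["status"]
    stop()
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on this port any more
    verdicts["refused"] = probe_smtp("127.0.0.1", closed_port, timeout)["status"]
    return verdicts


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # usage: python smtp_probe.py <mx-host-or-ip> [port]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_smtp(sys.argv[1], target_port))
    else:
        print(run_local_demo())
```

    Run it with the MX host from nslookup as the argument on the Exchange server and again on a workstation behind the same firewall; a "refused" or "unreachable" verdict everywhere points at the path or the remote end, while "silent" or "unreachable" only on the mail server narrows the fault to that host, which is where the anti-virus port 25 lockdown described later in this thread sits.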
  • I'm having the same error as you, David, to only certain domains. Unfortunately, when I try to run the same command in Windows 2003 with SP2 I get the following response.

    C:\Documents and Settings\Administrator>netsh interface tcp set global autotuninglevel=disabled
    The following command was not found: interface tcp set global autotuninglevel=disabled.

    I have tried turning off the TCP Offload on the NIC and still I get the same error popping up.

    Is there a way we can accomplish the same result in Windows 2003?

     

     

    Thursday, June 26, 2008 1:12 PM
  • The issue in Server 2008 is caused by a new "Feature" from MS. It probably isn't the same issue in Server 2003.

    Check your NIC drivers; that's something that MS had me try.

    Also, from the box with the error, try the steps I had listed above where you telnet on port 25 into a problem domain's server. Then try with another server/workstation (verify that only the Exchange server is blocked).

    If another server/workstation works and the server doesn't, try stealing the IP of the problematic Exchange server and try again.

    That's all I can think of off the top of my head. If you need any more info feel free to contact me at DWilde@lake-shore.org.

    Dave Wilde - MCSE, CCNA, CCA

    Monday, July 7, 2008 1:00 PM
  •  

    Ok, I have installed all the latest drivers for the NIC, I have loaded update rollups 1, 2 and 3, and still the same problem exists. This is very irritating, as I see that even g-mail.com is taking a long time to go through. It's not getting the error, but the queue is just taking exceptionally long.

     

    I'm lost at what to try now.

     

    Wednesday, July 9, 2008 6:50 AM
  • Try the steps I have listed above to see if you are able to connect to the mail server manually.

    From the affected server, try telnetting into one of the affected domains using port 25.

    For gmail it would be:

    telnet 209.85.147.27 25

    When you do this a banner should appear.

     

     

    Thursday, July 10, 2008 3:14 PM
  •  

    I was able to do nslookups from the affected server to all the domains having problems.

    I could then telnet to them and send mail via telnet from the affected server.

     

    e.g. NSLOOKUP 

    > absamail.co.za
    Server:  dnscache1.is.co.za
    Address:  168.210.2.2

    Non-authoritative answer:
    Name:    absamail.co.za
    Address:  196.41.6.130

     

     

    Telnet

    helo
    250 ironport2.vox.co.za
    mail from: wybo@srk.co.za
    250 sender <wybo@srk.co.za> ok
    rcpt to: metalcut@absamail.co.za
    250 recipient <metalcut@absamail.co.za> ok
    data
    354 go ahead
    test
    test
    test
    .
    250 ok:  Message 126664238 accepted

     

    We then contacted the end user of the mail; he had received the mail. This shows that we can send mails to those domains from that server. It just keeps on coming up with that error on some of them.

    Friday, July 11, 2008 5:32 AM
  • I've got the same problem too. My Exch 2007 (runs on Win 2k3 64 bit) cannot send messages to gmail, yahoo, hotmail.... I tried to use nslookup and telnet to port 25 on affected domains, but it only shows a blank screen. Any help is highly appreciated.

     

    Saturday, July 12, 2008 4:42 AM
  •  

    Looks like I resolved the 421.4.4.2 problem.

    But I ended up with another problem.

    To resolve the 421.4.4.2 problem I did the following:

    1) First clear all the queues, so you have no outgoing mail.
    2) I installed the 3 rollup packs for Exchange 2007 with SP1 on all my Exchange boxes.
    3) I then rebooted all the servers after the reinstall.
    4) Tested sending a basic text message, and the mail went through.

    Yay...... :-( Clients then came back to the office and started to send larger mails > 200kb. These mails seem to clog the queue, and I don't have an answer as to why.

    If I suspend the larger mails, the smaller ones go through quite nicely. The larger ones keep my queues backed up.

    So the hunt to resolve stuck queues now continues.

    Monday, July 14, 2008 8:58 AM
  • I had the same problem. Then tried to telnet to port 25 and could not. My AntiVirus was blocking Mass Mailing worms from sending emails, which really meant that it was blocking port 25. I changed the setting and the emails started flowing.
    • Proposed as answer by MyITGuy Tuesday, December 22, 2009 4:04 AM
    Monday, November 30, 2009 10:08 PM
  • In our case, a Cisco ASA had the "inspect ESMTP" option enabled (service policy, on the firewall page). Disabling this feature corrected the connection to many servers.
    Tuesday, October 18, 2011 4:35 AM
  • Seeing as how a solution was never proposed, and I JUST had this EXACT issue not even 2 hours ago, I'll tell you what we found that fixed it.

    Just last night, we installed McAfee AntiVirus on this Exchange server. Don't ask, it was the customer's insistence that they use software they had already purchased! ;) Anyway, once it was installed, mail flowed for a while, but then they started getting the error the Original Poster referred to.

    McAfee has a feature which watches for Mass Mailing worms, exactly the same as what TimKoenig suggests. Once it decides too much mail has been flowing, it locks down Port 25, not allowing any more outbound email.

    Find this setting under McAfee's Options (screenshot not available):

    Make sure the "BLOCK" option is UNCHECKED, then click Apply. Once you do that, you can go back into the Queue Viewer, right-click any messages you choose, and "RETRY" - they should send instantly. Repeat until your queue is empty and all mail has been sent.


    Don't forget, if you find the help you need, click the "Propose as Answer" link at the bottom of the post containing the solution!
    NuAngel.net

    Thursday, October 25, 2012 7:04 PM
  • Perfect, Garrett!! I'm sure glad you posted.
    Friday, December 28, 2012 12:17 AM