Quarantine notification process appears to be failing. Logs may show 421 4.4.1 Connection timed out

Article:TECH161742  |  Created: 2011-06-07  |  Updated: 2014-04-08  |  Article URL http://www.symantec.com/docs/TECH161742
Article Type
Technical Solution


Issue



It is not clear if the Spam Quarantine Notifications are being sent properly.

  • When viewing the Notifications list of the Schedule Tasks you see that the task has failed.
  • You may see an adminstrator alert indicating that the Scheduled Task has failed.
  • When viewing the Control Center logs you see errors references time outs ten minutes after the process is scheduled to start, and possibly recurring every ten minutes for an extended amount of time.
  • Spam Quarantine Notifications are only being sent to some end users.

 


Error



 

You may receive the following Alert Notification:
 
======================= ALERT NOTIFICATION ================================
The following Scheduled Tasks have Failed :   Task : Spam Quarantine Notifications
Host : mail.domain.com (ip address of host)
Last Run Time : Friday, Dec 03, 2010 08:00:00 AM EET
  
Details about this failure have been logged to BrightmailLog.log.
  
Access this Control Center console log on the Logs page of the Symantec Brightmail Gateway Control Center.
  
The following error can be found in the Control Center BrightmailLog.log files:
  
[BrightmailScheduler_Worker-6] ERROR - Cannot notify the user that he or she has new spam messages.
com.brightmail.common.BrightmailException: 421 4.4.1 Connection timed out
; nested exception is:
     com.sun.mail.smtp.SMTPSendFailedException: 421 4.4.1 Connection timed out 

 A database error may also be found for a lost connection due to the excessive mail delivery delay:

Jan 09 2013 14:04:51 [BrightmailScheduler_Worker-6] ERROR - Notification poller error. A user could not be notified of new spam messages.
com.symantec.smg.controlcenter.internal.dataaccess.DataAccessException: An unexpected database error has occurred. Please contact your system administrator. ; nested exception is:
com.mysql.jdbc.CommunicationsException: Communications link failure due to underlying exception:

** BEGIN NESTED EXCEPTION **

java.io.EOFException
MESSAGE: Can not read response from server. Expected to read 172 bytes, read 48 bytes before connection was unexpectedly lost.

STACKTRACE:

java.io.EOFException: Can not read response from server. Expected to read 172 bytes, read 48 bytes before connection was unexpectedly lost.

...


Environment



Microsoft Exchange


Cause



When the Control Center sends Spam Quarantine Notifications, it attempts to send all messages in one connection session. During this session, the Control Center will issue a keepalive command called NOOP.

Exchange has a security related configuration that cause a 5 second delay to the response of a NOOP command. Exchange also has a configurable session limit of 10 minutes. Due to the 5 second delay after NOOP commands, a maximum of 120 messages can be sent before Exchange issues a "421 4.4.1 Connection timed out".

 


Solution



The Control Center will often reconnect after receiving the "421 4.4.1 Connection timed out" and will continue to deliver notifications, so it is possible that nothing needs to be done. However, if there is a problem with notification delivery and tarpitting is taking effect (there is an extended delay after the NOOP command), then the first step should be to disable tarpitting of the receive connector of Exchange server where Control Center makes SMTP connection to.

More on the feature that causes this behavior, called Message Throttling or Tarpitting by Microsoft, can be found in the following links:

Note: The non-Symantec links above are provided as convenience to Symantec customers. Symantec is not responsible for content on third party sites.

 

 





Article URL http://www.symantec.com/docs/TECH161742


Terms of use for this information are found in Legal Notices