Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Maybe SMG bug? Results for "sanofi.com" ;; connection timed out; no servers could be reached

Created: 30 Jul 2013 | 3 comments

Hi

The our 10.0.2-4's SMG can not query the domain sanofi.com MX. But the DNS server are all working to get answers as well. The other DNS query also works in SMG hosts.

Too long the answer? SMG BUG?

When i run a nslookup utility on mailgw, i got this error msg:

Results
Results for "sanofi.com"
;; connection timed out; no servers could be reached

current Sanofi.com MX:

Non-authoritative answer:
sanofi.com      MX preference = 5, mail exchanger = xspz10p119t.sanofi.com
sanofi.com      MX preference = 5, mail exchanger = xspz10p120b.sanofi.com
sanofi.com      MX preference = 5, mail exchanger = xspz10p851w.sanofi.com
sanofi.com      MX preference = 5, mail exchanger = xspz10p852b.sanofi.com
sanofi.com      MX preference = 10, mail exchanger = frascmrext01.sanofi-aventis
.com
sanofi.com      MX preference = 10, mail exchanger = frascmrext02.sanofi-aventis
.com
sanofi.com      MX preference = 10, mail exchanger = frascmrext03.sanofi-aventis
.com
sanofi.com      MX preference = 10, mail exchanger = resscmrext01.sanofi-aventis
.com
sanofi.com      MX preference = 10, mail exchanger = resscmrext02.sanofi-aventis
.com
sanofi.com      MX preference = 10, mail exchanger = resscmrext03.sanofi-aventis
.com
sanofi.com      MX preference = 5, mail exchanger = xspz10k428f.sanofi.com
sanofi.com      MX preference = 5, mail exchanger = xspz10k458s.sanofi.com
sanofi.com      MX preference = 5, mail exchanger = xspz10f562b.sanofi.com
sanofi.com      MX preference = 5, mail exchanger = xspz10f564t.sanofi.com

xspz10p119t.sanofi.com  internet address = 205.137.77.29
xspz10p120b.sanofi.com  internet address = 205.137.77.43
xspz10p851w.sanofi.com  internet address = 193.202.95.86
xspz10p852b.sanofi.com  internet address = 193.202.95.87

Operating Systems:

Comments 3 CommentsJump to latest comment

Art_P's picture

The nslookup utility is a tool used *by* SMG, but it is not an SMG tool; that is, it is a basic linux tool that belongs to the underlying OS. In other words, by repeating the issue in nslookup, you are showing that the issue is not related to SMG, but is a problem somewhere else.

SMG and nslookup can both resolve much larger MX pools than what you have posted. Since the error is a timeout, I would imagine that you should start investigating your network.

It would be best to test directly from the Scanner(s) using the command line. If your Scanners can communicate on UDP port 53 to the internet, or if you have access to other DNS servers, you can test directly to other servers from within the nslookup utility command shell:

smg> nslookup
> server
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set type=mx
> sanofi.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
sanofi.com      mail exchanger = 5 XSPZ10F562B.sanofi.com.
... (snipping the remainder of the nslookup response for brevity)

> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> sanofi.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
sanofi.com      mail exchanger = 5 XSPZ10P120B.sanofi.com.
... (snipping the remainder of the nslookup response for brevity)

In the above example my commands are bolded and nslookup responses are italicized (I snipped the response since you have already posted it). I switched to Google's public DNS for testing using nslookup's server command (> server 8.8.8.8). You can have nslookup try and resolve from any DNS server in this way.

If you find a useful post, please use the "thumbs up" feature to mark the post as helpful. If your question has been answered, please select the "Mark as solution" for the post that best answered your question. Thank you.

pap.laszlo's picture

Hi!

In SMG nslookup tool, all other query will run fast. Only the sanofi.com lookup is the problem, because  never return any results. Temporarily i set the static route for this domain.

I thing, the SMGs integrated DNS forwarder (dns server 127.0.0.1) make a mistake.

Art_P's picture

The SMG local cache (DNS at 127.0.0.1) is a very simple implementation. It just forwards unknown queries and caches the answers for future requests. In my post, I mentioned how to query other servers (using the server command in nslookup's command line). You would be querying the localhost, and then switch to your configured internal DNS servers and query them to see what differences exist. You can then query external DNS servers for further testing if wanted.

If you see issues when directly querying the DNS servers you have configured for SMG, then the issue is something other than SMG. If you see errors when trying to query the local cache (127.0.0.1), but you see no errors when directly querying your configured DNS servers, then I would capture a log of that information and contact support. If you are using a tool like PuTTY to connect to the SMG appliance via SSH, you can use that tool to log the transactions.

If you find a useful post, please use the "thumbs up" feature to mark the post as helpful. If your question has been answered, please select the "Mark as solution" for the post that best answered your question. Thank you.