Strange Email Routing Issue.. COMPLEX!



Luke122
10-09-2007, 05:54 PM
OK, bear with me while I try to explain the setup before the problem.

I'm working with a friend to solve his email issue, and it's a strange one.

His internet connection enters his business, then is split to two separate routers, each with their own external IP assigned.

One of them is a Cisco, which routes some traffic from his business to their head office in Edmonton (via VPN tunnel), the other is a Linksys which handles all the rest of the outbound internet traffic and also houses a VPN tunnel between both of his stores.

General internet traffic is routed through the Linksys, and anything from his business apps and inventory software is routed through the Cisco.

With me so far? OK, good. The VPN tunnel between the two stores (on the Linksys) works fine, and all machines can be reached at either end from within either store. The VPN tunnel from his store to their Edmonton office also works fine, with data going to the proper place.

Here's where it gets weird.

Using Outlook, he retrieves his email from an offsite mail server. If he sets his gateway to the Cisco, it works, but it is slow as it routes to Edmonton through the VPN, and out through their proxy server. If he sets his gateway to the Linksys, the email server won't allow him to download any emails with attachments, but other emails work fine, and all other internet traffic works.

There is no setting within the Linksys to filter email, and I've even tried turning off all filtering, disabling the VPN between sites, and running traces between his laptop and the server to confirm that it's not a path issue.

Cisco = email works, but slow (plus he pays for throughput on the head office network)
Linksys = fast, but messages with attachments can't be retrieved.

I've tried hardcoding the IP entries for the server, setting exceptions on the Linksys, sending test messages out through both routers and checking the headers to compare the paths, etc.

I'm running out of ideas here.. any thoughts anyone?

Luke122
10-09-2007, 06:26 PM
*bump*
I'm still researching this one, but I'm hoping to get some other ideas here.. any input from anyone would be appreciated!

.Maleficus.
10-09-2007, 06:44 PM
I'm not sure if it matters, but do you know the models of the 2 routers? It may help a little..

Outlaw
10-09-2007, 06:59 PM
Don't know a lot but had some issues with network slowness here... Is the PC's NIC set to a different setting than the router it is connected to? (i.e. PC-10/100 half duplex, Router-10/100 full duplex). Are there any switches between the router and PC? And when you say he cannot retrieve them, do you mean they just aren't there or are there and just won't open?

Good Luck!

OH! and what about other users, if any, do they experience it or is it just him?

Luke122
10-10-2007, 01:40 AM
There are two differences here that need to be mentioned.

First, the Linksys router is an RV042, but I'm not 100% on the router. Reason is that I'm not allowed to touch the Cisco, head office's orders. Haha.. I'm fine with that since I don't feel like dealing with lawyers and such.

The computer is a laptop, with a hardcoded IP address, and it's running Vista, and Outlook 2007 as a mail client. The owner also uses the laptop at home, so the primary IP is DHCP, secondary is static. If it doesn't find a DHCP server, it defaults to the hardcoded one. No problem there.

He's the only laptop, the only one who occasionally works wirelessly, and the only one using Outlook.

If the email message has no attachment, it downloads and opens fine. When it has ANY attachment (any size), it will start to download the messages, then hang. If you disconnect, his mail server @ the ISP will lock the account for 15 mins. As a result, he's been using Webmail ONLY for the last few weeks.

If he connects through the Cisco, through a tunnel to head office, and then out their proxy, his email works fine.

It only fails when he's connected to the Linksys router, which goes straight to the ISP and the mail server. This really makes me think Linksys, but with a different router in its place, the mail still fails. Which makes me think Routing issue... but at the ISP.

I wonder if the mail server has different IPs for clients on their network, and for clients outside their network... that could explain it. If it's trying to reach an internal address through an external route, it should give an unable to reach host error.. but instead it works fine unless there's an attachment.

DOH! I'll keep on this.
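
Added example (not part of the original thread or any poster's code): one way to turn "messages with attachments hang" into a measured size threshold per gateway, using Python's standard `poplib` against the POP3 server. The function names, gateway labels and sample results are assumptions made up for illustration; the host and credentials would be the mailbox owner's own.

```python
import poplib

def probe_pop3(host, user, password, port=110, timeout=20):
    """RETR messages smallest first; return [(size_octets, completed), ...]."""
    conn = poplib.POP3(host, port, timeout=timeout)
    results = []
    try:
        conn.user(user)
        conn.pass_(password)
        # LIST lines look like b"1 2400": message number, size in octets.
        listing = [tuple(map(int, line.split())) for line in conn.list()[1]]
        for number, size in sorted(listing, key=lambda item: item[1]):
            try:
                conn.retr(number)  # RETR leaves the message on the server
                results.append((size, True))
            except (OSError, poplib.error_proto):
                # Timeout or dropped session. The thread reports a 15 minute
                # account lock after a broken session, so stop at the first one.
                results.append((size, False))
                break
    finally:
        try:
            conn.quit()
        except (OSError, poplib.error_proto):
            conn.close()
    return results

def stall_threshold(results):
    """Return (largest size that completed, smallest size that failed)."""
    ok = [size for size, done in results if done]
    bad = [size for size, done in results if not done]
    return (max(ok) if ok else None, min(bad) if bad else None)

def compare_paths(results_by_gateway):
    """Map each gateway label to its stall_threshold() pair."""
    return {name: stall_threshold(r) for name, r in results_by_gateway.items()}

# Constructed sample results (not measurements from the thread).
SAMPLE = {
    "cisco": [(900, True), (2400, True), (48000, True)],
    "linksys": [(900, True), (2400, False)],
}

if __name__ == "__main__":
    for gateway, pair in compare_paths(SAMPLE).items():
        print(gateway, "largest ok:", pair[0], "smallest failed:", pair[1])
```

Running `probe_pop3` once with the laptop's gateway set to each router and feeding both result lists to `compare_paths` gives a concrete size at which retrieval stops on one path but not the other, which is easier to hand to an ISP or router vendor than "attachments fail".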

nil8
10-10-2007, 08:12 AM
You mentioned that he gets his email from an outside mail server. It doesn't run through either VPN if set properly, correct? It goes out and seeks the mail server through his ISP, correct?

If this is the case, make sure he has TNEF enabled. It's the MS-specific file attachment method. It's a real pain in the ass, but it should be turned on by default. Look up TNEF and it will tell you how to enable it.

I know that SMTP has no bearing on incoming messages, but as a general rule with ISPs now I set the SMTP port to 587(SMTP_Auth) instead of default due to ISPs blocking port 25 to help curb spammers.

Is it an IMAP or pop3 server?
I doubt if it would be an exchange server, but there is that possibility.

We need a little more info about how his email account is actually setup.

Luke122
10-10-2007, 10:44 AM
Thanks for the reply Nil8, I'll answer your questions here..



You mentioned that he gets his email from an outside mail server. It doesn't run through either VPN if set properly, correct? It goes out and seeks the mail server through his ISP, correct?

Yes, that is correct.

If this is the case, make sure he has TNEF enabled. It's the MS-specific file attachment method. It's a real pain in the ass, but it should be turned on by default. Look up TNEF and it will tell you how to enable it.

I'll do some further reading on TNEF, and test enabling it, but since the mail never downloads to the PC, it's just not a problem of not being able to open the attachments. It's actually preventing the message from downloading at all.

I know that SMTP has no bearing on incoming messages, but as a general rule with ISPs now I set the SMTP port to 587(SMTP_Auth) instead of default due to ISPs blocking port 25 to help curb spammers.

Is it an IMAP or pop3 server?
I doubt if it would be an exchange server, but there is that possibility.

It is a POP3 server. I find it particularly strange that it would work through the one connection, but not the other.

nil8
10-12-2007, 12:22 PM
Well, the reason for it working on one VPN and not the other is entirely up to their network's firewall.
Most VPN clients are restricted at or near the firewall logically in the network to keep them from accessing things they don't need to access as outside users that are tunneling in.
Sometimes this includes blocking ports, such as 110(pop3), to keep a potential security breach from causing major havoc. It's good security policy.
It could also be that the DNS server isn't resolving the name of his email server, but I think you mentioned trying just the IP.

Have you tried no vpn connections & checking email or do they have to stay up and active all the time?

I hate to say this, but it might not be a bad idea to call his email provider.

I'm not in the mindset to logically think about this issue. Let me marinate on it for a day or two and see if anything clicks.

Luke122
10-12-2007, 12:50 PM
Well, the reason for it working on one VPN and not the other is entirely up to their network's firewall.
Most VPN clients are restricted at or near the firewall logically in the network to keep them from accessing things they don't need to access as outside users that are tunneling in.

The VPN from the Cisco to Edmonton cannot be disabled, and all outbound traffic through the Cisco router is passed to Edmonton, and out their proxy, and back to the ISP mail server. This one works fine. The Linksys has a VPN tunnel to another Linksys at the other store location, and it only routes info destined to those machines. Everything else is just handed out to the ISP gateway. So mail traffic through the Linksys doesn't touch the VPN at all.

Sometimes this includes blocking ports, such as 110(pop3), to keep a potential security breach from causing major havoc. It's good security policy.
It could also be that the DNS server isn't resolving the name of his email server, but I think you mentioned trying just the IP.

I can successfully ping and tracert the mail server from either connection. The only failure is messages with attachments coming through the Linksys router. If we try to pick up email from the Cisco, it works just fine, even though it's passing through a proxy server, then a VPN.

Have you tried no vpn connections & checking email or do they have to stay up and active all the time?

The Edmonton VPN has to stay up all the time, and I can't touch that connection anyways. The Linksys VPN tunnel can be taken offline, and I did do that to test already.. no difference. :(

I hate to say this, but it might not be a bad idea to call his email provider.

ISP already denied responsibility, as it works through one router and not the other, he claims it's a config issue at my end, and I'm inclined to believe it. I just can't seem to locate it!

I'm not in the mindset to logically think about this issue. Let me marinate on it for a day or two and see if anything clicks.

:)

Luke122
10-12-2007, 01:32 PM
I hope this makes sense.

http://i128.photobucket.com/albums/p176/lukifer122/issue.jpg

-Luke

Luke122
10-17-2007, 06:02 PM
Update: Still no progress on this.

Linksys tech support = teh sux0r.

Luke122
11-09-2007, 08:28 PM
Sadly, this issue is still going on. I haven't had any luck solving this, if anyone has any ideas, I'm open to hearing them!!!!

Drum Thumper
11-19-2007, 05:11 AM
I've heard of some people having issues with bandwidth in Canada, one of the ISPs is bottlenecked--that might explain the slow retrieval times.

Off to find the posts. BBIAB.

Edit--Rogers (http://forums.worldofwarcraft.com/thread.html?topicId=2518019717&sid=1) is the ISP, this link heads right to the World of Warcraft forum thread regarding extremely high latencies in game. Dunno who your ISP is though.

Hopefully this helps.

Edit #2: What brand is the switch?

Crazy Buddhist
11-19-2007, 05:22 AM
I'm guessing the Linksys has more restraints imposed on it by the firewall system as it is outward facing to the internet whilst the other router is the VPN to head office.

Have you looked at the firewall setup to see if downloading attachments is barred in some way at that point? It would make sense for the corporate (stop downloading of stuff from the internet) but would mess up this guy's way of working.

If this is the case place an exception rule in the firewall rules chain that allows him to download attachments and files before the general cut-out rule.

:)

Luke122
11-19-2007, 11:01 AM
I've tried that already Matthew... there doesn't seem to be any kind of filters in place on the Linksys, and as far as I know, it doesn't support stripping attachments. I can ping the mail server and trace to it, and can receive emails without attachments just fine.. tooo weird.


Both routers actually face the internet; each have a unique IP, but both share the same physical connection.
The only difference between the two gateways is the Cisco routes all traffic up to head office, then out through their proxy, whereas the Linksys goes straight out to the internet.

The ISP is actually getting his bandwidth through Bigpipe, and we sustain 11-15mbps, with fairly low latency.

Crazy Buddhist
11-19-2007, 03:45 PM
Sure there is no software or hardware firewall sitting between the routers and his network? I meant at that level rather than on a router.


I've tried that already Matthew... there doesn't seem to be any kind of filters in place on the Linksys, and as far as I know, it doesn't support stripping attachments. I can ping the mail server and trace to it, and can receive emails without attachments just fine.. tooo weird.

OvRiDe
11-24-2007, 04:52 AM
Have you tried bypassing the Linksys entirely by plugging it into the switch that the Internet connection, the Linksys, and the Cisco are attached to? If you don't have more than 2 static IP addresses available from the ISP you may need to unhook the Linksys and use its credentials for the test. Anywho.. That should tell you if it is something in the Linksys Router or if it is something on the ISP side.

Luke122
11-29-2007, 12:31 PM
Have you tried bypassing the Linksys entirely by plugging it into the switch that the Internet connection, the Linksys, and the Cisco are attached to? If you don't have more than 2 static IP addresses available from the ISP you may need to unhook the Linksys and use its credentials for the test. Anywho.. That should tell you if it is something in the Linksys Router or if it is something on the ISP side.

I'll test that this week when he's back in the office. I'm also going to take another router with me to replace the linksys entirely, and see if that solves it. :)

Crazy Buddhist
11-29-2007, 12:45 PM
I still think this is a network level firewall issue.

Luke122
11-29-2007, 12:47 PM
Well, I know that there are no devices between the wi-lan adapter, and the switch that feeds the linksys and the cisco routers. I traced the wire right from the roof into the switch, and then plugged the routers into the switch myself. :(

Crazy Buddhist
11-29-2007, 12:50 PM
Well, I know that there are no devices between the wi-lan adapter, and the switch that feeds the linksys and the cisco routers. I traced the wire right from the roof into the switch, and then plugged the routers into the switch myself. :(

Does he have to log in to the company network over the wireless to use the internet?

Luke122
11-29-2007, 01:15 PM
The business network is all ethernet in the building, and wireless from there back to the ISP. :)

billygoat333
12-02-2007, 10:27 PM
Linksys sucks... I have always had problems with their routers. I just felt like interjecting that, have no idea what could be causing this, besides maybe a setting in Outlook? I dunno. Tried updating Outlook? What about connecting to a different mail server and downloading an email with attachments? Does that work?

Luke122
12-10-2007, 06:39 PM
Update: I tried replacing the Linksys Router (RV-042) with a cheapo Dlink Di-624 (home wifi router), and the problem persists.

I get the feeling that the ISP is having troubles routing the mail correctly. Could be that they cannot route the same IP through 2 different paths, I dunno.

I've notified the ISP of the issue again, and let them know all the troubleshooting I've done so far to address it, we'll see what they come back with.

-Luke

Crazy Buddhist
12-11-2007, 01:36 AM
Update: I tried replacing the Linksys Router (RV-042) with a cheapo Dlink Di-624 (home wifi router), and the problem persists.

I get the feeling that the ISP is having troubles routing the mail correctly. Could be that they cannot route the same IP through 2 different paths, I dunno.

I do not see how they can route one IP address to two devices.

Luke122
12-11-2007, 11:03 AM
They can't, as no two devices have the same IP.

What I meant was that his laptop has the same internal IP, regardless of whether he connects through the company VPN, or connects through the linksys (or replacement router).

The cisco and the linksys each have a unique external IP, but his laptop IP is the same regardless of which one he connects to.

:) Hope that clears it up.

Crazy Buddhist
12-11-2007, 12:05 PM
They can't, as no two devices have the same IP.

What I meant was that his laptop has the same internal IP, regardless of whether he connects through the company VPN, or connects through the linksys (or replacement router).

The cisco and the linksys each have a unique external IP, but his laptop IP is the same regardless of which one he connects to.

:) Hope that clears it up.


Thanks Luke ... This is related to the question I asked earlier ... "Does he have to log in to the company network over the wireless to use the internet?"

If his laptop has the same IP it's either a fixed IP in the TCP/IP properties or the DHCP server has assigned it permanently to his laptop ...

I'm going with the DHCP server doing this which implies the same DHCP server is issuing the addy whichever router he connects through ...


I get the feeling that the ISP is having troubles routing the mail correctly. Could be that they cannot route the same IP through 2 different paths, I dunno.

The ISP has nothing to do with the routing once it hits either router. The router does all the work from that point on. His internal IP being the same is only known to the internal network.

I still believe the only difference is that at either a hardware or software level on the corporate network the Linksys, being directly connected to the net, is being subjected to more stringent firewall rules re attachment downloads than when connecting through the VPN.

This would make sense from the first network installation/design point of view: as through the VPN colleagues should need to be able to share documents with each other, but out to the world wide web greater restrictions make for greater safety.

That's my take on what's going on: Somewhere along the line there is a corporate level firewall being the bad boy.

:)

Luke122
04-08-2008, 02:39 PM
SOLVED!

Removed the Linksys RV042 router, and replaced with D-Link DFL-700, and it's all good now.