cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Massive traffic between Exchange Servers 2019

MartinRoyWRX
Copper Contributor

‎Jul 13 2022 07:02 AM

‎Jul 13 2022 07:02 AM

Massive traffic between Exchange Servers 2019

Hello all,

 

We are in a large company with over 50 Exchange Servers (on-premise not on cloud). My site have two Exchange 2019 Servers and we are using a satellite (25mb/s 600ms Latence) link to connect with the rest of the Exchange Servers.

 

Since over 6 months ago, we started to see massive traffic between our Exchange Servers and the rest of the company Exchange Server (Inbout around 12Gb/day and Outbound 75Gb/day). The traffic start at 18h00 and stop around 8h00 the day after. 

MartinRoyWRX_0-1657720429997.png

 

This traffic is killing our satellite link, we have a ticket opened with microsoft for over 6 months, but no clue of the reason of this.

 

We have done a message tracking for a day and the maximum size is 3Gb of inbound and outbound and mostly internal email (not going througt the satellite link). So our emails are not the cause of this issue.

 

If anyone can relate or give us a potential solution.

 

Regards,

Martin

Labels:
1,932 Views
0 Likes
2 Replies
Reply
2 Replies
Neill Tinlin

‎Jul 14 2022 01:00 AM

‎Jul 14 2022 01:00 AM

Re: Massive traffic between Exchange Servers 2019

@MartinRoyWRX 

 

First question would be if you can identify the ports the traffic is using which might give a head-start on identifying what is going on.

0 Likes
Reply
MartinRoyWRX

‎Jul 14 2022 03:46 AM - edited ‎Jul 14 2022 03:47 AM

‎Jul 14 2022 03:46 AM - edited ‎Jul 14 2022 03:47 AM

Re: Massive traffic between Exchange Servers 2019

@Neill Tinlin 

 

Thank you for you reply, Microsoft Engineers ask me to do an netsh trace with our two Exchange servers.

 

Btw they are on core edition and I wasnt able to do the scenario=netconnection since it is not available on core edition.

MartinRoyWRX_0-1657795260511.png

 

This is what they answer back:

I  found major traffics were seen on below TCP ports:
TCP port,444, 389, 443, 3268

There were around  :

**22348 packets for tcp port 389

**47369 packets for tcp port 3268

**34073 packets for tcp port  443
**30537  packets for tcp port 444

**26094 packets for tcp port 6068
**369    Packets for tcp port 25

**7472  Packets for port 42906 and 6064

 

Conclusion :

>> Tcp port 389 is being used by LDAP and 3268 is being used by Microsoft global catalog (LDAP), so traffic on these ports are  fine because these are being used by active directory.

>>However we see huge traffic on tcp port 443 , 6068 and 444, need to find which application on exchange server is using these ports.

 

Check tasklist /svc at the time of  issue to figure out which applications has maximum handles and check the ports that are being used by those applications.

 

But when I analyse the content that they send me, most of the communication are between local computers or servers on our site, so they don't use the satellite link.

 

The only thing that we have is a Veeam agent installed on that server. We also use Enterprise Vault for archiving our Email (older then 6 months).

 

Martin

0 Likes
Reply