Solution to Exchange 2010 move requests continuously restart when going across a VPN

By: Christine Fettinger

Finally found a solution to an Exchange 2010 migration issue that’s been plaguing me for weeks. It was preventing me from moving mailboxes from the old Exchange 2007 server to the new Exchange 2010 server that was located at another site and connected by a site-to-site VPN.

Every time I would create a new Move-Request, the completion percentage would climb slowly for about 5 minutes and then reset back to 0%. About a minute or so later, the mailbox move would restart, and this loop would run continuously until the Move-Request was cancelled.

Using the Exchange Trace logs (run the command ‘Extra’ to launch), we determined that the mailbox itself was fine and that it appeared to be caused by a networking error. By running packet captures at the same time, we found that a TCP Reset command occurred at the same time that the Trace logs showed a MAPI error and stopped the move. The packet captures also showed that the TCP Reset was not sent by the other server, but by the SonicWALL devices controlling the VPN.

After examining the SonicWALL configurations thoroughly, we noticed a firewall rule setting called TCP Connection Inactivity Timeout that happened to be set to 5 minutes, exactly the amount of time the Move-Request ran before resetting. After changing this setting to 15 minutes on each VPN-related firewall rule, we attempted another Move-Request. No resets, no errors, move complete!

It appears that in Exchange 2010, the first part of a mailbox move will open a TCP connection to the other server but not actively transmit until it finishes some other process. This inactive time also seems to be longer as the size of the mailbox goes up. I’ve been in contact with Microsoft about the exact details, but I have not received anything definitive yet about what is occurring during this inactive time.
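The check described above (a reset that follows an idle period equal to the firewall timeout, and that the other server never sent) can be scripted over capture exports. This is an added example, not code from the original post: it assumes captures were taken on both servers, and the record format, addresses, ports and function names are all constructed for illustration.

```python
# Added example: all addresses, ports and packets below are constructed.
OLD, NEW = "10.1.0.10", "10.2.0.20"   # Exchange 2007 / Exchange 2010 (made up)

# Each record: (seconds, src, dst, sport, dport, tcp_flags)
CAPTURE_NEW = [  # as seen on the Exchange 2010 server
    (0.0, NEW, OLD, 50000, 60000, "S"),
    (0.5, OLD, NEW, 60000, 50000, "SA"),
    (1.0, NEW, OLD, 50000, 60000, "A"),
    (2.0, NEW, OLD, 50000, 60000, "PA"),
    (302.0, OLD, NEW, 60000, 50000, "R"),   # claims to come from OLD
]
CAPTURE_OLD = [  # as seen on the Exchange 2007 server
    (0.0, NEW, OLD, 50000, 60000, "S"),
    (0.5, OLD, NEW, 60000, 50000, "SA"),
    (1.0, NEW, OLD, 50000, 60000, "A"),
    (2.0, NEW, OLD, 50000, 60000, "PA"),
    (302.0, NEW, OLD, 50000, 60000, "R"),   # claims to come from NEW
]

def flow_key(pkt):
    """Direction-independent identifier for a TCP connection."""
    _, src, dst, sport, dport, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def find_idle_resets(local, peer, timeout_s=300, tolerance_s=5):
    """Report RSTs in `local` that follow an idle gap near `timeout_s`."""
    # RSTs recorded in the peer's capture, keyed by flow and source address.
    peer_sent = {(flow_key(p), p[1]) for p in peer if "R" in p[5]}
    last_seen, findings = {}, []
    for pkt in sorted(local):
        ts, src, flags, key = pkt[0], pkt[1], pkt[5], flow_key(pkt)
        if "R" in flags and key in last_seen:
            idle = ts - last_seen[key]
            if abs(idle - timeout_s) <= tolerance_s:
                findings.append({
                    "flow": key,
                    "rst_claims_src": src,
                    "idle_s": idle,
                    # No RST from that source in its own capture:
                    # a device on the path generated it.
                    "injected_on_path": (key, src) not in peer_sent,
                })
        last_seen[key] = ts
    return findings

if __name__ == "__main__":
    for finding in find_idle_resets(CAPTURE_NEW, CAPTURE_OLD):
        print(finding)
```

Set `timeout_s` to the inactivity timeout configured on the firewall rule; the comparison relies on flow identity rather than timestamps, so the two captures do not need synchronized clocks.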