vsslproxy: reencrypt(185) - connect failed to - Kemp Load Master, Microsoft Exchange 2016 (Web Services) and Palo Alto Firewall - Challenge-ACK Resets Affecting Client Connectivity


We had been experiencing issues where connections via the Kemp Load Master to our Microsoft Exchange cluster were showing this error in the logs of the Kemp.

Jul 16 12:47:19 kemp-lb-01 vsslproxy: reencrypt(185) - connect failed to 172.20.159.181:443 (errno 110)

We had sporadic client connection issues, normally from Microsoft Outlook for Mac but more commonly from Mac Mail; we also had our monitoring platforms reporting that Exchange Web Services was down periodically for no reason.

It turned out to be our Palo Alto firewall that was dropping connections where a "challenge-ACK" was being used, although it was only doing this intermittently. An update in PAN-OS 8.0.7 (and later) essentially disabled allow-challenge-ack by default, so if you are experiencing the issue you would need to turn it on manually if needed.

The issue is described in more detail here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBJCAY

https://www.networkdefenseblog.com/post/wireshark-tcp-challenge-ack

Essentially, enabling "allow-challenge-ack" on our Palo Alto Firewall resolved the issue, stopping the firewall from resetting the connections. We were also able to adjust the polling interval of the availability checks to something closer to the default, which before had to be set artificially high to get round the fact that some of the probes would be lost and the Real Servers would be deemed down, even when they were not.
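Added example, not from the original post or from any of the vendors mentioned: a small Python detector that walks a list of TCP packet summaries and reports RFC 5961 challenge-ACK exchanges. It separates the normal outcome (the challenged peer answers the pure ACK with a RST whose SEQ equals the challenge's ACK number) from the case where no matching RST ever follows, which is what a middlebox dropping or resetting the exchange looks like in a capture. The `Pkt` class, the client addresses and the packet sequence are constructed for this example; the server address is the one from the log line above, used only as a label.

```python
"""Spot RFC 5961 challenge-ACK exchanges in a list of TCP packet summaries.

Mechanism being modelled: a host in ESTABLISHED state that receives an
unexpected SYN does not reset. It replies with a pure ACK carrying its current
SEQ/ACK numbers (the "challenge ACK"). The genuine peer answers with a RST whose
SEQ equals the challenge's ACK number, and only then does the connection drop.
If that RST never appears, the challenge ACK or the RST was lost or blocked in
transit, which is the middlebox symptom described in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str    # "ip:port"
    dst: str
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "R"
    seq: int
    ack: int


def _flow(p: Pkt) -> Tuple[str, str]:
    # Direction-independent flow key.
    return tuple(sorted((p.src, p.dst)))


def find_challenge_acks(pkts: List[Pkt]) -> List[Dict]:
    """Return one event per challenge-ACK exchange found.

    'outcome' is 'reset' (peer answered with a matching RST, the normal
    RFC 5961 path) or 'no_rst' (challenge ACK seen, no matching RST followed).
    """
    state: Dict[Tuple[str, str], Dict] = {}
    events: List[Dict] = []
    for p in pkts:
        st = state.setdefault(_flow(p), {"phase": "closed", "syn": None, "chal": None})
        phase = st["phase"]
        # Minimal three-way-handshake tracking.
        if phase == "closed" and p.flags == "S":
            st["phase"] = "syn_sent"
        elif phase == "syn_sent" and p.flags == "SA":
            st["phase"] = "syn_recv"
        elif phase == "syn_recv" and p.flags == "A":
            st["phase"] = "established"
        elif phase == "established":
            if "S" in p.flags:
                # A SYN on a live connection: the receiver should challenge it.
                st["syn"], st["chal"] = p, None
            elif (st["syn"] is not None and p.flags == "A"
                  and p.src == st["syn"].dst
                  and p.ack != st["syn"].seq + 1):
                # Pure ACK from the challenged host that does NOT acknowledge
                # the new SYN: the challenge ACK with its current numbers.
                st["chal"] = p
            elif (st["chal"] is not None and "R" in p.flags
                  and p.src == st["syn"].src
                  and p.seq == st["chal"].ack):
                events.append({"flow": _flow(p), "syn_from": st["syn"].src,
                               "challenge_from": st["chal"].src, "outcome": "reset"})
                st.update(phase="closed", syn=None, chal=None)
    # Anything still waiting for its RST when the capture ends.
    for flow, st in state.items():
        if st["chal"] is not None:
            events.append({"flow": flow, "syn_from": st["syn"].src,
                           "challenge_from": st["chal"].src, "outcome": "no_rst"})
    return events


# Constructed sample (addresses and numbers are made up for this example).
C, C2, S = "10.0.0.10:50000", "10.0.0.11:50001", "172.20.159.181:443"
SAMPLE = [
    # Flow 1: handshake, some data, then a fresh SYN on the live connection.
    Pkt(C, S, "S", 1000, 0),
    Pkt(S, C, "SA", 5000, 1001),
    Pkt(C, S, "A", 1001, 5001),
    Pkt(C, S, "PA", 1001, 5001),
    Pkt(S, C, "A", 5001, 1101),       # server has acked 100 bytes
    Pkt(C, S, "S", 7000, 0),          # client side reuses the port with a new SYN
    Pkt(S, C, "A", 5001, 1101),       # server still ESTABLISHED: challenge ACK
    Pkt(C, S, "R", 1101, 0),          # client RST, SEQ == challenge ACK number
    # Flow 2: same pattern, but the RST never shows up in the capture.
    Pkt(C2, S, "S", 2000, 0),
    Pkt(S, C2, "SA", 6000, 2001),
    Pkt(C2, S, "A", 2001, 6001),
    Pkt(C2, S, "S", 8000, 0),
    Pkt(S, C2, "A", 6001, 2001),      # challenge ACK; no RST follows
]

if __name__ == "__main__":
    for ev in find_challenge_acks(SAMPLE):
        print(ev)
```

To use this on a real capture, populate `Pkt` from your packet tool's per-packet source, destination, flags, sequence and acknowledgement fields; a flow that keeps ending in `no_rst` while the Kemp logs `connect failed ... (errno 110)` for the same Real Server is the pattern to look for, since a firewall that does not allow challenge ACKs leaves exactly that gap in the exchange.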
