"An existing connection was forcibly closed by the remote host due to time-out" message when connecting to a remote endpoint from CA PAM

Article ID: 220600

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Sometimes, when accessing a Windows endpoint from CA PAM, the message:

An existing connection was forcibly closed by the remote host due to time-out

is thrown and the connection is dropped. RDP port 3389 is open on the server side, and no other users are accessing the system when this happens.

In the event logs of the Windows endpoint, the following message appears:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.


Cause

This may be caused by the order in which the supported TLS cipher suites are listed on the remote Windows endpoint and in CA PAM.

When CA PAM connects to a remote endpoint using TLS, it tries the cipher suites in its configured list one by one, in order.

The order in which the ciphers are offered can be viewed and changed on the PAM server under Configuration --> Security --> Cryptography.

The problem can occur, for instance, if none of the ciphers configured in the CA PAM server is enabled on the remote Windows endpoint, or if a matching cipher is enabled but sits near the end of the PAM list. In the latter case PAM attempts the ciphers in list order, and because most of the connection timeout is spent on the failed negotiations with the preceding ciphers, the connection may time out before the matching cipher is reached.

Environment

CA PAM Server versions 3.4.X and above


Resolution

Check, with a tool such as IIS Crypto or directly in the Windows documentation, which ciphers your Windows endpoint supports. If necessary, move the ciphers common to both the Windows and CA PAM lists so that the match occurs early in the list, and if they are not installed in Windows, install them as needed.
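The in-order cipher walk described under Cause and the reordering fix described under Resolution, as an added Python example that is not part of this article or of CA PAM. It assumes both lists use IANA cipher suite names (the Windows side can be read from Get-TlsCipherSuite or IIS Crypto) and models every failed negotiation as a fixed time cost, which is a simplification of the timeout behaviour described above; the sample lists are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass
class Diagnosis:
    first_match: Optional[str]   # first cipher in the client list that the endpoint also enables
    attempts_before_match: int   # failed negotiations before that cipher is reached
    seconds_burnt: float         # time spent on those failed attempts (assumed fixed cost each)
    would_time_out: bool         # True when that time alone reaches the overall timeout

def diagnose(client_order: List[str], server_enabled: Iterable[str],
             per_attempt_seconds: float, overall_timeout_seconds: float) -> Diagnosis:
    """Walk the client's cipher list in order, as the article describes CA PAM doing,
    and report how far down the list the first endpoint-enabled cipher sits."""
    enabled = set(server_enabled)
    for position, cipher in enumerate(client_order):
        if cipher in enabled:
            burnt = position * per_attempt_seconds
            return Diagnosis(cipher, position, burnt, burnt >= overall_timeout_seconds)
    # No overlap at all: every attempt fails, the other case the article names.
    burnt = len(client_order) * per_attempt_seconds
    return Diagnosis(None, len(client_order), burnt, True)

def reorder_for_endpoint(client_order: List[str], server_enabled: Iterable[str]) -> List[str]:
    """Move the ciphers the endpoint enables to the front of the client list, keeping the
    relative order of everything else (the article's 'move the matching ciphers' fix)."""
    enabled = set(server_enabled)
    matching = [c for c in client_order if c in enabled]
    rest = [c for c in client_order if c not in enabled]
    return matching + rest

# Constructed sample data (IANA suite names); not taken from any real PAM server or endpoint.
PAM_ORDER = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
WINDOWS_ENABLED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

if __name__ == "__main__":
    print("before:", diagnose(PAM_ORDER, WINDOWS_ENABLED, 5.0, 15.0))  # 3 failed attempts, times out
    fixed = reorder_for_endpoint(PAM_ORDER, WINDOWS_ENABLED)
    print("after: ", diagnose(fixed, WINDOWS_ENABLED, 5.0, 15.0))      # 0 failed attempts
```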