ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Your FlexResponse Action for Release From Email Quarantine Failed


Article ID: 237219


Updated On:


Data Loss Prevention Network Prevent for Email Messaging Gateway Data Loss Prevention


You are using DLP Network Prevent for Email with Symantec Messaging Gateway, have tried to implement the DLP FlexResponse plugin for releasing quarantined mails.

In the incident (history tab), you see an error as follows:

FlexResponse Action Failed [Email Quarantine Connect Approve Action] failed with message: Connection reset.


This is usually logged in the Tomcat (localhost) logs, on the Enforce Server:

15 Mar 2022 20:32:09,773- Thread: 248 SEVERE [
EmailQuarantineConnectPlugin] Connection reset

Cause: Connection reset


You may also see this error in the Tomcat log:

14 Mar 2022 20:24:54,182- Thread: 128 SEVERE [com.vontu.incidentresponse.action.invoker.ActionInvoker] (RESPONSE_ACTION.12)
 FlexResponse Action [Email Quarantine Connect Approve Action] failed with message:
 PKIX path building failed:
 unable to find valid certification path to requested target.



While PKIX errors can indicate the Certificate itself is bad (misconfigured DN value in the Cert, missing Intermediate or Root certificates), there is another common cause for this particular error:

SSL Packet inspection will break the HTTPS handshake being performed as part of the Quarantine Release request from Enforce to SMG, and exceptions to that usually need to be made.


Release : 15.8

Component : 

DLP Network Prevent for Email

Symantec Messaging Gateway


Verify whether Enforce is going through a proxy, and whether that proxy is allowing (whitelisting) your Enforce Server <=> SMG certificate handshake.

If not, be sure to whitelist traffic between these servers. 

Additional Information

You might have configured a proxy on Enforce Server for AIP integration (15.8 and above) or for the integration of the DLP Cloud Services. In these cases, check your Cloud Proxy Settings in the System > Settings > General page.