SSPI Unable to Connect to vCenter with Connection Reset Error

Article ID: 423211

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Connecting to a vCenter Server from SSPI fails with the following error:

/usr/local/bin/govc: Post "https://vcenter-fqdn/sdk":

read tcp SSPI-IP:34310 -> vCenter-server-IP:443: read: connection reset by peer

Common observations include:

  • DNS resolution for the vCenter FQDN is successful from SSPI

  • TCP connectivity to port 443 is reachable from SSPI

Environment

SSP 5.x

Cause

This behavior is commonly caused by one of the following:

  • Incorrect destination zone configuration on a firewall
  • Application-based firewall rules that allow TLS but not HTTPS application traffic
  • Asymmetric routing or partial policy enforcement
  • Misconfigured security policies on perimeter or internal firewalls

Resolution

Follow the steps below to validate connectivity and isolate the root cause:

1. Application-Level HTTPS Connectivity Test

Validate basic HTTPS connectivity from the SSPI VM to the vCenter Server.

Command:

   curl -vk https://vCenterFQDN

Expected Result:

  • TLS handshake completes

  • HTTPS response is received

If the connection resets after handshake completion, proceed to the next steps.

2. TLS Handshake Verification

The following command performs a complete TLS handshake with the vCenter HTTPS endpoint and provides low-level visibility into each phase of the negotiation.

openssl s_client -connect vCenter-FQDN:443 -debug -state -showcerts

This confirms:

  • TLS handshake fully completed

  • Cipher negotiation succeeded

  • Certificate exchange completed

  • No interruption during TLS negotiation

  Explicit TLS 1.2 validation

The command below explicitly validates TLS connectivity using TLS 1.2, which is commonly required by SSPI and vCenter integrations.

  openssl s_client -connect vCenterFQDN:443 -tls1_2

Successful output confirms TLS version compatibility between SSPI and vCenter.

3. Review vCenter Logs

Check the following logs to confirm vCenter services are healthy and not rejecting the connection:

  • /var/log/vmware/rhttpproxy/rhttpproxy.log

  • /var/log/vmware/vpxd/vpxd.log

4. Packet Capture Analysis

Capture traffic on the SSPI VM to observe if the connection is terminated.

sudo tcpdump -nnvv -i any host vCenter-FQDN and port 443

If you observe output like the following:

vCenterIP.443 > SSPI-IP.50280: Flags [R.], seq 1842, ack 644, win 548, length 0 

Note:

  • A TCP RST packet was sent from the vCenter endpoint to the SSPI VM.

  • This confirms the connection is being actively reset on the server-side network path, not by the SSPI VM.

5. Firewall and Micro-Segmentation Validation

Validate the following network components with the assistance of the firewall team:

  • Destination zone configuration on perimeter or internal firewalls

  • Any third-party firewall policies

  • NSX micro-segmentation rules

  • vCenter Server IPs and node pool IPs are not blocked or partially allowed

Ensure:

  • HTTPS application traffic is explicitly permitted

  • No policy allows TLS handshake but resets application data
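The checks from steps 1, 2 and 4 above, collected into a small shell script as an added example (this is not part of the article and not SSPI or vCenter code). The function names `check_https`, `check_tls12` and `classify_rst` are chosen here; the IP addresses and the tcpdump lines are constructed sample data that reproduce the RST pattern the article describes, so the classifier can be run offline.

```shell
#!/bin/sh
# Added example, not part of the KB article: wraps the article's checks into
# shell functions and classifies tcpdump output by which side sent the TCP RST.
# Host names and IPs are placeholders; the capture lines are constructed.

# Step 1: HTTPS connectivity check. Prints the HTTP status code, or 000 when
# the connection was reset before any response arrived. -k skips certificate
# verification because only the reachability of the path is being tested.
check_https() {
    curl -sk -o /dev/null -w '%{http_code}\n' --max-time 15 "https://$1/"
}

# Step 2: explicit TLS 1.2 handshake. Returns 0 when s_client reaches the
# end of the handshake (it prints a "Verify return code" line at that point).
check_tls12() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -tls1_2 2>/dev/null \
        | grep -q 'Verify return code'
}

# Step 4: read tcpdump -nn output on stdin and report who sent the reset.
#   usage:  classify_rst <vCenter-IP> <SSPI-IP>
#   prints: server-rst | client-rst | no-rst
classify_rst() {
    awk -v vc="$1" -v sspi="$2" '
        # only lines whose TCP flags contain R ("[R]" or "[R.]") matter
        /Flags \[R\.?\]/ {
            # the source endpoint is the field just before ">"
            for (i = 1; i <= NF; i++) if ($i == ">") src = $(i - 1)
            # split the IPv4 "a.b.c.d.port" form into address and port
            port = src; sub(/.*\./, "", port)
            ip = src;   sub(/\.[0-9]+$/, "", ip)
            if (ip == vc && port == "443") { print "server-rst"; found = 1; exit }
            if (ip == sspi)                { print "client-rst"; found = 1; exit }
        }
        END { if (!found) print "no-rst" }
    '
}

# Constructed sample capture (not real traffic): the TCP handshake completes,
# the client sends its first request, and the vCenter side answers with
# RST/ACK, which is the pattern the article describes.
VC_IP=10.10.2.20
SSPI_IP=10.10.1.9
SAMPLE_CAPTURE="$SSPI_IP.50280 > $VC_IP.443: Flags [S], seq 100, win 64240, length 0
$VC_IP.443 > $SSPI_IP.50280: Flags [S.], seq 500, ack 101, win 65160, length 0
$SSPI_IP.50280 > $VC_IP.443: Flags [.], ack 1, win 502, length 0
$SSPI_IP.50280 > $VC_IP.443: Flags [P.], seq 1:644, ack 1, win 502, length 643
$VC_IP.443 > $SSPI_IP.50280: Flags [R.], seq 1842, ack 644, win 548, length 0"

printf '%s\n' "$SAMPLE_CAPTURE" | classify_rst "$VC_IP" "$SSPI_IP"   # server-rst
```

On a live system, feed a real capture with `sudo tcpdump -nn -i any host vCenter-FQDN and port 443 | classify_rst <vCenter-IP> <SSPI-IP>` (plain `-nn`, without `-vv`, keeps each packet on one line so the parser sees `src > dst:` on the same line as the flags). A `server-rst` result together with a successful `check_tls12` is the combination that points at a policy allowing the TLS handshake but resetting HTTPS application data, which is what step 5 asks the firewall team to review.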