Aria Orchestrator SOAP Host Unreachable - "Remote host terminated the handshake"

Article ID: 438440

Products

VCF Automation

Issue/Introduction

  • Execution of Aria Orchestrator (vRO 8.x) workflows interacting with a third-party SOAP endpoint fails.

  • The workflow logs show the exception: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake.

  • The target SOAP endpoint is confirmed to be completely unreachable from the Aria Automation / Orchestrator appliance.

  • Aria Automation custom forms relying on data from SOAP hosts may fail and show the error: Remote host terminated the handshake.

Environment

  • Aria Automation 8.x
  • Aria Automation Orchestrator 8.x
    • SOAP Plugin

Cause

While the exception explicitly references an SSL handshake termination, an underlying Layer 3 (Routing) or Layer 4 (Firewall) traffic drop can manifest similarly. If the TCP connection is dropped by an external firewall or routed to a black hole before the TLS Client Hello can be properly acknowledged, the Java runtime may report a terminated handshake. Because vRO 8.x executes within a containerized Kubernetes overlay (prelude namespace), network isolation must be tested directly from the executing pod, not just the base OS appliance.

Resolution

To confirm and isolate the network block, execute the following diagnostic steps from the Aria Automation / Orchestrator control plane.

  1. Establish an SSH connection to the Aria Automation / Orchestrator appliance as root.

  2. Open an interactive shell inside the vco-server-app container where the Rhino JS engine processes outbound requests:

     kubectl -n prelude exec -it deployment/vco-app -c vco-server-app -- /bin/bash

  3. Use cURL to test DNS resolution and Layer 4 TCP connectivity to the target host and port:

     curl -v telnet://<soap_host_fqdn>:<port>

  4. Evaluate the resulting output to determine the required infrastructure routing changes:

    • Could not resolve host: The Kubernetes CoreDNS service cannot resolve the target FQDN. Exit the pod and verify the appliance's upstream DNS configuration by executing vracli network dns. Ensure the external domain is resolvable.

    • Connection timed out: Traffic is egressing the pod but being dropped silently by an external physical or virtual firewall. Engage the network team to allow outbound traffic from the Aria appliance IP addresses to the external SOAP host IP on the required port.

    • Connection refused: The Layer 3 routing is intact and the target IP is reached, but the endpoint is actively rejecting the connection. Verify the third-party SOAP service is online and listening on the designated port.
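
The triage in step 4 can be scripted when several SOAP hosts need checking from inside the pod. The following is an added example, not part of the original article or of any VMware tooling; the function names and verdict labels are illustrative, and it assumes curl's usual message wording with exit codes 6 and 28 as a fallback.

```shell
#!/usr/bin/env bash
# Added example: map `curl -v telnet://host:port` results to the outcomes in step 4.

# classify_probe <curl_exit_code> <curl_verbose_output>
classify_probe() {
  local rc="$1" out="$2"
  case "$out" in
    # Check success first: a later --max-time expiry also prints "timed out".
    *"Connected to "*)          echo tcp_ok;  return ;;
    *"Could not resolve host"*) echo dns;     return ;;
    *"Connection refused"*)     echo refused; return ;;
    *"timed out"*|*"Timeout was reached"*) echo timeout; return ;;
  esac
  # Message wording varies between curl builds; fall back to exit codes.
  case "$rc" in
    6)  echo dns ;;
    28) echo timeout ;;
    *)  echo unknown ;;
  esac
}

# next_step <verdict>: the follow-up action the article gives for each outcome
next_step() {
  case "$1" in
    dns)     echo "Exit the pod, run 'vracli network dns', confirm the external domain resolves." ;;
    timeout) echo "Ask the network team to allow the appliance IPs to the SOAP host IP and port." ;;
    refused) echo "Verify the SOAP service is online and listening on the designated port." ;;
    tcp_ok)  echo "TCP connect succeeded from the pod; the Layer 3/4 path is open." ;;
    *)       echo "Unrecognized result; review the raw curl output." ;;
  esac
}

# probe <host> <port>: run the article's curl test with bounded timeouts
probe() {
  local host="$1" port="$2" out rc verdict
  out=$(curl -v --connect-timeout 5 --max-time 10 "telnet://${host}:${port}" </dev/null 2>&1)
  rc=$?
  verdict=$(classify_probe "$rc" "$out")
  printf '%s:%s -> %s\n%s\n' "$host" "$port" "$verdict" "$(next_step "$verdict")"
}

# Runs only when a host and port are supplied, e.g.: ./probe.sh <soap_host_fqdn> <port>
if [ "$#" -ge 2 ]; then probe "$1" "$2"; fi
```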