Symptoms: When attempting to download .exe or .tgz files (e.g., tkgi-windows-amd64-1.24.0-build.22.exe) using a Concourse pipeline or the om download-product command, the process fails with a "connection reset by peer" error. Manual downloads via a web browser may still work correctly.

Error Example: could not download product: could not download product file: failed to make HEAD request: Head "https://downloads2.broadcom.com/...": read tcp [IP_ADDRESS]->[IP_ADDRESS]:443: read: connection reset by peer 

This issue typically occurs because the automated pipeline's network path is being blocked by a firewall or security appliance that does not have the necessary Broadcom download server IP addresses and domains whitelisted.

In addition, certain file types (i.e. *.exec and *.tgz) could be blocked.

Another possibility is a network proxy that blocks necessary connections (see required IP addresses and domains in Resolution section). You can test for that possibility by using the --noproxy option to the curl command.

To resolve this connectivity issue, ensure your network security software and firewalls permit outbound HTTPS (port 443) traffic to the following destinations:

1. Required IP Addresses:

   • 141.202.253.110
   • 192.19.232.137
   • 162.159.140.167
   • 172.66.0.165 

2. Required Domains:

   • downloads.broadcom.com
   • downloads2.broadcom.com
   • packages.broadcom.com

3. Registry Token (if applicable):  For Tanzu and Artifactory-based downloads, ensure you are using a valid registry token generated from the Broadcom Support Portal. As of Jan. 26, 2026, old tokens have expired and a new single registry token is required for entitled repositories.

References:

• Public IP address list for VMware Update Manager (IP Addresses of dl.broadcom.com)
• IP Address of the Broadcom server for obtaining DX software packages