Forum Discussion

apm_user_138559's avatar
apm_user_138559
Icon for Nimbostratus rankNimbostratus
May 12, 2017

intermittent issues with proxy server error (80000000) in Outlook 2010. SSL Offloading on LTM.

Hello, we are having intermittent issues with the following error in Outlook 2010:

 

There is a problem with the proxy server's security certificate, . Outlook is unable to connect to this server. (80000000).

 

This begun recently since we enabled Outlook Anywhere for all our clients (in preparation for upgrade to Exchange 2016).

 

According to this thread on MS it is suggested that it could be related to the Server SSL profile on the VS:

 

error-message-on-ol2010-problem-with-proxy-certificate-80000000

 

We are using LTM VS with SSL offloading on the F5 (only using HTTP to the backend CAS array), LTM version 12.1.2. Exchange server 2010.

 

When checking the MS docs the 0x80000000 error suggests "FLAG_SECURITY_CHANNEL_ERROR". See https://support.microsoft.com/en-us/kb/923575

 

Anybody with a clue?

 

application delivery
BIG-IP Access Policy Manager (APM)
LTM
  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    May 12, 2017

    Better you open a case with F5 support, as will be difficult to help you with the troubleshoot without having access to qkview/full logs/tcpdumps/etc...

     

  • Network_center1's avatar
    Network_center1
    Icon for Nimbostratus rankNimbostratus
    May 24, 2017

    Hi, we have the same problem, since we migrate to Exchange 2016. A case is open with F5, that's difficult to reproduce the error because it's very random.

     

    Thank's to update, if you solved it.

     

  • apm_user_138559's avatar
    apm_user_138559
    Icon for Nimbostratus rankNimbostratus
    May 24, 2017

    Hi, no solution yet, as you say very difficult to troubleshoot - since the error is intermittent.. Still taking logs, and tcpdumps - just waiting for it to happen on my test user (which have had the problem maybe once or twice / week..)

     

    But will update here if I find a solution - please share if you find it first ;)

     

  • Matthew_Sabin_1's avatar
    Matthew_Sabin_1
    Icon for Nimbostratus rankNimbostratus
    Aug 14, 2017

    We're also seeing this occasional error - with increasing frequency. I followed an Exchange-support-site recommendation to confirm that the cert on the f5 and the local name of the exchange server agree, and they do, so we're at a loss on what to look at next.

     

    Were you able to resolve the issue?

     

  • apm_user_138559's avatar
    apm_user_138559
    Icon for Nimbostratus rankNimbostratus
    Aug 16, 2017

    In the end after a lot of tcp dumping and reproducing, F5 support claims it is a regression on the client side (Microsoft). They have an article describing it:

     

    K10433354: TLS handshakes from some clients may intermittently fail when using Diffie-Hellman ciphers

     

    Since we have support for better ciphers than those with problems, we decided to create a new SSL client profile and assign it to the VIP for MSX. This is our ciphers list in that profile:

     

    DEFAULT:!EDH:!DH:!DHE:!RSA:@STRENGTH

     

    After that we have had no more problems with those errors. Hope it helps.