apm_user_138559
May 12, 2017

Intermittent issues with proxy server error (80000000) in Outlook 2010. SSL Offloading on LTM.

Hello, we are having intermittent issues with the following error in Outlook 2010:

 

There is a problem with the proxy server's security certificate, . Outlook is unable to connect to this server. (80000000).

 

This began recently since we enabled Outlook Anywhere for all our clients (in preparation for the upgrade to Exchange 2016).

 

According to this thread on MS it is suggested that it could be related to the Server SSL profile on the VS:

 

error-message-on-ol2010-problem-with-proxy-certificate-80000000

 

We are using LTM VS with SSL offloading on the F5 (only using HTTP to the backend CAS array), LTM version 12.1.2. Exchange server 2010.

 

When checking the MS docs the 0x80000000 error suggests "FLAG_SECURITY_CHANNEL_ERROR". See https://support.microsoft.com/en-us/kb/923575

 

Anybody with a clue?

 

5 Replies

  • You had better open a case with F5 support, as it will be difficult to help you troubleshoot without having access to qkview/full logs/tcpdumps/etc.

     

  • Hi, we have had the same problem since we migrated to Exchange 2016. A case is open with F5; it's difficult to reproduce the error because it's very random.

     

    Thanks for updating if you solve it.

     

  • Hi, no solution yet; as you say, it is very difficult to troubleshoot since the error is intermittent. Still taking logs and tcpdumps, just waiting for it to happen on my test user (who has had the problem maybe once or twice a week).

     

    But will update here if I find a solution - please share if you find it first ;)

     

  • We're also seeing this occasional error - with increasing frequency. I followed an Exchange-support-site recommendation to confirm that the cert on the f5 and the local name of the exchange server agree, and they do, so we're at a loss on what to look at next.

     

    Were you able to resolve the issue?

     

  • In the end after a lot of tcp dumping and reproducing, F5 support claims it is a regression on the client side (Microsoft). They have an article describing it:

     

    K10433354: TLS handshakes from some clients may intermittently fail when using Diffie-Hellman ciphers

     

    Since we have support for better ciphers than those with problems, we decided to create a new SSL client profile and assign it to the VIP for MSX. This is our ciphers list in that profile:

     

    DEFAULT:!EDH:!DH:!DHE:!RSA:@STRENGTH

     

    After that we have had no more problems with those errors. Hope it helps.
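
The effect of the cipher string in the last reply can be checked offline. This is an added example, not code from the thread or from F5: it expands the string with the local OpenSSL through Python's `ssl` module, so it only approximates BIG-IP (whose `DEFAULT` set differs), and all function names are made up for illustration.

```python
import socket
import ssl
from collections import Counter

# Cipher string quoted in the last reply (client SSL profile on the VIP).
PROFILE_CIPHERS = "DEFAULT:!EDH:!DH:!DHE:!RSA:@STRENGTH"


def expand(cipher_string):
    """Map suite name -> key exchange for the TLS 1.2-and-earlier suites the
    LOCAL OpenSSL selects (assumption: not BIG-IP's own cipher list).
    TLS 1.3 suites are configured separately and are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def key_exchange_diff(before="DEFAULT", after=PROFILE_CIPHERS):
    """Count suites per key exchange before/after and list the removed ones."""
    old, new = expand(before), expand(after)
    removed = sorted(set(old) - set(new))
    return Counter(old.values()), Counter(new.values()), removed


def negotiated_dhe_suite(host, port=443, timeout=5.0):
    """Offer only DHE suites (TLS 1.2 max) to host:port. Returns the suite the
    server picks, or None if it refuses, which is the expected result once
    the new profile is assigned. A None can also come from the client's own
    OpenSSL security level rejecting a small DH group."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # negotiation probe only: no application
    ctx.verify_mode = ssl.CERT_NONE  # data is sent, the cert is not evaluated
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("DHE")
    try:
        with socket.create_connection((host, port), timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]
    except (ssl.SSLError, ConnectionResetError):
        return None


if __name__ == "__main__":
    before, after, removed = key_exchange_diff()
    print("DEFAULT:", dict(before))
    print("profile:", dict(after))
    print("removed:", ", ".join(removed))
```

On the BIG-IP itself, `tmm --clientciphers '<string>'` prints the suites a client SSL profile with that string will actually offer.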