Home > SAFE DR > Veeam Cloud Connect jobs fail with "Authentication failed because the remote party has closed the transport stream" error

Veeam Cloud Connect jobs fail with "Authentication failed because the remote party has closed the transport stream" error

After upgrade of Veeam Backup & Replication on the Veeam Cloud Connect service provider's backup server to version 10, tenant jobs may start failing with the following error: "Authentication failed because the remote party has closed the transport stream". At the same time, the Svc.VeeamCloudConnect.log log file displays the following error: "A call to SSPI failed, see inner exception".

The issue can be spotted in the following logs:

Job.log (on the tenant side)

 

[15.06.2020 11:00:00] <01> Error    Authentication failed because the remote party has closed the transport stream. (System.IO.IOException)
[15.06.2020 11:00:00] <01> Error       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
...
[15.06.2020 11:00:00] <01> Error       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
[15.06.2020 11:00:00] <01> Error       at Veeam.Backup.Core.CSocketInvokerClient.InvokeImpl(TcpClient client, CSocketInvokerParams args, Int32 threadId)
[15.06.2020 11:00:00] <01> Error       at Veeam.Backup.Core.CSocketInvokerClient.TryInvoke(CSocketInvokerParams invokerParams)

Cause

Windows updates related to a new .Net Framework enforce a security check and do not allow to establish a secure connection between Veeam backup servers on the tenant side and service provider side using a weak Diffie-Hellman Ephemeral (DHE) key.

Solution

Install recommended Windows updates on the tenant Veeam Backup & Replication server or Veeam Agent for Microsoft Windows machines. For details, see https://support.microsoft.com/en-us/help/3061518/ms15-055-vulnerability-in-schannel-could-allow-information-disclosure.