
I'm unable to connect a server to AzureArc -existing connection was forcibly closed by the remote host

Jason Kopp 40 Reputation points
2026-04-03T19:07:42.61+00:00

AZCMAGENT CHECK says I'm only connecting to login.microsoft.com. The rest aren't reachable. The TLS is 1.2 and the OS is 2022.

When I'm trying to connect I get this error:
wsarecv: An existing connection was forcibly closed by the remote host." Proxy Status="proxy is not used" Request URL="https://gbl.his.arc.azure.com/discovery?location=centralus&api-version=2.1"

My other servers on the same subnet are able to connect without issue. Anyone else come across this and figure out a resolution?

Azure Arc

A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.


Answer accepted by question author
  Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator
    2026-04-03T19:32:01.5366667+00:00

    Hello @Jason Kopp

    This is a known Azure Arc onboarding failure mode and your symptoms line up very closely with a machine‑specific TLS / cipher suite hardening issue, not a subnet or generic firewall problem.

    From your description:

    • azcmagent check reaches login.microsoft.com
    • It cannot reach his.arc.azure.com / gbl.his.arc.azure.com
    • Error: wsarecv: An existing connection was forcibly closed by the remote host Proxy Status="proxy is not used"
    • Same subnet → other servers connect fine
    • OS = Windows Server 2022, TLS = 1.2 enabled

    This combination rules out:

    • Azure outage
    • Subscription / tenant issue
    • Subnet‑level firewall routing
    • Missing TLS 1.2

    It strongly indicates the remote Azure Arc service is closing the TLS handshake for this server only.

    The likely cause is an over‑restricted TLS cipher suite configuration on the failing server, usually due to:

    • Security baseline / hardening
    • Custom SSL cipher order
    • Domain GPO overriding local defaults

    Azure Arc endpoints (including his.arc.azure.com) require modern TLS 1.2 / TLS 1.3 cipher suites. If none of the acceptable ciphers are offered by the client, Azure closes the connection, which surfaces as:

    wsarecv: An existing connection was forcibly closed by the remote host

    Other servers on the same subnet work because cipher suites are evaluated per machine, not per subnet.

    A single server can:

    • Have a stricter GPO
    • Miss required cipher suites
    • Run a hardened image

    Even with identical networking.

    To confirm:

    On the failing Windows Server 2022, run:

    Get-TlsCipherSuite | Select-Object Name
    

    Ensure at least one of these exists:

    TLS_AES_256_GCM_SHA384
    TLS_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    

    These are the cipher families Azure Arc endpoints are known to accept on modern Windows hosts.

    As a workaround, try the following resolutions:

    If any are missing, enable them (no reboot required in most cases):

    Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
    Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
    Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    

    If SSL Cipher Suite Order is managed via GPO, compare with a working Arc-connected server and update the policy to include the above ciphers.

    Retest after enabling:

    azcmagent check
    azcmagent connect ...
    
    

    You should now see:

    • his.arc.azure.com
    • gbl.his.arc.azure.com reachable over HTTPS

    So, this issue was caused by an overly restrictive TLS cipher suite configuration on the affected Windows Server 2022 host. Azure Arc endpoints rejected the TLS handshake and forcibly closed the connection. Restoring supported TLS 1.2 / 1.3 cipher suites resolved the connectivity issue.

    Kindly let us know if the solution provided worked for you.

    If you need any further assistance, please feel free to reach out.

    If you found the comment helpful, please consider clicking "Upvote it".

    Thanks,

    Suchitra.


Answer accepted by question author
  Q&A Assist
    2026-04-03T19:08:00.19+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error and behavior indicate a TLS/cipher or server-side connectivity issue specific to this machine, even though others on the same subnet work.

    Use the following checks and remediations on the problematic Windows Server 2022 host:

    1. Verify required Azure Arc endpoints
      • Run azcmagent check and confirm all required Arc endpoints (not just login.microsoft.com) are reachable. Error AZCM0026 in the agent indicates endpoint or network configuration issues.
      • If any endpoints are unreachable, fix DNS, firewall, or proxy rules so that outbound HTTPS (TCP 443) to Azure Arc endpoints is allowed.
    2. Check Windows TLS configuration and cipher suites
      • On Windows Server 2022 with Connected Machine agent 1.56 or later, ensure the required TLS 1.2/1.3 cipher suites are enabled. Run:
             Get-TlsCipherSuite | Format-List Name
        
      • Confirm at least these are present:
        • TLS_AES_256_GCM_SHA384
        • TLS_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    3. Enable missing cipher suites (no reboot method first)
      • If any of the above are missing, enable them with PowerShell:
             Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
             Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
             Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
             Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        
      • On domain-joined machines, ensure Group Policy (GPO) is not overriding local cipher suite settings. If GPO manages SSL Cipher Suite Order, update it to include these suites.
    4. Check for overly restrictive cipher suite policy / GPO
      • Compare this server’s cipher suite configuration with a working Arc-connected server on the same subnet.
      • If this server has a hardened or custom cipher list that removes common TLS 1.2/1.3 suites, Azure endpoints may close the connection, producing wsarecv: An existing connection was forcibly closed by the remote host.
      • Temporarily relax cipher restrictions (restore a standard recommended set) and retry azcmagent connect to confirm.
    5. Validate registry-based cipher configuration (if used)
      • If cipher suites are managed via registry, check:
        • HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
      • Ensure the Functions value includes the required cipher suites (each on its own line). After editing manually, reboot the machine.
    6. If TLS/cipher checks pass but issue persists
      • Run azcmagent connect with verbose logging to capture more detail:
             azcmagent connect ... --verbose
        
      • Check azcmagent logs (for Linux this is journalctl -u azcmagent -f; on Windows, use the documented log locations) for more specific TLS or network errors.
      • If all required endpoints are reachable and cipher suites are correct but the remote host still closes the connection, collect a network trace and engage Microsoft Support as suggested for “no matching cipher” scenarios.

    These steps align with the documented guidance for Azure Arc networking and Windows TLS configuration issues that cause forcibly closed TLS connections.


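The checks that both answers above walk through by hand (list the suites Schannel offers with Get-TlsCipherSuite, compare against the four suites the answers cite, find out whether a GPO or the local registry is the source of the list, optionally re-enable the missing suites, then retry the endpoint) collected into one script. This is an added example for this thread, not code from either answer or from the Connected Machine agent. It assumes Windows PowerShell 5.1 in an elevated session on the affected Windows Server 2022 host, outbound TCP 443 to the endpoint named in the question's error, and the standard Schannel registry locations: the policy key that the "SSL Cipher Suite Order" GPO writes (a comma-separated REG_SZ) and the local key that Enable-TlsCipherSuite edits (a REG_MULTI_SZ). The script filename in the usage note is hypothetical.

```powershell
# Added example for this thread, not code from either answer above.
# Audits the Schannel cipher-suite configuration both answers point at, reports
# whether a GPO is the reason suites are missing, probes the endpoint from the
# question with a bare TLS handshake, and (with -Fix) enables missing suites
# locally. Run in an elevated Windows PowerShell 5.1 session on the failing host.
[CmdletBinding()]
param(
    [switch]$Fix,                                  # also Enable-TlsCipherSuite for missing suites
    [string]$ProbeHost = 'gbl.his.arc.azure.com',  # host from the Request URL in the question
    [int]$ProbePort = 443
)

# Suites both answers list as the ones Azure Arc endpoints are known to accept.
$RequiredSuites = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Policy key: written by the "SSL Cipher Suite Order" GPO (comma-separated REG_SZ).
# Local key: the machine's own REG_MULTI_SZ list that Enable-TlsCipherSuite edits.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-CipherSuiteReport {
    $enabled = @((Get-TlsCipherSuite).Name)      # the list Schannel currently offers
    $policy  = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    $local   = (Get-ItemProperty -Path $LocalKey  -Name Functions -ErrorAction SilentlyContinue).Functions
    $policyList = if ($policy) { @(($policy -split ',') | ForEach-Object { $_.Trim() }) } else { @() }
    [pscustomobject]@{
        EnabledCount  = $enabled.Count
        Missing       = @($RequiredSuites | Where-Object { $enabled -notcontains $_ })
        PolicyManaged = [bool]$policy
        PolicyMissing = @($RequiredSuites | Where-Object { $policy -and ($policyList -notcontains $_) })
        LocalMissing  = @($RequiredSuites | Where-Object { $local  -and ($local -notcontains $_) })
    }
}

function Test-TlsHandshake {
    param([string]$TargetHost, [int]$Port)
    # A bare Schannel handshake independent of azcmagent: if the remote side
    # resets the connection while processing ClientHello, it reproduces here too.
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost)
        [pscustomobject]@{
            Success  = $true
            Protocol = $ssl.SslProtocol
            Detail   = '{0}-{1}/{2}/{3}' -f $ssl.KeyExchangeAlgorithm, $ssl.CipherAlgorithm, $ssl.CipherStrength, $ssl.HashAlgorithm
        }
    } catch {
        [pscustomobject]@{ Success = $false; Protocol = $null; Detail = $_.Exception.GetBaseException().Message }
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

$report = Get-CipherSuiteReport
"Enabled suites: $($report.EnabledCount); required suites missing: $($report.Missing -join ', ')"
if ($report.PolicyManaged) {
    "Cipher suite order is set by GPO; required suites the policy omits: $($report.PolicyMissing -join ', ')"
    "  -> Enable-TlsCipherSuite only edits the local key and is overridden at the next policy refresh; fix the GPO."
}
elseif ($report.LocalMissing) {
    "No GPO in effect; required suites absent from the local key: $($report.LocalMissing -join ', ')"
}

if ($Fix -and $report.Missing) {
    foreach ($suite in $report.Missing) {
        Enable-TlsCipherSuite -Name $suite
        "Enabled $suite"
    }
}

$probe = Test-TlsHandshake -TargetHost $ProbeHost -Port $ProbePort
if ($probe.Success) { "Handshake with ${ProbeHost}:${ProbePort} OK: $($probe.Protocol) $($probe.Detail)" }
else                { "Handshake with ${ProbeHost}:${ProbePort} FAILED: $($probe.Detail)" }
```

Run it once without switches (for instance as `.\Test-ArcCipherSuites.ps1`) to get the audit and the handshake result, and again with `-Fix` only when the cipher suite order is not GPO-managed. Read the two results together: a handshake that fails with the same forcibly-closed error while the required suites are missing supports the diagnosis in both answers; a handshake that succeeds and reports a negotiated cipher while `azcmagent connect` still fails means cipher suites are not the cause on this host, and the next step is the verbose log and network trace route the second answer ends with.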
