
In our Ansible playbook we are sometimes getting a Connection Timeout error on a Microsoft MS Exchange 2016 server. This issue happened almost every time on the first Ansible run; when I run the playbook again, most of the time the error doesn't appear again. Sometimes this error occurs on

The error message:

{'unreachable': True, 'msg': "ntlm: HTTPSConnectionPool(host='192.168.7.80', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7340e0ffefe0>, 'Connection to 192.168.7.80 timed out. (connect timeout=610)'))", 'changed': False}

After running winrm enumerate winrm/config/listener I got this output, which indicates that WinRM is in fact running and listening.

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = localhost
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 1A7437413E2933672F89774565DCB8E9ED5BFE74
    ListeningOn = 127.0.0.1, 192.168.7.80, 192.168.11.2, ::1, fe80::5efe:192.168.7.80%4, fe80::5efe:192.168.11.2%6, fe80::21fb:e665:29b8:c0ac%2, fe80::2526:d87f:f326:ee7b%5

This is the Ansible inventory configuration:

windows:
      vars:
        ansible_user: ansible
        ansible_connection: winrm
        ansible_winrm_scheme: https
        ansible_winrm_server_cert_validation: ignore
        ansible_winrm_transport: ntlm
        ansible_winrm_connection_timeout: 600
        ansible_connection_timeout: 120
        ansible_connect_timeout: 120
        ansible_winrm_cert_key_pem: ~/.ssh/vs_ansible_cert_KEY_windows.pem
        ansible_winrm_port: 5986
        ansible_os_family: Windows
        any_errors_fatal: true
        max_fail_percentage: 0
        ca_files_location: ca-certificates
      children:
        dmz_email_servers:
          hosts:
            ms_exchange_16:
              ansible_host: 192.168.7.80
        ...

Network connectivity tests:

  • ping 192.168.7.80 - Fails (no response)
  • nc -zv 192.168.7.80 5986 - Succeeds (TCP connection established)

This suggests that the WinRM port is accessible but ICMP traffic is blocked.

Testing using curl shows intermittent connection behavior:

  • Sometimes the connection hangs at "Trying 192.168.7.80:5986..."
  • Other times it connects immediately and returns a proper 405 response
  • The certificate is self-signed with CN=localhost

This suggests the issue might be at the TCP connection level rather than with WinRM authentication.
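One way to test the hypothesis above is to time each stage of a connection to the listener separately and repeat it, so an intermittent stall shows up as either a TCP connect timeout or a later TLS/HTTP failure. This is an added example, not part of the original post; the function names, the 5-second timeout and the 20 runs are assumptions.

```python
import socket, ssl, sys, time

def probe(host, port=5986, timeout=5.0, tls=True):
    """One attempt against the WinRM listener; returns (stage, seconds)."""
    start = time.monotonic()
    elapsed = lambda: round(time.monotonic() - start, 3)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_timeout", elapsed())   # SYN unanswered: dropped on the path
    except OSError:
        return ("tcp_error", elapsed())     # refused, unreachable, ...
    try:
        if tls:
            # Verification is off only because this probe measures reachability
            # and sends no credentials (the listener certificate is self-signed).
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        req = "GET /wsman HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
        sock.sendall(req.encode())
        status = sock.recv(64).split(b"\r\n")[0].decode(errors="replace")
        return ("http:" + status if status else "no_response", elapsed())
    except ssl.SSLError:
        return ("tls_error", elapsed())
    except OSError:                         # includes timeouts after connect
        return ("post_connect_error", elapsed())
    finally:
        sock.close()

def summarise(results):
    """Map each stage to (count, slowest attempt in seconds)."""
    out = {}
    for stage, secs in results:
        count, worst = out.get(stage, (0, 0.0))
        out[stage] = (count + 1, max(worst, secs))
    return out

if __name__ == "__main__":
    host = sys.argv[1]
    runs = int(sys.argv[2]) if len(sys.argv) > 2 else 20
    results = []
    for _ in range(runs):
        results.append(probe(host))
        time.sleep(1)
    for stage, (count, worst) in summarise(results).items():
        print(f"{stage:45} n={count:3} slowest={worst:.3f}s")
```

A mix of `tcp_timeout` and `http:HTTP/1.1 405 ...` rows means the stall happens before TLS or NTLM is involved, which points at packet filtering or routing between the control node and the host rather than at the WinRM service.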
