Hi, I'm facing a very persistent issue with the SPICE console connection to my VM (MX Linux) on Proxmox VE 8.4.1. The connection via the .vv file downloaded from the web interface consistently fails, even though the spiceproxy service is running. However, a direct SPICE connection, after manually editing the .vv file to bypass the proxy, works perfectly.
My Setup:
The spiceproxy is running, is referenced by the Proxmox Web UI in the .vv file, and apparently expects a TLS connection (tls-port=61000). However, the connection fails with Connection reset by peer. The standard qm set parameters (spice_proxy, vga,tls) for controlling this behavior are not recognized or available on my system, despite being on the latest PVE version. This significantly complicates debugging and configuration.
My Questions to the Community:
My Setup:
- Proxmox VE Version: pve-manager/8.4.1/2a5fa54a8503f96d (running kernel: 6.8.12-11-pve)
- VM ID: 103 (MX Linux)
- VM Configuration (cat /etc/pve/qemu-server/103.conf):
Code:agent: 1 # args: -spice port=5903,addr=0.0.0.0 <- This line was most recently removed. boot: order=scsi0;ide2;net0 cores: 2 cpu: host ide2: none,media=cdrom memory: 4096 meta: creation-qemu=9.2.0,ctime=1749361604 name: MxLinux net0: virtio=BC:24:11:84:2B:EC,bridge=vmbr0,firewall=1 numa: 0 ostype: l26 scsi0: local-lvm:vm-103-disk-0,iothread=1,size=64G scsihw: virtio-scsi-single smbios1: uuid=436abd75-3411-496c-844d-84ec8b8929f0 sockets: 1 spice_enhancements: videostreaming=all vga: qxl vmgenid: 968208b9-7935-4561-af29-1812bf6bbc84
- Client OS: Windows, using virt-viewer.
- Proxmox Host IP: 192.168.178.100
- Client IP: 192.168.178.222
- Connection with unmodified .vv file (downloaded from PVE Web UI) fails.
- Content of the .vv file (example after args removal):
Code:[virt-viewer] host-subject=CN=proxmox.tiny ca=-----BEGIN CERTIFICATE-----\nMIIxxxR/XWPvUnBGtoclllQxxxxxcWg6k\nuQ==\n-----END CERTIFICATE-----\n proxy=http://192.168.178.100:3128 tls-port=61000 toggle-fullscreen=Shift+F11 release-cursor=Ctrl+Alt+R host=pvespiceproxy:6848903a:103:proxmox::8033f3114966764abfa3cf7bd9c0d9596bd02af2 password=xxx type=spice secure-attention=Ctrl+Alt+Ins title=VM 103 - MxLinux delete-this-file=1 - Error message in spiceproxy.service logs: Connection reset by peer (from client IP 192.168.178.222).
Code:Jun 10 22:00:18 proxmox spiceproxy[1113]: problem with client ::ffff:192.168.178.222; Connection reset by peer - Error message in virt-viewer: "Could not establish connection to graphic server" (or similar - I use german).
- Content of the .vv file (example after args removal):
- Connection after manual .vv file editing works perfectly.
- I manually edit the downloaded .vv file to bypass the proxy:
Code:[virt-viewer] #proxy=http://192.168.178.100:3128 #tls-port=61000 #host=pvespiceproxy:6848903a:103:proxmox::8033f3114966764abfa3cf7bd9c0d9596bd02af2 host=192.168.178.100 port=5903 # ... Rest of the file ... - With this modified file, the connection is immediate and stable.
- I manually edit the downloaded .vv file to bypass the proxy:
- Firewall Check:
- Proxmox Datacenter firewall was completely deactivated during tests.
- The "Connection reset by peer" error still occurred.
- This confirms that the firewall is not the cause of the proxy connection failure.
- A rule for port 5903 was already present.
- qm set --spice_proxy none:
- Command failed with: Unknown option: spice_proxy.
-
Bash:
admin@proxmox:~$ sudo qm set 103 --spice_proxy none Unknown option: spice_proxy 400 unable to parse option - This option is also missing in the Datacenter -> Options -> Console Type menu in the Web UI.
- qm set --vga qxl,tls=1:
- Command failed with: vga.tls: property is not defined in schema and the schema does not allow additional properties.
-
Bash:
admin@proxmox:~$ sudo qm set 103 --vga qxl,tls=1 400 Parameter verification failed. vga: invalid format - format error vga.tls: property is not defined in schema and the schema does not allow additional properties - This indicates that the tls option for vga is not directly configurable on my system via qm set.
- Removal of args: -spice port=5903,addr=0.0.0.0:
- Performed using sudo qm set 103 --delete args.
- Had no impact on the generation of proxy lines in the .vv file. These are still generated.
- datacenter.cfg:
- Contains no entries related to proxy, spice_proxy, or console_proxy.
-
Bash:
keyboard: de<br>
- spiceproxy.service Status:
- Service is active (running) and enabled.
-
Code:
admin@proxmox:~$ sudo systemctl status spiceproxy ● spiceproxy.service - PVE SPICE Proxy Server Loaded: loaded (/lib/systemd/system/spiceproxy.service; enabled; preset: enabled) Active: active (running) since Tue 2025-06-10 07:28:11 CEST; 14h ago Process: 1111 ExecStart=/usr/bin/spiceproxy start (code=exited, status=0/SUCCESS) Main PID: 1112 (spiceproxy) Tasks: 2 (limit: 76924) Memory: 56.6M CPU: 1.840s CGroup: /system.slice/spiceproxy.service ├─1112 spiceproxy └─1113 "spiceproxy worker"
- spiceproxy Configuration Files Search:
- find /etc|/usr/share|/var/lib -name "*spiceproxy*" did not find any direct *.conf files containing configuration. Only systemd unit files, man pages, and Perl modules.
- Detailed journalctl Logs for spiceproxy:
- Only show Connection reset by peer, no further details on the root cause of the failure.
-
Code:
Jun 10 22:00:18 proxmox spiceproxy[1113]: problem with client ::ffff:192.168.178.222; Connection reset by peer
The spiceproxy is running, is referenced by the Proxmox Web UI in the .vv file, and apparently expects a TLS connection (tls-port=61000). However, the connection fails with Connection reset by peer. The standard qm set parameters (spice_proxy, vga,tls) for controlling this behavior are not recognized or available on my system, despite being on the latest PVE version. This significantly complicates debugging and configuration.
My Questions to the Community:
- Why does qm set report spice_proxy and vga,tls parameters as unknown, even though I'm running PVE 8.4.1? Could this indicate a faulty installation or missing packages?
- What could be the cause of the Connection reset by peer in spiceproxy when the firewall is off? Is this a classic TLS/certificate issue, and if so, how can I debug it without direct qm set options?
- Are there any other undocumented or alternative ways to configure spiceproxy (especially regarding TLS and internal ports) or to prevent its inclusion in the .vv file generation, given that qm set options are failing?
- Are there any known bugs in PVE 8.4.1 related to spiceproxy or .vv file generation under these circumstances?
