OK, because your initial posts weren't clear on this.

Do you have splunktcp:9997 (or splunktcp-ssl)  input enabled? I think I only saw a http input. Or maybe you enabled plain tcp:9997 input instead of splunktcp?

inputs.conf file from $SPLUNK_HOME/etc/apps/search/local

[splunktcp://9997]
disabled = false

Forget my ignorance, but should I add this stanza to $SPLUNK_HOME/etc/system/local/inputs.conf file as well? 

From the technical point of view - you don't have to.

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Wheretofindtheconfigurationfiles

It's just that if you don't keep your configs "tidy", they can get confusing quickly with settings being spread all over the place 🙂

Hmm... but if you have splunktcp input and you can see TLS handshake over the wire then UF must be applying some TLS settings and trying to negotiate secure connection.

No needs for that. It's enough that this stanza is in place somewhere. Of course, the best practices is that you have own apps which contains those configurations and are easily manager, stored (e.g. into git) and deployed to needed HF's and UF's.

Is this only UF-HF pair which is not working or are there several or are another working?

Probably you have followed this https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Configureanintermediateforwarder when you have configured this? And you have done needed restarts after configuration changes?

What kind of errors you have on your UF's & HF's internal logs? Can those give any hints?

Can you give (again) output of the next commands:

From UF:

splunk btool outputs list

From. HF:

splunk btool inputs list splunktcp

r. Ismo

From UF

[syslog]
maxEventSize = 1024
priority = <13>
type = udp
[tcpout]
ackTimeoutOnShutdown = 30
autoLBFrequency = 30
autoLBVolume = 0
blockOnCloning = true
blockWarnThreshold = 100
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
compressed = false
connectionTTL = 0
connectionTimeout = 20
defaultGroup = default-autolb-group
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
ecdhCurves = prime256v1, secp384r1, secp521r1
forceTimebasedAutoLB = false
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry)
forwardedindex.filter.disable = false
heartbeatFrequency = 30
indexAndForward = false
maxConnectionsPerIndexer = 2
maxFailuresPerInterval = 2
maxQueueSize = auto
readTimeout = 300
secsInFailureInterval = 1
sendCookedData = true
sslQuietShutdown = false
sslVersions = tls1.2
tcpSendBufSz = 0
useACK = false
useClientSSLCompression = true
writeTimeout = 300
[tcpout-server://172.23.11.216:9997]
[tcpout:default-autolb-group]
disabled = false
server = 172.23.11.216:9997
sslPassword = password

From UF

[splunktcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = ip
host = $decideOnStartup
index = default
route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
[splunktcp://9997]
_rcvbuf = 1572864
connection_host = 10.24.118.91
disabled = false
host = $decideOnStartup
index = discol

I've only just added connection_host setup , but it didn't make any difference. 

Logfile:

11-17-2021 09:31:50.643 +0000 WARN TcpOutputProc [18893 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=172.23.11.216 inside output group default-autolb-group from host_src=ldcrapnvvip10 has been blocked for blocked_seconds=47000. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

11-17-2021 09:32:26.647 +0000 ERROR TcpOutputFd [18894 TcpOutEloop] - Read error. Connection reset by peer
11-17-2021 09:32:26.648 +0000 ERROR TcpOutputFd [18894 TcpOutEloop] - Read error. Connection reset by peer
11-17-2021 09:32:26.648 +0000 WARN AutoLoadBalancedConnectionStrategy [18894 TcpOutEloop] - Applying quarantine to ip=172.23.11.216 port=9997 _numberOfFailures=2

Do you have any IPS or something like that in between those two components?

Because it looks awfully similar to an over-zealous "protection" solution which resets "bad" TLS connections. Notice that each side blames the other one for the connection closing.

I've seen this myself - an IPS/NGFW/whatever notices some "strange" communication (from his point of view) and sends RST to both sides.

The thing is that the network isn't being managed by me. I was just told to take advantage of HF (UF doesn't have access to the internet) and make everything up and running.

But according to the customer, who is managing the network, there is nothing that could block communication between HF and UF.

I'm not saying I'm 100% sure of this in this case because I cannot be since I don't know the infrastructure. But I've also seen such behaviour and the customer was also saying he didn't have any firewalls in place. But after all it turned out he did 😄

But just to be on the safe side - run tcpdump on both ends of the connection, restart the UF so it tries to connect to HF and compare pcaps from both ends.

If you have your proper 3-way handshake and then suddenly two RST-s which apparently "noone" sent - you have your answer.

My bad. It's typo. The second output is from HF. 

Anyway I'm pasting it here again: 

[splunktcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = ip
host = $decideOnStartup
index = default
route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
[splunktcp://9997]
_rcvbuf = 1572864
connection_host = 10.24.118.91
disabled = false
host = $decideOnStartup
index = discol

Hi @slipinski,

please try telnet on port 9997.

Ciao.

Giuseppe

@gcusello  I successfully did.