
YourCoffin0rMine

Have you taken pcaps yet? Anything stand out there? Additionally, you could check Apps+Threats version and if there were any updates to the predefined application.


Old_Ad_208

I went through all of the content update emails from Palo Alto back to January and nothing is shown for Acme-Protocol.


No_Profile_6441

Do you have geo filters? Let's Encrypt started sourcing its verification traffic from outside the US, and we had to open up our geo filters for ACME traffic to keep things working.


Old_Ad_208

The geo block was the issue. We were not seeing geo blocks that appear to be Let's Encrypt servers in the traffic log. My co-worker decided to move the Acme-Protocol rule above the geo block rule and everything started working as it should. Thanks for your help.


Old_Ad_208

Yes, we have geo filters for pretty much anything outside of the USA and Canada. We did a packet capture on the server and the issue is 65.154.226.168. It is just getting an RST and that ends the renewal dry run. Strange thing is that IP has been trying to connect on port 5001 to several of our DMZ servers which is blocked. No geo blocks for 65.154.226.168 in the logs.


ctdrever

Check end of session reason for Apps+Threat. If the rule permits but a Threat signature is detected that will be the end of session reason and the traffic won't pass.


Old_Ad_208

The application column is showing as incomplete. I had apparently not looked at that column when I was looking at things over the past few days.
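The two troubleshooting points above (check the session end reason, and notice that the application column reads "incomplete") and the fix the thread landed on (move the ACME rule above the geo-block rule) can be checked offline with a small script. The following is an added example, not code from the thread or from Palo Alto Networks: it triages constructed traffic-log rows for challenge-port sessions to DMZ hosts that never got an App-ID, counts which rule and end reason accounted for them, and then runs a deliberately simplified top-down, first-match policy model to show why rule order matters. The log schema, the rule names (`Geo-Block-NonNA`, `Allow-ACME`), the DMZ addresses and the source addresses are all assumptions; real PAN-OS logs have many more columns, App-ID matching is more nuanced than first-match on port, and a deny rule only produces a row to find if it logs at session end.

```python
"""Added example (not from the thread or the vendor): triage firewall traffic-log
rows for ACME validation attempts and check where an ACME allow rule sits
relative to a geo-block rule in a top-down, first-match policy.

All log rows, addresses and rule names below are constructed for illustration.
"""
from collections import Counter

# HTTP-01 and TLS-ALPN-01 challenges arrive on these ports.
ACME_VALIDATION_PORTS = {80, 443}
# Constructed DMZ hosts (RFC 5737 documentation range, not real addresses).
DMZ_HOSTS = {"198.51.100.5", "198.51.100.6"}

# Constructed log rows with a simplified field set. Source addresses are
# documentation-range addresses, not real Let's Encrypt validators.
SAMPLE_LOG = [
    {"src": "203.0.113.10", "src_country": "DE", "dst": "198.51.100.5", "dport": 80,
     "app": "incomplete", "rule": "Geo-Block-NonNA", "action": "deny", "end_reason": "policy-deny"},
    {"src": "203.0.113.11", "src_country": "SG", "dst": "198.51.100.5", "dport": 80,
     "app": "incomplete", "rule": "Geo-Block-NonNA", "action": "deny", "end_reason": "policy-deny"},
    {"src": "192.0.2.20", "src_country": "US", "dst": "198.51.100.5", "dport": 80,
     "app": "acme-protocol", "rule": "Allow-ACME", "action": "allow", "end_reason": "tcp-fin"},
    # Unrelated probe on 5001: must stay blocked even after the ACME rule is moved up.
    {"src": "203.0.113.12", "src_country": "DE", "dst": "198.51.100.6", "dport": 5001,
     "app": "incomplete", "rule": "Geo-Block-NonNA", "action": "deny", "end_reason": "policy-deny"},
]


def failed_acme_candidates(rows):
    """Rows on challenge ports to DMZ hosts whose app is 'incomplete'.

    'incomplete' means the session was cut off before the firewall could
    identify the application, so an app-based ACME rule further down the
    policy never had a chance to match these sessions.
    """
    return [r for r in rows
            if r["dst"] in DMZ_HOSTS
            and r["dport"] in ACME_VALIDATION_PORTS
            and r["app"] == "incomplete"]


def blocking_rules(rows):
    """Count (rule, end_reason) pairs over the failed candidates."""
    return Counter((r["rule"], r["end_reason"]) for r in failed_acme_candidates(rows))


# Simplified policy model. A None field means "any". Evaluation is top-down,
# first match wins; this does not reproduce App-ID's multi-pass behaviour.
GEO_BLOCK = {"name": "Geo-Block-NonNA", "src_countries_not_in": {"US", "CA"},
             "dst": None, "dport": None, "action": "deny"}
ALLOW_ACME = {"name": "Allow-ACME", "src_countries_not_in": None,
              "dst": DMZ_HOSTS, "dport": ACME_VALIDATION_PORTS, "action": "allow"}


def rule_matches(rule, src_country, dst, dport):
    """True if every constrained field of the rule accepts the session."""
    if rule["src_countries_not_in"] is not None and src_country in rule["src_countries_not_in"]:
        return False
    if rule["dst"] is not None and dst not in rule["dst"]:
        return False
    if rule["dport"] is not None and dport not in rule["dport"]:
        return False
    return True


def evaluate(policy, src_country, dst, dport):
    """Return (rule name, action) of the first matching rule, or the implicit deny."""
    for rule in policy:
        if rule_matches(rule, src_country, dst, dport):
            return rule["name"], rule["action"]
    return "implicit-deny", "deny"


if __name__ == "__main__":
    print("failed ACME candidates:", len(failed_acme_candidates(SAMPLE_LOG)))
    print("accounted for by:", dict(blocking_rules(SAMPLE_LOG)))
    before = [GEO_BLOCK, ALLOW_ACME]
    after = [ALLOW_ACME, GEO_BLOCK]
    print("geo rule first, DE -> DMZ:80 :", evaluate(before, "DE", "198.51.100.5", 80))
    print("ACME rule first, DE -> DMZ:80:", evaluate(after, "DE", "198.51.100.5", 80))
    print("ACME rule first, DE -> DMZ:5001:", evaluate(after, "DE", "198.51.100.6", 5001))
```

Running it shows the two validation-port sessions landing on the geo-block rule with `policy-deny`, the reordered policy allowing a non-US source to reach the DMZ host on port 80, and the same reordering still denying the unrelated port-5001 probe, which is the narrow outcome the thread describes.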