ansible proxy jump

Ansible can proxy through a jump host (bastion host) to connect to systems, but there is something to watch out for: a rather vague connection failure of "failed to connect to host via ssh" citing "kex_exchange_identification Connection closed by remote host" and "Connection closed by UNKNOWN port 65535". Worse, the error can seem intermittent, failing for some hosts some of the time but not all of the time (if a host fails and is re-run in a different or smaller batch, it may succeed).

ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q proxyuser@proxyhost"'

In fact, the error can occur when running batches of hosts that use the SSH proxy. By default, the max number of unauthenticated connections through the proxy host is 10. Because Ansible batches systems in parallel, it may try to authenticate a bunch of sessions simultaneously. Check for MaxStartups in /etc/ssh/sshd_config on the proxy host.

# excerpt from: man sshd_config
  Specifies the maximum number of concurrent unauthenticated connections
  to the SSH daemon. Additional connections will be dropped until
  authentication succeeds or the LoginGraceTime expires for a
  connection. The default is 10:30:100.

  Alternatively, random early drop can be enabled by specifying the
  three colon separated values start:rate:full (e.g. "10:30:60").
  sshd(8) will refuse connection attempts with a probability of
  rate/100 (30%) if there are currently start (10) unauthenticated
  connections. The probability increases linearly and all connection
  attempts are refused if the number of unauthenticated connections
  reaches full (60).

Just change the value to something more fitting for the number of hosts in the job run (MaxStartups 150), and restart the sshd service.
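
The random early drop described in the man page excerpt explains why the failure looks intermittent. The following is an added example, not part of the original post: a small model of that drop rule, with hypothetical function names. It assumes the worst case where every parallel connection arrives before any of them has authenticated, and that a single integer value acts as a hard limit.

```python
"""Model of sshd MaxStartups random early drop, per the man page excerpt."""

def parse_max_startups(value):
    """Return (start, rate, full) from 'N' or 'start:rate:full'."""
    parts = [int(p) for p in value.strip().split(":")]
    if len(parts) == 1:
        # Single integer: treated here as a hard limit (start == full).
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError(f"expected N or start:rate:full, got {value!r}")
    start, rate, full = parts
    if not (0 < start <= full and 1 <= rate <= 100):
        raise ValueError(f"inconsistent MaxStartups value {value!r}")
    return start, rate, full

def drop_probability(unauthenticated, value="10:30:100"):
    """Chance that the next connection attempt is refused."""
    start, rate, full = parse_max_startups(value)
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full:
        return 1.0
    # Linear ramp from rate% at `start` up to 100% at `full`.
    ramp = (100 - rate) * (unauthenticated - start) / (full - start)
    return (rate + ramp) / 100

def any_refused(parallel, value="10:30:100"):
    """Chance that at least one of `parallel` connections is refused.

    Assumption (worst case): all connections arrive before any of them
    finishes authenticating, so connection k sees k-1 pending ones.
    """
    all_accepted = 1.0
    for pending in range(parallel):
        all_accepted *= 1.0 - drop_probability(pending, value)
    return 1.0 - all_accepted

if __name__ == "__main__":
    for setting in ("10:30:100", "150"):
        for parallel in (5, 10, 11, 15, 25, 50):
            print(f"MaxStartups {setting:<9} parallel={parallel:<3} "
                  f"P(any refused)={any_refused(parallel, value=setting):.2f}")
```

With the default 10:30:100, ten parallel sessions never fail, while an eleventh already has a 30% chance of being dropped, which matches a failed host succeeding when re-run in a smaller batch.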