A forcefully rejected connection is usually a firewall. Can you sniff it and determine if a TCP connection is actually happening, and data is exchanged (indicating auth failure/some other failure), or if you get an immediate RST on the connection attempt (inidicating firewall/service not avail/wrong server)?