We've had support issues with SCRAM-SHA authentication when using Half-Secure XDCR replication – an example is .   The issues are caused by customer's monitoring software capturing the "401" responses (that are normal part of the SCRAM-SHA protocol) from the XDCR target nodes, and thinking that the 401's are part of an attack, resetting or killing good connections being used by XDCR.

So, need to document that monitoring software or firewall software may see these 401 responses when half-secure replication is being used, and that they should be allowed as normal.   The documentation should be updated in these places (or updated in one place and referenced):

1) Enable Half-Secure Replications (Understanding Half-Secure Replications)

https://docs.couchbase.com/server/current/manage/manage-xdcr/enable-half-secure-replication.html#understanding-half-secure-replications

2) Managing XDCR Data Encryption (Configuring XDCR with data encryption)

https://docs.couchbase.com/server/current/rest-api/rest-xdcr-data-encrypt.html#configuring-xdcr-with-data-encryption

3) Cross Data Center Replication (XDCR) (XDCR Security) 

https://docs.couchbase.com/server/current/learn/clusters-and-availability/xdcr-overview.html#xdcr-security

The additional info about SCRAM-SHA and half-secure XDCR replication should convey the info below: