Skip to Content

Things that happen in support messages that I don’t like…

After some years working in support solving messages everybody will have a list of things that do occur over and over again and that never seem to get better.
Today I will start with the most anoying one (at least to me):

No remote connection possible!

Imagine you experience a heart attack. What you usually need is somebody trained to help you in that situation and do at least the primary steps to save your life.
At best this person is a paramedic so you can be rather sure that you’re in good hands.
Now imagine you have this person at your front door, when the heart attack occurs but when he wants to enter the room where you’re lying at the floor you just tell him:
“You cannot enter! Our companys security policy denies access by people not working for us… Please tell me how I can save myself!”

Althought this situation might be overbooked it is basically what I (and many of my collegues) face every day.
Customers facing a complete system down situtation are not able to provide TELNET access to their database servers. They are just not prepared to do so.
Of course TELNET is not state of the art concerning security on connections over the internet, no question about that.
But it’s possible to make up something like logging on to a remote connection server via Windows Terminal Services (for example) and from there via SSL to the target machine. So there are options to make this access secure.

And even if customers make the (correct!) decision that for this special situation the potential risk of beeing hacked while the TELNET connection is open is – by far – less costly than having a whole shift of workers leaving early due to the system down situation, even than it’s often just not possible to use the connection.
The companys firewalls block the TELNET port, the SAP service connection is not maintained or (this is the real classic): people ignore the description how to set up such a service connection and forget to allow port 23 (TELNET) on their SAPROUTER. So the infamous “route permission denied” error is just right on its way.

My recommendation: make plans how support should access your systems when they are down!
Set the connections up.
Have them tested – just open a support message and ask for somebody to logon!
This may save you precious HOURS the next time the database won’t come up.

As there are plenty of SAP notes describing the various remote connections I won’t fail to list the most important ones:

#35010 – Service connections: Composite note (overview)

Specific connection types:
Telnet Connection: Note 37001
R/3 Support: Note 812732
SAP-DB Connection: Note 202344
WTS Connection: Note 605795

Official statement concerning SSH-connections:
#789026 – Remote Connection: SSH
For semi-automatic line-opening see:
#797124 – LOP – Line Opener Program

By the way: the connection types listed in the overview (35010) note are exclusive. Whatever remote access tool or technology you are using usually in your company – when it’s not on the list, support cannot use it. So better don’t waste time and ask for such things to be tried.

Best regards

You must be Logged on to comment or reply to a post.
  • Hi Lars:

    Actually, I have been lucky enough to get my customer messages fixed in a very short time...Even the company where I was working allowed access to SAP "paramedics" pretty fast...

    But I haven't heard the same from others...Security is a big issue for some companies...I have to fight my way to get access to SDN on my current project...So I'm sure that giving access to SAP "paramedics" is not an option here...



    • Hi Blag,

      thanks for the comment.
      Of course security is very important - no question about that.
      And SAP cares much about this - each and every support consultant is bound by his contract and sometimes even by additional compliance regulations for specific customer systems.
      Still it should be carefully weighted what does more harm to the company - longer downtime or a security _risk_.

      Well I guess a good strategy might also be to have skilled and trained staff in-house - at least this will improve the efficiency of a "help-through-the-phone"-session a lot... 😉

      KR Lars

  • I agree in that it is annoying not having a remote connection to solve system problems.  But perhaps SAP should offer this remote setup service when they sell/install the software?  Part of the roadmap.
    • Hi Kenneth,

      hmm... that's a point. As I'm not a business guy I can only guess but I would bet that it just don't pays to offer such a service. I mean, what would you be willing to pay for something like this? Knowing how easy it usually is not too much I guess...

      Personally I think this is something the people that actually run the system should take care of. Like of backups, monitoring and support package installation.
      best regards

  • Kishore Balakrishnan send me an email with a question that may be interesting for others as well, so I post it here.
    Dear Lars

         Is there any way for customer to see what SAP paramedics are upto -
    every step

         If this is possible, then customer would not have much issue in
    letting the paramedics to help them

    Best Regards, Kishore.

    And my answer was:

    Dear Kishore,

    best would be to place such questions in the BLOG somments section in SDN so
    that it and my answer is available to to whole community.

    Basically there is a way to find out the steps the SAP supporters will take:
    ask them!
    Talk to them and ask for how the analyze the error.
    There is no automatic action protocol or something like that. But due to
    internal regulations support consultants are held to discuss any changes to
    the system with the customer first.
    So it is actually possible like it's possible to find out what a paramedic
    does - asking.

    Best regards,


  • I mostly agree, but in these cases a webex session could be very helpful. In critical system down situations you will (should) call the customer anyway.
    Setting up a webex session is very simple AND the customer and support can solve the problem together. So no security problem arises and the customer (some of them) will learn how to solve similar problems in the future.

    SAP seems to be very restrictive with using tools like webex. However, as always good blog!

    Best regards, Michael

    • Hello Michael,

      thanks for the comment.
      There is one reason for WebEx not being allowed in support activity: its connnections aren't tracked and logged via the saprouter connection facility that is used for all other connections.

      As SAP needs to be able to exactly tell when and  who tried to log on to which system, it's simply a legal topic to avoid this.

      But of course we (SAP) ARE aware of how useful a direct and friction-free connection to the customer system can be.
      And so, the NetViewer connection has become one of the most important remote connection types for support.
      It's easy to use and very secure and efficient for both customer and SAP support consultants.

      Best regards and thanks for the nice closing comment!