While I have installed a large number of cloud connectors over the years, this week I encountered a problem I had never experienced. It goes to show that even though you may know a lot on a subject, you can never stop learning. Given this, I thought I would document my learnings in this blog – also detailing the process I went through.
Before installing the Cloud Connector I always try to get the firewall rules in place early – this is one of the main things that stop connectivity from the Cloud Connector to the SAP Cloud Platform subaccount. The table below represents the specific firewall rules that need to be in place from the server where the Cloud Connector is installed.
The IP address range required for connectivity to SAP Cloud Platform is the following:
A full list of pre-requisites can be found here https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e23f776e4d594fdbaeeb1196d47bbcc0.html
So, for a customer this week I commenced the job of setting up the technical environment and installed the Cloud Connector for the Non-Production landscape on a server in the DMZ. It is recommended to install this on a server in the DMZ, but I have seen some customers install this within their on-premise landscape. I downloaded the latest version from here and proceeded to install it.
Figure:1 Cloud Connector Install files from tools.hana.ondemand.com
After installing the cloud connector the first task is to hook this up to the SAP Cloud Platform. If everything is in place it should just connect. So, using a generic S userid for the customer I tried to connect to the SAP Cloud Platform DEV subaccount and was met with the following error.
Figure:2 Cloud Connector connectivity error
Not a good result – I am used to connectivity being established straight away so was not pleasantly surprised. OK, problem solving hat needs to come out.
Check: 1 SAP Cloud Connector Logs
The first port of call is the Cloud Connector logs.
Figure:3 Cloud Connector Log and Trace files
You can view the log files directly using the glasses icon or download it by using the download / export icon – highlighted above. When you download this it will save as a ZIP file called scclogs. You need to extract this and you will find the ljs_trace log file.
Figure:4 SCC logs for Cloud Connector
When I check the logs I always try and locate any errors that occur. You can simply search for ERROR or you can read the file and try to understand what is taking place. When I did this I found an ERROR occurring. The two main messages I found were the following:
- Tunnel account:///subaccount is inoperative.
- Preparation of tunnel certificate for firstname.lastname@example.org account failed.
Figure:5 SCC logs – Detailed error messages
I had not seen these error messages before, so I did not really know at this point what the issue was. However, I just had to work through the problem solving process.
Check: 2 – Firewall Rules
So, usually when I get any errors when trying to connect to SAP Cloud Platform subaccounts, I get straight on to the network guys to correct the IP addresses in the firewall. However, the response that came back was that this had been maintained correctly. This was the response:
I have cross checked the firewall rule and could see that the following connections are allowed in firewall.
Source: 10.NNN.NNN.6, 10.NNN.NNN.7 and 10.NNN.NNN.8
Destination: 188.8.131.52, 184.108.40.206 and 220.127.116.11
Port: 443 (https)
OK, so looked like the correct rules were in place.
Check: 3 – Double Check of Firewall Rules ?
OK, you might say why are you performing a double check of the firewall rules. Hmm. I can only say that I want to know for myself that everything is in place so want to share another way of checking that these are in place.
First, check whether you can ping the IP addresses from the Cloud connector server. As you can see below you can ping the 3 addresses for the Cloud Platform to see if there is a response.
You can check this using the command prompt on a Windows machine.
Figure:6 Firewall check – ping the IP addresses
As you can see above all 3 IP addresses successfully pinged so I knew that all was good with the firewall – well from an IP address point of view.
If you do happen to have problems pinging the IP addresses then you need to talk to your network team as this means the hosting server cannot connect to SAP Cloud Platform and usually means the IP addresses have not been allowed in the firewall.
Check: 4 – Triple Check of Firewall Rules
Next I triple check the firewall rules. C’mon, stick with me here. The check this time is for the Port – 443. You can check this by using the Telnet command as detailed below.
Figure:7 Firewall check – telnet check
When you enter this command the cursor should jump to the top and nothing else should appear.
If this is not set up properly errors will occur and if they do (similar to the ping test) then you need to talk to your network team as this means the hosting server cannot connect to the SAP Cloud Platform port (443).
Now I had proven once and for all that the firewall rules were in place and this exhausted my knowledge on network aspects within the server. Had to cover a new angle now.
Check: 5 SAP Notes via SAP Support Portal
The next check is to find any OSS Notes that may be relevant for the errors. Given this was a new version of the Cloud Connector I thought that there may have been a new issue introduced. I was not confident about this line of thinking because the versions of the Cloud Connector have always been very stable. I had to cross this off the list though. I searched using the support portal.
Unfortunately, when I searched I did not use the text that was shown on the popup window – if I had I would have sorted this out quicker. I carried out multiple searches and found all of the following notes that were in the same area but did not cover the problem exactly.
I progressed on – now checking the recently introduced Guided Answers.
Check: 6 Guided Answers
The next option was Guided Answers, and in all honesty I should have gone straight to this. This was launched recently and not every single issue is included at the moment; however, this is a great offering which can only get better over time. I definitely recommend everyone to check these out.
Figure:8 Guided Answers
As you can see above, there are a large number of options included around Installation, Connection issues, trace options, High Availability and performance. Brilliant!
I started working through this by first choosing [Connection issue to Cloud Platform] which is the exact problem I was having. This went straight to a detailed page that included the following information.
Unfortunately none of these items was going to help me here so I did mark the [This did not solve my issue] option at the end of the guided answer.
When I did this it asked me what I wanted to do next. I thought this was really useful. Overall, the guided answers are really great and will be my go to for all SAP Cloud Platform issues into the future.
Figure:8 Guided Answers – Next Steps
I was really close to opening an incident but thought I would give Twitter a try – maybe someone had experienced this issue before. It was worth a try and of course another reason to Tweet was good!
For more information on Guided Answers check out the following blog.
Check: 7 Tweet of course!
I decided to post on Twitter the fact that I was having issues with connectivity and, what do you know, one of my followers thought he had seen this before. BOOM! He sent through the following OSS note and I checked it and it made sense. Geez, I love Twitter!
The symptom described exactly matched the error on the popup.
The SAP Cloud Connector cannot connect to SAP Cloud Platform, the following message appears in the SAP Cloud Connector Administration UI:
500 Host ap1.hana.ondemand.com unknown (check your network and proxy settings)
The resolution described in the note talked about updating the hosts file on the server where the SAP Cloud Connector was installed. So I proceeded to update the hosts file.
Figure:9 Hosts file updated via OSS Note 2496689
While the note mentioned the old AP1 region IP addresses it actually solved the issue. I was seriously happy about this.
NOTE: In Linux OS the hosts file path is /etc/hosts
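The ping check above was run against IP addresses, while the error in the note names a host, so name resolution and the port 443 check are worth testing as separate stages. The following is an added example, not from the original post or from SAP: `parse_hosts`, `hosts_resolver` and `diagnose` are hypothetical helper names, and the hosts-file content with its 203.0.113.10 address is a constructed placeholder.

```python
import socket

# Constructed sample hosts-file content; 203.0.113.10 is a documentation
# placeholder, not a real SAP Cloud Platform address.
SAMPLE_HOSTS = """\
# constructed example
127.0.0.1      localhost
203.0.113.10   ap1.hana.ondemand.com   # placeholder IP
"""

def parse_hosts(text):
    """Map each host name in hosts-file text to its first listed IP."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def hosts_resolver(mapping):
    """Resolver backed only by a parsed hosts mapping (hypothetical helper)."""
    def resolve(host):
        try:
            return mapping[host.lower()]
        except KeyError:
            raise socket.gaierror(f"{host} not in hosts mapping") from None
    return resolve

def diagnose(host, port=443, resolve=socket.gethostbyname, timeout=5.0):
    """Report whether name resolution or the TCP connect is the failing stage."""
    try:
        ip = resolve(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"stage": "dns", "ok": False, "detail": f"{host} unknown: {exc}"}
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            pass
    except OSError as exc:
        return {"stage": "tcp", "ok": False, "detail": f"{ip}:{port}: {exc}"}
    return {"stage": "tcp", "ok": True, "detail": f"{host} -> {ip}:{port} open"}

if __name__ == "__main__":
    # Uses the system resolver, which also reads the local hosts file.
    print(diagnose("ap1.hana.ondemand.com"))
```

A result with `stage` set to `dns` corresponds to the "Host ... unknown" popup; a result with `stage` set to `tcp` and `ok` false points back at the firewall rule for port 443.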
Once the connectivity issues were resolved I spent some time thinking about the learnings I had throughout this process – there definitely were some.
- Check out the Guided Answers earlier! This is seriously helpful so I would go here first. The Guided Answers home page is here. Don’t forget if the particular option is not included then you can provide direct feedback.
- Provide a better search when checking for notes in the SAP Support Portal. I carried out a subsequent search and I entered the text which was from the popup window and BOOM! Found the note straight away. Big learning lesson here to enter the most obvious
- Think about the architecture. The Cloud Connector was installed in the DMZ so talk to the network team about what normally needs to be in place for servers that are placed there. I now know that when servers are in the DMZ, IP addresses have to be specifically added to the hosts file to allow connectivity.
While frustrating at first, this was a really good experience as I learnt something new. Will definitely be checking this next time I install the Cloud Connector.
I hope those that experience issues with connectivity can use this blog to assist them.
Thanks for reading!