It can happen that SAP cloud connector cannot establish a secure tunnel to the SAP cloud platform.
The normal tunnel establishment records similar entries with INFO severity level in the ljs_trace.log file:
#INFO #com.sap.core.connectivity.tunnel.client.handshake.ClientProtocolHandshaker#notification-client-3-1 #Sending handshake request for tunnel: account:///c012345abc/centos and host connectivitynotification.ap1.hana.ondemand.com:443| #INFO #com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl#notification-client-3-1 #Registered tunnel channel [id: 0xb80c2c8b, L:/xx.xx.52.129:53096 - R:connectivitynotification.ap1.hana.ondemand.com/157.133.97.47:443] for tunnel id "account:///c012345abc/centos" and client id "1C9480707A4011E8C764DF2EC0A83481"| #INFO #com.sap.core.connectivity.tunnel.client.notification.NotificationClient#notification-client-3-1 #Successfully established tunnel channel to notification service: [id: 0xb80c2c8b, L:/xx.xx.52.129:53096 - R:connectivitynotification.hanatrial.ondemand.com/157.133.97.47:443]|
However, when connection establishment fails, you need to look for the cloud connector log file ljs_trace.log for details:
Connection timed out
#ERROR#com.sap.scc.rt#http-bio-8443-exec-7# #Tunnel Connect Failed java.net.ConnectException: Connection timed out: no further information: connectivitynotification.ap1.hana.ondemand.com/157.133.97.47:443 at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:717) at io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:224) at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:289) at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:545) at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:485) at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:399) at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:371) at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112) at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) at java.lang.Thread.run(Thread.java:745)|
In this case, the SAP cloud connector cannot reach the notification server due to a timeout
The accessibility of the notification server can be checked with networking tools:
tracert tool
On Windows OS check route with tracert tool:
tracert -d <hostname>
C:\Tools\tracert -d connectivitynotification.ap1.hana.ondemand.com Tracing route to connectivitynotification.ap1.hana.ondemand.com [157.133.97.47] over a maximum of 30 hops: 1 2 ms 2 ms 2 ms xx.xx.xx.1 2 31 ms 31 ms 27 ms xx.xx.xx.169 3 39 ms 38 ms 45 ms xx.xx.xx.209 4 * 79 ms 87 ms xx.xx.xx.225 5 * 92 ms 86 ms xx.xx.xx.96 6 71 ms 43 ms 31 ms xx.xx.xx.6 7 50 ms 49 ms 53 ms xx.xx.xx.6 8 82 ms 91 ms 99 ms xx.xx.3.159 9 * 54 ms 53 ms xx.xx.204.37 10 170 ms * 189 ms xx.xx.47.10 11 193 ms 161 ms 166 ms xx.xx.50.165 12 270 ms 247 ms 259 ms xx.xx.115.102 13 212 ms 251 ms 248 ms xx.xx.114.18 14 * * * Request timed out. 15 * 440 ms 436 ms xx.xx.48.30 16 * 467 ms * xx.xx.7.202 17 * * * Request timed out. 18 * * * Request timed out. 19 453 ms 426 ms 466 ms 157.133.97.47 Trace complete.
nmap tool
On Windows or Linux systems check route with nmap tool:
nmap -sn -traceroute <host name>
C:\Tools>nmap -sn --traceroute connectivitynotification.ap1.hana.ondemand.com Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 09:33 W. Europe Daylight Time Nmap scan report for connectivitynotification.ap1.hana.ondemand.com (157.133.97.47) Host is up (0.41s latency). TRACEROUTE (using proto 1/icmp) HOP RTT ADDRESS 1 0.00 ms xxxxxxxxxxxxxxxxxxxxxxxxx.corp (xx.xx.xx.1) 2 0.00 ms xxxxxxxxxxxxxxxxxxxxxxxxx.corp (xx.xx.xx.169) 3 0.00 ms xxxxxxxxxxxxxxxxxxxxxxxxx.corp (xx.xx.xxx.209) 4 0.00 ms xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (xx.xx.139.225) 5 ... 6 7 21.00 ms xx.xx.3.6 8 0.00 ms xx.xx.3.159 9 17.00 ms xx.xx.204.37 10 117.00 ms xx.xx.47.10 11 121.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.50.165) 12 237.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.15.102) 13 237.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.114.18) 14 ... 15 406.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.48.30) 16 503.00 ms xx.xx.7.202 17 ... 18 19 400.00 ms 157.133.97.47 Nmap done: 1 IP address (1 host up) scanned in 17.77 seconds
The nmap tool can be downloaded from https://nmap.org/ site.
traceroute tool
On Linux system execute command traceroute -n <host name> command:
[root@boxes ~]$ traceroute -n connectivitynotification.ap1.hana.ondemand.com
curl tool
From the Cloud Connector machine check the connectivity service availability with curl tool.
The connectivity service URLs are listed in Connectivity help page
For example connectivity service links in NEo environment for Rot location:
Europe (Rot) | connectivitynotification.hana.ondemand.com | 155.56.210.83 | |
connectivitycertsigning.hana.ondemand.com | 155.56.210.43 | ||
connectivitytunnel.hana.ondemand.com | 155.56.210.84 |
curl -v connectivitynotification.hana.ondemand.com:443
>curl -v connectivitynotification.hana.ondemand.com:443
* Rebuilt URL to: connectivitynotification.hana.ondemand.com:443/
* Trying 155.56.210.83...
* TCP_NODELAY set
* Connected to connectivitynotification.hana.ondemand.com (155.56.210.83) port 443 (#0)
> GET / HTTP/1.1
> Host: connectivitynotification.hana.ondemand.com:443
> User-Agent: curl/7.55.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host connectivitynotification.hana.ondemand.com left intact
curl: (52) Empty reply from server
>curl -v connectivitycertsigning.hana.ondemand.com:443
* Rebuilt URL to: connectivitycertsigning.hana.ondemand.com:443/
* Trying 155.56.210.43...
* TCP_NODELAY set
* Connected to connectivitycertsigning.hana.ondemand.com (155.56.210.43) port 443 (#0)
> GET / HTTP/1.1
> Host: connectivitycertsigning.hana.ondemand.com:443
> User-Agent: curl/7.55.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host connectivitycertsigning.hana.ondemand.com left intact
curl: (52) Empty reply from server
>curl -v connectivitytunnel.hana.ondemand.com:443
* Rebuilt URL to: connectivitytunnel.hana.ondemand.com:443/
* Trying 155.56.210.84...
* TCP_NODELAY set
* Connected to connectivitytunnel.hana.ondemand.com (155.56.210.84) port 443 (#0)
> GET / HTTP/1.1
> Host: connectivitytunnel.hana.ondemand.com:443
> User-Agent: curl/7.55.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host connectivitytunnel.hana.ondemand.com left intact
curl: (52) Empty reply from server
Use the same proxy settings in curl command as in cloud connector:
curl -v --proxy "proxy:8888" --proxy-user "proxyUser:proxyPassword" connectivityhost:443
In case a proxy has to be used in cloud connector, useof proxy
The tunnel establishment can be traced with Wireshark (www.wireshark.org) or tcpdump tools as well.