SAP Netweaver Application Server Java
Skip to end of metadata
Go to start of metadata

It can happen that SAP cloud connector cannot establish a secure tunnel to the SAP cloud platform.

The normal tunnel establishment records similar entries with INFO severity level in the ljs_trace.log file:

ljs_trace.log
#INFO
#com.sap.core.connectivity.tunnel.client.handshake.ClientProtocolHandshaker#notification-client-3-1       
#Sending handshake request for tunnel: account:///c012345abc/centos and host connectivitynotification.ap1.hana.ondemand.com:443|

#INFO
#com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl#notification-client-3-1       
#Registered tunnel channel [id: 0xb80c2c8b, L:/xx.xx.52.129:53096 - R:connectivitynotification.ap1.hana.ondemand.com/157.133.97.47:443] for tunnel id "account:///c012345abc/centos" and client id "1C9480707A4011E8C764DF2EC0A83481"|

#INFO
#com.sap.core.connectivity.tunnel.client.notification.NotificationClient#notification-client-3-1        
#Successfully established tunnel channel to notification service: [id: 0xb80c2c8b, L:/xx.xx.52.129:53096 - R:connectivitynotification.hanatrial.ondemand.com/157.133.97.47:443]|


However, when connection establishment fails, you need to look for the cloud connector log file ljs_trace.log for details:

Connection timed out

ljs_trace.log
#ERROR#com.sap.scc.rt#http-bio-8443-exec-7#          #Tunnel Connect Failed
java.net.ConnectException: Connection timed out: no further information: connectivitynotification.ap1.hana.ondemand.com/157.133.97.47:443
	at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
	at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:717)
	at io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:224)
	at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:289)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:545)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:485)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:399)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:371)
	at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
	at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
	at java.lang.Thread.run(Thread.java:745)|

In this case, the SAP cloud connector cannot reach the notification server due to a timeout

The accessibility of the notification server can be checked with networking tools:

tracert tool

On Windows OS check route with tracert tool:

tracert -d <hostname>

C:\Tools\tracert -d connectivitynotification.ap1.hana.ondemand.com

Tracing route to connectivitynotification.ap1.hana.ondemand.com [157.133.97.47]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  xx.xx.xx.1
  2    31 ms    31 ms    27 ms  xx.xx.xx.169
  3    39 ms    38 ms    45 ms  xx.xx.xx.209
  4     *       79 ms    87 ms  xx.xx.xx.225
  5     *       92 ms    86 ms  xx.xx.xx.96
  6    71 ms    43 ms    31 ms  xx.xx.xx.6
  7    50 ms    49 ms    53 ms  xx.xx.xx.6
  8    82 ms    91 ms    99 ms  xx.xx.3.159
  9     *       54 ms    53 ms  xx.xx.204.37
 10   170 ms     *      189 ms  xx.xx.47.10
 11   193 ms   161 ms   166 ms  xx.xx.50.165
 12   270 ms   247 ms   259 ms  xx.xx.115.102
 13   212 ms   251 ms   248 ms  xx.xx.114.18
 14     *        *        *     Request timed out.
 15     *      440 ms   436 ms  xx.xx.48.30
 16     *      467 ms     *     xx.xx.7.202
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19   453 ms   426 ms   466 ms  157.133.97.47

Trace complete.


nmap tool

On Windows or Linux systems check route with nmap tool:

nmap -sn -traceroute <host name>

C:\Tools>nmap -sn --traceroute connectivitynotification.ap1.hana.ondemand.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 09:33 W. Europe Daylight Time
Nmap scan report for connectivitynotification.ap1.hana.ondemand.com (157.133.97.47)
Host is up (0.41s latency).

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   0.00 ms   xxxxxxxxxxxxxxxxxxxxxxxxx.corp (xx.xx.xx.1)
2   0.00 ms   xxxxxxxxxxxxxxxxxxxxxxxxx.corp (xx.xx.xx.169)
3   0.00 ms   xxxxxxxxxxxxxxxxxxxxxxxxx.corp (xx.xx.xxx.209)
4   0.00 ms   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (xx.xx.139.225)
5   ... 6
7   21.00 ms  xx.xx.3.6
8   0.00 ms   xx.xx.3.159
9   17.00 ms  xx.xx.204.37
10  117.00 ms xx.xx.47.10
11  121.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.50.165)
12  237.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.15.102)
13  237.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.114.18)
14  ...
15  406.00 ms xxxxxxxxxxxxxxxxxxxxxxxx.NET (xx.xx.48.30)
16  503.00 ms xx.xx.7.202
17  ... 18
19  400.00 ms 157.133.97.47

Nmap done: 1 IP address (1 host up) scanned in 17.77 seconds

The nmap tool can be downloaded from https://nmap.org/ site.


traceroute tool

On Linux system execute command traceroute -n <host name> command:

[root@boxes ~]$ traceroute -n connectivitynotification.ap1.hana.ondemand.com


curl tool

From the Cloud Connector machine check the connectivity service availability with curl tool.

The connectivity service URLs are listed in Connectivity help page

For example connectivity service links in NEo environment for Rot location:

Europe (Rot)

(hana.ondemand.com)

connectivitynotification.hana.ondemand.com155.56.210.83
connectivitycertsigning.hana.ondemand.com155.56.210.43
connectivitytunnel.hana.ondemand.com155.56.210.84


curl -v connectivitynotification.hana.ondemand.com:443
>curl -v connectivitynotification.hana.ondemand.com:443
* Rebuilt URL to: connectivitynotification.hana.ondemand.com:443/
* Trying 155.56.210.83...
* TCP_NODELAY set
* Connected to connectivitynotification.hana.ondemand.com (155.56.210.83) port 443 (#0)
> GET / HTTP/1.1
> Host: connectivitynotification.hana.ondemand.com:443
> User-Agent: curl/7.55.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host connectivitynotification.hana.ondemand.com left intact
curl: (52) Empty reply from server


>curl -v connectivitycertsigning.hana.ondemand.com:443
* Rebuilt URL to: connectivitycertsigning.hana.ondemand.com:443/
* Trying 155.56.210.43...
* TCP_NODELAY set
* Connected to connectivitycertsigning.hana.ondemand.com (155.56.210.43) port 443 (#0)
> GET / HTTP/1.1
> Host: connectivitycertsigning.hana.ondemand.com:443
> User-Agent: curl/7.55.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host connectivitycertsigning.hana.ondemand.com left intact
curl: (52) Empty reply from server


>curl -v connectivitytunnel.hana.ondemand.com:443
* Rebuilt URL to: connectivitytunnel.hana.ondemand.com:443/
* Trying 155.56.210.84...
* TCP_NODELAY set
* Connected to connectivitytunnel.hana.ondemand.com (155.56.210.84) port 443 (#0)
> GET / HTTP/1.1
> Host: connectivitytunnel.hana.ondemand.com:443
> User-Agent: curl/7.55.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host connectivitytunnel.hana.ondemand.com left intact
curl: (52) Empty reply from server


Use the same proxy settings in curl command as in cloud connector:

curl -v --proxy "proxy:8888" --proxy-user "proxyUser:proxyPassword" connectivityhost:443

In case a proxy has to be used in cloud connector, useof proxy

The tunnel establishment can be traced with Wireshark (www.wireshark.org) or tcpdump tools as well.


  • No labels