cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Cloud Connector is unable to handshake with notification server

Go to solution
alicifci
Explorer

on ‎07-10-2018 2:54 PM

Hi all,

We are struggling with a problem with the connection from the SAP Cloud Connector (SCC) tot SAP Cloud Foundry.

The connection to subaccounts in the SAP Cloud Foundry are disconnected after a couple of days. The connection is back when we do a restart of the Cloud Connector.

I did a research in the log. What I see is that Cloud Connector resolves the connectivitynotification.cf.eu10.hana.ondemand.com URL with a different IP address. When this happen's the ping/pong failes. When this occures the connection is lost and don't come back until a restart of the SAP Cloud Connector.

When the URL is resolved to IP 18.185.180.20:443 it's working fine. The logrecord is like following: #Successfully connected channel: [id: xxxxxxx, L:/xxxxx:xxxx - R:connectivitynotification.cf.eu10.hana.ondemand.com/18.185.180.20:443]. Starting handshake with tunnel server for tunnel ID: account:///xxxxxxxxxx|

When the URL is resolved to IP 5x.9x.13x.23x:443 the connection fails. The logrecord is then like: #Unable to handshake with notification server connectivitynotification.cf.eu10.hana.ondemand.com/5x.9x.13x.23x:443

We are trying to fix this with a workaround. In the firewall we added a fixed IP address to the URL connectivitynotification.cf.eu10.hana.ondemand.com = 18.185.180.20:443.

The question is: why the URL connectivitynotification.cf.eu10.hana.ondemand.com is resolved to so much different IP addresses? I see in the Iij_trace.log of the cloud connector at least 4 IP addresses.

- 18.18x.18x.2x
- 54.9x.13x.23x
- 35.15x.14x.21x
- 155.5x.21x.8x
- 18.19x.8.24x

Is someone able to explain this to me?

What is the best solution for fixing this problem?

Best regards,

Ali Cifci

Senior SAP Consultant

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

alicifci
Explorer
‎12-06-2018 9:03 AM

Because the IP addresses of SAP are dynamic, you must allow outgoing connections to ANY in you're firewall.

That setting solved our issue.

Show replies
Show replies

Answers (2)

Answers (2)

eidahanafiahahmad
Explorer
‎03-25-2021 1:09 AM
0 Kudos

Have you found out what is the problem?

Show replies
Show replies
former_member213660
Participant
‎07-10-2018 5:35 PM
0 Kudos

HI Ali

Here you can find a table with all the host-names per region and the ip addresses that match them: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e23f776e4d594fdbaeeb1196d47...

So, for the connectivitynotification.cf.eu10.hana.ondemand.com, the IP Addresses are:

52.58.143.196 and 35.157.143.217.

So, for the SCC be able to properly reach it, the machine where the SCC is installed should be able to perform a tracerout to the port 443 for these two ip addresses.

Thanks,

Augusto

Show replies
Show replies
alicifci
Explorer
‎07-11-2018 9:04 AM
0 Kudos

Hi Augusto,

Tracert to 52.58.143.196 and 35.157.143.217 is not possible at the moment. I asked our network administrator to fix this in the firewall.

Thanks for your reply, I let you know if this is the solution.

Ali Cifci

alicifci
Explorer
‎07-11-2018 11:40 AM
0 Kudos

When I ping to connectivitynotification.cf.eu10.hana.ondemand.com from the Cloud Connector I get this repsonse:

Pinging cf-proxy-hcp-live-eu10-757849102.eu-central-1.elb.amazonaws.com [18.197.8.241] with 32 bytes of data: Request timed out.
Request timed out.
Request timed out.

We added IP addresses 52.58.143.196 and 35.157.143.217 to our firewall. Can it be that this (18.197.8.241) is a proxy of the SAP Cloud Foundry that lies in front of the SAP Cloud Foundy self?

former_member213660
Participant
‎07-11-2018 5:45 PM

Hi Ali

Have you configured your proxy settings in your cloud connector?

Take a look here: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/db9170a7d97610148537d5a84bf...

Thanks,

Augusto

alicifci
Explorer
‎07-12-2018 10:09 AM
0 Kudos

Hi Augusto,

I talked with ou're network guy. He told me that we don't use any proxy for outgoing connections. We just opened the connection to 52.58.143.196 and 35.157.143.217 in the firewall.

The use of a proxy is optional.

former_member213660
Participant
‎07-12-2018 5:27 PM

Hi Ali,

The cloud connector will not be able to work if the machine where it is installed is not able to perform a tracerout to the IP Addresses mentioned here: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e23f776e4d594fdbaeeb1196d47...

So, if the traceroutes are not reaching the IP Addresses of your account, you need to engage your network team to analyze it.

Augusto

alicifci
Explorer
‎07-13-2018 12:11 PM
0 Kudos

Hi Augusto,

Can it be that our customer needs to whitelist the IP address of the Cloud Connector, in the SAP Cloud Platform environment?

I am also not able to do a tracert to connectivitynotification.cf.eu10.hana.ondemand.com from my own laptop. I can not check te configuration of the Cloud Platform by my self. It's an account of the customer.

If I summarize it: the connection from the SAP Cloud Connector to connectivitynotification.cf.eu10.hana.ondemand.com is open in our firewall. But if I do a ping to connectivitynotification.cf.eu10.hana.ondemand.com I get another IP back. That is IP address 18.185.180.20. Ping and tracert to 52.58.143.196 and 35.157.143.217 is not possible.

Ask a Question