on 03-28-2014 7:08 PM
Hello, we are having a problem opening connections to our systems in the support portal and would appreciate any help and direction. This is probably a problem with our SAPRouter or firewall configuration, but we have been unable to identify where that problem is, and we are working closely with our network folks to try to correct it. We are able to download OSS notes through SNOTE and all of the RFCs work correctly, but we can't seem to keep a connection open to allow SAP support to log in to our systems. The connection appears to open for about three minutes but then gives the error "Host did not respond 1-9 times"; then the connection shows cancelled after about 18 min. We have had a high priority incident open with SAP for the last couple of weeks but haven't gotten much response from them. SAP has the IP addresses of our SAPRouter and VPN correct and the routestring is correct.
SAPRouter = 216.253.195.169
VPN = 216.253.195.170
Routestring = /H/colo-sap-router.insummit.com/S/3299
We are able to ping SAP (194.117.106.129) from the saprouter server successfully. A few things I have read indicate that a simple test is that you should be able to telnet to SAP (IP above) on the configured port, 3299, but this we are not able to do, and we've told this to SAP; we can telnet to port 21 but not 3299.
SAPRouter is on a Windows 2008 server OS using VPN. Attached is our saprouttab file.
Also attached is a trace.out file, and dev_rout file.
Here are the firewall ACLs:
access-list Outside extended permit ip host 216.253.195.169 host 147.204.100.142
access-list Outside extended permit ip host 147.204.2.5 host 216.253.195.169
access-list Outside extended permit ip host 216.169.212.169 host 147.204.100.142
!
access-list Outside extended permit ip host 194.117.106.129 any
access-list Outside extended permit ip any host 194.117.106.129
access-list Outside extended permit ip host 194.117.106.128 any
access-list Outside extended permit ip host 216.253.195.169 194.117.106.128 255.255.255.252
access-list Outside extended permit ip host 194.117.106.128 host 216.253.195.169
access-list Outside extended permit ip 194.117.106.128 255.255.255.252 host 216.253.195.169
access-list Outside extended permit ip host 194.117.106.129 host 216.253.195.169
access-list Outside extended permit ip host 216.169.212.169 194.117.106.128 255.255.255.252
Here are the routes:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.5.0.1 10.5.0.222 266
10.5.0.0 255.255.255.0 On-link 10.5.0.222 266
10.5.0.222 255.255.255.255 On-link 10.5.0.222 266
10.5.0.255 255.255.255.255 On-link 10.5.0.222 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
194.117.106.128 255.255.255.252 216.253.195.170 216.253.195.169 21
216.253.195.168 255.255.255.248 On-link 216.253.195.169 276
216.253.195.169 255.255.255.255 On-link 216.253.195.169 276
216.253.195.175 255.255.255.255 On-link 216.253.195.169 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.5.0.222 266
224.0.0.0 240.0.0.0 On-link 216.253.195.169 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.5.0.222 266
255.255.255.255 255.255.255.255 On-link 216.253.195.169 276
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
194.117.106.128 255.255.255.252 216.253.195.170 1
0.0.0.0 0.0.0.0 10.5.0.1 Default
And here is the VPN tunnel info:
6 IKE Peer: 194.39.131.167
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
show ipsec sa peer 194.39.131.167
peer address: 194.39.131.167
Crypto map tag: cryptomap1, seq num: 15, local addr: 216.253.195.170
access-list encrypt_123_to_SAP extended permit ip host 216.253.195.169 194.117.106.128 255.255.255.252
local ident (addr/mask/prot/port): (216.253.195.169/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (194.117.106.128/255.255.255.252/0/0)
current_peer: 194.39.131.167
#pkts encaps: 459156, #pkts encrypt: 459156, #pkts digest: 459156
#pkts decaps: 65825, #pkts decrypt: 65825, #pkts verify: 65825
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 459156, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.253.195.170, remote crypto endpt.: 194.39.131.167
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 90CB4EA0
current inbound spi : 769BBB0D
inbound esp sas:
spi: 0x769BBB0D (1989917453)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20480, crypto-map: cryptomap1
sa timing: remaining key lifetime (kB/sec): (4373965/4063)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x90CB4EA0 (2429243040)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20480, crypto-map: cryptomap1
sa timing: remaining key lifetime (kB/sec): (4373954/4063)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Again, any help and suggestions are greatly appreciated.
Thanks,
Brent
Issue resolved, ended up being a firewall configuration problem with open ports.
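As an added example (not code from the thread or from SAP), the script below parses a SAProuter route string into its /H/host/S/port hops and evaluates a source/destination pair against the Cisco ASA style access-list lines posted above, using first-match semantics with the ASA's implicit deny at the end. It assumes only the ACL forms seen in the post (`any`, `host A.B.C.D`, `A.B.C.D MASK`) and does not model the saprouttab, which is not shown on the page.

```python
"""Added example: parse a SAProuter route string and check whether a flow is
permitted by Cisco ASA style access-list entries (first match wins)."""
import ipaddress
import re

# ACL lines copied from the post above; '!' separator lines are skipped.
ACL_TEXT = """
access-list Outside extended permit ip host 216.253.195.169 host 147.204.100.142
access-list Outside extended permit ip host 147.204.2.5 host 216.253.195.169
!
access-list Outside extended permit ip host 194.117.106.129 any
access-list Outside extended permit ip any host 194.117.106.129
access-list Outside extended permit ip host 216.253.195.169 194.117.106.128 255.255.255.252
"""

def parse_route_string(route):
    """Return [(host, port)] for each /H/<host>[/S/<port>] hop; SAProuter
    defaults the service to 3299 when /S/ is omitted."""
    return [(m.group(1), int(m.group(2) or 3299))
            for m in re.finditer(r"/H/([^/]+)(?:/S/(\d+))?", route)]

def _endpoint(tokens):
    """Consume one ASA endpoint: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' lines."""
    pat = re.compile(r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)")
    rules = []
    for line in text.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue  # blank lines and '!' separators
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _endpoint(tokens)
        dst = _endpoint(tokens)
        rules.append((name, action, proto, src, dst))
    return rules

def flow_permitted(rules, src, dst, proto="tcp"):
    """First matching entry decides; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, p, snet, dnet in rules:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False
```

Because every entry above permits `ip` (all protocols), a port-level block such as the one the thread was resolved with would have to live outside this ACL, which is exactly what a check like this helps rule in or out.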
Hi Brent,
I see your problem is critical!!!!
But you can have a Netviewer session with SAP.
It's a simple and effective way of analysing the issue at run time.
SAP SMP Netviewer Instructions DE - YouTube
Please check the above link.
Regards,
Abhishek
I believe you need to also allow ping (ICMP) for SAP's IP address. You can verify that SAP can connect to your system by using the Service Connector.
Ok, sorry about that. Yes, I know that the tunnel is established, and they have even stated that they see our VPN tunnel up and running from their side; and we can see that they've established connections with us. Below is the netstat output:
Active Connections
Proto Local Address Foreign Address State
TCP 10.5.0.222:3299 sapsmd:59355 ESTABLISHED
TCP 10.5.0.222:3299 sapsmd:59357 ESTABLISHED
TCP 10.5.0.222:3389 sap-becton:1350 ESTABLISHED
TCP 216.253.195.169:2930 194.117.106.129:sapdp99 ESTABLISHED
TCP 216.253.195.169:2932 194.117.106.129:sapdp99 ESTABLISHED
In that case I don't have anything to add. In the past, when establishing new remote connections, I always had a direct contact in Walldorf who I worked with to make the remote connection work. Sometimes I even made the network admins (at SAP and at my customer) speak to each other; it usually didn't take longer than 30 minutes to get the remote connection up and running.