
Telnet says connection refused even after the firewall port is open

Former Member
0 Kudos

Hello Gurus,

We are facing issues while connecting to SAP systems.

Gateway, dispatcher and message server ports are configured in the services file.

Network team says all ports are open.

I am able to telnet Dispatcher and Message server ports, but gateway ports are giving connection refused error.

Network team says if there is connection refused error, then that means that the server is rejecting the connection, and it is not an issue with ports.

If it is an issue with port, it will give timeout error. Hence in this case, they are saying it is not a network issue.

Can you please throw some light on this issue?

Is there any other place where I need to check or any other ways which will help me troubleshoot the issue.

Thanks,

Sowmya

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Hi All,

I need a few more clarifications.

I am able to connect to the system after connecting to customer network. I can see gateway connections open in smgw - I can see some active sessions in gateway with status connected. Does that mean that gateway port is opened?

My colleague from some other company is unable to access the systems. Issue is a bit more complicated here. He is able to access few SAP systems and few systems are not accessible.

And for those SAP systems, the only difference I can see is Gateway ports are giving connection refused if I do a telnet of it, and the local network team checked my colleague's settings. Everything is fine... I want to trace all the ports which he is trying to. I was thinking about niping test, but it even times out in my laptop when I test it, though I am able to login into the system.

Is there any other detail testing mechanism? I tried tracert also. It is giving time out even for a system which I am able to connect to. Can I rely on these tools?

Is there any other way to test?

Thanks

Sowmya

isaias_freitas
Advisor
0 Kudos

Hello,

SAP GUI login uses the Dispatcher port (32<Instance Number>), not the Gateway port (33<Instance Number>).

Telnet / niping is the way to test the connectivity to a target server / port.

Regards,

Isaías

Former Member
0 Kudos

Hello Isaias,

Thanks for your reply. Telnet for dispatcher port is working fine. Yeah, as you said, it will not use gateway port. But I could not see any other differences when I compare the ports of two SAP systems, one system which I am able to connect and the other one which I am not able to connect.

KR,

Sowmya

former_member199290
Participant
0 Kudos

Hi Sowmya:

As Isaias mentioned, Telnet/niping are the tools that you can use to perform basic connectivity checks. niping should work from your laptop at least if connectivity is fine from your end.

I would suggest once you perform the connectivity test using niping, go ahead and advise your colleague to do the same and provide you the results.

Following link provides simple example where you can start niping -s on the server side. Client request can be sent from your machine and then later on your colleague's machine. Check and compare the results.

Testing Basic Functions - SAProuter - SAP Library

isaias_freitas
Advisor
0 Kudos

But in this case they would need to open one more port at the firewall, as "niping -s" is starting a niping server.

Niping will use the port "3298" by default, when started as a server.

I would say that this is not actually "required".

You can test from the client computers only, using:

    niping -c -H <hostname/IP of SAP server> -S <SAP port to test> -O

-> the last character is the uppercase letter "o", not the number zero

For example, to test the Dispatcher port of an SAP instance number 15:

   niping -c -H <hostname> -S 3215 -O

Regards,

Isaías

former_member199290
Participant
0 Kudos

Agreed Isaias. Pretty much like Telnet test.

isaias_freitas
Advisor
0 Kudos

Yep.

Former Member
0 Kudos

Thanks all for your inputs. I will check and feedback 🙂

Former Member
0 Kudos

Hello Sowmya,

Simple way for you to prove it is by running your telnet commands on the server where the SAP system is running. Not from another server but on the server that you are trying to connect to. That proves beyond any shadow of a doubt that the services are running and listening on the defined ports.

E.g., taking instance number 14 as an example:

    telnet localhost sapdp14

    telnet localhost sapms<SID>

    telnet localhost sapgw14

You can run a 'grep' on the /etc/services file for each of the above and then perform a 'netstat -an | grep <your port number from services file>'.

E.g.:

    netstat -an | grep 3314

You would get an output that should show the IP addresses on which this port is being listened upon with a "LISTEN" in the output.

Hope this helps you a bit in your adventure.

KR,

Amerjit

isaias_freitas
Advisor
0 Kudos

bxiv
Active Contributor
0 Kudos

Just to add in 2 cents (as I used to admin a Cisco ASA and dealt with other firewalls): a firewall is a 'stateful' device; it has to log all connections coming into it and what it is being translated/routed to (aka the destination).

Your network team should be able to show you the logs/trace on the device to prove or disprove how it is handling the traffic.

Also, on another note, firewalls are not just set to use layer 3 or 4; they can interfere as far as layer 7, and I have seen issues with SIP protocols and timeout issues due to firewalls mishandling the traffic and causing VoIP phone outages.

Former Member
0 Kudos

Hey Billy,

You meant to reply to me?

Irrespective of the above, the info is good to know.

Cheers,

A.

bxiv
Active Contributor
0 Kudos

Was trying to keep the information in the same threads for everyone's benefit in knowing; pulling up the logs or syslog for a firewall is even easier than setting traces in systems.

Now if the network team has purposely gone in and disabled logging or changed some log related settings it can make things difficult; however if you have a network team that disabled logging on a company firewall, it might be worth asking if you want to work there. 

JPReyes
Active Contributor
0 Kudos

Hi Sowmya,

Have you checked that the system number of the gateway is correct? Go to SMGW -> Parameters and check the instance "gateway service". If you have a standalone gateway, check that it is running.

Regards, Juan

Former Member
0 Kudos

Hello Juan,

Gateway process is up and running and I can see gateway sessions with status connected in smgw as well.

Can you let me know if connection refused error in telnet is a port issue or an authentication issue from the server side?

Our network team says that the port is open, and if port is not open, the error will be time out and not connection refused.

Thanks,

Sowmya

isaias_freitas
Advisor
0 Kudos

Hello,

If the gateway is running and the port number is correct, it must be something at the network.

Regards,

Isaías

Former Member
0 Kudos

Hello Isaias,

Thanks. Can you please let me know if there is any other way for me to prove it is a network issue?

alwina_enns
Employee
0 Kudos

Hello Sowmya,

Could you please check in the gateway trace dev_rd which IP address and port number the gateway is using, and ensure that you are trying to connect with telnet to the correct one?

Regards,
Alwina

isaias_freitas
Advisor
0 Kudos

Hello,

Access the SAP server itself, at operating system level, and perform the same telnet command (to the Gateway port).

It will work.

Then, go to your workstation and try a telnet to the Dispatcher and to the Gateway.

The telnet to the Dispatcher will work (which means that your workstation can reach the server through the network).

The telnet to the Gateway will fail.

This should be proof enough.

Regards,

Isaías
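
The two-sided test described in this thread (same connect attempt on the SAP server itself and from a workstation, telling "connection refused" apart from a timeout), as an added Python example that is not code from any poster. The function names `sap_ports`, `probe` and `interpret` and the result strings are hypothetical; the 32<NN>/33<NN> port scheme is the one quoted above.

```python
import socket
import sys

def sap_ports(instance):
    """Dispatcher is 32<NN> and Gateway is 33<NN>, as stated in the thread."""
    nn = f"{int(instance):02d}"
    return {"dispatcher": int("32" + nn), "gateway": int("33" + nn)}

def probe(host, port, timeout=3.0):
    """One TCP connect attempt, named after the error telnet would show."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"       # handshake completed, something is listening
    except ConnectionRefusedError:
        return "refused"        # a TCP reset came back instead of a SYN/ACK
    except socket.timeout:
        return "timeout"        # nothing came back before the deadline
    except OSError as exc:
        return f"error: {exc}"  # name resolution failure, no route, ...

def interpret(on_server, from_client):
    """Combine the result taken on the SAP host with the one from a client."""
    if on_server != "open":
        return "not listening on the server: check instance number and services file"
    if from_client == "open":
        return "reachable from this client"
    if from_client == "refused":
        # The reset did not come from a missing listener, so it was sent by a
        # device on the path or the listener is bound to a different address.
        return "listening locally, reset on the way: path device or bind address"
    if from_client == "timeout":
        return "listening locally, packets dropped on the path"
    return "listening locally, client-side " + from_client

if __name__ == "__main__":
    # usage: python sap_probe.py <host> <instance number>
    host, instance = sys.argv[1], sys.argv[2]
    for name, port in sap_ports(instance).items():
        print(f"{name:10} {port}: {probe(host, port)}")
```

Run it once on the SAP server against `localhost` and once from each workstation, then pass the two results for the same port to `interpret`.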

Former Member
0 Kudos

hehehe .... thinking the same at the same time 🙂

isaias_freitas
Advisor
0 Kudos

yes! hehehe