cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SFTP Channels Failed - Proxy Error

Go to solution
vishnu_pallamreddy
Contributor

on ‎03-07-2016 7:40 AM

0 Kudos

Hi All,

In production, all SFTP Channels are failed with the below error:

Actually in every SFTP channel we are using Proxy Server and Proxy port.

Could any one please confirm the issue with the Proxy Server or is there any issue for this?

Message could not be forwarded to the JCA adapter. Reason: com.jcraft.jsch.JSchException: ProxyHTTP: java.io.IOException: proxy error: Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. )


MP: exception caught with cause javax.resource.ResourceException: com.jcraft.jsch.JSchException: ProxyHTTP: java.io.IOException: proxy error: Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. )


Adapter Framework caught exception: com.jcraft.jsch.JSchException: ProxyHTTP: java.io.IOException: proxy error: Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. )


Delivering the message to the application using connection SFTP_http://sap.com/xi/XI/SFTP failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: com.jcraft.jsch.JSchException: ProxyHTTP: java.io.IOException: proxy error: Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. ).

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

engswee
Active Contributor
‎03-07-2016 8:04 AM
0 Kudos

Hi Vishnu

Did the SFTP channels work before and only just suddenly begin failing? It's weird that the error is referring to SSL requests which is not relevant to SFTP (which uses SSH) - as such I don't think it's related to the SFTP adapter and most likely an issue with the proxy server.

Anyway, can you share screenshot of your SFTP channel configuration?

Regards

Eng Swee

Show replies
Show replies
vishnu_pallamreddy
Contributor
‎03-07-2016 9:19 AM
0 Kudos

Hi Yeoh,

From yesterday itself the channels are failing.

we are using same proxy in almost all SFTP channels.

engswee
Active Contributor
‎03-07-2016 9:24 AM
0 Kudos

Hi Vishnu

The ports used in your config (22 for SFTP and 8080 for proxy) are quite common and seems right.

If there's no change on PI side and it just happened suddenly, it really sounds like it's related to the network proxy side. You will need to check with the network team on this.

Regards

Eng Swee

Answers (2)

Answers (2)

iaki_vila
Active Contributor
‎03-07-2016 9:14 AM
0 Kudos

Hi Vishnu,

I think the problem is in the SFTP server, regarding SFTP threads on internet seems to be a normal issue. The issue could be raised if you PI environment used a proxy and there the port change was done or the problem was on SFTP server enviroment and they did this change. If you check this links, to use a non standard SFTP port on the endpoint the should do some changes:

How to allow SSL on non-standard port

https://support.microsoft.com/en-us/kb/283284

Summing up, you should talk with your basis/network team and the endpoint basis team.

Regards.

https://support.microsoft.com/en-us/kb/283284

Show replies
Show replies
vishnu_pallamreddy
Contributor
‎03-07-2016 10:20 AM
0 Kudos

Hi All,

I have contacted my network team, they said like the proxy server is up and normal.

But the messages are not going through i am getting same error.

former_member190536
Participant
‎03-07-2016 10:31 AM
0 Kudos

hi vishnu,

May be Network team changed the ports, ask them to double check with this port.

and also check any proxy settings has been changed.

former_member186851
Active Contributor
‎03-07-2016 10:46 AM
0 Kudos

Vishnu,

Might be there should be some change in proxy or firewall.

And From the Server PI is not allowed to hit the SFTP.

Did you check with Basis as well if any connectivity issues are there to this SFTP server.

vishnu_pallamreddy
Contributor
‎03-07-2016 11:12 AM
0 Kudos

Hi All,

I have checked with Network, they are saying like no changes have performed on Proxy.

we are again checking on port.

Once got confirmation I will update,

nitindeshpande
Active Contributor
‎03-07-2016 12:49 PM
0 Kudos

Hello Vishnu,

Can you go to the OS level of your PI server and check if the ping and telnet to Proxy server is working or no?

If it is working, then please check if ping and telnet to the SFTP server is working or no? I feel the issue is with the connection from PI server to your proxy server.

Regards,

Nitin

vishnu_pallamreddy
Contributor
‎03-07-2016 6:10 PM
0 Kudos

Hi Nithin,

What is the procedure to go to PI OS level?

and what are the commands to ping and telnet to the proxy server or SFTP Server.

former_member186851
Active Contributor
‎03-07-2016 6:18 PM
0 Kudos

Vishnu,

OS Level can be accessed by Basis,Its like accessing the PI Server.

there you can do a ping or telnet to SFTP server to check if the connections are fine.

JaySchwendemann
Active Contributor
‎03-08-2016 10:08 AM
0 Kudos

As far as I understand accessing the sFTP server directly (whether through ping  or telnet) will not work from PI as it needs to route traffic through  said proxy.

You could go two ways:

  1. Command line from PI server
    1. telnet to your  proxy with port 8080 and see if  something meanyingful is responded.
    2. go full nelson and try ssh'ing via proxy to the target host, see here: http://backdrift.org/transparent-proxy-with-ssh
  2. Putty from your client PC
    1. If your PC is in the SAME network segment than the PI server (read: it uses the same proxy, it is behind the same firewall) you could approach by installing putty, which includes a comfortable GUI with proxy support, on that PC and see if connection works

HTH

Cheers

vishnu_pallamreddy
Contributor
‎03-08-2016 4:14 PM
0 Kudos

Hi All,

Issue resolved.

my network team done some changes to proxy server.

Now they reverted the changes. messages going through now.

engswee
Active Contributor
‎03-09-2016 1:06 AM
0 Kudos

Good to know that the prime suspects owned up to what they did! Glad all is well now.

vishnu_pallamreddy
Contributor
‎03-09-2016 6:30 PM
0 Kudos

Hi Yeoh,

I have one issue here.

some times messages are successful but most of the cases failing.

with same error.

Message could not be forwarded to the JCA adapter. Reason: com.jcraft.jsch.JSchException: ProxyHTTP: java.io.IOException: proxy error: Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. )


What is the importance of proxy server in SFTP channel?

Is proxy server can fluctuate? why I am asking is, messages are failing and successful.


Is there any load balancing conditions for Proxy Server.

vishnu_pallamreddy
Contributor
‎03-10-2016 3:57 AM
0 Kudos

Hi Yeoh,

One more question?

is there any back end configuration for Proxy Server in in PI?

I mean for pgp and sftp key based authentication we need to instal certificates right?

in the same manner we need to import or instal any certificate for to proxy server in PI C channels?

nitindeshpande
Active Contributor
‎03-10-2016 5:07 AM
0 Kudos

Hi Vishnu,

The importance of proxy server, no matter of the adapter is to route your message through the proxy server instead of your PI server.

This is done for the security purpose and not directly expose your PI server to the external world.

For the error above, Network port of your proxy server must be opened to receive the connection from your PI server. Also if there is response coming back through your proxy server, then you need to allow the port of proxy server in your PI server.

Regards,

Nitin

vishnu_pallamreddy
Contributor
‎03-10-2016 6:21 AM
0 Kudos

Hi Nithin,

when I do IPCONFIG to my host it is showing 4 IP addresses are preferred.

is it possible to find on which IP adress the message is going or coming?

I have 4 server nodes. every time only on one server node i am getting issue.

actuially we are using Alias proxy server in channel.

if we use direct server name in channel it is successful all the times.

if we use alias server it successful 2 3 times on different node and again failing on first server node.

is it true, the server node is mapped with any IP address?

nitindeshpande
Active Contributor
‎03-10-2016 6:35 AM
0 Kudos

Hi Vishnu,

You are doing a IPCONFIG on your proxy server or on your PI server. Sorry i am bit confused.

If your proxy server has 4 nodes, and the message getting through sometimes on some server nodes and sometimes not is completely issue with the server nodes processing them. If it was a SAP system for this problem there should be SAP Web dispatcher installed or a 3rd party Load balancer to resolve this issue.

I guess you can use 3rd party load balancer for your proxy server, as it is not a SAP system.

But all this is related to proxy server side and nothing to do with the SAP PI system, as the problem is in proxy server side.

I hope you have only one server for SAP PI system (Primary Application Server). If you have additional servers which are called Secondary application Server, for better processing in SAP PI. Then also you can go for SAP web dispatcher to have proper load balancing.

Regards,

Nitin

vishnu_pallamreddy
Contributor
‎03-10-2016 7:08 AM
0 Kudos

Hi Nithin,

I am doing IPCONFIG on PI Host, it is showing 4 IP adressses are preferered.

we are doing IPCONFIG on our PI dispatcher only.

it is showing 4 Ip address.

So for every IP we need to maintani host files in Proxy Server right?

nitindeshpande
Active Contributor
‎03-10-2016 7:18 AM
0 Kudos

Hello Vishnu,

Can you please paste the screenshot of your IPconfig?

Regards,
Nitin

former_member186851
Active Contributor
‎03-07-2016 8:55 AM
0 Kudos

Hello Vishnu,

Any change happened in network side?

I guess something proxy setting must be changed.

We had the same problem while browsing,proxy setting was changed and it was not updated.

so check with the network for proxy changes and update the same.

And also check the certificate validity as well.

But as Engg suggested I also think its not exactly because of SSL seems to be proxy change or some proxy setting.

Show replies
Show replies
vishnu_pallamreddy
Contributor
‎03-08-2016 6:54 AM
0 Kudos

Hi raghu,

where can we check whether the certificates are expired or not?

and what certificates we need to check?

former_member186851
Active Contributor
‎03-08-2016 8:27 AM
0 Kudos

Hello Vishnu,

In the NWA or in the path were the certificates have been deployed .

The certificates corresponding to SFTP server authentication only

Ask a Question