2659632 - Integration Center can't connect to an external SFTP due to IP restrictions

You are using Integration Center to connect to an SFTP not hosted by SAP and it is returning the error below:

"Cannot connect to sftp://ZZZZZZ@XXX.XXXXXXX.XXX.XX:PPPPP
Could not connect to SFTP server XXX.XXXXXXX.XXX.XX from IP Address YYY.YYY.YYY.YY. Please check to see if IP Address YYY.YYY.YYY.YY is added into allow list by your SFTP server. Contact your IT for more information".

Error message's subtitle:
ZZZZZZ = Username
XXX.XXXXXXX.XXX.XX = SFTP URL
PPPPP = Port
YYY.YYY.YYY.YY = IP Address of successfactors Datacenter

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

• SAP SuccessFactors HXM Suite
• Integration Center

When checking the event log of the failed Integration Center execution, you will find the error message mentioned above.

Sample of Event Log of the error:

You are trying to connect from SuccessFactors Integration Center process to a private or public SFTP server but the SuccessFactors IP is not added into allow list on the public/private server. In other words, when a process in the Integration Center tries to connect on a server outside SAP's datacenter, it gets refused by the SFTP server.

Check with your Local IT team to add into allow list the IP Address of SuccessFactors datacenter. And also check with them if your SFTP is using the Port configured on your Integration (Destination Settings) on Integration Center.

This KBA has a list of all SuccessFactors Data Centers: 2395508 - IP addresses to be added into allow list when customer's own SFTP is used with Integration Center.

In order to authorize this connection, please follow the steps:

1. Request the SFTP Vendor to check the two public data center IP addresses and confirm that both IPs are not on their server(s): IP Auto Ban List.  The SAP data center addresses can be added to the SFTP server Auto-Ban list when there are multiple communications failures.
2. If the SFTP vendor restricts access by IP address, customer must request the SFTP vendor to ADD the two SAP public data center IP addresses on their server(s): IP Allow List.

Note: in case the SuccessFactors Datacenter is DC2 and DC2 Preview hosted Instances, there is a Firewall which blocks traffic to external SFTPs. For this case, please check this KBA: 2553334 - DC2 Integration Center Connectivity to Customers or Third Party SFTP

Note2: in case of new SAP SuccessFactors (like DC41, DC55, DC60 and others) customers will have to request allowlistings to connect with external SFTP Vendors. When using an external SFTP site, the SFTP port 22 is closed by default and the export data jobs won’t work. This will impact data export jobs scheduled in Provisioning and the Integration Center. Please check the KBAs 3097292 and 2911175

Frequently Asked Questions (FAQ):

1 - My IT Local team already added into allow list the IP address of SuccessFactors Data Center, but the issue was not fixed yet. What else can I do?
You need to collect at least the logs from your SFTP server which contains the connections being refused or accepted by your server and provide to SuccessFactors support team to progress on the investigation.

2 - Is there a possibility of the issue is located on the Integration Center or on SAP's Data Center?
Yes, just if SuccessFactors Datacenter is DC2 or DC2 Preview. For all the other Datacenters there is no Outbound allow list from Integration Center as it only tries to access the SFTP server, but there is a blocking action on SFTP side.

Public SFTP; SFTP owned by customer; Cannot connect to SFTP; allow list by your SFTP server, ftp, connection, error, connectivity, successfactors, sf, success factors, firewall, block, blocking, 3rd party sftp, vendor sftp, third party sftp, customer sftp , KBA , LOD-SF-INT-INC , Integration Center , LOD-SF-INT , Integrations , How To