3369433 - How to troubleshoot Cloud Connector related issues when creating connection in SAP Datasphere

This KBA helps troubleshoot Cloud Connector issues and issues with creating connections for data flows and replication flows in SAP Datasphere.

SAP Datasphere

The attempt to connect Datasphere results in an error message during the validation of the connection.

List of available connections + prerequisites in SAP Help Portal Documentation: Preparing Connectivity for Connections
Furthermore please check our SAP Datasphere connection Guided Answer

In case you need to report a case to SAP, please provide SAP Cloud Connector information according to KBA 3449529 - Datasphere Support - needed Cloud Connector information.

Configure Cloud Connector before connecting to on-premise sources and using them in various use cases. In the Cloud Connector administration, connect the SAP Datasphere subaccount to your Cloud Connector, add a mapping to each relevant source system in your network, and specify accessible resources for each source system.

It's necessary for the following features:

• Data flows
• Replication flows
• Model import from: SAP BW/4HANA Model Transfer connections (Cloud Connector is required for the live data connection of type tunnel that you need to create the model import connection)
• SAP S/4HANA On-Premise connections (Cloud Connector is required for the live data connection of type tunnel that you need to search for the entities in the SAP S/4HANA system)
• Remote tables (only for SAP HANA on-premise via SAP HANA Smart Data Access)

How to start - check the following SAP Help Portal Documentations, Guided Answers and KBAs.

• Configure Cloud Connector
• Set Up Cloud Connector in SAP Datasphere
• Add IP address to IP Allowlist
• Finding SAP Datasphere IP addresses
• Troubleshooting SAP HANA Smart Data Access via Cloud Connector
• check Cloud Connector Issues Guided Answer
• review the Cloud Connector's log - KBA 2452568 - Log and Trace files for SAP Cloud Connector

If there is an issue in Remote Tables, the issue could be related to DP Agent. Therefore, please see the KBA 3196950 - How to troubleshoot DP Agent related issues when creating connection in Datasphere.

You can also use the following checkpoints to analyze the connection issues. The main checkpoint are listed on the screenshot, the explanation can be found below.

• Subaccount registered at Datasphere Administration->Data Source should be identical to the subaccount registered in Cloud Connector
  
  
• Location ID defined in Cloud Connector should be the name as the Location ID created at Datasphere Administration->Data Source
  
  
• Cloud Connector's IP is maintained in Dataspshere -> Configuration->Trusted Cloud Connector IPs
• Outbound IPs exposed at About Dialog->HANA IP Addresses and Outbound IP address need to be whitelisted
  
  DI connectivity tunnel IP might not be exposed here, in case of getting issue described in Connection Issue with Connection to SAP BTP Guided Answer, the IP address from the SCC log file (ljs_trace.log (<2.17)/scc_core.trc (>=2.17) should be exposed
  
  
• Terminating proxy is used between BTP and SCC
  SCC does not support such proxy, see question "Can I use a TLS-terminating firewall between Cloud Connector and SAP BTP?"
  
  Such error can be identified easily in SCC log with TLS/SSL Trace switched on (see KBA 2452568 - Log and Trace files for SAP Cloud Connector). If there is such a proxy in between, certificate reached SCC is not the same as the one sent from BTP. These two certifications are not issued by the same issuer.
• None mapping virtual host and/or virtual port defined in SCC and Datasphere
  Virtual host and port defined in SCC and Datasphere should be identical. Otherwise, SCC can’t find the system mapping and will populate error described in KBA 2667924 - Access denied to resource ... on system ... In case this was a valid request, ensure to expose the resource correctly in your cloud connector.. 
  
  
• Wrong network protocol used for system, please follow the protocol indicated from SAP Help Portal Documentation: Configure Cloud Connector
• In case TLS (SSL=true) is defined in connection in Datasphere, associated system mapping in SCC should not use TLS
• Insufficient access control please follow the resource mapping as described in SAP Help Portal Documentation: Configure Cloud Connector document
• ABAP system
  
  • Wrong login order defined in ABAP system resulting in login error, see KBA 3047235 - Error "You were not automatically logged on to the remote data source. Please ask your administrator to verify the SAML Single Sign On configuration" encountered when save the tunnel type BW live data connection in SAP Analytics Cloud (SAC)
    
    
  • None matching server type. If application server is defined in connection in Datasphere, none load balancing ABAP system mapping should be used in SCC
      

  • For Cloud Connector version 2.15 or higher, if you use Principal Propagation with principal type "X.509 Certificate", ensure that the system still authenticates with Basic Authentication: 
    On the screen "Edit System Mapping" in the Cloud Connector, at the place where you maintain the mapping between internal host/port and virtual host/port for your SAP BW/4HANA backend system, do not set selection box "System Certificate for Logon".
    This setting lets you use the system certificate for trust but prevents its usage for user authentication.

    (For details: SAP Help Documentation: Configure Identity Propagation for HTTPS - Configure Identity Propagation - Point 3 "Access ICF Services":
    Option "To access ICF services via the logon method Basic Authentication (logon with user/password) and identity propagation") 

    Additionally, on backend side, make sure that all services listed above allow Basic Authentication and Logon through SSL Certificate as logon method. 
    This can be checked in transaction SICF on the ABAP backend system - KBA 3383634 - SAP Datasphere - SAP BW/4HANA Model Import via "Import Entities" Wizard  

      
    

Below you will find a list of possible issues and its solutions:

CASE A

Problem Description: validating the newly configured connection in Datasphere.
Data Flows: Cause: Error occurred when connecting to Hana database. Error: [10]: authentication failed. Code:1300004
Replication Flows: Cause: Error occurred when connecting to Hana database. Error: [10]: authentication failed. Code:1300004

Cause: wrong user name and/or password under credentials

Solution: make sure to use a valid user/password combination

...................................................................................................................

CASE B 

Problem Description:
Data Flows: Cause: ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="Message: Opening connection to backend failed: Opening connection to <virtual host>:<virtual port> denied. Expose the system in your Cloud Connector in case it was a valid request.\nCode: RFC_COMMUNICATION_FAILURE"
Replication Flows: Cause: ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="Message: Opening connection to backend failed: Opening connection to <virtual host>:<virtual port> denied. Expose the system in your Cloud Connector in case it was a valid request.\nCode: RFC_COMMUNICATION_FAILURE"

a)

Cause: Virtual host and/or virtual port defined in the connection are not identical to the virtual host and/or virtual port defined in the system mapping.

Solution: Validating system mapping defined in SCC. Please note that:

• When using Derived Virtual Host and Port from Connection Details as Virtual Destination in connection, virtual port for ABAP systems is calculated as sapgw<port>
• When message server is chosen in the connection, load balancing system mapping in SCC can’t use msg<SID> as message server virtual port, as it is not supported by datasphere, only numeric virtual port is supported for ABAP system mappings

b)

Cloud Connector trace: +0000#DEBUG#org.apache.tomcat.util.net.jsse.JSSESupport#https-jsse-nio2-8443-exec-8#        #Error trying to obtain a certificate from the client
javax.net.ssl.SSLPeerUnverifiedException:peer not authenticated

Solution: follow KBA 2523326 - javax.net.ssl.SSLPeerUnverifiedException:peer not authenticated: SAP Cloud Connector issue 

...................................................................................................................

CASE C

Problem Description: You are trying to connect Datasphere with ABAP/BW system but you are getting an error message when validating the connection. The error message is the following or similar:

ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="Message: Client 003 is not available in this system\nCode: RFC_LOGON_FAILURE".  

Cause: You are mapping your source system with wrong virtual host. 

Solution:  Check the client parameter of your source system and map to the correct virtual host.
If there is no virtual host with the matching client parameter, then create a new one. You can refer SAP Help Portal Documentation: Configure Cloud Connector .

...................................................................................................................

CASE D

Problem Description: You are trying to connect Datasphere with ABAP/BW system but you are getting an error message when validating the connection. The error message is the following or similar:

Data Flows: Cause: ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="An Error occurred: Could not invoke function \"RFC_FUNCTION_SEARCH\" | rfcSDKError[Number:000, RFC_ABAP_EXCEPTION, NO_FUNCTION_FOUND, , , 000, , , , ] or FAILED “RFC_COMMUNICATION_FAILURE”.

Cause: ABAP Source system is missing prerequisites for Data Flows and Replication Flows features. You can refer to KBA 2890171 - SAP Data Intelligence / SAP Datasphere - ABAP Integration.

Make sure to have following Function Modules in your ABAP Source system:

• RFC_FUNCTION_SEARCH
• RFC_GET_FUNCTION_INTERFACE
• LTAPE_GRAPH_VERSION
• DHAPE_GRAPH_VERSION

In case you find a missing function module, apply the latest DMIS 2018 support package.
Function LTAPE_GRAPH_VERSION is part of DMIS addon

SAP Note 2890171 - SAP Data Intelligence - ABAP Integration

For ABAP Connection in Datasphere the DMIS addon is a must.
As mentioned in SAP Note 2596411 - Note Analyzer for ABAP-based Migration and Replication Technology (DMIS2011/DMIS2018/DMIS2020/S/4HANA) 
"In general, corrections for the ABAP Integration are delivered via SAP Notes. To check whether all available SAP Notes are installed, you can use the Note Analyzer tool - for more details, see SAP Note 2596411."
Once DMIS Addon is installed, the connectivity problem will get resolved.

In case the problem still exists, record a cloud connector trace (KBA 2452568 - Log and Trace files for SAP Cloud Connector) and open a support ticket providing us all necessary information from the KBA 2891554 - How to create a Support User in SAP Datasphere.

...................................................................................................................

CASE E

Problem Description: Data flows: Cause: ABAP Connector (Axino) ABAP connection check FAILED: request failed: rc=1, msg:"could not detect ABAP Pipeline Engine"

cloud connector, cc, axino, di, proxy, firewall, ip address, RFC_COMMUNICATION_FAILURE, FUNCTION, GRAPH , KBA , DS-DI-CON , Connections , How To