Symptom
This KBA applies to SAP Datasphere connections to ABAP-based On-Premise systems (e.g., S/4HANA, ECC, or BW) via SAP Cloud Connector.
The following error occurs for the data flow and replication flow features when validating the connection in SAP Datasphere.
Connection "<connection_name>" couldn’t be established.
- Data flows can’t be used because of errors in the connection.
- Replication flows can’t be used because of errors in the connection.
Data Flows: Cause: ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="Message: Opening connection to backend failed: Timed out waiting for tunnel to open for tunnelId account:///XXX-XXX-XXX-XXX-XXX/<LOCATION_ID>\nCode: RFC_COMMUNICATION_FAILURE"
Please refer to SAP Note 2849542 for more information.
Replication Flows: Cause: ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="Message: Opening connection to backend failed: Timed out waiting for tunnel to open for tunnelId account:///XXX-XXX-XXX-XXX-XXX/<LOCATION_ID>\nCode: RFC_COMMUNICATION_FAILURE"
Please refer to SAP Note 2849542 for more information.
Environment
SAP Datasphere
Reproducing the Issue
Validate the connection
Cause
Cause 1:
The on-premise firewall or proxy does not allow access to required SAP domains.
Cause 2:
SSL/TLS Handshake Failure (Certificate or Version Issues).
The following entry may be found in the SCC trace:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause 3:
The Cloud Connector certificate has expired.
Resolution
Solution 1:
Follow Configure Cloud Connector - Prerequisites | SAP Help Portal
- If you are using egress firewalling, add the following domains (wildcard) to the firewall/proxy allowlist in your on-premise network:
  - *.hanacloud.ondemand.com
  - *.k8s-hana.ondemand.com
Solution 2:
- Update the Cloud Connector to the latest version. Refer to KBA 2539713 - Upgrade to a new version of the Cloud Connector.
- Ensure the Java Virtual Machine (JVM) used is supported and up to date.
- If certificate path errors are present, review KBA 3391743 - PKIX path building: unable to find valid certification path to requested target while adding/refreshing BTP sub-account from SCC leading to TLS termination.
- If the issue persists, report a case under the BC-MID-SCC component.
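To tell Cause 1 from Cause 2 from the Cloud Connector host, the following added example (not SAP tooling and not part of the original KBA) opens a direct TLS connection and maps the failure to the causes above. It assumes no HTTP proxy in the path and uses Python's trust store rather than the Cloud Connector JVM's. The hostnames are tenant-specific and must be supplied by you; Cause 3 is not covered.

```python
import socket
import ssl
import sys

# Wildcard domains quoted from Solution 1 on this page.
REQUIRED_SUFFIXES = (".hanacloud.ondemand.com", ".k8s-hana.ondemand.com")


def in_required_domains(host):
    """True if host falls under one of the wildcard domains from Solution 1."""
    return host.lower().rstrip(".").endswith(REQUIRED_SUFFIXES)


def classify(exc):
    """Map a connection error (or None for success) to the causes in this KBA."""
    if exc is None:
        return "OK: TCP and TLS succeeded with this host's trust store"
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Typical when a TLS-inspecting proxy presents a certificate from a private CA.
        detail = getattr(exc, "verify_message", str(exc))
        return "Cause 2: certificate chain not trusted (%s)" % detail
    if isinstance(exc, ssl.SSLError):
        return "Cause 2: TLS handshake failed (protocol or cipher mismatch)"
    if isinstance(exc, OSError):  # DNS failure, timeout, refused, reset
        return "Cause 1: endpoint unreachable, check firewall/proxy allowlist"
    return "Unclassified: %r" % (exc,)


def probe(host, port=443, timeout=5.0):
    """Open a direct TLS connection; return (classification, issuer organization)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return classify(None), issuer.get("organizationName", "?")
    except (ssl.SSLError, OSError) as exc:
        return classify(exc), None


if __name__ == "__main__":
    # Pass the tenant-specific hosts taken from your own connection details.
    for h in sys.argv[1:]:
        note = "" if in_required_domains(h) else " (not under Solution 1 domains)"
        print(h, "->", probe(h), note)
```

An unexpected issuer organization on a successful probe points to TLS inspection on the path, which the Cloud Connector JVM may not trust even when this host does.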
Solution 3:
Upgrade `SAP Cloud Connector` and SAP JVM to address this matter. For further details and guidance, you can refer to the following KBA.
Refresh the certificate for the Datasphere subaccount in SCC. If any issue occurs, see KBA 3517554 - Unable to update Subaccount certificate for Datasphere in SAP Cloud Connector
See Also
- Configure Cloud Connector | SAP Help Portal
- KBA 2539713 - Upgrade to a new version of the Cloud Connector
- KBA 3391743 - PKIX path building: unable to find valid certification path to requested target while adding/refreshing BTP sub-account from SCC leading to TLS termination
Keywords
KBA, DS-DI-CON, Connections, Problem
SAP Knowledge Base Article - Public