3503678 - Error "Timed out waiting for tunnel to open for tunnelId account RFC_COMMUNICATION_FAILURE" In S/4HANA On-Premise Connection - SAP Datasphere

This KBA applies to SAP Datasphere connections to ABAP-based On-Premise systems (e.g., S/4HANA, ECC, or BW) via SAP Cloud Connector.

The following error occurs for feature data flow and replication flow when validating connection in SAP Datasphere.

Connection "<connection_name>" couldn’t be established.
- Data flows can’t be used because of errors in the connection.
- Replication flows can’t be used because of errors in the connection.

Data Flows: Cause: ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="Message: Opening connection to backend failed: Timed out waiting for tunnel to open for tunnelId account:///XXX-XXX-XXX-XXX-XXX/<LOCATION_ID>\nCode: RFC_COMMUNICATION_FAILURE"
Please refer to SAP Note 2849542 for more information.

Replication Flows: Cause: ABAP connector(Axino) ABAP connection check FAILED: request failed: rc=1, msg="Message: Opening connection to backend failed: Timed out waiting for tunnel to open for tunnelId account:///XXX-XXX-XXX-XXX-XXX/<LOCATION_ID>\nCode: RFC_COMMUNICATION_FAILURE"
Please refer to SAP Note 2849542 for more information.

SAP Datasphere

Validate the connection

Cause 1:

The on-premise firewall or proxy does not allow access to required SAP domains.

Cause 2:

SSL/TLS Handshake Failure (Certificate or Version Issues).

May found below log in scc trace:

#INFO#System.out#tunnel-client-357-7#          #fatal, |
#INFO#System.out#tunnel-client-357-7#          #description = certificate_unknown|
#INFO#System.out#tunnel-client-357-7#          #tunnel-client-357-7, WRITE: TLSv1.2 Alert, length = 2|
#INFO#System.out#tunnel-client-357-7#          #tunnel-client-357-7, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem|
#ERROR#com.sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#Thread-301#          #Unexpected exception while establishing tunnel connection for tunnel: account:///xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx javax.net.ssl.SSLException: SSLEngine closed already

Cause 3:

Cloud connector certificate expired.

Solution 1:

Follow Configure Cloud Connector - Prerequisites | SAP Help Portal

• If you are using egress firewalling, add the following domains (wildcard) to the firewall/proxy allowlist in your on-premise network:
  • *.hanacloud.ondemand.com
  • *.k8s-hana.ondemand.com

Solution 2:

• Update the Cloud Connector to the latest version. Refer to KBA 2539713 - Upgrade to a new version of the Cloud Connector.
• Ensure the Java Virtual Machine (JVM) used is supported and up to date.
• If certificate path errors are present, review KBA 3391743 - PKIX path building: unable to find valid certification path to requested target while adding/refreshing BTP sub-account from SCC leading to TLS termination.

Solution 3:

Upgrade `SAP Cloud Connector` and SAP JVM to address this matter. For further details and guidance, you can refer to the following KBA.  

• 3556127 - [Rollout Update] Information about Datasphere Cloud Connector Certificate Notification

• Configure Cloud Connector | SAP Help Portal
• KBA 2539713 - Upgrade to a new version of the Cloud Connector
• KBA 3391743 - PKIX path building: unable to find valid certification path to requested target while adding/refreshing BTP sub-account from SCC leading to TLS termination 

KBA , DS-DI-CON , Connections , Problem