Hello, we are having a problem opening connections to our systems in the support portal and would appreciate any help and direction. This is probably a problem with our SAPRouter or firewall configuration, but we have been unable to identify where that problem is, and we are working closely with our network folks to try to correct it. We are able to download OSS notes through SNOTE and all of the RFCs work correctly, but we can't seem to keep a connection open to allow SAP support to log in to our systems. The connection appears to open for about three minutes but then gives the error "Host did not respond 1-9 times", and then the connection shows cancelled after about 18 min. We have had a high priority incident open with SAP for the last couple of weeks but haven't got much response from them. SAP has the IP addresses of our SAPRouter and VPN correct, and the routestring is correct.
SAPRouter = 216.253.195.169
VPN = 216.253.195.170
Routestring = /H/colo-sap-router.insummit.com/S/3299
We are able to ping SAP (194.117.106.129) from the saprouter server successfully. A few things I have read indicate that a simple test is that you should be able to telnet to SAP (IP above) on the configured port, 3299, but we are not able to do this, and we've told this to SAP; we can telnet to port 21 but not 3299.
SAPRouter is on a Windows 2008 Server OS, using the VPN. Attached is our saprouttab file.
Also attached is a trace.out file, and dev_rout file.
Here are the firewall ACLs:
access-list Outside extended permit ip host 216.253.195.169 host 147.204.100.142
access-list Outside extended permit ip host 147.204.2.5 host 216.253.195.169
access-list Outside extended permit ip host 216.169.212.169 host 147.204.100.142
!
access-list Outside extended permit ip host 194.117.106.129 any
access-list Outside extended permit ip any host 194.117.106.129
access-list Outside extended permit ip host 194.117.106.128 any
access-list Outside extended permit ip host 216.253.195.169 194.117.106.128 255.255.255.252
access-list Outside extended permit ip host 194.117.106.128 host 216.253.195.169
access-list Outside extended permit ip 194.117.106.128 255.255.255.252 host 216.253.195.169
access-list Outside extended permit ip host 194.117.106.129 host 216.253.195.169
access-list Outside extended permit ip host 216.169.212.169 194.117.106.128 255.255.255.252
Here are the routes:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.5.0.1 10.5.0.222 266
10.5.0.0 255.255.255.0 On-link 10.5.0.222 266
10.5.0.222 255.255.255.255 On-link 10.5.0.222 266
10.5.0.255 255.255.255.255 On-link 10.5.0.222 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
194.117.106.128 255.255.255.252 216.253.195.170 216.253.195.169 21
216.253.195.168 255.255.255.248 On-link 216.253.195.169 276
216.253.195.169 255.255.255.255 On-link 216.253.195.169 276
216.253.195.175 255.255.255.255 On-link 216.253.195.169 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.5.0.222 266
224.0.0.0 240.0.0.0 On-link 216.253.195.169 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.5.0.222 266
255.255.255.255 255.255.255.255 On-link 216.253.195.169 276
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
194.117.106.128 255.255.255.252 216.253.195.170 1
0.0.0.0 0.0.0.0 10.5.0.1 Default
And here is the VPN tunnel info:
6 IKE Peer: 194.39.131.167
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
show ipsec sa peer 194.39.131.167
peer address: 194.39.131.167
Crypto map tag: cryptomap1, seq num: 15, local addr: 216.253.195.170
access-list encrypt_123_to_SAP extended permit ip host 216.253.195.169 194.117.106.128 255.255.255.252
local ident (addr/mask/prot/port): (216.253.195.169/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (194.117.106.128/255.255.255.252/0/0)
current_peer: 194.39.131.167
#pkts encaps: 459156, #pkts encrypt: 459156, #pkts digest: 459156
#pkts decaps: 65825, #pkts decrypt: 65825, #pkts verify: 65825
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 459156, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.253.195.170, remote crypto endpt.: 194.39.131.167
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 90CB4EA0
current inbound spi : 769BBB0D
inbound esp sas:
spi: 0x769BBB0D (1989917453)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20480, crypto-map: cryptomap1
sa timing: remaining key lifetime (kB/sec): (4373965/4063)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x90CB4EA0 (2429243040)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20480, crypto-map: cryptomap1
sa timing: remaining key lifetime (kB/sec): (4373954/4063)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Again, any help and suggestions are greatly appreciated.
Thanks,
Brent
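As an added example (not part of the original post), the following script checks the configuration quoted above from the server's point of view: it does a longest-prefix-match lookup over the posted Windows route table to confirm which gateway the SAP /30 is sent to, and evaluates the posted ASA-style access-list entries with first-match semantics against the SAPRouter-to-SAP flow. The ACL and route lines are copied from the post; the parser assumes the plain "permit ip <src> <dst>" forms shown there.

```python
import ipaddress

# Subset of the ACL and route table lines quoted in the post, embedded here so the script runs offline.
ACL_LINES = [
    "access-list Outside extended permit ip host 216.253.195.169 host 147.204.100.142",
    "access-list Outside extended permit ip host 194.117.106.129 any",
    "access-list Outside extended permit ip any host 194.117.106.129",
    "access-list Outside extended permit ip host 216.253.195.169 194.117.106.128 255.255.255.252",
]
ROUTE_LINES = [
    "0.0.0.0 0.0.0.0 10.5.0.1 10.5.0.222 266",
    "10.5.0.0 255.255.255.0 On-link 10.5.0.222 266",
    "194.117.106.128 255.255.255.252 216.253.195.170 216.253.195.169 21",
    "216.253.195.168 255.255.255.248 On-link 216.253.195.169 276",
]

def _parse_spec(tokens, i):
    """Parse one ASA address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address mask" form; strict=False tolerates host bits set in the address field
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Return a list of (action, src_net, dst_net) in the order the entries appear."""
    entries = []
    for line in lines:
        t = line.split()          # t[3] is permit/deny, t[4] is the protocol ("ip")
        src, i = _parse_spec(t, 5)
        dst, _ = _parse_spec(t, i)
        entries.append((t[3], src, dst))
    return entries

def acl_permits(entries, src_ip, dst_ip):
    """First matching entry decides, as on an ASA; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False

def route_lookup(route_lines, dst_ip):
    """Longest-prefix match (lowest metric on ties); return (gateway, interface) or None."""
    d = ipaddress.ip_address(dst_ip)
    best = None
    for line in route_lines:
        net, mask, gw, iface, metric = line.split()
        n = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        key = (n.prefixlen, -int(metric))
        if d in n and (best is None or key > best[0]):
            best = (key, gw, iface)
    return (best[1], best[2]) if best else None
```

Running `route_lookup(ROUTE_LINES, "194.117.106.129")` shows the SAP /30 leaving via the VPN gateway 216.253.195.170 on the 216.253.195.169 interface, and `acl_permits(parse_acl(ACL_LINES), "216.253.195.169", "194.117.106.129")` confirms the outbound flow is permitted, which narrows the search to the tunnel itself, the return path, or filtering on the far side rather than these two pieces of local config.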