One of the most irritating and annoying things in the basis area is when the network gives issues. For whatever reason.
This blog will give hints and tips on how to recognize network issues and options to analyze them.
SAP notes on network performance
Main OSS note is: 1100926 – FAQ: Network performance.
Main SAP wiki on network performance can be found via this link.
Detailed analysis notes:
Specific issues with application to database server issues:
Check if database is the issue, or network:
Network issues on Azure:
Check by ST06: start the LAN check by Ping:
Or directly via transaction OS01:
SAP GUI network issues
If the user is far away from the server, network issues can be cause of slow transactions for the end user.
SAP GUI slow connection can be set on creation of GUI entry, or by right clicking on the GUI entry and then selecting the network option:
FIORI and web developments
FIORI tiles and web developments might be slow with users further away from the server. If the application has many round trips built in the increase network latency will definitely kill the end user performance.
Read more in this blog on how you can simulate a distant user in Chrome to analyze the issue.
TLS stands for Transport Layer Security (full background you can read in this blog). It determines the security protocol used for the web part of the ABAP server.
Questions that will be explained in this blog:
- How can I enable TLS v1.2 for my ABAP server?
- How can I check TLS v1.2 is properly setup?
- Can I disable TLS v1.0 and v1.1?
Setup of TLS v1.2 on ABAP
The setup of TLS v1.2 is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients.
Settings to enable TLS v1.2 and still allowing v1.0 and v1.1 for older clients:
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE
Set up of TLS v1.2 on HANA
For setup of TLS v1.2 on HANA follow the instructions in OSS note 2829919 – How to enable TLS 1.2 for all Hana ports.
How to check TLS v1.2 usage?
The TLS version usage per browser is a different process to check. Read this blog to find the exact instructions per browser.
The end result is as follows:
Can I switch off TLS v1.0 and v1.1?
Yes, you can switch off TLS v1.0 and v1.1. This is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients. Please also read the warning in this note: the advantage is very low, the risk that you will get issues is high.
So switching off in live system is tricky. Switching it off starting new system landscape is simple and a good idea to do.
TLS v1.3 is currently not supported for ABAP. See OSS note 2765639 – Is TLS 1.3 supported in NetWeaver AS ABAP?.
More background can be found in OSS note 510007 – Additional considerations for setting up SSL on Application Server ABAP.
In some cases you need detailed information on TCP/IP ports for SAP. This blog will also refer to notes from SAP with regards to network issues.
TCP/IP ports for SAP
All ports for SAP are listed on the SAP help site https://help.sap.com/viewer/ports.
When is this list important?
- When you have to setup firewall rules
- When you are doing changes: for example, changing from http to https, installation of web dispatcher, switch towards SNC
Other relevant TCP/IP related OSS notes: