File Export is failing while on the Access Tunnel

Hello,

I am testing CF Access with a SAP app inside the local network (the app is running on HTTPS).

It has been working great, in fact end users are happy that they don’t need to use the VPN.

There is an option within the SAP app that lets you export data to MS Excel. This export feature is erroring out while users are connected via the Tunnel.

I wonder if someone else has also experienced a similar issue and whether there is any proposed solution.

Thanks in Advance.
-Muhammad

Hi @muhammad.shoaib,

Can you share the error logs? Are you seeing the error from the tunnel on the end user side, or on the SAP app side?

Hi @chungting … I am seeing the error on the SAP app side. The error message says “502 Bad Gateway”. I have attached the screenshot of the Request and Response from the HAR file.

I highly appreciate any tips / clues on where to look to resolve this issue.

@muhammad.shoaib thank you for sharing this. Do you also have logs from cloudflared and the configuration to run them? That will help me understand the cause of the 502 error.

I will restart cloudflared into debug and capture the logs later tonight.

Below is the configuration … (I am running cloudflared as a k8 POD, just an FYI)

# Name of the tunnel you want to run
tunnel: cf-access-tunnel-prod
loglevel: warn
tracetransport-loglevel: warn
credentials-file: /etc/cloudflared/xx-yy-zz.json
# Serves the metrics server under /metrics and the readiness server under /ready
metrics: 0.0.0.0:2000
no-autoupdate: true
ingress:
- hostname: sapapp.mycompany.com
  service: https://a.b.c.d
  originRequest:
    connectTimeout: 10s
    noTLSVerify: true

- service: http_status:404

Hi @chungting

I have enabled debug by updating the following two in the configuration and captured the logs.

loglevel: debug
tracetransport-loglevel: debug

Cloudflared complained that it can’t connect to the origin, right at the time when the user tries to export EXPORT.XLS (line 13).
The connection was stable, though, and if you navigate in the app to do something else it works just fine.

I highly appreciate your help or any tips on what to look for next.

2021-10-20T18:50:13Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA POST http://localhost:8080/sap(xxxxxxxxxxxxxxxxxx==)/bc/gui/sap/its/webgui/batch/json?~RG_WEBGUI=X&sap-statistics=true HTTP/2.0
2021-10-20T18:50:13Z DBG Inbound request CF-RAY=xxxxxxxxxxxxxxxxxx-SEA Header="map[Accept:[multipart/mixed] Accept-Encoding:[gzip] Accept-Language:[en-US,en;q=0.9] Cdn-Loop:[cloudflare] Cf-Access-Authenticated-User-Email:[[email protected]] Cf-Access-Jwt-Assertion:[xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-kM-h7A] Cf-Connecting-Ip:[1.1.1.1] Cf-Ipcountry:[US] Cf-Ray:[xxxxxxxxxxxxxxxxxx-SEA] Cf-Visitor:[{\"scheme\":\"https\"}] Cf-Warp-Tag-Id:[xxxxxxxxxxxxxxxxxx] Content-Length:[342] Content-Type:[application/json;charset=UTF-8] Cookie:[] 
2021-10-20T18:50:13Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Request content length 342
2021-10-20T18:50:13Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Status: 200 OK served by ingress 2
2021-10-20T18:50:13Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response Headers map[Cache-Control:[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Content-Encoding:[gzip] Content-Length:[25798] Content-Type:[multipart/mixed; boundary=SAP_RESTGUI_BATCH_STEP; charset=utf-8] Expires:[Sat, 6 May 1995 12:00:00 GMT] Pragma:[no-cache] Sap-Perf-Fesrec:[103613.000000] Sap-Statistics:[itstotal=103,itsgendiag=1,itsgenhtml=18,itsrestgui=12,itsagiparse=6,itsagiunparse=0,itsext=84,icftotal=103,icfauth=0,icfext=25,icmtotal=109,icmreqrcv=0,icmext=109,wdtotal=110,wdreqrcv=0,wdext=110] X-Xss-Protection:[1; mode=block]]
2021-10-20T18:50:13Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response content length 25798
2021-10-20T18:50:20Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA POST http://localhost:8080/sap(xxxxxxxxxxxxxxxxxx==)/bc/gui/sap/its/webgui/batch/json?~RG_WEBGUI=X&sap-statistics=true HTTP/2.0
2021-10-20T18:50:20Z DBG Inbound request CF-RAY=xxxxxxxxxxxxxxxxxx-SEA Header="map[Accept:[multipart/mixed] Accept-Encoding:[gzip] Accept-Language:[en-US,en;q=0.9] Cdn-Loop:[cloudflare] Cf-Access-Authenticated-User-Email:[[email protected]] Cf-Access-Jwt-Assertion:[xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-kM-h7A] Cf-Connecting-Ip:[1.1.1.1] Cf-Ipcountry:[US] Cf-Ray:[xxxxxxxxxxxxxxxxxx-SEA] Cf-Visitor:[{\"scheme\":\"https\"}] Cf-Warp-Tag-Id:[xxxxxxxxxxxxxxxxxx] Content-Length:[114] Content-Type:[application/json;charset=UTF-8]  Cookie:[]
2021-10-20T18:50:20Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Request content length 114
2021-10-20T18:50:20Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Status: 200 OK served by ingress 2
2021-10-20T18:50:20Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response Headers map[Cache-Control:[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Content-Encoding:[gzip] Content-Length:[1668] Content-Type:[multipart/mixed; boundary=SAP_RESTGUI_BATCH_STEP; charset=utf-8] Expires:[Sat, 6 May 1995 12:00:00 GMT] Pragma:[no-cache] Sap-Perf-Fesrec:[59550.000000] Sap-Statistics:[itstotal=59,itsgendiag=1,itsgenhtml=4,itsrestgui=1,itsagiparse=3,itsagiunparse=0,itsext=54,icftotal=59,icfauth=0,icfext=25,icmtotal=60,icmreqrcv=0,icmext=60,wdtotal=61,wdreqrcv=0,wdext=61] X-Xss-Protection:[1; mode=block]]
2021-10-20T18:50:20Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response content length 1668
2021-10-20T18:50:20Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA POST http://localhost:8080/sap(xxxxxxxxxxxxxxxxxx==)/bc/gui/sap/its/webgui/186/data/xxxxxxxxxxxxxxxxxx~filesavedialog?FileName=Z%3A%5CEXPORT.XLSX&FileEncoding= HTTP/2.0
2021-10-20T18:50:20Z DBG Inbound request CF-RAY=xxxxxxxxxxxxxxxxxx-SEA Header="map[Accept:[*/*] Accept-Encoding:[gzip] Accept-Language:[en-US,en;q=0.9] Cdn-Loop:[cloudflare] Cf-Access-Authenticated-User-Email:[[email protected]] Cf-Access-Jwt-Assertion:[xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-kM-h7A] Cf-Connecting-Ip:[1.1.1.1] Cf-Ipcountry:[US] Cf-Ray:[xxxxxxxxxxxxxxxxxx-SEA] Cf-Visitor:[{\"scheme\":\"https\"}] Cf-Warp-Tag-Id:[xxxxxxxxxxxxxxxxxx] Content-Length:[0] Content-Type:[application/x-www-form-urlencoded] Cookie:[]
2021-10-20T18:50:20Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Request content length 0
2021-10-20T18:50:20Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=xxxxxxxxxxxxxxxxxx-SEA ingressRule=2 originService=https://a.b.c.d
2021-10-20T18:50:21Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA POST http://localhost:8080/sap/bc/gui/sap/its;sap-fesr-only/webgui;~sysid=QAS;~service=3200 HTTP/2.0
2021-10-20T18:50:21Z DBG Inbound request CF-RAY=xxxxxxxxxxxxxxxxxx-SEA Header="map[Accept:[*/*] Accept-Encoding:[gzip] Accept-Language:[en-US,en;q=0.9] Cdn-Loop:[cloudflare] Cf-Access-Authenticated-User-Email:[[email protected]] Cf-Access-Jwt-Assertion:[xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-kM-h7A] Cf-Connecting-Ip:[1.1.1.1] Cf-Ipcountry:[US] Cf-Ray:[xxxxxxxxxxxxxxxxxx-SEA] Cf-Visitor:[{\"scheme\":\"https\"}] Cf-Warp-Tag-Id:[xxxxxxxxxxxxxxxxxx] Content-Length:[1867] Content-Type:[application/x-www-form-urlencoded;charset=utf-8] Cookie:[]
2021-10-20T18:50:21Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Request content length 1867
2021-10-20T18:50:21Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Status: 204 No Content served by ingress 2
2021-10-20T18:50:21Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response Headers map[Cache-Control:[no-store, no-cache, must-revalidate] Content-Length:[0] Content-Type:[text/html] Sap-Perf-Fesrec:[0000.000000] Sap-Server:[true]]
2021-10-20T18:50:21Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response content length 0
2021-10-20T18:50:31Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA POST http://localhost:8080/sap/bc/ui2/flp;sap-fesr-only HTTP/2.0
2021-10-20T18:50:31Z DBG Inbound request CF-RAY=xxxxxxxxxxxxxxxxxx-SEA Header="map[Accept:[*/*] Accept-Encoding:[gzip] Accept-Language:[en-US,en;q=0.9] Cdn-Loop:[cloudflare] Cf-Access-Authenticated-User-Email:[[email protected]] Cf-Access-Jwt-Assertion:[xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-kM-h7A] Cf-Connecting-Ip:[1.1.1.1] Cf-Ipcountry:[US] Cf-Ray:[xxxxxxxxxxxxxxxxxx-SEA] Cf-Visitor:[{\"scheme\":\"https\"}] Cf-Warp-Tag-Id:[xxxxxxxxxxxxxxxxxx] Content-Length:[568] Content-Type:[application/x-www-form-urlencoded;charset=utf-8] Cookie:[]
2021-10-20T18:50:31Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Request content length 568
2021-10-20T18:50:31Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Status: 204 No Content served by ingress 2
2021-10-20T18:50:31Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response Headers map[Cache-Control:[no-store, no-cache, must-revalidate] Content-Length:[0] Content-Type:[text/html] Sap-Perf-Fesrec:[0000.000000] Sap-Server:[true]]
2021-10-20T18:50:31Z DBG CF-RAY: xxxxxxxxxxxxxxxxxx-SEA Response content length 0
ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=xxxxxxxxxxxxxxxxxx-SEA ingressRule=2 originService=https://a.b.c.d

Here are some possible reasons:

  1. Is your origin a HTTPS service? If not, your ingress rule should be http://a.b.c.d.
  2. Do you have firewall rules? Can cloudflared egress to a.b.c.d, and is a.b.c.d allowing ingress from cloudflared?
  3. Is a.b.c.d the right hostname/address? Does cloudflared resolve a.b.c.d to the right IP?
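
A triage aid for logs like the one above, added here as an example (it is not part of the thread and not cloudflared's own tooling): the script groups cloudflared debug lines by ray ID and reports which requests ended in the "Unable to reach the origin service" error instead of a status line, so you can tell whether every request fails or only one endpoint. The sample log is constructed in the format shown in the thread, with made-up ray IDs; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the cloudflared debug log above (ray IDs are made up).
SAMPLE_LOG = """\
2021-10-20T18:50:20Z DBG CF-RAY: 1111aaaa-SEA POST http://localhost:8080/sap/bc/gui/sap/its/webgui/batch/json?~RG_WEBGUI=X HTTP/2.0
2021-10-20T18:50:20Z DBG CF-RAY: 1111aaaa-SEA Request content length 114
2021-10-20T18:50:20Z DBG CF-RAY: 1111aaaa-SEA Status: 200 OK served by ingress 2
2021-10-20T18:50:20Z DBG CF-RAY: 2222bbbb-SEA POST http://localhost:8080/sap/bc/gui/sap/its/webgui/186/data/x~filesavedialog?FileName=Z%3A%5CEXPORT.XLSX&FileEncoding= HTTP/2.0
2021-10-20T18:50:20Z DBG CF-RAY: 2222bbbb-SEA Request content length 0
2021-10-20T18:50:20Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=2222bbbb-SEA ingressRule=2 originService=https://a.b.c.d
2021-10-20T18:50:21Z DBG CF-RAY: 3333cccc-SEA POST http://localhost:8080/sap/bc/ui2/flp;sap-fesr-only HTTP/2.0
2021-10-20T18:50:21Z DBG CF-RAY: 3333cccc-SEA Request content length 568
2021-10-20T18:50:21Z DBG CF-RAY: 3333cccc-SEA Status: 204 No Content served by ingress 2
"""

REQ = re.compile(r"CF-RAY: (\S+) ([A-Z]+) (\S+) HTTP/")
LEN = re.compile(r"CF-RAY: (\S+) Request content length (\d+)")
STATUS = re.compile(r"CF-RAY: (\S+) Status: (\d{3})")
ERR = re.compile(r'ERR\s+error="([^"]*)".*?cfRay=(\S+)')

def summarize(log_text):
    """Group log lines by ray ID; return one record per request, in log order."""
    reqs = {}
    for line in log_text.splitlines():
        if m := ERR.search(line):
            reqs.setdefault(m.group(2), {})["error"] = m.group(1)
        elif m := STATUS.search(line):
            reqs.setdefault(m.group(1), {})["status"] = int(m.group(2))
        elif m := LEN.search(line):
            reqs.setdefault(m.group(1), {})["req_len"] = int(m.group(2))
        elif m := REQ.search(line):
            reqs.setdefault(m.group(1), {}).update(method=m.group(2), url=m.group(3))
    return reqs

def origin_failures(reqs):
    """Requests that ended in a cloudflared origin error and never got a status."""
    return {ray: r for ray, r in reqs.items() if "error" in r and "status" not in r}

if __name__ == "__main__":
    reqs = summarize(SAMPLE_LOG)
    failed = origin_failures(reqs)
    print(f"{len(failed)} of {len(reqs)} requests failed at the origin")
    for ray, r in failed.items():
        print(ray, r.get("method"), r.get("url"), "req_len =", r.get("req_len"))
```

If the failures cluster on one URL while neighbouring requests to the same origin return 200 or 204, compare that request's method, body length and headers against the ones that succeed before changing the ingress rule.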