Version 2: Google Cloud's Agent for SAP troubleshooting guide

This guide shows you how to resolve issues with version 2 of Google Cloud's Agent for SAP.

Logging

Check the logs in the directory that is specific to your operating system.

To view the logs for Google Cloud's Agent for SAP, navigate to the following paths:

Linux

/var/log/google-cloud-sap-agent.log

Windows

C:\Program Files\Google\google-cloud-sap-agent\logs\google-cloud-sap-agent.log

Common issues

Issue: Insufficient IAM permissions

Issue: Google Cloud's Agent for SAP logs show insufficient IAM permissions error.

Cause: The service account does not have the required IAM permissions to access the Cloud Monitoring API.

Resolution: In Google Cloud console, on the VM instance details page, note the name of the VM service account. For example: [email protected]. On the IAM & Admin home page, ensure that the service account includes the following IAM roles:

Feature Required IAM roles
SAP Host Agent metrics collection
Process Monitoring metrics collection
Workload Manager evaluation metrics collection
SAP HANA monitoring metrics collection

For more information about the authentication required for Google Cloud's Agent for SAP, see Authentication and access.

To confirm the permissions that the Cloud Monitoring agent requires, see the following Monitoring documentation:

Issue: Incorrect access scopes for the VM service account

Issue: If you limit the access scopes on your host VM instance, then Google Cloud's Agent for SAP logs might show insufficient IAM permissions error.

Cause: Google Cloud's Agent for SAP requires minimum Cloud API access scopes on the host VM instance. This error occurs when the service account does not have the required access scopes.

Resolution: Access scopes are the legacy method of specifying permissions for your VM instance. Compute Engine recommends configuring your VM instances to allow all access scopes to all Cloud APIs and using only the IAM permissions of the VM service account to control access to Google Cloud resources.

To resolve this issue, as a best practice, set the all cloud-platform access scope on the VM instance, then securely limit the service account's API access with IAM roles. For example:

  • https://www.googleapis.com/auth/cloud-platform

If you do limit the access scopes of your VM instance, then you must ensure that the host VM instance has the following access scopes:

  • https://www.googleapis.com/auth/source.read_write
  • https://www.googleapis.com/auth/compute
  • https://www.googleapis.com/auth/servicecontrol
  • https://www.googleapis.com/auth/service.management.readonly
  • https://www.googleapis.com/auth/logging.admin
  • https://www.googleapis.com/auth/monitoring
  • https://www.googleapis.com/auth/trace.append
  • https://www.googleapis.com/auth/devstorage.full_control

If you have enabled the collection of the Process Monitoring metrics, Workload Manager evaluation metrics, or the SAP HANA monitoring metrics, then the access scopes of the host VM instance must also have write access to publish metric data to your Google Cloud project:

  • https://www.googleapis.com/auth/monitoring.write

To change the access scopes, you need to stop your VM instance, make the changes, and then restart the VM instance. For instructions, see the Compute Engine documentation. You don't need to make any changes to permissions for IAM roles for this issue.

Issue: Missing or incorrect SAP Host Agent

Issue: Google Cloud's Agent for SAP logs show missing or incorrect SAP Host Agent error.

Cause: SAP Host Agent or the required minimum patch level for the SAP Host Agent is not installed. For Google Cloud's Agent for SAP to work, your SAP system must have the SAP Host Agent installed and the required minimum patch level for the Host Agent is maintained.

Resolution: To resolve this issue, install the required version of the SAP Host Agent. For instructions to install the SAP Host Agent, see the SAP documentation.

For version requirements for the SAP Host Agent, see the following SAP Notes:

Issue: Installation of Google Cloud's Agent for SAP failed

Issue: Installation of the agent fails when the package manager install command (yum, zypper, or googet) is executed.

Cause: Installation of the agent fails because the host server that is running the agent has been created without a public IP address.

Resolution: To resolve this issue, set up a NAT gateway that gives the host server outbound access to the internet. For information about how to set up a NAT gateway, see the deployment guide for your SAP system. For example, for SAP NetWeaver, see:

Issue: Collection of the SAP HANA monitoring metrics failed

Issue: While upgrading from the monitoring agent for SAP HANA, after you install Google Cloud's Agent for SAP, you see an error message similar to the following:

tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead

Cause: Google Cloud's Agent for SAP cannot start the collection of the SAP HANA monitoring metrics because the target SAP HANA instances use SSL certificates that are specified with Common Name (CN).

Resolution: To resolve this issue, complete the following steps:

  1. For the SAP HANA instances that you want to monitor using Google Cloud's Agent for SAP, you must switch to using a Subject Alternate Name (SAN) SSL certificate instead of SSL certificates that are specified with Common Name (CN).

  2. Establish an SSH connection with your host VM instance or Bare Metal Solution server.

  3. Open the configuration file of Google Cloud's Agent for SAP:

    /etc/google-cloud-sap-agent/configuration.json
  4. In the hana_monitoring_configuration section, set the parameter enabled to true.

  5. In the hana_monitoring_configuration.hana_instances section, perform the following for each SAP HANA instance that uses the TLS/SSL protocol for secure communication:

    1. Specify the parameter enable_ssl and set its value to true.

    2. Specify the parameter host_name_in_certificate and set the SAP HANA host name, as specified in the TLS/SSL certificate, as its value.

    3. Specify the parameter tls_root_ca_file and set the path, where the TLS/SSL certificate is stored, as its value.

  6. Save the configuration file.

  7. Restart Google Cloud's Agent for SAP for the new settings to take effect:

    sudo systemctl restart google-cloud-sap-agent
  8. Verify that the agent is collecting the SAP HANA monitoring metrics. For instructions, see View the other metrics.

  9. Uninstall the monitoring agent for SAP HANA.

Issue: Connection refused error

Issue: SAP Host Agent logs show the connection refused error.

Cause: Google Cloud's Agent for SAP cannot start up because the port 18181 is not available. Google Cloud's Agent for SAP listens for requests on port 18181. This port must be available for the agent to start up.

Resolution: To resolve this issue, make sure that the port 18181 is available for Google Cloud's Agent for SAP. If another service is using port 18181, then you might need to restart that other service or otherwise reconfigure it to use another port.

Issue: For the OS images SLES 15 SP4 for SAP and later, Google Cloud's Agent for SAP is not running

Issue: When you use the SLES "for SAP" OS images, Google Cloud's Agent for SAP is preinstalled for you. But, for the OS images SLES 15 SP4 for SAP and later, the preinstalled Agent for SAP does not start on its own.

To verify that the agent is running or not, perform the following steps:

  1. Connect to your host VM instance or Bare Metal Solution server.
  2. Run the following command:

    systemctl status google-cloud-sap-agent

    If the agent is not running, then the output contains inactive (dead). For example:

    google-cloud-sap-agent.service - Google Cloud Agent for SAP
     Loaded: loaded (/usr/lib/systemd/system/google-cloud-sap-agent.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
    

Cause: The Agent for SAP doesn't start on its own because of a problem with the OS packaging.

Resolution: To resolve the issue, perform the following steps:

  1. Connect to your host VM instance or Bare Metal Solution server.
  2. Run the following commands:

    sudo sed -i 's~ /usr/sap~ -/usr/sap~g' /usr/lib/systemd/system/google-cloud-sap-agent.service
    sudo systemctl restart google-cloud-sap-agent
  3. Verify that the agent is running:

    systemctl status google-cloud-sap-agent

    You should see an output similar to the following:

    google-cloud-sap-agent.service - Google Cloud Agent for SAP
      Loaded: loaded (/usr/lib/systemd/system/google-cloud-sap-agent.service; disabled; vendor preset: disabled)
      Active: active (running) since Wed 2023-07-12 03:07:23 UTC; 7s ago
    Main PID: 6117 (google_cloud_sa)
       Tasks: 6
      Memory: 8.8M (max: 1.0G limit: 1.0G available: 1015.1M)
      CGroup: /system.slice/google-cloud-sap-agent.service
               └─ 6117 /usr/bin/google_cloud_sap_agent startdaemon
    

Getting support for Google Cloud's Agent for SAP

If you need help resolving a problem with Google Cloud's Agent for SAP, then gather the required diagnostic information and contact Cloud Customer Care. For more information, see Version 2: Google Cloud's Agent for SAP diagnostic information.