☑ This topic is solved.
lalit_Jalkhare
Fluorite | Level 6

Hello, I tried to log on with a scriptless method from the client. After entering the user name and password in the prompt screen, it just keeps on loading for 3-5 mins.

lalit_Jalkhare_0-1690490982391.png

 

Then I receive the below error.

lalit_Jalkhare_1-1690491007645.png

 

SAS Spawner Process:-

lalit_Jalkhare_0-1690492200261.png

 

 

The spawner is running on the server, and below is the SIGNON code I used to sign on to the server:

 

lalit_Jalkhare_2-1690491133882.png

TOOLremo contains the name of the server and sasspawn is the port service on which our spawner is listening. Also, the NetEncryptAlgorithm=SSL option has already been defined in the code of the client.

And the same port is opened between both our server and client network.

 

The above code works just fine from the client server which is in the same PN as the server on which the SAS spawner runs.

But when I try to log on from the client from a different PN, it fails with the above-mentioned error.

 

Can you please help me to resolve this issue?

 

SASKiwi
PROC Star

So it works OK over one PVN but not another? The SAS log errors suggest the TCP socket you are trying is blocked. This is most likely a port rule issue. Try testing the port via the problematic PVN.

doug_sas
SAS Employee

For test purposes, be more explicit about your SIGNON rather than default to variables since they may not contain what you think.

Try

 

options netencralg=ssl;
%let testrem=<spawner-host-FQDN> <spawner-port-number>;
SIGNON testrem USER=_PROMPT_ password=_PROMPT_;

 

Also, turn on trace logging on the spawner so that you can see if a connection is made and a server is spawned. This will help you know if the client was able to get to the spawner or not and if it did, whether it was able to spawn a server. If the spawner does not show a connection being made, then the firewall is preventing access or there is no route from the client to the spawner.

lalit_Jalkhare
Fluorite | Level 6

Hello, I tried the code provided by you to SIGNON to the spawner.

When I start the login process on the client, the screen keeps on rolling, and on the server I can see in netstat that the connection with the client server is established on the spawner port, but after 1-2 minutes the netstat status becomes FIN_WAIT1 and then the connection is closed.

 

Server - client connection established then closed:

lalit_Jalkhare_1-1690553733703.png

 

Port opened between server and client:

lalit_Jalkhare_3-1690554101021.png

 

 

And then I receive the below error on the client:

ERROR: A communication subsystem partner link setup request failure has occurred.
ERROR: Cannot read TCP socket. System message is ''.
ERROR: Remote signon to TOOLREMO canceled.
NOTE ETL: Log Remote Session :ERROR: A communication subsystem partner link setup request failure has occurred.
NOTE ETL: Log Remote Session :ERROR: Cannot read TCP socket. System message is ''.
NOTE ETL: Log Remote Session :ERROR: Remote signon to TOOLREMO canceled.

 

________________________________________________________________________________________________________

Also, I checked with my network team. They are saying the firewall is able to establish a telnet connection between server and client over the spawner port, but it will only allow the packets/communications which are secured with SSL; as soon as it detects any unencrypted communication, it will terminate the connection.

I am thinking maybe the client is not able to negotiate the encryption algorithm used by the spawner. Can you help me to understand how exactly the encryption negotiation actually works between the SAS spawner and client, so that I can check with the network team?

 

Many thanks already for all the help 🙂

 

doug_sas
SAS Employee

So I take it you did not see a connection in the log put out by the spawner? I did not see a spawner log in your response.

 

The data sent to the spawner will not be encrypted at the start since it has to negotiate encryption first. If the firewall does not like that, SSH tunneling will be your only answer to getting through the firewall.

lalit_Jalkhare
Fluorite | Level 6

Hello, thanks for your reply. The firewall will only allow SSL connections. After some research, I have created an SSL tunnel with the help of stunnel in between the server and client.

The tunnel works as follows:

In the SAS client SIGNON statement, I give localhost and a local port on which the stunnel client is listening. When the connection is made, stunnel forwards the connection to the remote host on the port the SAS spawner is listening on. With this tunnel the TCP socket error is gone, and it seems the client is able to make it through the firewall.

 

But now I am getting the below error:

 

 ERROR: A communication subsystem partner link setup request failure has occurred.
ERROR: Network request failed (rc 0x1EE3BC10) - SSL Error: Invalid subject name in partner's
certificate. Subject name must match machine name.
ERROR: Remote signon to TOOLREMO.14555 canceled.
NOTE ETL: Log Remote Session : dwhmgr 26685
ERROR: A communication subsystem partner link setup request failure has occurred.
NOTE ETL: Log Remote Session : dwhmgr 26685
ERROR: Network request failed (rc 0x1EE3BC10) - SSL Error: Invalid subject name in partner's
NOTE ETL: Log Remote Session : dwhmgr 26685certificate. Subject name must match machine name.
NOTE ETL: Log Remote Session : dwhmgr 26685ERROR: Remote signon to TOOLREMO.14555 canceled.

______________________________________________

Client address statement:

lalit_Jalkhare_0-1690723141348.png

 

I checked the certificate file, and the CN name is correctly pointing towards the hostname of the server.

I think maybe this error is because I am passing localhost as the server name to the SAS SIGNON statement; that's why it is not able to verify the server certificate. Please correct me if I am wrong.

I already tried passing the remote name in options in the client with options SSLSNIHOSTNAME=XXXXXXXX.net; and systemoption=SSLREQCERT="allow"; (to bypass if verification fails), but nothing helped.

Please help me understand: is there a way to skip the certificate CN verification step?
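
The name check behind the "Subject name must match machine name" error above, as an added example that is not part of the original post and is not SAS's implementation: a generic TLS client compares the names in the peer certificate with the host name it was told to connect to, so a signon routed through a tunnel at localhost fails unless the expected name is set to the real server name. The host name `spawner01.example.net`, the certificate contents and the function names are constructed for illustration.

```python
# Added example: generic TLS peer-name verification (not SAS code).
# Host names and certificate contents below are constructed for illustration.

def dns_name_matches(pattern, hostname):
    """Compare a certificate DNS name with a host name.
    A '*' is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard covers exactly one label and needs at least two fixed labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def names_in_cert(cert):
    """Names eligible for matching: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN entries exist, the CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def verify_peer_name(cert, connect_host, expected_name=None):
    """Verify against expected_name if given, else against the connect address."""
    target = expected_name or connect_host
    return any(dns_name_matches(n, target) for n in names_in_cert(cert))

# Constructed certificate, in the dict shape of ssl.SSLSocket.getpeercert().
SPAWNER_CERT = {
    "subject": ((("commonName", "spawner01.example.net"),),),
    "subjectAltName": (("DNS", "spawner01.example.net"),),
}

def check_scenarios():
    return {
        # Client connects straight to the server name: names agree.
        "direct": verify_peer_name(SPAWNER_CERT, "spawner01.example.net"),
        # Client connects to the local tunnel endpoint: 'localhost' is not in the cert.
        "via_tunnel": verify_peer_name(SPAWNER_CERT, "localhost"),
        # Same tunnel, but the client is told which name to expect in the cert.
        "via_tunnel_expected_name": verify_peer_name(
            SPAWNER_CERT, "localhost", expected_name="spawner01.example.net"),
    }

if __name__ == "__main__":
    for scenario, ok in check_scenarios().items():
        print(f"{scenario}: {'match' if ok else 'MISMATCH'}")
```

Keeping verification on and giving the client the real server name to check (or making the tunnel endpoint resolvable under that name) preserves the protection that disabling the CN check would remove.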

SASKiwi
PROC Star

I suggest you open a Tech Support track for your problem as you will likely get faster help.
