This article provides information about IP Allowlisting for connections between Trading Partners and CIC, along with two approaches to solving errors caused by Trading Partner IP Allowlisting.
CIDR Block for IP Allowlist
To help ensure scalability, Cleo Integration Cloud uses an expanded list of allowed IP addresses.
The IP Allowlist for CIC includes a CIDR Block of 256 addresses: 192.245.195.0/24
As a best practice, CIC customers’ trading partners need to add the CIDR block to their allowed IP address list. If a customer’s trading partner does not support allowlisting by CIDR Block, or has restrictions on the number of allowable IP addresses, this may lead to connectivity issues.
Connectivity Errors Related to IP addresses
If an existing trading partner has not yet accepted the CIDR block, then you might experience an increase in connectivity errors when transferring data to that trading partner. Any outbound protocol transfer could be affected when the trading partner's server or network allowlists IPs but has not allowlisted the CIDR block IP range.
To verify that a connectivity error is related to an IP address issue:
- Check the Job Log of an errored transaction.
- Look for the “Hint”
- If a trading partner needs to allow the CIDR Block, the following message is logged:
Hint: "Trading partner may be whitelisting and not accepting the newer CIC 192.245.195.0/24 CIDR block."
Trading partners might also experience connectivity errors when attempting to connect inbound to CIC if the IP address their resolver selects at random from CIC IP addresses is not allowlisted for outbound connections. The specific error signatures for these connection failures will vary, depending on the software trading partners are using. But as with outbound connection failures:
- Automatic retries from the trading partner are likely to eventually resolve the error, and
- Expanding the allowlist according to one of the recommendations below will completely resolve the errors.
Because allowlisting from trading partners to CIC blocks the connection at the source, there is no evidence of a connection attempt within CIC itself.
Managing Errors due to allowlisting and IP acceptance
Automatic Retries
In the instance of a connectivity error due to a partner that has not accepted the full CIDR block, automatic retries ensure that the transfer process will eventually execute. However, this is only possible once the Job is run from an existing IP address that the trading partner already allows.
While the condition of these errors can be addressed through the automatic retry mechanism, this is not a recommended approach as you will still see an influx of connectivity issues. Please see the following options to address the error type described above.
Two Approaches to Solving Errors Caused by Trading Partner IP Allowlisting
BEST PRACTICE – The One-and-Done Approach
- Allowlist the original four addresses in the 44/8 network:
  - 44.224.240.12
  - 44.226.68.8
  - 44.233.112.35
  - 44.233.41.247
- plus the CIDR block 192.245.195.0/24
- This is the first and best approach we recommend. Have your trading partners allow the full CIDR block as soon as possible. This approach will remedy any errors tied to allowlisting or allowable IPs, and for new trading partners prevent the issue in advance.
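A trading partner can check a proposed allowlist against these ranges before relying on it. The following is an added example, not Cleo's code: the function names and the sample partner list are constructed for illustration, and only the required addresses come from this article.

```python
import ipaddress

# Ranges taken from the article: four original addresses plus the CIDR block.
CIC_REQUIRED = ["44.224.240.12", "44.226.68.8", "44.233.112.35",
                "44.233.41.247", "192.245.195.0/24"]

def parse_entries(entries):
    """Parse allowlist entries (single IPs or CIDR). Returns (networks, rejected)."""
    nets, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            rejected.append(text)  # malformed entries never count as coverage
    return nets, rejected

def coverage_gaps(partner_entries, required=CIC_REQUIRED):
    """Return (uncovered networks, rejected entries) for a partner allowlist."""
    allowed, rejected = parse_entries(partner_entries)
    allowed = [n for n in allowed if n.version == 4]  # required ranges are IPv4
    gaps = []
    for req in map(ipaddress.ip_network, required):
        remaining = [req]
        for a in allowed:
            nxt = []
            for r in remaining:
                if r.subnet_of(a):
                    continue                          # fully covered by this entry
                if a.subnet_of(r):
                    nxt.extend(r.address_exclude(a))  # partially covered
                else:
                    nxt.append(r)                     # disjoint
            remaining = nxt
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps)), rejected

if __name__ == "__main__":
    # Constructed sample: one address missing, half the block, one shorthand entry.
    sample = ["44.224.240.12", "44.226.68.8", "44.233.112.35",
              "192.245.195.0/25", "192.245.195/24"]
    gaps, rejected = coverage_gaps(sample)
    print("uncovered:", [str(g) for g in gaps])
    print("rejected:", rejected)
```

An empty gap list means every CIC source address is allowed. Any remaining network is a range from which transfers can still fail until a retry lands on an allowed address.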
Limited Primary/Failover IP Network (Not Recommended)
- You can request that Cleo configure a subdomain for Limited Primary/Failover IP Network for your tenant by contacting Cleo Support.
- You will need to set this limited network as a subdomain that you can select when you create AS2, OFTP, Partner Mailbox, FTP, and SFTP Endpoints for specific trading partners.
- NOTE: This interface does not operate at the same level of performance or availability SLAs of the primary cluster.
- Cleo recommends only using this method for trading partners operating legacy software that cannot allowlist modern cloud services.