on 08-13-2018 9:06 AM
Hi.
I am trying to connect to a client's SAP box via SAProuter and after 100 tries I just can't get it right.
Can anyone give some guidance of things I can check?
I know the settings below are not ideal as they allow all connections, but we just wanted to exclude as many things as possible that can go wrong.
First the details:
I can open a telnet session via port 3299
My saprouttab file:
# Allow Outbound connections to SAProuter will use SNC
KT "p:CN=[TheCertificateNameThatTheyGenerated], OU=0000446700, OU=SAProuter, O=SAP, C=DE" [TheirSAPRouterIP] 3299
P * * * *
The client's saprouttab file:
KP "p:CN= [TheCertificateNameThatWeGenerated]" * *
KT "p:CN= [TheCertificateNameThatWeGenerated]" [OurSAPRouterIP] *
P * * * *
When I run niping:
niping -c -H /H/MySAPRouterIP/S/3299/H/ClientSAPRouterIP/S/3299
connect to server o.k.
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-93 (NIEROUT_INTERN) from peer [nibuf.cpp 2042]
*** ERROR => NiTClientLoop: NiTReadLoop (rc=-93) [nixxtst.cpp 2935]
******************************************************************************
* LOCATION SAProuter 40.4 on 'sapservername'
* ERROR internal error
*
* TIME Thu Aug 9 18:36:59 2018
* RELEASE 745
* COMPONENT NI (network interface)
* VERSION 40
* RC -93
* MODULE /bas/745_REL/src/base/ni/nirout.cpp
* LINE 3541
* DETAIL NiRClientHandle: route expected
* COUNTER 85
******************************************************************************
I start my saprouter with:
saprouter -K p:CN=soterionauswoodside -r -G log.txt
Our devrout file:
*** ERROR => NiBufIProcMsg: hdl 18 received rc=-17 (NIESNC_FAILURE) from peer [nibuf.cpp 2042]
Their devrout file:
command line arg 0: ./saprouter
command line arg 1: -r
command line arg 2: -R
command line arg 3: /usr/sap/saprouter/saprouttab
command line arg 4: -G
command line arg 5: log.txt
main: pid = 22075, ppid = 18173, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: '/usr/sap/saprouter/saprouttab'
*** ERROR => SNC field without SNC active, skip line 1 [nirout.cpp 10855]
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp 10855]
Thu Aug 9 18:05:58 2018
*** ERROR => route from C12/-1 '[IPAddress]' expected [nirout.cpp 3539]
Thu Aug 9 18:07:43 2018
*** ERROR => NiRExRouteCon: NiBufIRouteGetNext failed (rc=-2) [nirout.cpp 3976]
*** ERROR => NiRClientHandle: NiRExRouteCon for C10/-1 '[IPAddress]' failed (rc=-2) [nirout.cpp 3488]
Thu Aug 9 18:08:52 2018
*** ERROR => NiSncIIgnoreOpcode: got SNC-request without SNC active [nisnc.c 484]
Hi Patricio,
Can you try this?
# Allow Outbound connections to SAProuter will use SNC
KT "p:CN=[TheCertificateNameThatTheyGenerated], OU=0000446700, OU=SAProuter, O=SAP, C=DE" [TheirSAPRouterIP] *
Hello,
Your niping test command is incomplete.
It goes up to the second saprouter, not to the box behind it.
Try with something like:
niping -c -H /H/MySAPRouterIP/S/3299/H/ClientSAPRouterIP/S/3299/H/SAPServer/S/32XX
(where "XX" in the last port definition is the instance number of the SAP system running on "SAPServer")
In addition, the syntax of the saprouttab file is:
P <source> <destination> <port> <optional password>
So, you might need to remove the last asterisk from your saprouttab rules.
And just a small comment, the port being defined as "*" does not open all ports. For security reasons, the saprouter only allows the port range 3200 - 3299 if the port is defined as "*".
In case it helps, there is a PDF file attached to the SAP Note 30289 (S-user required) with the complete documentation of the saprouter.
Cheers!
Isaías
Appreciate your answer, but no luck yet. The reason I omitted the sapserver at the end of the niping command is just to first test whether the 2 saprouters can communicate. But even if I add it in, I still get the same error about
NiRClientHandle route expected error
I've also removed the last * from the P command, but it did not change anything.
Hi!
Can you capture and provide level 2 traces from both saprouters?
You can execute "saprouter -t" on both saprouters to switch the trace level to 2 dynamically.
Then, execute the niping test with the complete, final router string (including the final server) and execute "saprouter -t" again to reduce the trace level to 1.
We would need both "dev_rout" trace files and a screenshot from the niping test.
What command do you use to start saprouter? Can you please add the -K switch?
saprouter -r -S 3299 -K "p:<Your Distinguished Name>"
Did you install the certificate response from SAP as well?
From the output below it doesn't look like the saprouter is running with the -K switch. Can you please attach the logs again?
command line arg 0: ./saprouter
command line arg 1: -r
command line arg 2: -R
command line arg 3: /usr/sap/saprouter/saprouttab
command line arg 4: -G
command line arg 5: log.txt
main
Based on the log there is clearly something with SNC - so either problem is with a certificate or SNC activation (-K switch).
When you run the saprouter with the -K switch the logs will be different. Please post them so that we can analyze further! 🙂
Good luck!
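A check for the two things the replies above point at: KT/KP entries that a router started without -K skips (the "SNC field without SNC active, skip line N" messages in the client's dev_rout) and the fourth field of a P rule being a password rather than a wildcard. This is an added example, not code from any poster or from SAP; the function name, the sample table and the address 192.0.2.10 are constructed.

```python
import shlex

PLAIN = {"P", "S", "D"}         # permit / permit SAP protocols only / deny
SNC = {"KP", "KS", "KD", "KT"}  # SNC variants; KT names the SNC peer router

# Constructed sample modelled on the client's table quoted in the thread.
THEIR_TAB = '''\
KP "p:CN=ExamplePartner" * *
KT "p:CN=ExamplePartner" 192.0.2.10 *
P * * * *
'''


def lint_saprouttab(text, snc_active):
    """Return (line_no, severity, message) tuples.

    snc_active is True when saprouter was started with -K <SNC name>.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # quoted "p:CN=..., OU=..." stays one field
        except ValueError:
            findings.append((no, "error", "unbalanced quotes"))
            continue
        kind, args = fields[0].upper(), fields[1:]
        if kind not in PLAIN | SNC:
            findings.append((no, "error", f"unknown entry type {fields[0]!r}"))
        elif kind in SNC and not snc_active:
            # dev_rout reports this as "SNC field without SNC active, skip line N"
            findings.append((no, "error", "SNC entry skipped: no -K at startup"))
        elif len(args) < 3 or len(args) > (3 if kind == "KT" else 4):
            findings.append((no, "error", f"{kind}: unexpected field count {len(args)}"))
        else:
            if kind in {"P", "S"} and args[0] == "*" and args[1] == "*":
                findings.append((no, "warn", "any source to any destination"))
            if len(args) == 4 and args[3] == "*":
                findings.append((no, "warn", "4th field is a password, not a wildcard"))
    return findings


if __name__ == "__main__":
    for finding in lint_saprouttab(THEIR_TAB, snc_active=False):
        print(*finding)
```

Run with `snc_active=False`, the sample reproduces the two skipped lines from the client's trace and leaves only the open `P * * * *` rule in effect.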
I can mention that the client said they are NOT using SNC.
I am not sure what command the client is using to start their SAProuter. Mine is with the -K.
The contents of the log.txt file are as follows:
Thu Aug 09 10:05:26 2018 INIT LOGFILE
Thu Aug 09 10:05:26 2018 READ ROUTTAB ./saprouttab o.k.
Thu Aug 09 10:06:00 2018 CONNECT FROM C9/- host ourSAProuterIP/52739
Thu Aug 09 10:06:00 2018 CONNECT TO S9/17 host theirSAProuterIP/3299 (theirSAProuterIP)
Thu Aug 09 10:06:00 2018 ESTABLISHED S9/17
Thu Aug 09 10:06:00 2018 DISCONNECT S9/17 host theirSAProuterIP/3299 (theirSAProuterIP)
Thu Aug 09 10:08:53 2018 CONNECT FROM C10/- host ourSAProuterIP/52748
Thu Aug 09 10:08:53 2018 CONNECT TO S10/18 host theirSAProuterIP/3299 (theirSAProuterIP) (p:CN=theirCertificateName, OU=0000446700, OU=SAProuter, O=SAP, C=DE)
Thu Aug 09 10:08:53 2018 CONNECT ERR S10/18 NIESNC_FAILURE on 'SAProuter 40.4 on 'sapservername''
Thu Aug 09 10:08:53 2018 DISCONNECT S10/18 host theirSAProuterIP/3299 (theirSAProuterIP)
Do I need to regenerate the dev_rout contents?