SAProuter: NiRClientHandle route expected error

former_member449168
Participant
0 Kudos

Hi.

I am trying to connect to a client's SAP box via SAProuter, and after 100 tries I just can't get it right.

Can anyone give some guidance on things I can check?
I know the settings below are not ideal as they allow all connections, but we just wanted to exclude as many things as possible that can go wrong.

First the details:

I can open a telnet session via port 3299

My saprouttab file:

# Allow Outbound connections to SAProuter will use SNC
KT "p:CN=[TheCertificateNameThatTheyGenerated], OU=0000446700, OU=SAProuter, O=SAP, C=DE" [TheirSAPRouterIP] 3299
P * * * *

The client's saprouttab file:

KP "p:CN= [TheCertificateNameThatWeGenerated]" * *
KT "p:CN= [TheCertificateNameThatWeGenerated]" [OurSAPRouterIP] *
P * * * *

When I run niping:

niping -c -H /H/MySAPRouterIP/S/3299/H/ClientSAPRouterIP/S/3299

connect to server o.k.
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-93 (NIEROUT_INTERN) from peer [nibuf.cpp  2042]
*** ERROR => NiTClientLoop: NiTReadLoop (rc=-93) [nixxtst.cpp  2935]

******************************************************************************
*  LOCATION  SAProuter 40.4 on 'sapservername'
*  ERROR  internal error
*
*  TIME  Thu Aug 9 18:36:59 2018
*  RELEASE  745
*  COMPONENT  NI (network interface)
*  VERSION  40
*  RC  -93
*  MODULE  /bas/745_REL/src/base/ni/nirout.cpp
*  LINE  3541
*  DETAIL  NiRClientHandle: route expected
*  COUNTER  85
******************************************************************************

I start my saprouter with:

saprouter -K p:CN=soterionauswoodside -r -G log.txt

Our devrout file:

*** ERROR => NiBufIProcMsg: hdl 18 received rc=-17 (NIESNC_FAILURE) from peer [nibuf.cpp  2042]

Their devrout file:

command line arg 0:  ./saprouter
command line arg 1:  -r
command line arg 2:  -R
command line arg 3:  /usr/sap/saprouter/saprouttab
command line arg 4:  -G
command line arg 5:  log.txt
main: pid = 22075, ppid = 18173, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: '/usr/sap/saprouter/saprouttab'
*** ERROR => SNC field without SNC active, skip line 1 [nirout.cpp  10855]
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp  10855]
Thu Aug  9 18:05:58 2018
*** ERROR => route from C12/-1 '[IPAddress]' expected [nirout.cpp  3539]
Thu Aug  9 18:07:43 2018
*** ERROR => NiRExRouteCon: NiBufIRouteGetNext failed (rc=-2) [nirout.cpp  3976]
*** ERROR => NiRClientHandle: NiRExRouteCon for C10/-1 '[IPAddress]' failed (rc=-2) [nirout.cpp  3488]
Thu Aug  9 18:08:52 2018
*** ERROR => NiSncIIgnoreOpcode: got SNC-request without SNC active [nisnc.c  484]

Accepted Solutions (0)

Answers (3)

tan_michael
Active Participant
0 Kudos

Hi Patricio,

Can you try this?

# Allow Outbound connections to SAProuter will use SNC
KT "p:CN=[TheCertificateNameThatTheyGenerated], OU=0000446700, OU=SAProuter, O=SAP, C=DE" [TheirSAPRouterIP] *


former_member449168
Participant
0 Kudos

Thanks, will do. I assume that is on my side and not on their side?

isaias_freitas
Advisor
0 Kudos

Hello,

Your niping test command is incomplete.

It goes up to the second saprouter, not to the box behind it.

Try with something like:

niping -c -H /H/MySAPRouterIP/S/3299/H/ClientSAPRouterIP/S/3299/H/SAPServer/S/32XX

(where "XX" in the last port definition is the instance number of the SAP system running on "SAPServer")

In addition, the syntax of the saprouttab file is:

P <source> <destination> <port> <optional password>

So, you might need to remove the last asterisk from your saprouttab rules.

And just a small comment, the port being defined as "*" does not open all ports. For security reasons, the saprouter only allows the port range 3200 - 3299 if the port is defined as "*".

In case it helps, there is a PDF file attached to the SAP Note 30289 (S-user required) with the complete documentation of the saprouter.

Cheers!

Isaías
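
A small lint pass over a saprouttab, using the field order quoted in the answer above. This is an added example, not code from the thread or from SAP; the function name, the messages, and the sample name and IP are made up, and the field limits (three fields for KT, up to four for the other entry types) are an assumption about the file syntax.

```python
import shlex

PLAIN = {"P", "S", "D"}            # entries matched on the source host
SNC = {"KT", "KP", "KS", "KD"}     # entries whose first field is an SNC name

def lint_routtab(text, snc_active):
    """Return (line_no, message) findings for saprouttab text.

    snc_active: True if this saprouter is started with -K.
    Assumed layout: <type> <source or SNC name> <destination> <port> [password].
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)   # a quoted SNC name stays one field
        except ValueError:
            findings.append((no, "unbalanced quote"))
            continue
        kind, args = fields[0].upper(), fields[1:]
        if kind not in PLAIN | SNC:
            findings.append((no, "unknown entry type"))
            continue
        if kind in SNC and not snc_active:
            findings.append((no, "SNC entry but router not started with -K"))
        max_args = 3 if kind == "KT" else 4
        if len(args) > max_args:
            findings.append((no, "too many fields"))
        elif len(args) == 4 and args[3] == "*":
            findings.append((no, "'*' sits in the password field"))
        if kind == "P" and args[:2] == ["*", "*"]:
            findings.append((no, "permits any source to any destination"))
    return findings

# Constructed sample modelled on the poster's file (placeholder name and IP).
SAMPLE = '''# Allow Outbound connections to SAProuter will use SNC
KT "p:CN=partner, OU=0000446700, OU=SAProuter, O=SAP, C=DE" 192.0.2.10 3299
P * * * *
'''

if __name__ == "__main__":
    for no, msg in lint_routtab(SAMPLE, snc_active=False):
        print(f"line {no}: {msg}")
```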

former_member449168
Participant
0 Kudos

Appreciate your answer, but no luck yet. The reason I omitted the sapserver at the end of the niping command is just to first test whether the 2 saprouters can communicate. But even if I add it in, I still get the same error about

NiRClientHandle route expected error

I've also removed the last * from the P command, but it did not change anything.

isaias_freitas
Advisor
0 Kudos

Hi!

Can you capture and provide level 2 traces from both saprouters?

You can execute "saprouter -t" on both saprouters to switch the trace level to 2 dynamically.

Then, execute the niping test with the complete, final router string (including the final server) and execute "saprouter -t" again to reduce the trace level to 1.

We would need both "dev_rout" trace files and a screenshot from the niping test.

BJarkowski
Active Contributor
0 Kudos

What command do you use to start saprouter? Can you please add the -K switch?

saprouter -r -S 3299 -K "p:<Your Distinguished Name>"

former_member449168
Participant
0 Kudos

I'm starting my SAProuter as:

saprouter -K p:CN=ourcertificatename -r -G log.txt

BJarkowski
Active Contributor
0 Kudos

Did you install the certificate response from SAP as well?

From the output below, it doesn't look like you are running the saprouter with the -K switch. Can you please attach the logs again?

command line arg 0:  ./saprouter
command line arg 1:  -r
command line arg 2:  -R
command line arg 3:  /usr/sap/saprouter/saprouttab
command line arg 4:  -G
command line arg 5:  log.txt
main

Based on the log, there is clearly something with SNC - so the problem is either with a certificate or with SNC activation (-K switch).

When you run the saprouter with the -K switch, the logs will be different. Please post them so that we can analyze further! 🙂

Good luck!
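
The check described in the post above (was the router started with -K, and what does the trace say about SNC) can be scripted over a dev_rout file. This is an added example, not code from the thread or from SAP; the function name and report keys are made up, and the samples are the trace lines posted in this thread, laid out one per line.

```python
import re

ARG = re.compile(r"^command line arg \d+:\s+(\S+)", re.M)
SKIP = re.compile(r"SNC field without SNC active, skip line (\d+)")
REJECT = re.compile(r"got SNC-request without SNC active")
SNC_FAIL = re.compile(r"NIESNC_FAILURE")

def triage_dev_rout(text):
    """Collect the SNC-related evidence from one router's dev_rout text."""
    args = ARG.findall(text)
    skipped = sorted({int(n) for n in SKIP.findall(text)})
    report = {
        # None when the excerpt does not include the start-up arguments
        "started_with_K": ("-K" in args) if args else None,
        "skipped_routtab_lines": skipped,
        "snc_requests_rejected": len(REJECT.findall(text)),
        "snc_failures_from_peer": len(SNC_FAIL.findall(text)),
        "findings": [],
    }
    if skipped:
        report["findings"].append(
            f"SNC inactive: K* entries on routtab lines {skipped} were skipped")
    if report["snc_requests_rejected"]:
        report["findings"].append(
            "a peer requested SNC but this router has no SNC active")
    if report["snc_failures_from_peer"]:
        report["findings"].append(
            "peer answered NIESNC_FAILURE: compare SNC settings on both routers")
    return report

# Constructed sample: the client's dev_rout lines from this thread, one per line.
THEIR_TRACE = """\
command line arg 0:  ./saprouter
command line arg 1:  -r
command line arg 2:  -R
command line arg 3:  /usr/sap/saprouter/saprouttab
command line arg 4:  -G
command line arg 5:  log.txt
*** ERROR => SNC field without SNC active, skip line 1 [nirout.cpp  10855]
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp  10855]
*** ERROR => NiSncIIgnoreOpcode: got SNC-request without SNC active [nisnc.c  484]
"""
# Constructed sample: the single line from the poster's own dev_rout.
OUR_TRACE = "*** ERROR => NiBufIProcMsg: hdl 18 received rc=-17 (NIESNC_FAILURE) from peer"

if __name__ == "__main__":
    for name, trace in (("theirs", THEIR_TRACE), ("ours", OUR_TRACE)):
        print(name, triage_dev_rout(trace))
```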

former_member449168
Participant
0 Kudos

I can mention that the client said they are NOT using SNC.
I am not sure what command the client is using to start their SAProuter. Mine is with the -K.

The contents of the log.txt file are as follows:

Thu Aug 09 10:05:26 2018 INIT LOGFILE
Thu Aug 09 10:05:26 2018 READ ROUTTAB ./saprouttab o.k.
Thu Aug 09 10:06:00 2018 CONNECT FROM C9/- host ourSAProuterIP/52739
Thu Aug 09 10:06:00 2018 CONNECT TO S9/17 host theirSAProuterIP/3299 (theirSAProuterIP)
Thu Aug 09 10:06:00 2018 ESTABLISHED S9/17
Thu Aug 09 10:06:00 2018 DISCONNECT S9/17 host theirSAProuterIP/3299 (theirSAProuterIP)
Thu Aug 09 10:08:53 2018 CONNECT FROM C10/- host ourSAProuterIP/52748
Thu Aug 09 10:08:53 2018 CONNECT TO S10/18 host theirSAProuterIP/3299 (theirSAProuterIP) (p:CN=theirCertificateName, OU=0000446700, OU=SAProuter, O=SAP, C=DE)
Thu Aug 09 10:08:53 2018 CONNECT ERR S10/18 NIESNC_FAILURE on 'SAProuter 40.4 on 'sapservername''
Thu Aug 09 10:08:53 2018 DISCONNECT S10/18 host theirSAProuterIP/3299 (theirSAProuterIP)

Do I need to regenerate the dev_rout contents?