Former Member

saprouter A2200202:Actual server name differs from requested one

Hi,

I have done everything (I think) mentioned in the online documentation to setup my saprouter but I still can't connect with saposs.

Here is my dev_rout:

    [root@saprouter saprouter]# cat dev_rout
    ---------------------------------------------------
    trc file: "dev_rout", trc level: 1, release: "745"
    ---------------------------------------------------
    Wed Dec 14 13:58:47 2016
    SAP Network Interface Router, Version 40.4
    command line arg 0: ./saprouter
    command line arg 1: -r
    command line arg 2: -K
    SncInit(): Initializing Secure Network Communication (SNC)
          AMD/Intel x86_64 with Linux (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
          UserId="root" (0), envvar USER="root"
    SncInit(): Trying environment variable SNC_LIB as gssapi library name:
          "/usr/sap/saprouter/libsapcrypto.so".
      File "/usr/sap/saprouter/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
      SECUDIR="/usr/sap/saprouter" (from $SECUDIR)
      The internal Adapter for the loaded GSS-API mechanism identifies as:
      Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
      Product Version = CommonCryptoLib 8.5.5 (Sep 23 2016) [AES-NI,CLMUL,SSE3,SSSE3]
    main: pid = 1819, ppid = 1734, port = 3299, parent port = 0 (0 = parent is not a saprouter)
    reading routtab: './saprouttab'
    Wed Dec 14 13:59:33 2016
    *** ERROR => SncPEstablishContext() failed for target='p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE' [/bas/745_R 3638]
    *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [/bas/745_REL/sr 3604]
          GSS-API(maj): Miscellaneous failure
          GSS-API(min): A2200202:Actual server name differs from requested one.
        Unable to establish the security context
        target="p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"
    <<- SncProcessInput()==SNCERR_GSSAPI
    *** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0x1e62740;1421) [nisnc.c 1003]

If I created the credentials with root, is this an issue?

What else could be the issue?


4 Answers

  • Best Answer
    Dec 16, 2016 at 12:02 AM
    *** ERROR => SncPEstablishContext() failed for target='p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE' [/bas/745_R 3638]
    *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [/bas/745_REL/sr 3604]
          GSS-API(maj): Miscellaneous failure
          GSS-API(min): A2200202:Actual server name differs from requested one.
    Thu Dec 15 08:48:39 2016
        Unable to establish the security context
        target="p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"
    <<- SncProcessInput()==SNCERR_GSSAPI
    *** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0x1f95b50;1421) [nisnc.c      1003
    

    Your saprouttab could be the issue.

    [root@saprouter saprouter]# cat saprouttab
    # SNC connection to and from SAP
    KT "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
    

    Modify the above entry to:

    KT "p:CN=sapserv2, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

    # SNC connection to local system for R/3 support
    KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
    KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.178 3200

    Modify the above two entries to:

    KP "p:CN=sapserv2, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
    KP "p:CN=sapserv2, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.178 3200

    Restart the saprouter and check if it helps.


    • Former Member

      It worked, thank you Reagan.

      For some reason, I thought "CN=sapserv2, OU=SAProuter, O=SAP, C=DE" was a generic example to be replaced everywhere with the distinguished name I received.

      I'm happy I did everything else right... glass half full!
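
An added example (not part of the original thread and not SAP tooling): a Python check for the mistake resolved above, where K* entries in saprouttab name the router's own certificate subject instead of the SNC partner's, so SNC mutual authentication fails with A2200202. The function names are hypothetical, the sample input is condensed from the posts on this page, and the comma-split DN comparison is a simplifying assumption.

```python
import re

# SNC route-permission lines: K<D|P|S|T> "<SNC name>" <dest host> <dest port>
K_ENTRY = re.compile(r'^\s*(K[DPST])\s+"([^"]+)"\s+(\S+)\s+(\S+)')

def subject_from_sapgenpse(output):
    """Extract the Subject DN from `sapgenpse get_my_name` output."""
    m = re.search(r"^\s*Subject\s*:\s*(.+?)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Subject line found")
    return m.group(1)

def normalize_dn(snc_name):
    """Drop the 'p:' prefix and normalise spacing and case for comparison."""
    dn = snc_name.strip()
    if dn.lower().startswith("p:"):
        dn = dn[2:]
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(","))

def find_self_named_entries(routtab_text, own_subject):
    """Return (line_no, kind, host, port) for K* entries naming the router itself."""
    own = normalize_dn(own_subject)
    hits = []
    for no, line in enumerate(routtab_text.splitlines(), 1):
        m = K_ENTRY.match(line)  # comment lines start with '#', so they never match
        if m and normalize_dn(m.group(2)) == own:
            hits.append((no, m.group(1), m.group(3), m.group(4)))
    return hits

# Sample input condensed from the posts on this page.
PSE_OUTPUT = """\
Subject               :   CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE
Issuer                :   CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
SubjectAltName        :   none
"""
ROUTTAB = """\
# SNC connection to and from SAP
KT "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection to local system for R/3 support
KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.178 3200
P 192.168.10.* 194.39.131.34 3299
D * * *
"""

if __name__ == "__main__":
    own = subject_from_sapgenpse(PSE_OUTPUT)
    for no, kind, host, port in find_self_named_entries(ROUTTAB, own):
        print(f"line {no}: {kind} entry for {host} {port} names this router itself")
```
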

  • Dec 14, 2016 at 11:13 PM

    Did you register the router with SAP prior to the configuration? As you are setting up the saprouter with SNC, are you using the distinguished name provided by SAP?


  • Former Member
    Dec 15, 2016 at 02:47 PM

    Hi Reagan,

    Yes, I filled and sent the remote connection data sheet to SAP as component XX-SER-NET-NEW.

    I named the server where saprouter is installed "saprouter" so the distinguished name provided by SAP is really "CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"

    I currently have an open incident for support regarding this. They asked for the saprouter to be stopped and restarted with:

    # ./saprouter -r -V 2 -K "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"
    

    I sent them the following information:

    [root@saprouter saprouter]# ./sapgenpse get_my_name -n all
    
    SSO for USER "root"
      with PSE file "/usr/sap/saprouter/local.pse"
    
    Subject               :   CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE
    Issuer                :   CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
    Serialno              :   72:65:B0:8B:8C:A8:90:1B:10:01:EA:00
    KeyInfo               :   RSA, 2048-bit
    Validity  -  NotBefore:   Tue Dec 13 10:08:07 2016 (161213150807Z)
                 NotAfter :   Wed Dec 13 10:08:07 2017 (171213150807Z)
    KeyUsage              :   digitalSignature nonRepudiation keyEncipherment dataEncipherment
    ExtKeyUsage           :   none
    SubjectAltName        :   none
    
    [root@saprouter saprouter]# ./sapgenpse seclogin -l
    
     running seclogin with USER="root"
     0 (LPS:OFF): CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE
             (LPS:OFF): /usr/sap/saprouter/local.pse
     1 readable SSO-Credentials available
    
    [root@saprouter saprouter]# ./niping -c -O -S 3299 -H 194.39.131.34
    
    Thu Dec 15 09:42:15 2016
    connect to server o.k.
    send 10 messages (len 1000)
    ------- times -----
    avg     0.006 ms
    max     0.029 ms
    min     0.001 ms
    tr  174386.161 kB/s
    excluding max and min:
    av2     0.003 ms
    tr2 300480.769 kB/s
    [root@saprouter saprouter]# ./niping -c -H /H/192.168.10.222/H/194.39.131.34/H/localhost
    
    Thu Dec 15 09:43:06 2016
    *** ERROR => NiBufIProcMsg: hdl 1 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    2042]
    *** ERROR => NiBufIConnect: route connect for non-buffered hdl 1 failed (rc=-104;/H/192.168.10.222/H/194.39.131.34/H/localhost); pong not received [nibuf.cpp    4730]
    *** ERROR => NiTClientLoop: NiHandle (rc=-104) [nixxtst.cpp  2935]
    
    *****************************************************************************
    *
    *  LOCATION    SAProuter 40.4 on 'saprouter'
    *  ERROR       SNC processing failed:
    *              SncProcessInput
    *
    *  TIME        Thu Dec 15 09:43:06 2016
    *  RELEASE     745
    *  COMPONENT   NI (network interface)
    *  VERSION     40
    *  RC          -104
    *  MODULE      /bas/745_REL/src/base/ni/nisnc.c
    *  LINE        1000
    *  DETAIL      NiSncIProcIn: sncrc=-4;0x1fa2010
    *  COUNTER     17
    *
    *****************************************************************************
    
    [root@saprouter saprouter]# cat saprouttab
    # SNC connection to and from SAP
    KT "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
    
    # SNC connection to local system for R/3 support
    KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
    KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.178 3200
    
    # Access from the local network to SAP
    P 192.168.10.* 194.39.131.34 3299
    
    # Deny all other connections
    D * * *

    And the content of dev_rout after these commands, which I attached to this message.

    Thanks for your help!

    06-dev-rout.txt


  • Dec 16, 2016 at 02:48 PM

    Hi,

    Could you perform a DNS host lookup and check whether the same host name resolves?

    You may also update the local host file with the appropriate hostname, including the FQDN.

    Regards,

    Deepak Kori
