
SAP Router Configuration on HP Ux

Former Member
0 Kudos

Hi

We need to configure SAProuter on an HP Unix server. Could anyone provide me a document (step by step) with HP Unix commands to configure it?

This is the first time I am doing this SAProuter installation.

Regards,

Kumar

Accepted Solutions (0)

Answers (2)

vincentlim826
Employee
0 Kudos

- read the classic SAP note 30374 on SAProuter Installation.

- read the classic SAP note 30289 on SAProuter documentation

- visit http://service.sap.com/saprouter

If you have a problem, check the saprouter trace: dev_rout

Regards,

Vincent

Former Member
0 Kudos

SAP-ROUTER

Introduction:

SAP router is an SAP program that acts as an intermediate station in a network connection between SAP Systems, or between SAP Systems and external networks.

SAP router controls the access to your network at the application level and as such is a useful enhancement to an existing firewall system.

SAP router is an SAP program that acts to protect your SAP network against unauthorized access.

However, since particular types of connections need to penetrate this wall, an entry point or a hole has to be made in the firewall. SAP router assumes the control of this hole.

In short, SAP router provides you with the means of controlling access to your SAP system.

General Steps for Troubleshooting:

1. Check whether the router is up or not; try to ping the router to check the connectivity.

2. If only one of the hosts is not getting connected, then check whether the address entry in the saprouttab is correct.

3. If the problem still persists, then check the trace in the dev_rout file, which keeps track of the SAP router trace, and also check the log file.

Some common errors & their remedies:

Error 1:

There is an error message of the following type in the SAP GUI:

Connection to partner 'sapserver:sapdp00' broken

The SAP GUI then closes immediately.

Causes

This error message can be caused by two factors:

1. There is a crash in the dispatcher process of the instance to which the client was connected. All connections are then automatically broken.

2. Network problems

a) Firewall idle timeout

b) VPN, WAN problems

c) Router problem

Solution

If the dispatcher crashes, it means that the entire instance terminates. In this case, put the message under the component BC-CST-DP for further analysis.

Network problems can be analyzed and solved by the customer's network department.

The trace of the affected dispatcher (dev_disp) and the error trace of the SAP GUI (errorlog.gui) can be used as sources of information.

For more details, reproduce the error and perform the following steps:

• Increase the trace level of the dispatcher to 2 before the user logs on.

• When the error occurs, confirm that you want to see a detailed error message.

If you require help analyzing the trace, send the following information to SAP Support:

• dev_disp

• errorlog.gui

• User name

• IP address of the user

• Time when you reproduced the error

Error 2:

It may happen that when you try to log on to the OSS system using Transaction OSS1, the error message S1452 appears:

'Unable to connect to OSS message server. Default connection will be used'.

Causes

This error message can be caused by two factors:

1. Program 'lgtst' not installed.

2. Configuration not correct

Solution

If program 'lgtst' is not installed, install the program 'lgtst', which is available on the 2.2D CD, in the executables directory of your system.

/usr/sap/[SID]/SYS/exe/run

This program is used by Transaction OSS1 to establish the connection to the OSS message server and determine the logon groups available and the OSS application server with the best performance. When this program is missing, the connection to the message server cannot be established, i.e., the server cannot be determined.

The program 'lgtst' should be started manually only when problems occur.

To start the program manually, enter the following command at the shell level of the database or application server.

/usr/sap/[SID]/SYS/exe/run/lgtst -H /H/[YS]/S/[YSS]/H/[sapservX]/S/sapdp99/H/oss001/S/sapmsO01 -S x -W 30000

Note:

a) This is one command with many parameters.

b) [SID] must be replaced by the system ID of your system.

c) [YS] must be replaced by the name of the computer on which the SAP Router runs (YS = Your SAP Router).

d) [YSS] must be replaced by the service under which the SAP Router runs, usually 'sapdp99' (YSS = Your SAP Router's Service).

e) If you are working with two SAP routers, repeat /H/[YS]/S/[YSS] with the data of the second SAP router before the sapserv specifications.

f) [sapservx] must be replaced by the IP address of the server that you are connected to.

g) Make sure that you replace [YS], [YSS] and [sapservx] with the same data that you have configured in OSS1.

In cases where the program 'lgtst' has been installed correctly, but the connection to the message server cannot be built up, the configuration is not correct. The possible reasons are,

a) Technical OSS1 settings

b) Service entries missing in /etc/services

To find out the reason why the attempt to establish the connection to the message server has failed, run the transaction ST11, and then look for the entry 'dev_lg'. This file contains the error log. Click on dev_lg; if a line 'LOCATION' exists, the computer where the error occurred is described there. The problem is described in the line 'ERROR'.

Error 3:

At times you start up SAP GUI to connect to the On-line Service system, but the SAP GUI shows a screen telling you that the connection failed.

Causes

There are many possibilities in this case,

1. Local Router problem

2. Local Router Authorization check fails

3. Line provider problem

4. Local SAP Router problem

5. Remote Router problem

6. Remote Router Authorization setting problem

7. Remote SAP Router routing setting problem

8. Local setting problem

9. Server problem

Solution

First, find out the possible problem. Then contact the system administrator or connection provider to solve the problem.

a) partner not reached (host <hostname or IP>, service 32XX)

If <hostname or IP> is the local machine:

Check 1. Is the hostname or IP that of your SAP Router?

If not, change it.

If yes, check whether your SAP Router is started.

Is the service port right? The default is 3299.

Does the connection to the SAP Router work?

If <hostname or IP> is SAPServX:

Check the connection.

If the error text shows "Connection refused", the host is not an SAP Router or the SAP Router is not started.

If the error text shows "Connection timed out", the host does not exist or cannot be reached.

b) Route permission denied (hostIP1 to hostIP2, sapdpXX)

Check the services file on Local PC/SAP Server/SAPRouter

A line like

sapdpXX 32XX/tcp

(Ex. sapdp01 3201/tcp

sapdp00 3200/tcp)

should be added to the services file.

The location of the services file is:

Win95/98 %WINDIR%\services

WinNT/2000 %WINDIR%\System32\drivers\etc\services

UNIX/Linux /etc/services

c) Route permission denied (hostIP1 to hostIP2, 32XX)

This means that the routing settings do not allow you to connect from hostIP1 to hostIP2.

Please read the next line:

Location SAPRouter on hostname

If the hostname (or IP) is your local machine, please check whether there is a password setting in the SAPRouteTAB file.

If there is a password, please verify that you use the correct password.

Or add the SAP routing permission to the SAPRouteTAB file.

If the hostname (or IP) is related to SAP (like sapservX), send the above message to the SAP support team.

d) Check line connection:

Use ping or tracert (traceroute) to check the connection.

Run these commands on your router or SAPRouter.

For example: ping sapserv7

tracert sapserv7 (use traceroute under UNIX)

If the response fails (timeout or other), the connection could not be built.

Otherwise the connection to SAP is successful.

e) Check connection between front-end and local SAPRouter.

If you want to connect from a workstation, you may need to check the connection between your workstation and the SAPRouter with 'ping'.

f) For ISDN router

Check the dial indicator: does the router dial?

If the router does not dial, please contact the router vendor.

If the router dials but fails, please check the dialup number or contact the ISDN service provider. Maybe authorization fails, or the line fails, or there is a configuration error.

If the dialup connection is successful:

: ping the remote router to check the IP configuration

: ping SAPServX to check the connection

: collect the above information and contact the ISDN provider

: if all settings are right but the remote router cannot be reached, ask the line provider to reset the gateway.

g) Server problem

If the connection check is OK but there is still some issue, then try to get help from SAP to do a further check.

Error 4:

Another situation can be that you are unable to start the router from command level.

Cause

This can be due to missing fields in the saprout table.

Solution

Check the entries in the file saprouttab

Also add this value in your saprouttab P<tab><tab><tab>* to give full permission

Save the file without any extension.

Now try to start the sap router from the command prompt.

OR

1) Take a backup of your present saprouttab

2) Then remove all values inside the saprouttab file and add the following value

P<tab>*<tab><tab> to give full permission

Now save the file without any extension and then try to restart the router.

Error 5:

This is a problem in which you are able to ping SAP server side IP but unable to ping through hostname of SAP server.

Cause

This situation occurs when the host name of the server is not identified

Solution

If you want to ping the SAP hostname, then add the host name and IP address to the c:\windows\system32\drivers\etc\hosts file.

Significance of SAP Router:

You can use SAP router to do the following:

• Control and log the connections to your SAP System, e.g. from an SAP service center

• Set up an indirect connection when programs involved in the connection cannot communicate with each other due to the network configuration. This may be due to:

1. Address conflicts when using non-registered IP addresses

2. Restrictions which exist for firewall systems

• Improve network security by means of the following:

1. A password, which protects your connection and data from unauthorized external access

2. Allowing access from only particular SAP routers

3. Only allowing encrypted connections from a known partner (using the SNC layer)

• Increase performance and stability by reducing the SAP System load within a local area network (LAN) when communicating with a wide area network (WAN)

Enhanced Network Security with SAP Router:

To provide independency from the various platforms, SAP has developed the intermediate layer NI (Network Interface) for all network connections. SAP router also provides connectivity using this layer.

In the OSI 7 layer model, the NI layer forms the upper part of the transport layer. NI uses TCP or UDP protocol also known as the SAP Protocol.

The test program niping, which tests the NI functions, belongs to the NI layer. A predefined number of data packages is simply sent from the client to the server, is returned by the server, and read again by the client. The program also outputs average transfer times.

This tool niping is a server and client for testing the SAP NI (Network Interface) Layer. As the name is similar to "ping", it does something similar, but just with the SAP network layer. So, you can test SAP router connections or other SAP connections with using this special ping - the niping.

Route Connections:

A route connection is a connection between two hosts via a network. The route is the sequence of intermediate stations used to set up the connection.

You can set up a connection between SAP systems with or without SAP router.

A) Connections without SAP router:

The following graphic shows a network connection from SAP to the customer without SAP router.

Here both the SAP LAN (local area network) as well as the customer LAN are protected against unwanted access by firewalls. If a connection is to be set up between an SAP workstation and a customer workstation, a "hole" needs to be made in the firewall.

The more connections required to external hosts, the more holes (and therefore security gaps) the firewall contains.

If a connection is set up without SAP router, the following information is required:

1. IP address of the host or the logical name of the host on which the server process is running. The target host must therefore have a unique IP address.

2. Port number or the logical name of the port used by the process.

The server process must use an exclusive port number on its host. Also, this port number must be known to the client

B) Connections with SAP router:

The following graphic shows a network connection from SAP to the customer with SAP router.

SAP router only allows a network to be accessed from fixed points. The number of access points ("holes") is therefore reduced, since fewer direct lines are required for connections.

Each "hole" is guarded by a SAP router whose route permission table determines the routes that can be used and the passwords required for access. The hole in the firewall is therefore monitored.

Without SAP router, the IP addresses must be unique. This is not always possible, particularly in the case of a connection between two networks that do not normally have an external connection. SAP router enables two points with identical IP addresses to be connected.

Installing SAP Router:

SAP router is installed as a service on Windows. You will find the latest SAP router in the SAP Service Marketplace under:

Download SAP Software → <Support Packages & Patches>

In the hierarchy choose:

SAP WEB AS → SAP WEB AS <latest release> → Binary Patches → SAP KERNEL <Release/ 32/64-BIT [UNICODE]> → <OS> → Database independent.

Installation on Windows:

Prerequisites:

You have the latest version of SAP router (available from the SAP Service Marketplace) and have read the "readme" file. The SAP router version must not be under 23.

Procedure:

1. Create the subdirectory saprouter in the directory <drive>:\usr\sap.

2. Download the latest version of the SAP router from SAP Service Marketplace. Read the readme file in this package. Copy the executables saprouter.exe and niping.exe to the directory you have just created.

3. If SAP router has already been entered as a service with srvany.exe, remove the definition of the service from the Registry and restart the host.

4. Define the service with the following command:

ntscmgr install SAProuter -b <drive>:\usr\sap\saprouter\saprouter.exe -p "service -r <parameter>"

<parameter> can be replaced by other parameters with which SAP router is to be started. It is important that the parameters are within the character string enclosed in double quotation marks.

5. Define the general attributes of the service: In Control Panel → Services, set the startup type to "automatic" and enter a user. SAP router should not run under the System Account.

6. To avoid the error message "The description for Event ID (0)" in the Windows NT event log, you must enter the following in the registry: Under HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → Eventlog → Application, create the key saprouter and define the following values under it:

EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe

Starting SAP Router:

Procedure:

Enter saprouter -r in the input field. This command starts SAP router. The allowed connections are listed in the Route Permission Table saprouttab.

Main SAP router commands and what they do:

saprouter: Displays a complete list of SAP router parameters on the screen.

saprouter -r: Starts SAP router.

saprouter -s: Stops SAP router.

Testing SAP router Basic Functions:

Prerequisites:

You require the programs saprouter and niping as well as three open windows on one or more hosts.

Procedure:

1. Start SAP router in window 1 (on host1). To do this, enter the following command: saprouter -r

2. In window 2 (host2), start the test program niping to emulate a test server. Enter the following command: niping -s

3. In window 3, start the test program niping again with the following command: niping -c -H /H/host1/H/host2

This command tests the connection with SAP router. A host name is interpreted as a route (over one or more SAP routers to the server) if /H/ is added as a prefix to the host name.

In step 3, data packages are sent to the server, and the server sends the data packages back.

To perform a self test for the local host:

Enter the command niping -t. If the self test is successful, the following message appears:

*** SELFTEST O.K. ***

Route Strings:

A route string describes the stations of a connection required between two hosts. A route string has the syntax:

/H/host/S/service/W/pass

It consists of any number of substrings in the form /H/host/S/service/W/pass.

H, S, and W must be uppercase!

A route string contains a substring for each SAP router and for the target server. Each substring contains the information required by SAP router to set up a connection in the route: the host name, the port name, and the password.

Syntax for substrings:

• /H/ indicates the host name; it must be at least two characters long.

• /S/ indicates the port; it is an optional entry, and the default value is 3299.

• /W/ indicates the password for the connection between the predecessor and successor on the route and is also optional (default is "", no password).

Route String Entry for SAP Router:

A route string describes a connection required between two hosts using one or more SAP routers. Each of these SAP routers then checks its Route Permission Table to see whether the connection between its predecessor and successor is allowed, and if it is, sets it up.

The following graphic shows an example of a connection between SAP and a customer system. In this example, a SAP employee working on sappc wants to log on to a customer application server yourapp, which provides or uses the service sapsrv.

The SAP service employee logs on to the SAP System, and sets up a connection between sappc and yourapp using the SAP router on sap_rout and the customer's SAP router your_rout.

your_rout requires the password pass_to_app for connections with yourapp. The route string appears as follows:

/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv

This route string is interpreted by the SAP routers involved in the route as follows:

| Substring | Host/address | Service/port | Password |
|---|---|---|---|
| Substring 1 | /H/sap_rout | /S/<default> | <no password> |
| Substring 2 | /H/your_rout | /S/<default> | /W/pass_to_app |
| Substring 3 | /H/yourapp | /S/sapsrv | |

The connection from sappc to the application server is set up in the following steps:

sappc (front end): Sets up the connection to SAP router sap_rout according to substring 1 and relays the route information.

sap_rout (SAP router on SAP side): Uses the Route Permission Table to check whether the route "sappc to your_rout 3299" is allowed, sets up the connection to the customer SAP router on the host your_rout, and passes substring 2 and 3.

your_rout (SAP router on customer side): Checks whether the route "sap_rout to yourapp, sapsrv" is allowed. The password pass_to_app is also checked. SAP router then sets up the connection to the application server.

A SAP router always checks only the previous host name or the previous IP address and the next substring (/H/.../S/.../W/...) for host name or IP address, service and password. The last substring does not contain a password, since there is no successor in the route.

If the /S/ section is missing, the default port number of the SAP router is used.

If the /W/ section is missing, a password is not used.

Route Permission Table:

The route permission table contains the host names and port numbers of the predecessor and successor points on the route as well as the passwords required to set up the connection. It is used to specify which connections are allowed and which prohibited by SAP router.

Standard entries in a route permission table appear as follows:

P/S/D <source-host> <dest-host> <dest-serv> <password>

<source-host> and <dest-host> could be SAP routers.

The beginning of the line can be as follows:

P (permit) causes SAP router to set up the connection, can contain a password.

S (secure) only allows connections with the SAP Protocol, connections with other protocols (such as TCP) are not allowed.

D (deny) prevents the connection from being set up.

Error Diagnosis:

As a rule, always refer to the relevant notes in SAPNet if you experience problems with SAP router.

Note number Content

0012023 ERROR => NI_PONG in more than one package

0029684 STFK: Route permission denied

0062636 Sap router terminates on ending UNIX session

0063342 List: NI error codes

0139184 Sap router: Invalid DATA from C...

0155839 SAP router and the Year 2000

0163436 Check connection and raise a event when connect

0164937 NiPBind: service 'sap????' in use

0167857 niping -s error on Windows 95/8

0168937 AIX: Error code for accept exits server

0169398 Reliant: setup connection in the R/3 System fails

0180075 SAP router for Linux

0181896 AS/400: Signal handling in NI

0184896 NI: Error correction NI

0104576 Package filter between ITS and R/3

0042692 Test tool for RFC links: sapinfo

0066168 Required documents when analyzing RFC problems

0025917 Changes to /etc/hosts are not accepted

0147021 "Address already in use" due to TCP state

0053459 SAP programs for Linux

0085749 Using SAProuter with SNC for secure printing

0037211 ftp not via SAProuter : "connection refused"

The error messages output directly by SAP router are described under SAP router

Edited by: Chetan Seth on Nov 16, 2008 3:03 PM
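
Added example (not part of the original post and not SAP code): Python that splits a route string as described under "Route Strings", lists what each SAProuter on the route checks according to the sappc / sap_rout / your_rout walk-through, and reports route permission table entries that permit every source, destination and service. The function names and the sample table are constructed for illustration; taking the password from the router's own substring follows the post's example.

```python
import re

DEFAULT_SERVICE = "3299"  # default SAProuter port given in the post

def parse_route(route):
    """Split a route string into one dict per /H/ substring."""
    tokens = re.findall(r"/([HSW])/([^/]*)", route)
    # Reject anything the tokens do not fully account for, e.g. lowercase /h/.
    if not tokens or "".join(f"/{k}/{v}" for k, v in tokens) != route:
        raise ValueError("expected /H/host[/S/service][/W/pass] substrings")
    hops = []
    for key, value in tokens:
        if key == "H":
            if len(value) < 2:
                raise ValueError("host name must be at least two characters")
            hops.append({"host": value, "service": DEFAULT_SERVICE, "password": ""})
        elif not hops:
            raise ValueError("a substring must start with /H/")
        else:
            hops[-1]["service" if key == "S" else "password"] = value
    return hops

def router_checks(client, hops):
    """List what each SAProuter on the route checks, following the post's
    walk-through: predecessor host, successor host and service, and the
    password carried in the router's own substring (assumption from the example)."""
    checks = []
    for i, hop in enumerate(hops[:-1]):  # the last hop is the target server
        source = client if i == 0 else hops[i - 1]["host"]
        nxt = hops[i + 1]
        checks.append((hop["host"], source, nxt["host"], nxt["service"], hop["password"]))
    return checks

def open_permits(routtab_text):
    """Return (line number, has_password) for P or S entries whose
    source-host, dest-host and dest-serv fields are all '*'."""
    findings = []
    for number, line in enumerate(routtab_text.splitlines(), start=1):
        parts = line.split()
        if not parts or parts[0] not in ("P", "S"):
            continue  # D entries, blank lines and anything else are skipped
        fields = parts[1:4]
        if fields and all(f == "*" for f in fields):
            findings.append((number, len(parts) > 4))
    return findings

# Constructed sample table in the "P/S/D <source> <dest> <serv> <password>" layout.
SAMPLE_ROUTTAB = """\
P sap_rout yourapp sapsrv pass_to_app
D * yourapp 3200
P * * *
"""

if __name__ == "__main__":
    hops = parse_route("/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv")
    for check in router_checks("sappc", hops):
        print(check)
    print(open_permits(SAMPLE_ROUTTAB))
```

Each tuple from router_checks reads (router, predecessor, next host, next service, password), which is the set of values to compare against that router's saprouttab entries.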