on 03-27-2010 7:09 AM
Dear Team,
We are going to access SAP from the outside internet without using the office VPN or network.
Now I want to set a SAProuter string through which any person who wants to access our SAP system can do so without getting into our VPN or network. Basically people in Sales when they are at the customer sites.
My saprouter is working fine, as SAP can log in to our systems. The NAT is completed, so that does not seem to be an issue.
Please find our configuration below.
Our SAProuter is configured on the SOLMAN server.
For Solman server below are the IP:
132.147.166.3 Private IP for internal access
210.18.50.134 Public IP address.
ROUTAB file is in the below path C:\usr\sap\saprouter.
Below is the content of ROUTAB file
SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3202
Access from the local Network to SAP
P 192.168.. 194.39.131.34 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 5631
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3389
P * 194.39.131.34 3299
P "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3201
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3200
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3389
deny all other connections
D * * *
Now I want to access my production server with IP = 132.147.166.11 from outside.
So I had configured the below settings in SAP GUI.
Application server=132.147.166.11 [public ip of server where saprouter has installed]
SAProuter String=/H/210.18.50.134/S/3299
system id=ELP
system number=02
But when I click on login it shows the below error:
-
router permission denied(210.18.50.134 to 132.147.166.11 ,sapdp02
location =saprouter 38.10 ON 'SOLMAN'
relese=700
version=38
returncode=-94
counter=012
-
Is it necessary to make any change in the routab file, as the network admin is saying the problem is from saprouter to the production server?
Please help us with the same.
Regards
Rabin Nayak
SAP Basis Team
Rabin,
From next time onwards, post your query in a readable form.
Your router string should be like this: /H/<SAProuter public IP>/H/<Target server IP>/H/.
router permission denied(210.18.50.134 to 132.147.166.11,
sapdp02 location =saprouter 38.10 ON 'SOLMAN' relese=700
version=38 returncode=-94 counter=012
Check whether your target server IP 132.147.166.11 is talking to public 210.18.50.134.
Add following line to your routtab file if you want all the IPs to access your target server:
P * * *
Also post your routtab file in a neat and clean way.
Regards
Sourabh Majumdar
Dear Saurabh,
Thanks for your reply. As per your suggestion I had added [P * * *] as the last line in my routab file and used
/H/210.18.50.134/H/132.147.166.5/H/ in the Routerstring field in SAP GUI.
But I again got the same error. [Time out while pending for route completion]
Please find below my routab file after the addition of P * * * as the last line.
-
SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3202
Access from the local Network to SAP
P 192.168.. 194.39.131.34 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 5631
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3389
P * 194.39.131.34 3299
P "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3201
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3200
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3389
deny all other connections
D * * *
P * * *
-
Regards
Rabin
Hi Rabin
Always make sure you carry out the changes in routtab file by stopping the SAProuter. I believe your target server IP is 132.147.166.11 of the production server which you want to access. If yes your router string will be:
/H/210.18.50.134/H/132.147.166.11/H/
Then restart the SAProuter and try again. Have you verified that your target server IP 132.147.166.11 is talking to public 210.18.50.134?
Also, is your public IP registered with SAP? Please check it and get it registered.
Can you paste the contents of the dev_rout file and the saprouter.log file?
Regards
Sourabh Majumdar
Dear Sourabh,
Thanks for your support. I am using /H/210.18.50.134/H/132.147.166.11/H/ for the production server only
and /H/210.18.50.134/H/132.147.166.5/H/ for my development server.
Please find below the log of the dev_rout file.
-
-
trc file: "dev_rout", trc level: 1, release: "700"
-
Mon Mar 29 10:51:26 2010
SAP Network Interface Router, Version 38.10
command line arg 0: saprouter
command line arg 1: -r
command line arg 2: -S
command line arg 3: 3299
command line arg 4: -K
command line arg 5: p:CN=SOLMAN, OU=0000849045, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "C:\usr\sap\saprouter\sapcrypto.dll".
File "C:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
main: pid = 5260, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
ERROR => invalid token (p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE) in IPadr-string, skip line 11 [nirout.cpp 8585]
Mon Mar 29 10:56:20 2010
checkRoute: route not permitted (15)
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'mail.supremegroup.co.in' failed (rc=-94) [nirout.cpp 2243]
Mon Mar 29 10:56:44 2010
checkRoute: route not permitted (15)
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'mail.supremegroup.co.in' failed (rc=-94) [nirout.cpp 2243]
Mon Mar 29 11:25:43 2010
checkRoute: route not permitted (15)
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '210.18.50.134.sify.net' failed (rc=-94) [nirout.cpp 2243]
-
I had added another two lines in my routab file, as highlighted below.
-
SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3202
Access from the local Network to SAP
P 192.168.. 194.39.131.34 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 5631
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3389
P * 194.39.131.34 3299
P "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3201
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3200
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 3299
deny all other connections
D * * *
P * * *
-
I had checked that my public IP is already registered with SAP; still I am getting the same error at the time of login.
Regards
Rabin
Edited by: RABIN-SAP BASIS on Mar 29, 2010 8:03 AM
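Added example, not part of any poster's message and not SAP code: a small Python checker that shows why the dev_rout trace reports an "invalid token" for the `P "p:CN=..."` entry and why a `P * * *` placed after `D * * *` has no effect. It assumes top-down, first-match evaluation of the route permission table, `#` comment markers, and `*` wildcards only; the function names, the shortened table and the client address 203.0.113.10 are constructed for illustration.

```python
import re
import shlex
from fnmatch import fnmatchcase

# Constructed excerpt: entries quoted in the thread, '#' comment markers assumed.
SAMPLE = '''\
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 3299
P "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
# deny all other connections
D * * *
P * * *
'''

def port(service):
    """Map a dispatcher service name sapdpNN to port 32NN; pass the rest through."""
    m = re.fullmatch(r"sapdp(\d\d)", service)
    return "32" + m.group(1) if m else service

def parse(text):
    """Return (rules, findings); a rule is (line, kind, source, dest, service)."""
    rules, findings, catch_all = [], [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tok = shlex.split(line)  # keeps the quoted SNC name as one field
        if len(tok) < 4:
            findings.append((no, "too few fields"))
            continue
        kind, src, dst, svc = tok[:4]
        if not kind.startswith("K") and src.startswith("p:"):
            findings.append((no, "SNC name in host field, entry skipped"))
            continue
        if catch_all:
            findings.append((no, f"never reached, line {catch_all} matches first"))
        elif not kind.startswith("K") and (src, dst, svc) == ("*", "*", "*"):
            catch_all = no
        rules.append((no, kind, src, dst, svc))
    return rules, findings

def decide(rules, client_ip, dest, service, snc_name=None):
    """Walk the table top-down; the first matching entry decides."""
    for no, kind, src, dst, svc in rules:
        who = snc_name if kind.startswith("K") else client_ip
        if (who is not None and fnmatchcase(who, src) and fnmatchcase(dest, dst)
                and fnmatchcase(port(service), port(svc))):
            return ("deny" if kind.endswith("D") else "permit", no)
    return ("deny", None)  # no entry matched: route not permitted
```

A plain (non-SNC) SAP GUI client asking for 132.147.166.11 on sapdp02 skips every K* entry and is decided by `D * * *`; a narrow entry such as `P * 132.147.166.11 3202` only changes that when it sits above the deny line.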
Hi ,
Add the following line in SAP routetab file
P * 132.147.166.11 3202
Once you have added it, run the following command:
saprouter -n
Now log in to your production system 132.147.166.11 through SAP GUI; the SAP GUI settings should be as you posted in the first thread, i.e. as below:
Application server=132.147.166.11
SAProuter String=/H/210.18.50.134/S/3299
system id=ELP
system number=02
Thanks
Anil
Edited by: Anil Bhandary on Mar 29, 2010 9:53 AM
Dear Anil,
Thank you for your support. I had already added [P * 132.147.166.11 3202]; rather, I have also added P*** for all access.
When I run the command saprouter -n it shows the below error.
-
C:\usr\sap\saprouter>saprouter -n
Tue Mar 30 10:03:55 2010
SAP Network Interface Router, Version 38.10
Tue Mar 30 10:03:56 2010
***LOG Q0I=> NiPConnect2: connect (10061: WSAECONNREFUSED: Connection refused) [
nixxi.cpp 2770]
ERROR => NiPConnect2: SiPeekPendConn failed for hdl 0 / sock 1912
(SI_ECONN_REFUSE/10061; I4; ST; 127.0.0.1:3299) [nixxi.cpp 2770]
ERROR => RTADMINREQ::sendAdminReq: NiBufConnect failed (rc=-10) [nirout.cpp
5649]
*****************************************************************************
*
LOCATION SAProuter 38.10 on 'SOLMAN'
ERROR partner '127.0.0.1:3299' not reached
*
TIME Tue Mar 30 10:03:56 2010
RELEASE 700
COMPONENT NI (network interface)
VERSION 38
RC -10
MODULE nixxi.cpp
LINE 2770
DETAIL NiPConnect2
SYSTEM CALL connect
ERRNO 10061
ERRNO TEXT WSAECONNREFUSED: Connection refused
COUNTER 2
*
*****************************************************************************
Kindly let me know what to do next.
Hi,
* LOCATION SAProuter 38.10 on 'SOLMAN'
* ERROR partner '127.0.0.1:3299' not reached
Do the following steps.
1. Log in to the host of saprouter, i.e. I think SOLMAN is the host of saprouter.
2. Stop saprouter:
saprouter -s
3. Make the following changes in the hosts file of SOLMAN.
The hosts file will be located at:
Windows: C:\WINDOWS\system32\drivers\etc\hosts
Add the following entry:
<ip address of your solman> SOLMAN
4. Now Start the saprouter & check whether your problem resolved or not.
Thanks
Anil
Hi Madan,
Is there any firewall or other devices which may block the port?
Or are there any settings which may prevent the access to public ip:3299?
Can you reach the server successfully without sap router?
What is the result of the following commands?
niping -c -H router IP -s 3299
Is the connection to the public IP OK? You can test the connection with a niping test:
start from router server:
niping -s -I 0
start from client:
niping -c -H <IP>
Best regards
Helen
Hi,
Thanks to all for helping in solving the issue. My problem is solved now.
Best Regards,
Madan