
defining saprouttab

Former Member
0 Kudos

Hi people,

I have a doubt about the saprouttab entries. The entries are the following:

# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 3201
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 3300
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 3301

# SNC connection to local WINDOWS system for WTS, if applicable
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 3389

# SNC connection to local UNIX system for SAPtelnet
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23

# SNC connection to local Portal system for URL access, if applicable
# Portal server: myserver.mydomain
# Port number: 50003
#KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003

# Access from local network to SAP
P 192.168.. 194.39.131.34 3299
P 192.168.. 194.39.131.34 *
P * 192.168.0.* *

# deny all other connections
D * * *

If the saprouttab has these entries, then it works correctly, but I want to limit the public IP, so I put in the entry:

P 192.168.0.* *

then it's impossible to access via saprouter. The error message is:

host: route permission denied (192.168.0.254 to 192.168.0.128, sapdp00)

How can I do this?

Many thanks

Accepted Solutions (1)

Former Member
0 Kudos

Hi

Check that the ports are open in the firewall. If yes, paste the DEV_ROUTE log file here.

Regards

William Neira

Former Member
0 Kudos

The dev_rout is as follows:

---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "700"
---------------------------------------------------

Tue Feb 22 17:02:18 2011
SAP Network Interface Router, Version 38.10
command line arg 0: D:\usr\sap\saprouter\saprouter.exe
command line arg 1: -r
command line arg 2: -W
command line arg 3: 6000
command line arg 4: -R
command line arg 5: D:\usr\sap\saprouter\saprouttab
command line arg 6: -K
command line arg 7: p:CN=devsap00, OU=0000972864, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "D:\usr\sap\saprouter\sapcrypto.dll".
File "D:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
main: pid = 596, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

Tue Feb 22 17:02:28 2011
NiHsLGetHostName: to get 172.26.0.254 failed in 4497ms (tl=2000ms)
checkRoute: route not permitted (9)
*** ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '172.26.0.254' failed (rc=-94) [nirout.cpp 2251]

Tue Feb 22 17:04:44 2011
checkRoute: route not permitted (9)
*** ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '172.26.0.254' failed (rc=-94) [nirout.cpp 2251]

Tue Feb 22 17:04:56 2011
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

Tue Feb 22 17:05:22 2011
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

Tue Feb 22 17:05:26 2011
checkRoute: route not permitted (10)
*** ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '172.26.0.254' failed (rc=-94) [nirout.cpp 2251]

Tue Feb 22 17:05:48 2011
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

Tue Feb 22 17:49:22 2011
***LOG Q0I=> NiIRead: recv (10054: WSAECONNRESET: Connection reset by peer) [nixxi.cpp 4424]
*** ERROR => NiIRead: SiRecv failed for hdl 3 / sock 260
    (SI_ECONN_BROKEN/10054; I4; ST; 172.26.0.254:39060) [nixxi.cpp 4424]

Wed Feb 23 08:50:58 2011
checkRoute: route not permitted (10)
*** ERROR => NiRClientHandle: NiRExRouteCon for C4/-1 '172.26.0.254' failed (rc=-94) [nirout.cpp 2251]

Wed Feb 23 09:37:37 2011
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

Wed Feb 23 09:37:44 2011
checkRoute: route not permitted (13)
*** ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '172.26.0.254' failed (rc=-94) [nirout.cpp 2251]

Wed Feb 23 09:38:25 2011
checkRoute: route not permitted (13)
*** ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '172.26.0.254' failed (rc=-94) [nirout.cpp 2251]

Wed Feb 23 09:39:22 2011
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

----------
Wed Feb 23 09:39:25 2011
checkRoute: route not permitted (13)
*** ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '172.26.0.254' failed (rc=-94) [nirout.cpp 2251]
----------

Wed Feb 23 09:41:16 2011
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

The error is between the lines.

Many thanks

Former Member
0 Kudos

Hi,

Is there any IP NAT between the external network and the internal network? If yes, then you should allow the NATed IP, not the public one.

Regards,

Vamshi.

Former Member
0 Kudos

Hi

Do you have an issue with access to your network from the internet, or is your issue connecting to SAP?

Try putting these lines in saprouttab:

P 172.26.0.254 * 3200

P * 172.26.0.254 3200

If that doesn't work, please enable all connections temporarily with the line:

P * * *

The last line enables all connections; this is only temporary, to check your issue.

After every change in saprouttab you must restart saprouter.

Regards

William Neira

TomCenens
Active Contributor
0 Kudos

Hello Ruben

Slightly off-topic in the sense that it doesn't give an answer to your question, but you can automate the generation of permission lines in SAProuter with SAP Solution Manager. It might be interesting to look at the possibility.

Transaction SOLMAN_SAPROUTER.

Kind regards

Tom

Former Member
0 Kudos

Thanks William,

I've put in the saprouttab P 172.26.0.254 * *

And it worked. I don't understand the conversion of the public IP to the private one. I suppose that is the work of the firewall.

Many thanks.

Former Member
0 Kudos

The conversion should be done by the firewall with NAT. It takes a public IP address and directs it to a private address.

If your issue is solved, please mark your thread as answered.

Thanks and best regards

William Neira
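
An added example, not code from any poster in this thread or from SAP: a small evaluator for plain P/S/D saprouttab lines that shows why a client arriving with the NATed address 172.26.0.254 is rejected by a table written for 192.168.0.*, and how a narrower permit compares with `P 172.26.0.254 * *`. Assumptions: entries are checked top to bottom and the first match decides, SNC entries (KT/KP) and lines with fewer than four fields are skipped, and the sample tables and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

def parse_routtab(text):
    """Return (action, source, dest, port) tuples for P/S/D lines only."""
    rules = []
    for raw in text.splitlines():
        fields = raw.strip().split()
        # Skip blanks, comments, SNC entries and short lines (assumption of this sketch).
        if len(fields) < 4 or fields[0] not in ("P", "S", "D"):
            continue
        rules.append(tuple(fields[:4]))
    return rules

def check_route(rules, source, dest, port):
    """First matching entry decides; no match at all means the route is denied."""
    for number, (action, src, dst, prt) in enumerate(rules, 1):
        if (fnmatchcase(source, src) and fnmatchcase(dest, dst)
                and fnmatchcase(str(port), prt)):
            return action != "D", number
    return False, None

def broad_permits(rules):
    """Permit entries that wildcard both source and destination, e.g. P * * *."""
    return [r for r in rules if r[0] in ("P", "S") and r[1] == "*" and r[2] == "*"]

# Constructed sample tables modelled on the entries discussed in the thread.
RESTRICTED = """
# only the internal subnet may reach internal hosts
P 192.168.0.* 192.168.0.* *
D * * *
"""
FIXED = "P 172.26.0.254 * *\n" + RESTRICTED          # the entry that worked
TIGHT = "P 172.26.0.254 192.168.0.128 3200\nD * * *"  # same source, one target

if __name__ == "__main__":
    # The SAProuter sees the NATed source address, as in the dev_rout trace.
    client, target = "172.26.0.254", "192.168.0.128"
    for name, table in (("restricted", RESTRICTED), ("fixed", FIXED), ("tight", TIGHT)):
        rules = parse_routtab(table)
        for port in (3200, 3389):
            allowed, entry = check_route(rules, client, target, port)
            print(f"{name:10} port {port}: allowed={allowed} (entry {entry})")
    print("wide-open entries:", broad_permits(parse_routtab("P * * *\nD * * *")))
```
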

Answers (1)

Former Member
0 Kudos

Excuse my English:

I need to set restrictions for connecting via SAProuter. We do not want anyone who knows the SAProuter string to be able to connect; we would like to restrict by MAC address or some other functional way. I'm new to this, but I want to demonstrate the effectiveness and flexibility of the SAP