
SAPOSS RFC - Problem with saprouter

Former Member
0 Kudos

Dear all,

We have a problem starting the SAPOSS RFC from all SAP systems.

We have an issue related to our saprouter.

Our environment:

1. S00 is our SAP Solution Manager system (as example)

2. atd-saprouter is the server where the saprouter runs

3. We are using sapserv2 194.39.131.34

4. We have configured a SNC connection.

1. From atd-saprouter to S00 (Solman), the connection works

telnet ...

2. From S00 (Solman) to atd-saprouter, the connection works.

3. SAP can log in to our S00. We have opened an R/3 connection in S00 and SAP is able to log on to S00.

4. We have re-installed the sap certificate with sapgenpse. It works.

Info :

1. To start the saprouter, we are using the following command :

./saprouter -r -G sap-rtt.toto.ch.log -S 3299 -K "p:CN=sap-att.toto.ch, OU=0002273377, OU=SAProuter, O=SAP, C=DE"

2. Content of sap-rtt.toto.ch.log

Tue Mar 15 14:00:31 2011 INIT LOGFILE

Tue Mar 15 14:00:31 2011 READ ROUTTAB ./saprouttab o.k.

Tue Mar 15 14:00:52 2011 CONNECT FROM C1/- host 10.120.140.245/45161 (slv0745v)

Tue Mar 15 14:00:52 2011 CONNECT TO S1/2 host 194.39.131.34/sapdp99 (194.39.131.34) (p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE)

Tue Mar 15 14:00:52 2011 DISCONNECT S1/2 host 194.39.131.34/3299 (194.39.131.34)

Tue Mar 15 14:22:06 2011 CONNECT FROM C1/- host 10.120.140.246/39760 (totoslt0807v)

Tue Mar 15 14:22:06 2011 CONNECT TO S1/2 host 194.39.131.34/sapdp99 (194.39.131.34) (p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE)

Tue Mar 15 14:22:06 2011 DISCONNECT S1/2 host 194.39.131.34/3299 (194.39.131.34)

3. Here you have the saprouttab content:

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *

P * * *

4. dev_rout content file

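---------------------------------------------------

trc file: "dev_rout", trc level: 1, release: "700"

---------------------------------------------------
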
Tue Mar 15 14:00:31 2011

SAP Network Interface Router, Version 38.10

command line arg 0: ./saprouter

command line arg 1: -r

command line arg 2: -G

command line arg 3: sap-rtt.toto.ch.log

command line arg 4: -S

command line arg 5: 3299

command line arg 6: -K

command line arg 7: p:CN=sap-rtt.toto.ch, OU=0002273377, OU=SAProuter, O=SAP, C=DE

SncInit(): Initializing Secure Network Communication (SNC)

AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 8/64/64)

SncInit(): Trying environment variable SNC_LIB as a

gssapi library name: "/usr/sap/saprouter/linux-x86_64-glibc2.3/libsapcrypto.so".

File "/usr/sap/saprouter/linux-x86_64-glibc2.3/libsapcrypto.so" dynamically loaded as GSS-API v2 library.

The internal Adapter for the loaded GSS-API mechanism identifies as:

Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

main: pid = 32312, ppid = 24529, port = 3299, parent port = 0 (0 = parent is not a saprouter)

reading routtab: './saprouttab'

Tue Mar 15 14:00:52 2011

***LOG Q0I=> NiPConnect2: connect (111: Connection refused) [nixxi.cpp 2823]

*** ERROR => NiPConnect2: SiPeekPendConn failed for hdl 2 / sock 7

(SI_ECONN_REFUSE/111; I4; ST; 194.39.131.34:3299) [nixxi.cpp 2823]

Tue Mar 15 14:22:06 2011

***LOG Q0I=> NiPConnect2: connect (111: Connection refused) [nixxi.cpp 2823]

*** ERROR => NiPConnect2: SiPeekPendConn failed for hdl 2 / sock 7

(SI_ECONN_REFUSE/111; I4; ST; 194.39.131.34:3299) [nixxi.cpp 2823]

5. Result of the following command:

./niping -c -H /H/194.39.131.34/H/194.39.131.34

***LOG Q0I=> NiPConnect2: connect (111: Connection refused) [nixxi.cpp 2823]

*** ERROR => NiPConnect2: SiPeekPendConn failed for hdl 0 / sock 3

(SI_ECONN_REFUSE/111; I4; ST; 194.39.131.34:3299) [nixxi.cpp 2823]

*** ERROR => NiTClientLoop: NiHandle (rc=-10) [nixxtst.cpp 2861]

*  ERROR partner '194.39.131.34:3299' not reached

*  TIME Tue Mar 15 14:38:00 2011

*  RELEASE 700

*  COMPONENT NI (network interface)

*  VERSION 38

*  RC -10

*  MODULE nixxi.cpp

*  LINE 2823

*  DETAIL NiPConnect2

*  SYSTEM CALL connect

*  ERRNO 111

*  ERRNO TEXT Connection refused

*  COUNTER 1

Any suggestions are welcome.

Best regards

SAP NetWeaverAdmin

Accepted Solutions (1)

JPReyes
Active Contributor
0 Kudos

***LOG Q0I=> NiPConnect2: connect (111: Connection refused) [nixxi.cpp 2823]

*** ERROR => NiPConnect2: SiPeekPendConn failed for hdl 2 / sock 7

(SI_ECONN_REFUSE/111; I4; ST; 194.39.131.34:3299)

ERROR partner '194.39.131.34:3299' not reached

*  ERRNO TEXT Connection refused

Either your SAPRouter is not properly registered with SAP or you have a problem with your firewall.

Also, what type of SAPRouter connection are you using (VPN, SCN, ISDN)?

Regards

Juan

Former Member
0 Kudos

Dear Juan,

Thanks for your input.

1. We are using SNC as SAPRouter connection.

2. We have re-generated the saprouter certificate this afternoon and re-installed it, without any problem.

3. What exactly do you mean by "your SAPRouter is not properly registered with SAP ..."?

If SAP can log on to our SAP landscape through our saprouter, is that not proof that our saprouter is correctly registered with them?

Best regards

SAP NetWeaverAdmin

Edited by: SAP NetWeaverAdmin on Mar 15, 2011 4:38 PM

JPReyes
Active Contributor
0 Kudos

Then it's most likely an issue with your firewall blocking the port 32XX.

Also, SAPOSS RFC is generated from the info in transaction OSS1. Can you post the details there from one of your SAP systems that is failing to connect?

Also, if your SAPRouter is sitting in a DMZ, you need to make sure that the rules are amended to allow access.

Regards

Juan

Former Member
0 Kudos

Dear Juan,

Please note :

1. From our S00 system, SM59, RFC SAPOSS :

Test connection result :

Logon Connection Error

Error Details Error when opening an RFC connection

Error Details ERROR: partner '194.39.131.34:sapdp99' not reached

Error Details LOCATION: SAProuter 38.10 on 'toto0777p'

Error Details DETAIL: NiPConnect2

Error Details CALL: connect

Error Details COMPONENT: NI (network interface)

Error Details COUNTER: 9

Error Details ERROR NUMBER: 111

Error Details ERROR TEXT: Connection refused

Error Details MODULE: nixxi.cpp

Error Details LINE: 2823

Error Details RETURN CODE: -92

Error Details SUBRC: 0

Error Details RELEASE: 700

Error Details TIME: Tue Mar 15 16:01:49 2011

Error Details VERSION: 38

2. RFC detail

/H/xxx.xxxx.xxx/S/sapdp99/H/194.39.131.34/S/sapdp99/H/oss001

SAPNetWeaverAdmin

JPReyes
Active Contributor
0 Kudos

/H/xxx.xxxx.xxx/S/sapdp99/H/194.39.131.34/S/sapdp99/H/oss001

/H/xxx.xxxx.xxx/S/sapdp99/

Can you telnet to port 3299 on xxx.xxx.xxx.xxx?

Is sapdp99 maintained in your services file with port 3299?

A simple test will be to replace sapdp99 with 3299 in the saprouter script.

Regards

Juan

Former Member
0 Kudos

Which user ID and password are you using to connect to SAPOSS?

Former Member
0 Kudos

Dear Juan,

It was a firewall problem. We are using 2 firewalls. One port - 3299 - was not opened.

Thanks

Best regards

SAP NetWeaverAdmin

Answers (1)

JPReyes
Active Contributor
0 Kudos

Let me give you one last suggestion,

Security-wise, your saprouttab is completely open:

3. Here you have the saprouttab content:

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *

P * * *

You should create one entry per system rather than * *

# SNC-connection from SAP to local R/3-System for Support

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <System_IP> 32XX

# Access from your local Network to SAP R/3 Frontend (OSS)

P * 194.39.131.34 3299

# All other connections will be denied

D * * *

This info is available at service.sap.com/saprouter

Regards

Juan
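
The check suggested in the answer above, as an added example that is not part of the original thread or SAP's tooling: a small auditor that flags permit entries in a saprouttab with a wildcard destination host or port, and reports when the table does not close with `D * * *`. The function name, the sample tables and the placeholder target `10.0.0.10` / `3200` are assumptions made for this illustration.

```python
import shlex

# Constructed samples: the table quoted in the thread, and a tightened table in
# the shape the answer recommends (10.0.0.10 and 3200 are placeholder values).
OPEN_TABLE = '''
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
P * * *
'''
TIGHT_TABLE = '''
# SNC connection from SAP to one local system for support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.0.0.10 3200
P * 194.39.131.34 3299
D * * *
'''

PERMIT = {"P", "S", "KP", "KS"}  # entry types that allow a route


def audit_saprouttab(text):
    """Return (line_no, message) findings; line_no 0 means the whole table."""
    findings, last = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # keeps the quoted SNC name whole
        if len(fields) < 4:
            continue  # blank line, comment, or not a route entry
        kind, source, dest, port = fields[0].upper(), *fields[1:4]
        last = (kind, source, dest, port)
        if kind not in PERMIT:
            continue  # KT and deny entries do not open a route
        if dest == "*" and port == "*":
            who = "any client" if source == "*" else source
            findings.append((no, f"{kind}: {who} may reach any host on any port"))
        elif dest == "*":
            findings.append((no, f"{kind}: any destination host on port {port}"))
        elif port == "*":
            findings.append((no, f"{kind}: every port on {dest}"))
    if last != ("D", "*", "*", "*"):
        findings.append((0, "table does not end with an explicit D * * *"))
    return findings


if __name__ == "__main__":
    for name, table in (("open", OPEN_TABLE), ("tight", TIGHT_TABLE)):
        print(name, audit_saprouttab(table))
```

Run against the table from the question, it reports the `KP ... * *` and `P * * *` lines plus the missing closing deny; the tightened table produces no findings.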