Netweaver TCP Port binding

Former Member
0 Kudos

Dear community,

We are moving our SAP landscape towards a virtualized SAP environment by using application virtualization and SAP LVM. To enable this we are installing our Netweaver ASs as 'distributed installations' on virtual hostnames and virtual IP addresses.

By this, a SAP System consists of one physical resource (host and OS) and two services (DB and central instance). The services are running on the virtual hostnames and IP-addresses.

The following example shows the described scenario:

In this example, the host tl-sap17 owns 3 IP addresses and hostnames at a time when both services are running on it. (OS is Windows 2008 R2 x64)

The following behaviour of the Netweaver AS is a problem in this concept in our opinion:

All outgoing TCP connections are bound to the IP of the physical host. This means that RFC connections to other systems are initiated by 10.244.40.119, which is wrong. The connections should be owned by 10.244.40.118, the central instance which is the application server.

We are facing different problems with our Network Administration associated with firewall rules etc.

Is there a way to configure the TCP binding behaviour of the WebAS just like in many other software products?

greetings

Eike

Accepted Solutions (0)

Answers (4)


stefan_hainer
Explorer
0 Kudos

For RFC connections you may follow SAP note 824722.

https://service.sap.com/sap/support/notes/824722

You can define the IP address for outgoing gateway connections using parameter gw/local_addr.

Normally the SAP system relies on the OS to select the correct route and IP address.

Please be very careful with such static settings. Use them only if actually needed and no OS setting can solve your problem!

Regards,

Stefan

Former Member
0 Kudos

hello,

glad to see some response on this topic!

Interesting point on using multiple NICs. We'll try adding another virtual adapter and see how it reacts. But nevertheless, it should be possible using just one NIC. We have to keep in mind that in an adaptive enabled (cloud) scenario, services are loosely coupled and services like DB and SCS could move around any LVM host at any time. We found out that always the first IP that is configured for the adapter in the TCP settings in Windows is taken. So if the order changes, the IP of the AS changes.

A classic example for software configuration of the listening behaviour is the Oracle TNS listener. There are config options in the listener.ora to specify which IP address the listener listens on.

http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm

Specifying gw/local_addr could help for all traffic that's handled by the gateway. But is this the case all of the time? What about direct communication?

Furthermore, we have also found out that all incoming traffic on the three IP addresses is accepted because the ms-port 3600 is also bound to 0.0.0.0.

C:\Users\XR1adm>netstat -an |find "3600"

  TCP    0.0.0.0:3600           0.0.0.0:0              LISTENING

This shouldn't be the case either. I agree with Stefan that no OS or network setting could be of any help here.

Regards,

Eike

Former Member
0 Kudos

Hi Eike,

Just to avoid any misunderstanding: I was not trying to suggest multiple NICs as a solution, but rather to discuss whether a fixed outgoing IP concept would still theoretically fit on a 3-Tier setup with separate client (e.g. SAPGui) and backend (e.g. for DB connections) networks. E.g. if you were to tell the entire AS to use one outgoing IP address and therefore one subnet, the other subnet would surely become unreachable. So what I’m getting at is that this concept could well exclude you from being able to use a multiple subnet concept for your landscape, which you may need in the future or maybe even already have?

Coming back to defining the outgoing IP address though: what you refer to on the Oracle listener is the incoming IP address on which the application listens. I have still not yet found anywhere where you can tell the Oracle DB to fix the outgoing IP address though, but I’m happy to be shown otherwise. As I mentioned, it would help to have examples of applications that support the fixing of outgoing IP addresses, especially the SAP supported DBs. If at all, then you need to check that your entire software stack is also able to fix the outgoing IP addresses.

The netstat listing of the message server is again incoming, not outgoing. I don’t see how the incoming/listening IP would create a problem for your firewall rules. Can you explain?

The SAP Note 824722 mentioned by Stefan sounds very interesting, have you tested that? That would seem to fit your original question about setting the outgoing IP address for RFC connects really well?

Regards

Lee
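The distinction drawn in the post above, between the address a service listens on and the source address of an outgoing connection, shown with plain sockets. This is an added example, not part of the thread and not SAP or Oracle code; it assumes 127.0.0.1 and 127.0.0.2 are both local loopback addresses and stand in for the physical and virtual IPs.

```python
import socket

def _listener(ip):
    """Open a TCP listener on ip; port 0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(2)
    srv.bind((ip, 0))
    srv.listen(1)
    return srv

def observed_source(server_ip, client_bind_ip=None):
    """Return the source IP the listener sees for one client connection."""
    with _listener(server_ip) as srv, \
            socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.settimeout(2)
        if client_bind_ip is not None:
            # Outgoing side: bind() before connect() pins the source address.
            # Without it the OS selects the source address from its routing table.
            cli.bind((client_bind_ip, 0))
        cli.connect((server_ip, srv.getsockname()[1]))
        conn, peer = srv.accept()
        conn.close()
        return peer[0]

def reachable(listen_ip, dial_ip):
    """Incoming side: can a listener bound to listen_ip be reached via dial_ip?"""
    with _listener(listen_ip) as srv, \
            socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.settimeout(2)
        try:
            cli.connect((dial_ip, srv.getsockname()[1]))
            return True
        except OSError:
            return False

if __name__ == "__main__":
    print("source chosen by OS :", observed_source("127.0.0.1"))
    print("source pinned       :", observed_source("127.0.0.1", "127.0.0.2"))
    print("wildcard listener   :", reachable("0.0.0.0", "127.0.0.2"))
    print("specific listener   :", reachable("127.0.0.1", "127.0.0.2"))
```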

Former Member
0 Kudos

Unless I'm mistaken, SAP does in fact bind sockets to the IP address of the hostname defined for the SAP instance. You could verify by using the "netstat" command while you are connected to your SAP instance. Furthermore I'm guessing the problem you are seeing is due to route settings, you do not have a shorter route (virtual host) than the default one (physical host). Talk to your Windows and network admins to get some help.
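One way to do the netstat check suggested above, as an added example that is not part of the thread: it parses `netstat -an` text and reports ports listening on all addresses and outgoing connections whose source IP is not the expected virtual IP. The sample lines are constructed; only 10.244.40.118, 10.244.40.119 and port 3600 come from the thread, and the function names are hypothetical.

```python
# Constructed sample in Windows `netstat -an` layout (not captured output).
SAMPLE = """\
  TCP    0.0.0.0:3600           0.0.0.0:0              LISTENING
  TCP    10.244.40.118:3300     0.0.0.0:0              LISTENING
  TCP    [::]:3600              [::]:0                 LISTENING
  TCP    10.244.40.119:3600     10.244.60.5:51000      ESTABLISHED
  TCP    10.244.40.119:49211    10.244.50.10:3301      ESTABLISHED
  TCP    10.244.40.118:49305    10.244.50.11:3301      ESTABLISHED
"""

WILDCARDS = {"0.0.0.0", "[::]", "*"}

def parse_netstat(text):
    """Turn TCP lines into dicts; header and UDP lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 4 or f[0].upper() != "TCP":
            continue
        lip, lport = f[1].rsplit(":", 1)   # rsplit keeps "[::]" intact
        rows.append({"lip": lip, "lport": int(lport),
                     "remote": f[2], "state": f[3]})
    return rows

def wildcard_listeners(rows):
    """Ports that accept connections on every local address."""
    return sorted({r["lport"] for r in rows
                   if r["state"] == "LISTENING" and r["lip"] in WILDCARDS})

def unexpected_sources(rows, expected_ip):
    """Outgoing connections whose local (source) IP is not expected_ip.

    A connection counts as outgoing when its local port is not a listening
    port; established connections on a listening port were accepted, not made.
    """
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    return [(r["lip"], r["remote"]) for r in rows
            if r["state"] == "ESTABLISHED"
            and r["lport"] not in listening
            and r["lip"] != expected_ip]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("wildcard listeners:", wildcard_listeners(rows))
    print("wrong source IP   :", unexpected_sources(rows, "10.244.40.118"))
```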

Former Member
0 Kudos

Hi Eike,

AFAIK, the WebAS always lets the network stack in the OS make routing decisions and also does not specify a specific source IP address, but it would be best for SAP Support to comment officially on that.

I see your example above was a simple 2-Tier setup with a single NIC, but 3-Tier setups with multiple NICs/networks are also common, e.g. with a “client” interface and a “backend” interface (e.g. AS to DB connectivity). In such an example setting a source IP would seem to be problematic, since surely destinations on the other network/NIC would then become unreachable due to incorrect routing?

While I was googling this subject I found the following interesting article about setting source IP addresses: http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-home...

You mentioned in your post that many other software products are able to bind source IP addresses; it would be helpful if you could explicitly mention which ones you are thinking of. I have found examples where indeed applications listen on specific IP addresses, but I don’t seem to find much on the ability to configure a source IP. I guess an important question would also be if you have been able to configure your database to explicitly set the source IP?

Kind Regards

Lee

csaba_goetz
Contributor
0 Kudos

Hello Eike,

Check if gw/alternative_hostnames helps with this case.

Best regards,

Adam