cancel
Showing results for 
Search instead for 
Did you mean: 

sapserv9:route permission denied ( my public ip to oss001 sapdp01 )

Former Member
0 Kudos

Hello Everyone:

When i try to logon to SAPNet, i got the error [ sapserv9:route permission denied ( my public ip to oss001 sapdp01 ) ].

I try to use the command to test connection on sap router.

saprouter -r -K "CN =saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE"

show the error

Error  SNC processing failed:SncSetMyNameU

Time  Fri Oct 03 10:19:15 2014

Release 720

Component  NI (network interface)

Version 40

RC -17

Module nisnc.c

Line 576

Detail NisncInit: sncrc=-35

Please help me, Thank all.

Accepted Solutions (1)

Accepted Solutions (1)

varman_geek
Participant
0 Kudos

Hi Lance,

  1. Check the firewall policy for your public IP (open ports from 3200-3299)
  2. Check for the following entry on your saprouttab file.

                              # SNC connection to and from SAP

                              KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *

                 

                              # Access from local network to SAP

                              P   <your_lserver_local_IP>  169.145.197.110   3299 

   3.  Do a test connection for RFC SAPOSS (sm59). If reports error logon credential should have an           user oss_rfc. edit and re-enter the pwd: cpic


   4. Also you have missed  a letter "p" on the start command.


saprouter -r -K "CN =saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE"

it should be  -->  saprouter -r -K "p:CN =saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE"

Try the above and share your results. (if possible share ur routtab file to help you better)

Cheers!!

Mahendra varman

Former Member
0 Kudos

Hi All:

My routertab,as below   [ saprouter server→public ip:114.30.44.35   private ip:192.168.254.35  ]

# SNC connection to and from SAP

KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *

# SNC connection to local system for R/3-Support

# R/3 Server: 192.168.1.1

# R/3 Instance: 00

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.254.35 3200

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 114.30.44.35 3200

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.254.35 3299

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 114.30.44.35 3299

# SNC connection to local WINDOWS system for WTS, if applicable

# Windows server: 192.168.1.2

# Default WTS port: 3389

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" * 3389

# SNC connection to local UNIX system for SAPtelnet, if applicable

# UNIX server: 192.168.1.3

# Default Telnet port: 23

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" * 23

# SNC connection to local Portal system for URL access, if applicable

# Portal server: saprouter.infortrend

# Port number: 50003

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" saprouter.infortrend 50003

# Access from local network to SAP

P * 169.145.197.110 3299

P * 169.145.197.110 3200

P 169.145.197.110 * 3299

P 169.145.197.110 * 3200

P * 192.168.254.35 3200

P * 192.168.254.35 3299

P 192.168.254.35 * 3200

P 192.168.254.35 * 3299

P * 114.30.44.35 3200

P * 114.30.44.35 3299

P 114.30.44.35 * 3200

P 114.30.44.35 * 3299

P 192.168.254.35 169.145.197.110 3299

P 192.168.254.35 169.145.197.110 3200

P 169.145.197.110 192.168.254.35 3200

P 169.145.197.110 192.168.254.35 3299

P 114.30.44.35 192.168.254.35 3200

P 114.30.44.35 192.168.254.35 3299

P 169.145.197.110 114.30.44.35 3200

P 169.145.197.110 114.30.44.35 3299

# deny all other connections

D * * *

Hi Mahendra:

When i add a letter "p" on the start command

saprouter -r -K "p:CN =saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE"


I got it, as below


trcfile dev_rout

no logging active


Warning: wildcard character used in route target



varman_geek
Participant
0 Kudos

Hi Lance,

You saprouttab seems good, except some unwanted permissions (not a problem though).


When i add a letter "p" on the start command

saprouter -r -K "p:CN =saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE"


I got it, as below


trcfile dev_rout

no logging active


Warning: wildcard character used in route target

The above message shows that your sap router is started normally. It seems you are closing the command prompt once you get this above output.

If you close the command prompt then the saprouter will shut down.



Have you registered your saprouter as service?? if not follow the instructions.


1. open command prompt as administrator. (rightlick cmd and choose run as administrator) and navigate to the install DIR of saprouter (folder where you can find saprouter.exe)


2. type the following command. (make sure the command is entered in single line. copying & pasting the from this post would have a line breaks. Hence copy the below commands to notepad and delete the line breaks before pasting it to command prompt)

    

       sc.exe create SAPRouter binPath= "<path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K ^p:CN=saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE^"


3. You would get an output saying service "SAPRouter" created sucessfully.


4. Open "regedit.exe" and edit the string "ImagePath" under following location.     

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ saprouter

    

5.   Replace ^ with " and click OK. The updated value should look like below

         <path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K "p:CN =saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE"


6.  Now open "services" right click "SAPRouter" and choose properties. click on "Log On" tab and choose "This account".

     Type the user ID which you have given rights for the local.pse while configuring saprouter (most likely your current <sid>adm), type password and then click apply.


          If you are unsure about the user, then open cmd navigate to path where you can find sapgenpse.exe (most likely <inst_path>\<architecture> folder

          ex: D:\usr\sap\saprouter\ntamd_64)  and type  sapgenpse get_my_name -v -n Issuer

          if you get an output CN=saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE then your current user has the right to start saprouter. if not log on

          to other possible users and try the above.


7. Now right click on the service and start the service. You can go to transaction sm59 and test the connection for SAPOSS.


It is recommended to set the start up type of SAProuter service  as "Automatic".


Cheers!!

Mahendra varman

Former Member
0 Kudos

Hi Mahendra:

I registered the saprouter as service. Then i try oss1 to "logon to SAPNet".

I got a new error,as below

SNC processing failed:

SncSessionInitiatorAK

Location     SAProuter 40.4 on `saprouter`

Time           Mon Oct 06 17:14:36 2014

Comonent  NI(network interface)

Release      720

Version       40

Module        nisnc.c

Line             1182

Method        NisncIInitHdlSecurity: sncrc=-4:0291FFD8

Return Code  -104

Counter          20

Thank you for your help

varman_geek
Participant
0 Kudos

Hi Lance,

It seems that the user ID which you specified while registering service, is not authorized to start saprouter .


SNC processing failed:

SncSessionInitiatorAK

SncSessionInitiator in the above message points to the user which you have used while configuring saprouter.


i.e When you used the following command sapgenpse seclogin -p <path>\<psefile> -O <SNC_admin>

You would have used <SID>adm or some other user in place of <SNC_admin>

1. Have you given the same user on the step 6 on my previous post?

2. Have you executed the following command sapgenpse get_my_name -v -n Issuer and got output as

CN=saprouter, ou=0000612483,ou=SAProuter,O=SAP,C=DE ?

Regards

Mahendra varman

Sriram2009
Active Contributor
0 Kudos

Hi Lance

Have you do the technical settings in transaction code oss1? kindly follow the settings as described in the SAP Note - 33135 - Guide for OSS1


BR

SS

Former Member
0 Kudos

Hi All:

I modify my "logon account" of "saprouter service". I use the tcode oss1 to test.

Now I can see "select  a group", then i choose one option.

Finally, I still get the error,as below

sapserv9: route permission denied (114.30.44.35 to 10.16.0.38, sapdp01)

Location  SAProuter 39.3 (SP4) on `sapserv9`

Time  Tue Oct 7 13:20:21 2014

Component  NI (network interface)

Release  710

Version  39

Return Code  -93

Counter  72

alwina_enns
Employee
Employee
0 Kudos

Hello Lance,

since you get the error on

Location  SAProuter 39.3 (SP4) on `sapserv9`

you should contact SAP. I assume, sapserv9 is not your SAProuter but SAProuter at SAP? This SAProuter does not allow the connection.

Regards,
Alwina

varman_geek
Participant
0 Kudos

Hi Lance,

Now your router seems to be working fine.

Can you tell me what you want to do on OSS1?

Because access to SAPnet via sapgui is not permitted. Refer to note 33135.

If just want to check your router connection status, then do a connection test for rfc SAPOSS.

Regards

Mahendra varman

Former Member
0 Kudos

Hi Mahendra:

I just want to confirm my connection is ok.

I try to use sm59→ABAP Connections→SAPOSS→Connection test.

Now the test is ok,

Very thank you for your help.

varman_geek
Participant
0 Kudos

Hi Lance,

I am glad to know that it works now.

Cheers!!

Mahendra varman

Answers (2)

Answers (2)

0 Kudos

Hello Lance

add the following entry in the saprouttab of your SAProuter:

P    sapserv2    (your ip to oss)   (free port no)

Restart the router and check if it is working .


Thanks

Sami Abdul

alwina_enns
Employee
Employee
0 Kudos

Hello Lance,

what is the full error text, which you get? What is seen for "location" in the error message? If "location" is sapserv9, then probably you need to contact SAP.

Regards,
Alwina