cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Saprouter is not starting

Go to solution
former_member183788
Active Participant

on ‎04-24-2015 4:49 PM

0 Kudos

Dear Experts,

Our sap router is not starting with the command saprouter -r, gives the error as below, the certificate is also renewed.please advice.

"trcfile  dev_rout

no logging active

routtab  cannot open './saprouttab': EXIT PROGRAM !!!

         (running without saproutab is no longer supported for security reasons)

Could not open permission table"

dev_rout:

---------------------------------------------------

trc file: "dev_rout", trc level: 1, release: "742"

---------------------------------------------------

Fri Apr 24 18:19:09 2015

SAP Network Interface Router, Version 40.4

command line arg 0: f:\usr\sap\saprouter\saprouter.exe

command line arg 1: -r

command line arg 2: -R

command line arg 3: f:\usr\sap\saprouter\saprouttab

command line arg 4: -W

command line arg 5: 60000

command line arg 6: -K

command line arg 7: p:CN=AWQ-SOLMAN1, OU=0000880983, OU=SAProuter, O=SAP, C=DE

SncInit(): Initializing Secure Network Communication (SNC)

      PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)

      GetUserName()="soladm"  NetWkstaUser="soladm"

SncInit(): Trying environment variable SNC_LIB as a

      gssapi library name: "f:\usr\sap\saprouter\sapcrypto.dll".

  File "f:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

  SECUDIR="F:\usr\sap\saprouter" (from $SECUDIR)

  The internal Adapter for the loaded GSS-API mechanism identifies as:

  Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x

  Product Version = SAPCRYPTOLIB  5.5.5C pl38  (Oct  7 2014) MT,[aesni],NB

main: pid = 4732, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)

reading routtab: 'f:\usr\sap\saprouter\saprouttab'

Fri Apr 24 18:19:50 2015

*** ERROR => NiBufIProcMsg: hdl 17 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    1984]

Fri Apr 24 18:20:15 2015

*** ERROR => NiBufIProcMsg: hdl 18 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    1984]

Fri Apr 24 18:20:37 2015

*** ERROR => NiBufIProcMsg: hdl 19 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    1984]

Fri Apr 24 18:21:19 2015

*** ERROR => NiBufIProcMsg: hdl 20 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    1984]

*** ERROR => NiBufIProcMsg: hdl 21 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    1984]

*** ERROR => NiBufIProcMsg: hdl 22 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    1984]

Fri Apr 24 18:35:06 2015

shutdown message received, good bye ...

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member182657
Active Contributor
‎04-25-2015 11:28 AM
0 Kudos

Hi,



NIEROUT_SNC_FAILURE -104

Code suggests #define NIEROUT_SNC_FAILURE -104 /* Error in the SNC shift */ as per SAP Note  63342 - List: NI error codes

For the same would suggest you try to re-check NAT configurations of private IP with public IP at your gateway security layer.Additionally you could follow SCN doc at

& upgrade accordingly to check again.

If still issue persists open an OSS ticket in parallel with the thread.

Good luck !!

Show replies
Show replies
former_member183788
Active Participant
‎04-28-2015 8:32 AM
0 Kudos

Dear Gaurav,

I reinstalled the sap router with the reply send by SAP directly as below, now i can start sap router via windows services, while starting through command prompt its gives wild character error, but sap replied its ok......all the connections are working, The problem am facing issue is while connecting a server to sap am getting "Host not responds" error.I checked the ports in server 3299 and its opened internally and externally.

Below the details for installing a saprouter:

Creating the certificate request 

  1. As user <snc_adm> set the environment variables SNC_LIB and SECUDIR:
    UNIX
          		SECUDIR = <directory_of_SAProuter>
    SNC_LIB = <path_to_libsecude>/<name_of_sapcrypto_library>
     
    Windows NT, 2000, XP or higher
          		SECUDIR = <directory_of_SAProuter>
    SNC_LIB = <drive>:\<path_to_libsecude>\sapcrypto.dll

    Note IAfter configuring the variables in Windows, verify them with the command 'set'. In case the variables are not displayed as entered, please reboot the server.
    Note II
          		If the O.S. of SAProuter is OS400, please implement SAP note 1818735

  2. Change to Certification. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name".

  3. Generate the certificate Request with the command:

    sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "<Distinguished Name>"

    Example:
    sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

    Alternatively use the two commands:
    sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -noreq -p local.pse "<Distinguished Name>"
    sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

    You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.

  4. Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.

  5. In response you will receive the certificate signed by the CA in the Service Marketplace. Copy & paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.

  6. With this in turn you can install the certificate in your SAProuter by calling:
    sapgenpse import_own_cert -c srcert -p local.pse

  7. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user_for_SAProuter>, the credentials are created for the logged in user account):

    sapgenpse seclogin -p local.pse -O <user_for _SAProuter>

    Note: The account of the service user should always be entered in full <domainname>\<username>
  8. This will create a file called "cred_v2" in the same directory as "local.pse"

    For increased security please check that the file can only be accessed by the user running the SAProuter.

    Do not allow any other access (not even from the same group)!
    On UNIX this will mean permissions being set to 600 or even 400!
    On Windows check that the permissions are granted only to the user the service is running as!

  9. Check if the certificate has been imported successfully with the following command:
    sapgenpse get_my_name -v -n Issuer

    The name of the Issuer should be:
    CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

    After 04/15/2015 tha name of the Issuer should be:
    CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

  10. If this is not the case, delete the files "cred_v2", "local.pse", "srcert" and "certreq" and start over at item 3. If the output still does not match please open an incident at component XX-SER-NET stating the actions you have taken so far and the output of the commands 3.,6.,7. and 9.
  11. From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

sapgenpse maintain_pk -a smprootca.der -p local.pse

This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established

former_member182657
Active Contributor
‎04-28-2015 3:41 PM
0 Kudos

Hi Prathish,

Great news your issue has been resolved.For the issue Host did not respond 1 times you could follow SAP doc at Using Remote Service Connections on SAP Support Portal User Documentation | SAP Support Portal

Hope this will help you & kindly close the thread if satisfied with the responses.

Good luck !!

Answers (5)

Answers (5)

former_member182657
Active Contributor
‎04-25-2015 4:25 AM
0 Kudos

Hi,

Hope your issue will get resolved,if not please re-share dev_rout log file.

Thanks,

Show replies
Show replies
former_member183788
Active Participant
‎04-25-2015 8:50 AM
0 Kudos

Dear Gaurav

The issue is not solved:

dev_rout:

---------------------------------------------------

trc file: "dev_rout", trc level: 1, release: "742"

---------------------------------------------------

Fri Apr 24 22:54:18 2015

SAP Network Interface Router, Version 40.4

command line arg 0: f:\usr\sap\saprouter\saprouter.exe

command line arg 1: -r

command line arg 2: -R

command line arg 3: f:\usr\sap\saprouter\saprouttab

command line arg 4: -W

command line arg 5: 60000

command line arg 6: -K

command line arg 7: p:CN=AWQ-SOLMAN1, OU=0000880983, OU=SAProuter,

O=SAP, C=DE

SncInit(): Initializing Secure Network Communication (SNC)

PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)

GetUserName()="soladm" NetWkstaUser="soladm"

SncInit(): Trying environment variable SNC_LIB as a

gssapi library name: "f:\usr\sap\saprouter\sapcrypto.dll".

File "f:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as

GSS-API

v2 library.

SECUDIR="F:\usr\sap\saprouter" (from $SECUDIR)

The internal Adapter for the loaded GSS-API mechanism identifies as:

Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x

Product Version = SAPCRYPTOLIB 5.5.5C pl38 (Oct 7 2014) MT,

[aesni],NB

main: pid = 2988, ppid = 0, port = 3299, parent port = 0 (0 = parent is

not a saprouter)

reading routtab: 'f:\usr\sap\saprouter\saprouttab'

Fri Apr 24 23:04:47 2015

*** ERROR => NiBufIProcMsg: hdl 17 received rc=-104

(NIEROUT_SNC_FAILURE)

from peer [nibuf.cpp 1984]

Fri Apr 24 23:04:48 2015

*** ERROR => NiBufIProcMsg: hdl 18 received rc=-104

(NIEROUT_SNC_FAILURE)

from peer [nibuf.cpp 1984]

*** ERROR => NiBufIProcMsg: hdl 19 received rc=-104

(NIEROUT_SNC_FAILURE)

from peer [nibuf.cpp 1984]

Fri Apr 24 23:21:14 2015

*** ERROR => NiBufIProcMsg: hdl 20 received rc=-104

(NIEROUT_SNC_FAILURE)

from peer [nibuf.cpp 1984]

*** ERROR => NiBufIProcMsg: hdl 21 received rc=-104

(NIEROUT_SNC_FAILURE)

from peer [nibuf.cpp 1984]

*** ERROR => NiBufIProcMsg: hdl 22 received rc=-104

(NIEROUT_SNC_FAILURE)

from peer [nibuf.cpp 1984]

Sriram2009
Active Contributor
‎04-25-2015 10:24 AM
0 Kudos

Hi Philip

1. Is this any antivirus software installed on SAPRouter system? answer is yes, You can disable that and then try again.

2. Is this any firewall blocking the port? could you use the Niping utility to find the issue?

You can refer the SAP Note for Niping  - 500235 - Network Diagnosis with NIPING

BR

SS

Former Member
‎04-25-2015 11:04 AM
0 Kudos

Hi Prathish,

SAP recently sent a mail regarding saprouter certificate renewal after July 2015. It also tells about the procedure after the 15th of April 2015. It says to refer to note 2131531 for more info. Please check whether it's relevant in your case and take the necessary actions.

regards,

Suraj

former_member185954
Active Contributor
‎04-27-2015 10:21 AM
0 Kudos

Hello Prathish,

Have a look at the resolved thread:

Regards,

Siddhesh

former_member182657
Active Contributor
‎04-24-2015 5:07 PM
0 Kudos

In addition please follow SAP Note   68481 - Additional Info: Upgrade from Release 3.0C DB2/400

& the recommendation



SAPROUTER needs a file called saprouttab.


          Create this file as described in the 


          online documentation in path:


                  R/3 Services and Support -> Saprouter ->


                  Passwords and access authorization


          Please note that 'D * * * ' is used as default.

Hope this will resolve your issue.

Good luck !!

Show replies
Show replies
former_member183788
Active Participant
‎04-24-2015 5:17 PM
0 Kudos

Dear Gaurav,

The file is there as below:

# SNC connection to and from SAP

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support

# R/3 Server: 192.168.1.1

# R/3 Instance: 00

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.31.65.21 3200

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.31.65.31 3200

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.31.65.41 3200

# SNC connection to local WINDOWS system for WTS, if applicable

# Windows server: 192.168.1.2

# Default WTS port: 3389

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.31.65.21 3389

# SNC connection to local UNIX system for SAPtelnet, if applicable

# UNIX server: 192.168.1.3

# Default Telnet port: 23

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.31.65.21 23

# SNC connection to local Portal system for URL access, if applicable

# Portal server: 192.168.1.4

# Port number: 50003

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.31.65.21 50003

# Access from the local Network to SAP

P* * * *

# deny all other connections

D * * *

former_member185239
Active Contributor
‎04-24-2015 8:13 PM
0 Kudos

Hi Prathish,

There is no point in keeping P * * * when you maintained the D * * *

Moreover there is extra * in P

With Regards

Ashutosh Chaturvedi

former_member185239
Active Contributor
‎04-24-2015 8:42 PM
0 Kudos

Hi Prathish,

There is no point in keeping P * * * when you maintained the D * * *

Moreover there is extra * in P

With Regards

Ashutosh Chaturvedi

former_member182657
Active Contributor
‎04-24-2015 5:05 PM
0 Kudos

Hi,

running without saproutab is no longer supported for security reasons

Have you checked the above ? Please be sure saprouttab file exists under /usr/sap/saprouter directory.If not place it under the mentioned directory & then try to restart the router.

Regards,

Show replies
Show replies
former_member185239
Active Contributor
‎04-24-2015 5:05 PM
0 Kudos

Hi Prathish,

Try to start the saprouter with the distinguish name

saprouter -r -R f:\usr\sap\saprouter\saprouttab -W 60000 -K  "p:CN=AWQ-SOLMAN1, OU=0000880983, OU=SAProuter, O=SAP, C=DE"

Goto the folder f:\usr\sap\saprouter\saprouttab and try to open the folder saprouttab file.

Also do check the below link for the SNC

SAProuter via SNC - Basis Corner - SCN Wiki

With Regards

Ashutosh Chaturvedi

Show replies
Show replies
former_member183788
Active Participant
‎04-24-2015 5:15 PM
0 Kudos

Dear Ashutosh,

Its throws error as:

former_member185239
Active Contributor
‎04-24-2015 8:09 PM
0 Kudos

Hi Philip,

Above is not a error.

After executing the command

saprouter -r -R f:\usr\sap\saprouter\saprouttab -W 60000 -K  "p:CN=AWQ-SOLMAN1, OU=0000880983, OU=SAProuter, O=SAP, C=DE"


Check the SAPOSS rfc and also paste the dev_rout log file.


With Regards

Ashutosh Chaturvedi

Sriram2009
Active Contributor
‎04-24-2015 5:01 PM
0 Kudos

Hi Philip

On your system file name saprouttab (File location f:\usr\sap\saprouter\saprouttab) add the enter " P * * * * " and the try to start the SAPRouter. and also check the permission

BR

SS

Show replies
Show replies
former_member183788
Active Participant
‎04-24-2015 5:06 PM
0 Kudos

Dear Sriram,

Tried,but gives the same error and having full permission also.

Sriram2009
Active Contributor
‎04-24-2015 5:14 PM
0 Kudos

Hi Philip

Thanks for you info, Could you check this SAP KBA 1814643

BR

SS

former_member183788
Active Participant
‎04-24-2015 5:20 PM
0 Kudos

Dar Sriram,

My password is only 6 characters,still same issue.

Ask a Question