
RFC_COMMUNICATION_FAILURE for SNC Connection

jongilman
Explorer
0 Kudos
4,174

We have an external application making RFC calls into our SAP system without a problem. However, we have now decided to use SSO with Active Directory for user authentication. The user logs in to an ADFS service and the SAML response containing the user's X509 certificate is then sent through our application to SAP. For some reason port 4800 is not running on our SAP server. The error we are getting is below:

RFCCommunicationError: RFC COMMUNICATION ERROR: RFC connection open failed/ 1 / RFC_COMMUNICATION_FAILURE /
LOCATION    CPIC (TCP/IP) on local host with Unicode
ERROR       partner '192.168.204.102:4800' not reached
TIME        Mon Mar 26 10:24:33 2018
RELEASE     720
COMPONENT   NI (network interface)
VERSION     40
RC          -10
MODULE      nibuf.cpp
LINE        4658
DETAIL      NiBufIConnect: connection pending after 60000ms
SYSTEM CALL connect
ERRNO       115
ERRNO TEXT  Operation now in progress
COUNTER     2

Here are the connection parameters we are using:

{
  "lang": "EN",
  "client": "010",
  "ashost": "192.168.204.102",
  "gwhost": "sapeccdb101",
  "gwserv": "sapgw00",
  "sysid": "DEV",
  "snc_lib": "/home/ubuntu/sec/libsapcrypto.so",
  "snc_mode": "1",
  "extidtype": "UN",
  "extiddate": "< user name >",
  "x509cert": "< base64 encoded user certificate >",
  "snc_myname": "< our app's canonical name >",
  "snc_partnername": "< sap server's canonical name >"
}

I have confirmed that the process sapgw00s is not running. I've also confirmed that our users are using SAP's Secure Login Client for SNC connections into SAP, but that the SNC traffic for the GUI is flowing over port 3200. I was under the impression that SNC GUI traffic flowed over port 4700. How do you control the ports over which SNC traffic flows?

Accepted Solutions (1)

BJarkowski
Active Contributor
0 Kudos

Maybe it’s a firewall issue?

Try to telnet to port 4800 from your network and from the external app location.

jongilman
Explorer
0 Kudos

We tried a telnet, saw the traffic flowing over the network nicely, and then getting blocked by SAP. My guess is the service sapgw00s is not running. I have the Basis team changing the snc/r3int_rfc_secure from 0 to 1 and they will reboot the SAP server tonight. Do you know if that parameter drives the start of the sapgw00s service?

jongilman
Explorer

Actually it was the firewall. The SAP instance is running on Amazon, and although our network was allowing traffic over port 4800, the security group in AWS was not allowing port 4800.
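
An added example (not part of the thread and not SAP code) showing how the ERRNO line of the error block in the question separates a silently dropped connection from a missing listener, with a TCP probe that makes the same distinction. The port table uses the conventional SAP service numbering (32NN/33NN, and 47NN/48NN for the SNC-only variants); the function names are hypothetical.

```python
import re
import socket

# Linux errno values as they appear in an SAP NI error block.
# 115 (EINPROGRESS) with "connection pending after ...ms" means the SYN was
# never answered; 111 (ECONNREFUSED) means the host replied with a reset.
NI_ERRNO = {110: "filtered", 115: "filtered", 111: "refused"}

def sap_ports(nn: str) -> dict:
    """Conventional service ports for a two-digit instance number."""
    n = int(nn)
    return {f"sapdp{nn}": 3200 + n, f"sapgw{nn}": 3300 + n,
            f"sapdp{nn}s": 4700 + n, f"sapgw{nn}s": 4800 + n}

def diagnose(trace: str) -> str:
    """Classify an NI error block by its ERRNO line (hypothetical helper)."""
    m = re.search(r"^ERRNO\s+(\d+)\s*$", trace, re.MULTILINE)
    return NI_ERRNO.get(int(m.group(1)), "other") if m else "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect test: 'open', 'refused' (no listener) or 'filtered' (dropped)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"          # nothing came back before the timeout
    except ConnectionRefusedError:
        return "refused"           # host reachable, port has no listener
    except OSError as exc:
        return f"error: {exc}"     # e.g. no route to host, DNS failure
    finally:
        s.close()

# Excerpt of the error block quoted in the question.
TRACE = """ERROR partner '192.168.204.102:4800' not reached
DETAIL NiBufIConnect: connection pending after 60000ms
ERRNO 115
ERRNO TEXT Operation now in progress"""

if __name__ == "__main__":
    print("trace says:", diagnose(TRACE))
    for name, port in sap_ports("00").items():
        print(name, port, probe("192.168.204.102", port))
```

A "filtered" result points at a firewall or cloud security group between client and server, while "refused" points at the service not listening on that port.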

Answers (3)

oppancs
Contributor
0 Kudos

Please try the following:

1. Check the profile parameter snc/enable on your application servers. On the CI probably it is turned off, as a result there is no service sapgw00s on the application server and when the other application server is trying to reach this the connection fails. For more see the following document: http://help.sap.com/saphelp_nwpi71/helpdata/en/ed/fb958dd978458e99168d43f408665e/frameset.htm

2. Verify if the AS Java is able to reach the hostname using OS commands (i.e. ping, traceroute, nslookup) from the affected system. If not, please ask for internal IT team assistance to verify the resolution for the hostname issue at OS level.

3. If everything seems ok, try to connect to hostabc2 and sapgw02 from where the error occurs (hostabc1):
niping -c -H hostabc2 -S 3302
Check also if the host and port are resolved to the correct value
(also on the host where the error occurs - in this example hostabc1)
> niping -v -H hostabc2
> niping -v -S sapgw02
If these tests are not successful then the config of the ports/services that are used must be checked

Isaías
Product and Topic Expert
0 Kudos

Hello Jon,

Is the parameter "snc/enable" set to one at the SAP server?

Was SNC configured at the SAP server? 🙂

The service "sapgw00s" will be opened by the Gateway process (transaction SMGW; "dev_rd" trace file) but only if SNC was configured and activated.

Regards,

Isaías

jongilman
Explorer
0 Kudos

Yes, our users are already using SNC via SAP's Secure Login Client.

Isaías
Product and Topic Expert
0 Kudos

Can you please provide the "dev_rd" trace file of the instance (system DEV, instance 00, server "sapeccdb101")? If you compress it ("zip") you should be able to attach it to this thread.

jongilman
Explorer
0 Kudos

lutz.rottmann2 I see that you answered a similar question 2 years ago, any ideas?