Introduction
In the past I always worked with saprouter without completely understanding the mechanism of the saprouter rules. This resulted in a saproutertab with lots of useless entries and the inflationary use of *. In order to be able to use a short saproutertab it is necessary to understand the effect of a saprouter entry.
This BLOG is not a full documentation of the saprouter tool! For details please take a look at:
http://sap.help.com/
The saprouter controls connections. It permits or disables connections. This behavior depends on the rules defined in the saproutertab. A rule consists of 4 parts:
In Part 1: D stands for disable and P for permit. If you want to permit a connection from server1 to server2 with port 3255, then the rule is:
P server1 server2 3255
In my saproutertab I always disable all connections with:
D * * *
I put this rule at the end of the saproutertab, because it would kill all P rules if it were the first rule. Every P rule after D * * * is ignored. Then I allow each connection I want to use.
So far it is very simple. But what rules are needed to allow a connection passing through several saprouters? For this scenario I use an example with 3 saprouter hops for a connection. I describe how to maintain the saproutertab and how to test the connection with niping. In order to understand the mechanism of the following scenario it is crucial to know that saprouters communicate with other saprouters via the standard saprouter port (3299).
Scenario Port 1442
We want to communicate from Server A with Server B via port 1442. In the following picture you can see the path of communication and the names and hostnames of each saprouter.
Now let's consider how to maintain the saproutertab:
We know:
1. Saprouters communicate with other saprouters via the standard saprouter port (in this case 3299).
2. The saprouter disables/permits connections.
3. The port of the addressed server is used.
With these 3 points we can maintain the saproutertab of every saprouter:
Saprouter 1
P Host_A Host_2 3299
D * * *
Saprouter 2
P Host_1 Host_3 3299
D * * *
Saprouter 3
P Host_2 Host_B 1442
D * * *
For the rules, the port used on the destination host is what matters. For the rule in saprouter 1 the port is 3299 because saprouter 1 communicates with saprouter 2 via port 3299. With niping you can test your saproutertab entries. To simulate a server use:
niping -s -I 0 -S 1442 -R -P
And for the corresponding client use:
niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P
I like to use niping in raw mode, because in raw mode I can simulate communication with any port I want.
Testing with niping:
niping tests the connection via the saprouter and gives an error message when communication is not possible. Let's change the rule in saprouter 2 from
P Host_1 Host_3 3299
to
P Host_1 nonsense 3299
niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P
Now niping will throw the following error:
The error states the information you need to repair the wrong saproutertab configuration:
Error Host_2: route permission denied ( Host_1 to Host_3, 3299)
The error states the saproutertab entry needed to permit the connection.
P Host_1 Host_3 3299
Scenario Port 3200
Now we want to connect to an SAP system via the three saprouters. The following picture shows this:
The 32<SysNr.> port is the SAP dispatcher port, used by SAP GUI. SysNr. is the system number of the SAP system. In this case the system number is 00 and we use 3200.
In Saprouter 1 we have to add the following rule (this rule is going to overrule the entry
P Host_A Host_2 3299):
P * Host_2 3299
This rule is necessary because we want to log in from every frontend with SAP GUI. If you want to log in from only one frontend, Frontend_1, you have to replace the rule
P * Host_2 3299 by:
P Frontend_1 Host_2 3299
In Saprouter 2 we don't have to add a new rule because the communication between the saprouters has not changed. In the last saprouter we have to add the rule for the communication via port 3200:
P Host_2 Host_B 3200
The configuration of the saproutertabs is:
Saprouter 1
P * Host_2 3299
D * * *
Saprouter 2
P Host_1 Host_3 3299
D * * *
Saprouter 3
P Host_2 Host_SAP 3200
D * * *
In order to test the connection we make the following entry in the sap logon:
If there is an error in the configuration of the saproutertabs you will get an error like this:
In this case the error can only be located in the first or second saprouter (because of port 3299). If the entry in the last saprouter is wrong you get an error with port 3200. If there is no error you get the login screen.
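Both scenarios can be checked offline before touching a live router. The following is an added example, not SAP code and not part of the original blog: a simplified model of the rule evaluation described above, in which only P/D rules with exact names or a whole-field * are handled, the first matching rule wins, and a connection that matches no rule is treated as denied. The function names parse_tab, decide and check_route are hypothetical.

```python
# Simplified model of saproutertab evaluation (added example, not SAP code).
# Only P/D rules with exact names or "*" are modelled; first match wins.
ROUTER_PORT = "3299"  # standard saprouter port, as stated in the text

def parse_tab(text):
    """Turn saproutertab lines into (action, source, dest, port) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] in ("P", "D"):
            rules.append(tuple(fields))
    return rules

def decide(rules, src, dst, port):
    """Return the first matching rule; no match is treated as deny."""
    for rule in rules:
        _, r_src, r_dst, r_port = rule
        if all(pat in ("*", val) for pat, val in
               ((r_src, src), (r_dst, dst), (r_port, port))):
            return rule
    return ("D", "*", "*", "*")

def check_route(tabs, client, hops, target, port):
    """Walk client -> hops -> target; return (ok, message)."""
    path = [client] + hops + [target]
    for i, router in enumerate(hops, start=1):
        src, dst = path[i - 1], path[i + 1]
        # The port checked is the one used on the next host in the route.
        dst_port = ROUTER_PORT if dst in hops else port
        if decide(tabs[router], src, dst, dst_port)[0] != "P":
            return False, (f"{router}: route permission denied ({src} to "
                           f"{dst}, {dst_port}); needs: P {src} {dst} {dst_port}")
    return True, "route permitted"

# Constructed tables mirroring the Port 1442 scenario.
TABS = {
    "Host_1": parse_tab("P Host_A Host_2 3299\nD * * *"),
    "Host_2": parse_tab("P Host_1 Host_3 3299\nD * * *"),
    "Host_3": parse_tab("P Host_2 Host_B 1442\nD * * *"),
}
HOPS = ["Host_1", "Host_2", "Host_3"]

if __name__ == "__main__":
    print(check_route(TABS, "Host_A", HOPS, "Host_B", "1442"))
    broken = dict(TABS, Host_2=parse_tab("P Host_1 nonsense 3299\nD * * *"))
    print(check_route(broken, "Host_A", HOPS, "Host_B", "1442"))
    sap = dict(TABS, Host_1=parse_tab("P * Host_2 3299\nD * * *"),
               Host_3=parse_tab("P Host_2 Host_SAP 3200\nD * * *"))
    print(check_route(sap, "Frontend_1", HOPS, "Host_SAP", "3200"))
```

The second call reproduces the denial at Host_2 from the niping test, and the message names the P entry that would repair it.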
Hope you enjoy this blog.
Useful links
Portmapping
http://www.easymarketplace.de/saprouter.php
SAProuter String
https://help.sap.com/saphelp_nw04/helpdata/de/4f/992dd7446d11d189700000e8322d00/content.htm
niping as a port check (raw mode)
http://darrylgriffiths.blogspot.de/2014/01/network-port-test-using-sap-niping.html
OSS note on niping
500235 - Network Diagnosis with NIPING
Configure SNC saprouter
http://www.erpgenie.com/sapgenie/docs/SAP%20SNC%20CONFIGURATION.pdf