Friday, June 12, 2009

Successful Connection Setup and Data Transfer

When the connection is set up and data transferred without any errors, you can see the following entries in the log file:

Operation Without SNC

Thu Jun 14 16:08:04 2007 CONNECT FROM C9/ host 10.66.66.90/19114 (host1.company.corp)

Thu Jun 14 16:08:04 2007 CONNECT TO S9/17 host 10.21.83.41/3299 (host2)

Thu Jun 14 16:08:06 2007 ESTABLISHED S9/17

Thu Jun 14 16:21:06 2007 DISCONNECT C9/17 host 10.66.66.90/19114 (host1.company.corp)

Thu Jun 14 14:28:40 2007 CONNECT FROM C19/ host 10.66.66.90/12127 (host1.company.corp)

Thu Jun 14 14:28:40 2007 CONNECT TO S19/11 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

Thu Jun 14 14:28:41 2007 ESTABLISHED S19/11 , *** NATIVE ROUTING ***

Thu Jun 14 14:58:43 2007 DISCONNECT S19/11 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

Operation with SNC

When using SNC for data communication between two SAProuters there are two different mechanisms for setting up the connection.

SNC Forwards Setup

With this mechanism, client-side SAProuter initiates the SNC connection/encryption. The SAProuter on the client-side has an entry of the type KT in the router permission table for the server-side SAProuter and therefore establishes the SNC connection. The SNC name is written to the 'CONNECT TO' log when the connection to the server-side SAProuter is established. The 'ESTABLISHED' log displays the recipient side of the SNC communication once the connection has been set up successfully.

Client Side

Thu Jun 14 17:13:22 2007 CONNECT FROM C9/ host 10.66.66.90/30888 (host1.company.corp)

Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE)

Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (-/SNC)

Thu Jun 14 17:19:12 2007 DISCONNECT C9/17 host 10.66.66.90/30888 (host1.company.corp)

Server Side

Thu Jun 14 17:13:22 2007 CONNECT FROM C9/- host 10.18.211.3/1150 (host2)

Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.66.66.91/3253 (binmain)

Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (SNC/-)

Thu Jun 14 17:19:12 2007 DISCONNECT C9/17 host 10.18.211.3/1150 (host2)

SNC Backwards Setup

The server-side SAProuter can also initiate SNC. This is what happens if the incoming connection from the client-side SAProuter does not use SNC (see above) but the server-side SAProuter requires it due to the relevant entries in the route permission table. In this scenario, the SNC handshake is triggered by the server-side SAProuter later on. This means that there is no SNC name in the 'CONNECT TO' entry in the log on the client side.

Client Side

Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1065 (host2)

Thu Jun 14 16:55:21 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3)

Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (-/SNC)

Thu Jun 14 16:56:42 2007 DISCONNECT S9/17 host 10.18.211.3/3299 (10.18.211.3)

Server Side

Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1066 (host2)

Thu Jun 14 16:55:21 2007 CONNECT TO S9/17 host 10.66.66.91/sapdp53 (host4.company.corp)

Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (SNC/-)

Thu Jun 14 16:56:42 2007 DISCONNECT S9/17 host 10.66.66.91/3253 (host4.company.corp)

Connection Setup Errors

The following errors can occur during the connection setup:

  • Connect fails because the server is not running

  • TCP/IP connect takes too long (longer than the timeout -W value)

  • Route setup takes too long (longer than the timeout -W value)

  • No route permission for the connection

  • Error on the subsequent host

These errors are described below with possible solutions.

Connect fails (server not running)

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:18:22 2007 CONNECT FROM C9/- host 10.66.66.90/35169 (host2.company.corp)

Thu Jun 14 13:18:22 2007 CONNECT TO S9/17 host 10.66.66.91/3299 (host1)

Thu Jun 14 13:18:22 2007 CONNECT ERR S9/17 connection refused

Thu Jun 14 13:18:22 2007 DISCONNECT S9/17 host 10.66.66.91/3299 (host1)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'ld8060'
    * ERROR partner '10.66.66.91:3299' not reached
    *
    * TIME Thu Jun 14 13:18:22 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -92
    * MODULE nixxi.cpp
    * LINE 3068
    * DETAIL NiPConnect2: 10.66.66.91:3299
    * SYSTEM CALL connect
    * ERRNO 111
    * ERRNO TEXT Connection refused
    * COUNTER 4
    ***********************************************************************
End of the code.
Background and Further Analysis

On the server side, there is no program running that listens to the IP address 10.66.66.91 and port 3299 (LISTEN). Check that the host name/IP address and server name/port number are correct. If they are correct, the right server is being reached but it appears that the program to which the connection should be established is not running. Check that the SAProuter and the system or corresponding program on the server is running and is using the correct port (OS command netstat -an).

TCP/IP connect takes too long (longer than the timeout -W value)

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:22:01 2007 CONNECT FROM C10/- host 10.66.66.90/41060 (host2.company.corp)

Thu Jun 14 13:22:01 2007 CONNECT TO S10/18 host 1.1.1.1/3299 (1.1.1.1)

Thu Jun 14 13:22:06 2007 CONNECT ERR S10/18 could not establish connection within 5s

Thu Jun 14 13:22:06 2007 DISCONNECT S10/18 host 1.1.1.1/3299 (1.1.1.1)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'ld8060'
    * ERROR connection to 1.1.1.1:3299 timed out
    *
    * TIME Thu Jun 14 13:22:06 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -5
    * MODULE nirout.cpp
    * LINE 6548
    * DETAIL RTPENDLIST::timeoutPend: could not establish connection within
    * 5s (ROUTED)
    * COUNTER 6
    ***********************************************************************
End of the code.
Background and Further Analysis

In this example, the TCP/IP connection from the SAProuter to the next node (the next SAProuter, a system, or another network component) could not be established within a specified timeout period. This error can occur if the server host is down or the IP address of the host cannot be reached. It can also be due to the network failing to establish the TCP/IP connection within 5 seconds (the timeout value defined in option -W). You might be able to solve this problem by using a greater value for option -W.

For more information, see: Expert Options in SAProuter Options.

Route setup takes too long

The SAProuter is able to connect to the next host using TCP/IP, but the next host takes too long to establish the route to the destination. It receives no NI_PONG (confirmation that the route has been established) within the -W timeout period.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:34:19 2007 CONNECT FROM C15/- host 10.66.66.90/41070 (host2.company.corp)

Thu Jun 14 13:34:19 2007 CONNECT TO S15/23 host 10.21.72.60/3299 (host3)

Thu Jun 14 13:34:24 2007 CONNECT ERR S15/23 no route completion within 5s; check SAProuter on 'host3'

Thu Jun 14 13:34:24 2007 DISCONNECT S15/23 host 10.21.72.60/3299 (host3)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'ld8060'
    * ERROR connection to host3:3299 timed out
    *
    * TIME Thu Jun 14 13:34:24 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -5
    * MODULE nirout.cpp
    * LINE 6537
    * DETAIL RTPENDLIST::timeoutPend: no route completion within 5s
    * (ROUTED)
    * COUNTER 17
    ***********************************************************************
End of the code.
Background and Further Analysis

Find out why the subsequent SAProuter was unable to establish the connection within 5 seconds (in this example). It might be due to slow name resolution, for example. The log and trace files should provide further information on this. In the case of connections using multiple SAProuters in a WAN environment, increase option -W. If multiple SAProuters are involved in setting up a connection and the network response times are relatively high, the default value of 5 seconds is not sufficient to enable the connection to the target system to be established.

For more information, see: Expert Options in SAProuter Options.

No route permission for the connection

The SAProuter rejects the connection because the route permission table does not allow it.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 14:18:20 2007 CONNECT FROM C10/- host 10.66.66.90/63669 (host2.company.corp)

Thu Jun 14 14:18:20 2007 PERM DENIED C10/- host 10.66.66.90 (host2.company.corp) to host1/3254

Thu Jun 14 14:18:20 2007 DISCONNECT C10/- host 10.66.66.90/63669 (host2.company.corp)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ************************************************************************ 
    * LOCATION SAProuter 39.1 (SP3) on 'ld8060'
    * ERROR ld8060: route permission denied (host2.company.corp to
    * host1, 3254)
    *
    * TIME Thu Jun 14 14:18:20 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -94
    * COUNTER 5
    ***********************************************************************
End of the code.
Background and Further Analysis

Checking the Route Permission Table

Error on the subsequent host

This error does not occur on the local SAProuter. Instead, it occurs on a subsequent host. Messages of the following type appear in the log of the local SAProuter:

SAProuter Log File

Thu Jun 14 14:42:53 2007 CONNECT FROM C10/- host 10.66.66.90/30005 (host2.company.corp)

Thu Jun 14 14:42:53 2007 CONNECT TO S10/18 host 10.21.72.60/3299 (host3)

Thu Jun 14 14:42:54 2007 CONNECT ERR S10/18 NIEROUT_INTERN on 'SAProuter 37.15 on hs0126'

Thu Jun 14 14:42:54 2007 DISCONNECT S10/18 host 10.21.72.60/3299 (host3)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ************************************************************************  LOCATION    SAProuter 37.15 on hs0126
    * ERROR partner not reached (host 10.66.66.91, service 3298)
    *
    * TIME Thu Jun 14 14:42:54 2007
    * RELEASE 640
    * COMPONENT NI (network interface)
    * VERSION 37
    * RC -93
    * MODULE nixxi.cpp
    * LINE 8724
    * DETAIL NiPConnect2
    * SYSTEM CALL SiPeekPendConn
    * ERRNO 239
    * ERRNO TEXT Connection refused
    * COUNTER 5
    ***********************************************************************
End of the code.

Or

SAProuter Log File

Thu Jun 14 14:40:28 2007 CONNECT FROM C9/- host 10.66.66.90/24016 (host2.company.corp)

Thu Jun 14 14:40:28 2007 CONNECT TO S9/17 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

Thu Jun 14 14:40:28 2007 CONNECT ERR S9/17 NIEROUT_PERM_DENIED on 'SAProuter 39.0 on 'host3'', *** NATIVE ROUTING ***

Thu Jun 14 14:40:28 2007 DISCONNECT S9/17 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.0 on 'host3'
    * ERROR host3: route permission denied (host2.company.corp to
    * host1, 3253)
    *
    * TIME Thu Jun 14 14:40:28 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -93
    * COUNTER 3
    **********************************************************************
End of the code.
Background and Further Analysis

Check the log and trace files on the SAProuter where the error occurred if the information already provided is not sufficient. The SAProuter error message that is normally displayed on the client contains information on the error. The LOCATION line tells you the location of the error.

Connection Terminations

Connection terminations can be triggered from both the client side and the server side

Connection Terminations from the Server Side

The following entries appear in the log file when a connection termination is triggered from the server side (if the local SAProuter is the client).

SAProuter Log File

Thu Jun 14 16:08:47 2007 CONNECT FROM C18/- host 10.66.66.90/24761 (host2.company.corp)

Thu Jun 14 16:08:47 2007 CONNECT TO S18/10 host 10.21.83.41/3299 (host2)

Thu Jun 14 16:08:47 2007 ESTABLISHED S18/10

Thu Jun 14 16:08:58 2007 DISCONNECT S18/10 host 10.21.83.41/3299 (host2)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ************************************************************************  LOCATION    SAProuter 39.0 on 'host2'
    * ERROR connection to partner '10.21.72.60:3298' broken
    *
    * TIME Thu Jun 14 16:08:58 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -95
    * MODULE nixxi.cpp
    * LINE 4660
    * DETAIL NiIRead: P=10.21.72.60:3298; L=???
    * SYSTEM CALL recv
    * ERRNO 232
    * ERRNO TEXT Connection reset by peer
    * COUNTER 17
    ***********************************************************************
End of the code.

Or

SAProuter Log File

Thu Jun 14 16:09:50 2007 CONNECT FROM C19/- host 10.66.66.90/24847 (host2.company.corp)

Thu Jun 14 16:09:50 2007 CONNECT TO S19/11 host 10.21.72.60/3298 (ldp007)

Thu Jun 14 16:09:50 2007 ESTABLISHED S19/11

Thu Jun 14 16:10:02 2007 DISCONNECT S19/11 host 10.21.72.60/3298 (ldp007) RST

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host1'
    * ERROR connection to partner '10.21.72.60:3298' broken
    *
    * TIME Thu Jun 14 16:10:02 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -95
    * MODULE nixxi.cpp
    * LINE 4660
    * DETAIL NiIRead: P=10.21.72.60:3298; L=10.66.66.90:24848
    * SYSTEM CALL recv
    * ERRNO 104
    * ERRNO TEXT Connection reset by peer
    * COUNTER 10
    ***********************************************************************
End of the code.
Connection Terminations from the Client Side

The following entries appear in the log file when a connection termination is triggered from the client side (if the local SAProuter is the server).

Thu Jun 14 16:13:20 2007 CONNECT FROM C20/- host 10.66.66.90/24849 (host2.company.corp)

Thu Jun 14 16:13:20 2007 CONNECT TO S20/12 host 10.21.83.41/3299 (host2)

Thu Jun 14 16:13:20 2007 ESTABLISHED S20/12

Thu Jun 14 16:13:43 2007 DISCONNECT C20/12 host 10.66.66.90/24849 (host2.company.corp) RST

There is no error message with errInfo because the error is on the client side.

Background and Further Analysis

The DISCONNECT entry in teh log file tells you the side where the connection termination was triggered. You can use this information to find the node/program that first closed the connection. The trace file for this program contains more information on the cause of the connection termination.

In some cases, the connection between the two programs can be terminated without either side triggering the termination. For example, this is the case if two SAProuters with a direct TCP/IP connection both record that the other side triggered the connection termination. This means that an active network component between the two programs terminated the TCP/IP connection. The network component concerned is often a firewall or a router with an idle timeout. If this occurs, check the network.

The DISCONNECT log entry also tells you whether or not the connection was closed in a TCP/IP-compliant manner. 'RST' at the end of the line indicates and RDT package or a retransmit timeout. This means that the other side or an active network component between the two sides of the TCP/IP connection ended the connection incorrectly. This can be caused by the program crashing, the connection being closed to early at application level, or a firewall.

Background documentation Other Errors

The following errors occur only rarely. The descriptions below aim to help you to analyze and eliminate these errors.

  • The SAProuter receives incorrect data. This can happen if the route is too short or if the system overlooks the fact that the connection is to a SAProuter rather than a backend connection.

  • The SAProuter receives the route information too late (TCP/IP connection setup was successful).

  • The SAProuter is the client and it receives an incorrect response from the server.

  • The SAProuter is the server and it receives the data from the client too early.

  • SNC not active for a forwards connection

  • SNC not active for a backwards connection

Incorrect data sent to the SAProuter

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 09:55:36 2007 CONNECT FROM C10/- host 10.66.66.90/34506 (host1.company.corp)

Thu Jun 14 09:55:36 2007 INVAL DATA C10/- route expected

Thu Jun 14 09:55:36 2007 DISCONNECT C10/- host 10.66.66.90/34506 (host1.company.corp)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host1'
    * ERROR internal error
    *
    * TIME Thu Jun 14 09:55:36 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -93
    * MODULE nirout.cpp
    * LINE 2664
    * DETAIL NiRClientHandle: route expected
    * COUNTER 4
    ***********************************************************************
End of the code.
Background and Further Analysis

The client program sends incorrect data to the SAProuter. This is usually the case if the client assumes that it is already communicating with the target system but the connection was actually established to an SAProuter that has to wait for a route first. Check the parameters for the connection setup on the client.

Route sent too late

The connection setup (connect) was successful but the client sends the route to the SAProuter too late, or the client assumes that it is already connected to the server and is waiting for data, or the timeout -W is exceeded.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 12:27:27 2007 CONNECT FROM C11/- host 10.66.66.90/35087 (host1.company.corp)

Thu Jun 14 12:27:32 2007 CONNECT ERR C11/- no route received within 5s

Thu Jun 14 12:27:32 2007 DISCONNECT C11/- host 10.66.66.90/35087 (host1.company.corp)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host1'
    * ERROR connection timed out
    *
    * TIME Thu Jun 14 12:27:32 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -5
    * MODULE nirout.cpp
    * LINE 6519
    * DETAIL RTPENDLIST::timeoutPend: no route received within 5s
    * (CONNECTED)
    * COUNTER 5
    ***********************************************************************
End of the code.
Background and Further Analysis

This error can occur if the client does not send the route quickly enough after the TCP/IP connect to the SAProuter. This might be caused by the client hanging temporarily.

Incorrect response from the server

If a server-side program other than a SAProuter responds, or if the back end responds, the SAProuter cannot use t he response. It needs another SAProuter as the server.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp)

Thu Jun 14 13:59:43 2007 CONNECT TO S9/17 host 10.66.66.91/3253 (host2)

Thu Jun 14 13:59:43 2007 CONNECT ERR S9/17 invalid data form server during route completion

Thu Jun 14 13:59:43 2007 DISCONNECT S9/17 host 10.66.66.91/3253 (host2)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host1'
    * ERROR internal error
    *
    * TIME Thu Jun 14 13:59:43 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -93
    * MODULE nirout.cpp
    * LINE 2694
    * DETAIL NiRClientHandle: invalid data from server 'host2' during
    * route completion
    * COUNTER 3
    ***********************************************************************
End of the code.
Background and Further Analysis

Check the parameters for the connection setup on the client.

Data received too early from the client

If the SAProuter, as the server, receives data from the client before the route is established, the following entries appear in the log file:

SAProuter Log File

Thu Jun 14 14:15:00 2007 CONNECT FROM C10/- host 10.66.66.90/52640 (host1.company.corp)

Thu Jun 14 14:15:00 2007 CONNECT TO S10/18 host 10.66.66.91/3253 (host2)

Thu Jun 14 14:15:00 2007 CONNECT ERR C10/18 invalid data form client during route completion

Thu Jun 14 14:15:00 2007 DISCONNECT C10/18 host 10.66.66.90/52640 (host1.company.corp)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host1'
    * ERROR internal error
    *
    * TIME Thu Jun 14 14:15:00 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -93
    * MODULE nirout.cpp
    * LINE 2688
    * DETAIL NiRClientHandle: invalid data from client
    * 'host1.company.corp' during route completion
    * COUNTER 5
    ***********************************************************************
End of the code.
Background and Further Analysis

The client program is behaving incorrectly. Check for a more recent version of the client program.

Data received too early from the server

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp)

Thu Jun 14 13:59:43 2007 CONNECT TO S9/17 host 10.66.66.91/3253 (host2)

Thu Jun 14 13:59:43 2007 CONNECT ERR S9/17 invalid data form server during route completion

Thu Jun 14 13:59:43 2007 DISCONNECT S9/17 host 10.66.66.91/3253 (host2)

The client issues the error message below.

Syntax Syntax

SAProuter Error Message
  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host1'
    * ERROR internal error
    *
    * TIME Thu Jun 14 13:59:43 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -93
    * MODULE nirout.cpp
    * LINE 2694
    * DETAIL NiRClientHandle: invalid data from server 'host2' during
    * route completion
    * COUNTER 3
    ***********************************************************************
End of the code.
Background and Further Analysis

Check the version of the SAProuter on the server side and update the program if necessary.

SNC not active for a forwards connection

The log file contains the following entries:

Client Side

Thu Jun 14 17:16:40 2007 CONNECT FROM C18/ host 10.66.66.90/30891 (host1.company.corp)

Thu Jun 14 17:16:40 2007 CONNECT TO S18/10 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE)

Thu Jun 14 17:16:40 2007 CONNECT ERR S18/10 forwarding route failed NIESNC_FAILURE

Thu Jun 14 17:16:40 2007 DISCONNECT C18/10 host 10.66.66.90/30891 (host1.company.corp)

Server Side

Thu Jun 14 17:16:40 2007 CONNECT FROM C9/- host 10.18.211.3/1168 (host3.wdf.sap.corp)

Thu Jun 14 17:16:40 2007 DISCONNECT C9/- host 10.18.211.3/1168 (host3.wdf.sap.corp)

SAProuter Error Message on Client Sire

Syntax Syntax

  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host3'
    * ERROR SNC processing failed:
    * SNC not enabled
    *
    * TIME Thu Jun 14 17:16:40 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -104
    * MODULE nisnc.c
    * LINE 566
    * DETAIL NiSncOpcode: NISNC_REQ
    * COUNTER 2
    ***********************************************************************
End of the code.
Background and Further Analysis

The SAProuter on the server side has not activated SNC. Restart the SAProuter on the server side with the option -K mysncname.

SNC not active for a backwards connection

The log file contains the following entries:

Client Side

Thu Jun 14 17:08:19 2007 CONNECT FROM C9/ host 10.66.66.90/30883 (host1.company.corp)

Thu Jun 14 17:08:19 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3)

Thu Jun 14 17:08:19 2007 CONNECT ERR S9/17 NIESNC_FAILURE on 'SAProuter 39.1 (SP3) on 'host3''

Thu Jun 14 17:08:19 2007 DISCONNECT S9/17 host 10.18.211.3/3299 (10.18.211.3)

Server Side

Thu Jun 14 17:08:19 2007 CONNECT FROM C12/- host 10.18.211.3/1119 (host3.wdf.sap.corp)

Thu Jun 14 17:08:19 2007 CONNECT TO S12/20 host 10.66.66.91/3253 (host2)

Thu Jun 14 17:08:19 2007 CONNECT ERR C12/20 NIECONN_BROKEN on 'SAProuter 39.1 (SP3) on 'host3''

Thu Jun 14 17:08:19 2007 DISCONNECT C12/20 host 10.18.211.3/1119 (host3.wdf.sap.corp)

SAProuter Error Message on Client Sire

Syntax Syntax

  1. ***********************************************************************
    * LOCATION SAProuter 39.1 (SP3) on 'host3'
    * ERROR SNC processing failed:
    * SNC not enabled
    *
    * TIME Thu Jun 14 17:08:19 2007
    * RELEASE 710
    * COMPONENT NI (network interface)
    * VERSION 39
    * RC -104
    * MODULE nisnc.c
    * LINE 586
    * DETAIL NiSncOpcode: NISNC_ACC
    * COUNTER 4
    ***********************************************************************
End of the code.
Background and Further Analysis

The SAProuter on the client side has not activated SNC. Restart the SAProuter on the client side with the option -K mysncname.

SAP Notes for SAProuter

As a rule, always refer to the relevant SAP Notes if you experience problems with SAProuter. You will find these on the SAP Service Marketplace.

Note Number

Content

0029684

STFK: Route Permission Denied

0062636

saprouter terminates on ending UNIX session

0063342

List: NI error codes

0164937

NiPBind: service 'sap????' in use

0104576

Package filter between ITS and R/3

0042692

Test tool for RFC connections: sapinfo

0066168

Required documents when analyzing RFC problems

0025917

Changes to /etc/hosts are not accepted

0147021

"Address already in use" due to TCP state

0037211

ftp not via SAProuter : "connection refused"

You can also search for SAP Notes under component BC-CST-NI to find current corrections in the SAProuter environment.

Setting Up Logging in the SAProuter

To get an overview of the function and capacity of the SAProuter, a log can be kept of all the connections established and actions performed via the SAProuter.

Procedure

You can configure the log using Option -G. Here you create the name of the log file and specify where it is to be created.

Structure of the Log File

The log file is structured line by line. Each line contains the following information:

  • Date and time: week day, month, day, time, year

  • Action: Possible actions are INIT LOGFILE (start of log file), READ ROUTTAB (read Route Permission Table), CONNECT FROM/TO (set up connection from/to), DISCONNECT (close connection), PERM DENIED (connection not permitted by route permission table).

After the action there is always a handle pair n/m, whereby the letter means whether the action was initialized by the client or the server, and the two numbers refer to the internal NI handle numbers.

Example Example

The handle pair 'C1/2' means that this log refers to the connection with handle 1 to the client (the first number) and with handle 2 to the server (second number). The C at the front means that the action was initialized by the client. A CONNECT FROM is therefore always written with C; a CONNECT TO with S. With a DISCONNECT each page closed by the connection is specified. The IP address and port always refer to the connection’s counter page (peer). A log with a handle pair C1/- means that no server-side connection between a pair exists yet.

End of the example.

The most important log entries are described below.

Example

Actions

Assuming that logging has been activated, the following actions are executed through the SAProuter. The SAProuter stands between the physical hosts ldp007 with the IP address 10.21.72.60 and binmain (IP address 10.21.82.77).

  1. Connection is opened between host ldp007 (10.21.72.60) and host binmain (10.21.82.77) with port sapmsBIN, which is closed by the client again.

  2. Administrator calls up local SAProuter to display the list of connections ( saprouter -l).

  3. Connection is established between host ldp007 (10.21.72.60) and the same host ldp007 with port 3298, which is closed by the server again.

  4. Attempt to open connection from host ldp007 (10.21.72.60) to the same host with telnet port 23 is rejected by the SAProuter.

Route Permission Table

The route permission table in this example allows connections from any host to host 10.21.82.77 with port sapmsBIN, as well as to host 10.21.72.60 with port 3298:

P * 10.21.82.77 sapmsBIN

P * 10.21.72.60 3298

Log File

After these actions have been executed, the log file would look like the following (the line numbers are not displayed, but are added here to help with the description).

(1) Wed Dec 7 13:13:59 2005 INIT LOGFILE

(2) Wed Dec 7 13:13:59 2005 READ ROUTTAB ./saprouttab o.k.

(3) Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp)

(4) Wed Dec 7 13:14:05 2005 CONNECT TO S1/2 host 10.21.82.77/sapmsBIN (binmain)

(5) Wed Dec 7 13:14:05 2005 DISCONNECT C1/2 host 10.21.72.60/1245 (ldp007.wdf.sap.corp)

(6) Wed Dec 7 13:14:13 2005 CONNECT FROM C2/- host 127.0.0.1/44997 (local host)

(7) Wed Dec 7 13:14:13 2005 SEND INFO TO C2/-

(8) Wed Dec 7 13:14:13 2005 DISCONNECT C2/- host 127.0.0.1/44997 (localhost)

(9) Wed Dec 7 13:14:23 2005 CONNECT FROM C2/- host 10.21.72.60/1276 (ldp007.wdf.sap.corp)

(10) Wed Dec 7 13:14:23 2005 CONNECT TO S2/1 host 10.21.72.60/3298 (ldp007)

(11) Wed Dec 7 13:14:24 2005 DISCONNECT S2/1 host 10.21.72.60/3298 (ldp007)

(12) Wed Dec 7 13:14:31 2005 CONNECT FROM C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)

(13) Wed Dec 7 13:14:31 2005 PERM DENIED C2/- host 10.21.72.60 (ldp007.wdf.sap.corp) to ldp007/23

(14) Wed Dec 7 13:14:31 2005 DISCONNECT C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)

Meaning

The lines mean the following:

Line(s)

Meaning

(1), (2)

The first two lines are always at the start of the log file. The first line marks the start, the second means that the Route Permission Table has been read in successfully.

(3), (4)

The client (host 10.21.72.60, port 1245) connects to the SAProuter and through this host it can connect to host 10.21.82.77, port sapmsBIN, since this connection is permitted according to the route permission table.

(5)

The connection between host 10.21.72.60, port 1245 and host 110.21.82.77, port sapmsBIN is closed by the client.

(6)

On the local host (IP address 127.0.0.1, port 44997) the connection list display is called up (saprouter -l). The connection is opened with the SAProuter.

(7)

The SAProuter sends the client the requested connection information.

(8)

The connection is closed again. As it is not a client/server connection via the SAProuter, the connection is closed by the SAProuter.

(9), (10)

Client host 10.21.72.60, port 1276 wants to connect to server 10.21.72.60, port 3298 via the SAProuter, which is permitted according to the route permission table. The SAProuter opens the connection.

(11)

The connection is closed again (from the server).

(12), (13)

Client host 10.21.72.60, port 1352 wants to connect to server 10.21.72.60, port 23 (telnet) via the SAProuter, which is not permitted according to the route permission table. The SAProuter returns message, "permission denied".

(14)

The connection is closed by the SAProuter. (With unpermitted connections and in error situations the SAProuter closes the connections.)

Creating a Route Permission Table

You can create a route permission table with a standard text editor.

You must create a separate route permission table for each SAProuter in your network.

If no specific route permission table has been assigned to the SAProuter, ./saprouttab is used on UNIX and IBM i. File saprouttab is searched for in the working directory of SAProuter :\usr\sap\saprouter. If this file is not available, SAProuter terminates with an appropriate message.

Procedure

Create the file in the relevant directory. You can find a description of the syntax under Route Permission Table.

You can use generic entries ( *) in hosts, ports, and passwords.

You can use subnetworks in host routes as described in the following table:

Entry in the Route Permission Table

Meaning

156.56.*.*

All host addresses beginning with 156.56.

133.27.17.*

All host addresses beginning with 133.27.17

133.27.16.0/24

All host addresses beginning with 133.27.16 (0/24 at the end means that the first 24 bits are relevant, that is, the first three blocks)

156.56.1011xxxx.*

All host addresses from 156.56.176.* bis 156.56.191.*.

(Binary interpretation of the third byte of the address. 'x' is a freely selectable binary value (1 or 0).)

Example Example

You can display an example of a route permission table on the screen. To do this, enter saprouter to call the SAProuter online help:

Route Strings

A route string describes the stations of a connection required between two hosts. A route string has the syntax

Syntax Syntax

  1. (/H/host/S/service/W/pass)*
End of the code.

It consists of any number of “substrings” in the form /H/host/S/service/W/pass.

Caution Caution

H, S, and W must be uppercase!

End of the caution.

Structure

A route string contains a substring for each SAProuter and for the target server.

Each substring contains the information required by SAProuter to set up a connection in the route: the host name, the port name, and the password, if one was given.

Syntax for substrings
  • /H/ indicates the host name

    Caution Caution

    Note that the host name must be at least two characters long.

    End of the caution.
  • /S/ is used for specifying the service (port); it is an optional entry, the default value is 3299

  • /W/ indicates the password for the connection between the predecessor and successor on the route and is also optional (default is "", no password)

    Caution Caution

    In earlier Releases (<4.0a),>

    New /H/saprouter/W/pass/H/targetserver

    Old: /H/saprouter/H/targetserver/P/pass

    (Here pass is the password which is checked by the SAProuter on host saprouter to set up or prohibit the connection from the source host to the target host.)

    Due to downward compatibility, the old password entry form is still possible.

Entering Route Strings

A route string describes a connection required between two hosts using one or more SAProuters. Each of these SAProuters then checks its Route Permission Table to see whether the connection between its predecessor and successor is allowed, and if it is, sets it up.

Procedure

The entry of route strings is best illustrated by an example.

The following graphic shows an example of a connection between SAP and a customer system. In this example, an SAP service employee working on sappc wants to log on to a customer application server yourapp that provides or uses the service sapsrv.

This graphic is explained in the accompanying text.

The SAP service employee logs on to the SAP system, and sets up a connection between sappc and yourapp using the SAProuter on sap_rout and the customer's SAProuter your_rout.

your_rout requires password pass_to_app for connections with yourapp.

The route string appears as follows:

/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv

This route string is interpreted by the SAProuters involved in the route as follows:


Host/address

Service/port

Password

Substring 1

/H/sap_rout

/S/

Substring 2

/H/your_rout

/S/

/W/pass_to_app

Substring 3

/H/yourapp

/S/sapsrv


The connection from sappc to the application server is set up in the following steps:

sappc (front end)

Sets up the connection to SAProuter sap_rout according to substring 1 and relays the route information.

sap_rout (SAProuter on SAP side)

Uses the route permission table to check whether route sappc zu your_rout 3299 is allowed, sets up the connection to the customer SAProuter on host your_rout, and passes substring 2 and 3.

your_rout (SAProuter on customer side)

Checks whether route sap_rout to yourapp, sapsrv is permitted. Password pass_to_app is also checked. SAProuter then sets up the connection to the application server.

A SAProuter always checks only the previous host name or the previous IP address and the next substring (/H/.../S/.../W/..) for host name or IP address, service and password. The last substring does not contain a password, since there is no successor in the route.

If the /S/ section is missing, the default port number of the SAProuter is used. If the /W/ section is missing, a password is not used.

With the old password entry, the above route string would appear as follows:

/H/sap_rout/H/your_rout/H/yourapp/S/sapsrv/P/pass_to_app

Note that the host name (which follows the /H/ in the route string) must be at least two characters long.

Procedure documentationTesting Basic Functions

Prerequisites

Before using SAProuter, you should test whether there are any network problems.

To test the basic functions of the SAProuter, you require the programs saprouter and niping as well as three open windows (shells) on one or more hosts.

Procedure

The following table shows the test scenario when using niping:

SAProuter runs in window 1, the server in window 2, and the client in window 3.

UNIX/Windows


Window 2 (host2)

Window 1 (host1)

Window 3 (host3)

Without SAProuter

niping -s


niping -c -H host2

With SAProuter

niping -s

saprouter -r

niping -c -H /H/host1/H/host2

IBM i


Window 2 (host2)

Window 1 (host1)

Window 3 (host3)

Without SAProuter

call niping '-s'


call niping '-c' '-H' 'host2'

With SAProuter

call niping '-s'

saprouter '-r'

call niping '-c' '-H' '/H/host1/H/host2'

Follow the procedure below:

  1. Start SAProuter in window 1 (on host1). To do this, enter the following command:

    UNIX/Windows: saprouter -r (IBM i: saprouter '-r'

    This command calls SAProuter without any parameters.

    For a complete list of the SAProuter commands, refer to the chapter SAProuter Options or the online help. To call the online help, enter saprouter.

  2. In window 2 (host2), start the test program niping to simulate a test server. Enter the command

    UNIX/Windows: niping -s

    IBM i call niping '-s'

    For a complete list of the niping commands, see the online help. To call the online help, enter niping.

  3. In window 3 (host3), start the test program niping to simulate a client. Enter the command

    UNIX/Windows: niping -c -H host2

    IBM i call niping '-c' '-H' 'host2'

    This command tests the connection without the SAProuter, that is directly between host2 and host3.

  4. In window 3, start the test program niping again with the following command:

    UNIX/Windows: niping -c -H /H/host1/H/host2

    IBM i call niping '-c' '-H' '/H/host1/H/host2'

    This command tests the connection with SAProuter. A host name is interpreted as a route (over one or more SAProuters to the server) if /H/ is added as a prefix to the host name.

    For more information, see Route Strings

In steps 3 and 4, data packages are sent to the server, and the server sends the data packages back. In step 3, the data packages should be sent to the server more frequently, since more process changes take place.

To perform a self test for the local host:

Enter the command niping -t (IBM i: call niping '-t').

A list with function names, parameters, and return codes is displayed. If the self test is successful, the following message appears:

*** SELFTEST O.K. ***

Note Note

To get an idea of the options provided by niping, enter niping without any parameters.

SAP Note 500235 contains comprehensive documentation about the nipingtool.

Blog Archive