Sap Router 720 En

SAProuter Release 720 HELPX.BCCSTNI


(C) SAP AG HELPX.BCCSTNI 2

Copyright © Copyright 2011 SAP AG. All rights reserved. SAP Library document classification: PUBLIC No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. 
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.


Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Typographic Conventions

Type Style | Description
Example text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Table of Contents

SAProuter
  What is SAProuter?
    NI Network Interface
      SAP Protocol
    Route Connections
    SNC - Secure Network Communication
  Installing the SAProuter
    Hardware Requirements for SAProuter
    Installation on UNIX
    Installation Under Windows
    Installation on IBM i
  Using and Configuring the SAProuter
    Starting SAProuter
    Testing Basic Functions
    Entering Route Strings
      Route Strings
    Creating a Route Permission Table
      Route Permission Table
      Example of a Route Permission Table
      Example of a Route Permission Table with SNC
    Setting Up Logging in the SAProuter
  Identifying and Correcting Errors
    Successful Connection Setup and Data Transfer
    SAProuter Error Messages
      Checking the Route Permission Table
      Setting Up More Connections
    Connection Setup Errors
    Connection Terminations
    Other Errors
    SAP Notes for SAProuter
  Reference
    SAProuter Options
      Option -s (stop saprouter)
      Option -n (new saprouttab)
      Option -t (toggle trace)
      Option -c<n> (cancel connection n)
      Option -l / -L
      Option -d (dump buffers)
      Option -f (flush buffers)
      Option -p (Soft Shutdown)
      Option -R <routtab>
      Option -K <mysncname>
      Option -G<logfile>
      Option -J<size in bytes>
      Option -T<tracefile>
      Option -V<tracelev>
      Option -E
      Option -S <service>
      Option -C <clients>
      Option -D
      Option -6 (enable IPv6)
      Option -Z
      Option -I <address>
      Option -Y <n>
      Option -H <host name> [-P <password>]
      Option -M <min> <max>
    NI and SAProuter Implementation
      Communication Modes
      Route Connects
      Buffered Connection Handles
      Select Sets
      NI Keepalive
      NI Error Information
      NI Control Messages
      Common Settings for Sockets
      SAProuter Route Permission
        Route Table Examples


SAProuter

SAProuter is an SAP program that can protect your SAP network against unauthorized access. It is a stand-alone program that is normally installed on the system with the firewall.

[Figure: SAProuter in the Network. Labels: WAN (Internet), SAProuter, LAN (SAP System)]

More Information

This documentation comprises the following sections.

Section | Content
What is SAProuter? | Introduction, concept, and architecture of SAProuter.
Installing the SAProuter | Installation guidelines for the platforms supported by SAP
Using and Configuring the SAProuter | Starting and stopping, administration functions while the SAProuter is running, and configuration of SAProuter
Identifying and Correcting Errors | Troubleshooting
Reference | SAProuter Options: Overview of All Administration Options. NI and SAProuter Implementation: Implementation Details

What is SAProuter?

SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks. SAProuter controls the access to your network, and, as such, is a useful enhancement to an existing firewall system (port filter).

Figuratively, the firewall forms an impenetrable “wall” around your network. However, since particular types of connections need to penetrate this wall, a “gate” has to be made in the firewall. SAProuter assumes control of this gate.

In short, SAProuter provides you with the means of controlling access to your SAP system.

Implementation Considerations

You can use SAProuter to do the following:

• Control and log the connections to your SAP system, for instance from an SAP service center
• Set up an indirect connection when programs involved in the connection cannot communicate with each other due to the network configuration
  o Address conflicts when using non-registered IP addresses
  o Restrictions arising from firewall systems
• Improve network security by means of the following:
  o A password, which protects your connection and data from unauthorized external access
  o Allowing access from only particular SAProuters
  o Only allowing encrypted connections from a known partner (using the SNC layer)
• Increase performance and stability by reducing the SAP system workload within a local area network (LAN) when communicating with a wide area network (WAN)

The following graphic illustrates your network (LAN) using a firewall as protection against access from outside. SAProuter runs on the firewall host, and serves as a “gate” to your network. This gate is only opened for connections you specify.

[Figure labels: WAN (Internet), SAProuter, LAN (SAP System)]

This is often useful if, for example, there is a support connection from SAP to your SAP system that SAP staff use to access your system in the case of problems. SAProuter controls and monitors these connections.

Note that installing SAProuter without the use of a firewall does not protect your network against access from external networks. You must ensure that all incoming SAP connections go through the SAProuter “gate”.

Increasing Network Security with SAProuter

The SAProuter running on your firewall host should be configured to allow the following:

• Only the NI protocol (SAP Protocol) is accepted from external systems
• Only a limited number of SAProuters is allowed before and after this one in a route
• Only SAProuters that you trust are allowed access

Under UNIX, we do not recommend starting the SAProuter on a port reserved for root.


Constraints

The following scenarios are supported by the SAProuter:

• SAP GUI communication through the SAProuter (to the Message Server and/or SAP Dispatcher)
• RFC communication between systems or between RFC client and SAP Gateway
• Support connections from SAP to customers. For support purposes SAP enables the transfer of other protocols through special, proprietary precautions, but these are not appropriate for production operation and are not released.

The following scenarios are not supported by the SAProuter:

• Communication between server components with HTTP-based protocols through the SAProuter (e.g. Web service calls through HTTP)
• Communication from a user interface such as the browser or the Business Client through SAProuter to an application server (e.g. Web Dynpro or BSP-based applications)
• Binary protocols (e.g. terminal server, X-server) between communication partners

More Information

NI Network Interface

Route Connections

SNC - Secure Network Communication

Installing the SAProuter

Using and Configuring the SAProuter

NI Network Interface

To provide independence from the various platforms, SAP has developed the intermediate layer NI (Network Interface) for all network connections. It is used by SAProuter and all SAP programs, as well as by the development kits for CPI-C and Remote Function Call (RFC).

Structure

In the OSI 7 layer model, the NI layer forms the upper part of the transport layer, and is therefore the part nearer the applications. Specifically, this means that NI uses TCP or UDP. The protocol is also known as the SAP Protocol.

NI in the OSI 7 layer model

OSI layer | Protocol
7 Application |
6 Presentation |
5 Session |
4 Transport | NI (upper part), TCP / UDP
3 Network | IP
2 Data transfer | Ethernet, ...
1 Transfer method |

The test program niping, which tests the NI functions, belongs to the NI layer. A predefined number of data packages is simply sent from the client to the server, is returned by the server, and read again by the client. The program also outputs average transfer times and, depending on the trace level, detailed information on the data transfer. Niping can be used to test network connections with or without SAProuter.

If niping is entered without parameters, an online help is displayed with possible parameters and additional options.

More Information

Testing Basic Functions

NI and SAProuter Implementation

SAP Protocol

The protocol used by SAP programs that communicate using the NI interface is called the SAP Protocol. This is an enhanced version of the TCP/IP protocol, which has been supplemented by one length field and some options for error information.

When defining the route permission table, you can use S as the initial letter. This then only allows the SAP protocol, that is, the line is interpreted as usual, but only SAP programs (SAP GUI, SAP application servers, etc.) are permitted to communicate with each other.

For more information, see: Creating a Route Permission Table

Integration

The NI network interface provides the SAP protocol as the default for communication, although it can also use the TCP/IP protocol with external programs (for example, telnet or lpd) that do not 'speak' SAP protocol.

More Information

Route Connections

SNC - Secure Network Communication

Route Connections

A route connection is a connection between two hosts via a network. The route is the sequence of intermediate stations used to set up the connection.

Structure

You can set up a connection between SAP systems with or without SAProuter.

Connections Without SAProuter

The following graphic shows a network connection from SAP to the customer without SAProuter:

[Figure labels: Customer LAN, Customer Work Stations, SAP LAN, SAP Work Stations, WAN (Internet)]

We are assuming that both the SAP LAN (local area network) as well as the customer LAN are protected against unwanted access by firewalls.

If a connection is to be set up between an SAP workstation and a customer workstation, a "hole" needs to be made in the firewall. The more connections required to external hosts, the more holes (and therefore security gaps) the firewall contains.

If a connection is set up without SAProuter, the following information is required:

1. IP address of the host or the logical name of the host on which the server process is running. The target host must therefore have a unique IP address.

2. Port number or the logical name of the port used by the process. The server process must use an exclusive port number on its host. Also, this port number must be known to the client.

When the NI network interface is used, the host address and port number can be passed as logical names (for example, host saposs, service sapdp00) or address strings (for example, a host IP address in the form www.xxx.yyy.zzz, port sapdp00).

Connections with SAProuter

The following graphic shows a network connection with SAProuter:

[Figure labels: Customer LAN, Customer Work Stations, SAProuter, WAN (Internet), SAProuter, SAP LAN, SAP Work Stations]

SAProuter only allows a network to be accessed from fixed points. The number of access points (holes) is therefore reduced, since fewer direct lines are required for connections. Each "hole" is guarded by an SAProuter whose route permission table determines the routes that can be used and the necessary passwords for gaining access. The hole in the firewall is therefore monitored.

Without SAProuter, the IP addresses must be unique. This is not always possible, particularly in the case of a connection between two networks that do not normally have an external connection. The concatenation of SAProuter enables two points with identical IP addresses to be connected.

SAProuter can be used not only to connect one host with a particular service, but also to connect several hosts and services with each other. The route information is provided in the form of a route string. The passwords required for access are also specified in the route string.

More Information

Route Permission Table

Route Strings

Using and Configuring the SAProuter

Route Connects in the implementation part

SNC - Secure Network Communication

SNC is used to make network connections using the Internet, in particular WAN connections, secure. It provides reliable authentication as well as encryption of the data to be transferred.

SAProuter allows SNC connections to be set up. The route permission table can be used to specify precisely whether SNC connections are allowed, and if so, which ones.

Prerequisites

You are using at least version 30 of SAProuter, and have configured SNC using the relevant guide.

The following are prerequisites for setting up an SNC connection between two SAProuters:

• Both SAProuters must have been started with option -K <SNCname> (IBM i: '-K <SNCname>'). These names ensure the authenticity of a host.
• There must be a KT entry in the route permission table of the source host. This causes the connection to the target host to use the SNC layer.
• There must be a KP entry in both route permission tables, allowing the connection.

Activities

To set up an SNC connection between two SAProuters, you need to start them using the option -K and configure the route permission table appropriately.
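The configuration points under "Increasing Network Security with SAProuter" and the KT/KP prerequisite above can be checked mechanically against a route permission table. The following Python audit is an added example, not SAP code and not part of the original documentation. The column layout of the entries, the optional <v>,<n> route limit, the KS entry type and the wildcard and comment characters are assumptions, since this part of the documentation names only the entry types; both sample tables are constructed.

```python
import re
import shlex

# Assumed entry layout (this section names the entry types, not their columns):
#   P|S|D     <source-host>  <dest-host> <dest-serv> [<password>]
#   KP|KS|KD  <SNC-name>     <dest-host> <dest-serv> [<password>]
#   KT        <SNC-name>     <dest-host> <dest-serv>
# Also assumed: permit entries may carry "<v>,<n>" (max. SAProuters before and
# after this one on the route), "*" is a wildcard, "#" starts a comment.
KIND = re.compile(r"^(KT|K?[PSD])(?:(\d+|\*),(\d+|\*))?$")
PERMIT = {"P", "S", "KP", "KS"}

EXPLAIN = {
    "malformed": "entry could not be parsed",
    "non-ni-protocol": "P/KP is not restricted to the SAP protocol; use S/KS",
    "any-source": "wildcard source: not limited to partners you trust",
    "no-route-limit": "number of SAProuters before/after is not bounded",
    "kt-without-kp": "KT entry, but no KP/KS entry in this table",
}


def parse(text):
    """Yield one dict per entry; blank lines and comments are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            # shlex keeps a quoted SNC name (which contains spaces) in one field
            fields = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote
            yield {"line": lineno, "kind": None}
            continue
        if not fields:
            continue
        m = KIND.match(fields[0])
        if m is None or len(fields) < 4:
            yield {"line": lineno, "kind": None}
            continue
        yield {"line": lineno, "kind": m.group(1), "before": m.group(2),
               "after": m.group(3), "peer": fields[1],
               "host": fields[2], "serv": fields[3]}


def audit(text):
    """Return sorted (line, finding) pairs for one route permission table."""
    entries = list(parse(text))
    findings = []
    for e in entries:
        kind = e["kind"]
        if kind is None:
            findings.append((e["line"], "malformed"))
        elif kind in PERMIT:
            if kind in ("P", "KP"):            # not restricted to NI
                findings.append((e["line"], "non-ni-protocol"))
            if e["peer"] == "*":               # any host / any SNC partner
                findings.append((e["line"], "any-source"))
            if e["before"] is None or "*" in (e["before"], e["after"]):
                findings.append((e["line"], "no-route-limit"))
    # The SNC prerequisites ask for a KP entry next to the KT entry.
    has_snc_permit = any(e["kind"] in ("KP", "KS") for e in entries)
    for e in entries:
        if e["kind"] == "KT" and not has_snc_permit:
            findings.append((e["line"], "kt-without-kp"))
    return sorted(findings)


# Constructed sample tables (hosts, SNC name and password are made up).
SAMPLE = """\
# constructed sample table
S0,0 10.1.1.5 sapapp01 3200
P * * *
S 192.0.2.10 sapapp01 sapdp00 secret
KT "p:CN=partner, O=Example, C=DE" 198.51.100.7 3299
bogus line
D * * *
"""

HARDENED = """\
S0,0 10.1.1.5 sapapp01 3200
KT "p:CN=partner, O=Example, C=DE" 198.51.100.7 3299
KS0,0 "p:CN=partner, O=Example, C=DE" sapapp01 3200
D * * *
"""

if __name__ == "__main__":
    for line, code in audit(SAMPLE):
        print(f"line {line}: {code}: {EXPLAIN[code]}")
```

The findings are review prompts for the administrator, not verdicts: an entry without a route limit, for example, may be intended where further SAProuters legitimately follow on the route.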

More Information

Option -K <mysncname>

Route Connections

Route Permission Table

Installing the SAProuter

The following describes how to install SAProuter. On UNIX, SAProuter is installed as a daemon. On Windows it is installed as a service.

We recommend you always install the latest SAProuter.

Prerequisites

For information about the hardware prerequisites, see Hardware Requirements for SAProuter.

Procedure

Download

You will find the latest SAProuter in the SAP Service Marketplace under Download SAP Software <Support Packages & Patches>, http://service.sap.com/patches.

On the Support Packages and Patches page, choose the link Entry by Application Group in the navigation bar, and then Additional Components → SAPROUTER → SAPROUTER 7.20 → <Platform>.

Here you will find the saprouter packet.

Installation

How you install the SAProuter depends on the operating system you are using. Choose the appropriate method:

• Installation on UNIX
• Installation Under Windows
• Installation on IBM i

Hardware Requirements for SAProuter

SAProuter Architecture and Requirement Profile

Since the work of the SAProuter (also with SNC) is mainly I/O-based (input/output), you do not require any especially powerful CPU.

The workload handled by the SAProuter is determined by the number of open connections.

If over 800 connections have to be maintained, we recommend that you start new SAProuter processes with Option -Y <n>. This distributes the load across several processes and reduces the risk of any problem occurring (if a problem does occur, it never affects all the open connections). The following rule of thumb applies to many connections: 1 SAProuter per 500 connections.

As an alternative to option -Y, you can set up a script that monitors the SAProuter process and restarts the SAProuter (soft shutdown with Option -p, then restart) as soon as a certain number of connections is exceeded, or when the message "Maximum number of clients reached" is written for the first time.

Since the SAProuter process is running in one thread (single threaded) and is often busy with I/O calls or with host name resolutions, a computer with one CPU manages well with several SAProuter processes running in parallel.

Recommended Hardware

For an SAProuter with 3000 parallel connections between SAP GUIs and application servers, transferring an average volume of data, a small number of file downloads and uploads (approximately 8 kB data transfer in both directions per connection and per 10 seconds), we recommend:

• Fast network adapter (very important)
• 2 hyper-threading (HTT) CPUs with 2 GHz clock frequency
• 512 MB RAM
• 50 MB free space on the hard drive for SAProuter and configuration
• Hard drive space for log files

Background

For 3000 users we estimate six SAProuter processes (set Option -C <clients> to 1000).

Each of these processes requires 4.5 MB of memory, and 9% of a two-way HTT 3 GHz CPU, if you assume one third of the CPU workload is for the users and two thirds for the system. The six SAProuter processes together require approximately 30 MB and 55% of the CPU.

Sometimes it takes a few seconds to determine the host name from the IP address (reverse lookup), and during this time the process is blocked. The cause is usually an error in the DNS configuration. Users will notice these delays particularly if the workload on the SAProuter is large. Use Option -D to prevent this from happening.

Recommended Start Options

Start the SAProuter as follows:

saprouter -r -K <SNC name> -Y 0 -C 1000 -D -G <log file> -J 2000000

More Information

For information about operating the SAProuter under Windows, see SAP Note 734095.

Installation on UNIX

Procedure

1. Create the subdirectory saprouter in directory /usr/sap/.

2. Get the latest version of the SAProuter from the SAP Service Marketplace (http://service.sap.com/patches), as described under Installation of the SAProuter. The SAProuter is in packet saprouter*.SAR; the niping program is also in this packet. Copy programs saprouter and niping to the newly created directory /usr/sap/saprouter.

If you cannot copy the programs from SAP Service Marketplace, you can copy a version (may be obsolete) from your directory /usr/sap/<SID>/SYS/exe/run.

3. (Optional) If you want to start the SAProuter on the same computer used for an SAP instance, insert the following lines into file /usr/sap/<SID>/SYS/exe/run/startsap:

    #
    # Start saprouter
    #
    SRDIR=/usr/sap/saprouter
    if [ -f $SRDIR/saprouter ] ; then
        echo "\nStarting saprouter Daemon " | tee -a $LOGFILE
        echo "----------------------------" | tee -a $LOGFILE
        $SRDIR/saprouter -r -R $SRDIR/saprouttab \
            | tee -a $LOGFILE &
    fi

Insert the lines before the commands to start the SAP instance.

Normally the SAProuter runs on a different computer. If this is so, this step is omitted and you start the SAProuter as described in Starting the SAProuter.

4. Maintain the Route Permission Table in directory /usr/sap/saprouter. If you want to keep it in another directory or under a name other than saprouttab, you must specify this with the SAProuter option -R (see Option -R <routtab>).

Installation Under Windows

Prerequisites

You have the latest version of SAProuter available on SAP Service Marketplace (http://service.sap.com/patches, see Installing the SAProuter), and have read the README file.

Procedure

1. Create the subdirectory saprouter in directory <drive>:\usr\sap.

2. Download the latest version of the SAProuter from SAP Service Marketplace. Read the README file in this package. Copy the executables saprouter.exe and niping.exe into the directory you have just created.

If there is no SAProuter there, you can get a version (may be obsolete) from your directory <drive>:\usr\sap\<SID>\SYS\exe\run.

3. If SAProuter has already been entered as a service with srvany.exe, remove the definition of the service from the Registry and restart the host.

4. Define the service with the following command:

ntscmgr install SAProuter -b ...\saprouter\saprouter.exe -p "service -r <parameter>"

Note:

The dots (...) stand for <drive>:\usr\sap.

<parameter> can be replaced by other parameters with which SAProuter is to be started. See SAProuter Options. It is important that the parameters are within the character string enclosed in double quotation marks.

5. Define the general attributes of the service: In Control Panel → Services, set the startup type to "automatic" and enter a user. SAProuter should not run under the SystemAccount.

6. To avoid the error message "The description for Event ID (0)" in the Windows NT event log, you must enter the following in the registry: Choose HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → Eventlog → Application, create the key saprouter, and define the following values for it:

EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe

TypesSupported (REG_DWORD): 0x7

These adjustments are not obligatory for running SAProuter. They are only used for providing detailed error messages in the event log.

Maintain the Route Permission Table in the system32 Windows directory. If you want to keep it in another directory or under a name other than saprouttab, you must specify this with the SAProuter option -R.

For more information, see: Option -R <routtab>

Result You have installed SAProuter under Windows.

There may be a problem if some of the Microsoft DLLs have not been replaced. You can find which ones you need in SAP Note 684106.

Installation on IBM i

Prerequisites

You have the latest version of SAProuter available on SAP Service Marketplace (see Installing the SAProuter), and have read the README file.

Procedure

Install the programs SAPROUTER and NIPING in a separate library (such as SAPROUTER).

1. Log on to the IBM i machine as <SID>ADM.

2. Create a library

CRTLIB <library name>

3. Create the backup file SAPROUTER:

CRTSAVF <library name>/SAPROUTER

4. Create the backup file NIPING:

CRTSAVF <library name>/NIPING

5. Download the programs SAPROUTER.SVF and NIPING.SVF from the SAP Service Marketplace to your local PC, using the following commands:

ftp <IBM i>

cd QGPL

lcd <dir> (<dir> is the directory where SAPROUTER.SVF and NIPING.SVF are located)

bin

put SAPROUTER.SVF SAPROUTER

put NIPING.SVF NIPING

quit

6. Re-create the SAPROUTER or NIPING objects. Use the command APYR3FIX as described in SAP Note 493654, and for parameter KRNLIB use the library that you created above.

7. Create the directory /usr/sap/saprouter.

8. You have to maintain the Route Permission Table in /usr/sap/saprouter/saprouttab.

More Information Creating a Route Permission Table

Starting SAProuter

Using and Configuring the SAProuter

Procedure

This section describes how SAProuter is started, tested, and configured.

The following tasks are described:

Operation

Starting SAProuter

Testing Basic Functions

Entering Route Strings

Configuration

Creating a Route Permission Table

Setting Up Logging in the SAProuter

More Information SAProuter Options

Error Diagnosis

Starting SAProuter

Prerequisites

Before using SAProuter, you should test its basic functions.

For more information, see Testing SAProuter Basic Functions

Procedure

To start SAProuter:

Enter saprouter -r in the input field. (IBM i: enter saprouter '-r' in the input field in batch mode if possible.)

This command starts SAProuter. The connections allowed are contained in the saprouttab.

You can start SAProuter automatically when booting the system. Under UNIX, for example, you change your /etc/rc file.

If you want to run a high number of connections (more than 1000) via SAProuter, start the SAProuter using Option -r -Y <n>, and set the maximum number of clients to 2000 using Option -C <clients>, thus:

saprouter -r -Y 0 -C 2000

If this option is set, a new SAProuter is automatically started if the client table becomes full. New connections then use this new SAProuter.

The table below contains the most important SAProuter commands:

Command Meaning

saprouter Displays a complete list of SAProuter parameters on the screen

saprouter -r (IBM i: saprouter '-r') Starts SAProuter

saprouter -s (IBM i: saprouter '-s') Stops the running SAProuter

More Information Creating a Route Permission Table

SAProuter Options

Testing Basic Functions

Prerequisites

Before using SAProuter, you should test whether there are any network problems.

To test the basic functions of the SAProuter, you require the programs saprouter and niping as well as three open windows (shells) on one or more hosts.

Procedure

The following table shows the test scenario when using niping:

SAProuter runs in window 1, the server in window 2, and the client in window 3.

UNIX/Windows

Without SAProuter:

Window 2 (host2): niping -s

Window 3 (host3): niping -c -H host2

With SAProuter:

Window 2 (host2): niping -s

Window 1 (host1): saprouter -r

Window 3 (host3): niping -c -H /H/host1/H/host2

IBM i

Without SAProuter:

Window 2 (host2): call niping '-s'

Window 3 (host3): call niping '-c' '-H' 'host2'

With SAProuter:

Window 2 (host2): call niping '-s'

Window 1 (host1): saprouter '-r'

Window 3 (host3): call niping '-c' '-H' '/H/host1/H/host2'

Follow the procedure below:

1. Start SAProuter in window 1 (on host1). To do this, enter the following command:

UNIX/Windows: saprouter -r (IBM i: saprouter '-r')

This command calls SAProuter without any parameters.

For a complete list of the SAProuter commands, refer to the chapter SAProuter Options or the online help. To call the online help, enter saprouter.

2. In window 2 (host2), start the test program niping to simulate a test server. Enter the command

UNIX/Windows: niping -s

IBM i: call niping '-s'

For a complete list of the niping commands, see the online help. To call the online help, enter niping.

3. In window 3 (host3), start the test program niping to simulate a client. Enter the command

UNIX/Windows: niping -c -H host2

IBM i: call niping '-c' '-H' 'host2'

This command tests the connection without the SAProuter, that is directly between host2 and host3.

4. In window 3, start the test program niping again with the following command:

UNIX/Windows: niping -c -H /H/host1/H/host2

IBM i: call niping '-c' '-H' '/H/host1/H/host2'

This command tests the connection with SAProuter. A host name is interpreted as a route (over one or more SAProuters to the server) if /H/ is added as a prefix to the host name.

For more information, see Route Strings

In steps 3 and 4, data packages are sent to the server, and the server sends the data packages back. In step 3, the data packages should be sent to the server more frequently, since more process changes take place.

To perform a self test for the local host:

Enter the command niping -t (IBM i: call niping '-t').

A list with function names, parameters, and return codes is displayed. If the self test is successful, the following message appears:

*** SELFTEST O.K. ***

To get an idea of the options provided by niping, enter niping without any parameters.

SAP Note 500235 contains comprehensive documentation about the niping tool.

More Information Entering Route Strings for SAProuter

Creating a Route Permission Table

NI Network Interface

Entering Route Strings

A route string describes a connection required between two hosts using one or more SAProuters. Each of these SAProuters then checks its Route Permission Table to see whether the connection between its predecessor and successor is allowed, and if it is, sets it up.

Procedure

The entry of route strings is best illustrated by an example.

The following graphic shows an example of a connection between SAP and a customer system. In this example, an SAP service employee working on sappc wants to log on to a customer application server yourapp that provides or uses the service sapsrv.

[Figure: sappc on the SAP LAN connects via SAProuter sap_rout across the WAN (Internet) to SAProuter your_rout on the customer LAN, which connects to application server yourapp (service sapsrv).]

The SAP service employee logs on to the SAP system, and sets up a connection between sappc and yourapp using the SAProuter on sap_rout and the customer's SAProuter your_rout.

your_rout requires password pass_to_app for connections with yourapp.

The route string appears as follows:

/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv

This route string is interpreted by the SAProuters involved in the route as follows:

Host/address Service/port Password

Substring 1 /H/sap_rout /S/<default> <no password>

Substring 2 /H/your_rout /S/<default> /W/pass_to_app

Substring 3 /H/yourapp /S/sapsrv

The connection from sappc to the application server is set up in the following steps:

sappc (front end): Sets up the connection to SAProuter sap_rout according to substring 1 and relays the route information.

sap_rout (SAProuter on SAP side): Uses the route permission table to check whether route sappc to your_rout, 3299 is allowed, sets up the connection to the customer SAProuter on host your_rout, and passes on substrings 2 and 3.

your_rout (SAProuter on customer side): Checks whether route sap_rout to yourapp, sapsrv is permitted. Password pass_to_app is also checked. SAProuter then sets up the connection to the application server.

A SAProuter always checks only the previous host name or the previous IP address and the next substring (/H/.../S/.../W/..) for host name or IP address, service and password. The last substring does not contain a password, since there is no successor in the route.

If the /S/ section is missing, the default port number of the SAProuter is used. If the /W/ section is missing, a password is not used.

With the old password entry, the above route string would appear as follows:

/H/sap_rout/H/your_rout/H/yourapp/S/sapsrv/P/pass_to_app

Note that the host name (which follows the /H/ in the route string) must be at least two characters long.

More Information Route Strings

Route Permission Table

Route Connects in the implementation part

Route Strings

A route string describes the stations of a connection required between two hosts. A route string has the syntax

(/H/host/S/service/W/pass)*

It consists of any number of “substrings” in the form /H/host/S/service/W/pass.

H, S, and W must be uppercase!

Structure

A route string contains a substring for each SAProuter and for the target server.

Each substring contains the information required by SAProuter to set up a connection in the route: the host name, the port name, and the password, if one was given.

Syntax for substrings

/H/ indicates the host name

Note that the host name must be at least two characters long.

/S/ is used for specifying the service (port); it is an optional entry, the default value is 3299

/W/ indicates the password for the connection between the predecessor and successor on the route and is also optional (default is "", no password)

In earlier Releases (<4.0A), the password entry was made one substring later and with the letter /P/.

New: /H/saprouter/W/pass/H/targetserver

Old: /H/saprouter/H/targetserver/P/pass

(Here pass is the password which is checked by the SAProuter on host saprouter to set up or prohibit the connection from the source host to the target host.)

Due to downward compatibility, the old password entry form is still possible.

More Information Entering Route Strings

Route Connects in the implementation part
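The route string syntax above, including the old /P/ password form, written as a small parser. This is an added example, not SAP code; the function names are chosen here. It also masks passwords so that a route string can be written to a log or ticket without exposing the /W/ value.

```python
import re

DEFAULT_SERVICE = "3299"   # default when /S/ is missing, as stated above
_TOKEN = re.compile(r"/([A-Za-z])/([^/]*)")


def parse_route_string(route):
    """Return one dict per substring: host, service, password."""
    tokens = _TOKEN.findall(route)
    # Every character of the string must be consumed by /X/value tokens.
    if not tokens or "".join(f"/{k}/{v}" for k, v in tokens) != route:
        raise ValueError("malformed route string")
    hops = []
    for key, value in tokens:
        if key == "H":
            if len(value) < 2:
                raise ValueError("host name must be at least two characters long")
            hops.append({"host": value, "service": DEFAULT_SERVICE, "password": ""})
        elif not hops or not value:
            raise ValueError(f"/{key}/ needs a value and a preceding /H/")
        elif key == "S":
            hops[-1]["service"] = value
        elif key == "W":
            hops[-1]["password"] = value
        elif key == "P":
            # Old form: the password is written one substring later, so it
            # belongs to the SAProuter before the current host.
            if len(hops) < 2:
                raise ValueError("/P/ needs a preceding SAProuter substring")
            hops[-2]["password"] = value
        else:
            raise ValueError(f"unknown key /{key}/ (H, S and W must be uppercase)")
    return hops


def format_route(hops):
    """Write hops back in the current form (/W/ in the SAProuter's own substring)."""
    out = []
    for hop in hops:
        out.append("/H/" + hop["host"])
        if hop["service"] != DEFAULT_SERVICE:
            out.append("/S/" + hop["service"])
        if hop["password"]:
            out.append("/W/" + hop["password"])
    return "".join(out)


def redact_route(route):
    """Mask /W/ and /P/ values before a route string is logged or shared."""
    return re.sub(r"/([WP])/[^/]*", r"/\1/***", route)


def is_valid_route(route):
    try:
        parse_route_string(route)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Route strings taken from the example in Entering Route Strings.
    current = "/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv"
    legacy = "/H/sap_rout/H/your_rout/H/yourapp/S/sapsrv/P/pass_to_app"
    for hop in parse_route_string(legacy):
        print(hop)
    print(format_route(parse_route_string(legacy)) == current)
    print(redact_route(current))
```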

Creating a Route Permission Table

You can create a route permission table with a standard text editor.

You must create a separate route permission table for each SAProuter in your network.

If no specific route permission table has been assigned to the SAProuter, ./saprouttab is used on UNIX and IBM i. File saprouttab is searched for in the working directory of SAProuter <lwk>:\usr\sap\saprouter. If this file is not available, SAProuter terminates with an appropriate message.

Procedure

Create the file in the relevant directory. You can find a description of the syntax under Route Permission Table.

You can use generic entries (*) in hosts, ports, and passwords.

You can use subnetworks in host routes as described in the following table:

Entry in the Route Permission Table Meaning

156.56.*.* All host addresses beginning with 156.56.

133.27.17.* All host addresses beginning with 133.27.17

133.27.16.0/24 All host addresses beginning with 133.27.16 (0/24 at the end means that the first 24 bits are relevant, that is, the first three blocks)

156.56.1011xxxx.* All host addresses from 156.56.176.* to 156.56.191.*. (Binary interpretation of the third byte of the address. 'x' is a freely selectable binary value (1 or 0).)

You can display an example of a route permission table on the screen. To do this, enter saprouter to call the SAProuter online help.

More Information You can find more examples of route permission tables in the following sections:

Example of a Route Permission Table

Example of a Route Permission Table with SNC

More Information

Route Permission Table

Route String Entry for SAProuter

Route Connects in the implementation part

Route Permission Table

The route permission table contains the host names and port numbers of the predecessor and successor points on the route (from the SAProuter’s point of view), as well as the passwords required to set up the connection (corresponds to a substring).

It is used to specify which connections are allowed and which prohibited by SAProuter. It also specifies whether SNC connections are set up and which these are.

For more information, see: Route Strings

Structure

Standard Entries

Standard entries in a route permission table appear as follows:

P/S/D <source-host> <dest-host> <dest-serv> <password>

Here <source-host> and <dest-host> could be the SAProuter.

Elements of a table entry are described below:

Handling Connection: P/S/D

The beginning of the line can be as follows:

P(ermit) causes SAProuter to set up the connection. P(ermit) entries can contain a password. SAProuter checks whether this password corresponds to that sent by the client.

Directly after the P, you can also specify the maximum number of SAProuters permitted before and after this SAProuter on the route for the connection to be allowed: Pv,n. Here v denotes the maximum number of preceding SAProuters on the route, and n the maximum number of following ones.

S(ecure) only allows connections with the SAP Protocol; connections with other protocols (such as TCP) are not allowed.

With Sv,n you can determine the number of preceding and succeeding SAProuters on the route, the same as you can with P.

D(eny) prevents the connection from being set up.

You can also add comment lines, which must begin with #.

Source Host <source host>

This element describes the host from where the connection comes (from viewpoint of the SAProuter). This can be a host name, an IP address, or an IP subnetwork.

For more information, see: Creating a Route Permission Table

Destination Host <dest host>

This element describes the host the connection is going to (from viewpoint of the SAProuter). This can be a host name, an IP address, or an IP subnetwork.

Destination Port <dest serv>

This element describes the port (service) of the destination host where the connection is going to. Here you can also specify port ranges by separating the two ports that enclose the port range with a point. If <dest-serv> has value 3200.3298, this means connections to the target server on all ports between 3200 and 3298.

If a <source-host> client wants to set up a connection to <dest-host> <dest-serv> using SAProuter, SAProuter checks its route permission table before the connection is set up. If the password and route SAProuter has received correspond to the entries in the route permission table, SAProuter sets up the connection. If this is not the case, SAProuter does not set up the connection and issues the message Route permission denied.

For more information, see:

Example of a Route Permission Table

Identifying and Correcting Errors

SNC Entries

SNC entries always start with the letter K (like key).

There are two types of SNC entries:

1. KT entries (key target)

This defines which connections should be SNC connections. This can be defined for both incoming and outgoing connections (from the point of view of this SAProuter).

1. Incoming connections

The syntax is KT <SNCname src-host> <src-host> <src-serv>.

This means that connections coming from the host <src-host> <src-serv> with the SNC name <SNCname src-host> should be SNC connections.

The user can thus define that service connections from SAP must be SNC connections.

2. Outgoing connections

They have the syntax KT <SNCname dest-host> <dest-host> <dest-serv>. This means that connections from the SAProuter to <dest-host> <dest-serv> with the SNC name <SNCname> should be SNC connections.

2. KD, KP, and KS entries

They have the following syntax:

K<D/P/S> <SNCname source-host> <dest-host> <dest-serv> <password>. This means that the (encrypted) SNC connection from <SNCname source-host> via SAProuter to <dest-host> <dest-serv> is set up when the route string contains the correct <password>.

So that SNC connections are possible, the appropriate SAProuters need to have been started with the option -K and the route permission table must contain the appropriate KT entry.

For more information, see: Example of a Route Permission Table with SNC

Evaluation of the Route Permission Table

The following rules apply when the SAProuter evaluates the route permission table.

First Match

The first entry in the route permission table for which source address, target address, and target port match is decisive. In other words, in the Example of a Route Permission Table, this means that the connection from host1 to host2, service serviceX, is not allowed (because of the first entry) although all connections with service serviceX are allowed according to the third entry.

No match

If there is not an appropriate entry in the table for a route, the connection is rejected. It behaves as though the last line were a

D * * *.

Wildcards Exception

If the SAProuter is the last SAProuter on the route (for example, the front end), and the service is not an SAP service (not an SAP protocol), a wildcard (“*”) cannot be used with the service. The connection is only allowed if the non-SAP service is explicitly selected. If the example given above contained a * instead of telnet, and the SAProuter was the last one on the route, the telnet connection would not be set up.

Security Note

For security reasons, SAP recommends that you do not use wildcards (*) for the target host (<dest-host>) and the target port (<dest-serv>) in P and S lines in the route permission table. If the table contains these lines, the SAProuter issues a warning message:

WARNING: wildcard character used in route target

More Information Creating a Route Permission Table

SAProuter Route Permission in the implementation part.
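A simplified model of the evaluation rules above (first match, implicit D * * *, subnet and port-range forms, and the wildcard-target recommendation), for reviewing a table offline. This is an added example, not SAProuter's own matching code; the function names and the sample table are constructed here. Assumptions: host names are compared literally without name resolution, service names are not resolved to port numbers, a wrong password or an exceeded Pv,n limit on the first matching entry results in a deny, and SNC (K) entries and the non-SAP wildcard exception are not modelled.

```python
import ipaddress
import re

ACTION = re.compile(r"^([PSD])(?:(\*|\d+),(\*|\d+))?$")   # P, S, D, Pv,n, Sv,n


def parse_routtab(text):
    """Parse standard entries; comment (#) and SNC (K...) lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0][0] in "#K":
            continue
        m, rest = ACTION.match(fields[0]), fields[1:]
        if not m or not 1 <= len(rest) <= 4:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        # Missing trailing fields mean "any" (and no password required).
        src, dst, serv, password = rest + ["*", "*", "*", ""][len(rest):]
        entries.append({"line": lineno, "action": m.group(1), "before": m.group(2),
                        "after": m.group(3), "src": src, "dst": dst,
                        "serv": serv, "password": password})
    return entries


def _octet_matches(pattern, octet):
    if pattern == "*":
        return True
    if re.fullmatch(r"[01x]{8}", pattern):            # binary form, x = either bit
        return all(p in ("x", b) for p, b in zip(pattern, format(octet, "08b")))
    return pattern.isdigit() and int(pattern) == octet


def host_matches(pattern, host):
    if pattern == "*":
        return True
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return pattern.lower() == host.lower()        # host name: literal match
    if "/" in pattern:                                 # a.b.c.d/n form
        try:
            return addr in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    parts = pattern.split(".")
    return len(parts) == 4 and all(
        _octet_matches(p, o) for p, o in zip(parts, addr.packed))


def service_matches(pattern, service):
    if pattern == "*":
        return True
    lo, dot, hi = pattern.partition(".")               # 3200.3298 is a port range
    if dot and lo.isdigit() and hi.isdigit() and service.isdigit():
        return int(lo) <= int(service) <= int(hi)
    return pattern == service


def _within(limit, count):
    return limit in (None, "*") or count <= int(limit)


def decide(entries, src, dst, serv, password="", before=0, after=0):
    """Return (verdict, line number); the first matching entry is decisive."""
    for e in entries:
        if not (host_matches(e["src"], src) and host_matches(e["dst"], dst)
                and service_matches(e["serv"], serv)):
            continue
        if e["action"] == "D":
            return ("deny", e["line"])
        if e["password"] not in ("", "*") and e["password"] != password:
            return ("deny", e["line"])
        if not (_within(e["before"], before) and _within(e["after"], after)):
            return ("deny", e["line"])
        return ("permit" if e["action"] == "P" else "permit-sap-only", e["line"])
    return ("deny", None)                              # behaves like a final D * * *


def wildcard_targets(entries):
    """Line numbers of P/S entries with * in target host or port (see Security Note)."""
    return [e["line"] for e in entries
            if e["action"] in "PS" and ("*" in e["dst"] or "*" in e["serv"])]


# Constructed sample table using the entry forms described on this page.
SAMPLE = """\
# constructed sample, not a recommended configuration
D host1 host2 3250
D host3
P * * 3200.3298
P 156.56.1011xxxx.* 133.27.16.0/24 sapmsBIN
P host4 host5 3299 pass
S host6 host9 3300
P*,0 host7 host8 telnet
"""

if __name__ == "__main__":
    table = parse_routtab(SAMPLE)
    print(decide(table, "host1", "host2", "3250"))     # denied by line 2, not permitted by line 4
    print(wildcard_targets(table))
```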

Example of a Route Permission Table

A route permission table could appear as follows:

D host1 host2 serviceX

D host3

P * * 3200.3298

P 155.56.*.* 155.56.*.*

P 155.57.1011xxxx.*

P host4 host5 * pass

S host6

P host7 host8 telnet

P*,0 * * gui

This means:

Do not allow routes from host1 to host2, service serviceX

Do not allow routes starting from host3

Allow all routes to server processes that use a service in area 3200 to 3298

Allow all routes within subnetwork 155.56.0.0/16

Allow all routes starting from subnetwork 155.57.1011xxxx (the last byte is written as a binary number; each x stands for 0 or 1).

Allow all routes from host4 to host5 if password pass is correct

All routes from host6, but only SAP protocol

Native protocol routes (TCP/IP) from host7 to host8 for the non-SAP service telnet on telnet

All connections to non-SAProuters (no more SAProuters allowed on this route) if password gui is correct

In the above example in Entering Route Strings the route permission table of host saprouter must have the entry:

P sappc your_rout

and the route permission table of host yoursaprouter must contain the entry

P saprouter yourapp sapsrv pass_to_app

It can contain parentheses, signs and the following operators:

More Information Example of a Route Permission Table with SNC

Route Permission Table

Example of a Route Permission Table with SNC

A route permission table using SNC could look like this:

P * * * pass

KT S:SR@host4 host4 3333

KT S:SR@host4 host9 *

KD S:SR@host4 host9 *

KP S:SR@host4 * * pass2

KS * host10 4444

KP * * *

This means:

Allow all connections if password pass is specified correctly.

Connections from this SAProuter to host4 (SNC name S:SR@host4), service 3333 should be SNC connections.

Connections from host9 (SNC name s:SR@host9) to this SAProuter should be SNC connections.

A SNC connection from SR@host4 to host9 through this SAProuter should not be set up.

A SNC connection from S:SR@host4 through this SAProuter (any target host) is allowed if the password pass2 is correct (unless the connection is to host9, since this is not allowed according to the previous entry - the first entry which “matches” is decisive).

All SAP to SAP connections (NI protocols) to host10, service 4444, which come in as SNC connections are passed on as non-SNC connections to host10 (no SNC host).

All SNC connections (for which the previous entries are not suitable) are allowed.

More Information Route Permission Table

Creating a Route Permission Table

Setting Up Logging in the SAProuter

To get an overview of the function and capacity of the SAProuter, a log can be kept of all the connections established and actions performed via the SAProuter.

Procedure

You can configure the log using Option -G<logfile>. Here you create the name of the log file and specify where it is to be created.

Structure of the Log File

The log file is structured line by line. Each line contains the following information:

Date and time: week day, month, day, time, year

Action: Possible actions are INIT LOGFILE (start of log file), READ ROUTTAB (read route permission table), CONNECT FROM/TO (set up connection from/to), DISCONNECT (close connection), PERM DENIED (connection not permitted by route permission table).

After the action there is always a handle pair <C|S>n/m, whereby the letter means whether the action was initialized by the client or the server, and the two numbers refer to the internal NI handle numbers.

The handle pair 'C1/2' means that this log refers to the connection with handle 1 to the client (the first number) and with handle 2 to the server (second number). The C at the front means that the action was initialized by the client. A CONNECT FROM is therefore always written with C; a CONNECT TO with S. With a DISCONNECT, the side that closed the connection is specified. The IP address and port always refer to the other side of the connection (the peer). A log with a handle pair C1/- means that no server-side connection between a pair exists yet.

The most important log entries are described below.

Example Actions

Assuming that logging has been activated, the following actions are executed through the SAProuter. The SAProuter stands between the physical hosts ldp007 with the IP address 10.21.72.60 and binmain (IP address 10.21.82.77).

1. Connection is opened between host ldp007 (10.21.72.60) and host binmain (10.21.82.77) with port sapmsBIN, which is closed by the client again.

2. Administrator calls up local SAProuter to display the list of connections ( saprouter -l).

3. Connection is established between host ldp007 (10.21.72.60) and the same host ldp007 with port 3298, which is closed by the server again.

4. Attempt to open connection from host ldp007 (10.21.72.60) to the same host with telnet port 23 is rejected by the SAProuter.

Route Permission Table

The route permission table in this example allows connections from any host to host 10.21.82.77 with port sapmsBIN, as well as to host 10.21.72.60 with port 3298:

P * 10.21.82.77 sapmsBIN

P * 10.21.72.60 3298

Log File

After these actions have been executed, the log file would look like the following (the line numbers are not displayed, but are added here to help with the description).

(1) Wed Dec 7 13:13:59 2005 INIT LOGFILE

(2) Wed Dec 7 13:13:59 2005 READ ROUTTAB ./saprouttab o.k.

(3) Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp)

(4) Wed Dec 7 13:14:05 2005 CONNECT TO S1/2 host 10.21.82.77/sapmsBIN (binmain)

(5) Wed Dec 7 13:14:05 2005 DISCONNECT C1/2 host 10.21.72.60/1245 (ldp007.wdf.sap.corp)

(6) Wed Dec 7 13:14:13 2005 CONNECT FROM C2/- host 127.0.0.1/44997 (local host)

(7) Wed Dec 7 13:14:13 2005 SEND INFO TO C2/-

(8) Wed Dec 7 13:14:13 2005 DISCONNECT C2/- host 127.0.0.1/44997 (localhost)

(9) Wed Dec 7 13:14:23 2005 CONNECT FROM C2/- host 10.21.72.60/1276 (ldp007.wdf.sap.corp)

(10) Wed Dec 7 13:14:23 2005 CONNECT TO S2/1 host 10.21.72.60/3298 (ldp007)

(11) Wed Dec 7 13:14:24 2005 DISCONNECT S2/1 host 10.21.72.60/3298 (ldp007)

(12) Wed Dec 7 13:14:31 2005 CONNECT FROM C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)

(13) Wed Dec 7 13:14:31 2005 PERM DENIED C2/- host 10.21.72.60 (ldp007.wdf.sap.corp) to ldp007/23

(14) Wed Dec 7 13:14:31 2005 DISCONNECT C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)

Meaning

The lines mean the following:

Line(s) Meaning

(1), (2) The first two lines are always at the start of the log file. The first line marks the start, the second means that the Route Permission Table has been read in successfully.

(3), (4) The client (host 10.21.72.60, port 1245) connects to the SAProuter and through this host it can connect to host 10.21.82.77, port sapmsBIN, since this connection is permitted according to the route permission table.

(5) The connection between host 10.21.72.60, port 1245 and host 10.21.82.77, port sapmsBIN is closed by the client.

(6) On the local host (IP address 127.0.0.1, port 44997) the connection list display is called up (saprouter -l). The connection is opened with the SAProuter.

(7) The SAProuter sends the client the requested connection information.

(8) The connection is closed again. As it is not a client/server connection via the SAProuter, the connection is closed by the SAProuter.

(9), (10)

Client host 10.21.72.60, port 1276 wants to connect to server 10.21.72.60, port 3298 via the SAProuter, which is permitted according to the route permission table. The SAProuter opens the connection.

(11) The connection is closed again (from the server).

(12), (13)

Client host 10.21.72.60, port 1352 wants to connect to server 10.21.72.60, port 23 (telnet) via the SAProuter, which is not permitted according to the route permission table. The SAProuter returns message, "permission denied".

(14) The connection is closed by the SAProuter. (With unpermitted connections and in error situations the SAProuter closes the connections.)
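The log structure described above, parsed into routed connections and PERM DENIED events so that denied route attempts can be counted per source. This is an added example, not an SAP tool; the function names are chosen here, and the sample input is the log excerpt from this section without the explanatory line numbers.

```python
import re
from collections import Counter
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<action>INIT LOGFILE|READ ROUTTAB|CONNECT FROM|CONNECT TO|ESTABLISHED|"
    r"SEND INFO TO|DISCONNECT|PERM DENIED)"
    r"(?: (?P<side>[CS])(?P<client>\d+)/(?P<server>\d+|-)?)?"   # handle pair <C|S>n/m
    r"(?: +host (?P<addr>[^\s/]+)(?:/(?P<port>\S+))?)?"         # peer address/port
    r"(?P<rest>.*)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a log entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%a %b %d %H:%M:%S %Y")
    return rec


def summarize(lines):
    """Return (routed, denied).

    routed: (source address, destination address, destination port) per CONNECT TO
    denied: (time, source address, requested target) per PERM DENIED
    """
    pending, routed, denied = {}, [], []
    for rec in filter(None, map(parse_line, lines)):
        action, client = rec["action"], rec["client"]
        if action == "CONNECT FROM":
            pending[client] = rec["addr"]          # client handle -> source address
        elif action == "CONNECT TO":
            routed.append((pending.get(client, "?"), rec["addr"], rec["port"]))
        elif action == "PERM DENIED":
            target = re.search(r" to (\S+)$", rec["rest"])
            denied.append((rec["time"], rec["addr"],
                           target.group(1) if target else "?"))
        elif action == "DISCONNECT":
            pending.pop(client, None)              # handle numbers are reused
    return routed, denied


def denials_by_source(denied):
    """Count PERM DENIED events per source address."""
    return Counter(src for _, src, _ in denied)


# The log file from the example above, without the added (n) line numbers.
SAMPLE_LOG = """\
Wed Dec 7 13:13:59 2005 INIT LOGFILE
Wed Dec 7 13:13:59 2005 READ ROUTTAB ./saprouttab o.k.
Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:05 2005 CONNECT TO S1/2 host 10.21.82.77/sapmsBIN (binmain)
Wed Dec 7 13:14:05 2005 DISCONNECT C1/2 host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:13 2005 CONNECT FROM C2/- host 127.0.0.1/44997 (local host)
Wed Dec 7 13:14:13 2005 SEND INFO TO C2/-
Wed Dec 7 13:14:13 2005 DISCONNECT C2/- host 127.0.0.1/44997 (localhost)
Wed Dec 7 13:14:23 2005 CONNECT FROM C2/- host 10.21.72.60/1276 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:23 2005 CONNECT TO S2/1 host 10.21.72.60/3298 (ldp007)
Wed Dec 7 13:14:24 2005 DISCONNECT S2/1 host 10.21.72.60/3298 (ldp007)
Wed Dec 7 13:14:31 2005 CONNECT FROM C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:31 2005 PERM DENIED C2/- host 10.21.72.60 (ldp007.wdf.sap.corp) to ldp007/23
Wed Dec 7 13:14:31 2005 DISCONNECT C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)
"""

if __name__ == "__main__":
    routed, denied = summarize(SAMPLE_LOG.splitlines())
    for src, dst, port in routed:
        print(f"routed  {src} -> {dst}/{port}")
    for when, src, target in denied:
        print(f"denied  {when:%Y-%m-%d %H:%M:%S}  {src} -> {target}")
    print(denials_by_source(denied))
```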

Identifying and Correcting Errors

If an error occurs while a SAProuter is in operation, an error message is displayed by the SAProuter client. The message helps you to locate the cause of the error and find a solution.

Prerequisites

You can find more information about error handling in the log file. Logging in SAProuter must be activated (Option -G<logfile>).

Procedure

Restrict the error to one of the following error groups:

Connection Setup Errors

Connection Terminations

Other errors /occasional errors

To find the relevant group, you can enter the error text in the full text search in the documentation.

Once you have restricted the error to a group, proceed as follows:

Connection Setup Errors

Connection Terminations

Other Errors

More Information You can find information about the syntax of SAProuter error messages, and examples of frequently occurring errors in SAProuter Error Messages

Log file

If no error occurs, you can tell this from the log file. Entries are described in Successful Connection Setup and Data Transfer.

SAP Notes

With other error messages or problems with SAProuter you can look for solutions in the SAP Note system under component BC-CST-NI.

You can find notes about the SAProuter environment in section SAP Notes for the SAProuter.

Successful Connection Setup and Data Transfer

When the connection is set up and data transferred without any errors, you can see the following entries in the log file:

Operation Without SNC

Thu Jun 14 16:08:04 2007 CONNECT FROM C9/ host 10.66.66.90/19114 (host1.company.corp)

Thu Jun 14 16:08:04 2007 CONNECT TO S9/17 host 10.21.83.41/3299 (host2)

Thu Jun 14 16:08:06 2007 ESTABLISHED S9/17

Thu Jun 14 16:21:06 2007 DISCONNECT C9/17 host 10.66.66.90/19114 (host1.company.corp)

Thu Jun 14 14:28:40 2007 CONNECT FROM C19/ host 10.66.66.90/12127 (host1.company.corp)

Thu Jun 14 14:28:40 2007 CONNECT TO S19/11 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

Thu Jun 14 14:28:41 2007 ESTABLISHED S19/11 , *** NATIVE ROUTING ***

Thu Jun 14 14:58:43 2007 DISCONNECT S19/11 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

Operation with SNC

When using SNC for data communication between two SAProuters there are two different mechanisms for setting up the connection.

SNC Forwards Setup

With this mechanism, the client-side SAProuter initiates the SNC connection/encryption. The SAProuter on the client side has an entry of the type KT in the route permission table for the server-side SAProuter and therefore establishes the SNC connection. The SNC name is written to the 'CONNECT TO' log when the connection to the server-side SAProuter is established. The 'ESTABLISHED' log displays the recipient side of the SNC communication once the connection has been set up successfully.

Client Side

Thu Jun 14 17:13:22 2007 CONNECT FROM C9/ host 10.66.66.90/30888 (host1.company.corp)

Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE)

Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (-/SNC)

Thu Jun 14 17:19:12 2007 DISCONNECT C9/17 host 10.66.66.90/30888 (host1.company.corp)

Server Side

Thu Jun 14 17:13:22 2007 CONNECT FROM C9/- host 10.18.211.3/1150 (host2)

Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.66.66.91/3253 (binmain)

Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (SNC/-)

Thu Jun 14 17:19:12 2007 DISCONNECT C9/17 host 10.18.211.3/1150 (host2)

SNC Backwards Setup

The server-side SAProuter can also initiate SNC. This is what happens if the incoming connection from the client-side SAProuter does not use SNC (see above) but the server-side SAProuter requires it due to the relevant entries in the route permission table. In this scenario, the SNC handshake is triggered by the server-side SAProuter later on. This means that there is no SNC name in the 'CONNECT TO' entry in the log on the client side.

Client Side

Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1065 (host2)

Thu Jun 14 16:55:21 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3)

Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (-/SNC)

Thu Jun 14 16:56:42 2007 DISCONNECT S9/17 host 10.18.211.3/3299 (10.18.211.3)

Server Side

Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1066 (host2)

Thu Jun 14 16:55:21 2007 CONNECT TO S9/17 host 10.66.66.91/sapdp53 (host4.company.corp)

Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (SNC/-)

Thu Jun 14 16:56:42 2007 DISCONNECT S9/17 host 10.66.66.91/3253 (host4.company.corp)

More Information Route Connections

SNC - Secure Network Communication

SAProuter Error Messages

A SAProuter error message consists of eight or more lines, with a blank line inserted after one or two lines.

SAProuter error message

LOCATION SapRouter on myhost

ERROR partner not reached

TIME Wed Jul 23 15:24:42 2008

RELEASE 710

COMPONENT NI (network interface)

VERSION 39.2

RC -100

COUNTER 1

The first two lines are important. They indicate:

On which host the SAProuter concerned is running (in this example myhost)

To which application area the error belongs (here connection setup)

In this example, SAProuter cannot set up the connection to its partner. You are advised to check the connection again.

If there is no LOCATION entry, the error message refers to a local program.

The information after the blank line is particularly relevant for internal errors. If you cannot correct the error and therefore contact SAP, the detailed information may be helpful.

The most important error messages are:

Route permission denied: The connection is not permitted and will not be opened by the SAProuter. Check the route permission table and make changes, if necessary.

For more information, see: Checking the Route Permission Table

Maximum number of clients reached: SAProuter cannot open the connection because it has already opened the maximum number of connections. Change the maximum setting or start another SAProuter.

For more information, see: Setting Up More Connections

More Information Connection Setup Errors

Connection Terminations

Other Errors

Checking the Route Permission Table

One of the most common error messages is the following:

LOCATION SapRouter on myhost

ERROR Route Permission Denied

TIME .....

.... ....

A connection has not been set up because SAProuter does not allow the route concerned.

Procedure

Check the route permission table of this SAProuter (on host myhost) carefully and change it, if necessary.

You can find out which directory the running SAProuter and the route permission table are in with option -l / -L.

Remember that the first entry in the route permission table for which the source address, target address, and target port match is decisive.

You can import a modified route permission table with option -n (new saprouttab).
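An added example (not SAP code) of the first-match rule: the sketch below evaluates a route against a table from top to bottom and lists entries that can never be decisive because an earlier entry already covers them, which is one reason a later P or D entry appears to be ignored. The table is constructed; the entry layout <P|S|D> <source> <target> <service>, the # comment marker, and the restriction to the bare * wildcard are assumptions of this example.

```python
# Constructed route permission table with hypothetical hosts.
# Assumed entry layout: <P|S|D> <source-host> <dest-host> <dest-serv> [password]
SAMPLE_TABLE = """\
# constructed example
P  *            host1  3253
D  10.66.66.90  host1  *
P  10.66.66.90  host1  3254
D  *            *      *
"""


def parse_table(text):
    """Return (line_no, action, source, dest, service) for each P/S/D entry."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) >= 4 and fields[0] in ("P", "S", "D"):
            entries.append((line_no, *fields[:4]))
    return entries


def field_covers(pattern, value):
    # Simplification of this example: only "*" and exact matches are modelled.
    return pattern == "*" or pattern == value


def decide(entries, source, dest, service):
    """The first entry whose source, target and target port match is decisive."""
    wanted = (source, dest, str(service))
    for line_no, action, *pattern in entries:
        if all(field_covers(p, v) for p, v in zip(pattern, wanted)):
            return action, line_no
    return None, None   # no entry matched


def shadowed(entries):
    """Entries that can never be decisive because an earlier entry covers them.

    Returns (line_no, covering_line_no, action_differs) tuples.
    """
    hits = []
    for i, (line_no, action, *pattern) in enumerate(entries):
        for prev_no, prev_action, *prev_pattern in entries[:i]:
            if all(field_covers(p, v) for p, v in zip(prev_pattern, pattern)):
                hits.append((line_no, prev_no, action != prev_action))
                break
    return hits


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for route in [("10.66.66.90", "host1", 3253), ("10.66.66.90", "host1", 3254)]:
        print(route, "->", decide(table, *route))
    for line_no, by, differs in shadowed(table):
        note = "with a different action" if differs else "with the same action"
        print(f"line {line_no} is never reached: covered by line {by} {note}")
```

When a route is denied unexpectedly, the line number returned by decide() is the entry to inspect first; entries reported by shadowed() have to be moved above the entry that covers them before they can take effect.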

More Information Route Permission Table

Option -l / -L

Option -n (new saprouttab)

Setting Up More Connections

SAProuter does not accept a connection and outputs the following error message:

LOCATION SapRouter on myhost

ERROR maximum number of clients reached

TIME .....

.... ....

This means that SAProuter cannot accept any further clients because the maximum number has been reached (default 800). However, SAProuter continues running with all other clients.

Procedure

To avoid restarting SAProuter (and thereby ending all existing connections), perform a soft shutdown of the SAProuter using Option -p. SAProuter then continues running on a different port. SAProuter can then be started on the old port, possibly with a larger number of clients. It will then accept clients again.

If you would like to automate this procedure, you can start SAProuter using Option -Y <n>. A new SAProuter is started automatically every time the client table becomes full.

More Information Option -p (Soft Shutdown)

Option -C <clients>

Option -Y <n>

Connection Setup Errors

The following errors can occur during the connection setup:

Connect fails because the server is not running

TCP/IP connect takes too long (longer than the timeout -W value)

Route setup takes too long (longer than the timeout -W value)

No route permission for the connection

Error on the subsequent host

These errors are described below with possible solutions.

Connect fails (server not running)

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:18:22 2007 CONNECT FROM C9/- host 10.66.66.90/35169 (host2.company.corp)

Thu Jun 14 13:18:22 2007 CONNECT TO S9/17 host 10.66.66.91/3299 (host1)

Thu Jun 14 13:18:22 2007 CONNECT ERR S9/17 connection refused

Thu Jun 14 13:18:22 2007 DISCONNECT S9/17 host 10.66.66.91/3299 (host1)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'ld8060'

3. * ERROR partner '10.66.66.91:3299' not reached

4. *

5. * TIME Thu Jun 14 13:18:22 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -92

10. * MODULE nixxi.cpp

11. * LINE 3068

12. * DETAIL NiPConnect2: 10.66.66.91:3299

13. * SYSTEM CALL connect

14. * ERRNO 111

15. * ERRNO TEXT Connection refused

16. * COUNTER 4

17. ***********************************************************************

Background and Further Analysis

On the server side, there is no program running that listens to the IP address 10.66.66.91 and port 3299 (LISTEN). Check that the host name/IP address and server name/port number are correct. If they are correct, the right server is being reached but it appears that the program to which the connection should be established is not running. Check that the SAProuter and the system or corresponding program on the server is running and is using the correct port (OS command netstat -an).

TCP/IP connect takes too long (longer than the timeout -W value)

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:22:01 2007 CONNECT FROM C10/- host 10.66.66.90/41060 (host2.company.corp)

Thu Jun 14 13:22:01 2007 CONNECT TO S10/18 host 1.1.1.1/3299 (1.1.1.1)

Thu Jun 14 13:22:06 2007 CONNECT ERR S10/18 could not establish connection within 5s

Thu Jun 14 13:22:06 2007 DISCONNECT S10/18 host 1.1.1.1/3299 (1.1.1.1)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'ld8060'

3. * ERROR connection to 1.1.1.1:3299 timed out

4. *

5. * TIME Thu Jun 14 13:22:06 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -5

10. * MODULE nirout.cpp

11. * LINE 6548

12. * DETAIL RTPENDLIST::timeoutPend: could not establish connection within

13. * 5s (ROUTED)

14. * COUNTER 6

15. ***********************************************************************

Background and Further Analysis

In this example, the TCP/IP connection from the SAProuter to the next node (the next SAProuter, a system, or another network component) could not be established within a specified timeout period. This error can occur if the server host is down or the IP address of the host cannot be reached. It can also be due to the network failing to establish the TCP/IP connection within 5 seconds (the timeout value defined in option -W). You might be able to solve this problem by using a greater value for option -W.

For more information, see: Expert Options in SAProuter Options.

Route setup takes too long

The SAProuter is able to connect to the next host using TCP/IP, but the next host takes too long to establish the route to the destination. It receives no NI_PONG (confirmation that the route has been established) within the -W timeout period.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:34:19 2007 CONNECT FROM C15/- host 10.66.66.90/41070 (host2.company.corp)

Thu Jun 14 13:34:19 2007 CONNECT TO S15/23 host 10.21.72.60/3299 (host3)

Thu Jun 14 13:34:24 2007 CONNECT ERR S15/23 no route completion within 5s; check SAProuter on 'host3'

Thu Jun 14 13:34:24 2007 DISCONNECT S15/23 host 10.21.72.60/3299 (host3)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'ld8060'

3. * ERROR connection to host3:3299 timed out

4. *

5. * TIME Thu Jun 14 13:34:24 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -5

10. * MODULE nirout.cpp

11. * LINE 6537

12. * DETAIL RTPENDLIST::timeoutPend: no route completion within 5s

13. * (ROUTED)

14. * COUNTER 17

15. ***********************************************************************

Background and Further Analysis

Find out why the subsequent SAProuter was unable to establish the connection within 5 seconds (in this example). It might be due to slow name resolution, for example. The log and trace files should provide further information on this. In the case of connections using multiple SAProuters in a WAN environment, increase option -W. If multiple SAProuters are involved in setting up a connection and the network response times are relatively high, the default value of 5 seconds is not sufficient to enable the connection to the target system to be established.

For more information, see: Expert Options in SAProuter Options.

No route permission for the connection

The SAProuter rejects the connection because the route permission table does not allow it.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 14:18:20 2007 CONNECT FROM C10/- host 10.66.66.90/63669 (host2.company.corp)

Thu Jun 14 14:18:20 2007 PERM DENIED C10/- host 10.66.66.90 (host2.company.corp) to host1/3254

Thu Jun 14 14:18:20 2007 DISCONNECT C10/- host 10.66.66.90/63669 (host2.company.corp)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

****************

2. * LOCATION SAProuter 39.1 (SP3) on 'ld8060'

3. * ERROR ld8060: route permission denied (host2.company.corp to

4. * host1, 3254)

5. *

6. * TIME Thu Jun 14 14:18:20 2007

7. * RELEASE 710

8. * COMPONENT NI (network interface)

9. * VERSION 39

10. * RC -94

11. * COUNTER 5

12. ***********************************************************************

Background and Further Analysis

Checking the Route Permission Table

Error on the subsequent host

This error does not occur on the local SAProuter. Instead, it occurs on a subsequent host. Messages of the following type appear in the log of the local SAProuter:

SAProuter Log File

Thu Jun 14 14:42:53 2007 CONNECT FROM C10/- host 10.66.66.90/30005 (host2.company.corp)

Thu Jun 14 14:42:53 2007 CONNECT TO S10/18 host 10.21.72.60/3299 (host3)

Thu Jun 14 14:42:54 2007 CONNECT ERR S10/18 NIEROUT_INTERN on 'SAProuter 37.15 on hs0126'

Thu Jun 14 14:42:54 2007 DISCONNECT S10/18 host 10.21.72.60/3299 (host3)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

**************** LOCATION SAProuter 37.15 on hs0126

2. * ERROR partner not reached (host 10.66.66.91, service 3298)

3. *

4. * TIME Thu Jun 14 14:42:54 2007

5. * RELEASE 640

6. * COMPONENT NI (network interface)

7. * VERSION 37

8. * RC -93

9. * MODULE nixxi.cpp

10. * LINE 8724

11. * DETAIL NiPConnect2

12. * SYSTEM CALL SiPeekPendConn

13. * ERRNO 239

14. * ERRNO TEXT Connection refused

15. * COUNTER 5

16. ***********************************************************************

Or

SAProuter Log File

Thu Jun 14 14:40:28 2007 CONNECT FROM C9/- host 10.66.66.90/24016 (host2.company.corp)

Thu Jun 14 14:40:28 2007 CONNECT TO S9/17 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

Thu Jun 14 14:40:28 2007 CONNECT ERR S9/17 NIEROUT_PERM_DENIED on 'SAProuter 39.0 on 'host3'', *** NATIVE ROUTING ***

Thu Jun 14 14:40:28 2007 DISCONNECT S9/17 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.0 on 'host3'

3. * ERROR host3: route permission denied (host2.company.corp to

4. * host1, 3253)

5. *

6. * TIME Thu Jun 14 14:40:28 2007

7. * RELEASE 710

8. * COMPONENT NI (network interface)

9. * VERSION 39

10. * RC -93

11. * COUNTER 3

12. **********************************************************************

Background and Further Analysis

Check the log and trace files on the SAProuter where the error occurred if the information already provided is not sufficient. The SAProuter error message that is normally displayed on the client contains information on the error. The LOCATION line tells you the location of the error.

More Information Connection Terminations

Other Errors

SAProuter Options

Connection Terminations

Connection terminations can be triggered from both the client side and the server side.

Connection Terminations from the Server Side

The following entries appear in the log file when a connection termination is triggered from the server side (if the local SAProuter is the client).

SAProuter Log File

Thu Jun 14 16:08:47 2007 CONNECT FROM C18/- host 10.66.66.90/24761 (host2.company.corp)

Thu Jun 14 16:08:47 2007 CONNECT TO S18/10 host 10.21.83.41/3299 (host2)

Thu Jun 14 16:08:47 2007 ESTABLISHED S18/10

Thu Jun 14 16:08:58 2007 DISCONNECT S18/10 host 10.21.83.41/3299 (host2)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

**************** LOCATION SAProuter 39.0 on 'host2'

2. * ERROR connection to partner '10.21.72.60:3298' broken

3. *

4. * TIME Thu Jun 14 16:08:58 2007

5. * RELEASE 710

6. * COMPONENT NI (network interface)

7. * VERSION 39

8. * RC -95

9. * MODULE nixxi.cpp

10. * LINE 4660

11. * DETAIL NiIRead: P=10.21.72.60:3298; L=???

12. * SYSTEM CALL recv

13. * ERRNO 232

14. * ERRNO TEXT Connection reset by peer

15. * COUNTER 17

16. ***********************************************************************

Or

SAProuter Log File

Thu Jun 14 16:09:50 2007 CONNECT FROM C19/- host 10.66.66.90/24847 (host2.company.corp)

Thu Jun 14 16:09:50 2007 CONNECT TO S19/11 host 10.21.72.60/3298 (ldp007)

Thu Jun 14 16:09:50 2007 ESTABLISHED S19/11

Thu Jun 14 16:10:02 2007 DISCONNECT S19/11 host 10.21.72.60/3298 (ldp007) RST

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host1'

3. * ERROR connection to partner '10.21.72.60:3298' broken

4. *

5. * TIME Thu Jun 14 16:10:02 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -95

10. * MODULE nixxi.cpp

11. * LINE 4660

12. * DETAIL NiIRead: P=10.21.72.60:3298; L=10.66.66.90:24848

13. * SYSTEM CALL recv

14. * ERRNO 104

15. * ERRNO TEXT Connection reset by peer

16. * COUNTER 10

17. ***********************************************************************

Connection Terminations from the Client Side

The following entries appear in the log file when a connection termination is triggered from the client side (if the local SAProuter is the server).

Thu Jun 14 16:13:20 2007 CONNECT FROM C20/- host 10.66.66.90/24849 (host2.company.corp)

Thu Jun 14 16:13:20 2007 CONNECT TO S20/12 host 10.21.83.41/3299 (host2)

Thu Jun 14 16:13:20 2007 ESTABLISHED S20/12

Thu Jun 14 16:13:43 2007 DISCONNECT C20/12 host 10.66.66.90/24849 (host2.company.corp) RST

There is no error message with errInfo because the error is on the client side.

Background and Further Analysis

The DISCONNECT entry in the log file tells you the side where the connection termination was triggered. You can use this information to find the node/program that first closed the connection. The trace file for this program contains more information on the cause of the connection termination.

In some cases, the connection between the two programs can be terminated without either side triggering the termination. For example, this is the case if two SAProuters with a direct TCP/IP connection both record that the other side triggered the connection termination. This means that an active network component between the two programs terminated the TCP/IP connection. The network component concerned is often a firewall or a router with an idle timeout. If this occurs, check the network.

The DISCONNECT log entry also tells you whether or not the connection was closed in a TCP/IP-compliant manner. 'RST' at the end of the line indicates an RST packet or a retransmit timeout. This means that the other side or an active network component between the two sides of the TCP/IP connection ended the connection incorrectly. This can be caused by the program crashing, the connection being closed too early at application level, or a firewall.
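The following Python sketch is an added example, not SAP code: it applies the rules above to SAProuter log lines and reports, for each connection, which side triggered the DISCONNECT, whether the line ended with RST, and whether the ESTABLISHED entry carried an SNC marker. The sample log is assembled from excerpts in this document; the function and field names are assumptions of this example.

```python
import re
from collections import Counter

# Sample assembled from the log excerpts in this document (constructed input).
SAMPLE_LOG = """\
Thu Jun 14 14:18:20 2007 CONNECT FROM C10/- host 10.66.66.90/63669 (host2.company.corp)
Thu Jun 14 14:18:20 2007 PERM DENIED C10/- host 10.66.66.90 (host2.company.corp) to host1/3254
Thu Jun 14 14:18:20 2007 DISCONNECT C10/- host 10.66.66.90/63669 (host2.company.corp)
Thu Jun 14 16:09:50 2007 CONNECT FROM C19/- host 10.66.66.90/24847 (host2.company.corp)
Thu Jun 14 16:09:50 2007 CONNECT TO S19/11 host 10.21.72.60/3298 (ldp007)
Thu Jun 14 16:09:50 2007 ESTABLISHED S19/11
Thu Jun 14 16:10:02 2007 DISCONNECT S19/11 host 10.21.72.60/3298 (ldp007) RST
Thu Jun 14 16:13:20 2007 CONNECT FROM C20/- host 10.66.66.90/24849 (host2.company.corp)
Thu Jun 14 16:13:20 2007 CONNECT TO S20/12 host 10.21.83.41/3299 (host2)
Thu Jun 14 16:13:20 2007 ESTABLISHED S20/12
Thu Jun 14 16:13:43 2007 DISCONNECT C20/12 host 10.66.66.90/24849 (host2.company.corp) RST
Thu Jun 14 17:13:22 2007 CONNECT FROM C9/ host 10.66.66.90/30888 (host1.company.corp)
Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE)
Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (-/SNC)
Thu Jun 14 17:19:12 2007 DISCONNECT C9/17 host 10.66.66.90/30888 (host1.company.corp)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<event>CONNECT FROM|CONNECT TO|CONNECT ERR|ESTABLISHED|DISCONNECT|"
    r"PERM DENIED|INVAL DATA) "
    r"(?P<side>[CS])(?P<slot>\d+)/(?P<peer>\S*)\s*(?P<rest>.*)$"
)
HOST_RE = re.compile(r"host (?P<addr>[^\s/]+)(?:/(?P<port>\S+))?")
SNC_MARK_RE = re.compile(r"\(((?:-|SNC)/(?:-|SNC))\)")  # e.g. (-/SNC), (SNC/-)
SNC_NAME_RE = re.compile(r"\((p:[^)]*)\)")              # SNC name on CONNECT TO
RST_RE = re.compile(r"\)\s+RST\b")                      # RST flag after the host name


def triage(log_text):
    """Group log lines into connections and label how each one ended."""
    open_conns, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or unrecognised line
        slot, event, rest = m["slot"], m["event"], m["rest"]
        if event == "CONNECT FROM":       # a new connection starts in this slot
            host = HOST_RE.search(rest)
            open_conns[slot] = {
                "slot": slot, "start": m["ts"],
                "client": host["addr"] if host else None,
                "target": None, "snc": None, "snc_name": None,
                "established": False, "errors": [], "outcome": "open",
            }
            continue
        conn = open_conns.get(slot)
        if conn is None:
            continue                      # connection start is not in this excerpt
        if event == "CONNECT TO":
            host = HOST_RE.search(rest)
            if host:
                conn["target"] = f"{host['addr']}:{host['port']}"
            name = SNC_NAME_RE.search(rest)
            conn["snc_name"] = name.group(1) if name else None
        elif event == "ESTABLISHED":
            conn["established"] = True
            mark = SNC_MARK_RE.search(rest)
            conn["snc"] = mark.group(1) if mark else None
        elif event == "PERM DENIED":
            target = rest.rsplit(" to ", 1)[-1]
            conn["errors"].append("route permission denied to " + target)
        elif event in ("CONNECT ERR", "INVAL DATA"):
            conn["errors"].append(rest)
        elif event == "DISCONNECT":
            # The C/S prefix of the DISCONNECT entry names the triggering side.
            side = "client" if m["side"] == "C" else "server"
            if conn["errors"]:
                conn["outcome"] = "failed: " + conn["errors"][0]
            elif conn["established"]:
                rst = " (RST)" if RST_RE.search(rest) else ""
                conn["outcome"] = f"closed by {side} side{rst}"
            else:
                conn["outcome"] = "closed before route completion"
            finished.append(open_conns.pop(slot))
    return finished


def summarize(conns):
    """Counts an operator would review: outcomes, non-SNC sessions, denied sources."""
    denied = "failed: route permission denied"
    return {
        "outcomes": Counter(c["outcome"] for c in conns),
        "established_without_snc": [c["slot"] for c in conns
                                    if c["established"] and not c["snc"]],
        "denied_sources": Counter(c["client"] for c in conns
                                  if c["outcome"].startswith(denied)),
    }


if __name__ == "__main__":
    for c in triage(SAMPLE_LOG):
        print(c["start"], c["client"], "->", c["target"], "|", c["outcome"], "| SNC:", c["snc"])
    print(summarize(SAMPLE_LOG and triage(SAMPLE_LOG)))
```

Run against the logs of two directly connected SAProuters, connections that each side attributes to the other point to a network component in between, as described above.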

Procedure Connection Setup Errors

Other Errors

Other Errors

The following errors occur only rarely. The descriptions below aim to help you to analyze and eliminate these errors.

The SAProuter receives incorrect data. This can happen if the route is too short or if the system overlooks the fact that the connection is to a SAProuter rather than a backend connection.

The SAProuter receives the route information too late (TCP/IP connection setup was successful).

The SAProuter is the client and it receives an incorrect response from the server.

The SAProuter is the server and it receives the data from the client too early.

SNC not active for a forwards connection

SNC not active for a backwards connection

Incorrect data sent to the SAProuter

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 09:55:36 2007 CONNECT FROM C10/- host 10.66.66.90/34506 (host1.company.corp)

Thu Jun 14 09:55:36 2007 INVAL DATA C10/- route expected

Thu Jun 14 09:55:36 2007 DISCONNECT C10/- host 10.66.66.90/34506 (host1.company.corp)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host1'

3. * ERROR internal error

4. *

5. * TIME Thu Jun 14 09:55:36 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -93

10. * MODULE nirout.cpp

11. * LINE 2664

12. * DETAIL NiRClientHandle: route expected

13. * COUNTER 4

14. ***********************************************************************

Background and Further Analysis

The client program sends incorrect data to the SAProuter. This is usually the case if the client assumes that it is already communicating with the target system but the connection was actually established to an SAProuter that has to wait for a route first. Check the parameters for the connection setup on the client.

Route sent too late

The connection setup (connect) was successful but the client sends the route to the SAProuter too late, or the client assumes that it is already connected to the server and is waiting for data, or the timeout -W is exceeded.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 12:27:27 2007 CONNECT FROM C11/- host 10.66.66.90/35087 (host1.company.corp)

Thu Jun 14 12:27:32 2007 CONNECT ERR C11/- no route received within 5s

Thu Jun 14 12:27:32 2007 DISCONNECT C11/- host 10.66.66.90/35087 (host1.company.corp)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host1'

3. * ERROR connection timed out

4. *

5. * TIME Thu Jun 14 12:27:32 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -5

10. * MODULE nirout.cpp

11. * LINE 6519

12. * DETAIL RTPENDLIST::timeoutPend: no route received within 5s

13. * (CONNECTED)

14. * COUNTER 5

15. ***********************************************************************

Background and Further Analysis

This error can occur if the client does not send the route quickly enough after the TCP/IP connect to the SAProuter. This might be caused by the client hanging temporarily.

Incorrect response from the server

If a server-side program other than a SAProuter responds, or if the back end responds, the SAProuter cannot use the response. It needs another SAProuter as the server.

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp)

Thu Jun 14 13:59:43 2007 CONNECT TO S9/17 host 10.66.66.91/3253 (host2)

Thu Jun 14 13:59:43 2007 CONNECT ERR S9/17 invalid data form server during route completion

Thu Jun 14 13:59:43 2007 DISCONNECT S9/17 host 10.66.66.91/3253 (host2)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host1'

3. * ERROR internal error

4. *

5. * TIME Thu Jun 14 13:59:43 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -93

10. * MODULE nirout.cpp

11. * LINE 2694

12. * DETAIL NiRClientHandle: invalid data from server 'host2' during

13. * route completion

14. * COUNTER 3

15. ***********************************************************************

Background and Further Analysis

Check the parameters for the connection setup on the client.

Data received too early from the client

If the SAProuter, as the server, receives data from the client before the route is established, the following entries appear in the log file:

SAProuter Log File

Thu Jun 14 14:15:00 2007 CONNECT FROM C10/- host 10.66.66.90/52640 (host1.company.corp)

Thu Jun 14 14:15:00 2007 CONNECT TO S10/18 host 10.66.66.91/3253 (host2)

Thu Jun 14 14:15:00 2007 CONNECT ERR C10/18 invalid data form client during route completion

Thu Jun 14 14:15:00 2007 DISCONNECT C10/18 host 10.66.66.90/52640 (host1.company.corp)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host1'

3. * ERROR internal error

4. *

5. * TIME Thu Jun 14 14:15:00 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -93

10. * MODULE nirout.cpp

11. * LINE 2688

12. * DETAIL NiRClientHandle: invalid data from client

13. * 'host1.company.corp' during route completion

14. * COUNTER 5

15. ***********************************************************************

Background and Further Analysis

The client program is behaving incorrectly. Check for a more recent version of the client program.

Data received too early from the server

The log file contains the following entries:

SAProuter Log File

Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp)

Thu Jun 14 13:59:43 2007 CONNECT TO S9/17 host 10.66.66.91/3253 (host2)

Thu Jun 14 13:59:43 2007 CONNECT ERR S9/17 invalid data form server during route completion

Thu Jun 14 13:59:43 2007 DISCONNECT S9/17 host 10.66.66.91/3253 (host2)

The client issues the error message below.

SAProuter Error Message 1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host1'

3. * ERROR internal error

4. *

5. * TIME Thu Jun 14 13:59:43 2007

6. * RELEASE 710

7. * COMPONENT NI (network interface)

8. * VERSION 39

9. * RC -93

10. * MODULE nirout.cpp

11. * LINE 2694

12. * DETAIL NiRClientHandle: invalid data from server 'host2' during

13. * route completion

14. * COUNTER 3

15. ***********************************************************************

Background and Further Analysis

Check the version of the SAProuter on the server side and update the program if necessary.

SNC not active for a forwards connection

The log file contains the following entries:

Client Side

Thu Jun 14 17:16:40 2007 CONNECT FROM C18/ host 10.66.66.90/30891 (host1.company.corp)

Thu Jun 14 17:16:40 2007 CONNECT TO S18/10 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE)

Thu Jun 14 17:16:40 2007 CONNECT ERR S18/10 forwarding route failed NIESNC_FAILURE

Thu Jun 14 17:16:40 2007 DISCONNECT C18/10 host 10.66.66.90/30891 (host1.company.corp)

Server Side

Thu Jun 14 17:16:40 2007 CONNECT FROM C9/- host 10.18.211.3/1168 (host3.wdf.sap.corp)

Thu Jun 14 17:16:40 2007 DISCONNECT C9/- host 10.18.211.3/1168 (host3.wdf.sap.corp)

SAProuter Error Message on Client Side

1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host3'

3. * ERROR SNC processing failed:

4. * SNC not enabled

5. *

6. * TIME Thu Jun 14 17:16:40 2007

7. * RELEASE 710

8. * COMPONENT NI (network interface)

9. * VERSION 39

10. * RC -104

11. * MODULE nisnc.c

12. * LINE 566

13. * DETAIL NiSncOpcode: NISNC_REQ

14. * COUNTER 2

15. ***********************************************************************

Background and Further Analysis

The SAProuter on the server side has not activated SNC. Restart the SAProuter on the server side with the option -K mysncname.

SNC not active for a backwards connection

The log file contains the following entries:

Client Side

Thu Jun 14 17:08:19 2007 CONNECT FROM C9/ host 10.66.66.90/30883 (host1.company.corp)

Thu Jun 14 17:08:19 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3)

Thu Jun 14 17:08:19 2007 CONNECT ERR S9/17 NIESNC_FAILURE on 'SAProuter 39.1 (SP3) on 'host3''

Thu Jun 14 17:08:19 2007 DISCONNECT S9/17 host 10.18.211.3/3299 (10.18.211.3)

Server Side

Thu Jun 14 17:08:19 2007 CONNECT FROM C12/- host 10.18.211.3/1119 (host3.wdf.sap.corp)

Thu Jun 14 17:08:19 2007 CONNECT TO S12/20 host 10.66.66.91/3253 (host2)

Thu Jun 14 17:08:19 2007 CONNECT ERR C12/20 NIECONN_BROKEN on 'SAProuter 39.1 (SP3) on 'host3''

Thu Jun 14 17:08:19 2007 DISCONNECT C12/20 host 10.18.211.3/1119 (host3.wdf.sap.corp)

SAProuter Error Message on Client Side

1. ********************************************************

***************

2. * LOCATION SAProuter 39.1 (SP3) on 'host3'

3. * ERROR SNC processing failed:

4. * SNC not enabled

5. *

6. * TIME Thu Jun 14 17:08:19 2007

7. * RELEASE 710

8. * COMPONENT NI (network interface)

9. * VERSION 39

10. * RC -104

11. * MODULE nisnc.c

12. * LINE 586

13. * DETAIL NiSncOpcode: NISNC_ACC

14. * COUNTER 4

15. ***********************************************************************

Background and Further Analysis

The SAProuter on the client side has not activated SNC. Restart the SAProuter on the client side with the option -K mysncname.

More Information SNC - Secure Network Communication

Option -K <mysncname>

SAP Notes for SAProuter

As a rule, always refer to the relevant SAP Notes if you experience problems with SAProuter. You will find these on the SAP Service Marketplace.

Note Number Content

0029684 STFK: Route Permission Denied

0062636 saprouter terminates on ending UNIX session

0063342 List: NI error codes

0164937 NiPBind: service 'sap????' in use

0104576 Package filter between ITS and R/3

0042692 Test tool for RFC connections: sapinfo

0066168 Required documents when analyzing RFC problems

0025917 Changes to /etc/hosts are not accepted

0147021 "Address already in use" due to TCP state

0037211 ftp not via SAProuter : "connection refused"

You can also search for SAP Notes under component BC-CST-NI to find current corrections in the SAProuter environment.

Reference

The reference section of the SAProuter documentation contains the following information:

A complete overview of the SAProuter options: For example, start options, options for the administration of a running SAProuter: SAProuter Options

Technical description of the implementation of SAProuter in the NI layer of the SAP kernel: NI and SAProuter Implementation

More Information What is SAProuter?

SAProuter Options

SAProuter provides a number of optional functions. They consist of a letter, which is specified when SAProuter is called (syntax: UNIX/Windows: saprouter -<option>, Syntax IBM i: saprouter -'<option>') or is sent to a running SAProuter. The following describes how they are used and the default values.

Features

There are administrative options (lowercase), additional options, and expert options (uppercase). The various options can be combined by specifying an administrative option and any number of other options.

Under IBM i options must be enclosed in inverted commas. For example, to stop the SAProuter, enter saprouter '-s'.

Administrative Options

Administrative options, except for the startup function, are sent to a running SAProuter. It then executes the appropriate function.

SAProuter is started with function saprouter -r (IBM i: saprouter '-r').

The following list gives you an overview of the administrative options:

Administrative Options

Option | Meaning
Option -s (stop saprouter) | Stop SAProuter
Option -n (new saprouttab) | Re-read in the route permission table
Option -t (toggle trace) | Changing the trace level
Option -c<n> (cancel connection n) | Terminate connection n
Option -l / -L | Display route information
Option -d (dump buffers) | Write detailed information from the internal buffers to the trace file
Option -f (flush buffers) | Reset internal buffers
Option -p | Carry out soft shutdown

For more information, see Starting SAProuter.

Additional Options

The additional options - with one exception - are indicated by uppercase letters. They can be combined with each other and with an administrative option, as long as this makes sense. Most additional options are used when the SAProuter is started. The ways in which the options can be combined are indicated in the sections in which they are described.

If an invalid combination of SAProuter options is specified, SAProuter behaves as if only saprouter was specified and displays the online help.

The additional options can also be omitted, as there are default values that are specified for each option.

The following options are available:

Additional Options

Option | Meaning | Default Value
Option -R <routtab> | File name and path of the route permission table | ./saprouttab (UNIX and IBM i); <lwk>:\usr\sap\saprouter\saprouttab (Windows)
Option -K <mysncname> | Use of SNC: SNC name of the host on which the SAProuter is running. | -
Option -G<logfile> | Name and path of the SAProuter log file | No log file
Option -J<size in bytes> | Size restriction for SAProuter log file | No size restriction
Option -T<tracefile> | Name and path of the SAProuter trace file | dev_rout in the directory of the SAProuter
Option -V<tracelev> | Trace level of the SAProuter | 1
Option -E | Update trace and log files instead of overwriting them | - (Trace and log files are overwritten when the SAProuter is restarted)
Option -S <service> | Service (port) on which the SAProuter runs | 3299
Option -C <clients> | Maximum number of clients that the SAProuter administrates. Note: This value cannot exceed 2048; 2 clients make a connection | 800
Option -D | Deactivate DNS reverse lookup | -
Option -6 (enable IPv6) | Activate IPv6 support |
Option -Z | Suppress exact error message while opening connection |
Option -I <address> | Establish external connection, if there are several network cards. | -
Option -Y <n> | n number of times an SAProuter automatically restarts if the client table is overfilled | SAProuter is not automatically restarted (case n=1)
Option -H <host name> [-P <password>] | Name of the host to which the SAProuter listens; password protection for route information (see Option -l / -L) | -
Option -M <min> <max> | A port area for outgoing connection | -

Expert Options

SAProuter has some expert options, which are described below.

Use these options only after consulting SAP or if you are very experienced in this area.

The following expert options are available:

Expert Options

Command | Function | Default
-B <bufsize> | Maximum queue length per client | 1 NI package
-Q <queuesize> | Maximum heap space for NI package | 20,000,000 bytes
-W <waittimeL> | Timeout for blocking network calls (if there is an error) | 5000 msec

Activities

Call SAProuter with the desired functions using the following commands:

UNIX/Windows: saprouter [-<adm>] [-<opt>]

IBM i: saprouter '[-<adm>] [-<opt>]'

If an invalid combination of SAProuter options is specified, SAProuter behaves as if only saprouter was specified and displays the online help.

Option -s (stop saprouter)

This function is used to stop a running SAProuter.

Integration

If the SAProuter to be stopped is not running on the default service 3299, the service has to be made known with option -S <service>.

This also applies to all successive administrative options that are sent to a SAProuter that is already running.

Commands saprouter -s -S 3299 and saprouter -s (IBM i: saprouter '-s -S 3299' and saprouter '-s') have the same effect.

Option -n (new saprouttab)

The saprouter -n command (IBM i: saprouter '-n') is used to report changes in the route permission table to the running SAProuter. It causes SAProuter to use the updated table, as named with option -R <routtab> (default saprouttab).


If you would like to enter, for example, other restrictions in the route permission table, you do not have to stop and restart SAProuter, but you can use this function.

The new route permission table does not affect connections which already exist! Even if the existing connection is not allowed according to the new table, it remains in place!

More Information Creating a Route Permission Table

Option -t (toggle trace)

This function is used to toggle the trace level of a running SAProuter. Trace levels 1, 2 and 3 exist. If the trace level was 1, it is now increased to 2, and if it was 2 or 3, it is decreased to 1.

You can also activate the trace for individual connections (see below).

Integration

When SAProuter is started, the trace level is selected with option -V<tracelev>.

Features

Connection Trace

You can also activate the trace for individual connections. For these connections the information is written with trace level 2.

The connection is traced using an enhanced syntax of option -t. You have the following options:

Command | Meaning
saprouter -t "on <id>" | <id> is the number of the connection. You can see this number when you display the connection information (saprouter -l). This command activates the trace for this (existing) connection. For more information, see: Option -l / -L
saprouter -t "off <id>" | Deactivates the trace for connection with number <id>.
saprouter -t "on <IPaddress>" | Activates the trace for all new connections coming from the IP address <IPaddress>. You use this option if the connection is not yet open and you are looking for the connection setup information.
saprouter -t "off <IPaddress>" | Deactivates the trace for all new connections coming from the IP address <IPaddress>.
saprouter -t "on <subnet>" | <subnet> specifies a set of IP addresses. The command activates the trace for all new connections coming from this subnetwork.
saprouter -t "off <subnet>" | Deactivates the trace for all new connections coming from this subnetwork.

Trace ID in the Connection Overview

Connections for which the trace is activated are marked with an asterisk in the connection overview (to display the overview enter command saprouter -l).

You can find the trace information in the trace file dev_rout.

Example

You activate the trace for connection number 4 by sending the command saprouter -t "on 4" to the active SAProuter.

Then you call saprouter -l to display the connections. You get the following output:

    SAP Network Interface Router running on port 3299 (PID = 1576962)
    Started on: Wed Apr 13 09:00:10 2005

    ID   CLIENT                   | PARTNER            service
    ------------------------------+-------------------------------
     7   localhost                | (no partner)
     6   10.18.203.8              | 10.17.74.118       3227
     4  *10.18.203.8              | 10.17.74.118       3227
     2   10.18.203.8              | 10.17.74.118       3227

    Total no. of clients: 7
    Working directory   : /usr/sap/PRD/work
    Routtab             : ./saprouttab

The * marks the activated trace for connection 4.

More Information Option -l / -L


Option -c<n> (cancel connection n)

Internally, each connection using SAProuter has a number, which can be seen with option -l / -L . This function can be used to close a connection.

The saprouter -c 2 command (IBM i: saprouter '-c 2') closes the connection with the (internal) number 2.

Option -l / -L

With function saprouter -l (IBM i: saprouter '-l') you trigger the SAProuter to display route information on the screen; with saprouter -L (IBM i: saprouter '-L') you get more detailed information.

The information contains the following:

A table with the connection number, client, partner, and service for each existing connection. Connections for which the connection trace is activated are marked with an asterisk (*).

For more information, see Option -t (toggle trace)

The total number of clients, the working directory in which SAProuter is running, and the path of the route permission table

The PID and the port of the parent, if the SAProuter was started by another SAProuter process (For more information, see Starting the SAProuter and Option -Y <n>.)

If you want to display the SAProuter information from a remote host, use option -H <hostname> [-P <password>].

Route Details for Several SAProuters

If you are running several SAProuter processes, and you want to display the route details of a SAProuter other than the last one started, use Option -S <service> and specify the port. You can find out the port of the SAProuter preceding the current one by using the option -l (see above).

Example

If you specify saprouter -l, the output may look like:

    Wed Apr 11 09:01:57 2007
    SAP Network Interface Router, Version 38.0

    Wed Apr 11 09:01:58 2007
    peer SAProuter with NI version 38 ...
    send info-request to running SAProuter ...

    SAP Network Interface Router running on port 3299 (PID = 1576962)
    Started on: Wed Apr 13 09:00:10 2005

    ID   CLIENT                     | PARTNER            service
    --------------------------------+------------------------------------
     7   localhost                  | (no partner)
     6   10.18.203.8                | 10.17.74.118       3227
     4  *10.18.203.8                | 10.17.74.118       3227
     2   10.18.203.8                | 10.17.74.118       3227

    Total no. of clients: 7
    Working directory   : /net/usr.scratch/d039768/mm/rs6000_64
    Routtab             : ./saprouttab

Option -d (dump buffers)

If this function is used, detailed information on the host names involved in the connection and their IP addresses is written to the trace file (default dev_rout, or the name specified with option -T<tracefile>). The trace file is not overwritten; the information is simply appended at the end.

Option -f (flush buffers)

This function can be used to empty the internal buffer (which is written to the trace file with option -d (dump buffers)).


Option -p (Soft Shutdown)

This option can be used to perform a soft shutdown of an SAProuter. SAProuter continues running on another port and can be administrated on this port, but does not accept any logon requests, and terminates automatically when no more clients are connected.

The port on which SAProuter was running before (default 3299) is now free. This is useful in the following cases:

You want to start a new SAProuter without closing all existing connections.

More connections are required than one SAProuter alone can handle (max. 1018).

If you enter the command saprouter -p, information is displayed telling you on which port SAProuter can now be administered, and the host on which SAProuter is running.

The standard port on which SAProuter is running is port 65000. If it is already assigned or if a port range was already defined for the SAProuter with option -M <min>.<max>, a different port is selected.

You can start the SAProuter using the Option -r -Y <n>. This has the effect that the existing SAProuter is automatically moved to another port and a new SAProuter is started. The new SAProuter then accepts incoming connections on this port.

Option -R <routtab>

Option saprouter -R <path> (IBM i: saprouter '-R <path>') specifies the file containing the route permission table. If nothing is specified, SAProuter searches for the file

./saprouttab (UNIX and IBM i)

<lwk>:\usr\sap\saprouter\saprouttab (Windows)

Caution

The route permission table is essential for SAProuter. If it is not found, SAProuter terminates with an appropriate message.

If you want to permit all connections, you must specify the following single-line route permission table:

P * * *


More Information Creating a Route Permission Table


Option -K <mysncname>

For SNC connections to be possible with SAProuter, SAProuter must be started with this option:

saprouter -r -K <mysncname> (IBM i: saprouter '-r -K <mysncname>').

There must also be a KT entry in the Route Permission Table specifying that connections with a certain host (whose SNC name is known) should be SNC connections. <mysncname> is the SNC name of the host on which the SAProuter is running.

More Information SNC - Secure Network Communication

Example of a Route Permission Table with SNC

Option -G<logfile>

If you want to use Logging in the SAProuter, you can start your SAProuter with this option and specify a log file.

UNIX/Windows: saprouter -r -G <logfile>

IBM i: saprouter '-r -G <logfile>'

<logfile> is the name (relative path name) you specify for the log file. All important activities, such as starting the connection and runtime operations, are logged in this file:

Connection from (client name/address)

Connection to (partner name/address)

Partner service

Start time

End time

Connection requests rejected after checking the route permission table.

You can restrict the size of the log file in Option -J<size in bytes>.

If the SAProuter can no longer write to the log file, because for instance the hard drive is full, for security reasons it switches to soft shutdown mode (it does not accept any new connections, see Option -p (Soft Shutdown)).

If this option is not used, a log file is not created.

Example

In section Logging in SAProuter you can find an example of a log file.

Option -J<size in bytes>

This option enables you to restrict the size of the log file and archive the resulting files.

If you do not use this option, the log file can become as large as is necessary.

Prerequisites

You are using a log file (see Option -G<logfile>).

Features

If you use this option, once the log file reaches the defined size, it is renamed to

<logfile name>_a_<start date>_<start time>-<end date>_<end time>.

Option -T<tracefile>

A trace file is used to search for and correct errors. It logs what SAProuter does (the higher the trace level, the more detailed is the information). From this, you can see in which function an error occurred, why a connection was not established, etc.

When you start SAProuter, you can specify a trace file:

UNIX/Windows: saprouter -r -T <tracefile>

IBM i: saprouter '-r -T <tracefile>'

There is always a trace file. If the option is not used, the trace file dev_rout is used. It resides in the working directory of the SAProuter.

More Information Option -V<tracelev>

Option -V<tracelev>

This option is used to set the trace level when SAProuter is started.

UNIX/Windows: saprouter -r -V3

IBM i: saprouter '-r -V3'

for example, starts SAProuter with trace level 3.

The trace level specifies how detailed the information should be in the trace file: 1 means hardly any information, 3 very detailed information. The name of the trace file can be set with option -T<tracefile> .

You can change the trace level while SAProuter is running with option -t (toggle trace).

Possible values are 1, 2, and 3. The default value is 1.

Option -E

This option is used to prevent old trace files and log files from being overwritten when the SAProuter is restarted.

If you start the SAProuter with option -E (saprouter -r -E), the SAProuter updates all existing log and trace files.

Option -S <service>

The option -S <service> is used to specify the service (port) on which SAProuter runs (default 3299). SAProuter can, for example, be started on any other service:

saprouter -r -S 4444 (IBM i: saprouter '-r -S 4444') starts SAProuter on the local host on service 4444.

If you then want to administer this SAProuter, the service obviously has to be specified.

Option -C <clients>

You can use this function to set the maximum number of clients. The default setting is 800, the maximum value is 2039.

Note that two clients correspond to one connection; that is, a maximum of 400 connections is preset and a maximum of 1019 connections is possible.

If you want to run 1000 connections with your SAProuter, start SAProuter as follows:

UNIX/Windows: saprouter -r -C 2000

IBM i: saprouter '-r -C 2000'

If you would like to have more connections than the maximum (1019), you can "move" SAProuter to another port with option -p and start a new SAProuter on this port.

These limitations are obviously only valid if smaller values for the number of connections have not been set in the operating system. Therefore you must take the operating system parameters into consideration.

As of SAProuter version 37, significantly higher values are possible, up to 16000 (with the exception of IBM i). But note that only one thread or process is involved. For this reason having more than about 1000/1500 clients is not at all practical. With many connections you can work better with Option -Y <n>, which distributes the connections across several processes.

Option -D

With this option, SAProuter does not resolve the IP addresses of incoming connections to host names (DNS reverse lookup is deactivated).

This can result in better performance for SAProuters, with which connections from many different clients are established. However, if this option is used, only the IP addresses are visible in the log (client-side).


Option -6 (enable IPv6)

With this option you can activate the Internet Protocol version 6 (IPv6) for the SAProuter. The SAProuter can then open and manage both IPv4 and IPv6 connections.

Prerequisites

You have at least SAProuter version 38.0.

The section Installing SAProuter describes where you can find the latest SAProuter.

Option -Z

With this option you can specify that any errors occurring while opening the connection are not reported in detail to the client. The same error text is then always returned to the caller regardless of the error (connection could not be opened, route is not permitted, host name could not be resolved, and so on).

The client receives the following error text that the connection could not be established:

    **********************************************************************
    * LOCATION SAProuter
    * ERROR route could not be established
    *
    * TIME Tue Sep 5 15:38:57 2006
    * RELEASE 0
    * COMPONENT NI (network interface)
    * RC -92
    **********************************************************************

Prerequisites

You have at least SAProuter version 38.0.

The section Installing SAProuter describes where you can find the latest SAProuter.

Option -I <address>


If a computer has several network interfaces, you can use this option to determine which interface is used to establish external connections. For example, this can be useful for firewalls between two networks. In this way you can specify that the connection is established in one specific network only.

The specified address must be a local interface.

Option -Y <n>

You can use this function to force the SAProuter to automatically start a new SAProuter if the client table is full when the SAProuter is started. This allows you to circumvent the limit of 1000 clients.

saprouter -r -Y <n>

The number n specifies the maximum number of times a new SAProuter can be started.

Value of n | Meaning
0 | A new SAProuter is started every time the client table becomes full.
1 | SAProuter never starts automatically.
n > 1 | SAProuter is started a maximum of n times when the client table becomes full. You can use this value to control the number of SAProuter restarts.

Integration

If you use Option -l / -L to display information on the running SAProuter, you are given information about whether the SAProuter was started by another SAProuter and, if so, which SAProuter process started it.

Prerequisites

You have not yet started the SAProuter. You cannot send this option to a running SAProuter. You can only specify it before the SAProuter starts.

Example

If you want to run a high number of connections via the SAProuter (more than 1000), you can use the following option to start the SAProuter:

saprouter -r -Y 0 -C 2000

If this option is set, a new SAProuter is automatically started if the client table becomes full. New connections then use this new SAProuter.

Option -H <host name> [-P <password>]


With this option you can specify the host name and password. The option can be specified when the SAProuter is started, or sent to a running SAProuter. The two procedures are described below.

At Startup

You can define the option when you start SAProuter:

saprouter -r -H <host name> (IBM i: saprouter '-r -H <host name>').

This causes SAProuter to "listen" to the IP address of host <hostname>.

If nothing else is defined with option -S, SAProuter uses the default port 3299. If SAProuter is started without option -H, it listens to all the IP addresses belonging to this host. <hostname> can also be an IP address.

Host myhost has two IP addresses: a1 and a2.

Call saprouter -r (IBM i: saprouter '-r') causes SAProuter to listen to a1/3299 and a2/3299. The call to saprouter -r -H a2 (IBM i: saprouter '-r -H a2') causes SAProuter to listen only to a2/3299.

If you started SAProuter with option -H <host name>, of course you also have to define the host name for administration. For example, if you want to use a new route permission table, you must enter saprouter -n -H <host name> (IBM i: saprouter '-n -H <host name>').

When SAProuter is Running

You can use this option in a running SAProuter to get SAProuter information (displayed with option -l / -L) from a remote host. A password may be required, which is then entered with option -P <password> (IBM i: Option '-P <password>'). SAProuter then checks its route permission table to determine whether the route is allowed with this password, and if it is, it displays the information.

SAProuter is running on host_sr, port 3299 (default). You would like to display the SAProuter information (list of all SAProuter clients, for example) from the host myhost.

Enter command saprouter -l -H host_sr -P pass (IBM i: saprouter '-l -H host_sr -P pass').

SAProuter checks whether its route permission table contains the entry

P myhost host_sr 3299 pass

If it does, the SAProuter information is displayed on your host myhost.

Integration

If the SAProuter is running on a port other than the default port 3299, you can specify this in the command line with option -S <service>.

Option -M <min> <max>

With this option you can specify a range of ports for outgoing connections, which will increase security. For example, command saprouter -r -M 1.1023 only allows outgoing connections from ports 1 to 1023 (reserved for root under UNIX).

More Information What is SAProuter?

NI and SAProuter Implementation

The following documentation gives a detailed technical description of the implementation of the SAP Network Interface (NI) and SAProuter.

This is supplementary information and not a customer interface. Do not create custom developments based on this information. The interface is subject to change without notice.

SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter).

This documentation covers the following topics:

Communication Modes

Route Connects

Route Strings

Buffered Connection Handles

Select Sets

SNC - Secure Network Communication

NI Keepalive

NI Error Information

NI Control Messages


Common Settings for Sockets

More Information What is SAProuter?

Communication Modes

The network interface provides a platform-independent interface for communication between SAP systems. NI supports the following operation modes:

NI_RAW_IO

NI_MESG_IO

NI_ROUTE_IO

The NI_RAW_IO mode is used to communicate between SAP applications without any further interpretation of the data blocks.

The NI_MESG_IO mode is the commonly used operation mode between SAP applications. The format is also called the SAP Protocol. A 4-byte header precedes each data block. These 4 bytes give the length of the data block (length without the leading 4 bytes). This value is needed to recognize a complete data block if underlying layers fragment it.

In addition, this operation mode knows three special messages. They are recognized by a leading byte string 'NI_PING\0', 'NI_PONG\0' or 'NI_RTERR\0'. The first two are used for keepalive tests, the third one for error messages (see NI Keepalive, NI Error Information and NI Control Messages).

Only the SAProuter uses the NI_ROUTE_IO mode. This mode is similar to the NI_MESG_IO mode, but keepalive messages are ignored. This is necessary so that keepalive tests can pass through the SAProuter.

Route Connects

If the connection is to be established via SAProuters, the route information is sent as the first message. The information includes:

Eye catcher

Route information version

NI version

Operation mode

Route length

Total number of nodes on the route


Pointer to the next hop on the route

Number of remaining nodes

Route string

The field for the route string contains the whole route, including all previous nodes. For each node, the hostname, service/port and password are included, separated by null characters. The values for the service/port and the password field may be empty strings. The default port number is 3299.

In the connect phase, the NI layer converts the route string from the input format (see Route Strings) into this internal format.

The data structure for the message is as follows:

Offset | Size (bytes) | Description and Value
0x00 | 9 | eye catcher ("NI_ROUTE\0")
0x09 | 1 | route information version (current version: 2)
0x0a | 1 | NI version (current version: 36)
0x0b | 1 | total number of entries (value 2 to 255)
0x0c | 1 | talk mode (NI_MESG_IO: 0; NI_RAW_IO: 1; NI_ROUTE_IO: 2), see Communication Modes.
0x0d | 2 | currently unused field
0x0f | 1 | number of rest nodes (remaining hops; value 2 to 255)
0x10 | 4 | route length (integer value in net byte order)
0x14 | 4 | current position as an offset into the route string (integer value in net byte order)
0x18 | * | route string in ASCII

This is supplementary information and not a customer interface. Do not create custom developments based on this information. The interface is subject to change without notice.

Route String Format

The internal format of the route string looks like the following (ASCII characters):

<hostname node 1>\0<port node 1>\0<password node 1>\0<hostname node 2>\0 ...

where \0 means the null character.

Example of a remote connection

localhost\03300\0test\0sapserv3.wdf.sap-ag.de\0\0\0147.204.100.35\0sapdp01\0\0

with

node 1: hostname = localhost; port = 3300; password = test

node 2: hostname = sapserv3.wdf.sap-ag.de; port = 3299 (def.); password =

node 3: host address = 147.204.100.35; service name = sapdp01; password =

After a SAProuter has received the route information, the next destination is extracted from the string. If the connection to the next destination is successful, the same route information is passed on with an incremented current position and a decremented number of remaining nodes.

The SAProuter's own host name in the string is replaced by the address or host name of the previous node. This mechanism allows subsequent SAProuters to still extract the whole route. In addition, newer SAProuters add a leading blank to the host name.
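The NI_ROUTE layout and route string format described above, as an added parsing example (not SAP code and not part of the original documentation). It assumes that the route length field equals the byte length of the route string, that the current position points at the start of a node, and the header values of the constructed sample; passwords are kept out of the loggable form.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EYE_CATCHER = b"NI_ROUTE\x00"
# Header layout from the table above: eye catcher, route info version,
# NI version, total entries, talk mode, 2 unused bytes, rest nodes,
# route length and current position (both in network byte order).
HEADER = struct.Struct(">9sBBBB2sBII")          # 0x18 = 24 bytes
TALK_MODES = {0: "NI_MESG_IO", 1: "NI_RAW_IO", 2: "NI_ROUTE_IO"}
DEFAULT_PORT = "3299"


@dataclass
class Hop:
    host: str
    port: str          # number or service name; empty field -> 3299
    password: str
    offset: int        # where this node starts inside the route string


@dataclass
class RouteInfo:
    route_version: int
    ni_version: int
    talk_mode: str
    rest_nodes: int
    hops: list
    next_hop: Optional[int]   # index of the node "current position" points at

    def redacted(self) -> str:
        """Route in a loggable form; per-node passwords are never printed."""
        return " -> ".join(
            f"{h.host}:{h.port}" + (" (pw set)" if h.password else "")
            for h in self.hops)


def split_route_string(raw: bytes) -> list:
    """Split host\\0port\\0password\\0 triples; every field is \\0-terminated."""
    if not raw.endswith(b"\x00"):
        raise ValueError("route string is not null-terminated")
    fields = raw[:-1].split(b"\x00")
    if len(fields) % 3:
        raise ValueError("route string is not a sequence of 3-field nodes")
    hops, offset = [], 0
    for i in range(0, len(fields), 3):
        host, port, pw = (f.decode("ascii") for f in fields[i:i + 3])
        # Newer SAProuters put a leading blank before a rewritten host name.
        hops.append(Hop(host.lstrip(" "), port or DEFAULT_PORT, pw, offset))
        offset += sum(len(f) + 1 for f in fields[i:i + 3])
    return hops


def parse_ni_route(payload: bytes) -> RouteInfo:
    """Parse one NI_ROUTE message (payload without the 4-byte NI length)."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than the 24-byte NI_ROUTE header")
    (eye, route_ver, ni_ver, total, mode, _unused,
     rest, route_len, cur_pos) = HEADER.unpack_from(payload)
    if eye != EYE_CATCHER:
        raise ValueError("eye catcher is not NI_ROUTE")
    if mode not in TALK_MODES:
        raise ValueError(f"unknown talk mode {mode}")
    raw = payload[HEADER.size:]
    if route_len != len(raw):                    # assumption, see lead-in
        raise ValueError("route length field disagrees with payload size")
    hops = split_route_string(raw)
    if total != len(hops) or rest > total:
        raise ValueError("node counters disagree with the route string")
    next_hop = next((i for i, h in enumerate(hops) if h.offset == cur_pos), None)
    if next_hop is None:                         # assumption, see lead-in
        raise ValueError("current position is not the start of a node")
    return RouteInfo(route_ver, ni_ver, TALK_MODES[mode], rest, hops, next_hop)


# Constructed sample: the documentation's example route string with assumed
# header values (2 rest nodes, position 20 = start of the second node).
SAMPLE_ROUTE = (b"localhost\x003300\x00test\x00"
                b"sapserv3.wdf.sap-ag.de\x00\x00\x00"
                b"147.204.100.35\x00sapdp01\x00\x00")
SAMPLE = HEADER.pack(EYE_CATCHER, 2, 36, 3, 0, b"\x00\x00", 2,
                     len(SAMPLE_ROUTE), 20) + SAMPLE_ROUTE

if __name__ == "__main__":
    print(parse_ni_route(SAMPLE).redacted())
```

Because the route string carries every node's password in clear text, anything that logs or traces parsed routes should use the redacted form.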

Buffered Connection Handles

To hide fragmentation of messages from the application, NI supports buffered connections, which reassemble the fragments. In NI_MESG_IO and NI_ROUTE_IO the data block length is given, which is necessary for buffering the incoming data until the block is complete. NI_RAW_IO does not support buffering.

For an incoming data block, the data buffer is created after the first received packet (specifically, after the whole 4-byte data block header has been received). To prevent running out of memory, a limit for the maximum message length can be set.

More Information Communication Modes

Select Sets

A select set is a wrapper around a select or poll implementation. The advantages are that the user does not have to care about the final implementation (select or poll) and that the set stores the status. If events for buffered handles are received, the implementation processes them silently and notifies the user only if a whole data block has arrived or the connection is writable again. Keepalive messages as well as control messages, packed in error info blocks, can be processed without the application seeing them. Most applications, e.g. dispatcher or SAProuter, use these select sets.

NI Keepalive

NI implements a keepalive mechanism to check connections between applications. It consists of 2 messages, a request and a response.

The request message contains 8 data bytes, headed by the data length, a 4-byte integer. The data corresponds to the ASCII string "NI_PING\0". If the receiver mode is NI_MESG_IO, this packet is detected as a keepalive request. The receiver replies with the response packet. This response is as long as the request and contains the ASCII string "NI_PONG\0". The keepalive initiator notes the test as successful if it receives the response within a specified time interval.

NI Error Information

If an error occurs or is detected by a node between the client and final destination, an error info packet is sent to the client. A 9-byte eye catcher characterizes this error information; the data is basically an ASCII string.

The data structure is formatted as follows:

Offset | Size | Description and Value
0x00 | 9 | eye catcher ("NI_RTERR\0")
0x09 | 1 | NI version (current version: 36)
0x0a | 1 | operation code (error information: 0; other messages > 0)
0x0b | 1 | currently unused field
0x0c | 4 | return code (integer value in net byte order)
0x10 | 4 | error information text length (integer value in net byte order)
0x14 | * | error information text in ASCII

The client (e.g. SAP GUI) notifies the user that an error occurred; the SAProuter just forwards the packet.
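The buffering described under Buffered Connection Handles, the keepalive exchange under NI Keepalive and the NI_RTERR layout above, combined in one added example (not SAP code and not part of the original documentation). It assumes the 4-byte length header is in network byte order like the other integer fields, reads the return code as a signed integer, and uses a 1 MiB cap as the maximum message length.

```python
import struct

NI_PING, NI_PONG = b"NI_PING\x00", b"NI_PONG\x00"
RTERR_EYE = b"NI_RTERR\x00"
# NI_RTERR header per the table above: eye catcher, NI version, operation
# code, unused byte, return code, text length. The return code is read as a
# signed integer (assumption) because SAProuter reports values such as -92.
RTERR_HEADER = struct.Struct(">9sBBBiI")        # 0x14 = 20 bytes
MAX_BLOCK = 1 << 20                             # assumed cap: 1 MiB per block


class BlockTooLarge(ValueError):
    pass


class Reassembler:
    """Buffers the fragments of one connection and returns whole data blocks."""

    def __init__(self, max_block: int = MAX_BLOCK):
        self.max_block = max_block
        self.pending = bytearray()

    def feed(self, fragment: bytes) -> list:
        self.pending += fragment
        blocks = []
        while len(self.pending) >= 4:
            # Assumption: big-endian length that does not count the header.
            (length,) = struct.unpack_from(">I", self.pending)
            if length > self.max_block:
                # Reject as soon as the header is complete, before the
                # announced body is buffered; the caller drops the connection.
                self.pending.clear()
                raise BlockTooLarge(f"peer announced {length} bytes")
            if len(self.pending) < 4 + length:
                break                           # wait for more fragments
            blocks.append(bytes(self.pending[4:4 + length]))
            del self.pending[:4 + length]
        return blocks


def frame(block: bytes) -> bytes:
    """Prefix a data block with its 4-byte length header."""
    return struct.pack(">I", len(block)) + block


def parse_rterr(block: bytes) -> dict:
    if len(block) < RTERR_HEADER.size:
        raise ValueError("shorter than the NI_RTERR header")
    eye, ni_ver, opcode, _unused, rc, text_len = RTERR_HEADER.unpack_from(block)
    text = block[RTERR_HEADER.size:]
    if eye != RTERR_EYE or text_len != len(text):
        raise ValueError("malformed NI_RTERR block")
    return {"ni_version": ni_ver, "opcode": opcode, "rc": rc,
            "text": text.decode("ascii", errors="replace")}


def handle(block: bytes):
    """Classify one block as an NI_MESG_IO receiver would.

    Returns (kind, value): for "ping" the value is the framed NI_PONG reply
    to send back; for "error"/"control" it is the parsed NI_RTERR fields.
    """
    if block == NI_PING:
        return "ping", frame(NI_PONG)
    if block == NI_PONG:
        return "pong", None
    if block.startswith(RTERR_EYE):
        info = parse_rterr(block)
        return ("error" if info["opcode"] == 0 else "control"), info
    return "data", block


# Constructed sample: a keepalive request, an error block carrying the text
# and return code shown for Option -Z, and one ordinary data block.
SAMPLE_TEXT = b"route could not be established"
SAMPLE_ERR = RTERR_HEADER.pack(RTERR_EYE, 36, 0, 0, -92,
                               len(SAMPLE_TEXT)) + SAMPLE_TEXT
SAMPLE_STREAM = frame(NI_PING) + frame(SAMPLE_ERR) + frame(b"payload")


def replay(stream: bytes, step: int = 3) -> list:
    """Feed the stream in small fragments and classify each whole block."""
    reassembler, out = Reassembler(), []
    for i in range(0, len(stream), step):
        out += [handle(b) for b in reassembler.feed(stream[i:i + step])]
    return out


if __name__ == "__main__":
    for kind, value in replay(SAMPLE_STREAM):
        print(kind, value)
```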

NI Control Messages

Control messages are used for handshakes and other communication located in the NI layer. These messages are based on the same structure as the NI Error Information. A non-zero operation code indicates a message. The following control messages are known in NI version 36:

NI control messages:

NI version request

NI version response

NI send handle (4 messages)

SNC control messages:

SNC request from client side

SNC request from server side

SNC handshake completed

Common Settings for Sockets

NI sets several socket options on the sockets it creates to values that differ from the operating system defaults.

The following settings are applied:

Non-blocking mode

Disable Nagle algorithm for client sockets (TCP no delay)

Allow reuse of address

No keepalive

Do not remain open across exec (close-on-exec flag)

In addition, on some platforms the receive and send buffer sizes are redefined as well.

SAProuter Route Permission

The SAProuter works with a Route Permission Table, which is used to authorize route connections. The following properties are essential for the route check:

Source IP address

Destination IP address

Destination port

Number of previous SAProuter hops

Number of remaining SAProuter hops


The route permission file is loaded in an internal table during the SAProuter startup. The permission is checked for each accepted connection after receiving the route data. Administrative requests are rejected, if they are not from the local host. Info requests need to be authorized by the route table, too.

The permission check works with a first-match lookup of the received route data against the route table. For a successful lookup, the source address, destination address and port are all required to match.

The numbers of previous and post hops are conditions for the permission, but are not essential for the match.

The internal table, in which the route table is mapped, has the following fields:

Type (permitted or denied)

SNC (secure network communication required or not)

Native (native protocols permitted or not)

Previous hops (maximum number of previous hops / SAProuters)

Post hops (maximum number of following hops / SAProuters)

Source address

Source address mask

Destination address

Destination address mask

All destination ports (no port specified)

Destination port min

Destination port max

Password (required password for building up the route)

SNC name

The address masks are set, if a subnet is given in the route file. You find details about the route table in section Route Permission Table. Mapping examples of file entries into the internal table are given in Route Table Examples.
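The mapping into the internal table and the first-match check described above, as an added sketch (not SAP code and not part of the original documentation). The entries are the non-SNC lines of the example file in Route Table Examples; K* entries, port ranges and service names are not handled, and treating "no matching entry" as a rejection is an assumption.

```python
import hmac
import ipaddress
from dataclasses import dataclass

ANY_HOPS = 255          # the internal table stores "*" (no limit) as 255


@dataclass
class Entry:
    permit: bool        # t: P and S lines permit, D lines deny
    native: bool        # n: only P lines allow native (non-SAP) protocols
    max_prev: int       # shs
    max_post: int       # dsh
    src: tuple          # (s-add, s-msk)
    dst: tuple          # (d-add, d-msk)
    ports: tuple        # (d-p-l, d-p-h), or None when all ports match
    password: str
    line: str


def pattern(text: str) -> tuple:
    """Host pattern -> (address, mask); a 1 bit in the mask is a wildcard."""
    if text == "*":
        return 0, 0xFFFFFFFF
    if text == "localhost":          # mapped to 7f.0.0.1 in the documentation
        text = "127.0.0.1"
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported host pattern {text!r}")
    addr = mask = 0
    for o in octets:
        if o == "*":
            a, m = 0, 0xFF
        elif len(o) == 8 and set(o) <= set("01x"):      # binary octet
            a = int(o.replace("x", "0"), 2)
            m = int(o.replace("1", "0").replace("x", "1"), 2)
        else:
            a, m = int(o), 0
            if not 0 <= a <= 255:
                raise ValueError(f"bad octet in {text!r}")
        addr, mask = addr << 8 | a, mask << 8 | m
    return addr, mask


def hop_limit(text: str) -> int:
    return ANY_HOPS if text == "*" else int(text)


def parse_entry(line: str) -> Entry:
    tok = line.split()
    kind, hops = tok[0][0], tok[0][1:]
    if kind not in "PSD":
        raise ValueError(f"entry type not handled here: {line!r}")
    prev, post = hops.split(",") if hops else ("*", "*")
    src, dst, port = (tok[1:4] + ["*"] * 3)[:3]     # missing fields mean "*"
    return Entry(kind != "D", kind == "P", hop_limit(prev), hop_limit(post),
                 pattern(src), pattern(dst),
                 None if port == "*" else (int(port), int(port)),
                 tok[4] if len(tok) > 4 else "", line)


def matches(pat: tuple, ip: str) -> bool:
    addr, mask = pat
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~mask & 0xFFFFFFFF) == 0


def check(table, src, dst, port, prev_hops=0, post_hops=0, password=""):
    """First-match lookup on source, destination and port; hop limits and
    password are then conditions on that one entry, not further match keys."""
    for e in table:
        if (matches(e.src, src) and matches(e.dst, dst)
                and (e.ports is None or e.ports[0] <= port <= e.ports[1])):
            ok = (e.permit and prev_hops <= e.max_prev
                  and post_hops <= e.max_post
                  and (not e.password or hmac.compare_digest(
                      e.password.encode(), password.encode())))
            return ok, e
    return False, None      # assumption: no matching entry means no route


# Entries copied from the documentation's example route table file; the
# four K* (SNC) lines are left out because this sketch does not model SNC.
ROUTTAB = """\
D 10.1.0.0 * *
P0,* 10.1.*.* * *
S*,0 * 10.2.00001xxx.* *
P*,1 * 10.2.*.* *
P 10.3.0.0 10.4.*.* 7
P 10.3.0.1 10.4.0.1 * test
P 10.3.0.2 localhost *
P 10.3.0.3 localhost * info
S 10.3.0.4
D * * *
"""
TABLE = [parse_entry(l) for l in ROUTTAB.splitlines() if l.strip()]

if __name__ == "__main__":
    # One previous hop: the first match is "P0,*", so the route is rejected
    # even though the later "S*,0" entry would have permitted it.
    print(check(TABLE, "10.1.5.5", "10.2.9.1", 3200, prev_hops=1))
```

Because the lookup stops at the first matching line, the order of entries decides the outcome; a broad entry placed early shadows every narrower entry after it.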

Route Table Examples

In this part, few examples are given, how the entries in the route permission file are mapped into the internal table.

Page 81: Sap Router 720 En

(C) SAP AG HELPX.BCCSTNI 81

Table Fields

| Field | Meaning | Possible Values |
|-------|---------|-----------------|
| t | type | P = permitted; D = denied; T = SNC target |
| s | SNC | X = secure network communication required |
| n | native | X = native protocols permitted |
| shs | previous SAProuter hops | number |
| dsh | post SAProuter hops | number |
| s-add | source address | |
| s-msk | source address mask | |
| d-add | destination address | |
| d-msk | destination address mask | |
| a | all destination ports | X = no port specified |
| d-p-l | destination port min (low) | 16-bit integer |
| d-p-m | destination port max (high) | 16-bit integer |
| pwd | password | string |
| snc-n | SNC name | string |

Example mapping route table file into internal route table

The route table file

    D 10.1.0.0 * *
    P0,* 10.1.*.* * *
    S*,0 * 10.2.00001xxx.* *
    P*,1 * 10.2.*.* *
    P 10.3.0.0 10.4.*.* 7
    P 10.3.0.1 10.4.0.1 * test
    P 10.3.0.2 localhost *
    P 10.3.0.3 localhost * info
    S 10.3.0.4
    KT "p:CN=s0" 10.5.0.0 *
    KD "p:CN=s1" 10.5.0.1 *
    KP "p:CN=s1" * *
    KS * 10.5.0.* *
    D * * *

is mapped into the following internal route table:

| t | s | n | shs | dsh | s-add | s-msk | d-add | d-msk | a | d-p-l | d-p-h | pwd | snc-n | Entry |
|---|---|---|-----|-----|-------|-------|-------|-------|---|-------|-------|-----|-------|-------|
| D |   | ~ | ~~~ | ~~~ | a.1.0.0 | 00.00.00.00 | 0.0.0.0 | ff.ff.ff.ff | X | ~~~~~~~ | ~~~~~~~ | * | ~~~~~~~ | a |
| P |   | X | 0 | 255 | a.1.0.0 | 00.00.ff.ff | 0.0.0.0 | ff.ff.ff.ff | X | ~~~~~~~ | ~~~~~~~ | * | ~~~~~~~ | b |
| P |   |   | 255 | 0 | 0.0.0.0 | ff.ff.ff.ff | a.2.8.0 | 00.00.07.ff | X | ~~~~~~~ | ~~~~~~~ | * | ~~~~~~~ | c |
| P |   | X | 255 | 1 | 0.0.0.0 | ff.ff.ff.ff | a.2.0.0 | 00.00.ff.ff | X | ~~~~~~~ | ~~~~~~~ | * | ~~~~~~~ | d |
| P |   | X | 255 | 255 | a.3.0.0 | 00.00.00.00 | a.4.0.0 | 00.00.ff.ff |   | 7 | 7 | * | ~~~~~~~ | e |
| P |   | X | 255 | 255 | a.3.0.1 | 00.00.00.00 | a.4.0.1 | 00.00.00.00 | X | ~~~~~~~ | ~~~~~~~ | test | ~~~~~~~ | f |
| P |   | X | 255 | 255 | a.3.0.2 | 00.00.00.00 | 7f.0.0.1 | 00.00.00.00 | X | ~~~~~~~ | ~~~~~~~ | * | ~~~~~~~ | g |
| P |   | X | 255 | 255 | a.3.0.3 | 00.00.00.00 | 7f.0.0.1 | 00.00.00.00 | X | ~~~~~~~ | ~~~~~~~ | info | ~~~~~~~ | h |
| P |   |   | 255 | 255 | a.3.0.4 | 00.00.00.00 | 0.0.0.0 | ff.ff.ff.ff | X | ~~~~~~~ | ~~~~~~~ | * | ~~~~~~~ | i |
| T | X | ~ | 255 | 255 | 0.0.0.0 | ff.ff.ff.ff | a.5.0.0 | 00.00.00.00 | X | ~~~~~~~ | ~~~~~~~ | * | p:CN=s0 | j |
| D | X | ~ | ~~~ | ~~~ | 0.0.0.0 | ff.ff.ff.ff | a.5.0.1 | 00.00.00.00 | X | ~~~~~~~ | ~~~~~~~ | * | p:CN=s1 | k |
| P | X | X | 255 | 255 | 0.0.0.0 | ff.ff.ff.ff | 0.0.0.0 | ff.ff.ff.ff | X | ~~~~~~~ | ~~~~~~~ | * | p:CN=s1 | l |
| P | X |   | 255 | 255 | 0.0.0.0 | ff.ff.ff.ff | a.5.0.0 | 00.00.00.ff | X | ~~~~~~~ | ~~~~~~~ | * | * | m |
| D |   | ~ | ~~~ | ~~~ | 0.0.0.0 | ff.ff.ff.ff | 0.0.0.0 | ff.ff.ff.ff | X | ~~~~~~~ | ~~~~~~~ | * | ~~~~~~~ | n |

The entry '~' marks a field as not initialized or unused.

Permission example with permission table above

The current SAProuter is running on the host "this" on port 3299. A '*' indicates a parameter without effect.

For a match, one of the following conditions for the destination port must be met:

1. Entry 'destination port' is valid and equal to the destination port of the route

2. Entry 'native' is not set and 'all destination ports' is set, i.e. no destination port is specified

3. Entry 'type' is not 'permitted' and 'all destination ports' is set

4. The route has further destination nodes and 'all destination ports' is set
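Added example (not SAProuter code): a Python model of the first-match lookup, the inverted address masks and the four port conditions, loaded with entries a to e and n of the internal table; the SNC, password and localhost entries are left out. It assumes that 'native' in condition 2 refers to the connection (as the example rows indicate), that a set mask bit means the address bit is ignored, and that a request matching no entry is denied; the names Entry, TABLE, net and check are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address as IP

ANY = (0, 0xFFFFFFFF)            # 0.0.0.0 with mask ff.ff.ff.ff: any address

def net(addr, mask="0.0.0.0"):
    return int(IP(addr)), int(IP(mask))

@dataclass
class Entry:
    name: str
    permit: bool                 # t: P (True) or D (False)
    native: bool = False         # n: native protocols permitted
    shs: int = 255               # maximum number of previous hops
    dsh: int = 255               # maximum number of following hops
    src: tuple = ANY             # (s-add, s-msk)
    dst: tuple = ANY             # (d-add, d-msk)
    ports: tuple = None          # (low, high); None = 'all destination ports'

# Constructed from entries a-e and n of the internal table on this page.
TABLE = [
    Entry("a", False, src=net("10.1.0.0")),
    Entry("b", True, native=True, shs=0, src=net("10.1.0.0", "0.0.255.255")),
    Entry("c", True, dsh=0, dst=net("10.2.8.0", "0.0.7.255")),
    Entry("d", True, native=True, dsh=1, dst=net("10.2.0.0", "0.0.255.255")),
    Entry("e", True, native=True, src=net("10.3.0.0"),
          dst=net("10.4.0.0", "0.0.255.255"), ports=(7, 7)),
    Entry("n", False),
]

def addr_ok(addr, rule):
    base, mask = rule            # assumption: set mask bits are ignored
    return (int(IP(addr)) ^ base) & ~mask & 0xFFFFFFFF == 0

def port_ok(e, port, native, further):
    if e.ports is not None:      # condition 1: explicit port (range) in the entry
        return port is not None and e.ports[0] <= port <= e.ports[1]
    return (not native) or (not e.permit) or further > 0   # conditions 2, 3, 4

def check(src, dst, port=None, native=False, prev=0, further=0):
    """Return (entry name, 'P' or 'D') for the first matching entry."""
    for e in TABLE:
        if addr_ok(src, e.src) and addr_ok(dst, e.dst) and port_ok(e, port, native, further):
            allowed = (e.permit and prev <= e.shs and further <= e.dsh
                       and (e.native or not native))   # hops and native: conditions
            return e.name, "P" if allowed else "D"
    return None, "D"             # assumption: no matching entry means denied
```

Here `prev` is the number of SAProuters before "this" and `further` the number of nodes after the next destination, so `check("10.9.0.0", "10.2.9.0", further=1)` corresponds to the route /H/this/H/10.2.9.0/H/*/S/* in the table that follows.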

| Client | native | Route | Entry | P/D | Reason |
|--------|--------|-------|-------|-----|--------|
| 10.1.0.0 |   | /H/this/H/*/S/3299/W/test | a | D | All connections from host 10.1.0.0 are denied. |
| * |   | /H/10.1.0.0/H/this/H/* | a | D | All connections from host 10.1.0.0 are denied. |
| 10.1.0.1 | X | /H/this/H/10.2.9.0/S/* | n | D | Entry b doesn't match because 'native' is set and the route has no further destinations. |
| 10.1.0.1 | X | /H/this/H/10.2.9.0/H/*/S/* | b | P | b matches as the route has further destinations (4.) |
| * | X | /H/10.1.0.1/H/this/H/10.2.9.0/S/* | n | D | No match with b (native with no further destinations), c (native) and d (native with no further destinations). |
| * | X | /H/10.1.0.1/H/this/H/10.2.9.0/H/*/S/* | b | D | Matches b but has one previous hop, so denied. |
| 10.9.0.0 |   | /H/this/H/10.2.9.0/S/* | c | P | Matches c (2.) |
| 10.9.0.0 | X | /H/this/H/10.2.9.0/S/* | n | D | Does not match c (native with no further destinations) |
| 10.9.0.0 | X | /H/this/H/10.2.9.0/H/*/S/* | c | D | Matches c (4.), is denied because it is native (type S). |
| 10.9.0.0 |   | /H/this/H/10.2.9.0/H/*/S/* | c | D | Matches c (2.), is denied because no following hop is allowed. |
| 10.9.0.0 |   | /H/this/H/10.2.7.0/H/*/S/* | d | P | Doesn't match c because of IP address; matches d (2.) |
| 10.3.0.0 | X | /H/this/H/10.4.0.0/S/7 | e | P | Matches e (1.) |
| 10.3.0.0 |   | /H/this/H/10.4.0.0/S/7 | e | P | Matches e (1.) |
| 10.3.0.0 | X | /H/this/H/10.4.0.0/H/*/S/7 | n | D | Doesn't match e because the port 7 must be used on host 10.4.0.0 (see 1.) |
| 10.3.0.1 |   | /H/this/H/10.4.0.1/H/* | f | D | Matches e, is denied because password test is missing |