Reply from Sessl on Nov 6 at 5:40 AM Hello Snowy,
Thank you for the hint, but on the local SAP system the NIC just got the internal IP.
This IP is natted to an external IP on the firewall behind, which also create the VPN connection to our customer. On the other side, behind the client firewall, there is a SAPRouter which knows the external IP and the clients, behind the next customer firewall just knows the SAPRouter IP.
This setup runs since 2008 very nicely, but with the switch to JCO 3, we have this curious problem with the way back route.
I found the SAP note: 555162 - Asynchronous RFCs with a dialog using a SAP router
But this is just for a second SAP system which calls a RFC to the first system. I don't know how I can use this @back destinations for the clients instead of a SAP system.
My thoughts go to IP forwarding, so that the SAPRouter sends any request at 192.168.1.1 to the external IP, but this should be the last option.
The next to a separate SAPRouter on our side, so that the clients calls /SAPRouter/SAProuter/InteralIP, but this needs a bit longer to set it up.
The thing is, if I use the MSG server instead the DISP, I get the same error message, because SAPGUI wants to connect to the SAP system with the external IP, SAP sends the "I see you" package back WITH the internal IP, and SAPGUI wants to connect to the given MSG Server Group with the internal IP, which fails ..
To send back the external IP I set up a new MSG Server Group to send back the external IP and the connection from the SAPGUI via SAPRouter to the MSG server works. At the moment we're checking why the tool can't connect to the SAP system via MSG server like the SAPGUI.
So I thought I just missed a setting in the SMGW, or somewhere else to tell the SAP system send your FQDN back instead of the internal IP.
Thank you and best regards,
Tobias
| | | ---------------Original Message---------------
From: Tobias P.
Sent: Tuesday, November 04, 2014 9:46 AM
Subject: RFC connection via JCO 3.0 - NIECONN_BROKEN on SAPRouter
Hello,
Our customer is using a RFC tool, to upload files, start transactions, etc., now they get an update (JCO 2.x to JCO 3.0) of this tool and we have some network problems.
The main reason of this error is because the SAP systems sends his internal IP address back to the RFC tool, and the tool want to connect to the dispatcher with the given internal IP address.
We tested it with the SAPRouter and without, the problem is the same.
1. The tool (client e.g. 10.10.20.1) connects to the SAP Gateway (e.g. 210.10.10.1) with the given external IP address, and/or with a SAPRouter string.
- this connection works
2. The tool want to start a transaction, so it calls the function "SYSTEM_PREPARE_ATTACH_GUI", SAP sends the interal IP address (e.g. 192.168.1.1) to the client and I get the SAPGUI security prompt to allow to start a SAPGUI, after that, the tool wants to connect to the dispatcher with the internal IP address of the SAP system, but this fails .. I know that this is right ..
I read also a few notes:
• 21151 - Multiple Network adapters in SAP Servers
• 148832 - IP address conversion with a firewall
• 555162 - Asynchronous RFCs with a dialog using a SAP router
• 1033987 - Remote login using NAT or SAP router fails
I set the profile parameter "gw/alternative_hostnames" to the external ip "210.10.10.1"
In the dev_rd file i see the following entry:
GwPrintMyHostAddr: my host addresses are :
1 : [210.10.10.1] hostname.domain.de (HOSTNAME)
2 : [127.0.0.1] hostname.domain.de (LOCALHOST)
3 : [192.168.1.1] hostname.domain.de (NILIST)
Full qualified hostname = hostname.domain.de
The connection:
SAP (internal e.g. 192.168.1.1.) > FW (external e.g. 210.10.10.1) > VPN > FW (e.g. 220.10.10.1) > SAPRouter (e.g. 10.10.10.1) > Client (e.g. 10.10.20.1)
The easiest way would be, to tell the gateway to send back the FQDN instead of the internal ip address, but I don't find a way. Any ideas?
Thank you for all your help!
Best regards,
Tobias |
| Reply to this email to post your response. __.____._ |   _.____.__ |
