Skip to Content
Technical Articles
Author's profile photo Willi Eimler

Understanding saprouter


In the past I always worked with saprouter without understanding the mechanism of the saprouter-rules completely. Thus resulted a saproutertab with lots of useless entries and the inflationary use of *. In order to be able to use a short saproutertab it is necessary to understand the effectiveness of a saprouter entry.

This BLOG is not a full documentation of the saprouter tool! For details please take a look at:

The saprouter controls connections. He permits or disables connection. This behavior depends on the rules defined in the saproutertab. A rule consists of 4 parts:

Part 1 | Part 2                 | Part 3                 | Part 4
D or P | Hostname of a starting | Hostname of an ending  | Port         
       | point of a connection. | point of a connection. |         


In Part 1: D stands for disable and P for permit. If you want to permit a connection from  server1 to server2 with port 3255 than the rule is:

P    server1        server2        3255

In my sap router tab I always disable all connections with:

D    *    *    *

I put this rule to the end of the saprotertab, because it would kill all P rules if it is the first rule. Every P rule after D * * * is ignored.  Then I allow each connection I want to use.

So far it is very simple. But what rules are needed to allow a connection passing several saproutes? For this scenario I use an example with 3 saprouter hops for a connection. I describe how to maintain the saproutertab and how to test the connection with niping. In order to understand the mechanism of the following scenario it is crucial to know, that saprouters communicate with other saprouters via the standard saprouter port (3299).

Scenario Port 1442

We want to communicate from Server A with Server B via port 1442. In the following picture you can see the path of communication and the Names and hostnames of each saprouter.

Now let’s consider how to maintain the saproutertab:

We know:

1.    The saprouter communicate with other saprouter via standard saprouter port (in this case 3299).

2.    The saprouter disables/permits connections.

3.    The port of the addressed server is used.

With this 3 points we can maintain the saproutertab of every saprouter:

Saprouter 1

P    Host_A    Host_2        3299

D    *         *             *      

Saprouter 2

P    Host_1     Host_3       3299

D    *          *            *

Saprouter 3

P    Host_2    Host_B        1442

D    *         *             *   


For the rules the port used on the destination host is important. For the rule in saprouter 1 the port is 3299 because saprouter 2 communicates with saprouter 1 via port 3299. With niping you can test your saproutertab entries. For the simulation of a server use:

niping -s -I 0 -S 1442 -R -P

And for the corresponding client use:

niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P

I like to use the niping in raw mode, because in raw mode I can simulate communication with any port I want.

Testing with niping:

niping tests the connection via the saprouter and gives an error message, when a communication is not possible. Lets change the rule in saprouter 2 from

P Host_1 Host_3     3299


P Host_1 nonsense   3299

niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P

Now niping will throw the following error:


The error states the information you need to repair the wrong saproutertab configuration:

     Error Host_2: route permission denied ( Hoste_1 to Host_3, 3299)

The error states the saproutertab entry needed to permit the connection.

     P Host_1 Host_3     3299

Scenario Port 3200

Now, we want to connect to a sap system via the tree saprouters. The following picture shows this:

The 32<SysNr.> Port is the SAP Dispatcher port, used by SAP GUI. SysNr. is the Systemnumber of the sap system. In this case the systemnumber is 00 and we use 3200.

In Saprouter 1 we have to add the rule (this rule is going to overrule the entry P     Host_A     Host_2     3299):

P     *               Host_2     3299

This rule is necessary because we want to login with every frontend with a sap-gui. If you want to login only with one frontent Forntend_1 you have to replace rule P * Host_2 3299 by:

P     Frontend_1      Host_2     3299

In Saprouter 2 we don’t have to add a new rule because the communication between the saprouters was not changed. In the last saprouer we have to add the rule for the communication via port 3200:

P     Host_2          Host_B     3200

The configuration of the saproutertabs is:

Saprouter 1

P    *         Host_2        3299

D    *         *             *


Saprouter 2

P    Host_1     Host_3       3299

D    *          *            *  


Saprouter 3

P    Host_2    Host_SAP      3200

D    *         *             *    



In order to test the connection we make the following entry in the sap logon:

If there is an error in the configuration of the saproutertabs you are will get an error like this:


In this case the error can only be located in the 1st or second saprouter (because of port 3299). If the entry in the last saprouter is wrong you get an error with port 3200. If there is no error you get the login screen.


Hope you enjoy this blog.

Usefull links


SAProuter Strig

nipping als Portprüfung (RAW-Mode)

OSS zu niping

500235 – Network Diagnosis with NIPING

Configure SNC saprouter

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Divyanshu Srivastava
      Divyanshu Srivastava

      I have only scrolled and this looks good..

      Thanks and well done 🙂


      Author's profile photo Willi Eimler
      Willi Eimler
      Blog Post Author

      Thanx Divyanshu.

      Author's profile photo Divyanshu Srivastava
      Divyanshu Srivastava

      5 stars from me.. 😛