Bind service port (socket/ssl) to port using parameter gw/internal_port
A strange thought ran into my head while reading the gateway trace file (dev_rd). Have you noticed the following entries in the beginning of the gateway trace file :
Bind service 26134 (socket/ssl) to port 26134
Bind service 45021 (socket/ssl) to port 45021
Bind service 6008 (socket/ssl) to port 6008
I was never intrigued about what these meant , until yesterday when because of these simple elegant entries resulted in my RFC’s failing.
What does the entries mean ?
If we look carefully then these ports are all ssl ports. These ports can vary from customer-to-customer as we don’t have a control over this. So every time the gateway is restarted these ports will change!
One important point here is that this issue would occur only if you had a firewall placed between your application servers.
Each time the gateway is restarted the ports change and thefirewall thinks the changed port should not be allowed as the port is different than the one we have allowed in the ACL list.
The obvious question that comes to us is :How to tell to Network security team that the SSL Sockets needs to be open and what would be the range for this.
Troubleshooting / What Next ?
Digging deep I came to know how these ports function and what needs to be done next 😉 … yes , I do have a way out for this!
These ports are chosen by the Operating System , which will be different after each restart. This feature got changed from ABAP Release 7.40 SP8 (component SAP_BASIS) . More details can be checked in SAP note # 2040644 – Secure Internal Server Communication.So by default ( by using SWPM ) the parameter system/secure_communication is set to “ON” the SSL encryption of internal communication is activated. Please see the link for more reference SAP System Parameters.
To avoid this problem in future and BIND the ports to fixed value there is a parameter an internal, non-public parameter “gw/internal_port“. The range for this is between 1024 – 65535.
So once you set this parameter explicitly in the profile then the gateway will by default take this new value ( for gw/internal_port ) and next time the gateway is restarted there would be no problem for the RFC’s failing!
Post this you can add these set ports in the firewall as well.
Let me know in case you have any queries.
Thanks, saved my day, I kept struggling to find why I cannot switch between app servers on Azure as we have used strict NSG rules.
Thanks, saved my day as well.
thanks, you also saved my day. I think this situation should be documented in the "used SAP Ports" Documentation. We set up serveral servers accordingly and ran into exact this issue when activating local windows firewalls.
Do you mean at this SAP help page? https://help.sap.com/viewer/ports
I have posted the suggestion, internally.
yes i was searching for the ports to configure in advance and used the ports listed there.
The server starts fine and works in most parts without the port open which is a bit missleading.
If the customer only has additional application servers in PRD (as many small companies do) the problem might directly hit the production enviroment and is bad to test beforehand (we encountered the issue in our QAS as we have serveral servers here)
Thanks for the suggestion!