SAPRouter Documentation — SAP Skills Portal

Overview

What is SAPRouter?

SAPRouter is a standalone SAP program that acts as a proxy and application-level firewall for SAP network connections. It sits between external clients and internal SAP systems, controlling which connections are allowed based on a route permission table.

Key Functions:

Access Control — Controls and logs all incoming connections to SAP systems using a route permission table (saprouttab)
Network Security — Acts as an extra firewall layer, reducing the number of open ports needed on the corporate firewall
Indirect Connections — Enables connections between programs that cannot reach each other directly due to network/firewall restrictions
Connection Logging — Records all connection attempts (allowed and denied) for audit and troubleshooting
SNC Encryption — Supports Secure Network Communications for encrypted connections with SAP Crypto library

Supported Scenarios:

SAP GUI communication through SAPRouter to the message server / dispatcher
RFC communication between systems or between RFC client and Gateway
SAP Support connections from SAP to customer systems (via SAP backbone network)

Not Supported: HTTP-based protocols (Web Service calls, Web Dynpro, BSP), browser-to-application-server communication, and binary protocols (terminal server, X-server).

Infrastructure

Server Details

Property	Value
Hostname	`saprouter` (GCP VM: `saprouter-internal`)
Operating System	Rocky Linux 10.1 (Red Quartz) — kernel 6.12
CPUs	2 vCPUs
Memory	3.6 GB RAM
Internal IP	`10.128.0.111`
External IP	`34.46.174.105`
GCP Zone	`us-central1-c`
GCP Project	`internal-sales`

SAP Software Versions

Component	Version	Details
SAProuter	Kernel 7.54, Patch 635	Compiled for linuxx86_64, 64-bit, Non-Unicode (Feb 6, 2026)
NI Version	40.4	Network Interface protocol version
SAP Crypto Library	8.6.3 (Patch 8603)	`/saprouter/sec/libsapcrypto.so`
SAPCAR	Included	`/saprouter/SAPCAR` — SAP archive extraction tool
niping	Included	`/saprouter/niping` — network connectivity test tool
sapgenpse	Included	`/saprouter/sec/sapgenpse` — PSE/certificate management

Disk Layout

Mount	Size	Purpose
`/`	50 GB	Root filesystem (OS)
`/saprouter`	30 GB	Dedicated SAPRouter filesystem — binaries, config, logs, crypto
`/boot/efi`	200 MB	EFI boot partition

Network Architecture

The SAPRouter sits in front of the internal SAP systems. External clients connect to the SAPRouter's public IP on port 3299, and the SAPRouter forwards allowed connections to the internal SAP servers.

Flow	Source	Destination	Port
Inbound	External clients (Internet)	`34.46.174.105` (SAPRouter)	`3299`
Forward to S/4HANA	SAPRouter (`10.128.0.111`)	`10.128.15.239` (sapidess4)	`3203`
Forward to ECC Oracle	SAPRouter (`10.128.0.111`)	`10.128.15.241` (sapidesecc8)	`3200`
Forward to ECC MSSQL	SAPRouter (`10.128.0.111`)	`10.128.0.51` (sap-sql)	`3200`

Default Port: SAPRouter listens on port 3299 (standard SAP port). This can be changed with option -S.

Installation

Directory Structure

/saprouter/
├── saprouter              # SAProuter binary (kernel 7.54, patch 635)
├── niping                 # Network connectivity test tool
├── SAPCAR                 # SAP archive extraction tool
├── saprouttab             # Route permission table (active config)
├── patches.mf             # Patch manifest
├── dev_rout               # Trace file (runtime)
├── saprouter_635-80007328.sar   # SAProuter SAR package
├── log/
│   └── saprouter.log      # Connection log (-G option)
├── run/                   # Runtime directory (empty)
└── sec/
    ├── libsapcrypto.so    # SAP Crypto library (8.6.3)
    ├── libslcryptokernel.so  # Crypto kernel library
    ├── sapgenpse           # PSE/certificate management tool
    ├── sapcrypto.lst       # Crypto library manifest
    ├── sapcrypto.mf        # Crypto metadata
    └── SAPCRYPTOLIBP_8603-20011697.SAR  # Crypto SAR package

OS User

Property	Value
User	`saprouter` (uid 995)
Group	`saprouter` (gid 995)
Home	`/saprouter`
Service runs as	`root` (via systemd)

The saprouter user owns the binaries and config files. The systemd service runs as root for port binding (port 3299 < 1024 not needed, but simplifies access to /saprouter/sec/).

Installation from SAR Package

To update or reinstall the SAPRouter binary:

# Extract new SAProuter package
cd /saprouter
./SAPCAR -xvf saprouter_635-80007328.sar

# Extract crypto library (if updating)
cd /saprouter/sec
/saprouter/SAPCAR -xvf SAPCRYPTOLIBP_8603-20011697.SAR

# Restart the service
systemctl restart saprouter

Download the latest SAProuter from SAP Software Download Center: Support Packages and Patches A-Z → S → SAPROUTER → SAPROUTER 7.54

Configuration

Systemd Service

SAPRouter runs as a systemd service with automatic restart:

# /etc/systemd/system/saprouter.service
[Unit]
Description=SAProuter
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/saprouter
ExecStart=/saprouter/saprouter -r -G /saprouter/log/saprouter.log
Restart=always
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Parameter	Meaning
`-r`	Start SAPRouter in routing mode
`-G /saprouter/log/saprouter.log`	Enable connection logging to the specified file
`Restart=always`	Auto-restart on crash or stop, with 5-second delay
`LimitNOFILE=65536`	Allow up to 65,536 open file descriptors (connections)

Startup Options Reference

Common SAPRouter startup options:

Option	Description	Default
`-r`	Start SAPRouter	—
`-s`	Stop SAPRouter	—
`-n`	Reload route permission table without restart	—
`-R <file>`	Specify route permission table file	`./saprouttab`
`-K <SNC name>`	Enable SNC (Secure Network Communications)	Disabled
`-G <logfile>`	Enable connection logging	No logging
`-T <tracefile>`	Specify trace file	`dev_rout`
`-V <level>`	Set trace level at startup (0-3)	1
`-S <port>`	Change SAPRouter port	3299
`-C <n>`	Max number of clients	1024
`-Y <n>`	Start additional SAPRouter process at n clients	Disabled
`-D`	Do not resolve IP addresses (improve performance)	Resolve
`-J <size>`	Max log file size in bytes	Unlimited
`-H <host> <pwd>`	Set hostname and admin password	—
`-l`	Display active connections (short)	—
`-L`	Display active connections (detailed)	—
`-p`	Trigger soft shutdown (finish current, reject new)	—
`-t`	Toggle trace level in running system	—
`-d`	Dump trace buffers to file	—
`-f`	Flush internal buffers	—

SAP Crypto Library (SNC)

The SAP Crypto Library is installed for SNC-capable connections:

File	Version	Purpose
`/saprouter/sec/libsapcrypto.so`	8.6.3 (patch 8603)	Main SAP cryptographic library
`/saprouter/sec/libslcryptokernel.so`	—	Crypto kernel library
`/saprouter/sec/sapgenpse`	—	Tool for creating and managing PSE (Personal Security Environment) files

To enable SNC connections, generate a PSE with sapgenpse and start SAPRouter with -K <SNC name>. Set the SECUDIR environment variable to /saprouter/sec.

Route Permission Table

Current Configuration

The active route permission table at /saprouter/saprouttab:

# /saprouter/saprouttab
# Format: P/S/D  <source>  <destination>  <port>
#
# P = Permit    S = Permit (SAP protocol only)    D = Deny

P * 10.128.15.239 3203      # S/4HANA 2023 (sapidess4) - dispatcher instance 03
P * 10.128.15.241 3200      # ECC 6.0 EHP8 on Oracle (sapidesecc8) - instance 00
P * 10.128.0.51   3200      # ECC 6.0 on SQL Server (sap-sql / SQ1) - instance 00
D * * *                      # Deny everything else

Rule	Source	Destination	Port	SAP System
PERMIT	Any (`*`)	`10.128.15.239`	`3203`	S/4HANA 2023 — sapidess4 (instance 03)
PERMIT	Any (`*`)	`10.128.15.241`	`3200`	ECC 6.0 EHP8 — sapidesecc8 (instance 00)
PERMIT	Any (`*`)	`10.128.0.51`	`3200`	ECC 6.0 SQ1 — sap-sql (instance 00)
DENY	Any (`*`)	Any (`*`)	Any (`*`)	Block all other traffic

Route Table Syntax

Each line follows the format: P/S/D <source host> <destination host> <destination port> [password]

Prefix	Action	Description
`P`	Permit	Allow any protocol (SAP + native TCP/IP)
`S`	Permit (SAP only)	Allow only SAP protocol connections (SAP GUI, RFC)
`D`	Deny	Reject the connection

Wildcards: * matches any value. The table is read top-down; first matching rule wins.

Important: Always end with D * * * to deny all unmatched traffic (default-deny policy).

Route Strings (Client Side)

Clients connect through SAPRouter using route strings in the format:

# Route string syntax
/H/<saprouter_host>/S/<saprouter_port>/H/<target_host>/S/<target_port>

# Example: Connect to S/4HANA through SAPRouter
/H/34.46.174.105/S/3299/H/10.128.15.239/S/3203

# Example: Connect to ECC Oracle through SAPRouter
/H/34.46.174.105/S/3299/H/10.128.15.241/S/3200

# Example: Connect to ECC SQL Server through SAPRouter
/H/34.46.174.105/S/3299/H/10.128.0.51/S/3200

Substring	Meaning
`/H/`	Host name or IP address
`/S/`	Service (port number) — optional, defaults to 3299
`/W/`	Password for the route — optional

Modifying the Route Table

# Edit the route table
vi /saprouter/saprouttab

# Reload without restart (soft reload)
/saprouter/saprouter -n

# Or restart the service (if reload doesn't apply)
systemctl restart saprouter

The -n option re-reads the route table without stopping active connections. Use this in production.

Operations

Service Management

# Check service status
systemctl status saprouter

# Start SAPRouter
systemctl start saprouter

# Stop SAPRouter
systemctl stop saprouter

# Restart SAPRouter
systemctl restart saprouter

# Enable on boot
systemctl enable saprouter

SAPRouter Admin Commands

# Display active connections (short)
/saprouter/saprouter -l

# Display active connections (detailed)
/saprouter/saprouter -L

# Soft shutdown (reject new, finish current)
/saprouter/saprouter -p

# Hard stop
/saprouter/saprouter -s

# Reload route table without restart
/saprouter/saprouter -n

# Toggle trace level (cycle through 0-3)
/saprouter/saprouter -t

# Dump buffers to trace file
/saprouter/saprouter -d

# Flush internal buffers
/saprouter/saprouter -f

# Display version info
/saprouter/saprouter -v

Network Testing with niping

Use niping to test network connectivity between hosts:

# Self-test
/saprouter/niping -t

# Start niping server (on target host)
/saprouter/niping -s

# Test direct connection (without SAPRouter)
/saprouter/niping -c -H <target_host>

# Test connection through SAPRouter
/saprouter/niping -c -H /H/saprouter/H/<target_host>

# Example: test route to S/4HANA via SAPRouter
/saprouter/niping -c -H /H/34.46.174.105/H/10.128.15.239

Logging & Tracing

Connection Log

The connection log (-G option) records all connection attempts:

File	Purpose
`/saprouter/log/saprouter.log`	Connection log — timestamps, source IPs, destinations, connect/disconnect events
`/saprouter/dev_rout`	Trace file — startup info, errors, debug details (trace level 1 by default)

Log format example:

Tue Mar 31 23:06:43 2026 CONNECT FROM C9/- host 47.141.146.42/63968 (47-141-146-42.fdr01.bnng.ca.frontiernet.net)
Tue Mar 31 23:06:43 2026 CONNECT TO   S9/17 host 10.128.15.241/3200 (10.128.15.241)
Tue Mar 31 23:06:43 2026 ESTABLISHED  S9/17
Tue Mar 31 23:06:46 2026 DISCONNECT   S9/17 host 10.128.15.241/3200 (10.128.15.241)

Field	Meaning
`CONNECT FROM`	Incoming connection from external client (with source IP and resolved hostname)
`CONNECT TO`	Outbound connection to internal SAP system
`ESTABLISHED`	Connection successfully established end-to-end
`DISCONNECT`	Connection closed
`C9/-`	Client connection ID 9
`S9/17`	Server connection ID 9, file descriptor 17

Trace Levels

Level	Description	Use Case
`0`	No trace	Production (minimal overhead)
`1`	Basic (default)	Normal operation — startup, errors
`2`	Detailed	Troubleshooting connection issues
`3`	Full	Deep debugging (verbose, large files)

# Toggle trace level on running SAPRouter (cycles 1 → 2 → 3 → 0 → 1)
/saprouter/saprouter -t

# Start with specific trace level
/saprouter/saprouter -r -V 2 -G /saprouter/log/saprouter.log

# View trace file
cat /saprouter/dev_rout

# View connection log
tail -50 /saprouter/log/saprouter.log

Log rotation: Use -J <bytes> to limit log file size. Recommended: -J 2000000 (2 MB). Use -E to prevent overwriting old log/trace files (appends timestamp to filename).

Troubleshooting

Common Errors

Error	Cause	Fix
`Route permission denied`	The route is blocked by `saprouttab`	Add a permit rule for the source/destination/port, then reload with `saprouter -n`
`Maximum number of clients reached`	Connection limit exceeded (default 1024)	Increase with `-C <n>` or use `-Y` for multi-process mode
`Connection timed out`	Target host unreachable or GCP firewall blocking	Check GCP firewall rules, verify target SAP system is running
`NiPConnect2: connect failed`	Cannot reach the SAPRouter on port 3299	Check if SAPRouter is running, verify GCP firewall allows port 3299 inbound
`Connection refused`	SAPRouter not running or wrong port	`systemctl start saprouter`, verify port with `ss -tlnp \| grep 3299`
`partner not reached`	Target SAP system is down or port mismatch	Verify target system is running, check instance number matches port (inst 00 = 3200)

Diagnostic Commands

# Check if SAPRouter is running
systemctl status saprouter
ps aux | grep saprouter

# Check listening port
ss -tlnp | grep 3299

# View recent connections
tail -20 /saprouter/log/saprouter.log

# View trace for errors
cat /saprouter/dev_rout

# List active connections
/saprouter/saprouter -l

# Test connectivity to target SAP system
/saprouter/niping -c -H 10.128.15.239 -S 3203

# Test full route through SAPRouter
/saprouter/niping -c -H /H/34.46.174.105/H/10.128.15.239/S/3203

SAP Notes

Note	Title
3713006	SAProuter patch 0.635 (current installed version)
500235	Comprehensive documentation for niping tool
734095	Operating SAProuter on Windows
618053	Registering SAProuter as a Windows service
684106	Missing Microsoft DLLs for SAProuter on Windows
1818735	Installing SAProuter on IBM i