Classic GUI login challenge with a partial network: I was asked to check on a classic SAP GUI login fault when testing a network connectivity solution. Getting to a point of knowing enough to ask intelligent questions was my first step, sort of stretching the mental muscles that have not been deeply into an SAP network traffic analysis since getting too familiar with NIPING and friends.  This time, it’s LGTST, a similarly fossil-like component of a running SAP stack.

A bit of searching for the reported symptoms I was given (connection to SAP ECC failed) showed a logon test suite/tool called “LGTST.EXE” or “lgtst”.

SAP Note 2077230 came up as a central repository, which as usual led to a passel of other notes (in no particular order here other than as logged).

  • 2075150 - SAP Logon (Pad) 740: New format of configuration files as of SAP GUI for Windows 7.40
  • 1760329 - SAP in NAT (Network Address Translation) environment
  • 364552 - Loadbalancing does not find application server
  • 593058 - New RFC load balancing procedure
  • 1053387 - Allow IP caching in SAP GUI to be switched off
  • 64015 - Description of test program lgtst

Great when “new” is still in a 6-digit note number.

https://launchpad.support.sap.com/#/notes/64015

Locally installed version:

3489523 May 31 2016 /usr/sap/NNN/SYS/exe/run/lgtst

That’s on a server, I needed one on my PC where the remote network drop would be plugged in. Looked around the GUI/client files, nothing like that.  Back to the search engines, and maybe SAP HELP.

Hm. Netweaver ’04.  Ah, close enough for this chain.

Try 1, close, but no.

lgtst Could not open the ICU common library. The following files must be in the path described by the environment variable "LIBPATH":

Set up environment, try 2.

Test Program for LG-Layer (SAP Login Info), Release 721, version 5, Jan 28 2014 required options pf=name : profile name or

Within the past couple years on the build, but as to be seen later, probably little code change.  Next, check usage with -? or /h or whatever works.

 -Version : print patch version and exit

OK, not -v, and not -V, and not -version…

$ lgtst -H nnn -S 3603 using trcfile: nnn_lg list of reachable application servers ------------------------------------- [] [] [] [sapdp03] [3203] [DIA UPD BTC SPO UP2 ICM ] [] [] [] [sapdp03] [3203] [DIA UPD ENQ BTC SPO UP2 ICM ] list of selectable logon groups with favorites ------------------------------------------------ [Development] [] [3203] [702] [SPACE] [] [3203] [702]

Server side commands for reference.  PC version was possibly found in a tool bag called message tools, or MSG_TOOLS, because.

As of 6.20, it is provided together with other Message Server tools in MSG_TOOLS*.SAR

Er, yeah, SAR, need to find if that’s on my standard PC image. Nope. Copy to server, unpack, recopy to PC, try 3 as it were.  After reading the SAR usage a few times.

: lgtst.exe Could not open the ICU common library. The following files must be in the path described by the environment variable "PATH": icuuc26.dll, icudt26l.dll, icuin26.dll [nlsui0.c 1406] pid = 28056 Terminating. You may set the environment variable NLSUI_7BIT_FALLBACK to run the program without the ICU libraries in an emergency mode. [nlsui0.c 1154] pid = 28056

Searched, didn’t find these, so over to the support pad.  Right, RFC SDK.

SAP SUPPORT (and downloads)

https://support.sap.com/en/offerings-programs/enterprise-support.html

https://support.sap.com/en/my-support/software-downloads.html

Gui Nat C 6678727

While in the store, look around to see if anything is still on the shelf.

Nothing recent at all this year, and only one recent related to the printing project (for another day).

Gui Nat F 1 2106916

Check the download history.  Wow, some dust there.

History down/up arrow in the search bar shows secure file transfers (from around 2 years ago) and a printer definition meta search from under 2 years.

Gui Nat H 7619434

One download after another, turns out 7xx has a library number 34 or higher and I ended up with versions 26, ostensibly dated 2012.

x nwrfcsdk/lib/icudt34.dll
x nwrfcsdk/lib/icuin34.dll
x nwrfcsdk/lib/icuuc34.dll

Almost working, but somehow in the shuttling the DLL files lost their executable bit(s).  Restored that, and much better.

I didn’t consider the workaround NLSUI_7BIT_FALLBACK as that would have been no fun.

And finally,

lgtst.exe -H  -S 3603 using trcfile: nnn_lg list of reachable application servers ------------------------------------- [] [] [] [sapdp03] [3203] [DIA UPD BTC SPO UP2 ICM ] [] [] [] [sapdp03] [3203] [DIA UPD ENQ BTC SPO UP2 ICM ] list of selectable logpn groups with favorites ------------------------------------------------ [Development] [] [3203] [702] [SPACE] [] [3203] [702]

Wait, what, “logpn”?  Um.

Which version of the client did I end up finding?  More likely 640 vintage than anything 740 or higher, so let’s check

lgtst

+- $ ./lgtst -Version Test Program for LG-Layer (SAP Login Info), Version 5, Jul 6 2005 ********************************************************************** * reason : unknown option specified * ********************************************************************** +-

So the “-Version” check doesn’t exist, though that shows up on the first line after all.  Ok, over 10 years old.  Hopefully not needed to be fresher, because other than IPV6 growth, not much new in decades.

Interestingly, the “Version 5” is no different than the 721 version shown above.

On to the connection tests after those preambles.  Run an in-network set to get the expected results, then power down, relocate, repeat.

Checking for network addresses, finding unusual numbers, thinking nat.

Gui Nat B 4816038

The output shows what the docs and the same old way say, which is IPV4.

Message strings for cross reference:

/

*** ERROR => MsIAttachEx: NiBufConnect to []/36## failed (rc=NIECONN_PENDING) [msxxi.c 647] *** ERROR => LgIAttach: MsAttach (rc=NIECONN_PENDING) [lgxx.c 2997] *** ERROR => LgApplSrvInfo: LgIAttach(rc=LGEMSLAYER) [lgxx.c 695]

/

An SAP wiki doc has the salient ports, but alas, nothing I can discern that would obviate IPV4 addresses over domain names, fully qualified or no.

https://wiki.scn.sap.com/wiki/display/SI/ABAP+Logon+Group+based+Load+Balancing

[

The Message Server sends back the IP address and port number of the favorite server.

]

(emphasis mine)

Conclusions and hey, look, squirrel.

I’d think this was the triage process, with several next steps feasible.  Maybe a ticket to SAP, maybe back to the other team trying this solution out, maybe something more-or-less magical that shims the missing pieces into place.

Create a local hosts file?  Still not unthinkable. Just need to get a policy exception.

Newer user interfaces beyond the SAP GUI abound, but until the critical mass of operational instances shrink this client must be tested against developments in firewalls, virtualization, and security measures in general.

The installation of the logon test program on Windows was a bit convoluted, and whether the main reason was my rustiness (okay, I’d never heard of lgtst before this week) or the layers on layers of software that builds up and is hard to be rid of, I’ve learnt a bit.

Reading documentation sometimes takes me into other directions, perhaps figuring out a different write-up that meets the situation, or perhaps just noticing the odd discrepancy, such as a rightly spelled word that does not belong.

“has to me published to the message server.”