ORA-12541 caused by a Cisco firewall dropping packets in shared server mode
Source: Internet  Editor: 程序博客网  Time: 2024/06/05 03:54
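After the WMS database was changed from dedicated mode to shared mode, ORA-12541 no listener errors appeared frequently,
and the error came back very quickly. Later, checking the firewall showed that some packets were being dropped outright. Metalink
has a support note on this problem, Metalink ID 1212204.1.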
Shared dedicated
Intermittent "Broken Pipe" Errors Through Cisco Firewall [ID 1212204.1]
Modified 16-JUN-2011 Type PROBLEM Status PUBLISHED
In this Document
Symptoms
Cause
Solution
Applies to:
JDBC - Version: 10.2.0.1 to 11.2.0.2 - Release: 10.2 to 11.2
Information in this document applies to any platform.
Symptoms
JDBC connections going through a firewall experience intermittent "Broken Pipe" errors, particularly during periods of high load.
The details of the exception stack may vary depending upon the application or container being used; for example, the exception stack when using Oracle's JDBC driver from WebLogic may resemble the following:
<15-Sep-2010 04:13:34 o'clock BST> <Error> <JDBC> <BEA-001112> <Test "SELECT 1 FROM DUAL" set up for pool "A50-sbs-get-image-service-images-DS-1" failed with exception:
"java.sql.SQLException: [BEA][Oracle JDBC Driver]Write failed: Broken pipe".>
[Wed Sep 15 04:34:46 2010][1284521686753] GC reason: Large object allocation failed (69648 bytes), cause: Alloc Queue
[Wed Sep 15 04:34:46 2010][1284521686755] Stopping of javathreads took 1.965 ms
Cause
This is a firewall issue. Oracle traffic does not pass through the firewall.
This issue is caused by the SQL*Net inspection feature of the firewall. When it occurs, the connections are torn out. The TCP proxy for SQL*Net inspection engine was designed to handle multiple TNS frames in one TCP segment. The SQL*Net inspection handles many TNS frames in one packet rendering the code complex.
In order to resolve this issue, the firewall's inspection engine should not handle multiple TNS frames in one packet. It is assumed that each TNS frame is a different TCP packet and is inspected individually.
For the Cisco firewall, bugs have been filed for this behavior. For more information, refer to the following link (registered Cisco customers only): CSCsr27940
Solution
From the Cisco firewall: Use the "no inspect sqlnet" command in class configuration mode in order to disable the inspection for SQL*Net. For example:
ASA(config)#class-map sqlnet-port
ASA(config-cmap)#match port tcp eq 1521
ASA(config-cmap)#exit
ASA(config)#policy-map sqlnet_policy
ASA(config-pmap)#class sqlnet-port
ASA(config-pmap-c)#no inspect sqlnet
ASA(config-pmap-c)#exit
ASA(config)#service-policy sqlnet_policy interface outside
For more information, refer to the SQL*Net inspection section of the Cisco Security Appliance Command Reference, Version 8.0.
Cisco log
ASA-F1(config)# show logging | in 10.7.46.113
Aug 04 2011 17:19:02: %ASA-6-106100: access-list 101 permitted tcp inside/172.16.50.31(55225) -> outside/10.7.46.113(1521) hit-cnt 1 first hit [0xd0205292, 0x0]
Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164701 for outside:10.7.46.113/1521 (10.7.46.113/1521) to inside:172.16.50.31/55225 (172.16.50.31/55225)
Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164702 for outside:10.7.46.113/46175 (10.7.46.113/46175) to inside:172.16.50.31/55226 (172.16.50.31/55226)
Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164701 for outside:10.7.46.113/1521 to inside:172.16.50.31/55225 duration 0:00:00 bytes 350 TCP FINs
Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164702 for outside:10.7.46.113/46175 to inside:172.16.50.31/55226 duration 0:00:00 bytes 0 TCP Reset-O
Aug 04 2011 17:19:17: %ASA-6-106100: access-list 101 permitted tcp inside/172.16.50.31(55232) -> outside/10.7.46.113(1521) hit-cnt 1 first hit [0xd0205292, 0x0]
Aug 04 2011 17:19:17: %ASA-6-302013: Built outbound TCP connection 188164804 for outside:10.7.46.113/1521 (10.7.46.113/1521) to inside:172.16.50.31/55232 (172.16.50.31/55232)
Aug 04 2011 17:19:17: %ASA-6-302013: Built outbound TCP connection 188164805 for outside:10.7.46.113/46175 (10.7.46.113/46175) to inside:172.16.50.31/55233 (172.16.50.31/55233)
Aug 04 2011 17:19:17: %ASA-6-302014: Teardown TCP connection 188164804 for outside:10.7.46.113/1521 to inside:172.16.50.31/55232 duration 0:00:00 bytes 350 TCP FINs
Aug 04 2011 17:19:17: %ASA-6-302014: Teardown TCP connection 188164805 for outside:10.7.46.113/46175 to inside:172.16.50.31/55233 duration 0:00:00 bytes 0 TCP Reset-O
Best Regards!
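A way to find this pattern in ASA syslog, added here as an example that is not part of the original post or the Oracle note: it pairs the 302013/302014 records by connection id and flags connections torn down with 0 bytes and `TCP Reset-O` shortly after the same client connected to the listener port on the same server. The correlation window, the function names and the last two sample lines are assumptions made for the example.

```python
import re
from datetime import datetime

LISTENER_PORT = 1521   # port matched by the class-map on this page
WINDOW_S = 2           # assumed correlation window, in seconds

# First eight lines are from the capture above; the last two are constructed.
SAMPLE_LOG = """\
Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164701 for outside:10.7.46.113/1521 (10.7.46.113/1521) to inside:172.16.50.31/55225 (172.16.50.31/55225)
Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164702 for outside:10.7.46.113/46175 (10.7.46.113/46175) to inside:172.16.50.31/55226 (172.16.50.31/55226)
Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164701 for outside:10.7.46.113/1521 to inside:172.16.50.31/55225 duration 0:00:00 bytes 350 TCP FINs
Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164702 for outside:10.7.46.113/46175 to inside:172.16.50.31/55226 duration 0:00:00 bytes 0 TCP Reset-O
Aug 04 2011 17:19:17: %ASA-6-302013: Built outbound TCP connection 188164804 for outside:10.7.46.113/1521 (10.7.46.113/1521) to inside:172.16.50.31/55232 (172.16.50.31/55232)
Aug 04 2011 17:19:17: %ASA-6-302013: Built outbound TCP connection 188164805 for outside:10.7.46.113/46175 (10.7.46.113/46175) to inside:172.16.50.31/55233 (172.16.50.31/55233)
Aug 04 2011 17:19:17: %ASA-6-302014: Teardown TCP connection 188164804 for outside:10.7.46.113/1521 to inside:172.16.50.31/55232 duration 0:00:00 bytes 350 TCP FINs
Aug 04 2011 17:19:17: %ASA-6-302014: Teardown TCP connection 188164805 for outside:10.7.46.113/46175 to inside:172.16.50.31/55233 duration 0:00:00 bytes 0 TCP Reset-O
Aug 04 2011 17:20:05: %ASA-6-302013: Built outbound TCP connection 188165001 for outside:10.7.46.113/8080 (10.7.46.113/8080) to inside:172.16.50.40/40112 (172.16.50.40/40112)
Aug 04 2011 17:20:05: %ASA-6-302014: Teardown TCP connection 188165001 for outside:10.7.46.113/8080 to inside:172.16.50.40/40112 duration 0:00:00 bytes 0 TCP Reset-O
"""

BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) for "
                   r"\w+:([\d.]+)/(\d+) \(\S+\) to \w+:([\d.]+)/\d+")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for "
                      r".* bytes (\d+) (.+)$")

def parse(log):
    """Merge Built (302013) and Teardown (302014) records by connection id."""
    conns = {}
    for line in log.splitlines():
        if m := BUILT.search(line):
            cid, server, port, client = m.groups()
            ts = datetime.strptime(line[:20], "%b %d %Y %H:%M:%S")
            conns[cid] = dict(id=cid, server=server, port=int(port),
                              client=client, ts=ts)
        elif (m := TEARDOWN.search(line)) and m.group(1) in conns:
            conns[m.group(1)].update(bytes=int(m.group(2)), reason=m.group(3))
    return list(conns.values())

def suspect_resets(log):
    """0-byte Reset-O teardowns that closely follow a listener connection."""
    conns = parse(log)
    listener = [c for c in conns if c["port"] == LISTENER_PORT]
    return [c for c in conns
            if c["port"] != LISTENER_PORT
            and c.get("bytes") == 0 and c.get("reason") == "TCP Reset-O"
            and any(l["client"] == c["client"] and l["server"] == c["server"]
                    and abs((c["ts"] - l["ts"]).total_seconds()) <= WINDOW_S
                    for l in listener)]
```

The constructed reset on port 8080 is not flagged because no listener connection from that client precedes it; the two connections to port 46175 from the capture are.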