ORA-12541 Caused by a CISCO Firewall Blocking Packets in Shared Server Mode

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 03:54
 

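After the WMS database was switched from dedicated mode to shared mode, ORA-12541 (no listener) errors appeared frequently, and the error came back very quickly. Checking the firewall later showed that some packets were being dropped outright. Metalink has a support note on this problem: Metalink ID 1212204.1.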

 

Shared    dedicated

 

Intermittent "Broken Pipe" Errors Through Cisco Firewall [ID 1212204.1]


 

Modified 16-JUN-2011     Type PROBLEM     Status PUBLISHED

 

In this Document
  Symptoms
  Cause
  Solution


Applies to:

JDBC - Version: 10.2.0.1 to 11.2.0.2 - Release: 10.2 to 11.2
Information in this document applies to any platform.

Symptoms

JDBC connections going through a firewall experience intermittent "Broken Pipe" errors, particularly during periods of high load. 

The details of the exception stack may vary depending upon the application or container being used; for example, the exception stack when using Oracle's JDBC driver from WebLogic may resemble the following:

<15-Sep-2010 04:13:34 o'clock BST> <Error> <JDBC> <BEA-001112> <Test "SELECT 1 FROM DUAL" set up for pool "A50-sbs-get-image-service-images-DS-1" failed with exception:
"java.sql.SQLException: [BEA][Oracle JDBC Driver]Write failed: Broken pipe".>
[Wed Sep 15 04:34:46 2010][1284521686753] GC reason: Large object allocation failed (69648 bytes), cause: Alloc Queue
[Wed Sep 15 04:34:46 2010][1284521686755] Stopping of javathreads took 1.965 ms

 

 

Cause

This is a firewall issue.  Oracle traffic does not pass through the firewall.

This issue is caused by the SQL*Net inspection feature of the firewall. When it occurs, the connections are torn down. The TCP proxy for the SQL*Net inspection engine was designed to handle multiple TNS frames in one TCP segment. The SQL*Net inspection handles many TNS frames in one packet, rendering the code complex.

In order to resolve this issue, the firewall's inspection engine should not handle multiple TNS frames in one packet. It is assumed that each TNS frame is a different TCP packet and is inspected individually.

For the Cisco firewall, bugs have been filed for this behavior. For more information, refer to the following link (registered Cisco customers only): CSCsr27940

Solution

From the Cisco firewall:  Use the "no inspect sqlnet" command in class configuration mode in order to disable the inspection for SQL*Net.  For example:

ASA(config)#class-map sqlnet-port
ASA(config-cmap)#match port tcp eq 1521
ASA(config-cmap)#exit
ASA(config)#policy-map sqlnet_policy
ASA(config-pmap)#class sqlnet-port
ASA(config-pmap-c)#no inspect sqlnet
ASA(config-pmap-c)#exit
ASA(config)#service-policy sqlnet_policy interface outside



For more information, refer to the SQL*Net inspection section of the Cisco Security Appliance Command Reference, Version 8.0.

 

Cisco log

 

ASA-F1(config)# show logging | in 10.7.46.113

Aug 04 2011 17:19:02: %ASA-6-106100: access-list 101 permitted tcp inside/172.16.50.31(55225) -> outside/10.7.46.113(1521) hit-cnt 1 first hit [0xd0205292, 0x0]

Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164701 for outside:10.7.46.113/1521 (10.7.46.113/1521) to inside:172.16.50.31/55225 (172.16.50.31/55225)

Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164702 for outside:10.7.46.113/46175 (10.7.46.113/46175) to inside:172.16.50.31/55226 (172.16.50.31/55226)

Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164701 for outside:10.7.46.113/1521 to inside:172.16.50.31/55225 duration 0:00:00 bytes 350 TCP FINs

Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164702 for outside:10.7.46.113/46175 to inside:172.16.50.31/55226 duration 0:00:00 bytes 0 TCP Reset-O

Aug 04 2011 17:19:17: %ASA-6-106100: access-list 101 permitted tcp inside/172.16.50.31(55232) -> outside/10.7.46.113(1521) hit-cnt 1 first hit [0xd0205292, 0x0]

Aug 04 2011 17:19:17: %ASA-6-302013: Built outbound TCP connection 188164804 for outside:10.7.46.113/1521 (10.7.46.113/1521) to inside:172.16.50.31/55232 (172.16.50.31/55232)

Aug 04 2011 17:19:17: %ASA-6-302013: Built outbound TCP connection 188164805 for outside:10.7.46.113/46175 (10.7.46.113/46175) to inside:172.16.50.31/55233 (172.16.50.31/55233)

Aug 04 2011 17:19:17: %ASA-6-302014: Teardown TCP connection 188164804 for outside:10.7.46.113/1521 to inside:172.16.50.31/55232 duration 0:00:00 bytes 350 TCP FINs

Aug 04 2011 17:19:17: %ASA-6-302014: Teardown TCP connection 188164805 for outside:10.7.46.113/46175 to inside:172.16.50.31/55233 duration 0:00:00 bytes 0 TCP Reset-O

Best Regards!
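The pattern in the firewall log above can be checked for automatically: a connection to the listener port (1521) closes normally, while a second connection from the same client to another port on the same server is torn down with 0 bytes and a TCP reset. The following Python sketch is an added example, not part of the original post or the Oracle note; the function name and the interpretation of the second port as the shared-server redirect target are assumptions.

```python
import re

# Sample input: one client attempt, copied from the firewall log on this page.
SAMPLE_LOG = """\
Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164701 for outside:10.7.46.113/1521 (10.7.46.113/1521) to inside:172.16.50.31/55225 (172.16.50.31/55225)
Aug 04 2011 17:19:02: %ASA-6-302013: Built outbound TCP connection 188164702 for outside:10.7.46.113/46175 (10.7.46.113/46175) to inside:172.16.50.31/55226 (172.16.50.31/55226)
Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164701 for outside:10.7.46.113/1521 to inside:172.16.50.31/55225 duration 0:00:00 bytes 350 TCP FINs
Aug 04 2011 17:19:02: %ASA-6-302014: Teardown TCP connection 188164702 for outside:10.7.46.113/46175 to inside:172.16.50.31/55226 duration 0:00:00 bytes 0 TCP Reset-O
"""

# 302013 = connection built, 302014 = connection torn down (IDs as seen in the log).
BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) for "
                   r"\w+:([\d.]+)/(\d+) .*? to \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .*? "
                      r"duration (\S+) bytes (\d+) (.+)$")

def find_reset_redirects(log_text, listener_port=1521):
    """Return non-listener connections that were reset with 0 bytes.

    Hypothetical helper: a hit means the client reached the listener but the
    follow-up connection (assumed to be the shared-server redirect) never
    carried data before being reset.
    """
    conns = {}  # ASA connection id -> parsed fields
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, server, sport, client, cport = m.groups()
            conns[cid] = {"id": cid, "server": server, "server_port": int(sport),
                          "client": client, "client_port": int(cport)}
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(bytes=int(m.group(3)),
                                     reason=m.group(4).strip())
    # Client/server pairs that also talked to the listener port.
    pairs = {(c["server"], c["client"]) for c in conns.values()
             if c["server_port"] == listener_port}
    return [c for c in conns.values()
            if c["server_port"] != listener_port
            and (c["server"], c["client"]) in pairs
            and c.get("bytes") == 0
            and "Reset" in c.get("reason", "")]

if __name__ == "__main__":
    for hit in find_reset_redirects(SAMPLE_LOG):
        print(hit)
```

Running the same check on logs captured after applying "no inspect sqlnet" shows whether the zero-byte resets have stopped.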