Learn how to a build a cloud-first strategyRegister Now


Oracle 9i RAC and Firewall (config expert needed)

Posted on 2006-05-26
Medium Priority
Last Modified: 2012-08-13
I'm supporting a government agency, under bureau A. Bureau A has an interface (really, a DB Link) to some information at bureau B. Because there are two separate networks involved there is a firewall in between. Bureau A accesses bureau B's server, but B does not access A. Currently, this interface exists between two 8i servers. However, bureau B is in the process of upgrading to 9i and implenting RAC. It is in testing this new configuration (me, with an 8i server, them with a 9i RAC) that my question/problem arises. Before continuing, please know that I am by no means an Oracle configuration expert... or even novice for that matter. I am the developer on this project for Bureau A, and although I have OS and Database server configuration in my background, Oracle is not on that list. Bureau B's idea of trouble-shooting is "try this, try this, try this..." and I would rather approach the issue intellegently and methodically and find out why it's not working, not just make a bunch of random changes hoping one might fix it. Getting it to work is important, but understanding why and how it works is just as important to me. Anyway, my point is, if I use a term in a way that doesn't make complete sense, be forewarned.

In the past, they (B) have used MTS, and have locked down the dispatcher to one port, the same port as the listener. This way only one port needs to be listed in the firewall rule. I was told that this configuration is still in effect, and therefore in testing against their RAC we have opened up one, and only one port in our firewall. Here's the problem. Sometimes I can connect, sometimes I cannot. When I cannot the error is... ORA-12545: Connect failed because target host or object does not exist. The trace file (via TRACE_LEVEL_CLIENT=16) shows this... (I'm showing as the IP address "B" provided for us to use to connect to their RAC, and SERVERA as the name of our server (Windows 2000))

niotns: Calling address: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=\oracle\ora81\bin\SQLPLUSW.EXE)(HOST=SERVERA)(USER=[me, as I'm logged in to the server]))))

(so far so good...)

nttbnd2addr: port resolved to 15211
nttbnd2addr: using host IP address:


nttcni: trying to connect to socket 380.
nttcni: exit
nttcon: NT layer TCP/IP connection has been established.
nttcon: set TCP_NODELAY on 380
nttcon: exit
nsopen: transport is open

(socket's open, good...)

nscon: doing connect handshake...
nscon: sending NSPTCN packet
nspsend: entry
nspsend: plen=258, type=1
nttwr: entry
nttwr: socket 380 had bytes written=258
nttwr: exit
nspsend: 258 bytes to transport
nspsend: packet dump
nspsend: 01 02 00 00 01 00 00 00  |........|
nspsend: 01 36 01 2C 00 00 08 00  |.6.,....|
nspsend: 7F FF A3 0A 00 00 01 00  |........|
nspsend: 00 C8 00 3A 00 00 02 00  |...:....|
nspsend: 61 61 00 00 00 00 00 00  |aa......|
nspsend: 00 00 00 00 07 A0 00 00  |........|
nspsend: 72 28 00 00 00 00 00 00  |r(......|
nspsend: 00 00 28 44 45 53 43 52  |..(DESCR|
nspsend: 49 50 54 49 4F 4E 3D 28  |IPTION=(|
nspsend: 41 44 44 52 45 53 53 3D  |ADDRESS=|
nspsend: 28 50 52 4F 54 4F 43 4F  |(PROTOCO|
nspsend: 4C 3D 54 43 50 29 28 48  |L=TCP)(H| (etc..., some connect string as above)

(right connection string sent... yet the response received is not right...)

nscon: recving a packet
nsprecv: entry
nsbal: entry
nsbgetfl: entry
nsbgetfl: normal exit
nsmal: entry
nsmal: 44 bytes at 0x13b6b68
nsmal: normal exit
nsbal: normal exit
nsprecv: reading from transport...
nttrd: entry
nttrd: socket 380 had bytes read=79
nttrd: exit
nsprecv: 79 bytes from transport
nsprecv: tlen=79, plen=79, type=5
nsprecv: packet dump
nsprecv: 00 4F 00 00 05 00 00 00  |.O......|
nsprecv: 00 45 28 41 44 44 52 45  |.E(ADDRE|
nsprecv: 53 53 3D 28 50 52 4F 54  |SS=(PROT|
nsprecv: 4F 43 4F 4C 3D 74 63 70  |OCOL=tcp|
nsprecv: 29 28 48 4F 53 54 3D 48  |)(HOST=X|
nsprecv: 52 54 53 54 44 42 30 32  |XTSTDB02|
nsprecv: 2E 77 61 73 68 64 63 2E  |.xxxxxx.|
nsprecv: 73 74 61 74 65 2E 73 62  |abcde.ts|
nsprecv: 75 29 28 50 4F 52 54 3D  |t)(PORT=|
nsprecv: 31 36 32 31 30 29 29 00  |16210)).|
nsprecv: normal exit

(...then, because of the firewall, we're done...)

nttbnd2addr: entry
nttbnd2addr: port resolved to 16210
nttbnd2addr: looking up IP addr for host: XXTSTDB02.xxxxxx.abcde.tst
nttbnd2addr:  *** hostname lookup failure! ***
nttbnd2addr: exit

And thus the ORA-12545: Connect failed because target host or object does not exist.

Of course, XXTSTDB02.xxxxxx.abcde.tst is a made up name. I've been told that this host is IP address, not I've also been told that I'm supposed to be connecting to XXTSTDB01.xxxxxx.abcde.tst, not "02".

I know nothing about RAC, but it looks to me like something on their side is making arbitrary, or perhaps informed decisions about what to do with my incoming request to connect, sometimes sending back the same IP address and port, sometimes sending back another. Or maybe this has nothing to do with RAC.

I'm calling on all you Oracle config experts to give me some ideas to pass over the bureua B. If you need more information about how things might be configured, just ask specific questions and I'll try to get specific answers.

Thanks in advance!
Question by:iamix

Accepted Solution

vishal68 earned 2000 total points
ID: 16768965

In an RACconfiguration what happens is that you have two nodes with individual instances running on it. In your case lets assume node 1 is and node 2 is There are listeners running on both the nodes. Therefore you have a listener running on port 15211 on node 1 and another listener running on node 2 (maybe on same port or some other port). To load balance the connections on both the nodes, Oracle registers both the instances with both the listeners. This means listener on node 1 knows about instance on node 1 as well as node 2 and same for listener on node 2. When a connect request is recieved by a listener (in this case listener on node 1), for load balancing purpose listener can either connect to the local instance or decide to redirect the request to node 2. This is what is happening in your case, whenever listener decides to connect to local instance your connection works, but whenever listener decides that the connection needs to be relocated to the second node, your connection fails as that port is not opened on your firewall.

To resolve the issue there are two ways, one is to open another port on the firewall (this is assuming that bureau B has MTS configuration on both the nodes). The second solution is simpler and this is what I would recommend. Change your tnsnames.ora and specify the instance you want to connect to. This will ensure that you are always connected to the instance on node 1 i.e. To do this you need to change the connect data section in the tnsnames.ora file. Add instance_name=inst1 after the service_name (assuming inst1 is the instance name on node 1). For example the connect data section would look like following
      (SERVICE_NAME = proddb)
      (INSTANCE_NAME = prod1)


Author Comment

ID: 16769474
Once again, experts-exchange has proven worth it's weight in gold. 500 points gladly rewarded to a most excellent explanation and solution! (btw, I went the instance_name route... brilliant!)

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring and using Oracle Database Gateway for ODBC Introduction First, a brief summary of what a Database Gateway is.  A Gateway is a set of driver agents and configurations that allow an Oracle database to communicate with other platforms…
Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Via a live example, show how to restore a database from backup after a simulated disk failure using RMAN.
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question