Oracle 9i RAC and Firewall (config expert needed)

Posted on 2006-05-26
Last Modified: 2012-08-13
I'm supporting a government agency, under bureau A. Bureau A has an interface (really, a DB Link) to some information at bureau B. Because there are two separate networks involved there is a firewall in between. Bureau A accesses bureau B's server, but B does not access A. Currently, this interface exists between two 8i servers. However, bureau B is in the process of upgrading to 9i and implenting RAC. It is in testing this new configuration (me, with an 8i server, them with a 9i RAC) that my question/problem arises. Before continuing, please know that I am by no means an Oracle configuration expert... or even novice for that matter. I am the developer on this project for Bureau A, and although I have OS and Database server configuration in my background, Oracle is not on that list. Bureau B's idea of trouble-shooting is "try this, try this, try this..." and I would rather approach the issue intellegently and methodically and find out why it's not working, not just make a bunch of random changes hoping one might fix it. Getting it to work is important, but understanding why and how it works is just as important to me. Anyway, my point is, if I use a term in a way that doesn't make complete sense, be forewarned.

In the past, they (B) have used MTS, and have locked down the dispatcher to one port, the same port as the listener. This way only one port needs to be listed in the firewall rule. I was told that this configuration is still in effect, and therefore in testing against their RAC we have opened up one, and only one port in our firewall. Here's the problem. Sometimes I can connect, sometimes I cannot. When I cannot the error is... ORA-12545: Connect failed because target host or object does not exist. The trace file (via TRACE_LEVEL_CLIENT=16) shows this... (I'm showing as the IP address "B" provided for us to use to connect to their RAC, and SERVERA as the name of our server (Windows 2000))

niotns: Calling address: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=\oracle\ora81\bin\SQLPLUSW.EXE)(HOST=SERVERA)(USER=[me, as I'm logged in to the server]))))

(so far so good...)

nttbnd2addr: port resolved to 15211
nttbnd2addr: using host IP address:


nttcni: trying to connect to socket 380.
nttcni: exit
nttcon: NT layer TCP/IP connection has been established.
nttcon: set TCP_NODELAY on 380
nttcon: exit
nsopen: transport is open

(socket's open, good...)

nscon: doing connect handshake...
nscon: sending NSPTCN packet
nspsend: entry
nspsend: plen=258, type=1
nttwr: entry
nttwr: socket 380 had bytes written=258
nttwr: exit
nspsend: 258 bytes to transport
nspsend: packet dump
nspsend: 01 02 00 00 01 00 00 00  |........|
nspsend: 01 36 01 2C 00 00 08 00  |.6.,....|
nspsend: 7F FF A3 0A 00 00 01 00  |........|
nspsend: 00 C8 00 3A 00 00 02 00  |...:....|
nspsend: 61 61 00 00 00 00 00 00  |aa......|
nspsend: 00 00 00 00 07 A0 00 00  |........|
nspsend: 72 28 00 00 00 00 00 00  |r(......|
nspsend: 00 00 28 44 45 53 43 52  |..(DESCR|
nspsend: 49 50 54 49 4F 4E 3D 28  |IPTION=(|
nspsend: 41 44 44 52 45 53 53 3D  |ADDRESS=|
nspsend: 28 50 52 4F 54 4F 43 4F  |(PROTOCO|
nspsend: 4C 3D 54 43 50 29 28 48  |L=TCP)(H| (etc..., some connect string as above)

(right connection string sent... yet the response received is not right...)

nscon: recving a packet
nsprecv: entry
nsbal: entry
nsbgetfl: entry
nsbgetfl: normal exit
nsmal: entry
nsmal: 44 bytes at 0x13b6b68
nsmal: normal exit
nsbal: normal exit
nsprecv: reading from transport...
nttrd: entry
nttrd: socket 380 had bytes read=79
nttrd: exit
nsprecv: 79 bytes from transport
nsprecv: tlen=79, plen=79, type=5
nsprecv: packet dump
nsprecv: 00 4F 00 00 05 00 00 00  |.O......|
nsprecv: 00 45 28 41 44 44 52 45  |.E(ADDRE|
nsprecv: 53 53 3D 28 50 52 4F 54  |SS=(PROT|
nsprecv: 4F 43 4F 4C 3D 74 63 70  |OCOL=tcp|
nsprecv: 29 28 48 4F 53 54 3D 48  |)(HOST=X|
nsprecv: 52 54 53 54 44 42 30 32  |XTSTDB02|
nsprecv: 2E 77 61 73 68 64 63 2E  |.xxxxxx.|
nsprecv: 73 74 61 74 65 2E 73 62  |abcde.ts|
nsprecv: 75 29 28 50 4F 52 54 3D  |t)(PORT=|
nsprecv: 31 36 32 31 30 29 29 00  |16210)).|
nsprecv: normal exit

(...then, because of the firewall, we're done...)

nttbnd2addr: entry
nttbnd2addr: port resolved to 16210
nttbnd2addr: looking up IP addr for host: XXTSTDB02.xxxxxx.abcde.tst
nttbnd2addr:  *** hostname lookup failure! ***
nttbnd2addr: exit

And thus the ORA-12545: Connect failed because target host or object does not exist.

Of course, XXTSTDB02.xxxxxx.abcde.tst is a made up name. I've been told that this host is IP address, not I've also been told that I'm supposed to be connecting to XXTSTDB01.xxxxxx.abcde.tst, not "02".

I know nothing about RAC, but it looks to me like something on their side is making arbitrary, or perhaps informed decisions about what to do with my incoming request to connect, sometimes sending back the same IP address and port, sometimes sending back another. Or maybe this has nothing to do with RAC.

I'm calling on all you Oracle config experts to give me some ideas to pass over the bureua B. If you need more information about how things might be configured, just ask specific questions and I'll try to get specific answers.

Thanks in advance!
Question by:iamix
    LVL 7

    Accepted Solution


    In an RACconfiguration what happens is that you have two nodes with individual instances running on it. In your case lets assume node 1 is and node 2 is There are listeners running on both the nodes. Therefore you have a listener running on port 15211 on node 1 and another listener running on node 2 (maybe on same port or some other port). To load balance the connections on both the nodes, Oracle registers both the instances with both the listeners. This means listener on node 1 knows about instance on node 1 as well as node 2 and same for listener on node 2. When a connect request is recieved by a listener (in this case listener on node 1), for load balancing purpose listener can either connect to the local instance or decide to redirect the request to node 2. This is what is happening in your case, whenever listener decides to connect to local instance your connection works, but whenever listener decides that the connection needs to be relocated to the second node, your connection fails as that port is not opened on your firewall.

    To resolve the issue there are two ways, one is to open another port on the firewall (this is assuming that bureau B has MTS configuration on both the nodes). The second solution is simpler and this is what I would recommend. Change your tnsnames.ora and specify the instance you want to connect to. This will ensure that you are always connected to the instance on node 1 i.e. To do this you need to change the connect data section in the tnsnames.ora file. Add instance_name=inst1 after the service_name (assuming inst1 is the instance name on node 1). For example the connect data section would look like following
        (CONNECT_DATA =
          (SERVICE_NAME = proddb)
          (INSTANCE_NAME = prod1)


    Author Comment

    Once again, experts-exchange has proven worth it's weight in gold. 500 points gladly rewarded to a most excellent explanation and solution! (btw, I went the instance_name route... brilliant!)

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    Suggested Solutions

    Working with Network Access Control Lists in Oracle 11g (part 1) Part 2: So, you upgraded to a shiny new 11g database and all of a sudden every program that used UTL_MAIL, UTL_SMTP, UTL_TCP, UTL_HTTP or any oth…
    Cursors in Oracle: A cursor is used to process individual rows returned by database system for a query. In oracle every SQL statement executed by the oracle server has a private area. This area contains information about the SQL statement and the…
    This video shows how to Export data from an Oracle database using the Original Export Utility.  The corresponding Import utility, which works the same way is referenced, but not demonstrated.
    This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now