Oracle 9i RAC and Firewall (config expert needed)
Posted on 2006-05-26
I'm supporting a government agency, under bureau A. Bureau A has an interface (really, a DB Link) to some information at bureau B. Because there are two separate networks involved there is a firewall in between. Bureau A accesses bureau B's server, but B does not access A. Currently, this interface exists between two 8i servers. However, bureau B is in the process of upgrading to 9i and implenting RAC. It is in testing this new configuration (me, with an 8i server, them with a 9i RAC) that my question/problem arises. Before continuing, please know that I am by no means an Oracle configuration expert... or even novice for that matter. I am the developer on this project for Bureau A, and although I have OS and Database server configuration in my background, Oracle is not on that list. Bureau B's idea of trouble-shooting is "try this, try this, try this..." and I would rather approach the issue intellegently and methodically and find out why it's not working, not just make a bunch of random changes hoping one might fix it. Getting it to work is important, but understanding why and how it works is just as important to me. Anyway, my point is, if I use a term in a way that doesn't make complete sense, be forewarned.
In the past, they (B) have used MTS, and have locked down the dispatcher to one port, the same port as the listener. This way only one port needs to be listed in the firewall rule. I was told that this configuration is still in effect, and therefore in testing against their RAC we have opened up one, and only one port in our firewall. Here's the problem. Sometimes I can connect, sometimes I cannot. When I cannot the error is... ORA-12545: Connect failed because target host or object does not exist. The trace file (via TRACE_LEVEL_CLIENT=16) shows this... (I'm showing 10.10.10.10 as the IP address "B" provided for us to use to connect to their RAC, and SERVERA as the name of our server (Windows 2000))
niotns: Calling address: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.10.10.10)(PORT=15211)))(CONNECT_DATA=(SERVICE_NAME=tst1)(SERVER=SHARED)(CID=(PROGRAM=C:\oracle\ora81\bin\SQLPLUSW.EXE)(HOST=SERVERA)(USER=[me, as I'm logged in to the server]))))
(so far so good...)
nttbnd2addr: port resolved to 15211
nttbnd2addr: using host IP address: 10.10.10.10
nttcni: trying to connect to socket 380.
nttcon: NT layer TCP/IP connection has been established.
nttcon: set TCP_NODELAY on 380
nsopen: transport is open
(socket's open, good...)
nscon: doing connect handshake...
nscon: sending NSPTCN packet
nspsend: plen=258, type=1
nttwr: socket 380 had bytes written=258
nspsend: 258 bytes to transport
nspsend: packet dump
nspsend: 01 02 00 00 01 00 00 00 |........|
nspsend: 01 36 01 2C 00 00 08 00 |.6.,....|
nspsend: 7F FF A3 0A 00 00 01 00 |........|
nspsend: 00 C8 00 3A 00 00 02 00 |...:....|
nspsend: 61 61 00 00 00 00 00 00 |aa......|
nspsend: 00 00 00 00 07 A0 00 00 |........|
nspsend: 72 28 00 00 00 00 00 00 |r(......|
nspsend: 00 00 28 44 45 53 43 52 |..(DESCR|
nspsend: 49 50 54 49 4F 4E 3D 28 |IPTION=(|
nspsend: 41 44 44 52 45 53 53 3D |ADDRESS=|
nspsend: 28 50 52 4F 54 4F 43 4F |(PROTOCO|
nspsend: 4C 3D 54 43 50 29 28 48 |L=TCP)(H| (etc..., some connect string as above)
(right connection string sent... yet the response received is not right...)
nscon: recving a packet
nsbgetfl: normal exit
nsmal: 44 bytes at 0x13b6b68
nsmal: normal exit
nsbal: normal exit
nsprecv: reading from transport...
nttrd: socket 380 had bytes read=79
nsprecv: 79 bytes from transport
nsprecv: tlen=79, plen=79, type=5
nsprecv: packet dump
nsprecv: 00 4F 00 00 05 00 00 00 |.O......|
nsprecv: 00 45 28 41 44 44 52 45 |.E(ADDRE|
nsprecv: 53 53 3D 28 50 52 4F 54 |SS=(PROT|
nsprecv: 4F 43 4F 4C 3D 74 63 70 |OCOL=tcp|
nsprecv: 29 28 48 4F 53 54 3D 48 |)(HOST=X|
nsprecv: 52 54 53 54 44 42 30 32 |XTSTDB02|
nsprecv: 2E 77 61 73 68 64 63 2E |.xxxxxx.|
nsprecv: 73 74 61 74 65 2E 73 62 |abcde.ts|
nsprecv: 75 29 28 50 4F 52 54 3D |t)(PORT=|
nsprecv: 31 36 32 31 30 29 29 00 |16210)).|
nsprecv: normal exit
(...then, because of the firewall, we're done...)
nttbnd2addr: port resolved to 16210
nttbnd2addr: looking up IP addr for host: XXTSTDB02.xxxxxx.abcde.tst
nttbnd2addr: *** hostname lookup failure! ***
And thus the ORA-12545: Connect failed because target host or object does not exist.
Of course, XXTSTDB02.xxxxxx.abcde.tst is a made up name. I've been told that this host is IP address 10.10.10.11, not 10.10.10.10. I've also been told that I'm supposed to be connecting to XXTSTDB01.xxxxxx.abcde.tst, not "02".
I know nothing about RAC, but it looks to me like something on their side is making arbitrary, or perhaps informed decisions about what to do with my incoming request to connect, sometimes sending back the same IP address and port, sometimes sending back another. Or maybe this has nothing to do with RAC.
I'm calling on all you Oracle config experts to give me some ideas to pass over the bureua B. If you need more information about how things might be configured, just ask specific questions and I'll try to get specific answers.
Thanks in advance!