Oracle 10g Session Being Dropped By Firewall

Posted on 2009-04-14
Last Modified: 2013-12-18
Hello...
I'm having a problem with "idle sessions" being dropped by our Firewall. When a database client connects to Oracle 10g sitting behind the firewall all is good and fine. But when the database client goes idle for 10 minutes, the Firewall sees no traffic and drops the connection.

I added "sqlnet.expire_time=2" to the sqlnet.ora configuration file but with no effect whatsoever.

Does anyone have any ideas or thoughts to resolve this problem?

Thx!
Ken
Question by:kencrest
Expert Comment

by:Pete Long
ID: 24137980
How long do you want the session to be open for? What port is it running over? What type and OS version of firewall are you running?

Author Comment

by:kencrest
ID: 24138100
We are running Oracle 10g on Windows Server 2003. We are using a Cisco ASA Firewall. The firewall is set to time out idle sessions at 10 min. So when someone gets up from their chair to go get a cup of coffee or take a phone call, their idle time could range. I don't want it ever to timeout the database sessions. I want Oracle to be able to "successfully" send its Oracle probe packets thru the firewall to the database clients. I'm using the sqlnet.expire_time=2 value to send probe packets every 2 minutes. But it's having no effect. We are communicating over port 1521 for PC and port 5000 for Macintosh.

Thx
Ken

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 24141097
How to do it in Oracle - I wouldn't have a scooby doo - that's a bit too sandal wearingly difficult for me.
To do it on the ASA - then you would need to create an inspection map for Ports 1521 and 5000
i.e. locate the ACL allowing traffic and find out what its name is
access-list FIND_OUT_WHAT_ITS_CALLED extended permit tcp {from} {to} eq 1521
access-list FIND_OUT_WHAT_ITS_CALLED extended permit tcp {from} {to} eq 5000
Then I will assume it's called allow_oracle, but yours will be something else. You will need to create a traffic class for this ACL; I will call this class map ORACLE

class-map ORACLE
 match access-list allow_oracle
Then create a policy and apply the class to it; I'll call it ORACLE_POLICY
policy-map ORACLE_POLICY
 class ORACLE
  set connection timeout tcp 9:00:00 reset
Note: this will set the timeout to 9 hours; mess about till you get it correct.
Finally apply that Policy to an interface (You can have one policy per interface and one global policy)
service-policy ORACLE_POLICY interface outside
Note: your interface may be different - I'm assuming people access oracle from outside - but assumption is the mother of all bollox ups so check :)

Don't forget to save the config - sit back light your pipe and admire your handiwork :)
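
An added example, not part of the original answer: a Python check that traces the ACL, class-map, policy-map and service-policy chain described above and reports which ports actually receive the longer idle timeout. The sample config is constructed from the names used in the answer with a documentation address (192.0.2.10); the function names are assumptions of this example.

```python
import re

# Constructed sample: the answer's names, with a documentation address as the DB host.
SAMPLE = """\
access-list allow_oracle extended permit tcp any host 192.0.2.10 eq 1521
access-list allow_oracle extended permit tcp any host 192.0.2.10 eq 5000
class-map ORACLE
 match access-list allow_oracle
policy-map ORACLE_POLICY
 class ORACLE
  set connection timeout tcp 9:00:00 reset
service-policy ORACLE_POLICY interface outside
"""

def hms_to_seconds(text):
    """Convert an ASA hh:mm:ss timeout value to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def oracle_timeouts(config):
    """Return {(interface, port): timeout_seconds} for policies that are applied."""
    acl_ports, class_acl, policy, applied = {}, {}, {}, []
    cur_cmap = cur_pmap = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended permit tcp .* eq (\d+)$", line):
            acl_ports.setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(r"class-map (\S+)$", line):
            cur_cmap, cur_pmap, cur_class = m[1], None, None
        elif m := re.match(r"policy-map (\S+)$", line):
            cur_pmap, cur_cmap, cur_class = m[1], None, None
        elif (m := re.match(r"match access-list (\S+)$", line)) and cur_cmap:
            class_acl[cur_cmap] = m[1]
        elif (m := re.match(r"class (\S+)$", line)) and cur_pmap:
            cur_class = m[1]
        elif (m := re.match(r"set connection timeout tcp (\d+:\d+:\d+)", line)) and cur_class:
            policy.setdefault(cur_pmap, {})[cur_class] = hms_to_seconds(m[1])
        elif m := re.match(r"service-policy (\S+) (?:interface (\S+)|global)$", line):
            applied.append((m[1], m[2] or "global"))
    result = {}
    for pmap, iface in applied:
        for cls, secs in policy.get(pmap, {}).items():
            # A class-map that names a non-existent ACL contributes no ports.
            for port in acl_ports.get(class_acl.get(cls), ()):
                result[(iface, port)] = secs
    return result
```

A port missing from the result means the chain is broken somewhere, for instance when the class-map matches an ACL name that does not exist on the device, so the firewall's default idle timeout still applies to that port.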

Author Comment

by:kencrest
ID: 24197651
Hi Pete,
Sorry for the delay in getting back to you. It's been crazy. Just want to let you know that your idea was FANTASTIC and really helped a lot. Thanks very much for detailing out your explanation. I liked your sense of humor too! Thanks again!

Best Regards,
Ken

Author Closing Comment

by:kencrest
ID: 31569857
Great answer!

Expert Comment

by:Pete Long
ID: 24198261
:) My Pleasure - ThanQ