
Oracle DBLINK cannot retrieve data through an ASA firewall: solution

Date: 2014-06-18 23:54 Source: 电脑教程学习网 www.etwiki.cn Editor: admin

Today, while querying data, no data came back and the program hung. The sqlnet debug output showed the following messages:

SQLNet: received partial fragment, frag len: 2011, partial frag len: 1380, 631 bytes needed
SQLNet: multiple TNS frames in one packet!

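This problem is caused by the sqlnet inspection feature of the Cisco firewall; when it occurs, the data gets split apart. The TCP proxy for the sqlnet inspection engine was designed to handle multiple TNS frames in one TCP segment, and sqlnet inspection handling many TNS frames in one packet makes the code complex. To resolve the problem, the inspection engine should not handle multiple TNS frames in one packet. The solution is quoted below (refer mainly to the part highlighted in red):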

 

Oracle traffic does not pass through the firewall. How can I resolve this issue?

A. This issue is caused by the sqlnet inspection feature of the firewall. When it occurs, the connections are torn out. The TCP proxy for sqlnet inspection engine was designed to handle multiple TNS frames in one TCP segment. The sqlnet inspection handles many TNS frames in one packet rendering the code complex.

In order to resolve this issue, the inspection engine should not handle multiple TNS frames in one packet. It is assumed that each TNS frame is a different TCP packet and is inspected individually.

Software bugs have been filed for this behavior; for more information, refer to CSCsr27940 (registered customers only) and CSCsr14351 (registered customers only).

The solution for this problem is given below. Use the no inspect sqlnet command in class configuration mode in order to disable the inspection for sqlnet.

ASA(config)#class-map sqlnet-port
ASA(config-cmap)#match port tcp eq 1521
ASA(config-cmap)#exit
ASA(config)#policy-map sqlnet_policy
ASA(config-pmap)#class sqlnet-port
ASA(config-pmap-c)#no inspect sqlnet
ASA(config-pmap-c)#exit
ASA(config)#service-policy sqlnet_policy interface outside

For more information, refer to the SQLNet inspection section of the Cisco Security Appliance Command Reference, Version 8.0.
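
What the two trace messages at the top of this page mean at the byte level, as an added example (not code from the original post, from Cisco or from Oracle): a minimal Python reassembler that assumes the classic 8-byte TNS header with a 2-byte big-endian length field. The class and function names and the traffic are constructed for illustration; the 2011-byte frame and 1380-byte segment sizes are taken from the trace.

```python
import struct

TNS_HEADER_LEN = 8  # length(2) checksum(2) type(1) flags(1) header checksum(2)

def tns_frame(ptype, body):
    """Build a constructed TNS frame: 8-byte header followed by the body."""
    return struct.pack(">HHBBH", TNS_HEADER_LEN + len(body), 0, ptype, 0, 0) + body

class TnsReassembler:
    """Rebuild TNS frames from a TCP byte stream, one segment payload at a time."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        """Return (complete_frames, frag_len, partial_frag_len, bytes_needed)."""
        self.buf += segment
        frames = []
        while len(self.buf) >= TNS_HEADER_LEN:
            (frag_len,) = struct.unpack(">H", self.buf[:2])
            if frag_len < TNS_HEADER_LEN:
                raise ValueError("invalid TNS length field: %d" % frag_len)
            if len(self.buf) < frag_len:
                # The frame continues in a later segment: a partial fragment.
                return frames, frag_len, len(self.buf), frag_len - len(self.buf)
            frames.append(self.buf[:frag_len])
            self.buf = self.buf[frag_len:]
        return frames, 0, len(self.buf), 0

def demo():
    """Constructed stream: one 2011-byte Data frame (type 6), then two small ones."""
    stream = (tns_frame(6, b"A" * (2011 - TNS_HEADER_LEN))
              + tns_frame(6, b"B" * 40)
              + tns_frame(6, b"C" * 20))
    mss = 1380  # TCP payload size per segment, as in the trace
    reasm = TnsReassembler()
    return [reasm.feed(stream[i:i + mss]) for i in range(0, len(stream), mss)]

if __name__ == "__main__":
    for n, (frames, frag_len, partial, needed) in enumerate(demo(), 1):
        if needed:
            print("segment %d: partial fragment, frag len: %d, partial frag len: %d, "
                  "%d bytes needed" % (n, frag_len, partial, needed))
        if len(frames) > 1:
            print("segment %d: completes %d TNS frames (sizes %s)"
                  % (n, len(frames), [len(f) for f in frames]))
```

The second segment carries the tail of the large frame plus two whole frames, which is the case an inspection engine that treats each TCP packet as exactly one TNS frame cannot handle.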

Changes

Database Links to databases on Local Area Network (LAN) do not exhibit this problem. This issue is limited to a database link where the target is a remote database accessed via a VPN Tunnel using default port 1521.

Cause

Problem was isolated to use of port 1521 over a VPN Tunnel that utilizes Cisco 5400/5500 Series Adaptive Security Appliances (ASA) where the Cisco SQLnet fixup protocol/Sql Inspector was enabled. However, on port 1522 where this Sql packet Inspection was not enabled, the problem did not reproduce. Note: The Cisco 5400/5500 Series Adaptive Security Appliances (ASA) have this SQLnet fixup protocol/Sql Inspection enabled by default for port 1521.

Please see the following document for a list of other Firewall features that may cause issues such as the one documented here. Refer to this section: Note A – Firewall Restrictions

Note 119706.1 Troubleshooting Guide TNS-12535 or ORA-12535 or ORA-12170 Errors

Solution

Customer’s Firewall Administrator(s) disabled the ‘SQLnet fixup protocol’ in the ASAs on both sides of the VPN Tunnel; the INSERT from SELECT over the DBLINK where the number of rows was higher began to work over port 1521.
