topic Re: Problem with FWSM and SQL*Net in Network Security

Problem with FWSM and SQL*Net

agustinmar — Mon, 11 Mar 2019 09:22:59 GMT

Hello, I have a FWSM and I have problem with Oracle server. The FWSM throws down the connections with Oracle server (port 1521).

I saw something message with this problem, but I haven't clear the solution.

Please, someone can help me.

Sorry for my bad english.

Thank you.

Regards

Re: Problem with FWSM and SQL*Net

vijayasankar — Mon, 22 Jan 2007 10:54:07 GMT

Hi Marquez,

Kindly provide more details related to your setup.

If possible provide us the configuration( excluding sensitive details like public ip etc) along with the details of the involved components in this setup( oracle server ip, client ip etc)

If you have carried out some troubleshooting, kindly provide the details regarding the same.

-VJ

Re: Problem with FWSM and SQL*Net

Jon Marshall — Mon, 22 Jan 2007 10:54:55 GMT

When you say throws down the connections do you mean that the traffic is not allowed through or that it is but then after a certain amount of time the FWSM tears down the connection.

Jon

Re: Problem with FWSM and SQL*Net

agustinmar — Mon, 22 Jan 2007 10:59:23 GMT

I want to say that after a certain amount of time the FWSM tears down the connection.

Sorry for my English.

Re: Problem with FWSM and SQL*Net

Jon Marshall — Mon, 22 Jan 2007 11:20:27 GMT

Are these connections from clients or from mid-tier servers.

We have faced a similiar problem on our pix firewalls, both standalone and FWSM. The mid-tiers would open database connections and then assume that these connection would be open forever. The firewall would tear them down if their was no activity on the connection but the mid-tier still assumed it was open so it didn't try to recreate a new connection.

We had to increase the tcp timeouts on our firewalls, on at least some of them we had to have an unlimited timeout, not ideal but they are coping okay.

The problem is that timeouts are global altho i believe with v3.1 you could apply a timeout to particular connections only without having to apply it to all connections through the firewall.

HTH

Re: Problem with FWSM and SQL*Net

vijayasankar — Mon, 22 Jan 2007 11:59:53 GMT

Hi Marquez,

I agree with the post by the fellow netpro.

You might have to increase the TCP IDLE connection timetout values, so that the FWSM doesn't tears down a idle connection.

You can tune the TCP connection timeout parameter as mentioned in the below URL

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c66.html#wp1058493

-VJ

Re: Problem with FWSM and SQL*Net

vijayasankar — Mon, 22 Jan 2007 12:01:50 GMT

Hi Jon,

For PIX/ASA, Optionally we can use the DCD feature available version 7.2 onwards.

Here's the URL to refer..

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063705c.html#wp1053110

Hope this helps.

-VJ

Re: Problem with FWSM and SQL*Net

Jon Marshall — Mon, 22 Jan 2007 12:46:26 GMT

Hi VJ

Many thanks for that. Very useful info.

Jon

Re: Problem with FWSM and SQL*Net

agustinmar — Mon, 22 Jan 2007 13:16:43 GMT

Please, someone can send to me the config of some equipment of your with respect to timeouts.

Thank you for all.

Regards

Re: Problem with FWSM and SQL*Net

agustinmar — Mon, 22 Jan 2007 15:01:43 GMT

Hello, I send the config of FWSM. I hope that you can help me.

Thank you for all.

Regards.

Re: Problem with FWSM and SQL*Net

vijayasankar — Mon, 22 Jan 2007 15:02:15 GMT

Hi Marquez,

As mentioned in the URL provided by me in the earlier post, this would be the configuration to set the tcp timeout to 1440 minutes => 24 hours. Change the value suitably to your requirement.

hostname (config)#policy map tcp_conn_timeout

hostname (config)#class alltcp_traffic

hostname (config)#set connection timeout tcp 1440

hostname (config)#service policy tcp_conn_timeout global

Hope this helps. Kindly rate the post if it was helpful.

-VJ

Re: Problem with FWSM and SQL*Net

agustinmar — Mon, 22 Jan 2007 15:04:17 GMT

Hello, these connections are from mid-tier servers. Do you know how have I to change the timeouts.

I have posted the config too.

thank you for all and sorry for my bad English.

Regards.

Re: Problem with FWSM and SQL*Net

agustinmar — Tue, 23 Jan 2007 17:26:38 GMT

Hello vijayasankar, I would to like to know if these commands need to be introduced in FWSM or in Catalyst 6500 where FWSM is installed. I comment this, because I have intended to introduce these commands in FWSM and FWSM don't support these commands.

Thank you.

Regards.

Re: Problem with FWSM and SQL*Net

Jon Marshall — Tue, 23 Jan 2007 17:49:19 GMT

Hi Marquez

The commands VJ sent are for Firewall version 3.1. They are meant to be added to the FWSM not the MSFC.

Unfortunately you are running v2.3(3) and these commands are not supported in that release.

You can either upgrade, but be aware that 2.3 is equivalent to 6.3 pix and 3.1 is equivalent to version 7 so there are some major changes or

you can increase the timeout of ALL your tcp connections. In v2.3 it is a global setting so it will affect all tcp connections.

As i say we did this on some of our firewalls, not internet facing firewalls but firewalls in our data centre.

If you want to do this you need to change the timeout line ie from your config

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout conn 1:00 is for the tcp connections. 1:00:00 = 1 hour.

HTH

Re: Problem with FWSM and SQL*Net

fauresr — Thu, 25 Jan 2007 01:59:06 GMT

Hi Marquez,

I had similar a issue with our backup software. TCP connection would remian open for too long and the FWSM would eventually terminate then.

I change the timeout value to 8 hours and the problem was fixed.

The command on our FWSM running v2.3 was: timeout conn 8:00:00

If you do this, keep an eye on your FW resources (memory) to make sure the number of open connections does exhaust you system (not likely unless you have a great number of connections)

Hope this helps

Remy

Re: Problem with FWSM and SQL*Net

limtohsoon — Tue, 22 Apr 2008 07:41:22 GMT

Hi All,

I'm experiencing similar issue.

I have an FWSM which originally run version 2.3(3). It is configured in multiple context mode. One of the contexts passes SQL*Net traffic (TCP port 1521).

Recently I upgraded the FWSM to 3.1(8). The end-user started to complain that their backup application (using SQL) took 12 hours to complete compared to 2 hours previously before the FWSM upgrade.

Comparing the "timeout" commands of both 2.3 and 3.1, I notice they are the same, as follows:

FWSM 2.3(3)

-----------

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

FWSM 3.1(8)

-----------

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

I have the following application inspection configs:

class-map class_sip_tcp

match port tcp eq sip

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect skinny

inspect smtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

class class_sip_tcp

inspect sip

The client is located at other parts of the network. The SQL server is located behind this FWSM context. Capturing packet trace on the client VLAN reveals many of the following messages:

[TCP Dup ACK...]

[TCP Retransmission...]

[TCP Out-Of-Order] [Continuation to #...]

[TCP ACKed lost segment]

Can anyone advise what's wrong with the FWSM? I can't find Release Notes of 3.1(8). Going through Release Notes of 3.1(9), I don't find any SQL-related issues.

Please help.

Thank you.

B.Rgds,

Lim TS

Re: Problem with FWSM and SQL*Net

capjjy — Fri, 16 May 2008 16:50:54 GMT

Hi.all

Trying remove "inspect sqlnet" on fwsm.

Maybe...problem solved.