ASA 5585-x and sqlnet connectivity failure

MKH — Tue, 12 Mar 2019 09:46:29 GMT

Hello

We have replaced our FWSM with the cisco ASA 5585-x (SSP-60).We have configured them in cluster mode. But some Oracle applications are losing connectivity to the database after replacement of Firewalls, Frequently.

The error on the application server is:

“Failed getting connection - at oradatabase.cpp(101) ORA-12547 : TNS: lost contact”

And error on the ASA is:

“Deny TCP (no connection) from appserver_ip/54864 to database_server_ip/1521 flags FIN ACK on interface Application_server_interface.”

The first thing we created IP ANY ANY rules on the interface that belongs to applications.

According to forum suggestions, we have disabled SQLNET global policy inspection.

The next thing, we have created a service policy (interface base) to match our application to database connection on TCP/1521 protocol.

Then we have setted up TCP connection properties on those streams to include the following details:

Timeout=0:00:00 >>>>>unlimited
Reset enabled
DCD enabled
Retry interval 00:15:00
Retry times=5

We also have configured TCP map in the TCP normalization options on that:

Setted the reserved bits on “Allow only”.
Disabled the "Clear Urgent flag" to allow URG flags.
Disabled the “Drop Connection on window variation”.
Disabled the “Drop Packets that exceed maximum segment size”.
Disabled the “check if retransmitted data is the same as original”.
Disabled the “Drop SYN packets with data”.
Enable TTL evasion protection.
Disabled the “Verify TCP checksum”.
Disabled the “Drop SYNACK packets with data”.
Disabled the “Drop packets with invalid ACK”.

And in TCP option just “clear window scale” has enabled.

Does inspection on SQLNET ineffect by disabling SQLNET global policy inspection?

What‘s wrong with us?

Thank you.

Hi,

Aditya Ganjoo — Fri, 04 Aug 2017 04:41:10 GMT

Hi,

Please share the output of show run policy-map and show service-policy.

Regards,

Aditya

Please rate helpful and mark correct answers

Hello

MKH — Fri, 04 Aug 2017 07:39:20 GMT

Hello

Please find attached file.

Thank you.

Hi,

Aditya Ganjoo — Fri, 04 Aug 2017 09:21:07 GMT

Hi,

I see the service-policy is applied on two different interfaces:

policy-map Fruad-Web/App-Service-policy

policy-map Interconnect-Billing-DB-policy

Can you let me know which is the one that is facing an issue?

Regards,

Aditya

Please rate helpful and mark correct answers

Hello

MKH — Fri, 04 Aug 2017 09:54:04 GMT

Hello

The policy-map Fruad-Web/App-Service-policy have confronted with problem.

Thank you.

topic ASA 5585-x and sqlnet connectivity failure in Network Security

ASA 5585-x and sqlnet connectivity failure

Hi,

Hello

Hi,

Hello