https://community.cisco.com/t5/network-security/asa-5520-sqlnet-inspection-dropping-connections/m-p/1268207#M858527 <P>Hi,</P><P></P><P>After one year and 3 months without any problems I had to upgrade the ASA 5520 from version 8.03 to 8.04 due to a known bug (tcpmss problem).</P><P>Everything worked fine with one exception: the Oracle application is not working any more.</P><P>Whenever I remove the sqlnet inspection the application works fine.</P><P>It can perform some simple queries, however, I realized that after a query containg a clob field in Oracle the connection are dropped by the ASA.</P><P>Below you can find the debug msgs and </P><P>logging messages:</P><P></P><P># debug sqlnet 255</P><P>PROBLEM HERE -&gt; SQLNet: received partial fragment, frag len: 1732, partial frag len: 1380, 352 bytes needed</P><P>SQLNet: received whole fragment, 1732 bytes</P><P>SQLNet: using proxy forward</P><P>SQLNet: received a new complete fragment of 289 bytes</P><P>SQLNet: received a new complete fragment of 21 bytes</P><P>SQLNet: received a new complete fragment of 155 bytes</P><P>PROBLEM HERE -&gt; SQLNet: received partial fragment, frag len: 2011, partial frag len: 1380, 631 bytes needed</P><P>SQLNet: received whole fragment, 2011 bytes</P><P>SQLNet: using proxy forward</P><P></P><P># syslog msgs:</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44946 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44951 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44955 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44958 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44959 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44960 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:59 asa Jul 18 2009 23:58:04: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44965 flags ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-302014: Teardown TCP connection 138604883 for DMZ:dbserver-dmz/1521 to Internal:adm-int/44985 duration 0:00:36 bytes 2001924 Flow closed by inspection</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from adm-int/44985 to dbserver-dmz/1521 flags ACK</P><P></P><P>The dbserver is on the DMZ interface and the system is on the Internal interface. Traffic is allowed and it was working with the inspection on version 8.03.</P><P></P><P>Any help is appreciated.</P><P></P><P>Thanks,</P><P></P><P>Marcelo Pinheiro</P> Mon, 11 Mar 2019 15:57:15 GMT m.pinheiro 2019-03-11T15:57:15Z https://community.cisco.com/t5/network-security/asa-5520-sqlnet-inspection-dropping-connections/m-p/1268207#M858527 <P>Hi,</P><P></P><P>After one year and 3 months without any problems I had to upgrade the ASA 5520 from version 8.03 to 8.04 due to a known bug (tcpmss problem).</P><P>Everything worked fine with one exception: the Oracle application is not working any more.</P><P>Whenever I remove the sqlnet inspection the application works fine.</P><P>It can perform some simple queries, however, I realized that after a query containg a clob field in Oracle the connection are dropped by the ASA.</P><P>Below you can find the debug msgs and </P><P>logging messages:</P><P></P><P># debug sqlnet 255</P><P>PROBLEM HERE -&gt; SQLNet: received partial fragment, frag len: 1732, partial frag len: 1380, 352 bytes needed</P><P>SQLNet: received whole fragment, 1732 bytes</P><P>SQLNet: using proxy forward</P><P>SQLNet: received a new complete fragment of 289 bytes</P><P>SQLNet: received a new complete fragment of 21 bytes</P><P>SQLNet: received a new complete fragment of 155 bytes</P><P>PROBLEM HERE -&gt; SQLNet: received partial fragment, frag len: 2011, partial frag len: 1380, 631 bytes needed</P><P>SQLNet: received whole fragment, 2011 bytes</P><P>SQLNet: using proxy forward</P><P></P><P># syslog msgs:</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44946 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44951 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44955 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44958 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44959 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44960 flags FIN ACK on interface DMZ</P><P>Jul 18 23:56:59 asa Jul 18 2009 23:58:04: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44965 flags ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-302014: Teardown TCP connection 138604883 for DMZ:dbserver-dmz/1521 to Internal:adm-int/44985 duration 0:00:36 bytes 2001924 Flow closed by inspection</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ</P><P>Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from adm-int/44985 to dbserver-dmz/1521 flags ACK</P><P></P><P>The dbserver is on the DMZ interface and the system is on the Internal interface. Traffic is allowed and it was working with the inspection on version 8.03.</P><P></P><P>Any help is appreciated.</P><P></P><P>Thanks,</P><P></P><P>Marcelo Pinheiro</P> Mon, 11 Mar 2019 15:57:15 GMT https://community.cisco.com/t5/network-security/asa-5520-sqlnet-inspection-dropping-connections/m-p/1268207#M858527 m.pinheiro 2019-03-11T15:57:15Z https://community.cisco.com/t5/network-security/asa-5520-sqlnet-inspection-dropping-connections/m-p/1268208#M858529 <HTML><HEAD></HEAD><BODY><P>I ran into a similar issue at a client and what is happening is there isn't a two way connection between the client and the server. There were two things we did that clear this up. One was to turn of sqlnet inspection and the other was to have the client that was having the issue restart their computer.</P></BODY></HTML> Tue, 21 Jul 2009 00:13:51 GMT https://community.cisco.com/t5/network-security/asa-5520-sqlnet-inspection-dropping-connections/m-p/1268208#M858529 deyster94 2009-07-21T00:13:51Z https://community.cisco.com/t5/network-security/asa-5520-sqlnet-inspection-dropping-connections/m-p/1268209#M858531 <HTML><HEAD></HEAD><BODY><P>Thank you for your response. The first option I already did and it is working.</P><P>The second is impossible because it is an application server.</P><P>I was wondering if there is a way to keep sqlnet inspecting with this problem or is it a bug?</P></BODY></HTML> Tue, 21 Jul 2009 22:10:44 GMT https://community.cisco.com/t5/network-security/asa-5520-sqlnet-inspection-dropping-connections/m-p/1268209#M858531 m.pinheiro 2009-07-21T22:10:44Z