
Slow SQLnet throughput on ASA

JEFF LAND
Level 1

I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file. What could be the problem?


Maykol Rojas
Cisco Employee

Hi,

Do you have the Sqlnet inspection turned on on the firewall? If so, remove it and try to access the DB again.

Mike Rojas

Mike

I will try that but inspect sqlnet is enabled under policy-map global_policy on the old 5520 running 8.0 also. Do you know if they made any changes to the sqlnet inspection in 8.1 or 8.2?

They do every change of versions. But we need to confirm if the inspection is actually the problem.

Mike

Mike

Yes, taking the sqlnet inspection out fixed the problem. But now the traffic is uninspected. Is there a rate limit or something similar which can be increased?

On the inspection itself? No, I don't think so. It is not that the traffic is flowing without inspection; it is being inspected, but not under RFC compliance of the Sqlnet protocol.

You may be hitting this bug

CSCta27859
ASA 8.2.1 - Enabling inspect sqlnet adds 5 sec delays to big DB queries
Symptom: When "inspect sqlnet" is enabled on ASA, single-connection version of SQLnet protocol experiences 5-seconds delays on big DB queries. There may be multiple delays in a single SQLnet TCP session. When inspection disabled, there are no delays.

Conditions:
- single-session version of SQLnet protocol is used (i.e. TCP/1521 is used both for command and data sessions)
- "inspect sqlnet" is enabled on ASA

Workaround: Disable sqlnet inspect. For single-session version of SQLnet protocol, disabling the inspect sqlnet does not have operational impact since there are no secondary connections that are being dynamically permitted through the firewall.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCta27859

Try going to the latest 8.2 version (8.2.5) and check if the problem persists.

Mike

Mike

Right. I'll get the update and schedule some downtime. I'll post what I find. Thanks for your help.
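
One way to check a packet capture for the symptom described in CSCta27859 (repeated 5-second delays inside a single TCP/1521 session), as an added example that is not part of the original thread. It reads `tcpdump -tt -n` text output; the sample capture, the addresses and the 4.5 to 5.5 second window are constructed assumptions.

```python
import re

# Constructed capture in `tcpdump -tt -n` text format; all addresses and
# timestamps are made up for illustration.
SAMPLE = """\
1000.000000 IP 10.1.1.50.40112 > 10.2.2.10.1521: Flags [P.], seq 1:240, ack 1, win 229, length 239
1000.004100 IP 10.2.2.10.1521 > 10.1.1.50.40112: Flags [P.], seq 1:1461, ack 240, win 260, length 1460
1000.004300 IP 10.1.1.50.40112 > 10.2.2.10.1521: Flags [.], ack 1461, win 251, length 0
1000.500000 IP 10.1.1.51.40113 > 10.2.2.10.1521: Flags [P.], seq 1:90, ack 1, win 229, length 89
1000.510000 IP 10.2.2.10.1521 > 10.1.1.51.40113: Flags [P.], seq 1:300, ack 90, win 260, length 299
1001.000000 IP 10.1.1.50.40200 > 10.2.2.11.21: Flags [P.], seq 1:20, ack 1, win 229, length 19
1005.006000 IP 10.2.2.10.1521 > 10.1.1.50.40112: Flags [P.], seq 1461:2921, ack 240, win 260, length 1460
1005.007000 IP 10.1.1.50.40112 > 10.2.2.10.1521: Flags [.], ack 2921, win 274, length 0
1006.000000 IP 10.2.2.11.21 > 10.1.1.50.40200: Flags [P.], seq 1:40, ack 20, win 260, length 39
1010.010000 IP 10.2.2.10.1521 > 10.1.1.50.40112: Flags [P.], seq 2921:4381, ack 240, win 260, length 1460
1060.600000 IP 10.1.1.51.40113 > 10.2.2.10.1521: Flags [P.], seq 90:180, ack 300, win 229, length 90
"""

# timestamp, src addr, src port, dst addr, dst port of an IPv4 packet line
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): ")

def find_stalls(capture, port=1521, min_gap=4.5, max_gap=5.5):
    """Return (flow, stall_start, gap_seconds) for every silence of roughly
    5 s between consecutive packets of the same TCP session on `port`."""
    last_seen, stalls = {}, []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip non-IPv4 or unparsable lines
        ts, src, sport, dst, dport = m.groups()
        if port not in (int(sport), int(dport)):
            continue
        # Direction-independent key so both halves of a session share state.
        flow = tuple(sorted([(src, int(sport)), (dst, int(dport))]))
        ts = float(ts)
        prev = last_seen.get(flow)
        if prev is not None and min_gap <= ts - prev <= max_gap:
            stalls.append((flow, prev, round(ts - prev, 3)))
        last_seen[flow] = ts
    return stalls

def stalls_per_flow(capture, **kw):
    """Summarise stalls as {flow: (count, total_stalled_seconds)}."""
    out = {}
    for flow, _start, gap in find_stalls(capture, **kw):
        count, total = out.get(flow, (0, 0.0))
        out[flow] = (count + 1, round(total + gap, 3))
    return out
```

A session that shows several such gaps with the inspection enabled and none with it disabled matches the bug's description; a single long idle period, like the 60-second pause in the second sample session, is ordinary client think time and is not flagged.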
