ASA 5585-x and sqlnet connectivity failure

MKH
Level 1

Hello

We have replaced our FWSM with the Cisco ASA 5585-X (SSP-60). We have configured them in cluster mode. But some Oracle applications are frequently losing connectivity to the database after the replacement of the firewalls.

The error on the application server is:

“Failed getting connection - at oradatabase.cpp(101) ORA-12547 : TNS: lost contact”

And the error on the ASA is:

“Deny TCP (no connection) from appserver_ip/54864 to database_server_ip/1521 flags FIN ACK on interface Application_server_interface.”

As the first step, we created IP ANY ANY rules on the interface that belongs to the applications.

According to forum suggestions, we have disabled SQLNET global policy inspection.

Next, we created a service policy (interface-based) to match our application-to-database connection on the TCP/1521 protocol.

Then we set up TCP connection properties on those streams to include the following details:

  1. Timeout=0:00:00 (unlimited)
  2. Reset enabled
  3. DCD enabled
  4. Retry interval 00:15:00
  5. Retry times=5

We have also configured a TCP map in the TCP normalization options on that:

  1. Set the reserved bits to “Allow only”.
  2. Disabled the "Clear Urgent flag" to allow URG flags.
  3. Disabled the “Drop Connection on window variation”.
  4. Disabled the “Drop Packets that exceed maximum segment size”.
  5. Disabled the “check if retransmitted data is the same as original”.
  6. Disabled the “Drop SYN packets with data”.
  7. Enabled TTL evasion protection.
  8. Disabled the “Verify TCP checksum”.
  9. Disabled the “Drop SYNACK packets with data”.
  10. Disabled the “Drop packets with invalid ACK”.

And in the TCP options, only “clear window scale” has been enabled.

Is SQLNET inspection no longer in effect once the SQLNET global policy inspection is disabled?

What’s wrong with us?

Thank you.
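
For triaging the ASA message quoted in the question, here is an added example (not part of the original post and not Cisco tooling) that parses “Deny TCP (no connection)” lines and counts them per client/server pair and per TCP flag set for port 1521. The log lines and addresses are constructed sample input, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input (documentation addresses), not logs from the thread.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/54864 to 198.51.100.5/1521 flags FIN ACK on interface app
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/54870 to 198.51.100.5/1521 flags PSH ACK on interface app
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.11/40112 to 198.51.100.5/1521 flags FIN ACK on interface app
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/54864 to 198.51.100.5/1521 flags RST on interface app
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.12/51000 to 198.51.100.9/443 flags ACK on interface app
"""

DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) +on interface (?P<ifc>\S+)"
)

def parse_denies(text):
    """Return one dict per 'Deny TCP (no connection)' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["flags"] = " ".join(e["flags"].split())
        e["ifc"] = e["ifc"].rstrip(".")  # tolerate a sentence-ending period
        events.append(e)
    return events

def summarize(events, dport=1521):
    """Count denies for one service port per (client, server, interface) and per flag set."""
    by_flow, by_flags = Counter(), Counter()
    for e in events:
        if e["dport"] == dport:
            by_flow[(e["src"], e["dst"], e["ifc"])] += 1
            by_flags[e["flags"]] += 1
    return by_flow, by_flags

if __name__ == "__main__":
    flows, flags = summarize(parse_denies(SAMPLE_LOG))
    for (src, dst, ifc), n in flows.most_common():
        print(f"{n:3d}  {src} -> {dst}:1521 on {ifc}")
    for f, n in flags.most_common():
        print(f"{n:3d}  flags {f}")
```

A flag breakdown dominated by FIN or RST means the endpoints are closing sessions for which the firewall no longer holds a connection entry, which narrows the search to how and when those entries were removed.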

 

 

 

4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Please share the output of show run policy-map and show service-policy.

Regards,

Aditya

Please rate helpful and mark correct answers

Hello

Please find the attached file.

Thank you.

Aditya Ganjoo
Cisco Employee

Hi,

I see the service-policy is applied on two different interfaces:

policy-map Fruad-Web/App-Service-policy

policy-map Interconnect-Billing-DB-policy

Can you let me know which is the one that is facing an issue?

Regards,

Aditya

Please rate helpful and mark correct answers

Hello

The policy-map Fruad-Web/App-Service-policy is the one that has the problem.

Thank you.
