ASA 9.1 Problems with Oracle Database

Hi Everyone,

Having a strange problem. We recently migrated from FWSM to ASA-5585X running 9.1(2). Since we did that, we are having problems from an APP server in DMZ-A talking to a DB server in DMZ-B. The error we are getting in Oracle is ORA-12592: Bad Packet. Reading about this, it says it could be the network, and our DBAs are telling us they saw the error for the first time about 4 hours after our firewall migration. To note, SQL inspect is OFF. We have done captures on each server, and on egress and ingress interfaces, but do not see anything special.

Anyone have any ideas?

2 ACCEPTED SOLUTIONS


As you collected the ingress and egress captures, please search for the TCP URGENT flag (Wireshark filter tcp.flags.urg==1), and check if it is used by the Oracle apps. The ASA by default clears this flag, so if your app uses this flag (as many Oracle apps do), you need to configure a tcp-map to allow it.

Regards.
Mashal Shboul
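
The capture check described in this answer, as an added example that is not part of the original post: it reads an ingress and an egress capture (classic pcap, Ethernet) and reports flows whose URG-flagged segments did not come out the other side. The sample captures, the addresses and port 1521 are constructed for illustration, and the comparison assumes no NAT between the two interfaces.

```python
import socket, struct
from collections import Counter

URG = 0x20  # TCP URG bit, the flag matched by the Wireshark filter tcp.flags.urg==1

def tcp_segments(pcap):
    """Yield (flow, flags) for every IPv4/TCP frame in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (socket.inet_ntoa(frame[26:30]), sport,
               socket.inet_ntoa(frame[30:34]), dport), tcp[13]

def urg_by_flow(pcap):
    """Count URG-flagged segments per (src, sport, dst, dport)."""
    return Counter(flow for flow, flags in tcp_segments(pcap) if flags & URG)

def urg_cleared(ingress, egress):
    """Flows whose URG segments seen on ingress did not all leave on egress.
    Compared by address and port only; assumes no NAT between the interfaces."""
    seen, left = urg_by_flow(ingress), urg_by_flow(egress)
    return {f: (n, left[f]) for f, n in seen.items() if left[f] < n}

# --- constructed sample captures (not from the thread) ---
def _frame(flags, urg_ptr=0):
    tcp = struct.pack("!HHIIBBHHH", 40000, 1521, 1000, 0, 5 << 4, flags, 8192, 0, urg_ptr) + b"!"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

INGRESS = _pcap([_frame(0x18), _frame(0x38, urg_ptr=1)])  # PSH|ACK, then PSH|ACK|URG
EGRESS = _pcap([_frame(0x18), _frame(0x18)])              # same flow, URG bit gone

if __name__ == "__main__":
    for flow, (n_in, n_out) in urg_cleared(INGRESS, EGRESS).items():
        print(flow, "URG segments in:", n_in, "out:", n_out)
```

For real captures, read each file as bytes and pass both to urg_cleared; pcapng files need converting to classic pcap first.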



Please use this post:  https://supportforums.cisco.com/thread/2212146

You can fix the issue on the ASA or you can do that at the database server. I personally think this should be fixed at the database server level by enabling SQL*net keep alive to maintain stability rather than depending on the firewall.



Very good article - thanks.  I will add these options to my service policy and see what happens.


Thanks - this is good info.  I will create the service policy and see what happens.
