jss.cisco
Beginner

ASA 9.1 Problems with Oracle Database

Hi Everyone,

Having a strange problem.  We recently migrated from FWSM to ASA-5585X running 9.1(2).  Since we did that, we are having problems from an APP server in DMZ-A talking to a DB server in DMZ-B.  The error we are getting in Oracle is ORA-12592: Bad Packet.  Reading about this, it says it could be the network, and our DBAs are telling us they saw the error for the first time about 4 hours after our firewall migration.  To note, SQL inspect is OFF.  We have done captures on each server, and on egress and ingress interfaces, but do not see anything special.

Anyone have any ideas?

2 ACCEPTED SOLUTIONS

Accepted Solutions
malshbou
Beginner

As you collected the ingress and egress captures, please search for the TCP URGENT flag (Wireshark filter tcp.flags.urg==1), and check if it is used by the Oracle apps. The ASA by default clears this flag, so if your app uses this flag (as many Oracle apps do), you need to configure a tcp-map to allow it.

Regards.
Mashal Shboul

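The tcp-map mentioned in the answer above, sketched as an added example (not part of the original post and not a Cisco-supplied configuration). The host addresses, the 1521 listener port and the ORACLE-URG-* names are placeholders, and the default global_policy is assumed to be in use; lines starting with ! are annotations.

```cisco
! Added example: placeholder addresses, port and object names.
! Match only the app-to-database flow instead of all TCP traffic.
access-list ORACLE-URG-ACL extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 1521
!
! TCP normalizer override: pass the URG flag instead of clearing it.
tcp-map ORACLE-URG-MAP
 urgent-flag allow
!
class-map ORACLE-URG-CLASS
 match access-list ORACLE-URG-ACL
!
! Attach the tcp-map to the matched flow in the assumed default policy.
policy-map global_policy
 class ORACLE-URG-CLASS
  set connection advanced-options ORACLE-URG-MAP
!
! Confirm the map exists and the class is seeing traffic.
show running-config tcp-map
show service-policy
```

Service policy changes apply to new connections, so existing database sessions keep the old behaviour until they are re-established. Re-running the captures with tcp.flags.urg==1 on both the ingress and egress interfaces shows whether the flag now survives the firewall.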

Please use this post:  https://supportforums.cisco.com/thread/2212146

You can fix the issue on the ASA or you can do that at the database server.  I personally think this should be fixed at the database server level by enabling SQL*net keep alive to maintain stability rather than depending on the firewall.


4 REPLIES

Very good article - thanks.  I will add these options to my service policy and see what happens.

Thanks - this is good info.  I will create the service policy and see what happens.