06-30-2004 04:54 PM - edited 02-20-2020 11:29 PM
Anyone out there know of any issues with a DMZ web server accessing an inside Oracle server through the PIX? Initial connections work, but after some time I see a lot of syslog messages with "no connection" errors for the SQL traffic. Should the web server access Oracle using a static address local to the DMZ, i.e. if the web server is 10.101.10.5, the DB is 10.101.10.6? Or should I just use the inside address?
tia
- Jericho
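Since the thread turns on what those "no connection" syslog messages actually show, here is a small parser, added as an example and not part of the original thread, that pulls the PIX 106015 "Deny TCP (no connection)" messages out of a log and groups them per flow by TCP flag pattern. The sample log lines are constructed for this example; the addresses are the ones from the question, and the exact message layout (message ID 106015, "flags ... on interface ...") is assumed to match the PIX 6.x syslog format. Flows that keep sending data (PSH/ACK) with no RST or FIN seen are the ones worth checking against the idle timer, because that is what a client that still believes its session is open looks like from the firewall's side.

```python
import re
from collections import Counter, defaultdict

# Match the PIX "no connection" message (ID 106015) from the message ID onward;
# the syslog prefix (timestamp, hostname) varies between collectors, so it is ignored.
PAT = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

# Constructed sample log: a web server (10.101.10.5) talking to Oracle (10.101.10.6/1521).
# The 302014 teardown line is a constructed non-matching line so the parser has to skip it.
SAMPLE_LOG = """\
Jun 30 15:01:02 pix %PIX-6-106015: Deny TCP (no connection) from 10.101.10.5/3377 to 10.101.10.6/1521 flags ACK on interface dmz
Jun 30 15:01:02 pix %PIX-6-106015: Deny TCP (no connection) from 10.101.10.5/3377 to 10.101.10.6/1521 flags PSH ACK on interface dmz
Jun 30 15:01:03 pix %PIX-6-106015: Deny TCP (no connection) from 10.101.10.6/1521 to 10.101.10.5/3377 flags RST ACK on interface inside
Jun 30 15:02:10 pix %PIX-6-302014: Teardown TCP connection 1201 for dmz:10.101.10.5/3378 to inside:10.101.10.6/1521 duration 1:00:02 bytes 5120 Connection timeout
Jun 30 15:02:11 pix %PIX-6-106015: Deny TCP (no connection) from 10.101.10.5/3378 to 10.101.10.6/1521 flags PSH ACK on interface dmz
"""


def parse_no_connection(text):
    """Return one dict per 106015 message; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = PAT.search(line)
        if m:
            d = m.groupdict()
            d["flags"] = frozenset(d["flags"].split())
            events.append(d)
    return events


def classify(flags):
    """Reduce a flag set to the pattern that matters for this diagnosis."""
    if "RST" in flags:
        return "reset"      # one side aborting a session the PIX no longer tracks
    if "FIN" in flags:
        return "fin"        # normal close arriving after the PIX dropped the conn
    if "PSH" in flags:
        return "data"       # application data on a session the PIX has forgotten
    return "ack"            # bare ACK, e.g. a late or keepalive-style segment


def summarize(events):
    """Count flag patterns per (src, dst, dport) flow."""
    by_flow = defaultdict(Counter)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dport"])][classify(e["flags"])] += 1
    return dict(by_flow)


def stale_data_flows(summary):
    """Flows still pushing data with no reset or FIN seen: idle-timeout suspects."""
    return sorted(
        flow for flow, kinds in summary.items()
        if kinds["data"] and not kinds["reset"] and not kinds["fin"]
    )


if __name__ == "__main__":
    s = summarize(parse_no_connection(SAMPLE_LOG))
    for flow, kinds in s.items():
        print(flow, dict(kinds))
    print("idle-timeout suspects:", stale_data_flows(s))
```

Run it over a real PIX syslog export in place of SAMPLE_LOG; the "data" bucket for the web-to-Oracle flow is what to compare against the conn timer value from show timeout.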
06-30-2004 10:33 PM
Hi
I think that if an initial connection is started, the two systems are able to communicate.
Have you enabled the correct fixup? In my environment I have to enable the fixup for ports 1520-1535 for SQL servers.
Could you post a sample of your syslog messages?
Ciao
Marco
07-01-2004 09:17 AM
What is the PIX idle connection timer value set to? Run the show timeout command and look for the conn value. The default is one hour. When you state "after some time", is that about one hour? If so, then what I think is happening is that the PIX idle timer is closing the connection, but the PIX does not send a TCP reset frame to the DB or the web server. What you need to do is either increase the idle timer to some value that should not time out the DB connection (not recommended by me) or reconfigure the web server and/or SQL client to use keepalives to reset the PIX idle timer. Look at the Oracle product doc with regards to SQL keepalives or contact them; they should be able to tell you how to get their product to work in a firewall environment.
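To make the keepalive suggestion concrete, here is an added example (not from this thread, and not Oracle's own client code) showing the two pieces a client needs: TCP keepalives switched on at the socket with an idle interval shorter than the firewall's conn timer, and a helper that turns the PIX "h:mm:ss" timeout value from show timeout into a safe keepalive idle value. The socket option names are the Linux ones (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT); macOS exposes the idle value as TCP_KEEPALIVE instead, and Windows needs an ioctl, so the code only sets what the running platform provides. The 50% margin for the idle value is an assumption chosen for this example, not something the PIX documentation prescribes.

```python
import socket


def parse_pix_timeout(value):
    """Convert a PIX timeout string such as '1:00:00' (h:mm:ss) to seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def keepalive_idle_for(firewall_conn_timeout, margin=0.5):
    """Idle seconds before the first probe, so a probe always crosses the
    firewall well before its conn timer expires (margin is an example choice)."""
    if firewall_conn_timeout <= 0:
        raise ValueError("firewall timeout must be positive")
    return max(1, int(firewall_conn_timeout * margin))


def enable_tcp_keepalive(sock, idle, interval=30, count=5):
    """Turn on TCP keepalives on a TCP socket and return the values actually applied.

    Each probe is a TCP segment inside the tracked connection, so it refreshes
    the firewall's per-connection idle timer the same way real data would.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}

    # Linux names first; macOS calls the idle value TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
        applied["idle"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        applied["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
        applied["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return applied


if __name__ == "__main__":
    # Example: PIX default 'timeout conn 1:00:00' -> probe after 30 minutes idle.
    pix_conn = parse_pix_timeout("1:00:00")
    idle = keepalive_idle_for(pix_conn)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("PIX conn timeout:", pix_conn, "s; keepalive idle:", idle, "s")
    print("applied:", enable_tcp_keepalive(s, idle))
    s.close()
```

Apply enable_tcp_keepalive to the socket before connecting to the database listener; if the client library owns the socket (as a commercial Oracle client does), the equivalent is the vendor's keepalive setting, which the post above already points to.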
07-01-2004 10:49 AM
We have experimented with the idle timeout without success. I'll look up the SQL keepalives for Oracle, thanks for the tip.
07-04-2004 06:46 PM
If you are running PIX 6.2 code or higher, you can use the capture command; it is similar to the tcpdump Unix utility, and it can help determine what the source of the issue is. I would run it on two interfaces at the same time, and use ACLs to define the traffic you want. On one interface use ACL cap01 with two entries to permit IP between the web server and the SQL server and vice versa. The SQL address in that ACL is the IP address as seen by the web server. Create another ACL, called cap02, that does the same thing as cap01, except this ACL contains the true address of the SQL server. If you are not using NAT, then just one ACL, acl01, will do. Run a capture on the interface that is connected to the web server, and the other will run on the interface connected to the SQL server. It may help if they are run during periods of low activity, and the buffer size may need to be 40960 or higher.
I am interested in whether one end is closing a connection but the other end is ignoring it. The PIX does have a command to allow it to take action against a quick-close sequence as well as the normal TCP 3-way handshake termination sequence.
07-12-2004 07:12 AM
OK. In the case of a quick-close sequence, what is the PIX command to remedy this? I'm wondering if this is happening due to heavy load, such as our load testing, which is where we see the behavior. Under manual web testing we don't see it, but then the timing of our requests may not be as fast as our load injectors.
07-12-2004 10:39 AM
The PIX command, according to the 6.3 doc, to use is:
sysopt connection timewait
It is off by default. From what I have seen, PIX code 6.1 and 6.2 have it too.