09-23-2008 11:03 AM - edited 03-11-2019 06:48 AM
After upgrading our PIX 515E from V7.22 to V8.04 everything but one protocol seems to work fine. When trying to make an Sqlnet connection through the firewall a syslog error is kicked out: "PIX-4-507001: Terminating TCP-Proxy connection from outside:x.x.x.x/1534 to inside:y.y.y.y/2778 - reassembly limit of 8192 bytes exceeded". A packet capture shows the client and server talking, even after the error.
Anyone seen this before?
Thanks.
09-23-2008 01:07 PM
When sqlnet inspection is applied as in your case, the ASA will proxy the TCP stream to make
sure the traffic arrives in order. When performing this, the firewall must buffer any
fragmented packets, but only have a limited size buffer of 8192 bytes. It is this limit
that is being hit in your case.
There is currently a feature request to have this limit changed, but at this point it is
just a request.
#
CSCsl15229
As a workaround, you can try disabling the inspection for this particular server.
##########
ASA-5520-CSC-Standalone(config)# access-list sqlnet-list deny tcp any host 128.104.44.41 eq 554
ASA-5520-CSC-Standalone(config)# access-list sqlnet-list permit tcp any any eq 1521
ASA-5520-CSC-Standalone(config)# class-map sqlnet-class
ASA-5520-CSC-Standalone(config-cmap)# match access-list sqlnet-list
ASA-5520-CSC-Standalone(config-cmap)# policy-map global_policy
ASA-5520-CSC-Standalone(config-pmap)# class inspection_default
ASA-5520-CSC-Standalone(config-pmap-c)# no inspect sqlnet
ASA-5520-CSC-Standalone(config-pmap-c)# class sqlnet-class
ASA-5520-CSC-Standalone(config-pmap-c)# inspect sqlnet
ASA-5520-CSC-Standalone(config-pmap-c)#
############
Do rate helpful posts.
Regards,
Sushil
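The %PIX-4-507001 message quoted in the original question and the per-server inspection bypass in the reply above, as an added example that is not part of the thread: a small Python parser that pulls interface, address and port out of 507001 syslog lines (sample lines constructed here with made-up addresses), counts terminations per inside server so you can see which host is hitting the 8192-byte reassembly limit, and renders the deny/permit ACL pair in the shape of the workaround for that host. It assumes the message text matches the format quoted in the question and that the SQL*Net server listens on 1521 (both assumptions, not taken from the firewall).

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape quoted in the thread; addresses are made up.
SAMPLE_LOGS = """\
Sep 23 2008 10:58:01 pix-1 %PIX-4-507001: Terminating TCP-Proxy connection from outside:192.0.2.10/1534 to inside:10.1.1.20/2778 - reassembly limit of 8192 bytes exceeded
Sep 23 2008 10:58:04 pix-1 %PIX-4-507001: Terminating TCP-Proxy connection from outside:192.0.2.11/1601 to inside:10.1.1.20/2779 - reassembly limit of 8192 bytes exceeded
Sep 23 2008 10:58:09 pix-1 %PIX-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/1535 (192.0.2.10/1535) to inside:10.1.1.30/1521 (10.1.1.30/1521)
Sep 23 2008 10:58:12 pix-1 %PIX-4-507001: Terminating TCP-Proxy connection from outside:192.0.2.12/1700 to inside:10.1.1.30/1521 - reassembly limit of 8192 bytes exceeded
"""

# Matches the 507001 message as quoted in the thread; the PIX/ASA prefix is accepted either way.
PATTERN = re.compile(
    r"%(?:PIX|ASA)-4-507001: Terminating TCP-Proxy connection from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) - "
    r"reassembly limit of (?P<limit>\d+) bytes exceeded"
)


def parse_507001(lines):
    """Yield one dict per 507001 event; every other syslog line is skipped."""
    for line in lines:
        m = PATTERN.search(line)
        if m:
            event = m.groupdict()
            for key in ("src_port", "dst_port", "limit"):
                event[key] = int(event[key])
            yield event


def servers_hitting_limit(lines):
    """Count terminations per inside (destination) host, most affected first."""
    counts = Counter(ev["dst_ip"] for ev in parse_507001(lines))
    return counts


def inspection_bypass_acl(server_ip, server_port=1521, acl_name="sqlnet-list"):
    """Render the deny/permit pair from the reply's workaround for one server (port 1521 assumed)."""
    return [
        f"access-list {acl_name} deny tcp any host {server_ip} eq {server_port}",
        f"access-list {acl_name} permit tcp any any eq {server_port}",
    ]


if __name__ == "__main__":
    counts = servers_hitting_limit(SAMPLE_LOGS.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}: {n} TCP-Proxy terminations")
    worst_ip = counts.most_common(1)[0][0]
    print("\n".join(inspection_bypass_acl(worst_ip)))
```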
10-03-2008 07:18 AM
I am looking at upgrading from 7.2.4 to 8.0.4 and was wondering if you were just receiving the syslog messages or if it was killing your connections between the client and server. Also, did you find a fix? Any input would be helpful.
10-03-2008 07:31 AM
When we upgraded to 8.0.4 we had to disable the sqlnet inspect because it was impacting connectivity. There is no fix for this at the moment that I am aware of.
10-04-2008 09:14 PM
I was getting syslog messages until I applied V8.0(4)3. This interim patch stopped the syslog errors and helped the communication a little, but the connection still did not function properly. The firewall appeared to be sending resets and killing the traffic. Cisco has indicated that this will be fixed in V8.0(4)6 but did not know when it would be released. I keep checking. For now I have rolled back to the known working V7.22.
10-06-2008 05:27 PM
You can try disabling the rtsp inspect.
Please refer to below URL:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#prob
HTH
MD
10-07-2008 06:15 AM
I tried that and no effect.
10-07-2008 07:53 AM
Does the ASA have the same problem? We have the ASA 5520 and I know there is a good bit of difference between the ASA OS and the PIX OS even if they are running the same version.
10-07-2008 09:33 AM
I do not know. I have not tried this with the ASA. I hope to when I get a chance. If you test this please let me know.
Thanks.
10-09-2008 04:50 AM
We are planning our upgrade at the end of the month so I will post the sqlnet results at that time.
10-09-2008 06:32 AM
Looks like we are hitting the same problem on a PIX running 8.0.4. Any news on the release date for 8.0.4(6)? I will try to apply the workaround this weekend.
10-09-2008 08:57 AM
No news. They closed the case and told me to keep checking their website for the interim release as they did not have a date for the release. It was still in the testing stages. So far it has not been released and I check the site every week. Please let me know if you find a workaround that works.
Thanks.
10-09-2008 12:20 PM
Leveraging my advanced services contract I was just able to obtain a copy of asa804-6-k8.bin today which is supposed to resolve this issue.
I'd hit up TAC again and escalate this through the system until they give you access to the interim release as well I guess.
Good luck!
10-09-2008 12:38 PM
I did not know you could do that. If you are going to apply the update please let me know if it seems to fix the issue. That will save me some time. ;-)
10-09-2008 12:49 PM
Will do, however it takes about 2 weeks to get the approvals to get it into production around here lol.