10-08-2012 10:41 PM - edited 03-11-2019 05:06 PM
Hi All,
We have an ASA 5510 with IOS Version 8.0(4). Users from inside connect to a SQL database at the customer's site, which is on the outside. Users can run smaller database queries; however, they cannot run longer queries and get an ORA-03113 error on the client.
We found the sql inspect reset counter increasing by 1 each time a user tries to connect.
Does that mean we need to disable / remove sql inspect from the global service policy? The policy config follows.
Need expert advice on the following.
1. Do we need to remove sql inspect from the service policy?
2. Will there be any impact while removing the policy?
3. Is there any way to bypass sql inspect for this specific flow (because we don't know if other communications / users may need it)?
4. Steps to remove sql inspect
Please help..
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 632, drop 0, reset-drop 0
      Inspect: ftp, packet 240935, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 1817867, drop 0, reset-drop 1796
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 285, drop 0, reset-drop 0
      Inspect: tftp, packet 4894, drop 0, reset-drop 0
10-08-2012 10:53 PM
Hello Yogesh,
Since you are seeing the reset in sqlnet every time the issue happens, it's a good try to remove the inspection for testing.
Are you doing NAT for the SQL server in the ASA? And do you have any other ASA at the other end? (Then you need to remove the inspection from their end as well.) Make sure that you have proper permission in both the inbound and outbound directions for both the SQL server and the client.
You can remove the inspection as follows:
policy-map global_policy
 class inspection_default
  no inspect sqlnet
  exit
 exit
clear local-host all
Regards
Harish.
10-08-2012 11:07 PM
Thanks Harish for the quick response. Will there be any kind of disruption while removing sql inspect?
We are not doing NAT for the SQL server, but yes, at the customer end there are some sorts of NAT & multiple firewalls (Juniper, ASA etc). Is there any way we can simulate & know what is causing the SQL inspect reset?
10-08-2012 11:16 PM
Hello Yogesh,
It may reset the connection while removing the command, but after that there is no negative impact.
Coming back to your issue, when SQL inspection is on, the ASA will reduce the client window size from 65000 to about 16000, which impacts the data transfer; I guess that is what you are experiencing now. Please make sure that you are disabling this in all the firewalls on the path and take care of the outside - inside communication as well (preferably all UDP/TCP).
Please let me know if you have any other questions
Harish.
10-08-2012 11:59 PM
Thanks Harish.
Is there any way to bypass sql inspect for a particular source & destination? If yes, kindly guide.
Regards
Yogesh
10-09-2012 12:08 AM
Hello Yogesh,
That can be done as follows:
access-list acl_sql_inspect deny tcp
access-list acl_sql_inspect permit tcp any any
!
class-map inspect_sql
 match access-list acl_sql_inspect
!
policy-map global_policy
 class inspection_default
  no inspect sqlnet
 class inspect_sql
  inspect sqlnet
service-policy global_policy global
So it will bypass the inspection only for your preferred traffic, as defined in the ACL.
Harish.
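Added example, not Harish's or Cisco's own configuration: the removal step from the first answer and the per-flow bypass from the last answer written out as one complete change. The addresses 10.1.1.25 (inside client) and 203.0.113.10 (customer database) are placeholders to be replaced with the real hosts. It goes one step beyond the answer above in that both ACL entries are restricted to TCP/1521: default-inspection-traffic only hands TCP/1521 to the sqlnet inspector, so a `permit tcp any any` class would instead run SQL*Net inspection on every TCP flow the global policy sees. The deny line is the traffic that is exempted; everything else on 1521 is still inspected.

```cisco
! Flows to exempt from SQL*Net inspection (placeholder addresses, not from the thread)
access-list acl_sql_inspect extended deny tcp host 10.1.1.25 host 203.0.113.10 eq 1521
! Everything else on the SQL*Net port keeps being inspected
access-list acl_sql_inspect extended permit tcp any any eq 1521
!
class-map inspect_sql
 match access-list acl_sql_inspect
!
policy-map global_policy
 class inspection_default
  no inspect sqlnet
 class inspect_sql
  inspect sqlnet
!
service-policy global_policy global
!
! Existing connections were built under the old policy; clear them so the
! change takes effect (this briefly drops active sessions, as noted above)
clear local-host all
!
! Afterwards, the exempted flow should no longer add to the sqlnet counters:
show service-policy inspect sqlnet
```

Because the ASA evaluates the classes of a policy-map in order and a flow is matched by only one inspection class, the exempted client/server pair falls through with no sqlnet inspection at all, while the `reset-drop` counter under `Class-map: inspect_sql` shows whether other 1521 flows are still being reset.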