This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
JonnyV
Nickel
‎2020-06-26 12:38 PM

policy push causes DB timeouts/drops/renegotiation on Oracle TNS 19100 and 1521 traffic

Jump to solution

Problem:

We have been having issues with a DB performance impact after policy push since our upgrade to r80.30 (more than 4 months ago). We did not notice these issues in r77.30.

We eventually found document that seemed to match our behavior. https://packetpushers.net/sqlnet-a-k-a-oracle-tns-and-firewalls/

Observed behavior is as follows:

We push policy and begin to see an uptick in 19100 traffic from clients to server in new sessions. Typical traffic was appx 10 packets per minute, after push it jumped to almost 9k per min. We were unable to gather debug info from CP, because of the sheer volume of traffic would max out the CPUs and lock up the FW.

Solution:

Set 1521 and 19100 traffic at the service object to "keep connections open after policy has been installed"
We did not have to configure user.def or tables.def to address any OOS packets, as this just appears to be noise from the software load-balancing within Oracles TNS implementation.

1 Solution

Accepted Solutions
Highlighted
JonnyV
Nickel
‎2020-06-26 12:59 PM

Jump to solution
Understood
For our environment setting it at the service object made more sense; since those services are not present on the perimeter firewalls.

View solution in original post

0 Kudos
2 Replies
Highlighted
PhoneBoy
Admin
Admin
‎2020-06-26 12:54 PM

Jump to solution
You can also set it in global properties (I think) to keep all existing connections on a policy installation.
Highlighted
JonnyV
Nickel
‎2020-06-26 12:59 PM

Jump to solution
Understood
For our environment setting it at the service object made more sense; since those services are not present on the perimeter firewalls.

View solution in original post

0 Kudos