How to Disable the idle timeout for the firewall

Answered Question
May 21st, 2007

Dear All,

We have an application server on a normal VLAN and a database server in the DMZ. Users are facing the problem mentioned below, and the Oracle team has given the solution mentioned below.


CAN ANYONE GUIDE ME ON HOW TO ACHIEVE THIS?


-- Problem Statement:

OmniPortlets fail after some inactivity with the following error in the browser in place of the portlet:

Error: Call to execute Data Source failed.

-------------------------------

The procedures on the Portal database use a database link to connect to a remote database to fetch the data.

The Portal database is in the DMZ zone together with the infrastructure and middle tier.

The remote database with the actual data is in the secure intranet zone so there is a firewall between the 2 databases.

A refresh of the page solves the problem.

-- Business Impact:

As a result some early users may see an error when first accessing the page with such OmniPortlet.

A refresh of the page solves the problem.

-------------------------------------

Cause

The firewall closes connections at a regular interval.

If a firewall closes the database connection between OmniPortlet and the remote database, then OmniPortlet is not aware of this event and it tries to reuse the connection which causes the error.

--------------------------

Solution

To implement the solution, please execute the following steps:

1. Disable the idle timeout for the firewall, or increase the value of the timeout, so it is unlikely to close connection.


Thanks,

Raj

Overall Rating: 5 (2 ratings)
Correct Answer
Jon Marshall Mon, 05/21/2007 - 00:17

Hi Raj


Yes, we had the same problem with some of our Oracle applications. For some reason they cannot do keepalives down their connections so Oracle's answer is to increase timeout on firewalls.


On PIX v6.x you can use the following:


firewall(config)#timeout conn 3:00:00


That will increase the idle timeout to 3 hours. If you want to set it unlimited then you can use


firewall(config)#timeout conn 0:00:00


Be aware that with PIX v6.x this is a global setting, i.e. it affects all connections.


With PIX v7.x you can be more granular and tie it down to just the relevant connections.


HTH


Jon

rkcontrol Mon, 05/21/2007 - 01:25

Hi Jon,

Many thanks for your prompt reply. I have applied the config and will be waiting for the response from the Oracle guy.

Hope this works out.

Can you paste any links related to this?


*************PIX Config****************
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 1:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
*************************


What will be the command if we use IOS 7.0?


Thanks,

Raj

Jon Marshall Mon, 05/21/2007 - 01:29

Hi Raj


The command is the same as in v6.x, but it will apply globally to the firewall as in 6.x. If you want to be more granular, you need to apply a class map to the connection.


You have increased your timeout to 3 hours. This may be okay, but in our production environment we had to completely disable the timeout, i.e.


timeout conn 0:00:00


to get the apps to work properly.


HTH


Jon
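
Added example, not part of the original thread and not the posters' own configuration: the global setting from the answers beside the per-flow form on PIX v7.x that the last reply refers to ("apply a class map to the connection"). The host addresses (documentation ranges), the Oracle listener port 1521, the connection direction, and the names ORACLE_DBLINK and ORACLE_DBLINK_CLASS are assumptions; global_policy is the default policy map name on 7.x.

```cisco
! --- Global form (v6.x and v7.x), as given in the thread ---
! Applies to every TCP connection through the firewall. With 0:00:00 no
! idle connection entry is ever aged out, for any traffic, not only the
! Oracle database link.
!
!   timeout conn 0:00:00
!
! --- Scoped form (v7.x), assumed addressing ---
! Leave the global idle timeout at its normal value (1:00:00 is the default).
timeout conn 1:00:00
!
! Match only the database link. Assumed here: the Portal database in the DMZ
! (192.0.2.10) opens the connection to the remote database in the intranet
! (198.51.100.20) on the Oracle listener port 1521.
access-list ORACLE_DBLINK extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 1521
!
class-map ORACLE_DBLINK_CLASS
 match access-list ORACLE_DBLINK
!
! Raise the idle timeout for that class only. 3:00:00 is the value used in the
! thread; 0:0:0 here would disable the timeout for this flow alone.
policy-map global_policy
 class ORACLE_DBLINK_CLASS
  set connection timeout tcp 3:00:00
!
! Present by default on 7.x; shown so the fragment is complete.
service-policy global_policy global
```

With the scoped form only the database-link flow keeps its state entry for the longer period. `show conn` lists each connection with its idle time, and `show service-policy` shows which classes are active, so the effect can be checked after the change.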
