sqlnet inspection with TNS redirects

phil.davenport
Level 1

Hi,

Running default sqlnet inspection on ASA 7.2(3) for a multithreaded Oracle DB. When the DB issues redirects for the connecting client, sqlnet inspection drops the packet (packet captures and show service-policy confirm this). On investigation, the redirect contains the following data, which includes a FQDN and not an IP.

(ADDRESS=(PROTOCOL=tcp)(HOST=server1.dom.ain.na.me.uk)(PORT=32827)

Is it possible for the ASA to perform a lookup against a FQDN when it receives such a packet? I suspect this would result in too long a processing delay. If it can't, then it can't dynamically open the access for the new client request.

My understanding is that the ASA expects the format to be as below, containing an IP and not a FQDN:

(ADDRESS=(PROTOCOL=tcp)(HOST=a.b.c.d)(PORT=a)

Disabling sqlnet inspection and creating an ACL gets round the problem. Interestingly, in 6.3(5) it seems this condition is handled differently, with the redirect packet being allowed through back to the client; however, the slot won't be created, so in a way it is pointless for the client to get the redirect.

Anyone come across this before?

Thanks in advance.

1 Reply

bwilmoth
Level 5

sqlnet inspection simply NATs embedded IP addresses and opens embryonic connections for return traffic; it does not restrict SQL commands.
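As an added illustration of the two points made in this thread (the question's observation that the TNS redirect carries a HOST that is a FQDN rather than an IP literal, and the reply's description of the inspection engine working on embedded IP addresses), here is a small Python checker, written for this page and not code from Cisco or Oracle. It parses the `(ADDRESS=...)` descriptor format shown in the question, classifies the HOST value as an IP literal or a hostname, and reports the address/port pair an inspection engine could use to open a pinhole. The sample descriptors are constructed; the assumption that a pinhole can only be derived from an IP literal follows the original poster's understanding of the ASA's expected format and is not taken from vendor documentation.

```python
import ipaddress
import re

# Constructed sample redirect descriptors in the format shown in the question.
# The first mirrors the FQDN case reported on the ASA; the second is the
# IP-literal form the poster understood the inspection engine to expect.
SAMPLE_REDIRECTS = [
    "(ADDRESS=(PROTOCOL=tcp)(HOST=server1.dom.ain.na.me.uk)(PORT=32827))",
    "(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.3)(PORT=1521))",
]

# Matches the innermost (KEY=value) pairs; the enclosing (ADDRESS=...) wrapper
# contains parentheses in its value and is therefore skipped by [^()]*.
_KV = re.compile(r"\((\w+)=([^()]*)\)")


def parse_address(descriptor):
    """Return the KEY=value pairs of a TNS ADDRESS descriptor as a dict."""
    fields = {key.upper(): value.strip() for key, value in _KV.findall(descriptor)}
    if "HOST" not in fields or "PORT" not in fields:
        raise ValueError("descriptor lacks HOST or PORT: %r" % descriptor)
    return fields


def classify_host(host):
    """Return 'ip' if HOST is an IPv4/IPv6 literal, otherwise 'fqdn'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn"


def pinhole(descriptor):
    """Return the (address, port) pair an inspection engine could pinhole.

    Assumption (from the poster's understanding, not vendor documentation):
    a pinhole can only be derived when HOST is an IP literal; for a FQDN the
    engine would need a DNS lookup it does not perform, so None is returned.
    """
    fields = parse_address(descriptor)
    if classify_host(fields["HOST"]) != "ip":
        return None
    return (fields["HOST"], int(fields["PORT"]))


def audit_redirects(descriptors):
    """Summarise each redirect: host, classification and derivable pinhole."""
    report = []
    for descriptor in descriptors:
        fields = parse_address(descriptor)
        report.append({
            "host": fields["HOST"],
            "kind": classify_host(fields["HOST"]),
            "pinhole": pinhole(descriptor),
        })
    return report


if __name__ == "__main__":
    for entry in audit_redirects(SAMPLE_REDIRECTS):
        status = "pinhole %s:%d" % entry["pinhole"] if entry["pinhole"] else "no pinhole (FQDN)"
        print("%-30s %-5s %s" % (entry["host"], entry["kind"], status))
```

Running the script against redirects captured from your own listener (for example the payloads seen in the packet capture mentioned in the question) tells you at a glance which redirects carry a hostname and therefore would need either a listener configuration that emits IP literals or, as the poster did, an ACL in place of the inspection pinhole.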