PIX V8.04 Update - Sqlnet Problem

r.bender
Level 1

After upgrading our PIX 515E from V7.22 to V8.04 everything but one protocol seems to work fine. When trying to make an Sqlnet connection through the firewall a syslog error is kicked out: "PIX-4-507001: Terminating TCP-Proxy connection from outside:x.x.x.x/1534 to inside:y.y.y.y/2778 - reassembly limit of 8192 bytes exceeded". A packet capture shows the client and server talking, even after the error.

Anyone seen this before?

Thanks.

30 Replies

suschoud
Cisco Employee

When sqlnet inspection is applied as in your case, the ASA will proxy the TCP stream to make sure the traffic arrives in order. When performing this, the firewall must buffer any fragmented packets, but only has a limited size buffer of 8192 bytes. It is this limit that is being hit in your case.

There is currently a feature request to have this limit changed, but at this point it is just a request.

CSCsl15229

As a workaround, you can try disabling the inspection for this particular server.

##########
ASA-5520-CSC-Standalone(config)# access-list sqlnet-list deny tcp any host 128.104.44.41 eq 554$
ASA-5520-CSC-Standalone(config)# access-list sqlnet-list permit tcp any any eq 1521
ASA-5520-CSC-Standalone(config)# class-map sqlnet-class
ASA-5520-CSC-Standalone(config-cmap)# match access-list sqlnet-list
ASA-5520-CSC-Standalone(config-cmap)# policy-map global_policy
ASA-5520-CSC-Standalone(config-pmap)# class inspection_default
ASA-5520-CSC-Standalone(config-pmap-c)# no inspect sqlnet
ASA-5520-CSC-Standalone(config-pmap-c)# class sqlnet-class
ASA-5520-CSC-Standalone(config-pmap-c)# inspect sqlnet
ASA-5520-CSC-Standalone(config-pmap-c)#
############

Do rate helpful posts.

Regards,

Sushil
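As an added example that is not part of this thread, a short Python script that pulls the 507001 messages quoted in the original post out of a syslog feed, counts which inside servers are tripping the 8192-byte reassembly limit, and emits the access-list lines for the exclusion workaround above. The syslog lines are constructed, and the message layout follows the one quoted in the original post.

```python
import re
from collections import Counter

# Matches the 507001 message quoted in the original post. The leading "%" and the
# PIX/ASA prefix are both accepted; interfaces, addresses, ports and the limit are captured.
MSG_507001 = re.compile(
    r"%?(?:PIX|ASA)-4-507001: Terminating TCP-Proxy connection from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) - "
    r"reassembly limit of (?P<limit>\d+) bytes exceeded"
)

# Constructed sample feed (documentation addresses); the 302013 line is noise to be ignored.
SAMPLE_SYSLOG = [
    "Oct 14 09:12:01 fw1 %PIX-4-507001: Terminating TCP-Proxy connection from outside:203.0.113.10/1534 to inside:192.0.2.20/1521 - reassembly limit of 8192 bytes exceeded",
    "Oct 14 09:12:05 fw1 %PIX-6-302013: Built inbound TCP connection 4411 for outside:203.0.113.10/1535 (203.0.113.10/1535) to inside:192.0.2.20/1521 (192.0.2.20/1521)",
    "Oct 14 09:13:40 fw1 %PIX-4-507001: Terminating TCP-Proxy connection from outside:203.0.113.11/2001 to inside:192.0.2.20/1521 - reassembly limit of 8192 bytes exceeded",
    "Oct 14 09:15:02 fw1 %PIX-4-507001: Terminating TCP-Proxy connection from outside:203.0.113.12/2200 to inside:192.0.2.21/1521 - reassembly limit of 8192 bytes exceeded",
]


def parse_507001(lines):
    """Return one dict per 507001 message found; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = MSG_507001.search(line)
        if m:
            d = m.groupdict()
            for key in ("src_port", "dst_port", "limit"):
                d[key] = int(d[key])
            events.append(d)
    return events


def servers_hitting_limit(lines, min_events=1):
    """Count terminations per (server ip, server port). The 'to' side is the server when
    the client connects in from outside, as in the original post."""
    counts = Counter((e["dst_ip"], e["dst_port"]) for e in parse_507001(lines))
    return {k: v for k, v in counts.items() if v >= min_events}


def sqlnet_exclusion_acl(servers, name="sqlnet-list"):
    """Emit the access-list of the workaround: a deny entry keeps the affected server out
    of the sqlnet class (so it is not inspected); everything else on 1521 stays inspected."""
    lines = [f"access-list {name} deny tcp any host {ip} eq {port}" for ip, port in sorted(servers)]
    lines.append(f"access-list {name} permit tcp any any eq 1521")
    return lines


if __name__ == "__main__":
    for line in sqlnet_exclusion_acl(servers_hitting_limit(SAMPLE_SYSLOG, min_events=2)):
        print(line)
```

Raise min_events so that a single noisy session does not pull a server out of inspection; the class-map and policy-map lines from the post above still have to be applied by hand.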

Michael.Tuggle
Level 1

I am looking at upgrading from 7.2.4 to 8.0.4 and was wondering if you were just receiving the syslog messages or if it was killing your connections between the client and server. Also, did you find a fix? Any input would be helpful.

When we upgraded to 8.0.4 we had to disable the sqlnet inspect because it was impacting connectivity. There is no fix for this at the moment that I am aware of.

I was getting syslog messages until I applied V8.0(4)3. This interim patch stopped the syslog errors and helped the communication a little, but the connection still did not function properly. The firewall appeared to be sending resets and killing the traffic. Cisco has indicated that this will be fixed in V8.0(4)6 but did not know when it would be released. I keep checking. For now I have rolled back to the known working V7.22.

You can try disabling the rtsp inspect.

Please refer to below URL:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#prob

HTH

MD

I tried that and no effect.

Does the ASA have the same problem? We have the ASA 5520 and I know there is a good bit of difference between the ASA OS and the PIX OS even if they are running the same version.

I do not know. I have not tried this with the ASA. I hope to when I get a chance. If you test this please let me know.

Thanks.

We are planning our upgrade at the end of the month so I will post the sqlnets results at that time.

Looks like we are hitting the same problem on a PIX running 8.0.4. Any news on the release date for 8.0.4(6)? I will try to apply the workaround this weekend.

No news. They closed the case and told me to keep checking their website for the interim release as they did not have a date for the release. It was still in the testing stages. So far it has not been released and I check the site every week. Please let me know if you find a workaround that works.

Thanks.

Leveraging my advanced services contract I was just able to obtain a copy of asa804-6-k8.bin today which is supposed to resolve this issue.

I'd hit up TAC again and escalate this through the system until they give you access to the interim release as well I guess.

Good luck!

I did not know you could do that. If you are going to apply the update please let me know if it seems to fix the issue. That will save me some time. ;-)

Will do, however it takes about 2 weeks to get the approvals to get it into production around here lol.
