ASA 5520 - Sqlnet inspection dropping connections

m.pinheiro · ‎07-20-2009

Hi,

After one year and 3 months without any problems I had to upgrade the ASA 5520 from version 8.03 to 8.04 due to a known bug (tcpmss problem).

Everything worked fine with one exception: the Oracle application is not working any more.

Whenever I remove the sqlnet inspection the application works fine.

It can perform some simple queries, however, I realized that after a query containg a clob field in Oracle the connection are dropped by the ASA.

Below you can find the debug msgs and

logging messages:

# debug sqlnet 255

PROBLEM HERE -> SQLNet: received partial fragment, frag len: 1732, partial frag len: 1380, 352 bytes needed

SQLNet: received whole fragment, 1732 bytes

SQLNet: using proxy forward

SQLNet: received a new complete fragment of 289 bytes

SQLNet: received a new complete fragment of 21 bytes

SQLNet: received a new complete fragment of 155 bytes

PROBLEM HERE -> SQLNet: received partial fragment, frag len: 2011, partial frag len: 1380, 631 bytes needed

SQLNet: received whole fragment, 2011 bytes

SQLNet: using proxy forward

# syslog msgs:

Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44946 flags FIN ACK on interface DMZ

Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44951 flags FIN ACK on interface DMZ

Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44955 flags FIN ACK on interface DMZ

Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44958 flags FIN ACK on interface DMZ

Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44959 flags FIN ACK on interface DMZ

Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44960 flags FIN ACK on interface DMZ

Jul 18 23:56:59 asa Jul 18 2009 23:58:04: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44965 flags ACK on interface DMZ

Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-302014: Teardown TCP connection 138604883 for DMZ:dbserver-dmz/1521 to Internal:adm-int/44985 duration 0:00:36 bytes 2001924 Flow closed by inspection

Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ

Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ

Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ

Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ

Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from adm-int/44985 to dbserver-dmz/1521 flags ACK

The dbserver is on the DMZ interface and the system is on the Internal interface. Traffic is allowed and it was working with the inspection on version 8.03.

Any help is appreciated.

Thanks,

Marcelo Pinheiro

deyster94 · ‎07-20-2009

I ran into a similar issue at a client and what is happening is there isn't a two way connection between the client and the server. There were two things we did that clear this up. One was to turn of sqlnet inspection and the other was to have the client that was having the issue restart their computer.

m.pinheiro · ‎07-21-2009

Thank you for your response. The first option I already did and it is working.

The second is impossible because it is an application server.

I was wondering if there is a way to keep sqlnet inspecting with this problem or is it a bug?