07-20-2009 03:18 PM - edited 03-11-2019 08:57 AM
Hi,
After one year and 3 months without any problems I had to upgrade the ASA 5520 from version 8.03 to 8.04 due to a known bug (tcpmss problem).
Everything worked fine with one exception: the Oracle application is not working any more.
Whenever I remove the sqlnet inspection the application works fine.
It can perform some simple queries; however, I realized that after a query containing a clob field in Oracle the connections are dropped by the ASA.
Below you can find the debug msgs and logging messages:
# debug sqlnet 255
PROBLEM HERE -> SQLNet: received partial fragment, frag len: 1732, partial frag len: 1380, 352 bytes needed
SQLNet: received whole fragment, 1732 bytes
SQLNet: using proxy forward
SQLNet: received a new complete fragment of 289 bytes
SQLNet: received a new complete fragment of 21 bytes
SQLNet: received a new complete fragment of 155 bytes
PROBLEM HERE -> SQLNet: received partial fragment, frag len: 2011, partial frag len: 1380, 631 bytes needed
SQLNet: received whole fragment, 2011 bytes
SQLNet: using proxy forward
# syslog msgs:
Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44946 flags FIN ACK on interface DMZ
Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44951 flags FIN ACK on interface DMZ
Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44955 flags FIN ACK on interface DMZ
Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44958 flags FIN ACK on interface DMZ
Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44959 flags FIN ACK on interface DMZ
Jul 18 23:56:58 asa Jul 18 2009 23:58:02: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44960 flags FIN ACK on interface DMZ
Jul 18 23:56:59 asa Jul 18 2009 23:58:04: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44965 flags ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-302014: Teardown TCP connection 138604883 for DMZ:dbserver-dmz/1521 to Internal:adm-int/44985 duration 0:00:36 bytes 2001924 Flow closed by inspection
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from adm-int/44985 to dbserver-dmz/1521 flags ACK
The dbserver is on the DMZ interface and the system is on the Internal interface. Traffic is allowed and it was working with the inspection on version 8.03.
Any help is appreciated.
Thanks,
Marcelo Pinheiro
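One way to confirm from syslog which connections the inspection engine closed, added here as an example and not part of the original thread: the script pairs each 302014 teardown whose reason is "Flow closed by inspection" with the 106015 denies logged afterwards for the same endpoints. The sample lines are copied from the post above; the function name and result fields are assumptions of this example.

```python
import re

# Syslog lines copied from the post above (hostnames and ports as posted).
SAMPLE = """\
Jul 18 23:56:59 asa Jul 18 2009 23:58:04: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44965 flags ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-302014: Teardown TCP connection 138604883 for DMZ:dbserver-dmz/1521 to Internal:adm-int/44985 duration 0:00:36 bytes 2001924 Flow closed by inspection
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from dbserver-dmz/1521 to adm-int/44985 flags PSH ACK on interface DMZ
Jul 18 23:57:13 asa Jul 18 2009 23:58:17: %ASA-6-106015: Deny TCP (no connection) from adm-int/44985 to dbserver-dmz/1521 flags ACK
"""

TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"[^:\s]+:(?P<a>[^/\s]+/\d+) to [^:\s]+:(?P<b>[^/\s]+/\d+) "
    r"duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[^/\s]+/\d+) "
    r"to (?P<dst>[^/\s]+/\d+) flags (?P<flags>.+?)(?: on interface \S+)?$")

def inspection_drops(text):
    """Return flows torn down by an inspection engine, each with the 106015
    denies logged for the same endpoint pair after the teardown."""
    flows = {}  # frozenset of the two host/port endpoints -> summary
    for line in text.splitlines():
        line = line.strip()
        if m := TEARDOWN.search(line):
            if m["reason"] == "Flow closed by inspection":
                key = frozenset((m["a"], m["b"]))
                flows[key] = {"conn_id": int(m["id"]),
                              "endpoints": sorted(key),
                              "bytes": int(m["bytes"]), "orphans": 0, "flags": []}
        elif m := DENY.search(line):
            key = frozenset((m["src"], m["dst"]))
            if key in flows:  # count only denies that follow the teardown
                flows[key]["orphans"] += 1
                flows[key]["flags"].append(m["flags"])
    return list(flows.values())

if __name__ == "__main__":
    for flow in inspection_drops(SAMPLE):
        print(flow)
```

Denies on other ports that have no matching teardown in the input, such as the 44965 line, are left out of the result.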
07-20-2009 05:13 PM
I ran into a similar issue at a client and what is happening is there isn't a two-way connection between the client and the server. There were two things we did that cleared this up. One was to turn off sqlnet inspection and the other was to have the client that was having the issue restart their computer.
07-21-2009 03:10 PM
Thank you for your response. The first option I already did and it is working.
The second is impossible because it is an application server.
I was wondering if there is a way to keep sqlnet inspecting with this problem or is it a bug?