
New Member

Anyone ever disable sqlnet inspection during active Oracle connections?

Running FWSM 3.2(9) in a datacenter with active Oracle connections from an outside vlan to an inside vlan.  Sqlnet inspection is enabled, however I don't believe it is needed, so I want to disable for possible performance improvement.  If I remove the inspection while active Oracle connections are open through the firewall, will they get dropped (of course this assumes the sqlnet inspection isn't needed).   Anyone ever done that?

4 REPLIES
Cisco Employee

Re: Anyone ever disable sqlnet inspection during active Oracle c

Pls. issue "sh service-policy" and make sure whether the sql inspection is processing packets and if they increment by issuing the same command again.

Inspection does two things, NAT fixup and dynamically opening ports as needed without the need for ACLs.

Maybe you are not doing any address translation or you are doing just identity translation and if you remove inspection then, make sure the ACLs allow the ports.

-KS

New Member

Re: Anyone ever disable sqlnet inspection during active Oracle c

Show service-policy definitely shows processed packets.  Below is the output between back to back commands (~ 1 second apart).  Correct, we are using static identity NAT for the Oracle servers on the inside, and a "debug sqlnet" shows only port 1521 (INFO: intercepted port is 1521).  Therefore, it doesn't look like sqlnet inspection is needed.  Have you ever disabled it during active Oracle connections?  I want to disable it, but I'm afraid that it will bounce all Oracle connections, at which point, we'd need to restart a whole bunch of application servers.


FWSM# sho service-pol

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 104891795, drop 0, reset-drop 0
      Inspect: ftp, packet 1540053619, drop 126, reset-drop 9
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 596580, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 836274856, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 278078, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: dcerpc, packet 10601143, drop 18, reset-drop 0
    Class-map: class_sip_tcp
      Inspect: sip, packet 0, drop 0, reset-drop 0
FWSM#


FWSM# sho service-pol

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 104891905, drop 0, reset-drop 0
      Inspect: ftp, packet 1540053721, drop 126, reset-drop 9
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 596580, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 836285544, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 278078, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: dcerpc, packet 10601143, drop 18, reset-drop 0
    Class-map: class_sip_tcp
      Inspect: sip, packet 0, drop 0, reset-drop 0
FWSM#
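The check KS suggests above, running "show service-policy" twice and seeing which counters move, worked through as an added example that is not part of the thread: a small parser for the two outputs Pat posted, keyed by class-map and inspection engine, reporting the per-engine packet delta. The snapshots are trimmed copies of the posted output, and the function names are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Constructed from the two back-to-back "show service-policy" outputs posted
# above, trimmed to a few engines (counter values are the ones in the post).
SNAPSHOT_1 = """\
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 104891795, drop 0, reset-drop 0
      Inspect: sqlnet, packet 836274856, drop 0, reset-drop 0
    Class-map: class_sip_tcp
      Inspect: sip, packet 0, drop 0, reset-drop 0
"""
SNAPSHOT_2 = """\
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 104891905, drop 0, reset-drop 0
      Inspect: sqlnet, packet 836285544, drop 0, reset-drop 0
    Class-map: class_sip_tcp
      Inspect: sip, packet 0, drop 0, reset-drop 0
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<engine>[^,]+),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset>\d+)"
)
Key = Tuple[str, str]                          # (class-map, engine text)
Counters = Dict[Key, Tuple[int, int, int]]     # (packet, drop, reset-drop)


def parse_service_policy(text: str) -> Counters:
    """Cumulative counters per (class-map, engine) from one command output."""
    counters: Counters = {}
    class_map = "?"
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            class_map = m.group(1)
        elif m := INSPECT_RE.match(line):
            # engine text keeps its options, e.g. "dns maximum-length 512"
            counters[(class_map, m.group("engine").strip())] = (
                int(m.group("packet")), int(m.group("drop")), int(m.group("reset")))
    return counters


def packet_deltas(before: Counters, after: Counters) -> Dict[Key, int]:
    """Engines whose packet counter changed between the two snapshots.
    Idle engines (delta 0) are omitted; a negative delta means the counter
    went backwards (reset or reload), so that sample should not be trusted."""
    deltas: Dict[Key, int] = {}
    for key, (pkt_after, _, _) in after.items():
        pkt_before = before.get(key, (0, 0, 0))[0]
        if pkt_after != pkt_before:
            deltas[key] = pkt_after - pkt_before
    return deltas
```

On the posted pair, sqlnet grows by 10688 packets in roughly a second while sip stays idle, which is the evidence that the engine is in the traffic path before it is removed from the policy.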

Cisco Employee

Re: Anyone ever disable sqlnet inspection during active Oracle c

The connections that are up will not be terminated. Any new connections will not be inspected and, if ACLs do not allow them, will be denied.

You can remove inspection.  If you are worried you can remove the inspection later in the day when the load will be low.

-KS

New Member

Re: Anyone ever disable sqlnet inspection during active Oracle c

Thanks for the info.  Will give it a try at our next maintenance window, and will post the results.

Thanks,

Pat
