Cisco Support Community
New Member

ASA 9.1 Problems with Oracle Database

Hi Everyone,

Having a strange problem. We recently migrated from FWSM to ASA-5585X running 9.1(2). Since we did that, we are having problems from an APP server in DMZ-A talking to a DB server in DMZ-B. The error we are getting in Oracle is ORA-12592: Bad Packet. Reading about this, it says it could be the network, and our DBAs are telling us they saw the error for the first time about 4 hours after our firewall migration. To note, SQL inspect is OFF. We have done captures on each server, and on egress and ingress interfaces, but do not see anything special.

Anyone have any ideas?

2 ACCEPTED SOLUTIONS
Bronze

ASA 9.1 Problems with Oracle Database

As you collected the ingress and egress captures, please search for the TCP URGENT flag (Wireshark filter tcp.flags.urg==1), and check if it is used by the Oracle apps. The ASA by default clears this flag, so if your app uses this flag (as many Oracle apps do), you need to configure a tcp-map to allow it.

Regards.
Mashal Shboul

------------------ Mashal Shboul
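
The capture comparison suggested in the answer above, as an added example (not part of the original thread and not Cisco or Oracle code): it counts URG-flagged TCP segments per flow in the ingress and egress captures and lists flows where the flag disappears in transit. It assumes classic pcap files with Ethernet/IPv4 framing and no NAT between the two capture points; the addresses and port 1521 in the sample are constructed.

```python
import socket
import struct
from collections import Counter

URG = 0x20  # URG bit in the TCP flags byte

def urg_per_flow(pcap: bytes) -> Counter:
    """Count URG-flagged TCP segments per (src, dst, sport, dport).
    Assumes a classic pcap file (not pcapng), Ethernet, IPv4, no VLAN tags."""
    endian = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    counts, off = Counter(), 24                  # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # not IPv4/TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) >= 20 and tcp[13] & URG:
            sport, dport = struct.unpack("!HH", tcp[:4])
            src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            counts[(src, dst, sport, dport)] += 1
    return counts

def urg_stripped(ingress: bytes, egress: bytes) -> list:
    """Flows that carry URG in the ingress capture but never in the egress one.
    Compared per 4-tuple rather than per sequence number, since the ASA
    randomizes initial sequence numbers by default. Assumes no NAT in between."""
    before, after = urg_per_flow(ingress), urg_per_flow(egress)
    return sorted(flow for flow in before if after[flow] == 0)

def sample_pcap(flags: int) -> bytes:
    """Constructed one-packet capture: 192.0.2.10:40000 -> 192.0.2.20:1521
    (documentation addresses; 1521 is assumed as the Oracle listener port)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 1521, 1, 1, 0x50, flags, 8192, 0,
                      1 if flags & URG else 0)
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    # Ingress has PSH|ACK|URG (0x38); egress shows the same segment as PSH|ACK (0x18).
    for flow in urg_stripped(sample_pcap(0x38), sample_pcap(0x18)):
        print("URG seen on ingress but not on egress:", flow)
```

With real captures, read each file in binary mode and pass the bytes to urg_stripped(); an empty result means no flow lost its URG flag between the two capture points.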
Bronze

ASA 9.1 Problems with Oracle Database

Please use this post:  https://supportforums.cisco.com/thread/2212146

You can fix the issue on the ASA or you can do that at the database server. I personally think this should be fixed at the database server level by enabling SQL*net keep alive to maintain stability rather than depending on the firewall.

New Member

ASA 9.1 Problems with Oracle Database

Very good article - thanks.  I will add these options to my service policy and see what happens.

New Member

ASA 9.1 Problems with Oracle Database

Thanks - this is good info.  I will create the service policy and see what happens.
