Hi jogillis

Thanks for the reponse. Here's my timeout values:

timeout xlate 3:00:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

I hope this helps. I've been scratching my head for a week now trying to solve this.

Thanks again

Dan

Dan,

I see you have connections set to not timeout. Did you check for old connections?

show conn | include

I had your exact scenario with our sql server, requests go into the pix but never come out. We also have connections set to never timeout. I used the caputure command on both interfaces to get my trace, then using the port numbers from the capture I discovered old connections with those same port numbers. Of course if you pix is restarted very often then this is a mute point.

jogillis

Hi

Just to add evidence to my theory, I get the following in my logs:

Mar 17 17:15:58 fwl-inside-pri Mar 17 2006 15:48:00: %PIX-6-302014: Teardown TCP connection 21835588 for green:10.110.9.122/53488 to data:10.10.8.22/22 duration 0:02:01 bytes 0 SYN Timeout

However the above logs don't account for every timeout, that I have seen.

Any idea how to fix this?

Thanks in advance

Dan

Hi

Just to add further evidence:

By sniffing the network on the pix external facing network interface I receive packets similar to this:

19:49:15.758315 red.example.com.44808 > green.example.com.1521: S

3506603012:3506603012(0) win 5840

ale 0> (DF)

But sniffing the internal facing interface (i.e the database end), those packets don't come through. Its as though the pix has silently dropped them.

Now so far from my tests, I've noticed that a failure has always been occurring when the mss value is set to 1460. Although this might be a red-herring as trawling through the capture logs I can see other SYN packets pass through with that value. Setting the "sysopt tcpmss" value to 1460 doesn't make any difference.

Any ideas where the problem may lie?

Is this a bug in the cisco OS?

Thanks

Dan

Are you nat'ing. Did you try a one to one static ip mapping?

No, I was hoping not having to NAT. We're not using the PIX for the internet, but rather as a security device to separate our 2 internal networks. Anyhow, since it is all internal, I'd prefer to stay away from NAT. Is NAT required in order to use SQL*Net Inspection? It just doesn't make any sense...

Are those servers in the inside and are you letting external clients connect to it?

From the Pix standpoint, network A having security level 100 and network B having security level 50. One of the scenario is Oracle client on Network B trying to "connect" to Oracle Server on network A. No NATs configured. Access-lists are configured to allow all ports bidirectionally. The Pix is configured just like a router, with access-lists allowing all traffic.

Hi,

Is there already a solution for this problem. I think we have the same issue, we have a pix between the application server and oracle. Where running pix 7.2.1 and see that queries to the database are rejected without any logging in the pix. I disabled the inspect rules for sqlnet, but no solution. When we directly connect the database in the same subnet as the application server we have no problem. Also connections through the pix with tools like DBvisualiser/tora are dropped?

Jeroen.

I don't know if it is related, but we had an issue with HTTP, and the MSS value exceeded being dropped silently. We added the following lines to allow MSS values exceeded, and traffic flowed correctly. This should work with any TCP traffic. You may want to lock this down further with ACL's ("match any" line)as there are some security concerns with MSS exceeded packets. Hope this helps.

tcp-map mss-map

exceed-mss allow

class-map http-map1

match any

policy-map global_policy

class http-map1

set connection advanced-options mss-map