Sunday, January 25, 2015

Solving Firewall Problems on Windows ... ...


To BottomTo Bottom

APPLIES TO:

Oracle Net Services - Version 2.3.4.0.0 to 11.2.0.2
Generic Windows
Checked for relevance on 5-DEC-2012.
TNS-12535
USE_SHARED_SOCKET

PURPOSE

This article describes how to get around firewall problems with SQL*Net or Net*8 on Windows servers.

SCOPE

SCOPE & APPLICATION

A firewall is a secure gateway that controls the traffic into and out of a company's internal network. Firewalls can cause problems when a SQL*Net client outside the firewall tries to connect to an Oracle database on Windows NT inside the firewall, or vice versa. The default Oracle Listener listens on port 1521. It may not be sufficient to configure the firewall to allow access through port 1521 so the SQL*Net clients will be able to connect. To understand why the TNS connect will fail, it is necessary to understand how a SQL*Net connection on Windows NT works.

When a client initiates a TNS connect, a TCP connection is established with port 1521. A TNS CONNECT packet is then sent to the listener. On UNIX systems the listener process will fork a new Oracle process to deal with the new incoming connection. With UNIX, forked processes will inherit the resources owned by the parent process such as the file handle that represents the TCP socket. In Windows NT, the Listener tells the Oracle Service to spawn a thread.

Earlier releases of SQL*Net for Windows NT used the WINSOCK V1.1 API. With this version of WINSOCK there is no capability of passing a TCP socket between two processes, such as from the Listener to the Oracle Service, and so there was no way to inherit the TCP socket. This restriction forced the client to have to create a new TCP connection to the new thread. To do this, the thread randomly selects a new TCP port to use for the connection request, for example port 10087, and informs the listener to redirect the Client to it.

The listener now informs the client that they need to REDIRECT the connection attempt to this newly selected networking endpoint. The listener does this by sending a TNS REDIRECT packet to the client with details of the new port to reconnect to. The client drops the existing TCP connection and issues a TCP Connect sequence to the new TCP port, followed by a TNS Connect packet. The server thread accepts the TCP connect and responds with a TNS ACCEPT packet. The Client exchanges various TNS packets and then logs into the Database.

So, if you create an Access Control List (ACL) on the firewall to allow connects through port 1521, after the REDIRECT packet has been sent to the client and the TCP connection to port 1521 is closed, the firewall will not allow the TCP connection to port 10087 so the TNS connection will fail. As the REDIRECT port that gets generated is entirely at random, it would not be secure to allow connections to this random port range in the firewall as it begins to defeat the purpose of the firewall.

DETAILS

note:62528.1note:62528.1 /To resolve this problem there are several options:
  1. This step should only be performed by the firewall administrator and only if they feel this is a viable workaround for their company. Otherwise, skip to step 2. This would be to configure ACL on the firewall to limit IP addresses rather than port numbers. This is not a very secure option.
  2. Use Oracle Connection Manager. Oracle Connection Manager will "absorb" the REDIRECT as it all occurs on the server side of the firewall. For further information on Connection Manager and how to configure it, refer to Note 62528.1.
  3. If you are on Oracle version 8 or higher on the Database, you can use the WINSOCK V2 API feature of Shared Sockets. This allows a socket to be shared (or passed) between processes. To use this functionality in a single Oracle Home, under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE create USE_SHARED_SOCKET as a STRING_VALUE and set it to TRUE. If you are running multiple Oracle Homes, view the %ORACLE_HOME\bin\oracle.key file to find which registry key to add the parameter USE_SHARED_SOCKET.
Please see Note 124140.1 for greater detail on this Windows feature.

WARNING: When using this method you must restart all Oracle processes for them to pick up the registry change.

Note: This parameter only works in dedicated server mode in a TCP/IP environment and will not work for the Multi-Threaded Server (MTS) configuration. To spawn a dedicated server for an instance of Oracle Database not associated with the same Oracle home as the listener and have shared socket enabled, you must also set the parameter USE_SHARED_SOCKET for both Oracle homes.

Note: If this parameter is set, you cannot use a version 8.0 or later listener to spawn Oracle7 release 7.x databases.

Note: USE_SHARED_SOCKET was introduced in Oracle version 8.0. It was set off by default in 8.0 to 10.0. The default is set to true in 10.1 and later. This parameter is planned to be deprecated in a future release.

REFERENCES

NOTE:62528.1 - Using Connection Manager (CMAN) as a MultiProtocol Interchange (MPI)
NOTE:124140.1 - How to configure USE_SHARED_SOCKET on Windows NT/2000
Posted by at No comments:

Wednesday, January 21, 2015

SCAN LISTENER TRACING


SCAN LISTENER TRACING

Posted by Srikrishna Murthy Annam on May 12, 2011
This article describes enabling and disabling the SCAN listener tracing. Before capturing the scan listener tracing,please make sure your scan listener is configured as per the following Oracle Support IDs.
1070607.1 
975457.1
Some where you should find some clue for your SCAN connectivity issues. If you are still unable to find the exact problem with the scan connectivity, you need to enable the tracing and analyze the trace files or upload the trace files to oracle support.
To enable level 16 tracing for SCAN listeners, add the following parameters to listener.ora and  try to reproduce the connectivity issue.
1
2
3
4
TRACE_LEVEL_ = 16
TRACE_DIRECTORY_ =<dir location>
TRACE_TIMESTAMP_ = TRUE
DIAG_ADR_ENABLED_=off
Then try to reload all the listeners after these parameters are in place using lsnrctl reload .
Reproduce the issue and verify that the trace and log files are created in the directory mentioned in the parameter TRACE_DIRECTORY_.
To disable scan listener tracing:
1
2
3
4
$lsnrctl
LSNRCTL>set current_listener
LSNRCTL>set trc_level OFF
LSNRCTL>save_config
In the above tracing we disabled diagnostic repository with the parameter DIAG_ADR_ENABLED_ and collected trace files. Now if you want to re-enable DIAG_ADR, just comment out DIAG_ADR_ENABLED_ in listener.ora and reload all the listeners.
NOTE: ADR is the new concept introduced from 11g and it is a file system repository to store all diagnostic data. Please review the article  Automatic Diagnostic Repository  to know more on ADR concepts.
Session Log to show enabling SCAN Tracing:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
[grid@b600e6tr01 admin]$ cp listener.ora listener.ora_bak
[grid@b600e6tr01 admin]$ vi listener.ora   ==> Here add trace parameter
[grid@b600e6tr01 admin]$ clear
[grid@b600e6tr01 admin]$ ps -ef | grep -i tns
grid      5943  4623  0 07:12 pts/1    00:00:00 grep -i tns
grid     18139     1  0 May03 ?        00:01:01 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid     18142     1  0 May03 ?        00:01:14 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER_SCAN2 -inherit
grid     18164     1  0 May03 ?        00:01:18 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER_SCAN3 -inherit
[grid@b600e6tr01 admin]$ lsnrctl reload listener
 
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-MAY-2011 07:12:38
 
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
The command completed successfully
 
[grid@b600e6tr01 admin]$ lsnrctl reload LISTENER_SCAN2
 
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-MAY-2011 07:12:55
 
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))
The command completed successfully
[grid@b600e6tr01 admin]$ lsnrctl reload LISTENER_SCAN3
 
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-MAY-2011 07:13:02
 
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3)))
The command completed successfully
[grid@b600e6tr01 admin]$
 
[grid@b600e6tr02 admin]$ cp listener.ora listener.ora_bak
[grid@b600e6tr02 admin]$ vi listener.ora  ==> Here add trace parameters
[grid@b600e6tr02 ~]$ ps -ef | grep -i tns
grid      1042     1  0 May03 ?        00:01:20 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER_SCAN1 -inherit
grid      1171     1  0 May03 ?        00:01:04 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid      8231  7935  0 07:06 pts/1    00:00:00 grep -i tns
[grid@b600e6tr02 ~]
[grid@b600e6tr02 admin]$ lsnrctl reload LISTENER
 
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-MAY-2011 07:13:26
 
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
The command completed successfully
[grid@b600e6tr02 admin]$ lsnrctl reload LISTENER_SCAN1
 
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-MAY-2011 07:13:35
 
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))
The command completed successfully
[grid@b600e6tr02 admin]$
Session Log to show disabling SCAN Tracing:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
[grid@b600e6tr01 ~]$ ps -ef | grep -i tns
grid      5309  4623  0 07:06 pts/1    00:00:00 grep -i tns
grid     18139     1  0 May03 ?        00:01:01 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid     18142     1  0 May03 ?        00:01:14 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER_SCAN2 -inherit
grid     18164     1  0 May03 ?        00:01:18 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER_SCAN3 -inherit
[grid@b600e6tr01 ~]$ lsnrctl
 
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-MAY-2011 07:07:02
 
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
 
Welcome to LSNRCTL, type "help" for information.
 
LSNRCTL> set current_listener LISTENER
Current Listener is LISTENER
LSNRCTL> set trc_level OFF
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
LISTENER parameter "trc_level" set to off
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
Saved LISTENER configuration parameters.
Listener Parameter File   /u01/home/11.2.0/grid/network/admin/listener.ora
Old Parameter File   /u01/home/11.2.0/grid/network/admin/listener.bak
The command completed successfully
LSNRCTL> set current_listener LISTENER_SCAN2
Current Listener is LISTENER_SCAN2
LSNRCTL> set trc_level OFF
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))
LISTENER_SCAN2 parameter "trc_level" set to off
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))
Saved LISTENER_SCAN2 configuration parameters.
Listener Parameter File   /u01/home/11.2.0/grid/network/admin/listener.ora
Old Parameter File   /u01/home/11.2.0/grid/network/admin/listener.bak
The command completed successfully
LSNRCTL> set current_listener LISTENER_SCAN3
Current Listener is LISTENER_SCAN3
LSNRCTL> set trc_level OFF
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3)))
LISTENER_SCAN3 parameter "trc_level" set to off
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3)))
Saved LISTENER_SCAN3 configuration parameters.
Listener Parameter File   /u01/home/11.2.0/grid/network/admin/listener.ora
Old Parameter File   /u01/home/11.2.0/grid/network/admin/listener.bak
The command completed successfully
LSNRCTL>
 
[grid@b600e6tr02 ~]$ ps -ef | grep -i tns
grid      1042     1  0 May03 ?        00:01:20 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER_SCAN1 -inherit
grid      1171     1  0 May03 ?        00:01:04 /u01/home/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid      8231  7935  0 07:06 pts/1    00:00:00 grep -i tns
[grid@b600e6tr02 ~]$ lsnrctl
 
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-MAY-2011 07:10:37
 
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
 
Welcome to LSNRCTL, type "help" for information.
 
LSNRCTL> set current_listener LISTENER
Current Listener is LISTENER
LSNRCTL> set trc_level OFF
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
LISTENER parameter "trc_level" set to off
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
Saved LISTENER configuration parameters.
Listener Parameter File   /u01/home/11.2.0/grid/network/admin/listener.ora
Old Parameter File   /u01/home/11.2.0/grid/network/admin/listener.bak
The command completed successfully
LSNRCTL> set current_listener LISTENER_SCAN1
Current Listener is LISTENER_SCAN1
LSNRCTL> set trc_level OFF
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))
LISTENER_SCAN1 parameter "trc_level" set to off
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))
Saved LISTENER_SCAN1 configuration parameters.
Listener Parameter File   /u01/home/11.2.0/grid/network/admin/listener.ora
Old Parameter File   /u01/home/11.2.0/grid/network/admin/listener.bak
The command completed successfully
LSNRCTL>
Posted by at No comments:
Subscribe to: Comments (Atom)