topic Re: Time out Oracle sessions in General Topics

Time out Oracle sessions

Es_tecsupportsecurity — Wed, 21 Jun 2017 10:16:09 GMT

Hi,

We have problems with time-outs in Oracle connections. We are seeing how the BBDD sends keep alives and in the FW is increased the number of packets when passing the keep-alive packet, but following one of these connections, in one of them we did not see increase the number of packets in the firewall, And the time to live of the session is not reset. We see how the server restarted its time to send a keep alive again. And we have some sessions that the firewall cuts by time-out.

Reviewing Release Notes, we've seen a bug that might be affecting us. This bug is solved in 7.1.6 PanOS:
PAN-64727: Fixed an issue where the firewall changed the sequence numbers of forwarded TCP keep-alive packets

Im not sure if this bus ia applying to us and causing this problem in 7.0.x. This problem will be solved in last panos in 7.0.x???

Re: Time out Oracle sessions

BPry — Wed, 21 Jun 2017 16:08:33 GMT

@Es_tecsupportsecurity,

That specific bug number does not appear to be affecting 7.0.*, however the bug itself could have been given a seperate number. I did a quick scan through the release notes and didn't notice anything specific to keep-alive that seemed relavent to your issue.

I would reach out to your SE or contact TAC and see if it was a bug that actually effects 7.0.* and if it is if there is even a plan to backport the fix to 7.0

Re: Time out Oracle sessions

mlinsemier — Wed, 21 Jun 2017 21:00:25 GMT

Oracle and firewalls in general, in my expereince, don't play that well together. In our environment we had to extend the session timeout in the app-id to a ridiculous number so that sessions wouldn't drop. Alot of this seems to surroud the use of connection pooling where Oracle opens connections for use ahead of time to improve performance. Firewalls will close these conntections (session timeout) if there is no interesting traffic (I think 6 packets in the session timeout value). This means that clients may try to connect on ports that were previously closed by the firewall. We trying setting up keepalives on the Oracle side of the house, but I was having issues getting any help from our developers in general at that time (over a year ago) as they managed the server settings.

I would recommend as a troubleshooting step overriding the app-id session timeout for Oracle to like 8 hours and see if you still have the issue. Just some food for thought.

-Matt