topic Re: Oracle Replication Failed in General Topics

Oracle Replication Failed

malswealmeen — Sun, 23 Feb 2014 21:32:22 GMT

We have a case where the Oracle connection failed during the replication to the DR , the replication process start for one to three hours then it failed , Oracle admins opened a ticket with oracle support and oracle support recommends to disable the below for oracle application :

SQLNet fixup protocol

Deep Packet Inspection (DPI)

SQLNet packet inspection

SQL Fixup

SQL ALG

We have disabled the the inspection , but for the ALG I found in admin guide v6 that the paloalto functions as an ALG for the following protocols: FTP, SIP, H.323, RTSP, Oracle/SQLNet/TNS, MGCP protocols.but shows how to disable ALG just for SIP.

in the time I have added new custom application to override the oracle default one and added it to application policy so the PA will not affect this application .

and we are waiting for the result .

will this disable the ALG functionality on the Oracle application?

Re: Oracle Replication Failed

HULK — Sun, 23 Feb 2014 22:42:29 GMT

Yes, you are correct. If you create a custom application and refer that to a application override policy, the PAN firewall will skip the Layer-7 processing ( content check, ALG) for that traffic.

Thanks

Re: Oracle Replication Failed

malswealmeen — Mon, 24 Feb 2014 12:10:33 GMT

the same error with the same ORA number in oracle server

Re: Oracle Replication Failed

Mystique — Mon, 24 Feb 2014 15:15:02 GMT

Please use this document to create application override policy.

How to Create an Application Override Policy

After creating correct policy please check the session by using below command:

show session all filter source <x.x.x.x> destination <y.y.y.y>

show session id <type appropriate session number from above output>

This output will show

layer7 processing : completed

application : <the name of the custom app that you have created>

Re: Oracle Replication Failed

HULK — Mon, 24 Feb 2014 17:31:45 GMT

Hello Sir,

Could you please enable packet capture on PAN firewall between source and destination IP (bi-directional) to understand who is causing this problem. Also if you are using an application override policy for SQL traffic, could you please increase the time-out value for those custom application.

Ref Doc: How to Run a Packet Capture

Thanks

Re: Oracle Replication Failed

malswealmeen — Wed, 26 Feb 2014 21:49:49 GMT

Thanks but the problem with pcap andthe cli monitor is that the replication is online process and it will work for hours then it will stop, we don't have a trigger to fire to reproduce the problem , it's just happening daily with no time standard

Re: Oracle Replication Failed

Anon1 — Thu, 27 Feb 2014 14:45:43 GMT

Try to disable TCP sequence number checking:

set deviceconfig setting tcp asymmetric-path bypass

set deviceconfig setting tcp asymmetric-path

bypass bypass inspection for the session that has TCP sliding window tracking errors

drop drop offending packets that violated TCP sliding window tracking, enable TCP sequence number check for FIN/RST

Re: Oracle Replication Failed

malswealmeen — Sat, 01 Mar 2014 13:14:02 GMT

Thanks Anon but will it effect other tcp protocol? In other words can we specify it for oracle only? Or for src and dest only?

Re: Oracle Replication Failed

Anon1 — Mon, 03 Mar 2014 12:59:10 GMT

Hi,

no, this setting will disable the inspection globally for all traffic.

Re: Oracle Replication Failed

swapnkok — Thu, 14 Mar 2024 11:03:04 GMT

hi all, for the same problem, I have created custom application override policy for the port TCP/1521 (Oracle application) along with # set deviceconfig setting tcp asymmetric-path bypass but still connections are failing at validation steps. (replication looks fine). when I bypass the PA FW, replication and validation both working fine.