Oracle Replication Failed

Not applicable

We have a case where the Oracle connection failed during replication to the DR. The replication process runs for one to three hours, then it fails. The Oracle admins opened a ticket with Oracle support, and Oracle support recommends disabling the following for the Oracle application:

SQLNet fixup protocol

Deep Packet Inspection (DPI)

SQLNet packet inspection

SQL Fixup

SQL ALG

We have disabled the inspection, but for the ALG I found in the admin guide v6 that the Palo Alto functions as an ALG for the following protocols: FTP, SIP, H.323, RTSP, Oracle/SQLNet/TNS, MGCP. But it shows how to disable ALG just for SIP.

In the meantime I have added a new custom application to override the Oracle default one and added it to the application policy so the PA will not affect this application.

We are waiting for the result.

Will this disable the ALG functionality on the Oracle application?

L7 Applicator

Re: Oracle Replication Failed

Yes, you are correct. If you create a custom application and refer that to an application override policy, the PAN firewall will skip the Layer-7 processing (content check, ALG) for that traffic.

Thanks

Not applicable

Re: Oracle Replication Failed

The same error with the same ORA number on the Oracle server.

L2 Linker

Re: Oracle Replication Failed

Please use this document to create an application override policy.

How to Create an Application Override Policy

After creating the correct policy, please check the session by using the commands below:

show session all filter source <x.x.x.x> destination <y.y.y.y>

show session id <type appropriate session number from above output>

This output will show

layer7 processing             : completed

application                       : <the name of the custom app that you have created>

L7 Applicator

Re: Oracle Replication Failed

Hello Sir,

Could you please enable packet capture on the PAN firewall between the source and destination IP (bi-directional) to understand who is causing this problem? Also, if you are using an application override policy for SQL traffic, could you please increase the time-out value for that custom application?

Ref Doc: How to Run a Packet Capture

Thanks

Not applicable

Re: Oracle Replication Failed

Thanks, but the problem with pcap and the CLI monitor is that the replication is an online process and it will work for hours, then it will stop. We don't have a trigger to fire to reproduce the problem; it's just happening daily with no standard time.

L4 Transporter

Re: Oracle Replication Failed

Try to disable TCP sequence number checking:

set deviceconfig setting tcp asymmetric-path bypass

set deviceconfig setting tcp asymmetric-path

  bypass   bypass inspection for the session that has TCP sliding window tracking errors

  drop     drop offending packets that violated TCP sliding window tracking, enable TCP sequence number check for FIN/RST

Not applicable

Re: Oracle Replication Failed

Thanks Anon, but will it affect other TCP protocols? In other words, can we specify it for Oracle only? Or for src and dest only?

L4 Transporter

Re: Oracle Replication Failed

Hi,

No, this setting will disable the inspection globally for all traffic.
