Oracle Replication Failed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Oracle Replication Failed

Not applicable

We have a case  where the Oracle connection failed during the replication to the DR , the replication process start for one to three hours then it failed ,  Oracle admins opened a ticket with oracle support and oracle support recommends to disable  the below for oracle application :

SQLNet fixup protocol

Deep Packet Inspection (DPI)

SQLNet packet inspection

SQL Fixup

SQL ALG

We have disabled the the inspection , but for the ALG I found in admin guide v6  that the paloalto  functions as an ALG for the following protocols: FTP, SIP, H.323, RTSP, Oracle/SQLNet/TNS, MGCP protocols.but shows how to disable ALG just for SIP.

in the time I have added new custom application to override the oracle default one and added it to application policy so the PA will not affect this application .

and we are waiting for the result .

will this disable the ALG functionality  on the Oracle application?

9 REPLIES 9

L7 Applicator

Yes, you are correct. If you create a custom application and refer that to a application override policy, the PAN firewall will skip the Layer-7 processing ( content check, ALG)  for that traffic.

Thanks

the same error with the same ORA number in oracle server

L2 Linker

Please use this document to create application override policy.

How to Create an Application Override Policy

After creating correct policy please check the session by using below command:

show session all filter source <x.x.x.x> destination <y.y.y.y>

show session id <type appropriate session number from above output>

This output will show

layer7 processing             : completed

application                       : <the name of the custom app that you have created>

Hello Sir,

Could you please enable packet capture on PAN firewall between source and destination IP (bi-directional) to understand who is causing this problem. Also if you are using an application override policy for SQL traffic, could you please increase the time-out value for those custom application.

Ref Doc: How to Run a Packet Capture

Thanks

Thanks but the problem with pcap andthe cli monitor is that the replication is online process and it will work for hours then it will stop, we don't have a trigger to fire to reproduce the problem , it's just happening daily with no time standard

Try to disable TCP sequence number checking:

set deviceconfig setting tcp asymmetric-path bypass

set deviceconfig setting tcp asymmetric-path

  bypass   bypass inspection for the session that has TCP sliding window tracking errors

  drop     drop offending packets that violated TCP sliding window tracking, enable TCP sequence number check for FIN/RST

Thanks Anon but will it effect other tcp protocol? In other words can we specify it for oracle only? Or for src and dest only?

Hi,

no, this setting will disable the inspection globally for all traffic.

L0 Member

hi all, for the same problem, I have created custom application override policy for the port TCP/1521 (Oracle application) along with # set deviceconfig setting tcp asymmetric-path bypass but still connections are failing at validation steps. (replication looks fine). when I bypass the PA FW, replication and validation both working fine.

  • 6798 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!