06-21-2017 02:11 AM - edited 06-21-2017 03:16 AM
Hi,
We have problems with time-outs in Oracle connections. We are seeing how the database sends keep-alives, and on the FW the number of packets increases when the keep-alive packet passes through. But following these connections, in one of them we did not see the number of packets increase on the firewall, and the time to live of the session is not reset. We see how the server restarted its time to send a keep-alive again. And we have some sessions that the firewall cuts by time-out.
Reviewing the Release Notes, we've seen a bug that might be affecting us. This bug is solved in PAN-OS 7.1.6:
PAN-64727: Fixed an issue where the firewall changed the sequence numbers of forwarded TCP keep-alive packets
I'm not sure if this bug applies to us and is causing this problem in 7.0.x. Will this problem be solved in the latest PAN-OS 7.0.x release?
06-21-2017 09:08 AM
That specific bug number does not appear to be affecting 7.0.*, however the bug itself could have been given a separate number. I did a quick scan through the release notes and didn't notice anything specific to keep-alive that seemed relevant to your issue.
I would reach out to your SE or contact TAC and see if it was a bug that actually affects 7.0.* and, if it is, whether there is even a plan to backport the fix to 7.0.
06-21-2017 01:57 PM - edited 06-21-2017 02:00 PM
Oracle and firewalls in general, in my experience, don't play that well together. In our environment we had to extend the session timeout in the app-id to a ridiculous number so that sessions wouldn't drop. A lot of this seems to surround the use of connection pooling, where Oracle opens connections for use ahead of time to improve performance. Firewalls will close these connections (session timeout) if there is no interesting traffic (I think 6 packets in the session timeout value). This means that clients may try to connect on ports that were previously closed by the firewall. We tried setting up keepalives on the Oracle side of the house, but I was having issues getting any help from our developers in general at that time (over a year ago) as they managed the server settings.
I would recommend as a troubleshooting step overriding the app-id session timeout for Oracle to like 8 hours and see if you still have the issue. Just some food for thought.
-Matt