VWire and Oracle Database Traffic - Devs are complaining that its slow - Palo Alto 6.1.6


L4 Transporter

I was wondering if anyone in the community had any experience with implementing Oracle databases and Palo Alto in a VWire environment.

 

Over the weekend we implemented a pair of Active/Active 5060's between our data center and core. Every other application (AD, File Share, Print, VMWare View, Video, Voice, etc.) seems to be working as normal except the developers for our Oracle Database have started to complain about increased latency with their application. Their tools are stating that Oracle is reporting that the problem is mostly with the "socket generation" task where Oracle opens up communication to another server or client.

 

I have implemented the changes around the URG flag that I saw in another post (I didn't reboot, but it didn't state that you had to) and am working with the developers to implement DCD, but I can't seem to put my finger on why there would be increased latency with opening connections. Yes, there is a firewall now as a bump on the wire, but we aren't even close to taxing 1% of the session rate and the throughput is in the Mbps on a 40Gbps port-channel (4x 10Gbps).

 

If connection setup time is the culprit, can anyone suggest where I can look?

 

-Matt

2 REPLIES

L4 Transporter

The problem may not come from this connection but from another one (think about FTP control vs. data connection); you may experience a slow data connection start because the control session is acting weird or disrupted.

As an example, maybe the client is trying to resolve the server name from DNS, but DNS is blocked on the primary server, so you take a 3-second delay until the secondary DNS server is queried and answers.

 

Do a PCAP to prove whether or not the firewall delays the packets of the connections that devs say they have a problem with.

 

If PAN delays packets, open a TAC case.

 

If PAN doesn't delay packets, tell devs to provide better troubleshooting because whatever the problem is (PANOS or other) they are not pointing out which flow is not working.

This looks to be an asymmetrical pathing issue between a Cisco VSS core port-channel to southbound Nexus 5k vPC port-channel. Shutting down the ports in the port channel, effectively removing the secondary firewall from the A/A, resolved the issues. Now to just troubleshoot that side of the house.

  • 2405 Views
  • 2 replies
  • 0 Likes
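
One way to act on the PCAP advice and the asymmetric-path finding in this thread, as an added example that is not part of the original posts: merge per-packet rows exported from captures on both firewalls, then report for each TCP flow which firewall saw each direction and how long the handshake took. The device names `fw-a`/`fw-b`, the addresses, the row layout and the use of port 1521 are constructed assumptions.

```python
# Constructed sample: one row per packet, merged from captures taken on both
# firewalls: (device, time in ms, src, sport, dst, dport, TCP flags).
# fw-a/fw-b, the addresses and port 1521 (Oracle listener default) are assumptions.
SAMPLE = [
    ("fw-a", 10000, "10.1.1.20", 40001, "10.2.2.10", 1521, "S"),
    ("fw-a", 10001, "10.2.2.10", 1521, "10.1.1.20", 40001, "SA"),
    ("fw-a", 10002, "10.1.1.20", 40001, "10.2.2.10", 1521, "A"),
    ("fw-a", 20000, "10.1.1.21", 40002, "10.2.2.10", 1521, "S"),
    ("fw-b", 20001, "10.2.2.10", 1521, "10.1.1.21", 40002, "SA"),
    ("fw-a", 23000, "10.1.1.21", 40002, "10.2.2.10", 1521, "S"),  # SYN retransmit
    ("fw-b", 23001, "10.2.2.10", 1521, "10.1.1.21", 40002, "SA"),
    ("fw-a", 23002, "10.1.1.21", 40002, "10.2.2.10", 1521, "A"),
]


def analyze(packets):
    """Return {client (ip, port): {"fwd", "rev", "split", "setup_ms"}} per TCP flow."""
    flows = {}
    for dev, ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[1]):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key both directions
        f = flows.setdefault(key, {"client": None, "syn": None, "done": None,
                                   "fwd": set(), "rev": set()})
        if flags == "S" and f["client"] is None:
            f["client"], f["syn"] = (src, sport), ts  # first bare SYN marks the client
        if f["client"] is None:
            continue  # capture began mid-flow, direction unknown: skip
        forward = (src, sport) == f["client"]
        f["fwd" if forward else "rev"].add(dev)
        if forward and flags == "A" and f["done"] is None:
            f["done"] = ts  # client ACK completes the three-way handshake
    report = {}
    for f in flows.values():
        if f["client"] is None:
            continue
        report[f["client"]] = {
            "fwd": sorted(f["fwd"]), "rev": sorted(f["rev"]),
            # Both directions should cross the same firewall; a mismatch (or a
            # return direction never captured) means the flow is split.
            "split": f["fwd"] != f["rev"],
            "setup_ms": None if f["done"] is None else f["done"] - f["syn"],
        }
    return report


if __name__ == "__main__":
    for client, info in analyze(SAMPLE).items():
        print(client, info)
```

Flows with `split` set and a large `setup_ms` are the ones worth handing to TAC or to the switching team, since they name the exact 4-tuple and the devices involved.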