02-09-2010 05:36 AM
Has anyone had any luck on an SRX240 running JunOS 9.6 with sqlnet or Oracle 10 databases running through it?
This has been worked on for quite some time on the DB side and they are finally pointing the finger at the firewalls. So we started looking at this today.
The only thing they could give us from the DB traces was that packets seem to be dropping randomly and Oracle claims not too many firewalls handle the sqlnet protocol well.
Is there an ALG for this in JunOS 9.6?
Also this is running through a Netscreen 208 that may be the cause as well. The app server is in our DMZ and connects to the Databases on our PCI vlan which has an SRX 240 in front of it to keep it segregated from the rest of the network for compliance issues. The DMZ firewalls are Netscreen 208a. Getting replaced later this year with SRX650. But we have to get this DB working now.
08-04-2011 06:56 AM
Hi, we have a Juniper SSG-140 with Netscreen and was having the same problem with SQLNETv2 local or remote DB.
Sometimes we have a frozen connection or dropped packets, especially with complex queries or long procedures (ex. 22k lines).
This command "set security alg sql disable" (turn off the SQL ALG) solved the problem for us.
tks a lot
08-05-2011 11:54 PM
Here are some reports I have collected from different sources regarding recently reported SQL issue....
Report 1: Enabling the Structured Query Language (SQL) ALG on an SRX Series or J Series device allows SQL*Net traffic in SQL redirect mode to traverse an SRX Series device by creating a TCP pinhole. If the SQL*Net traffic is not in redirect mode, it will not be handled by the SQL ALG and will instead be processed (and should be permitted specifically) by configured firewall policies.
Oracle 9.2 and earlier requires the SQL ALG to keep traffic from moving to random ports; however, versions greater than 9.2 may have intermittent issues when the SQL ALG is applied. This is quite obvious in Oracle, as it reports checksum errors. The following workarounds can alleviate this issue:
- Disable SQL ALG globally using the set security alg sql disable command.
- Define an application which bypasses the SQL ALG. For more information, see KB15492 - [J-Series] [SRX] How to: Bypass an ALG by creating an "application ignore" or "alg ignore"....
- Configure Oracle to use a port other than TCP 1521 (see Oracle for details) to bypass the SQL ALG.
Packets dropped in SQL interleave mode. This problem has been addressed by PR 587126.
SQL ALG is not working properly when data is transmitted over the control session. This problem has been addressed by PR 524444.
Hope this helps.
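An added example, not part of the post above or of the Juniper KB it cites: the second workaround (an application that bypasses the SQL ALG) written as SRX set commands, scoped to one app-server/database pair so the ALG stays enabled for everything else. The zone names (dmz, pci), the address and application names, and the IP addresses are assumptions chosen for illustration.

```junos
# Custom application on TCP 1521 that tells the SRX not to hand the
# session to any ALG (name "oracle-1521-noalg" is an assumption).
set applications application oracle-1521-noalg protocol tcp
set applications application oracle-1521-noalg destination-port 1521
set applications application oracle-1521-noalg application-protocol ignore

# Address book entries for the two endpoints (constructed addresses).
set security zones security-zone dmz address-book address app-server 192.0.2.10/32
set security zones security-zone pci address-book address oracle-db 198.51.100.20/32

# Policy that permits only this pair on the ALG-bypassing application.
# It must sit above any broader policy that would match the same flow
# with an application that still invokes the SQL ALG.
set security policies from-zone dmz to-zone pci policy app-to-oracle match source-address app-server
set security policies from-zone dmz to-zone pci policy app-to-oracle match destination-address oracle-db
set security policies from-zone dmz to-zone pci policy app-to-oracle match application oracle-1521-noalg
set security policies from-zone dmz to-zone pci policy app-to-oracle then permit

# Operational-mode check after commit: the SQL ALG should still show as
# enabled globally, since only this application bypasses it.
#   show security alg status
```

With the ALG bypassed for this application, no pinhole is created, so if the database uses redirect mode the redirected port has to be permitted by policy as well. Existing sessions keep their old handling until they are re-established.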
12-11-2012 08:28 PM
I've come across the same issue with an SRX550 cluster running 12.1R3.5 - all the logs were showing the traffic making it through successfully, could ping & ssh across same source/destination but the SQL connection just didn't work. Disabled the SQL ALG and it all works fine now.