Screen OS

Dear teama,

Currently, i have SSG5 which configure more secondary interface IP ranges; from my Application server(192.168.1.x) is able to ping oracle database server(192.168.2.x), but Application server cannot query data from oracle database. What is the cause of this problem?

Best regards,

Pisal

Hi Pisal,

Please add more details for members to understand your problem.

A simple description with the setup you have, traffic flow directions, policies being hit etc., will help

Dear Gokul,

My setting up is very simple; from Internet to SSG5, and from SSG5 to unmanaged switch. E0/0 connects to internet and E0/1 connects to unmanaged switch, but E0/1 I have configure few sub-interface IP address; such as, 192.168.1.x, 192.168.2.x, 192.168.3.x, ...).

My Application server(192.168.1.x) is able to ping oracle database server(192.168.2.x), but Application server(192.168.1.x) cannot query data from oracle database(192.168.2.x).

On SSG5, i just configure static route and it has no policy between those IP range.

Best regards,

PIsal

Hi Pisal,

If ping is working without any specific policy, then it is through the default allow policy. In that case, there is no reason for Oracle traffic to get blocked.

I think this is a problem with the SQL ALG. The oracle query uses SQL in your deployment, right?

You can try this:

- create a policy >>> From: app server/32 To: Database server/32  Service: Any Action: Permit.  Enable loggin and 'at session beginning' options on this policy

- test ping and oracle query -> I would expect ping to work and Oracle to fail

- now, modify the policy to >>>> Application - Ignore

- test query again and see if it works

Dear Gokul,

Yes, are running core banking application and Oracle DB is our backend database.

I am not able to modify on application to Ignore. Please help to check the message as attached.

Best regards,

Pisal

Dear Gokul,

Please also check the interface and secondary interface as attached.

Best regards,

Pisal

OK, my bad - application cant be IGNORE for a Any-service policy.

Any idea what port is used by your queries? Normally ii would be SQL over TCP-1521. In that case, modify the policy with service as 'SQL*Net V2' rather than Any. Now, you can make the application to be IGNORE.

Also, I see that you are using secondsr-IPs on bgroup, it is not the same as using sub-interfaces. Before doing a policy level testing, can you just try to telnet from app server to the DB server over the port that is used.

Something like--> telnet 192.168.2.x 1521

If this works, then you can try the policy testing above.

Hello Pisal.

What version of ScreenOS are you running?

There were a few issues with SQL ALG a couple of years back...  They've all been fixed now, but if you're running older ScreenOS firmware, you might be hitting this issue, preventing the ALG from functioning correctly.

Regards,

Sam

Hello Sam,

we are running on Netscreen 6.2

Best regards,

Pisal

Do you have logs enabled on the policy?

Please see what the log messages are for this traffic.  If it is using an ALG this will be noted in the logs.  This will also tell us which ports are needed for the communications.

I suspect you will need to create a specific permit policy with the particular ports so that the ignore application can be turned on.  Or you will need to disable an ALG that is not used elsewhere and causing a problem here.