Screen OS

  • 1.  ssg 140 DMZ help ...

    Posted 02-20-2013 01:27

    Hi All,

    we have a SSG 140 firewall device and a web server in the DMZ zone, ethernet 0/1.

    on the web server, we have python scripts to perform DB queries to DB servers in the trusted zones.

    what we're seeing is that some queries appear to hang.

    wireshark traces show that the web and DB servers were talking to one another, but sometimes, after the DB sent a packet, it is not received by the web server (the script is waiting on a read to the DB server).

    at first it appears to be due to large data returned, but sometimes, smaller data sets also hang.

    are there some settings that are needed ?

    thanks very much in advance!

    sam



  • 2.  RE: ssg 140 DMZ help ...

     
    Posted 02-20-2013 05:16

    Do you know what destination port number the DB queries are using?  It's possible that an ALG is triggered and packets are dropped.  For example, if the DB query is using TCP port 2000, then the SCCP ALG may be triggered, and packets may get dropped.

     

    Also, it's possible that an ALG might be 'broken'.

     

    To tell if an ALG is being triggered:

     

    get session src-ip x.x.x.x dst-ip y.y.y.y
    get session id xxxx

     When capturing the "get session id xxxx", look for the "application id" field. If it's '0', then no ALG is involved.

     

    If no ALG is involved, then yes, you may need to do some wireshark captures.

     

     



  • 3.  RE: ssg 140 DMZ help ...

    Posted 02-21-2013 02:52

    hi samc,

    thank you very much for your reply ..

    as you suggested, i ran the "get session" commands and found the following:

    : SSG140-> get session src-ip X.X.X.X dst-ip Y.Y.Y.Y
    : alloc 1180/max 48064, alloc failed 0, mcast alloc 0, di alloc failed 0
    : total reserved 0, free sessions in shared pool 46884
    : Total 1 sessions according filtering criteria.
    : id 30648/s**,vsys 0,flag 08000040/0100/0001,policy 18,time 105, dip 0 module 0
    : if 5(nspflag 801e01):X.X.X.X/57048->Y.Y.Y.Y/1521,6,02082008ed1c,sess token 13,vlan 0,tun 0,vsd 0,route 3,wsf 0
    : if 0(nspflag 801e00):X.X.X.X/57048<-Y.Y.Y.Y/1521,6,02082044783d,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
    : Total 1 sessions shown
    :
    : SSG140-> get session id 30648
    : id 30648(000077b8), flag 08000040/0100/0001/0000, vsys id 0(Root)
    : policy id 18, application id 64, dip id 0, state 0
    : current timeout 860, max timeout 1800 (second)
    : status normal, start time 17297383, duration 0
    : session id mask 0, app value 0
    : ethernet0/1(vsd 0): X.X.X.X/57048->Y.Y.Y.Y/1521, protocol 6 session token 13 route 3
    : gtwy Y.Y.Y.Y, mac 02082008ed1c, nsptn info 0, pmtu 1500
    : flag 801e01, diff 0/0
    : port seq 0, subif 0, cookie 0, fin seq 0, fin state 0
    : ethernet0/0(vsd 0): X.X.X.X/57048<-Y.Y.Y.Y/1521, protocol 6 session token 3 route 1
    : gtwy X.X.X.X, mac 02082044783d, nsptn info 0, pmtu 1500
    : mac 02082044783d, nsptn info 0
    : flag 801e00, diff 0/0
    : port seq 0, subif 0, cookie 0, fin seq 0, fin state 0
    : SSG140->

    so it appears that ALG is triggered ?

    how do i proceed to better understand (and fix) the problem ?

    thank you very much again!

    sam



  • 4.  RE: ssg 140 DMZ help ...

     
    Posted 02-21-2013 05:07

    Hi.

     

    1) are the queries actual, valid SQL queries?  If so, please make sure to upgrade to the latest ScreenOS firmware as there were some major issues with SQL ALG not working properly in earlier releases of 6.2 and 6.3.

     

    2) couple different ways to disable ALG and test:

       a) disable SQL ALG globally

                "unset alg sql enable"

     

       b) disable SQL ALG on a per-policy basis

                - create a policy specific for this port. for example:               

    set policy top from trust to dmz x.x.x.x/32 y.y.y.y/32 "sql*net v2" permit log
    set policy id XXX application ignore

            The application ignore will disable the ALG for this port 1521, for traffic matching only this policy.

     

     

    If you still see issues even after disabling the ALG, then it's something else and will require sniffer captures.

     

     

    Regards,

    Sam

     


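The check described in post 2, applied to the "get session id" output pasted in post 3, as an added example written for this page (it is not code from any poster): it parses the session text, reads the application id, and reports whether an ALG is attached, which policy the session matched and which port is involved, so the triage in post 4 can start from a definite answer. The sample text is the thread's own output with the leading ": " quote markers removed, and the port-to-ALG mapping is an assumption limited to the two ports the thread names.

```python
import re

# Constructed sample: the "get session id 30648" output from post 3 with the
# forum's ": " quote prefixes stripped. X.X.X.X / Y.Y.Y.Y are the poster's
# own placeholders for the web server and the Oracle DB server.
SESSION_OUTPUT = """\
id 30648(000077b8), flag 08000040/0100/0001/0000, vsys id 0(Root)
policy id 18, application id 64, dip id 0, state 0
current timeout 860, max timeout 1800 (second)
status normal, start time 17297383, duration 0
session id mask 0, app value 0
ethernet0/1(vsd 0): X.X.X.X/57048->Y.Y.Y.Y/1521, protocol 6 session token 13 route 3
gtwy Y.Y.Y.Y, mac 02082008ed1c, nsptn info 0, pmtu 1500
flag 801e01, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 0, fin state 0
ethernet0/0(vsd 0): X.X.X.X/57048<-Y.Y.Y.Y/1521, protocol 6 session token 3 route 1
"""

# Assumption: only the two ports the thread mentions are mapped to an ALG name.
ALG_PORTS = {1521: "SQL*Net", 2000: "SCCP"}


def parse_session(text):
    """Extract the fields a triage needs from 'get session id' output."""
    fields = {}
    m = re.search(r"policy id (\d+), application id (\d+)", text)
    if not m:
        raise ValueError("no 'policy id ... application id' line found")
    fields["policy_id"] = int(m.group(1))
    fields["application_id"] = int(m.group(2))
    # Outbound wing: ingress interface, src/sport -> dst/dport, IP protocol.
    m = re.search(r"(\S+)\(vsd \d+\): (\S+)/(\d+)->(\S+)/(\d+), protocol (\d+)", text)
    if not m:
        raise ValueError("no outbound wing line found")
    fields.update(in_if=m.group(1), src=m.group(2), sport=int(m.group(3)),
                  dst=m.group(4), dport=int(m.group(5)), proto=int(m.group(6)))
    return fields


def alg_verdict(fields):
    """Apply the rule from post 2: application id 0 means no ALG is attached."""
    if fields["application_id"] == 0:
        return "no ALG involved; capture traffic on both sides next"
    alg = ALG_PORTS.get(fields["dport"], "unknown")
    return (f"ALG attached (application id {fields['application_id']}, "
            f"{alg} on port {fields['dport']}) via policy {fields['policy_id']}; "
            "test with the ALG disabled globally or per policy")


if __name__ == "__main__":
    session = parse_session(SESSION_OUTPUT)
    print(session)
    print(alg_verdict(session))
```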

  • 5.  RE: ssg 140 DMZ help ...

    Posted 02-21-2013 06:22

    thanks Sam 😉

    (i'm sam too 😉

    i'll execute all your suggestions ... and report how they go .. cos, many people may be looking for the same solutions ..

    am glad that you are responding ... saw that you're tagged as "super contributor" ... must be a guru in applied networking and juniper ...

    the reason i wasn't replying promptly, is that, although i kinda know networking basics (unix admin for networks), i don't know HW network devices ...

    had to ask the admin for a read-only account, to test your theories 😉

    was apprehensive to even connect to the CLI to run your suggested tests 😛

    but looks like i/we have a solution at hand ... more later ...

    thanks very much again,

    sam



  • 6.  RE: ssg 140 DMZ help ...

    Posted 02-21-2013 06:28

    hi Sam,

    sorry i forgot to mention ...

    i am firing actual sql queries against oracle DB (port 1521, from the dmz), using python scripts ...

    some worked, some didn't ... was previously thinking it was the size of the result-set for the returned query, but some larger result-sets returned without problems, some didn't ..

    was pulling out what remains of my very sparse hairs, now i see a solution in sight 😉

    thanks again,

    sam



  • 7.  RE: ssg 140 DMZ help ...

    Posted 02-21-2013 22:29

    hi Sam!

    thanks very much ! it works!

    cheers!

    sam



  • 8.  RE: ssg 140 DMZ help ...
    Best Answer

    Posted 02-22-2013 05:02

    Hello.

    Could I ask which solution worked for you?

    If you can also mark this thread as solved....

    Thanks,

    Sam



  • 9.  RE: ssg 140 DMZ help ...

    Posted 02-22-2013 10:06

    hi Sam,

    turning off the sql ALG as you suggested solved the problems.

    how do i mark it as solved ?

    can't find any buttons to do that ...

    cheers,

    sam



  • 10.  RE: ssg 140 DMZ help ...

    Posted 02-22-2013 12:40

    glad it's working.

    just to check, can you let me know what version of screenos you're running?

    Thanks!



  • 11.  RE: ssg 140 DMZ help ...

    Posted 02-22-2013 21:57

    hi Sam,

    will post the version info on monday .. hope that is alright ...

    thanks again 😉

    sam