
Oracle DBLINK cannot retrieve data through an ASA firewall: solution

Editor: Oracle Database Basics
 

Today, when querying data, no data could be retrieved and the program hung. The sqlnet debug information showed the following messages:

SQLNet: received partial fragment, frag len: 2011, partial frag len: 1380, 631 bytes needed
SQLNet: multiple TNS frames in one packet!

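This problem is caused by the sqlnet inspection feature of the Cisco firewall. When it occurs, the data gets split apart. The TCP proxy of the sqlnet inspection engine was designed to handle multiple TNS frames in one TCP segment, and handling many TNS frames in one packet makes the inspection code complex. To resolve the problem, the inspection engine should not handle multiple TNS frames in one packet. The solution is given in the reference below (mainly see the part marked in red):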

 

Oracle traffic does not pass through the firewall. How can I resolve this issue?

A. This issue is caused by the sqlnet inspection feature of the firewall. When it occurs, the connections are torn out. The TCP proxy for sqlnet inspection engine was designed to handle multiple TNS frames in one TCP segment. The sqlnet inspection handles many TNS frames in one packet rendering the code complex.

In order to resolve this issue, the inspection engine should not handle multiple TNS frames in one packet. It is assumed that each TNS frame is in a different TCP packet and is inspected individually.

Software bugs have been filed for this behavior; for more information, refer to CSCsr27940 (registered customers only) and CSCsr14351 (registered customers only).

The solution for this problem is given below. Use the no inspect sqlnet command in class configuration mode in order to disable the inspection for sqlnet.

ASA(config)#class-map sqlnet-port
ASA(config-cmap)#match port tcp eq 1521
ASA(config-cmap)#exit
ASA(config)#policy-map sqlnet_policy
ASA(config-pmap)#class sqlnet-port
ASA(config-pmap-c)#no inspect sqlnet
ASA(config-pmap-c)#exit
ASA(config)#service-policy sqlnet_policy interface outside

For more information, refer to the SQLNet inspection section of the Cisco Security Appliance Command Reference, Version 8.0.
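
The two SQLNet debug messages at the top of this page can be reproduced offline by walking TNS frame boundaries across TCP segments. The Python below is an added example, not code from the original page, Cisco or Oracle; it assumes the classic 8-byte TNS header with a 2-byte big-endian frame length, and the frames and the 1380-byte segment size are constructed to match the trace.

```python
import struct

HDR = 8  # classic TNS header: length(2) checksum(2) type(1) flags(1) header checksum(2)

def tns_frame(payload_len, ptype=6):
    """Constructed TNS frame: header with big-endian total length, zero-filled body."""
    return struct.pack(">HHBBH", HDR + payload_len, 0, ptype, 0, 0) + bytes(payload_len)

def walk_segments(segments):
    """Return, per TCP segment, a list of (kind, frag_len, bytes_here, bytes_needed)."""
    report, carry, cur, needed = [], b"", 0, 0
    for seg in segments:
        data, carry, pos, events = carry + seg, b"", 0, []
        if needed:                                  # tail of a frame begun earlier
            pos = min(needed, len(data))
            needed -= pos
            events.append(("continuation", cur, pos, needed))
        while pos < len(data):
            if len(data) - pos < HDR:               # header itself straddles segments
                carry = data[pos:]
                events.append(("split-header", None, len(carry), None))
                break
            (cur,) = struct.unpack_from(">H", data, pos)
            if cur < HDR:
                raise ValueError(f"bad TNS length {cur} at offset {pos}")
            have = min(cur, len(data) - pos)
            needed = cur - have
            events.append(("complete" if not needed else "partial", cur, have, needed))
            pos += have
        report.append(events)
    return report

def multi_frame_segments(report):
    """Indexes of segments that carry bytes belonging to more than one TNS frame."""
    return [i for i, events in enumerate(report) if len(events) > 1]

# Constructed sample: a 2011-byte data frame followed by a 100-byte frame,
# cut into TCP segments of at most 1380 bytes (the sizes seen in the trace).
STREAM = tns_frame(2003) + tns_frame(92)
SEGMENTS = [STREAM[i:i + 1380] for i in range(0, len(STREAM), 1380)]

if __name__ == "__main__":
    for i, events in enumerate(walk_segments(SEGMENTS)):
        for kind, frag_len, here, need in events:
            print(f"segment {i}: {kind:12} frag len {frag_len}, here {here}, needed {need}")
    print("segments with more than one frame:", multi_frame_segments(walk_segments(SEGMENTS)))
```

The first segment reports a partial 2011-byte frame with 631 bytes still needed, and the second segment holds that tail plus a complete frame, which is the case the inspection engine mishandles.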

Changes

Database Links to databases on Local Area Network (LAN) do not exhibit this problem. This issue is limited to a database link where the target is a remote database accessed via a VPN Tunnel using default port 1521.

Cause

Problem was isolated to use of port 1521 over a VPN Tunnel that utilizes Cisco 5400/5500 Series Adaptive Security Appliances (ASA) where the Cisco SQLnet fixup protocol/Sql Inspector was enabled. However, on port 1522 where this Sql packet Inspection was not enabled, the problem did not reproduce. Note: The Cisco 5400/5500 Series Adaptive Security Appliances (ASA) have this SQLnet fixup protocol/Sql Inspection enabled by default for port 1521.

Please see the following document for a list of other Firewall features that may cause issues such as the one documented here. Refer to this section: Note A – Firewall Restrictions

Note 119706.1 Troubleshooting Guide TNS-12535 or ORA-12535 or ORA-12170 Errors

Solution

The customer’s Firewall Administrator(s) disabled the ‘SQLnet fixup protocol’ in the ASAs on both sides of the VPN Tunnel, and the INSERT from SELECT over the DBLINK where the number of rows was higher began to work over port 1521.

 