Unable to Access the SQL Database Properly Because the Persistent Connection Is Not Configured

Publication Date:  2013-05-02 Views:  294 Downloads:  0
Issue Description
The Eudemon 1000E-U/X is deployed between the SQL server and the users to protect the SQL server.

User ---- FW ---- SQL server
Alarm Information
At first, the users can successfully access the SQL database. After a period, the access becomes slow or application programs report errors.
Handling Process
1. Configure the ACL for matching the packets that can be kept within a long period.

The persistent connection function keeps a session on the Eudemon 1000E-U/X for a long period. If the persistent connection ACL matches many packets, the performance of the Eudemon 1000E-U/X is affected. Therefore, the ACL must match the persistent connections precisely.

Assume that the source IP address of the user is 192.168.1.100/32.

acl number 3998
rule 0 permit tcp destination-port eq sqlnet
rule 5 permit ip source 192.168.1.100 0

2. Enable the interzone persistent connection function.

The default persistent connection aging duration is 168 hours. You can change it with the firewall long-link aging-time aging-time command.

Assume that the user is in the Trust zone and the SQL database server is in the Untrust zone.

firewall interzone trust untrust
 firewall long-link 3998 outbound
Root Cause
Capturing and analyzing packets on the Eudemon 1000E-U/X shows that the interval between packets sent to access the SQL database exceeds 600s. By default, the SQL session aging duration on the Eudemon 1000E-U/X is 600s: after the SQL session is established, the Eudemon 1000E-U/X ages the session if no packet for that session is seen within 600s. The application programs cannot perceive the session aging on the Eudemon 1000E-U/X. When the user sends data again, the Eudemon 1000E-U/X re-establishes the session, so from the user's perspective the access delay is long. If the application programs have specific requirements for the data sending delay, they report errors.

In this situation, you must configure the persistent connection on the Eudemon 1000E-U/X so that the session is not aged within a relatively long period.

The session aging on the Eudemon 1000E-U/X causes the SQL access interruption. As a result, the SQL database access becomes slow or application programs report errors.
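As an added example that is not part of the original page, the following Python script applies the root-cause check above (longest idle gap per flow against the 600s default) and the ACL 3998 match from the handling process to constructed packet records. It assumes that the sqlnet keyword means TCP port 1521 and that the addresses 10.0.0.5 and 192.168.1.101 are constructed sample values.

```python
# Added example, not from the original page: given client-to-server packet records
# (timestamp_s, src_ip, dst_ip, proto, dst_port) from a capture, find the longest idle
# gap per flow, pick the aging timer the Eudemon would apply, and flag aged sessions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

DEFAULT_AGING = 600            # default SQL session aging on the page, in seconds
LONG_LINK_AGING = 168 * 3600   # default persistent-connection aging, 168 hours

# ACL 3998 from the page as (proto, source network, destination port); None = any.
# Assumption: the "sqlnet" port keyword is TCP 1521 (the page does not say).
ACL_3998 = [
    ("tcp", None, 1521),                           # rule 0 permit tcp destination-port eq sqlnet
    ("ip", ip_network("192.168.1.100/32"), None),  # rule 5 permit ip source 192.168.1.100 0
]

def acl_permits(acl, proto, src_ip, dst_port):
    """First-match evaluation of the simplified ACL; every rule here is a permit."""
    for rule_proto, src_net, port in acl:
        if rule_proto != "ip" and rule_proto != proto:
            continue
        if src_net is not None and ip_address(src_ip) not in src_net:
            continue
        if port is not None and port != dst_port:
            continue
        return True
    return False

def analyse(packets, long_link=False):
    """Per flow: longest idle gap, the timer that applies, and whether it is aged."""
    flows = defaultdict(list)
    for ts, src, dst, proto, dport in packets:
        flows[(src, dst, proto, dport)].append(ts)
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        max_gap = max((b - a for a, b in zip(stamps, stamps[1:])), default=0)
        covered = long_link and acl_permits(ACL_3998, key[2], key[0], key[3])
        timer = LONG_LINK_AGING if covered else DEFAULT_AGING
        report[key] = {"max_gap": max_gap, "timer": timer, "aged": max_gap > timer}
    return report

# Constructed sample: the SQL client idles 970 s between queries; another host's
# HTTP flow idles 700 s but matches neither ACL rule, so long-link does not cover it.
SAMPLE_PACKETS = [
    (0, "192.168.1.100", "10.0.0.5", "tcp", 1521),
    (970, "192.168.1.100", "10.0.0.5", "tcp", 1521),
    (5, "192.168.1.101", "10.0.0.5", "tcp", 80),
    (705, "192.168.1.101", "10.0.0.5", "tcp", 80),
]
```

Calling analyse(SAMPLE_PACKETS) reproduces the symptom (the SQL flow is aged at the 600s default), while analyse(SAMPLE_PACKETS, long_link=True) shows only the ACL-matched SQL flow moving to the 168 hour timer.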
Suggestions
None
